08-30-2016 09:26 PM - edited 03-12-2019 01:12 AM
Hi All,
First BEFORE any of you toss the hairpin examples at me - I've read all of them and they didn't help. They mainly concern hairpins between static gateway2gateway VPN's coming into an ASA. Here is my setup:
Main ASA #1 that is setup to allow dynamic VPN clients (running the Cisco VPN client - NOT anyconnect, NOT quick VPN NOT ppp none of that - the plain old Cisco xauth VPN client we all know). Main ASA #1 also has a static LAN2LAN VPN to ASA #2 It has an inside subnet of 192.168.200.0 that is connected to a router with a bunch more 192.168.x subnets behind it and a static public IP address It has 2 vpn pools and 2 separate VPN entries. One VPN entry uses split tunneling the other does not.
ASA1 hands out 192.168.221.0 as it's dynamic VPN subnet
ASA2 uses 192.168.215.0/24 as it's inside subnet
The Dynamic clients use split tunneling.
I want to hairpin VPN traffic from the dynamic clients coming in on the split tunnel VPN to the other VPN that's static. When I set everything up I can see (in the logs) packets from a remote VPN client at 192.168.221.1 coming into ASA #1 being hairpinned out to ASA#2, then the machine behind that responds and it's responses get sent back through the LAN2LAN VPN to ASA #1. But, the responses never make it back to the remote VPN client. Instead, I get:
%ASA-6-302020: Built inbound ICMP connection for faddr 192.168.215.43/0 gaddr 192.168.221.1/5 laddr 192.168.221.1/5(LOCAL\assupm)
%ASA-6-110003: Routing failed to locate next hop for ICMP from outside:192.168.215.43/0 to inside:192.168.221.1/5
Here is the simplified config for ASA #1:
ASA #1
!
ASA Version 9.5(2)2
!
ip local pool ipsecclientpool 192.168.221.1-192.168.221.254
!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address 7.19.87.62 255.255.255.248
!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 192.168.200.1 255.255.255.0
!
!
object network OBJ-192.168.221.0-24
subnet 192.168.221.0 255.255.255.0
object network OBJ-192.168.200.0-24
subnet 192.168.200.0 255.255.255.0
object network OBJ-192.168.4.0-24
subnet 192.168.4.0 255.255.255.0
object network OBJ-192.168.5.0-24
subnet 192.168.5.0 255.255.255.0
object network OBJ-192.168.6.0-24
subnet 192.168.6.0 255.255.255.0
object network NETWORK_OBJ_192.168.215.0_24
subnet 192.168.215.0 255.255.255.0
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object-group network DM_INLINE_NETWORK_2
network-object object OBJ-192.168.4.0-24
network-object object OBJ-192.168.5.0-24
network-object object OBJ-192.168.6.0-24
network-object object OBJ-192.168.200.0-24
network-object object OBJ-192.168.221.0-24
!
access-list splitTunnelAcl standard permit 192.168.4.0 255.255.255.0
access-list splitTunnelAcl standard permit 192.168.5.0 255.255.255.0
access-list splitTunnelAcl standard permit 192.168.6.0 255.255.255.0
access-list splitTunnelAcl standard permit 192.168.200.0 255.255.255.0
access-list splitTunnelAcl standard permit 192.168.215.0 255.255.255.0
!
access-list outside_access_in extended permit icmp any any log disable
access-list outside_access_in extended permit ip 192.168.221.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list outside_access_in extended permit ip 192.168.221.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list outside_access_in extended permit ip 192.168.221.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list outside_access_in extended permit ip 192.168.221.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list outside_access_in extended permit ip 192.168.221.0 255.255.255.0 192.168.215.0 255.255.255.0
access-list outside_access_in extended permit ip 192.168.215.0 255.255.255.0 192.168.221.0 255.255.255.0
access-list outside_cryptomap extended permit ip object-group DM_INLINE_NETWORK_2 192.168.215.0 255.255.255.0
access-list inside_access_in extended permit ip any any
pager lines 34
logging enable
logging buffered debugging
nat (inside,any) source static OBJ-192.168.200.0-24 OBJ-192.168.200.0-24 destination static OBJ-192.168.221.0-24 OBJ-192.168.221.0-24 no-proxy-arp description NONAT
nat (inside,any) source static OBJ-192.168.6.0-24 OBJ-192.168.6.0-24 destination static OBJ-192.168.221.0-24 OBJ-192.168.221.0-24 no-proxy-arp description NONAT
nat (inside,any) source static OBJ-192.168.5.0-24 OBJ-192.168.5.0-24 destination static OBJ-192.168.221.0-24 OBJ-192.168.221.0-24 no-proxy-arp description NONAT
nat (inside,any) source static OBJ-192.168.4.0-24 OBJ-192.168.4.0-24 destination static OBJ-192.168.221.0-24 OBJ-192.168.221.0-24 no-proxy-arp description NONAT
nat (inside,any) source static DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2 destination static NETWORK_OBJ_192.168.215.0_24 NETWORK_OBJ_192.168.215.0_24 no-proxy-arp description NONAT
nat (outside,outside) source static NETWORK_OBJ_192.168.215.0_24 NETWORK_OBJ_192.168.215.0_24 destination static OBJ-192.168.221.0-24 OBJ-192.168.221.0-24 no-proxy-arp description NONAT
object network obj_any
nat (inside,outside) dynamic interface
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 7.19.87.61 1
route inside 192.168.4.0 255.255.255.0 192.168.200.2 1
route inside 192.168.5.0 255.255.255.0 192.168.200.2 1
route inside 192.168.6.0 255.255.255.0 192.168.200.2 1
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-
SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 8.8.8.8
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpool policy
crypto isakmp nat-traversal 3600
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
group-policy america internal
group-policy america attributes
wins-server value 192.168.4.22
dns-server value 192.168.4.22 192.168.4.23
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value splitTunnelAcl
username assupm password xxxxxxxxxxxxxx encrypted privilege 15
username assupm attributes
vpn-group-policy america
service-type remote-access
tunnel-group america type remote-access
tunnel-group america general-attributes
address-pool ipsecclientpool
authorization-server-group LOCAL
default-group-policy america
tunnel-group america ipsec-attributes
ikev1 pre-shared-key EatMyShorts
08-30-2016 09:31 PM
I read this:
https://supportforums.cisco.com/discussion/11175761/asa-6-110003-routing-failed-locate-next-hop-tcp-outside2606-inside22
Does not contain an answer. Does not explain how to exempt from natting data flow from and to dynamic vpn clients.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide