VPN is not talking to the subnet behind a remote router

Keithshum
Level 1

Hi All,

I have been banging my head on the wall for a few days about what is wrong with my ASA setup...

This is what I got:

AnyConnect VPN (10.10.70.0/24) => tunnel => ASA5505 running v9.1.2 (10.10.20.1) => (10.10.20.2) 1841 Router (10.10.50.1) => my lab environment (10.10.50.0/24)

The VPN authenticates OK, gets an address, and can ping 10.10.20.0/24, but is unable to pass any traffic (ping, FTP, etc.) to the 10.10.50.0 network at all.

Using EIGRP between the ASA and the 1841, I tried both the 'network' statement, then 'redistribute static', and just 'redistribute static route-map'; still no luck.

Found several docs, tried them, doesn't seem to help...

https://supportforums.cisco.com/thread/2206416

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00809d07de.shtml

Please help...

Attaching the configs for the ASA and router

Thank you in advance!

Keith S.


Michael Muenz
Level 5

Can you post the routing table on both systems?

Michael

Please rate all helpful posts

Sure, Michael, thanks for an extra brain and pair of eyes! =)

*******************************************************************************************

asa# sh route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 67.164.80.1 to network 0.0.0.0

C    67.164.80.0 255.255.252.0 is directly connected, outside
C    10.10.20.0 255.255.255.0 is directly connected, inside
D    10.10.50.0 255.255.255.0 [90/30720] via 10.10.20.2, 17:35:14, inside
S    10.10.70.1 255.255.255.255 [1/0] via 67.164.80.1, outside
d*   0.0.0.0 0.0.0.0 [1/0] via 67.164.80.1, outside
asa#

asa# sh eigrp topology
EIGRP-IPv4 Topology Table for AS(1)/ID(10.10.20.1)
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
       r - reply Status, s - sia Status

P 10.10.20.0 255.255.255.0, 1 successors, FD is 28160
        via Connected, Vlan1
P 10.10.50.0 255.255.255.0, 1 successors, FD is 30720
        via 10.10.20.2 (30720/28160), Vlan1
asa#

asa# sh eigrp topology all-links
EIGRP-IPv4 Topology Table for AS(1)/ID(10.10.20.1)
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
       r - reply Status, s - sia Status

P 10.10.20.0 255.255.255.0, 1 successors, FD is 28160, serno 1
        via Connected, Vlan1
P 10.10.50.0 255.255.255.0, 1 successors, FD is 30720, serno 2
        via 10.10.20.2 (30720/28160), Vlan1

*******************************************************************************************

1841#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route

Gateway of last resort is 10.10.20.1 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 10.10.20.1
      10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C        10.10.20.0/24 is directly connected, FastEthernet0/0
L        10.10.20.2/32 is directly connected, FastEthernet0/0
C        10.10.50.0/24 is directly connected, FastEthernet0/1
L        10.10.50.1/32 is directly connected, FastEthernet0/1
1841#

1841#sh ip eigrp topology
EIGRP-IPv4 Topology Table for AS(1)/ID(10.10.50.1)
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
       r - reply Status, s - sia Status

P 10.10.20.0/24, 1 successors, FD is 28160
        via Connected, FastEthernet0/0
P 10.10.50.0/24, 1 successors, FD is 28160
        via Connected, FastEthernet0/1
1841#

1841#sh ip eigrp topology all-links
EIGRP-IPv4 Topology Table for AS(1)/ID(10.10.50.1)
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
       r - reply Status, s - sia Status

P 10.10.20.0/24, 1 successors, FD is 28160, serno 1
        via Connected, FastEthernet0/0
P 10.10.50.0/24, 1 successors, FD is 28160, serno 5
        via Connected, FastEthernet0/1

Hi Keith,

Are you using IKEv1 or IKEv2?

This is your configuration:

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto dynamic-map outside_dyn_map 20 set ikev1 transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto dynamic-map test-map 10 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside

The dynamic map which is applied on the interface is SYSTEM_DEFAULT_CRYPTO_MAP, which is an IKEv2 map.

But the issue is not that. As per your configuration there is EIGRP running between the ASA and the router, and as per your routing table the router doesn't know where the 10.10.70.0/24 subnet is. To inject the VPN pool subnet into the routing table we need a reverse-route command, which you have configured on a map which is not in use. Try this:

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route

And let me know if it helps.

Thanks

Jeet Kumar

Hi Jeet,

Just added the line you suggested; I still don't seem to be able to get in...

asa# sh run | i set reverse-route
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto dynamic-map test-map 10 set reverse-route

*****************

C:\Users\kshum>ping -t 10.10.50.1

Pinging 10.10.50.1 with 32 bytes of data:
Request timed out.
Request timed out.
...

Ping statistics for 10.10.50.1:
    Packets: Sent = 15, Received = 0, Lost = 15 (100% loss),
Control-C
^C

*****************

By the way, I am at the office now; I verified the VPN connection, SSH to the firewall 10.10.20.1 and telnet to the router 10.10.20.2, but still no luck on the 10.10.50.0's...

OK, I went through your configuration again and I think this is your issue.

You have NAT exempt configured for only 10.10.20.0/24; configure the same for the other network and see if that helps.

nat (inside,outside) source static NETWORK_OBJ_10.10.20.0_24 NETWORK_OBJ_10.10.20.0_24 destination static NETWORK_OBJ_10.10.70.0_24 NETWORK_OBJ_10.10.70.0_24 no-proxy-arp route-lookup

However, taking a look again at the routing table of the 1841, I found that the external EIGRP route is now showing up.

I can also ping my VPN IP address back from the telnet session on the 1841, which didn't happen before. Thanks for this!!!

So, now it's saying that the traffic is there; just somehow it's not blocking from the 70's to 50's..

****************************************

1841#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route

Gateway of last resort is 10.10.20.1 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 10.10.20.1
      10.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
C        10.10.20.0/24 is directly connected, FastEthernet0/0
L        10.10.20.2/32 is directly connected, FastEthernet0/0
C        10.10.50.0/24 is directly connected, FastEthernet0/1
L        10.10.50.1/32 is directly connected, FastEthernet0/1
D EX     10.10.70.1/32 [170/30720] via 10.10.20.1, 00:14:34, FastEthernet0/0

1841#ping 10.10.70.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.70.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 44/87/108 ms

Cool bean! That's it!

Added these lines to test it out...

object network NETWORK_OBJ_10.10.50.0_24
 subnet 10.10.50.0 255.255.255.0
nat (inside,outside) source static NETWORK_OBJ_10.10.50.0_24 NETWORK_OBJ_10.10.50.0_24 destination static NETWORK_OBJ_10.10.70.0_24 NETWORK_OBJ_10.10.70.0_24 no-proxy-arp route-lookup

C:\Users\kshum>ping -t 10.10.50.1

Pinging 10.10.50.1 with 32 bytes of data:
Reply from 10.10.50.1: bytes=32 time=90ms TTL=255
Reply from 10.10.50.1: bytes=32 time=133ms TTL=255
Reply from 10.10.50.1: bytes=32 time=71ms TTL=255

And it works like a charm.

Then modified the line as follows to cover the whole 10.0.0.0/8...

nat (inside,outside) source static net-10.8 net-10.8 destination static NETWORK_OBJ_10.10.70.0_24 NETWORK_OBJ_10.10.70.0_24 no-proxy-arp route-lookup

Thank you so much, I will mark the right answers from you.
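The fix in this thread comes down to which flows an identity twice-NAT rule ("NAT exempt") actually covers: the original rule only paired 10.10.20.0/24 with the VPN pool, so 10.10.70.x to 10.10.50.x never matched it. The script below is an added example written for this page, not code from the thread or from any Cisco tool. It parses the `object network` and `nat (inside,outside) source static ... destination static ...` lines quoted above into identity rules and reports whether a given flow is covered. The config strings are constructed from the thread's own lines; the definition of the `net-10.8` object is an assumption (the thread names it but never shows it, so 10.0.0.0/8 is taken from Keith's "cover the whole 10.0.0.0/8").

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample configs built from the object and NAT lines quoted in
# this thread. The "net-10.8" object below is an ASSUMPTION: the thread uses
# the name but never shows its definition.
ASA_CFG_BEFORE = """\
object network NETWORK_OBJ_10.10.20.0_24
 subnet 10.10.20.0 255.255.255.0
object network NETWORK_OBJ_10.10.70.0_24
 subnet 10.10.70.0 255.255.255.0
nat (inside,outside) source static NETWORK_OBJ_10.10.20.0_24 NETWORK_OBJ_10.10.20.0_24 destination static NETWORK_OBJ_10.10.70.0_24 NETWORK_OBJ_10.10.70.0_24 no-proxy-arp route-lookup
"""

ASA_CFG_AFTER = ASA_CFG_BEFORE + """\
object network NETWORK_OBJ_10.10.50.0_24
 subnet 10.10.50.0 255.255.255.0
nat (inside,outside) source static NETWORK_OBJ_10.10.50.0_24 NETWORK_OBJ_10.10.50.0_24 destination static NETWORK_OBJ_10.10.70.0_24 NETWORK_OBJ_10.10.70.0_24 no-proxy-arp route-lookup
"""

ASA_CFG_WIDE = ASA_CFG_BEFORE + """\
object network net-10.8
 subnet 10.0.0.0 255.0.0.0
nat (inside,outside) source static net-10.8 net-10.8 destination static NETWORK_OBJ_10.10.70.0_24 NETWORK_OBJ_10.10.70.0_24 no-proxy-arp route-lookup
"""

OBJECT_RE = re.compile(r"^object network (\S+)\s*$")
SUBNET_RE = re.compile(r"^\s+subnet (\S+) (\S+)\s*$")
HOST_RE = re.compile(r"^\s+host (\S+)\s*$")
NAT_RE = re.compile(
    r"^nat \((\S+),(\S+)\) source static (\S+) (\S+) destination static (\S+) (\S+)"
)


@dataclass
class IdentityNatRule:
    real_if: str
    mapped_if: str
    source: ipaddress.IPv4Network
    destination: ipaddress.IPv4Network


def parse_network_objects(config):
    """Map each 'object network' name to the subnet or host it defines."""
    objects, current = {}, None
    for line in config.splitlines():
        m = OBJECT_RE.match(line)
        if m:
            current = m.group(1)
            continue
        if current is None:
            continue
        m = SUBNET_RE.match(line)
        if m:
            # ipaddress accepts dotted netmasks, e.g. "10.10.20.0/255.255.255.0"
            objects[current] = ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}")
            continue
        m = HOST_RE.match(line)
        if m:
            objects[current] = ipaddress.IPv4Network(f"{m.group(1)}/32")
    return objects


def parse_identity_nat_rules(config):
    """Keep only twice-NAT rules whose mapped objects equal the real ones
    (identity NAT, i.e. NAT exempt). Static rules that translate are skipped."""
    objects = parse_network_objects(config)
    rules = []
    for line in config.splitlines():
        m = NAT_RE.match(line)
        if not m:
            continue
        real_if, mapped_if, src_real, src_mapped, dst_real, dst_mapped = m.groups()
        if src_real != src_mapped or dst_real != dst_mapped:
            continue
        try:
            rules.append(IdentityNatRule(real_if, mapped_if, objects[src_real], objects[dst_real]))
        except KeyError as missing:
            raise ValueError(f"NAT rule references undefined object {missing}") from None
    return rules


def is_nat_exempt(config, src_ip, dst_ip):
    """True if some identity rule covers the flow. Static twice-NAT is
    bidirectional, so the reverse direction (dst -> src) counts as well."""
    src, dst = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    return any(
        (src in r.source and dst in r.destination) or (src in r.destination and dst in r.source)
        for r in parse_identity_nat_rules(config)
    )


if __name__ == "__main__":
    for label, cfg in (("before", ASA_CFG_BEFORE), ("after", ASA_CFG_AFTER), ("wide", ASA_CFG_WIDE)):
        for dst in ("10.10.20.2", "10.10.50.1", "10.99.0.1"):
            print(f"{label:6} 10.10.70.1 -> {dst}: exempt={is_nat_exempt(cfg, '10.10.70.1', dst)}")
```

Run as a script it prints one line per config and destination, showing that the "before" config only exempts the VPN pool toward 10.10.20.0/24, the "after" config adds 10.10.50.0/24, and the 10.0.0.0/8 version covers any 10.x host. The checker deliberately models only identity twice-NAT and ignores rule order; on a real ASA, section 1 rules are evaluated first-match, so a translating rule placed above the exemption would still win, and the `no-proxy-arp` and `route-lookup` keywords are not modelled at all.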
