06-20-2011 04:41 AM
Hi All!
We have an ASA 5510 with two internet connections. One is intended for the L2L VPN and the other for general users' internet access.
On ASA 8.0.4, I configured the crypto map on interface "VPNAccess" and a static route to the L2L remote peer through the VPN internet access; the default route was pointing to the general internet router.
We bought a new firewall with 8.4.1, and now the ASA only tries to initiate traffic if the remote peer is reachable via the default gateway.
It ignores more specific routes (I mean longer masks) and always tries to use the default gateway, but only for VPN; if I do a traceroute to those peers it correctly uses the routing table.
Any advice?
Thanks!
06-20-2011 05:08 AM
Please ensure that you have both the remote peer and the remote LAN subnet configured to route towards the VPN interface next hop.
Also please ensure that you have configured NAT exemption just between the inside interface and the VPN interface (not inside to any, or any to any).
Please feel free to post the config to double check.
06-20-2011 05:33 AM
What kind of route should I add for the remote network? In ASA 8.0.4 it was not necessary at all!
As I'm building the config from scratch, I have not set up NAT yet, so debugging is simpler.
06-20-2011 05:40 AM
route
06-20-2011 06:37 AM
I don't understand... the next hop is the firewall itself?
Or are you talking about the tunneled route?
06-20-2011 07:58 AM
I added the route, and it worked, but I really can't understand why.
Is this the proper way or a workaround? In other versions I really didn't need this private route.
06-20-2011 10:35 PM
Yes, as you mentioned that you have not configured any NAT at all, when the clear text traffic arrives at the ASA destined for the remote LAN subnet, the ASA will check its routing table and route it accordingly. And since initially you had not configured a route for the remote LAN towards the VPN interface next hop, it will route it towards the default gateway.
06-21-2011 12:25 AM
Hi,
I've set up NAT and I get the same behavior.
This is the routing table:
x.x.x.x 255.255.255.255 [2/0] via InetRouter2, PublicTESAVPNBackup
0.0.0.0 0.0.0.0 [1/0] via InetRouter1, PublicTESA
This is the nat:
nat (any,any) source static PrivateAddress PrivateAddress destination static PrivateAddress PrivateAddress
nat (any,PublicTESAVPNBackup) source dynamic any interface
nat (any,PublicTESA) source dynamic any interface
nat (any,PublicBT) source dynamic any interface
PrivateAddress is:
object-group network PrivateAddress
description All Private address ranges
network-object object PrivateRange_10.0.0.0 (/8)
network-object object PrivateRange_172.16.0.0 (/12)
network-object object PrivateRange_192.168 (/16)
The default GW is on PublicTESA, but L2L peers should be reached over PublicBT as the first option and
PublicTESAVPNBackup as the backup route (tracking will be done).
The crypto map is defined for both interfaces (PublicBT and PublicTESAVPNBackup, but right now only the backup is plugged in). The remote L2L public peer is: x.x.x.x
Well, the crypto map doesn't even start its negotiation, but if I change the default route to
PublicTESAVPNBackup it works.
Thanks
06-21-2011 12:35 AM
Well, (any,any) certainly does not help.
You would need to be more specific; otherwise, again as advised earlier, it does not know which interface to use since you have not specified it.
Also, you would also need to be specific with the source and destination network. Otherwise, the firewall will not know which interface the subnet should be connected to.
The more specific, the better for the NAT statement.
nat (
06-21-2011 01:10 AM
Hi!
You're right, it's working. I've specified the same source and destination in NAT as in the L2L local and remote nets, and it's working.
Now, the choice is: add 14 specific NAT rules (one per L2L) or 14 routes (which can be condensed into 3, one per private range).
What is the most 'proper' approach?
If I understood correctly... the problem is: the route lookup is done before the VPN lookup.
Regards, Thanks
06-21-2011 01:29 AM
Yes, you are correct. Route lookup comes first, before the VPN lookup.
The most proper approach is to configure specific NAT rules, and this will definitely help, especially if you have other NAT rules as well. This will ensure that there is no overlapping, and each subnet is configured specifically towards the interface where the subnet is connected.
The (any,any) NAT approach is strongly discouraged, as it can potentially cause issues as your NAT rules grow and will make troubleshooting difficult.
06-21-2011 01:36 AM
Hi
Thanks again, but I didn't understand your explanation...
The (any,any) + PrivateAddress group seems safer to me; that ensures no other NAT rule will have to be added.
If I understood the documentation correctly, this is a NAT exempt rule:
nat (any,any) source static PrivateAddress PrivateAddress destination static PrivateAddress PrivateAddress
What's the point I'm missing?
06-21-2011 01:52 AM
Best would be to configure:
nat (
instead of:
nat (any,any) source static
With a NAT statement, the more specific you are, the fewer issues you might face.
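To make the thread's point concrete, here is an added configuration sketch (not posted by anyone in the thread) that puts the (any,any) identity NAT from the question next to the interface-specific twice-NAT exemption the answers recommend, plus the checks that show which interface the ASA actually picks. The interface names inside, PublicBT and PublicTESAVPNBackup come from the thread; the object names LAN_Site and Remote_Site1, the next-hop addresses and the peer address are constructed placeholders, and the syntax is the ASA 8.3+ twice-NAT form.

```cisco
! Constructed objects (assumed names and addresses, not from the thread)
object network LAN_Site
 subnet 10.10.0.0 255.255.0.0
object network Remote_Site1
 subnet 192.168.50.0 255.255.255.0
!
! Weak form, as posted in the thread: the (any,any) identity rule does not name
! an egress interface, so the ASA falls back to the routing table, the 0/0 route
! on PublicTESA wins, and the crypto map on the VPN interface never sees the flow.
nat (any,any) source static PrivateAddress PrivateAddress destination static PrivateAddress PrivateAddress
!
! Corrected form, one exemption per L2L: source/destination match the crypto map
! ACL, and the mapped interface pins the egress to the VPN interface.
nat (inside,PublicBT) source static LAN_Site LAN_Site destination static Remote_Site1 Remote_Site1
!
! Routes for the peer itself (IKE/ESP leave via the VPN interface), primary with
! metric 1 and backup with metric 2 (addresses are constructed placeholders).
route PublicBT 203.0.113.10 255.255.255.255 198.51.100.1 1
route PublicTESAVPNBackup 203.0.113.10 255.255.255.255 198.51.100.65 2
!
! Checks: the NAT phase of packet-tracer shows the chosen egress interface, and
! the VPN phase shows whether the flow matched the crypto map.
packet-tracer input inside tcp 10.10.1.20 40000 192.168.50.10 443 detailed
show nat detail
show route
show crypto isakmp sa
```

Because the twice-NAT rule, not the route, selects the egress interface here, a fallback to PublicTESAVPNBackup needs its own rule (or the route-based variant from the thread, with the remote LAN routed towards the VPN next hop); `packet-tracer` is the quickest way to confirm which path a given flow takes.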