Solved: ASA5505 Remote VPN with hairpin to L2L VPN

fuoritedesco · ‎08-04-2011

Hi. I have been searching for days trying to find out what could be wrong with the configuration of an ASA5505 running Firmware version 7.2(2). I am trying to set up a hairpin connection between my laptop on the VPN tunnel (192.168.25.12) to access the server across the L2L VPN (192.168.1.10) on the diagram below.

The remote VPN function is working, as I can RDP to the 192.168.25.10 server from my laptop, and the L2L VPN is working since I can RDP from server 192.168.25.10 to server 192.168.1.10. I am trying specifically to run RDP from my laptop without having to log into the .25 network.

I have tried multiple changes to my NAT tables and my ACL configurations to no avail. Can someone please help me to understand what is wrong with my configuration?

: Saved

:

ASA Version 7.2(2)

!

hostname ciscoasa

domain-name default.domain.invalid

enable password ykhud5eCZELCCoHu encrypted

names

name 192.168.24.0 RemoteVPN

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.25.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address 173.xxx.xxx.20 255.255.255.248

!

interface Vlan3

no forward interface Vlan1

nameif dmz

security-level 50

no ip address

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

passwd 2KFQnbNIdI.2KYOU encrypted

ftp mode passive

dns domain-lookup outside

dns domain-lookup inside

dns server-group DefaultDNS

name-server 192.168.25.10

name-server 68.87.85.98

domain-name default.domain.invalid

dns server-group ncdc

name-server 192.168.25.10

name-server 68.87.85.98

same-security-traffic permit intra-interface

object-group network Dallas

network-object 192.168.1.0 255.255.255.0

network-object host 192.168.1.10

object-group service RDP tcp

description Remote Desktop Port

port-object eq 3389

access-list inside_20_cryptomap extended permit ip any host 192.168.1.10

access-list inside_nat0_outbound extended permit ip any object-group Dallas

access-list inside_nat0_outbound extended permit ip 173.11.214.16 255.255.255.248 object-group Dallas

access-list inside_nat0_outbound extended permit ip any 192.168.2.0 255.255.255.192

access-list inside_nat0_outbound extended permit ip any host 192.168.1.10

access-list inside_nat0_outbound extended permit ip any RemoteVPN 255.255.255.192

access-list inside_access_out extended permit ip 192.168.25.0 255.255.255.0 any

access-list inside_access_out extended permit icmp any any echo

access-list inside_access_out extended permit icmp any any echo-reply

access-list outside_access_in extended permit ip any 192.168.25.0 255.255.255.0

access-list outside_access_in extended permit icmp any any echo

access-list outside_access_in extended permit icmp any any echo-reply

access-list outside_access_in extended permit ip RemoteVPN 255.255.255.0 host 192.168.1.10

access-list outside_cryptomap_20 extended permit ip 192.168.25.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list VP_splitTunnelAcl standard permit 192.168.25.0 255.255.255.0

access-list outside_nat0_outbound extended permit ip RemoteVPN 255.255.255.0 any

pager lines 24

logging enable

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu dmz 1500

ip local pool Dallas 192.168.2.12-192.168.2.34 mask 255.255.255.0

ip local pool RemoteConnect 192.168.24.10-192.168.24.45 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-522.bin

no asdm history enable

arp timeout 14400

nat-control

global (outside) 1 interface

nat (outside) 0 access-list outside_nat0_outbound

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 192.168.1.10 255.255.255.255

nat (inside) 1 0.0.0.0 0.0.0.0

static (outside,inside) tcp 192.168.25.51 87 173.xxx.xxx.20 ftp netmask 255.255.255.255

static (outside,inside) tcp 192.168.25.51 8080 173.xxx.xxx.20 8080 netmask 255.255.255.255

static (outside,inside) tcp 192.168.25.10 3389 173.xxx.xxx.20 3389 netmask 255.255.255.255

static (inside,outside) RemoteVPN RemoteVPN netmask 255.255.255.255

access-group outside_access_in in interface outside

access-group inside_access_out out interface inside

route outside 0.0.0.0 0.0.0.0 173.11.214.22 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

ldap attribute-map ActiveDirectoryMapTable

map-name VP cVPN3000-IETF-Radius-Class

map-value VP CN=VPNUser,CN=Users,DC=VP VPNUserPolicy

aaa-server VP protocol ldap

aaa-server VP host 192.168.25.10

ldap-base-dn CN=Administrators,CN=Builtin,DC=VP

ldap-scope onelevel

ldap-naming-attribute sAMAccountName

ldap-login-password *

ldap-login-dn CN=Administrator,CN=Users,DC=VP

server-type microsoft

ldap-attribute-map ActiveDirectoryMapTable

group-policy VP internal

group-policy VP attributes

vpn-tunnel-protocol IPSec l2tp-ipsec webvpn

split-tunnel-policy tunnelspecified

split-tunnel-network-list value VP_splitTunnelAcl

username Tech password f05JZRvsmFaw4Uqf encrypted privilege 15

username VPNUser password cnYM.Ml1XxVujQd4 encrypted privilege 7

aaa authentication telnet console LOCAL

aaa authentication enable console LOCAL

aaa authorization command LOCAL

http server enable

http 192.168.25.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

sysopt noproxyarp inside

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto dynamic-map outside_dyn_map 20 set pfs

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA

crypto dynamic-map outside_dyn_map 40 set pfs

crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA

crypto dynamic-map outside_dyn_map 60 set pfs

crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA

crypto map outside_map 20 match address outside_cryptomap_20

crypto map outside_map 20 set pfs

crypto map outside_map 20 set peer 66.xxx.xxx.148

crypto map outside_map 20 set transform-set ESP-DES-MD5

crypto map outside_map 20 set reverse-route

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

crypto map inside_map 20 match address inside_20_cryptomap

crypto map inside_map 20 set pfs

crypto map inside_map 20 set peer 66.xxx.xxx.148

crypto map inside_map 20 set transform-set ESP-DES-MD5

crypto map inside_map interface inside

crypto isakmp enable outside

crypto isakmp enable inside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 30

authentication pre-share

encryption des

hash md5

group 2

lifetime 28800

crypto isakmp policy 50

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 28800

crypto isakmp nat-traversal 20

crypto isakmp ipsec-over-tcp port 10000

tunnel-group 66.xxx.xxx.148 type ipsec-l2l

tunnel-group 66.xxx.xxx.148 ipsec-attributes

pre-shared-key *

tunnel-group VP type ipsec-ra

tunnel-group VP general-attributes

address-pool RemoteConnect

default-group-policy VP

tunnel-group VP ipsec-attributes

pre-shared-key *

tunnel-group Domainaccts type ipsec-ra

tunnel-group Domainaccts general-attributes

address-pool RemoteConnect

authentication-server-group VP

default-group-policy VP

tunnel-group Domainaccts ipsec-attributes

pre-shared-key *

telnet 173.xxx.xxx.20 255.255.255.255 outside

telnet 192.168.25.0 255.255.255.0 inside

telnet RemoteVPN 255.255.255.0 inside

telnet timeout 5

ssh timeout 5

console timeout 0

management-access inside

dhcpd dns 192.168.25.10 68.87.85.98

dhcpd domain VP

dhcpd auto_config outside

!

dhcpd address 192.168.25.12-192.168.25.129 inside

dhcpd dns 192.168.25.10 68.87.85.98 interface inside

dhcpd update dns interface inside

dhcpd enable inside

!

class-map inspection_default

match default-inspection-traffic

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

!

service-policy global_policy global

client-update enable

privilege cmd level 3 mode exec command perfmon

privilege cmd level 3 mode exec command ping

privilege cmd level 3 mode exec command who

privilege cmd level 3 mode exec command logging

privilege cmd level 3 mode exec command failover

privilege show level 5 mode exec command running-config

privilege show level 3 mode exec command reload

privilege show level 3 mode exec command mode

privilege show level 3 mode exec command firewall

privilege show level 3 mode exec command interface

privilege show level 3 mode exec command clock

privilege show level 3 mode exec command dns-hosts

privilege show level 3 mode exec command access-list

privilege show level 3 mode exec command logging

privilege show level 3 mode exec command ip

privilege show level 3 mode exec command failover

privilege show level 3 mode exec command asdm

privilege show level 3 mode exec command arp

privilege show level 3 mode exec command route

privilege show level 3 mode exec command ospf

privilege show level 3 mode exec command aaa-server

privilege show level 3 mode exec command aaa

privilege show level 3 mode exec command crypto

privilege show level 3 mode exec command vpn-sessiondb

privilege show level 3 mode exec command ssh

privilege show level 3 mode exec command dhcpd

privilege show level 3 mode exec command vpn

privilege show level 3 mode exec command blocks

privilege show level 3 mode exec command uauth

privilege show level 3 mode configure command interface

privilege show level 3 mode configure command clock

privilege show level 3 mode configure command access-list

privilege show level 3 mode configure command logging

privilege show level 3 mode configure command ip

privilege show level 3 mode configure command failover

privilege show level 5 mode configure command asdm

privilege show level 3 mode configure command arp

privilege show level 3 mode configure command route

privilege show level 3 mode configure command aaa-server

privilege show level 3 mode configure command aaa

privilege show level 3 mode configure command crypto

privilege show level 3 mode configure command ssh

privilege show level 3 mode configure command dhcpd

privilege show level 5 mode configure command privilege

privilege clear level 3 mode exec command dns-hosts

privilege clear level 3 mode exec command logging

privilege clear level 3 mode exec command arp

privilege clear level 3 mode exec command aaa-server

privilege clear level 3 mode exec command crypto

privilege cmd level 3 mode configure command failover

privilege clear level 3 mode configure command logging

privilege clear level 3 mode configure command arp

privilege clear level 3 mode configure command crypto

privilege clear level 3 mode configure command aaa-server

prompt hostname context

Cryptochecksum:0ad2ea133bd13d8018f2899f86a9a101

: end

raga.fusionet · ‎08-08-2011

Anthony,

In order for the traffic to traverse the tunnel, the other site must include the subnet of your VPN clients on their Interesting traffic. Remeber that a VPN consists of a set of rules that must match on both sides so your VPN client will fail to the get to other side as long as they dont allow it on their ACLs.

At this point there is no security association created for the traffic between your VPN client and the remote site. That means that the traffic will no go thru. This is because they havent added your VPN client's subnet to their interesting traffic.

BTW the fact that the tunnel is up, doesnt mean you can send any network's traffic thru it. Remember that it should be explicitly allowed on the ACLs of both sites.

I hope this answers your questions.

Raga

View solution in original post

raga.fusionet · ‎08-05-2011

Basically you need to modify your interesting traffic.

On the ASA:

Add your IP Pool the the crypto ACL:

access-list outside_cryptomap_20 permit ip 192.168.24.0 255.255.255.0 192.168.1.0 255.255.255.0

Add the remote site's network to your SPlit tunneling ACL:

access-list VP_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0

On the remote Router, add a line for the return traffic to the VPN Pool

access-list xxx permit ip 192.168.1.0 255.255.255.0 192.168.24.0 255.255.255.0

Do the same for the NAT Exception ACL on the remote site.

And that should do it.

Here is a doc that explains what you are trying to do in case you need some clarification:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008046f307.shtml

I hope this helps.

Raga

Parminder Sian · ‎08-05-2011

Hi,

Add the pool to crypto access of VPN tunnel and add remote sites network in split tunneling, and yeh dont for get to add no nat acl for remote site as well.

That sould do the trick.

Sian

fuoritedesco · ‎08-07-2011

Luis,

The link you posted with the information was close to what I am trying to get working, however, I am not using TACACS+ Authentication. Knowing that I could find an article close to what I was looking for, I found this document:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00804675ac.shtml

With that information, I have added the recommended lines to my CRYPTO and NAT ACLs. Now when I run packet tracer for an echo reply from my laptop to the L2L network server, I no longer get an IPSECspoof failure. Instead, I get a failure in phase 10 of the packet tracer.

Is this a condition of the IPSec traffic coming in encryped from the VPN client, then being decrypted by the ASA before going back out? If so, what keeps the ASA from sending the un-encrypted version back through to fail?

In case it was an Authentication problem, I removed some extra AAA server information that was not being utilized in my configuration so that I can work one issue at a time.

ASA Version 7.2(2)

!

hostname ciscoasa

domain-name default.domain.invalid

enable password ykhud5eCZELCCoHu encrypted

names

name 192.168.24.0 RemoteVPN

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.25.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address 173.xxx.xxx.20 255.255.255.248

!

interface Vlan3

no forward interface Vlan1

nameif dmz

security-level 50

no ip address

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

passwd 2KFQnbNIdI.2KYOU encrypted

ftp mode passive

dns domain-lookup outside

dns domain-lookup inside

dns server-group DefaultDNS

name-server 192.168.25.10

name-server 68.xxx.xxx.98

domain-name default.domain.invalid

dns server-group ncdc

name-server 192.168.25.10

name-server 68.xxx.xxx.98

same-security-traffic permit intra-interface

object-group network Dallas

network-object 192.168.1.0 255.255.255.0

network-object host 192.168.1.10

object-group service RDP tcp

description Remote Desktop Port

port-object eq 3389

access-list inside_20_cryptomap extended permit ip any host 192.168.1.10

access-list inside_nat0_outbound extended permit ip any object-group Dallas

access-list inside_nat0_outbound extended permit ip 173.xxx.xxx.16 255.255.255.248 object-group Dallas