How to pass traffic from a PTP VPN tunnel to a L2L VPN tunnel co-located at 1 site.

lguerrero08 (Level 1)

Here is the situation. I have a PTP tunnel from Site A to Site B. At Site B I have a S2S VPN tunnel to Site C. I need to get traffic from Site A to Site C. I did find this thread below:

https://supportforums.cisco.com/discussion/12302901/how-pass-traffic-one-s2s-vpn-site-through-asa-another-s2s-vpn-site

I guess I would like to know if this is the only way to go about doing it or if there would be a better route to take. There is a diagram attached for visual.

Note: Site B to C requires NAT. 

Site A - ASA5510

Site B - ASA5510

Site C - ASA5400

17 Replies

Abaji Rawool (Level 3)

Hi,

You can refer to this document: http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/64692-enhance-vpn-pix70.html

It's for the old PIX firewall, but the concept remains the same.

HTH

Abaji.

Hi Abaji,

Thanks for the reply. I have a question regarding when it is that I should be conducting the NAT. I'm assuming it should be at the HUB location. And if that is the case, I believe I should exclude any nonats for the required NAT traffic. Am I correct in assuming that?

Also, the tunnel from Site B to C was created solely for the traffic from Site A. I'm not sure whether that'll complicate things less, given that there is no specific traffic from Site B that is required for Site C.

Hi,

Yes, traffic that requires NAT will be NATted on the HUB's outside interface (U-turning traffic).

Traffic for the tunnel is controlled by the crypto map ACL, and you can use whatever source/destination in it as long as there is connectivity through routes for those networks.

For example:

SiteA - Subnet1

SiteB - Subnet2

SiteC - Subnet3

As per my understanding of your design, the VPN ACLs on the HUB (Site B) will be something like:

VPN to Site A - permit subnet2 to subnet1 and permit subnet3 to subnet1

VPN to Site C - permit subnet1 to subnet3

I hope this helps

HTH

Abaji.
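The hub-side design described above, written out as an added ASA 8.4+ configuration example (not from this thread or from Cisco): both tunnels terminate on the hub's Outside interface, Site A traffic is hairpin-NATted there before re-encryption toward Site C, and every remote subnet has a route pointing at the tunnel interface. All subnet, peer and object names are constructed for illustration; the next-hop and pre-shared keys are placeholders.

```text
! Added example, not from the thread. Hub (Site B) ASA config for Subnet1 -> Subnet3 across two tunnels on Outside.
! Constructed values: SUBNET1 10.45.54.0/24 (Site A), SUBNET2 192.168.92.0/24 (Site B, inside),
! SUBNET3 100.100.226.0/24 (Site C), SITE-A-NAT 172.16.54.0/24, peers 198.51.100.1 (A) and 203.0.113.3 (C).
object network SUBNET1
 subnet 10.45.54.0 255.255.255.0
object network SUBNET2
 subnet 192.168.92.0 255.255.255.0
object network SUBNET3
 subnet 100.100.226.0 255.255.255.0
object network SITE-A-NAT
 subnet 172.16.54.0 255.255.255.0
! Both tunnels land on Outside, so decrypted Site A traffic re-enters the same interface (U-turn).
same-security-traffic permit intra-interface
! Crypto ACL to Site A (local side first): Site A may reach Subnet2 and Subnet3 through this tunnel.
access-list SITEA_CRYPTO extended permit ip object SUBNET2 object SUBNET1
access-list SITEA_CRYPTO extended permit ip object SUBNET3 object SUBNET1
! Crypto ACL to Site C uses the translated source, since NAT runs before crypto-map matching.
access-list SITEC_CRYPTO extended permit ip object SITE-A-NAT object SUBNET3
! Identity NAT so Site B <-> Site A is not translated.
nat (inside,Outside) source static SUBNET2 SUBNET2 destination static SUBNET1 SUBNET1 no-proxy-arp route-lookup
! Hairpin NAT: Site A sources become SITE-A-NAT on the way to Site C; replies are untranslated by the same rule.
nat (Outside,Outside) source static SUBNET1 SITE-A-NAT destination static SUBNET3 SUBNET3
! Routes for every remote subnet must point at the interface that terminates the tunnel, not at a LAN router.
route Outside 10.45.54.0 255.255.255.0 <outside-next-hop> 1
route Outside 100.100.226.0 255.255.255.0 <outside-next-hop> 1
crypto ikev1 enable Outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 ikev1 pre-shared-key <psk-site-a>
tunnel-group 203.0.113.3 type ipsec-l2l
tunnel-group 203.0.113.3 ipsec-attributes
 ikev1 pre-shared-key <psk-site-c>
! One crypto map, two entries: the first matching ACL entry selects the peer.
crypto map Outside_map 10 match address SITEA_CRYPTO
crypto map Outside_map 10 set peer 198.51.100.1
crypto map Outside_map 10 set ikev1 transform-set ESP-AES-256-SHA
crypto map Outside_map 20 match address SITEC_CRYPTO
crypto map Outside_map 20 set peer 203.0.113.3
crypto map Outside_map 20 set ikev1 transform-set ESP-AES-256-SHA
crypto map Outside_map interface Outside
```

The spokes must mirror this: Site A's crypto ACL permits SUBNET1 to SUBNET3 and its route for 100.100.226.0/24 points at its PTP interface, while Site C's crypto ACL permits SUBNET3 to SITE-A-NAT (the post-NAT addresses). Verify with "packet-tracer input Outside icmp 10.45.54.13 8 0 100.100.226.10" on the hub and confirm the flow ends in the encrypt phase with output interface Outside rather than an acl-drop.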

Abaji,

Thanks for the clarification. So I'm doing everything correctly (as far as I can tell) but, I'm still not getting this tunnel to pass this traffic. 

While doing a tracert from the server on SiteA to SiteC it shows that it's still routing through my router rather than directing traffic through the PTP cryptomap. Am I missing something that is not "forcing" this IP through the PTP VPN tunnel?

Hi,

Could you share the configurations and packet tracer output from site A? (Highlight subnets of all 3 sites)

HTH,

Abaji.

Abaji,

Below is the access list for the PTP crypto. Attached are the packet tracer outputs. I can work on getting you the rest of the config. I just have to sanitize it.

route Outside 0.0.0.0 0.0.0.0 65.43.21.253 1 (GW1-Router)
route HUB_PTP 192.168.92.0 255.255.255.0 123.45.56.2 1 (siteB Peer Address)


crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map HUB_PTP_map 1 match address HUB_PTP_cryptomap-new
crypto map HUB_PTP_map 1 set peer 123.45.56.2
crypto map HUB_PTP_map 1 set ikev1 transform-set ESP-AES-256-SHA
crypto map HUB_PTP_map 1 set nat-t-disable
crypto map HUB_PTP_map interface HUB_PTP
crypto map crypto 16000 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

access-list HUB_PTP_cryptomap-new extended permit ip any SITE-B

access-list HUB_PTP_cryptomap-new extended permit ip object-group SITE-A object-group SITE-C log

Hi,

Your route lookup is pointing to Outside:

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         Outside

The destination IP you are trying is 100.100.226.10, and it does not have a route to your VPN interface.

If this is the NATted subnet, then your route should point to 100.100.226.X.

HTH,

Abaji.

Abaji,

Thanks for the reply, and forgive me if this sounds like a stupid question but, that would simply be a route command, right? 

i.e. route HUB_PTP 100.100.226.1 (PTP Peer Address)

The NATted subnet is actually the 10.45.54.13 address, but that isn't being NATted until it reaches Site B going to Site C.

No worries!

It should be

route HUB_PTP 100.100.226.0 <subnet mask> <next hop gateway IP address on the PTP interface>

HTH,

Abaji.

Awesome! I'll give that a shot right now and see how it goes. Now I have a couple more questions if you don't mind. Is there a way I could do a bulk of IPs? I have a necessity to add various IPs that are not all on the same subnet... I'm assuming I'm going to have to add each one individually and consolidate what I can.

Next question is, if you might have any idea what may be causing the VPN Encrypt drop? I suspect it's something on siteB possibly?

Thank you so much for all the help you've provided me already!

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 100.100.226.10 255.255.255.255 HUB_PTP

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xaf9097f0, priority=3, domain=permit, deny=false
hits=14, user_data=0x0, cs_id=0x0, flags=0x4000, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=HUB_PTP, output_ifc=HUB_PTP

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xad9acd08, priority=0, domain=nat-per-session, deny=true
hits=5289395, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xae18c468, priority=0, domain=inspect-ip-options, deny=true
hits=107489, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=UHS_PTP, output_ifc=any

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xaecf3cc8, priority=66, domain=inspect-icmp-error, deny=false
hits=233, user_data=0xae1596b0, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=0, dscp=0x0
input_ifc=HUB_PTP, output_ifc=any

Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xaf8fe2f0, priority=13, domain=ipsec-tunnel-flow, deny=true
hits=4360, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=UHS_PTP, output_ifc=any

Phase: 7
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0xaf241ab0, priority=70, domain=encrypt, deny=false
hits=4, user_data=0x0, cs_id=0xafb96e58, reverse, flags=0x0, protocol=0
src ip/id=10.45.54.13, mask=255.255.255.255, port=0, tag=0
dst ip/id=100.100.226.10, mask=255.255.255.255, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=HUB_PTP

Yes, you can add multiple subnets to the crypto map ACL and add routes for those to the VPN interface. Make sure the subnets are distinct and not overlapping with an existing tunnel, if any.

VPN encrypt DROP may be occurring because the tunnel is not up currently. You need to make sure all VPN parameters are matching at both ends.

HTH,

Abaji.

It seems that I'm hitting an ACL drop at Site B. The VPN cryptos seem to match just fine. If I'm not mistaken, it should be hitting the NAT instead of an access-list, correct? That's how it seems to work when I run a successful packet-trace on a different interface. (see attached)

HubFW(config)# packet-tracer input SiteA_PTP icmp 10.45.54.13 0 0 100.100.226.10

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xae659910, priority=13, domain=capture, deny=false
hits=533991633, user_data=0xb3009d40, cs_id=0x0, l3_type=0x0
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0000.0000.0000
input_ifc=SiteA_PTP, output_ifc=any

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xad9a53d8, priority=1, domain=permit, deny=false
hits=974213130, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=SiteA_PTP, output_ifc=any

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 Outside

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xad7bd748, priority=11, domain=permit, deny=true
hits=5240, user_data=0x5, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=STRAC_PTP, output_ifc=any

Result:
input-interface: siteA_PTP
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Crypto ACL:


access-list STARK_PTP_cryptomap-new extended permit ip object-group CLIENT-Remote object-group SITE-A-NAT log
access-list STARK_PTP_cryptomap-new extended permit ip object-group SITE-A-NAT object-group CLIENT-Remote log
access-list STARK_PTP_cryptomap-new extended permit ip interface STARK_PTP interface ATT log
access-list STARK_PTP_cryptomap-new extended permit udp interface STARK_PTP interface ATT eq isakmp log
access-list STARK_PTP_cryptomap-new extended permit ip interface ATT host 199.XX.XX.69 log



Hello,

Make sure that on the HUB you have this command added for the U-turn of traffic:

same-security-traffic permit intra-interface

http://www.cisco.com/c/en/us/td/docs/security/asa/asa81/command/ref/refgd/s1.html

HTH,

Abaji.

Abaji,

The command is there already. If you give me a few minutes, I will provide you with the config. I just need to finish sanitizing it.
