1116 Views, 0 Helpful, 9 Replies

hub and spoke - vpn clients cannot reach hub from spokes

brentwoodind
Level 1

I have two remote sites that have existing site-to-site VPN connections. I have no issues, if I VPN into a particular site, reaching services at that site.

I cannot reach services at other sites.

My VPN address pool is 192.168.20.X/24 at the hub.

The spokes are 192.168.30.X/24 and 192.168.40.X/24 at the respective spokes.

My internal IP is 172.16.X.X/21.

Each site is on a separate subnet in this range.

So if I VPN into the hub (VPN IP is 192.168.20.X/24), I can reach services at 172.16.8.X/21, but cannot reach a hub at 172.16.56.X/21.

I am sure this may be a routing issue; I have tried adding static routes, but no joy.

All sites are ASA 5510s.


9 Replies

Hi,

Assuming you have this:

Local LAN --- Hub ---- Remote Site --- Remote LAN
               |
           VPN client

The VPN clients can reach the local LAN.

For the VPN clients to be able to reach the remote LAN (through the site-to-site between the hub and the spoke) you need to do this:

Add the VPN range to the interesting traffic for the site-to-site.

Add the Remote LAN to the split-tunneling configuration for the VPN clients.

Make sure NAT or bypass NAT is correct.

Enable the command "same-security-traffic permit intra-interface".

Hope it helps.

Federico.

Federico,

Thank you for the quick response, but no luck!

Your drawing is correct; here is a little more detailed one.

Local Network -----  Local ASA  ---(tunnel)---  Remote ASA --- Remote Network
(172.16.56.X/21)         |                                    (172.16.8.X/21)
                         |
                     VPN client
                   (192.168.40.X)

I added the 192.168.40.X/24 (VPN DHCP pool) to the crypto map entry for the site-to-site,

then added the same IP address range to the split-tunnel standard ACL.

I also added the 192 range to the outside int NAT exempt.

I hope you, or anyone else, could assist with more detailed instructions on setting it up.

The configuration that you will need is:

Local ASA:

access-list L2L permit ip 192.168.40.0 255.255.255.0 172.16.8.0 255.255.248.0

access-list split permit ip 172.16.8.0 255.255.248.0 192.168.40.0 255.255.255.0

same-security-traffic permit intra-interface

Remote ASA:

access-list L2L permit ip 172.16.8.0 255.255.248.0 192.168.40.0 255.255.255.0

access-list nonat permit ip 172.16.8.0 255.255.248.0 192.168.40.0 255.255.255.0

The names of the ACLs reflect where to configure them.

Also, if there's a NAT rule configured on the outside interface of the main ASA, you should bypass NAT for this traffic.

Let me know how it goes.

Federico.

Federico,

Still no joy.

I am using the ASDM.

On the local ASA I have added 192.168.40.0/24 to the outside crypto map for the tunnel, in the source.

I also added 192.168.40.0/24 to the split-tunnel ACL.

On the remote ASA I added 192.168.40.0/24 to the outside crypto map, in the destination.

I also added it to the exempt NAT on the inside, as the destination.

You said "I also added 192.168.40.0/24 to the split tunnel ACL".

This is not right if 192.168.40.0/24 is your VPN pool. You should be adding the remote subnet in the standard split ACL. Check your statistics on the client once you connect, to see whether both the local and remote subnets appear as part of the secured routes.

Brent,

Rahul is correct.

Please make sure you're not mistyping the wrong networks in the wrong places.


Federico.

I added the 172.16.8.0/21 network to the split. I now see in the client, under secured routes, the local LAN (56.0/21) and the remote LAN (8.0/21).

I am getting this error on the remote ASA: No translation group found for tcp src Outside:192.168.40.81/1384 dst Inside:172.16.X.X/80

X.X is a PC on the remote LAN.

I added to the remote ASA:

access-list nonat-toczech permit ip 172.16.8.0 255.255.248.0 192.168.40.0 255.255.255.0

What is the nat translation that you have on the outside interface? And do you have nat-control enabled?

I GOT IT!!

I added access-list Inside_nat0_outbound extended permit (remote LAN to local LAN).

I am able to ping and browse.

Thanks everyone
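Federico's four steps (interesting traffic, split tunnel, NAT exemption, intra-interface hairpin) and the nat0 entry that finally fixed the thread, assembled into one hub-and-spoke excerpt. This is an added example, not a configuration anyone posted in the thread. It uses the thread's addressing (VPN pool 192.168.40.0/24, hub LAN 172.16.56.0/21, spoke LAN 172.16.8.0/21) and assumes interface names inside/outside, peer addresses 203.0.113.1 (hub) and 198.51.100.1 (spoke), and the names outside_map, ESP-AES-SHA, RA_policy, RA_pool and the ACL names; all of those are made up for the illustration. ISAKMP policies, pre-shared keys and tunnel-groups are omitted because the thread's tunnels already come up. The NAT syntax is the pre-8.3 form (nat 0 access-list), which is what the "No translation group found" and nat-control messages in the thread belong to; on 8.3 and later the same exemptions are written as twice NAT (nat (outside,outside) source static ... destination static ...) instead.

```cisco
! ===== Hub ASA: terminates the VPN clients, hosts 172.16.56.0/21 =====
! 1. Interesting traffic for the hub<->spoke tunnel. Source is always "this side",
!    so the VPN pool goes in as a SOURCE on the hub, alongside the hub LAN.
access-list L2L_to_spoke extended permit ip 172.16.56.0 255.255.248.0 172.16.8.0 255.255.248.0
access-list L2L_to_spoke extended permit ip 192.168.40.0 255.255.255.0 172.16.8.0 255.255.248.0
crypto map outside_map 10 match address L2L_to_spoke
crypto map outside_map 10 set peer 198.51.100.1
crypto map outside_map 10 set transform-set ESP-AES-SHA
crypto map outside_map interface outside

! 2. Split tunnel: the LANs the client must send INTO the tunnel.
!    The pool itself is not a destination and does not belong here (Rahul's point).
access-list split_tunnel standard permit 172.16.56.0 255.255.248.0
access-list split_tunnel standard permit 172.16.8.0 255.255.248.0
ip local pool RA_pool 192.168.40.1-192.168.40.254 mask 255.255.255.0
group-policy RA_policy internal
group-policy RA_policy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_tunnel

! 3. NAT exemption. Client->spoke traffic arrives on outside and leaves on outside,
!    so its exemption must be bound on OUTSIDE; the inside list only covers the hub LAN.
access-list inside_nat0_outbound extended permit ip 172.16.56.0 255.255.248.0 172.16.8.0 255.255.248.0
access-list inside_nat0_outbound extended permit ip 172.16.56.0 255.255.248.0 192.168.40.0 255.255.255.0
access-list outside_nat0_outbound extended permit ip 192.168.40.0 255.255.255.0 172.16.8.0 255.255.248.0
nat (inside) 0 access-list inside_nat0_outbound
nat (outside) 0 access-list outside_nat0_outbound

! 4. Allow the hairpin: in on outside (from the client), out on outside (into the L2L).
same-security-traffic permit intra-interface

! ===== Spoke ASA: hosts 172.16.8.0/21 =====
! Mirror image of the hub's crypto ACL: the VPN pool is a DESTINATION here.
access-list L2L_to_hub extended permit ip 172.16.8.0 255.255.248.0 172.16.56.0 255.255.248.0
access-list L2L_to_hub extended permit ip 172.16.8.0 255.255.248.0 192.168.40.0 255.255.255.0
crypto map outside_map 10 match address L2L_to_hub
crypto map outside_map 10 set peer 203.0.113.1
crypto map outside_map 10 set transform-set ESP-AES-SHA
crypto map outside_map interface outside

! The entry that fixed the thread. It must be in the ACL that is actually bound with
! "nat (inside) 0"; an extra ACL (like nonat-toczech) that is defined but never bound
! does nothing. With nat-control enabled, a reply from 172.16.8.x to 192.168.40.x that
! matches no NAT rule is dropped and logged as "No translation group found".
access-list inside_nat0_outbound extended permit ip 172.16.8.0 255.255.248.0 172.16.56.0 255.255.248.0
access-list inside_nat0_outbound extended permit ip 172.16.8.0 255.255.248.0 192.168.40.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
```

To check each hop the way the thread did: on the client, the secured routes should list both 172.16.56.0/21 and 172.16.8.0/21; on the hub, "show crypto ipsec sa peer 198.51.100.1" should show a child SA for 192.168.40.0/24 <-> 172.16.8.0/21 with encaps and decaps counters moving; on the spoke, "packet-tracer input outside tcp 192.168.40.81 1384 172.16.8.10 80" (172.16.8.10 standing in for the PC in the thread) walks the NAT-exempt and crypto lookups and names the phase that drops the packet, which is quicker than reading syslog for the "No translation group found" line.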