cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1300
Views
0
Helpful
3
Replies

Problem with VPN using public ip addresses on the LAN

We have an issue where we are using public ip addresses on our lan and have setup a site to site vpn to out data center, we wish internet traffic to breakout at data center using the original ip addresses on our pc's. we are able to get to internet if we pat behind the outside interface of the data center interface but cant get it to work using the original addressing, does anybody have any suggestions? this worked ok when we were using a gre tunnel but not with ipsec vpn.

 

Thanks.

3 Replies 3

Jouni Forss
VIP Alumni
VIP Alumni

Hi,

 

So you are saying that you have a public subnet on your central site and the central site has a connection to a datacenter with a L2L VPN connection (that the public subnet on the central site is using) and you want all traffic from the public subnet on your central site to first use the L2L VPN and then head out to the Internet through the datacenter?

 

My first question with regards to this would be related to the routing of the public subnet. Does the ISP as the datacenter site have the public subnet routed towards the datacenter VPN device? I would imagine that the actual central site ISP was adverticing this public subnet to be found on your central site?

 

You say doing Dynamic PAT on the datacenter for the central sites public subnet makes the connection to Internet work through the L2L VPN? This would again point to a problem that the actual public subnet is not adverticed on the Internet to be found throgh your datacenter ISP and the VPN device located there?

 

Naturally there is a slight change that a NAT configuration or lack of a NAT configuration on a datacenter site might cause the connections to fail towards the Internet. Though usually there is no NAT configuration that applies to traffic from "outside" to "outside" so that traffic should usually pass without NAT. But again we dont know what devices are being used and if they are ASAs we dont know the exact software levels running on those units.

 

So at first it seems to me to be a routing problem but I can't really say for sure on the basis of the above.

 

- Jouni

 

 

 

Thanks Jouni,

So you are saying that you have a public subnet on your central site and the central site has a connection to a datacenter with a L2L VPN connection (that the public subnet on the central site is using) and you want all traffic from the public subnet on your central site to first use the L2L VPN and then head out to the Internet through the datacenter?

This is correct, dont ask why we do this i just know i need to make it work :)

My first question with regards to this would be related to the routing of the public subnet. Does the ISP as the datacenter site have the public subnet routed towards the datacenter VPN device? I would imagine that the actual central site ISP was adverticing this public subnet to be found on your central site?

Yes the isp is routing the LAN(Public ip addresses) to the Data Center internet connection which terminates on our ASA. this worked with our old gre tunnel but when we upgraded to a site to site it stopped. the link between the central site and the data centre uses a different set of public addresses.

You say doing Dynamic PAT on the datacenter for the central sites public subnet makes the connection to Internet work through the L2L VPN? This would again point to a problem that the actual public subnet is not adverticed on the Internet to be found throgh your datacenter ISP and the VPN device located there?

As above the isp is routing our lan addresses to the data centre site and we are using a different subnet to communicate between the site and the data center.

Naturally there is a slight change that a NAT configuration or lack of a NAT configuration on a datacenter site might cause the connections to fail towards the Internet. Though usually there is no NAT configuration that applies to traffic from "outside" to "outside" so that traffic should usually pass without NAT. But again we dont know what devices are being used and if they are ASAs we dont know the exact software levels running on those units.

We are using Cisco ASA's at each site and are running 9.1.5 or newer. 

So at first it seems to me to be a routing problem but I can't really say for sure on the basis of the above.

I can confirm we can reach the data center asa using the original addressing across the vpn but internet bound traffic is failing.

Hi,

 

Since we are talking about a L2L VPN connection and the fact that the traffic is coming from "outside" to "outside" its probably not an option to use the "packet-tracer" command as the ASA can not really simulate a packet that is incoming from a VPN connection.

 

But it seems to me that if just adding Dynamic PAT on the datacenter site makes it work then you probably have the L2L VPN portion correctly configured. I presume that part of the Crypto ACL is configured like this on the ASAs

 

access-list CENTRAL-TO-DC permit ip <public subnet> <mask> any

 

access-list DC-TO-CENTRAL permit ip any <public subnet> <mask>

 

As the above should make sure that all public IP addresses should be reached through the L2L VPN. I am actually not sure can you have "deny" statements on a Crypto ACL to rule out any possible private/local networks.

 

I guess I would personally start troubleshooting this by

 

  • Attempt some TCP connection from the central sites public subnet towards the Internet.  Check what the output of "show conn | inc <public source ip>" says or does it say anything.
    • If it shows TCP connection that has not completely formed (for example TCP flags are not UIO) then it would point to a situation where the traffic is atleast allowed through the firewall. I would also possibly use the command "show conn long | inc <public source ip>" and confirm that the connection listed is between the correct interfaces and that the there is not NAT involved. I think the output should list the source/destination IP addresses twice and having the other inside ()
    • If it does not show anything at all in the listing it would seem to me that the ASA possibly drops the traffic. For that there could be a couple of reasons atleast but in this case it might even be conflicting NAT configurations as I doubt its any ACLs etc since by adding Dynamic PAT it works.
  • Attempt to monitor a TCP connection attempt through the ASDM Monitor/Logging section and see if the connection is Built/Teardown or if there is a Deny message related to the source IP address of the connection. Is there any error messages about Asymmetric NAT rules?
  • Capture the traffic on the external interface of the datacenter ASA to see if any traffic with the public subnet is heading out through the external ASA interface and if anything is coming through
    • The below sections list the ACLs for the capture and the actual "capture" command
      • access-list CENTRAL-CAP permit ip <public subnet> <mask> any
      • access-list CENTRAL-CAP permit ip any <public subnet> <mask>
      • capture CENTRAL-CAP type raw-data access-list CENTRAL-CAP interface outside buffer 33500000 circular-buffer
      • To show captures on the ASA: show capture
      • To show capture contents on the ASA: show capture CENTRAL-CAP
      • To copy capture: copy /pcap capture:CENTRAL-CAP tftp://x.x.x.x/CENTRAL-CAP.pcap
      • To remove capture: no capture CENTRAL-CAP

 

The above should be something to start with.

 

Hope this helps :)

 

- Jouni

 

 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: