10-24-2012 07:23 PM
I've searched through the discussions but am having troubles finding a solution to my problem.
I have five (5) sites all connected via static VPN tunnels. They are all using Cisco ASA 5510s running 8.4(4)1. Any internal IP on each site can ping any IP on a remote site thanks to the static VPN tunnels. I have the external IP (routeable) addresses connecting to each other.
Site A: 10.1.0.0 /24
Site B: 10.2.0.0 /24
Site C: 10.3.0.0 /24
Site D: 10.5.0.0 /24
Site E: 10.10.0.0 /20
I have remote users who connect using Cisco AnyConnect 3.1 to Site E. They get a static IP within the 10.10.100.0 /24 subnet (vpnpool00) and can access anything in the 10.10.0.0 /20 subnet. So far, so good.
Now management wants users to access devices within the other sites, specifically Site A, using the same AnyConnect connection. In other words, they get an IP address of, say, 10.10.100.5 and now need to access a server on Site A's subnet, e.g. 10.1.0.5.
I have checked my NAT statements and they appear to allow this, but so far when I do a ping I get the following:
Routing failed to locate next hop for ICMP from outside: 10.10.100.5/1 to inside: 10.1.0.5/0
What am I missing? Is there a NAT statement that is wrong, or an access-list statement or possibly a static route?
Any suggestions would be appreciated.
Thanks in advance.
10-24-2012 07:35 PM
Hi Kerry,
Routing failed to locate next hop for ICMP from outside: 10.10.100.5/1 to inside: 10.1.0.5/0
It points to the inside, and according to your description you are connected to Site E, so the 10.1.0.0/24 network is supposed to be on the outside across an L2L tunnel.
So, you either have a wrong route or your NAT rules are not properly configured.
For this to work, we don't really need a NAT rule on the outside unless you have another NAT affecting this inbound traffic.
You need the "same-security-traffic permit intra-interface" in order to allow U-turning on the outside interface.
So, please check the following (I am going to assume that you may have some NAT rules affecting the inbound connections):
1- object network anyconnect_pool
subnet 10.10.100.0 255.255.255.0
!
object network 10.1.0.0_24
subnet 10.1.0.0 255.255.255.0
!
nat (outside,outside) 1 source static anyconnect_pool anyconnect_pool destination static 10.1.0.0_24 10.1.0.0_24
!
route outside 10.10.100.0 255.255.255.0 default_gateway_outside
route outside 10.1.0.0 255.255.255.0 default_gateway_outside
!
This should cover any possible routing and NAT issue.
In addition to this, make sure you include the AnyConnect pool in the L2L between Site E and Site A.
HTH.
Portu.
Please rate any helpful posts
10-25-2012 04:41 AM
Thanks for the information. I will check once I get into the office and have time to debug.
Will let you know the results.
10-25-2012 06:07 AM
Sounds good.
Portu.
Please rate any helpful posts
10-25-2012 07:30 AM
Portu,
Thanks for the help, but after adding the NAT statement and the two extra routes and including the anyconnect pool into the L2L connection, I am still unable to connect to any other subnet outside of the Site E subnet or 10.10.0.0 /20.
I tried pinging 10.1.0.5 (Site A) and got the same error as before.
Informational logging is not showing me anything.
Here is what was added via my Rancid report:
Index: configs/10.10.0.1
===================================================================
retrieving revision 1.24
diff -U 4 -r1.24 10.10.0.1
@@ -419,8 +419,11 @@
+ object-group network DM_INLINE_NETWORK_8 network-object 10.10.0.0
+ 255.255.240.0 network-object object vpnpool00
- access-list outside_cryptomap_1 extended permit ip 10.10.0.0 255.255.240.0 object 10.1.0.0_24
+ access-list outside_cryptomap_1 extended permit ip object-group
+ DM_INLINE_NETWORK_8 object 10.1.0.0_24
+ nat (outside,outside) source static vpnpool00 vpnpool00 destination static 10.1.0.0_24 10.1.0.0_24
+ route outside 10.10.100.0 255.255.255.0 216.xx.xx.xx 1
+ route outside 10.1.0.0 255.255.255.0 216.xx.xx.xx 1
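Review bot: the hunk adds the outside-to-outside identity NAT (`nat (outside,outside) source static vpnpool00 vpnpool00 destination static 10.1.0.0_24 10.1.0.0_24`) and widens the crypto ACL with DM_INLINE_NETWORK_8, but it does not contain `same-security-traffic permit intra-interface`, which the earlier reply names as required for the U-turn on the outside interface; confirm that line is already in the running config, since nothing in this diff adds it. Also, because 10.10.100.0/24 lies outside 10.10.0.0/20 (10.10.0.0 to 10.10.15.255), the new crypto ACL entry only helps if the Site A peer's crypto ACL is changed to the mirror image that includes vpnpool00 as a remote network; otherwise the proxy identities will not match and the SA for that pair will not come up.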
Again, while attempting to ping from the vpnpool00 address 10.10.100.4 to the 10.1.0.5 box, I see the ICMP connection being built and torn down, but nothing more. The pings from my VPN'ed laptop to Site A simply show "Request timeout for icmp_seq....."
Any suggestions are appreciated.
10-25-2012 07:48 AM
Thanks for the heads up.
Please include the "show crypto ipsec sa peer SiteA_Public_IP" output from SiteE.
Also please attach the latest logs.
Thanks.
Please rate helpful posts.
10-25-2012 07:53 AM
cisco# sho crypto ipsec sa peer 209.xxx.xx.xxx
peer address: 209.xxx.xx.xxx
Crypto map tag: outside_map, seq num: 2, local addr: 216.xx.xx.xxx
access-list outside_cryptomap_1 extended permit ip 10.10.0.0 255.255.240.0 10.1.0.0 255.255.255.0
local ident (addr/mask/prot/port): (10.10.0.0/255.255.240.0/0/0)
remote ident (addr/mask/prot/port): (10.1.0.0/255.255.255.0/0/0)
current_peer: 209.xxx.xx.xxx
#pkts encaps: 53047, #pkts encrypt: 53047, #pkts digest: 53047
#pkts decaps: 52234, #pkts decrypt: 52225, #pkts verify: 52225
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 53047, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 9
local crypto endpt.: 216.xx.xx.xxx/0, remote crypto endpt.: 209.xxx.xx.xxx/0
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: F426BE72
current inbound spi : 32C641FA
inbound esp sas:
spi: 0x32C641FA (851853818)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 2400256, crypto-map: outside_map
sa timing: remaining key lifetime (sec): 756
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xF426BE72 (4096179826)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 2400256, crypto-map: outside_map
sa timing: remaining key lifetime (sec): 755
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
cisco#
I tried to obfuscate the information as best I could.
Just an FYI, the internal IP addresses (RFC1918) are also not exactly what I am using, but are close enough.
I can turn on debugging and capture some data and post it here if that helps as well.
10-25-2012 08:17 AM
The VPN pool: 10.10.100.0 255.255.255.0
Local VPN proxy (LAN-to-LAN): 10.10.0.0 255.255.240.0 = 10.10.0.1 ---> 10.10.15.255
So:
1- Please add the 10.10.100.0 /24 network to LAN-to-LAN tunnel.
2- The network is already added, but the SA is not coming up.
Please confirm.
Thanks.
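The point above is that the AnyConnect pool (10.10.100.0/24) is not inside the tunnel's local proxy identity (10.10.0.0/20), so traffic from a client address is never selected for the L2L SA. The following script is an added example, not part of this thread or of any Cisco tool: it parses the `local ident` / `remote ident` lines that `show crypto ipsec sa` prints and reports whether a given source/destination pair is covered. The sample output is constructed from the addresses quoted in this thread; the function names are this example's own.

```python
"""Check whether a source/destination pair is covered by a LAN-to-LAN
tunnel's proxy identities, as printed by 'show crypto ipsec sa' on an ASA.

Added example for this thread (not Cisco code). Sample data below is
constructed from the addresses discussed above."""

import ipaddress
import re

# Constructed sample: the proxy identities quoted in the thread BEFORE the
# AnyConnect pool was added to the crypto ACL.
SA_BEFORE = """
local ident (addr/mask/prot/port): (10.10.0.0/255.255.240.0/0/0)
remote ident (addr/mask/prot/port): (10.1.0.0/255.255.255.0/0/0)
"""

# Constructed sample: what the output would look like once the ACL also
# carries the pool (the ASA builds one SA pair per proxy-identity pair).
SA_AFTER = SA_BEFORE + """
local ident (addr/mask/prot/port): (10.10.100.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.1.0.0/255.255.255.0/0/0)
"""

# Matches e.g. "local ident (addr/mask/prot/port): (10.10.0.0/255.255.240.0/0/0)"
IDENT_RE = re.compile(
    r"(local|remote) ident \(addr/mask/prot/port\): "
    r"\((\d+\.\d+\.\d+\.\d+)/(\d+\.\d+\.\d+\.\d+)/"
)


def parse_idents(sa_output):
    """Return the SA's proxy identities as ordered (local, remote) pairs."""
    local, remote = [], []
    for side, addr, mask in IDENT_RE.findall(sa_output):
        net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        (local if side == "local" else remote).append(net)
    return list(zip(local, remote))


def check_flow(src, dst, sa_output):
    """Report whether src -> dst falls inside any proxy-identity pair.

    src and dst may be hosts ("10.10.100.5") or prefixes ("10.10.100.0/24").
    """
    src_net = ipaddress.ip_network(src, strict=False)
    dst_net = ipaddress.ip_network(dst, strict=False)
    pairs = parse_idents(sa_output)
    src_ok = any(src_net.subnet_of(local) for local, _ in pairs)
    dst_ok = any(dst_net.subnet_of(remote) for _, remote in pairs)
    # A flow is only encrypted when one pair covers BOTH ends.
    matched = any(src_net.subnet_of(l) and dst_net.subnet_of(r) for l, r in pairs)
    return {
        "source_in_local_ident": src_ok,
        "dest_in_remote_ident": dst_ok,
        "tunnel_selects_flow": matched,
    }


if __name__ == "__main__":
    for label, output in (("before", SA_BEFORE), ("after", SA_AFTER)):
        result = check_flow("10.10.100.5", "10.1.0.5", output)
        print(f"{label}: client 10.10.100.5 -> 10.1.0.5 :", result)
```

Run against the "before" output, the client address fails the local-identity check while the LAN address 10.10.0.0/20 passes, which is exactly the asymmetry the thread describes; against the "after" output the client flow is selected. The same check applied to the Site A peer's SA output (with the sides swapped) shows whether its crypto ACL mirrors the change.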
10-25-2012 08:49 AM
Yep, that has all been done.
slccorp(config)# nat (outside,outside) 1 source static vpnpool00 vpnpool00 destination static denver-corp denver-corp
slccorp(config)# route outside 10.10.100.0 255.255.255.0 216.xx.xx.xx 1
slccorp(config)# route outside 10.1.0.0 255.255.255.0 216.xx.xx.xx 1
slccorp(config)# end
The internal subnet for denver-corp is 10.1.0.0_24
So, the NAT is there, I confirmed it via CLI and via ASDM. The two routes are also there.
I went into the L2L settings and added both the internal_subnet (10.10.0.0_20) and the vpnpool00 (10.10.100.0_24) to the L2L connection.
I am attaching a copy of the ASDM output.
10-25-2012 08:54 AM
Is it possible that I need to make the same changes on the denver-corp firewall as well?
I can't believe I forgot to look on the opposing side.
10-25-2012 09:08 AM
Yes, we need to make sure the remote side does have the same settings.
Thanks.
Let me know.