10-24-2012 07:23 PM
I've searched through the discussions but am having troubles finding a solution to my problem.
I have five (5) sites all connected via static VPN tunnels. They are all using Cisco ASA 5510s running 8.4(4)1. Any internal IP on each site can ping any IP on a remote site thanks to the static VPN tunnels. I have the external IP (routeable) addresses connecting to each other.
Site A: 10.1.0.0 /24
Site B: 10.2.0.0 /24
Site C: 10.3.0.0 /24
Site D: 10.5.0.0 /24
Site E: 10.10.0.0 /20
I have remote users who connect using Cisco AnyConnect 3.1 to Site E. They get a static IP within the 10.10.100.0 /24 subnet (vpnpool00) and can access anything in the 10.10.0.0 /20 subnet. So far, so good.
Now management wants users to access devices within the other sites, specifically Site A, using the same AnyConnect connection. In other words, they get an IP address of, say, 10.10.100.5 and now need to access a server on Site A's subnet, or 10.1.0.5.
I have checked my NAT statements and they appear to allow this, but so far when I do a ping I get the following:
Routing failed to locate next hop for ICMP from outside: 10.10.100.5/1 to inside: 10.1.0.5/0
What am I missing? Is there a NAT statement that is wrong, or an access-list statement or possibly a static route?
Any suggestions would be appreciated.
Thanks in advance.
10-24-2012 07:35 PM
Hi Kerry,
Routing failed to locate next hop for ICMP from outside: 10.10.100.5/1 to inside: 10.1.0.5/0
It points to the inside and according to your description you are connected to Site E, so the 10.1.0.0/24 network is supposed to be on the outside across a L2L tunnel.
So, you either have a wrong route or your NAT rules are not properly configured.
For this to work, we don't really need a NAT rule on the outside unless you have another NAT affecting this inbound traffic.
You need the "same-security-traffic permit intra-interface" in order to allow U-turning on the outside interface.
So, please check the following (I am going to assume that you may have some NAT rules affecting the inbound connections):
1- object network anyconnect_pool
subnet 10.10.100.0 255.255.255.0
!
object network 10.1.0.0_24
subnet 10.1.0.0 255.255.255.0
!
nat (outside,outside) 1 source static anyconnect_pool anyconnect_pool destination static 10.1.0.0_24 10.1.0.0_24
!
route outside 10.10.100.0 255.255.255.0 default_gateway_outside
route outside 10.1.0.0 255.255.255.0 default_gateway_outside
!
This should cover any possible routing and NAT issue.
In addition to this, make sure you include the AnyConnect pool to the L2L between Site E and Site A.
HTH.
Portu.
Please rate any helpful posts
10-25-2012 04:41 AM
Thanks for the information. I will check once I get into the office and have time to debug.
Will let you know the results.
10-25-2012 06:07 AM
Sounds good.
Portu.
Please rate any helpful posts
10-25-2012 07:30 AM
Portu,
Thanks for the help, but after adding the NAT statement and the two extra routes and including the anyconnect pool into the L2L connection, I am still unable to connect to any other subnet outside of the Site E subnet or 10.10.0.0 /20.
I tried pinging 10.1.0.5 (Site A) and got the same error as before.
Informational logging is not showing me anything.
Here is what was added via my Rancid report:
Index: configs/10.10.0.1
===================================================================
retrieving revision 1.24
diff -U 4 -r1.24 10.10.0.1
@@ -419,8 +419,11 @@
+ object-group network DM_INLINE_NETWORK_8 network-object 10.10.0.0
+ 255.255.240.0 network-object object vpnpool00
- access-list outside_cryptomap_1 extended permit ip 10.10.0.0 255.255.240.0 object 10.1.0.0_24
+ access-list outside_cryptomap_1 extended permit ip object-group
+ DM_INLINE_NETWORK_8 object 10.1.0.0_24
+ nat (outside,outside) source static vpnpool00 vpnpool00 destination static 10.1.0.0_24 10.1.0.0_24
+ route outside 10.10.100.0 255.255.255.0 216.xx.xx.xx 1
+ route outside 10.1.0.0 255.255.255.0 216.xx.xx.xx 1
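Review bot: the crypto ACL change gives Site A a second proxy identity (vpnpool00 to 10.1.0.0_24), but nothing in this hunk touches the Site A side; the peer's crypto ACL needs the mirror entry (10.1.0.0_24 to vpnpool00) or that identity will never negotiate and the pings will keep timing out. Also, the new `nat (outside,outside)` line carries no sequence number, unlike the suggested `nat (outside,outside) 1 source static ...`; confirm with `show nat` that it sits ahead of any other outside NAT rule that could match this traffic.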
Again, while attempting to ping from the vpnpool00 or 10.10.100.4 to the 10.1.0.5 box I see the ICMP connection being built and torn down, but nothing more. The pings from my VPN'ed laptop to Site A simply show "Request timeout for icmp_seq....."
Any suggestions are appreciated.
10-25-2012 07:48 AM
Thanks for the heads up.
Please include the "show crypto ipsec sa peer SiteA_Public_IP" output from SiteE.
Also please attach the latest logs.
Thanks.
Please rate helpful posts.
10-25-2012 07:53 AM
cisco# sho crypto ipsec sa peer 209.xxx.xx.xxx
peer address: 209.xxx.xx.xxx
Crypto map tag: outside_map, seq num: 2, local addr: 216.xx.xx.xxx
access-list outside_cryptomap_1 extended permit ip 10.10.0.0 255.255.240.0 10.1.0.0 255.255.255.0
local ident (addr/mask/prot/port): (10.10.0.0/255.255.240.0/0/0)
remote ident (addr/mask/prot/port): (10.1.0.0/255.255.255.0/0/0)
current_peer: 209.xxx.xx.xxx
#pkts encaps: 53047, #pkts encrypt: 53047, #pkts digest: 53047
#pkts decaps: 52234, #pkts decrypt: 52225, #pkts verify: 52225
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 53047, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 9
local crypto endpt.: 216.xx.xx.xxx/0, remote crypto endpt.: 209.xxx.xx.xxx/0
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: F426BE72
current inbound spi : 32C641FA
inbound esp sas:
spi: 0x32C641FA (851853818)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 2400256, crypto-map: outside_map
sa timing: remaining key lifetime (sec): 756
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xF426BE72 (4096179826)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 2400256, crypto-map: outside_map
sa timing: remaining key lifetime (sec): 755
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
cisco#
I tried to obfuscate the information as best I could.
Just an FYI, the internal IP addresses (RFC1918) are also not exactly what I am using, but are close enough.
I can turn on debugging and capture some data and post it here if that helps as well.
10-25-2012 08:17 AM
The VPN pool: 10.10.100.0 255.255.255.0
Local VPN proxy (LAN-to-LAN): 10.10.0.0 255.255.240.0 = 10.10.0.1 ---> 10.10.15.255
So:
1- Please add the 10.10.100.0 /24 network to LAN-to-LAN tunnel.
2- The network is already added, but the SA is not coming up.
Please confirm.
Thanks.
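The two points raised above (the pool 10.10.100.0/24 falling outside the 10.10.0.0/20 proxy identity, and the need for the remote side to mirror whatever is added) can be checked mechanically. The following is an added example, not code from the thread or from Cisco: it parses crypto ACL entries in the netmask form that "show crypto ipsec sa" prints, reports which proxy identity (if any) covers a given flow, and lists identities the peer does not mirror. The ACL lines and the Site A ACL are constructed samples, and the object names are assumed.

```python
import ipaddress
import re

# Constructed sample ACLs modelled on outside_cryptomap_1 from the thread (not the
# poster's actual config). Site E first as posted, then with the pool entry added.
SITE_E_ACL = [
    "access-list outside_cryptomap_1 extended permit ip 10.10.0.0 255.255.240.0 10.1.0.0 255.255.255.0",
]
SITE_E_ACL_FIXED = SITE_E_ACL + [
    "access-list outside_cryptomap_1 extended permit ip 10.10.100.0 255.255.255.0 10.1.0.0 255.255.255.0",
]
# Hypothetical Site A side that still only mirrors the LAN entry.
SITE_A_ACL = [
    "access-list outside_cryptomap_1 extended permit ip 10.1.0.0 255.255.255.0 10.10.0.0 255.255.240.0",
]

# "permit ip <local-net> <local-mask> <remote-net> <remote-mask>"
ACE = re.compile(r"permit ip (\S+) (\S+) (\S+) (\S+)$")


def parse_acl(lines):
    """Return the ACL's proxy identities as (local_net, remote_net) pairs."""
    identities = []
    for line in lines:
        m = ACE.search(line)
        if not m:
            continue  # ignore anything that is not an ip ACE
        local = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
        remote = ipaddress.ip_network(f"{m.group(3)}/{m.group(4)}")
        identities.append((local, remote))
    return identities


def matching_identity(acl_lines, src, dst):
    """First identity covering src -> dst, or None if the flow is not 'interesting' traffic."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for local, remote in parse_acl(acl_lines):
        if s in local and d in remote:
            return (str(local), str(remote))
    return None


def unmirrored(local_lines, peer_lines):
    """Identities on this side that the peer's ACL does not mirror (local/remote swapped)."""
    peer = {(r, l) for l, r in parse_acl(peer_lines)}
    return [(str(l), str(r)) for l, r in parse_acl(local_lines) if (l, r) not in peer]
```

With the original ACL, a LAN host matches the 10.10.0.0/20 identity but an AnyConnect client does not; after the pool entry is added, the mirror check flags that Site A still lacks its counterpart.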
10-25-2012 08:49 AM
Yep, that has all been done.
slccorp(config)# nat (outside,outside) 1 source static vpnpool00 vpnpool00 destination static denver-corp denver-corp
slccorp(config)# route outside 10.10.100.0 255.255.255.0 216.xx.xx.xx 1
slccorp(config)# route outside 10.1.0.0 255.255.255.0 216.xx.xx.xx 1
slccorp(config)# end
The internal subnet for denver-corp is 10.1.0.0_24
So, the NAT is there, I confirmed it via CLI and via ASDM. The two routes are also there.
I went into the L2L settings and added both the internal_subnet (10.10.0.0_20) and the vpnpool00 (10.10.100.0_24) to the L2L connection.
Am attaching a copy of the ASDM output.
10-25-2012 08:54 AM
Is it possible that I need to make the same changes on the denver-corp firewall as well?
I can't believe I forgot to look on the opposing side.
10-25-2012 09:08 AM
Yes, we need to make sure the remote side does have the same settings.
Thanks.
Let me know.