Remote VPN users need to access networks connected by static VPN

kerryjcox
Level 1

I've searched through the discussions but am having troubles finding a solution to my problem.

I have five (5) sites all connected via static VPN tunnels.  They are all using Cisco ASA 5510s running 8.4(4)1. Any internal IP on each site can ping any IP on a remote site thanks to the static VPN tunnels.  I have the external IP (routable) addresses connecting to each other.

Site A: 10.1.0.0 /24

Site B: 10.2.0.0 /24

Site C: 10.3.0.0 /24

Site D: 10.5.0.0 /24

Site E: 10.10.0.0 /20

I have remote users who connect using Cisco AnyConnect 3.1 to Site E.  They get a static IP within the 10.10.100.0 /24 subnet (vpnpool00) and can access anything in the 10.10.0.0 /20 subnet. So far, so good.

Now management wants users to access devices within the other sites, specifically Site A, using the same AnyConnect connection.  In other words, they get an IP address of, say, 10.10.100.5 and now need to access a server on Site A's subnet, e.g. 10.1.0.5.

I have checked my NAT statements and they appear to allow this, but so far when I do a ping I get the following:

     Routing failed to locate next hop for ICMP from outside: 10.10.100.5/1 to inside: 10.1.0.5/0

What am I missing?  Is there a NAT statement that is wrong, or an access-list statement or possibly a static route?

Any suggestions would be appreciated.

Thanks in advance.

10 Replies

Hi Kerry,

Routing failed to locate next hop for ICMP from outside: 10.10.100.5/1 to inside: 10.1.0.5/0

It points to the inside, and according to your description you are connected to Site E, so the 10.1.0.0/24 network is supposed to be on the outside, across an L2L tunnel.

So, you either have a wrong route or your NAT rules are not properly configured.

For this to work, we don't really need a NAT rule on the outside unless you have another NAT affecting this inbound traffic.

You need the "same-security-traffic permit intra-interface" in order to allow U-turning on the outside interface.

So, please check the following (I am going to assume that you may have some NAT rules affecting the inbound connections):

1- object network anyconnect_pool
      subnet 10.10.100.0 255.255.255.0
     !
     object network 10.1.0.0_24
      subnet 10.1.0.0 255.255.255.0
     !
     nat (outside,outside) 1 source static anyconnect_pool anyconnect_pool destination static 10.1.0.0_24 10.1.0.0_24
     !
     route outside 10.10.100.0 255.255.255.0 default_gateway_outside
     route outside 10.1.0.0 255.255.255.0 default_gateway_outside
     !

This should cover any possible routing and NAT issue.

In addition to this, make sure you include the AnyConnect pool to the L2L between Site E and Site A.

HTH.

Portu.

Please rate any helpful posts

Thanks for the information. I will check once I get into the office and have time to debug.

Will let you know the results.

Sounds good.

Portu.

Please rate any helpful posts

Portu,

Thanks for the help, but after adding the NAT statement and the two extra routes and including the anyconnect pool into the L2L connection, I am still unable to connect to any other subnet outside of the Site E subnet or 10.10.0.0 /20. 

I tried pinging 10.1.0.5 (Site A) and got the same error as before. 

Informational logging is not showing me anything.

Here is what was added via my Rancid report:

Index: configs/10.10.0.1

===================================================================

retrieving revision 1.24

diff -U 4 -r1.24 10.10.0.1

@@ -419,8 +419,11 @@

+ object-group network DM_INLINE_NETWORK_8 network-object 10.10.0.0

+ 255.255.240.0 network-object object vpnpool00

- access-list outside_cryptomap_1 extended permit ip 10.10.0.0 255.255.240.0 object 10.1.0.0_24

+ access-list outside_cryptomap_1 extended permit ip object-group

+ DM_INLINE_NETWORK_8 object 10.1.0.0_24

+ nat (outside,outside) source static vpnpool00 vpnpool00 destination static 10.1.0.0_24 10.1.0.0_24

+ route outside 10.10.100.0 255.255.255.0 216.xx.xx.xx 1

+ route outside 10.1.0.0 255.255.255.0 216.xx.xx.xx 1
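Review bot: the added `nat (outside,outside) source static vpnpool00 vpnpool00 destination static 10.1.0.0_24 10.1.0.0_24` line carries no position number, so on 8.4 it is appended to the end of section 1 (manual NAT) rather than placed first as in the suggested `nat (outside,outside) 1 source static ...`; any earlier manual rule that matches traffic from vpnpool00 wins, so confirm the ordering with `show nat` and `packet-tracer input outside icmp 10.10.100.5 8 0 10.1.0.5`. The object-group change in the same hunk also adds a second proxy identity (10.10.100.0/24 -> 10.1.0.0/24) to outside_cryptomap_1; the Site A peer's mirror ACL must carry the same pair, otherwise phase 2 for that pair never negotiates even though the existing 10.10.0.0/20 SA stays up.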

Again, while attempting to ping from the vpnpool00 or 10.10.100.4 to the 10.1.0.5 box I see the ICMP connection being built and torn down, but nothing more. The pings from my VPN'ed laptop to Site A simply show "Request timeout for icmp_seq....."

Any suggestions are appreciated.

Thanks for the heads up.

Please include the "show crypto ipsec sa peer SiteA_Public_IP" output from SiteE.

Also please attach the latest logs.

Thanks.

Please rate helpful posts.

cisco# sho crypto ipsec sa peer 209.xxx.xx.xxx
  peer address: 209.xxx.xx.xxx
    Crypto map tag: outside_map, seq num: 2, local addr: 216.xx.xx.xxx

      access-list outside_cryptomap_1 extended permit ip 10.10.0.0 255.255.240.0 10.1.0.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.10.0.0/255.255.240.0/0/0)
      remote ident (addr/mask/prot/port): (10.1.0.0/255.255.255.0/0/0)
      current_peer: 209.xxx.xx.xxx

      #pkts encaps: 53047, #pkts encrypt: 53047, #pkts digest: 53047
      #pkts decaps: 52234, #pkts decrypt: 52225, #pkts verify: 52225
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 53047, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 9

      local crypto endpt.: 216.xx.xx.xxx/0, remote crypto endpt.: 209.xxx.xx.xxx/0
      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: F426BE72
      current inbound spi : 32C641FA

    inbound esp sas:
      spi: 0x32C641FA (851853818)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 2400256, crypto-map: outside_map
         sa timing: remaining key lifetime (sec): 756
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0xF426BE72 (4096179826)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 2400256, crypto-map: outside_map
         sa timing: remaining key lifetime (sec): 755
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
cisco#

I tried to obfuscate the information as best I could.

Just an FYI, the internal IP addresses (RFC1918) are also not exactly what I am using, but are close enough.

I can turn on debugging and capture some data and post it here if that helps as well.

The VPN pool: 10.10.100.0 255.255.255.0

Local VPN proxy (LAN-to-LAN): 10.10.0.0 255.255.240.0 = 10.10.0.1 ---> 10.10.15.255

So:

1- Please add the 10.10.100.0 /24 network to LAN-to-LAN tunnel.

2- The network is already added, but the SA is not coming up.

Please confirm.

Thanks.

Yep, that has all been done.

slccorp(config)# nat (outside,outside) 1 source static vpnpool00 vpnpool00 destination static denver-corp denver-corp

slccorp(config)# route outside 10.10.100.0 255.255.255.0 216.xx.xx.xx 1 

slccorp(config)# route outside 10.1.0.0 255.255.255.0 216.xx.xx.xx 1

slccorp(config)# end      

The internal subnet for denver-corp is 10.1.0.0_24

So, the NAT is there, I confirmed it via CLI and via ASDM.  The two routes are also there.

I went into the L2L settings and added both the internal_subnet (10.10.0.0_20) and the vpnpool00 (10.10.100.0_24) to the L2L connection.

Am attaching a copy of the ASDM output.

Is it possible that I need to make the same changes on the denver-corp firewall as well? 

I can't believe I forgot to look on the opposing side.

Yes, we need to make sure the remote side does have the same settings.

Thanks.

Let me know.
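The thread ends where most of these cases end: the AnyConnect pool was added to the crypto ACL on Site E only, so the existing 10.10.0.0/20 SA stays up while the new 10.10.100.0/24 -> 10.1.0.0/24 proxy pair never negotiates. As an added example (not code from the original posts, nor a Cisco tool), the script below expands both ASAs' crypto ACLs, including `object` and `object-group` references as in Kerry's Rancid diff, reports hub proxy identities that the spoke does not mirror, and checks that the hub has `same-security-traffic permit intra-interface`. The config text is constructed: the hub-side names (vpnpool00, 10.1.0.0_24, DM_INLINE_NETWORK_8, outside_cryptomap_1) are taken from the thread, while the spoke-side names (10.10.0.0_20, outside_cryptomap_3) are assumed.

```python
"""Cross-check L2L proxy identities between a hub ASA that terminates
AnyConnect and a spoke ASA, and check that the hub permits hairpinning.

Added example for this thread, not code from the original posts or from
Cisco. Config snippets below are constructed; spoke-side names are assumed.
"""
import ipaddress
import re


def parse_asa(text):
    """Collect network objects, object-groups and 'permit ip' ACEs from ASA config text."""
    objects, groups, acls = {}, {}, {}
    current = None  # (kind, name) of the object/object-group being filled in
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if m := re.match(r"object network (\S+)$", line):
            current = ("obj", m.group(1))
        elif m := re.match(r"object-group network (\S+)$", line):
            current = ("grp", m.group(1))
            groups[m.group(1)] = []
        elif (m := re.match(r"(subnet|host) (\S+)(?: (\S+))?$", line)) and current and current[0] == "obj":
            spec = m.group(2) if m.group(1) == "host" else f"{m.group(2)}/{m.group(3)}"
            objects[current[1]] = ipaddress.ip_network(spec)
        elif (m := re.match(r"network-object (.+)$", line)) and current and current[0] == "grp":
            groups[current[1]].append(m.group(1))
        elif m := re.match(r"access-list (\S+) extended permit ip (.+)$", line):
            acls.setdefault(m.group(1), []).append(m.group(2))
            current = None
    return objects, groups, acls


def _take(tokens, objects, groups):
    """Consume one ACE address spec from tokens; return (networks, remaining tokens)."""
    head = tokens[0]
    if head == "object":
        return [objects[tokens[1]]], tokens[2:]
    if head == "object-group":
        nets = []
        for member in groups[tokens[1]]:  # members use the same spec syntax
            nets.extend(_take(member.split(), objects, groups)[0])
        return nets, tokens[2:]
    if head == "host":
        return [ipaddress.ip_network(tokens[1])], tokens[2:]
    if head in ("any", "any4"):
        return [ipaddress.ip_network("0.0.0.0/0")], tokens[1:]
    return [ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}")], tokens[2:]  # 'A.B.C.D MASK'


def proxy_pairs(text, acl_name):
    """Expand a crypto ACL into the set of (local, remote) proxy identities the ASA offers."""
    objects, groups, acls = parse_asa(text)
    pairs = set()
    for ace in acls.get(acl_name, []):
        src, rest = _take(ace.split(), objects, groups)
        dst, _ = _take(rest, objects, groups)
        pairs.update((s, d) for s in src for d in dst)
    return pairs


def unmirrored(hub_text, hub_acl, spoke_text, spoke_acl):
    """Hub 'local -> remote' pairs that the spoke does not list as (remote, local).

    Each such pair never gets a phase-2 SA; pairs that are mirrored keep working,
    which is why the tunnel looks up while only the new traffic fails."""
    hub = proxy_pairs(hub_text, hub_acl)
    spoke_mirrored = {(d, s) for s, d in proxy_pairs(spoke_text, spoke_acl)}
    return sorted(f"{s} -> {d}" for s, d in hub - spoke_mirrored)


def hairpin_allowed(text):
    """AnyConnect traffic bound for the L2L leaves on the interface it arrived on."""
    return "same-security-traffic permit intra-interface" in text


# Constructed sample configs (not the poster's real configs).
HUB_SITE_E = """
same-security-traffic permit intra-interface
object network vpnpool00
 subnet 10.10.100.0 255.255.255.0
object network 10.1.0.0_24
 subnet 10.1.0.0 255.255.255.0
object-group network DM_INLINE_NETWORK_8
 network-object 10.10.0.0 255.255.240.0
 network-object object vpnpool00
access-list outside_cryptomap_1 extended permit ip object-group DM_INLINE_NETWORK_8 object 10.1.0.0_24
nat (outside,outside) 1 source static vpnpool00 vpnpool00 destination static 10.1.0.0_24 10.1.0.0_24
"""

# Spoke as it stood before the last post: only the /20 is mirrored (names assumed).
SPOKE_SITE_A_BEFORE = """
object network 10.10.0.0_20
 subnet 10.10.0.0 255.255.240.0
access-list outside_cryptomap_3 extended permit ip 10.1.0.0 255.255.255.0 object 10.10.0.0_20
"""

# Spoke with the pool mirrored, the change the thread converges on.
SPOKE_SITE_A_AFTER = SPOKE_SITE_A_BEFORE + """
object network vpnpool00
 subnet 10.10.100.0 255.255.255.0
access-list outside_cryptomap_3 extended permit ip 10.1.0.0 255.255.255.0 object vpnpool00
"""

if __name__ == "__main__":
    print("hairpin on hub:", hairpin_allowed(HUB_SITE_E))
    print("before:", unmirrored(HUB_SITE_E, "outside_cryptomap_1", SPOKE_SITE_A_BEFORE, "outside_cryptomap_3"))
    print("after: ", unmirrored(HUB_SITE_E, "outside_cryptomap_1", SPOKE_SITE_A_AFTER, "outside_cryptomap_3"))
```

On a live box the same check is `show crypto ipsec sa peer <peer>` on both ends: every local ident / remote ident pair on one side should appear swapped on the other, and a pair present on only one side is the one whose traffic will be built and torn down without ever being encrypted.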
