Spoke to Spoke VPN Routing - Via Hub

tomas roberton
Level 1

Hi All,

I hope somebody can help me with this; VPNs are not my strong point, so any help would be appreciated.

Current Scenario (See Attached Diagram - ICU_Network_Schematic.pdf)

We have three sites, a remote site with an ASA 5506x (config attached), a head office with an ASA 5506x and an Azure Cloud Virtual Network with a VPN gateway.

The remote site has a site to site vpn to the head office, allowing these two sites to communicate without any issues.

The Head Office has a site to site vpn to the Azure Cloud network which is also working fine.

What do we want to achieve?

We would like the remote site to be able to route to Azure and for Azure to be able to route to the remote site. This must be via the HQ ASA, as the Azure virtual network does not support multiple VPNs.

I have achieved this before with SonicWALLs in this topology, but not yet with Cisco.

What have I tried, and what is the problem?

Using ASDM I have stumbled at the first hurdle: when I change the destination networks on the remote site VPN profile to include the Azure subnet and change the head office VPN profile source network to include Azure, the VPN drops and does not come back online.

My primary goal is to get the Remote Site - HQ VPN working with a configuration that includes the Azure subnet. However, ultimately the goal is to allow the routing all the way through. If somebody could help me achieve either of these goals by proposing some configuration, that would be great.


Apologies if you feel I have missed any information; please ask and I will bring any further information back to you.

Attached: Network schematic, both ASA config files.

7 Replies

Here is what you need:

Your Remote-ASA needs to know that Azure is reachable through the tunnel. So you have to add:

object network NETWORK_OBJ_10.10.0.0_16
subnet 10.10.0.0 255.255.0.0
access-list l2l_list extended permit ip object NETWORK_OBJ_192.168.2.0_24 object NETWORK_OBJ_10.10.0.0_16

This traffic should not be NATted. For simplicity, your dynamic NAT-rule should be moved to the end of the rules:

no nat (inside,Outside_PPPoE) source dynamic NETWORK_OBJ_192.168.2.0_24 interface
nat (inside,Outside_PPPoE) after-auto source dynamic NETWORK_OBJ_192.168.2.0_24 interface
!
nat (inside,Outside_PPPoE) source static NETWORK_OBJ_192.168.2.0_24 NETWORK_OBJ_192.168.2.0_24 destination static NETWORK_OBJ_10.10.0.0_16 NETWORK_OBJ_10.10.0.0_16 no-proxy-arp route-lookup

You pasted the config of the remote ASA twice ... So on the HQ-ASA you need:

  • The crypto-ACL for the remote site has to permit traffic from 10.10.0.0/16 to 192.168.2.0/24
  • The crypto-ACL for Azure has to permit the traffic from 192.168.2.0/24 to 10.10.0.0/16
  • This traffic has to be exempted from NAT
  • The ASA must allow traffic coming in and sent out the same interface:
same-security-traffic permit intra-interface

Hi Karsten,

Thank you for the extremely thorough reply.

I have attached the actual HQ config just in case this does change anything. I am awaiting a change window to open so that I can apply the configuration, and I will confirm with you how it goes :)

Thanks again for the help! 

Attached: Actual HQ Config

OK, let's see what you need to add:

For the crypto-ACL to your spoke:

access-list Outside_PPPoE_cryptomap_9 extended permit ip object-group azure-networks object NETWORK_OBJ_192.168.2.0_24

The crypto-ACL to Azure:

access-list azure-vpn-acl extended permit ip object NETWORK_OBJ_192.168.2.0_24 object-group azure-networks

No NAT for this traffic (this is in fact not needed in your actual config, but I would add it to make sure later changes don't break your VPN):

nat (Outside_PPPoE,Outside_PPPoE) source static NETWORK_OBJ_192.168.2.0_24 NETWORK_OBJ_192.168.2.0_24 destination static azure-networks azure-networks no-proxy-arp route-lookup

And to allow hair-pinning:

same-security-traffic permit intra-interface
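The two replies above describe three conditions that must all hold before spoke traffic can reach Azure through the hub: every entry in the spoke's crypto ACL must be mirrored in the hub's crypto ACL for that tunnel, the hub's crypto ACL towards Azure must also select the spoke-to-Azure pair, and the hub must permit intra-interface (hairpin) traffic. As an added illustration (not code from the thread or from Cisco), here is a small Python checker that parses `object network`, `object-group network` and `access-list ... extended permit ip` lines from two ASA config fragments and reports which of those conditions fail. The object and ACL names are the ones used in the replies; the config fragments, the HQ LAN subnet 192.168.1.0/24 and the Azure subnet 10.10.0.0/16 are constructed sample values, and the NAT exemption rules are not checked.

```python
import ipaddress

# Constructed sample fragments (not the thread's attached config files), using the
# object and ACL names from the thread. The HQ LAN 192.168.1.0/24 is an assumption.
SPOKE_CONFIG = """\
object network NETWORK_OBJ_192.168.2.0_24
 subnet 192.168.2.0 255.255.255.0
object network HQ_LAN
 subnet 192.168.1.0 255.255.255.0
object network NETWORK_OBJ_10.10.0.0_16
 subnet 10.10.0.0 255.255.0.0
access-list l2l_list extended permit ip object NETWORK_OBJ_192.168.2.0_24 object HQ_LAN
access-list l2l_list extended permit ip object NETWORK_OBJ_192.168.2.0_24 object NETWORK_OBJ_10.10.0.0_16
"""

# Hub before the changes from the reply: no spoke<->Azure selectors, no hairpinning.
HUB_CONFIG_BEFORE = """\
object network NETWORK_OBJ_192.168.2.0_24
 subnet 192.168.2.0 255.255.255.0
object network HQ_LAN
 subnet 192.168.1.0 255.255.255.0
object network AZURE_VNET
 subnet 10.10.0.0 255.255.0.0
object-group network azure-networks
 network-object object AZURE_VNET
access-list Outside_PPPoE_cryptomap_9 extended permit ip object HQ_LAN object NETWORK_OBJ_192.168.2.0_24
access-list azure-vpn-acl extended permit ip object HQ_LAN object-group azure-networks
"""

# Hub after the three additions proposed in the reply.
HUB_CONFIG_AFTER = HUB_CONFIG_BEFORE + """\
access-list Outside_PPPoE_cryptomap_9 extended permit ip object-group azure-networks object NETWORK_OBJ_192.168.2.0_24
access-list azure-vpn-acl extended permit ip object NETWORK_OBJ_192.168.2.0_24 object-group azure-networks
same-security-traffic permit intra-interface
"""

AZURE_NETS = {ipaddress.ip_network("10.10.0.0/16")}  # sample Azure VNet address space


def mask_to_net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_objects(cfg):
    """Resolve 'object network' / 'object-group network' blocks to sets of networks.
    Groups may reference objects defined above them (the ASA emits objects first)."""
    objects, groups, current = {}, {}, None
    for line in cfg.splitlines():
        words = line.split()
        if not words:
            continue
        if not line.startswith(" "):                      # start of a top-level block
            if words[:2] == ["object", "network"]:
                current = objects.setdefault(words[2], set())
            elif words[:2] == ["object-group", "network"]:
                current = groups.setdefault(words[2], set())
            else:
                current = None
        elif current is not None and words[0] == "subnet":
            current.add(mask_to_net(words[1], words[2]))
        elif current is not None and words[0] == "network-object":
            if words[1] == "object":
                current |= objects.get(words[2], set())
            else:
                current.add(mask_to_net(words[1], words[2]))
    return objects, groups


def _operand(words, i, objects, groups):
    """Consume one address operand at words[i]; return (networks, next index)."""
    tok = words[i]
    if tok == "object":
        return objects[words[i + 1]], i + 2
    if tok == "object-group":
        return groups[words[i + 1]], i + 2
    if tok == "host":
        return {ipaddress.ip_network(words[i + 1])}, i + 2
    if tok in ("any", "any4"):
        return {ipaddress.ip_network("0.0.0.0/0")}, i + 1
    return {mask_to_net(tok, words[i + 1])}, i + 2


def crypto_acl_pairs(cfg, acl_name):
    """Return the set of (src, dst) network pairs a crypto ACL selects for the tunnel."""
    objects, groups = parse_objects(cfg)
    pairs = set()
    for line in cfg.splitlines():
        words = line.split()
        if words[:4] != ["access-list", acl_name, "extended", "permit"]:
            continue
        srcs, i = _operand(words, 5, objects, groups)      # words[4] is the protocol
        dsts, _ = _operand(words, i, objects, groups)
        pairs.update((s, d) for s in srcs for d in dsts)
    return pairs


def check_spoke_via_hub(spoke_cfg, spoke_acl, hub_cfg, hub_spoke_acl, hub_azure_acl, azure_nets):
    """List the reasons spoke<->Azure traffic would not be carried hop by hop; [] means OK."""
    problems = []
    spoke = crypto_acl_pairs(spoke_cfg, spoke_acl)
    hub_to_spoke = crypto_acl_pairs(hub_cfg, hub_spoke_acl)
    hub_to_azure = crypto_acl_pairs(hub_cfg, hub_azure_acl)
    for src, dst in sorted(spoke, key=str):
        if (dst, src) not in hub_to_spoke:                 # mirror image on the hub side
            problems.append(f"{hub_spoke_acl}: no mirror entry for {src} -> {dst}")
        if dst in azure_nets and (src, dst) not in hub_to_azure:
            problems.append(f"{hub_azure_acl}: does not select {src} -> {dst}")
    if not any(l.strip() == "same-security-traffic permit intra-interface" for l in hub_cfg.splitlines()):
        problems.append("hub: same-security-traffic permit intra-interface is missing")
    return problems


if __name__ == "__main__":
    for label, hub in (("before", HUB_CONFIG_BEFORE), ("after", HUB_CONFIG_AFTER)):
        print(label, check_spoke_via_hub(SPOKE_CONFIG, "l2l_list", hub,
                                         "Outside_PPPoE_cryptomap_9", "azure-vpn-acl", AZURE_NETS))
```

Run against the "before" hub fragment it reports three problems (missing mirror entry, missing Azure-side selector, no hairpinning); against the "after" fragment it reports none. Checking crypto ACLs this way before a change window is a cheap way to avoid the tunnel-drop described in the question, since a selector mismatch between the two peers is the usual reason a previously working tunnel fails to renegotiate.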

Hi Karsten,

I have finally had permission to make the changes this evening.

I have applied all commands as you proposed with one change, the network object I used was 10.0.0.0/16 and not 10.10.0.0/16.

The VPN is up between the remote site and the HQ site and the VPN between the HQ and Azure is up and running.

However I can't ping from Remote Site to Azure or vice versa.

I have attached the new configs, which look fine to me; can you propose any further troubleshooting?

Thanks

Is it only Ping that is not working or any communication from remote to Azure and back?

Hi Karsten,

No, remote desktop also fails, and so does Windows Explorer traffic.

I'm a little stumped as to what troubleshooting step to take; I have performed packet-tracer and it says the packet is allowed.

Thanks,

Next step is to trigger the tunnels (with ping or whatever traffic you want) and see if IPsec SAs are built:

show vpn-sessiondb detail l2l

On both the remote and HQ-ASA you should see SAs for:

  • remote-network <-> Azure-Network