Traversing traffic across multiple VPN tunnels

James Dykes
Level 1

I have a customer that has the following networks:

Office 1

-------

192.168.200.0/24

192.168.90.0/24

192.168.10.0/24

Office 2

--------

192.168.201.0/24

192.168.91.0/24

192.168.11.0/24

172.16.20.0/24

Office 1 also has four address pools for its dial-in VPN clients:

192.168.80.0/24

192.168.82.0/24

192.168.83.0/24

192.168.84.0/24

The customer wants to be able to dial in from their remote location and communicate all the way across to Office 2's networks. Traffic originating from the dial-in networks is not causing the tunnels to be spun up, however.

The firewall config is attached.

4 Replies

Jouni Forss
VIP Alumni

Hi,

You seem to have added lines to the L2L VPN's ACL that don't really make sense. I mean you have source networks on the ACL that are not located on your site at all.

So the following (which you already have in the ACL) should be the only thing in the crypto ACL, and the rest should be removed:

OFFICE1 TO OFFICE2

access-list outside_1_cryptomap extended permit ip 192.168.200.0 255.255.255.0 192.168.201.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.200.0 255.255.255.0 192.168.91.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.200.0 255.255.255.0 192.168.11.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.200.0 255.255.255.0 172.16.20.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.90.0 255.255.255.0 192.168.201.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.90.0 255.255.255.0 192.168.91.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.90.0 255.255.255.0 192.168.11.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.90.0 255.255.255.0 172.16.20.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.201.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.91.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.11.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.10.0 255.255.255.0 172.16.20.0 255.255.255.0

OFFICE1 VPN POOLS TO OFFICE2

access-list outside_1_cryptomap extended permit ip 192.168.80.0 255.255.255.0 192.168.201.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.80.0 255.255.255.0 192.168.91.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.80.0 255.255.255.0 192.168.11.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.80.0 255.255.255.0 172.16.20.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.82.0 255.255.255.0 192.168.201.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.82.0 255.255.255.0 192.168.91.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.82.0 255.255.255.0 192.168.11.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.82.0 255.255.255.0 172.16.20.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.83.0 255.255.255.0 192.168.201.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.83.0 255.255.255.0 192.168.91.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.83.0 255.255.255.0 192.168.11.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.83.0 255.255.255.0 172.16.20.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.84.0 255.255.255.0 192.168.201.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.84.0 255.255.255.0 192.168.91.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.84.0 255.255.255.0 192.168.11.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.84.0 255.255.255.0 172.16.20.0 255.255.255.0

You will also have to make sure that the Office 2 device has the corresponding crypto ACLs and NAT0 configurations to allow the traffic between the VPN Pool networks and its local office networks.

You also seem to be using Split Tunnel VPN and using the "vpn_splittunnel" ACL to define the network to which VPN users should be able to forward traffic through the VPN connections. This ACL does not yet contain every Office 2 network in it.

So assuming you want the Split Tunnel VPN to reach all Office 1 and Office 2 networks, then the ACL should look something like this:

access-list vpn_splittunnel standard permit 192.168.200.0 255.255.255.0
access-list vpn_splittunnel standard permit 192.168.201.0 255.255.255.0
access-list vpn_splittunnel standard permit 192.168.90.0 255.255.255.0
access-list vpn_splittunnel standard permit 192.168.91.0 255.255.255.0
access-list vpn_splittunnel standard permit 192.168.10.0 255.255.255.0
access-list vpn_splittunnel standard permit 192.168.11.0 255.255.255.0
access-list vpn_splittunnel standard permit 172.16.20.0 255.255.255.0

You seem to lack a NAT0 configuration on the "outside" interface of the ASA. As the VPN Client connections are coming to the "outside" interface and they are also leaving through the "outside" interface back to the L2L VPN connections, you will need to have a NAT0 configuration on the "outside" interface also.

So you need to add:

access-list OUTSIDE-NAT0 extended permit ip 192.168.80.0 255.255.255.0 192.168.201.0 255.255.255.0
access-list OUTSIDE-NAT0 extended permit ip 192.168.80.0 255.255.255.0 192.168.91.0 255.255.255.0
access-list OUTSIDE-NAT0 extended permit ip 192.168.80.0 255.255.255.0 192.168.11.0 255.255.255.0
access-list OUTSIDE-NAT0 extended permit ip 192.168.80.0 255.255.255.0 172.16.20.0 255.255.255.0
access-list OUTSIDE-NAT0 extended permit ip 192.168.82.0 255.255.255.0 192.168.201.0 255.255.255.0
access-list OUTSIDE-NAT0 extended permit ip 192.168.82.0 255.255.255.0 192.168.91.0 255.255.255.0
access-list OUTSIDE-NAT0 extended permit ip 192.168.82.0 255.255.255.0 192.168.11.0 255.255.255.0
access-list OUTSIDE-NAT0 extended permit ip 192.168.82.0 255.255.255.0 172.16.20.0 255.255.255.0
access-list OUTSIDE-NAT0 extended permit ip 192.168.83.0 255.255.255.0 192.168.201.0 255.255.255.0
access-list OUTSIDE-NAT0 extended permit ip 192.168.83.0 255.255.255.0 192.168.91.0 255.255.255.0
access-list OUTSIDE-NAT0 extended permit ip 192.168.83.0 255.255.255.0 192.168.11.0 255.255.255.0
access-list OUTSIDE-NAT0 extended permit ip 192.168.83.0 255.255.255.0 172.16.20.0 255.255.255.0
access-list OUTSIDE-NAT0 extended permit ip 192.168.84.0 255.255.255.0 192.168.201.0 255.255.255.0
access-list OUTSIDE-NAT0 extended permit ip 192.168.84.0 255.255.255.0 192.168.91.0 255.255.255.0
access-list OUTSIDE-NAT0 extended permit ip 192.168.84.0 255.255.255.0 192.168.11.0 255.255.255.0
access-list OUTSIDE-NAT0 extended permit ip 192.168.84.0 255.255.255.0 172.16.20.0 255.255.255.0

nat (outside) 0 access-list OUTSIDE-NAT0

I would also highly suggest that you go through your local interface NAT0 configurations and use a separate ACL for each interface's NAT0 so that they don't each contain a lot of source networks which aren't located behind those interfaces. This might in the worst case cause problems to the ASA's NAT operation.

- Jouni
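An added example (not from the thread or from Cisco) that automates the two checks in this reply for an ASA crypto ACL: every ACE source must be a network actually located at Office 1 (local networks or VPN pools), and every local/remote pair must have an ACE. It generates the full-mesh ACL and audits a constructed sample ACL against the networks listed in the question.

```python
import ipaddress
import re

# Networks as listed in the question (Office 1, its VPN pools, Office 2).
OFFICE1 = ["192.168.200.0/24", "192.168.90.0/24", "192.168.10.0/24"]
VPN_POOLS = ["192.168.80.0/24", "192.168.82.0/24", "192.168.83.0/24", "192.168.84.0/24"]
OFFICE2 = ["192.168.201.0/24", "192.168.91.0/24", "192.168.11.0/24", "172.16.20.0/24"]

ACE_RE = re.compile(r"access-list\s+(\S+)\s+extended\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")

def parse_ace(line):
    """Parse 'access-list NAME extended permit ip SRC MASK DST MASK'.
    Returns (name, src_network, dst_network), or None for any other line."""
    m = ACE_RE.match(line.strip())
    if not m:
        return None
    name, src, smask, dst, dmask = m.groups()
    return name, ipaddress.ip_network(f"{src}/{smask}"), ipaddress.ip_network(f"{dst}/{dmask}")

def generate_acl(name, sources, destinations):
    """Emit the full mesh of ACEs, one per source/destination pair."""
    return [f"access-list {name} extended permit ip "
            f"{s.network_address} {s.netmask} {d.network_address} {d.netmask}"
            for s in map(ipaddress.ip_network, sources)
            for d in map(ipaddress.ip_network, destinations)]

def audit_crypto_acl(acl_lines, local_nets, remote_nets):
    """Apply the reply's two checks: every ACE source must be a network on
    this site, and every local/remote pair must have an ACE.
    Returns (foreign_sources, missing_pairs) as sorted lists of strings."""
    local = {ipaddress.ip_network(n) for n in local_nets}
    remote = {ipaddress.ip_network(n) for n in remote_nets}
    present, foreign = set(), set()
    for line in acl_lines:
        ace = parse_ace(line)
        if ace is None:
            continue  # skips comments, 'nat' lines, etc.
        _, src, dst = ace
        present.add((src, dst))
        if src not in local:
            foreign.add(str(src))
    missing = {(s, d) for s in local for d in remote} - present
    return sorted(foreign), sorted(f"{s} -> {d}" for s, d in missing)

# Constructed sample: two VPN pools left out, plus one ACE whose source is an Office 2 network.
SAMPLE_ACL = generate_acl("outside_1_cryptomap", OFFICE1 + VPN_POOLS[:2], OFFICE2) + [
    "access-list outside_1_cryptomap extended permit ip 192.168.201.0 255.255.255.0 192.168.200.0 255.255.255.0"]
```

Running `audit_crypto_acl(SAMPLE_ACL, OFFICE1 + VPN_POOLS, OFFICE2)` reports the stray 192.168.201.0/24 source and the eight missing pool-to-Office-2 pairs; the same audit on the full mesh from `generate_acl` returns two empty lists.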

These changes have not resolved the issue.

"The change did not resolve the issue. The P2 was staying alive due to packets incoming from this side (192.168.201.1). The tunnel is still not coming up when traffic is originating from the 192.168.80.0 network. Can you check for any other adjustments that need to be made?"

Hi,

Actually, it seems that for some reason your actual L2L VPN crypto map IS NOT attached to any interface at the moment?

crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group5
crypto map outside_map 1 set peer 65.61.105.34

Instead, it seems you have some dynamic map configured (usually for VPN Client use) and that is attached to the "outside" interface.

crypto map vpn_map interface outside

If you want to use both L2L VPN and IPsec VPN Client connections then the configurations are usually in the same crypto map.

- Jouni

Some background - the VPN Client configuration was already in place before I was given the project to add L2L VPN tunnels to the device. You're saying that configuration should be part of the crypto map vpn_map configuration and not in its own config? Can you give me an example?

Thank you,

James