02-21-2019 12:11 PM - edited 02-21-2020 09:34 PM
Hi friends, I hope someone can help with this, it's driving me up the wall.
Here's a summary:
Site A - 10.20.4.0 /24 - has a working VPN tunnel to Cisco ASA
Site B - 192.168.142.0 /24 - has a working VPN tunnel to same Cisco ASA
Site A can ping Site B through both tunnels via the Cisco ASA
Site B can ping the Cisco ASA VPN endpoint but not Site A - I believe I have a hairpinning issue
It appears as though traffic is leaving Site B, hitting the outside Interface of the ASA then getting lost in a black hole somewhere. It points to an ACL issue but I cannot see any issues in the rules. I've attached the full ASA config and packet tracer results. Both tunnels are up so I know the VPN config is fine.
I would be hugely grateful if someone could spot something that I've obviously missed.
Many thanks in advance.
02-21-2019 12:20 PM
02-21-2019 01:31 PM
Hi RJI
Yes you're correct about the subnets.
Would you mind highlighting the no NAT rule you're referring to for the other remote sites please?
Many thanks
B
02-21-2019 01:40 PM
02-21-2019 11:29 PM
Ok thanks for clarifying.
So to confirm, here are the current nat outside rules:
nat (outside,outside) source static DIGI_VPN_SITES DIGI_VPN_SITES destination static formac-remote formac-remote
nat (outside,outside) source static formac-remote formac-remote destination static DIGI_VPN_SITES DIGI_VPN_SITES
nat (outside,outside) source static formac-remote formac-remote destination static Sherwood-remote Sherwood-remote
nat (outside,outside) source dynamic Bevercotes-remote interface destination static obj-any_20 obj-any_20
nat (outside,outside) source dynamic Calverton-remote interface destination static obj-any_10 obj-any_10
The Calverton subnet is also included in the DIGI_VPN_SITES group. Would this rule be sufficient or should the object name only contain one subnet?
object-group network DIGI_VPN_SITES
network-object 10.20.3.0 255.255.255.0
network-object 10.20.4.0 255.255.255.0
network-object 10.20.12.0 255.255.255.0
network-object 10.20.5.0 255.255.255.0
object-group network formac-remote
network-object 192.168.142.0 255.255.255.0
object-group network Calverton-remote
network-object 10.20.4.0 255.255.255.0
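The post above asks whether one (outside,outside) rule keyed on the multi-subnet DIGI_VPN_SITES group is enough, or whether each remote site needs its own object. The following is an added example for this thread (not the poster's configuration and not Cisco code): a small first-match model of the two static identity rules quoted above, using the object-groups exactly as posted. The Sherwood-remote and obj-any_* objects are not shown in the thread, so the rules that use them are left out. It assumes that a manual NAT rule whose source and destination are both static is matched in both directions; the packet-tracer output posted later in the thread is consistent with that assumption (the 192.168.142.25 to 10.20.4.10 flow is UN-NATed by the DIGI_VPN_SITES to formac-remote rule). With that model the second rule is never reached for formac to DIGI traffic, because the first rule already covers the return direction.

```python
"""First-match model of the ASA manual (twice) NAT rules posted above.

Added example for this thread, not the poster's or Cisco's code; runs offline.
Assumption: a static/static manual NAT rule is matched in both directions.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# object-groups exactly as posted in the thread
OBJECT_GROUPS = {
    "DIGI_VPN_SITES": ["10.20.3.0/24", "10.20.4.0/24", "10.20.12.0/24", "10.20.5.0/24"],
    "formac-remote": ["192.168.142.0/24"],
    "Calverton-remote": ["10.20.4.0/24"],
}


@dataclass(frozen=True)
class NatRule:
    number: int    # position in the NAT table; the ASA tries rules in this order
    src_obj: str   # real source object-group
    dst_obj: str   # real destination object-group
    static: bool   # True when both source and destination are static


# the two static (outside,outside) identity rules from the post, in the order shown
NAT_RULES = [
    NatRule(1, "DIGI_VPN_SITES", "formac-remote", static=True),
    NatRule(2, "formac-remote", "DIGI_VPN_SITES", static=True),
]


def networks(name: str) -> List[ipaddress.IPv4Network]:
    return [ipaddress.ip_network(n) for n in OBJECT_GROUPS[name]]


def in_group(ip: str, name: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks(name))


def covered_by(inner: str, outer: str) -> bool:
    """True when every network in object-group `inner` lies inside some network of `outer`."""
    return all(any(n.subnet_of(o) for o in networks(outer)) for n in networks(inner))


def first_match(src_ip: str, dst_ip: str) -> Optional[Tuple[int, str]]:
    """Return (rule number, 'forward'|'reverse') for the first rule a flow hits, or None."""
    for rule in NAT_RULES:
        if in_group(src_ip, rule.src_obj) and in_group(dst_ip, rule.dst_obj):
            return rule.number, "forward"
        # assumption: static/static rules also translate the return direction
        if rule.static and in_group(src_ip, rule.dst_obj) and in_group(dst_ip, rule.src_obj):
            return rule.number, "reverse"
    return None


def shadowed_rules() -> List[Tuple[int, int]]:
    """(later rule, earlier rule) pairs where the earlier rule already catches every flow of the later one."""
    shadowed = []
    for i, later in enumerate(NAT_RULES):
        for earlier in NAT_RULES[:i]:
            same_dir = covered_by(later.src_obj, earlier.src_obj) and covered_by(later.dst_obj, earlier.dst_obj)
            rev_dir = earlier.static and covered_by(later.src_obj, earlier.dst_obj) \
                and covered_by(later.dst_obj, earlier.src_obj)
            if same_dir or rev_dir:
                shadowed.append((later.number, earlier.number))
                break
    return shadowed


if __name__ == "__main__":
    for src, dst in [("192.168.142.25", "10.20.4.10"), ("10.20.4.10", "192.168.142.25"),
                     ("10.20.4.10", "10.20.5.10")]:
        print(f"{src} -> {dst}: {first_match(src, dst)}")
    print("shadowed rules:", shadowed_rules())
```

The group-versus-single-object question comes out as a containment check: Calverton-remote (10.20.4.0/24) is covered by DIGI_VPN_SITES, so a flow from that subnet hits rule 1 whether or not a narrower per-site rule exists later in the table. The model says nothing about the dynamic interface-PAT rules or about why the flow is later dropped in the VPN phase; it only tells you which NAT rule the ASA will consult first.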
02-22-2019 12:41 AM
Here are the packet tracer results:
vpn# packet-tracer input outside icmp 192.168.142.25 0 0 10.20.4.10
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (outside,outside) source static DIGI_VPN_SITES DIGI_VPN_SITES destination static formac-remote formac-remote
Additional Information:
NAT divert to egress interface outside
Untranslate 10.20.4.10/0 to 10.20.4.10/0
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group incoming-outside in interface outside
access-list incoming-outside extended permit icmp any any
Additional Information:
Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (outside,outside) source static DIGI_VPN_SITES DIGI_VPN_SITES destination static formac-remote formac-remote
Additional Information:
Static translate 192.168.142.25/0 to 192.168.142.25/0
Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: DROP
Config:
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
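Reading a long packet-tracer listing by eye is error-prone; the phase that actually drops the flow is the one to look at, and the NAT and UN-NAT phases tell you which rule diverted the packet back out of the outside interface. The following is an added example for this thread (not the poster's or Cisco's code): a parser for ASA packet-tracer output that returns the phases, the final result block, the first DROP phase and the NAT rules consulted. The embedded sample is the output posted above, abridged to the UN-NAT, ACL, NAT and VPN phases plus the result block, with the phase numbers kept as the ASA printed them.

```python
"""Parse Cisco ASA packet-tracer output and pull out the phase that dropped the flow.

Added example for this thread, not the poster's or Cisco's code; runs offline.
"""
import re

# abridged copy of the packet-tracer output posted in the thread
PACKET_TRACER_OUTPUT = """\
Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (outside,outside) source static DIGI_VPN_SITES DIGI_VPN_SITES destination static formac-remote formac-remote
Additional Information:
NAT divert to egress interface outside
Untranslate 10.20.4.10/0 to 10.20.4.10/0
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group incoming-outside in interface outside
access-list incoming-outside extended permit icmp any any
Additional Information:
Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (outside,outside) source static DIGI_VPN_SITES DIGI_VPN_SITES destination static formac-remote formac-remote
Additional Information:
Static translate 192.168.142.25/0 to 192.168.142.25/0
Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: DROP
Config:
Additional Information:
Result:
input-interface: outside
output-interface: outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

PHASE_FIELDS = ("Type", "Subtype", "Result")


def parse_packet_tracer(text):
    """Return (phases, summary); each phase carries phase/type/subtype/result/config/info."""
    phases, summary, current, section, in_summary = [], {}, None, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if in_summary:                        # trailing "key: value" block after the bare "Result:"
            key, _, value = line.partition(":")
            summary[key.strip()] = value.strip()
        elif line.startswith("Phase:"):
            current = {"phase": int(line.split(":", 1)[1]), "config": [], "info": []}
            phases.append(current)
            section = None
        elif line == "Result:":               # a bare "Result:" opens the final summary block
            in_summary = True
        elif line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        elif current is not None:
            key, sep, value = line.partition(":")
            if sep and key in PHASE_FIELDS:   # "Type: NAT", "Result: ALLOW", "Subtype:" (empty)
                current[key.lower()] = value.strip()
            elif section:                     # free-form config or info line under the current heading
                current[section].append(line)
    return phases, summary


def first_drop(phases):
    """The first phase whose Result is DROP; packet-tracer stops evaluating there."""
    return next((p for p in phases if p.get("result") == "DROP"), None)


def drop_code(summary):
    """The parenthesised code at the start of Drop-reason, e.g. 'acl-drop'."""
    m = re.match(r"\((?P<code>[^)]+)\)", summary.get("Drop-reason", ""))
    return m.group("code") if m else None


def nat_rules_hit(phases):
    """Every 'nat ...' line quoted under a NAT or UN-NAT phase, in order."""
    return [c for p in phases if p.get("type") in ("NAT", "UN-NAT")
            for c in p["config"] if c.startswith("nat ")]


if __name__ == "__main__":
    phases, summary = parse_packet_tracer(PACKET_TRACER_OUTPUT)
    drop = first_drop(phases)
    print(f"dropped in phase {drop['phase']} ({drop['type']}/{drop['subtype']}), code={drop_code(summary)}")
    print("NAT rules consulted:", nat_rules_hit(phases))
```

On the posted output this reports a drop in phase 8 (VPN / ipsec-tunnel-flow) with code acl-drop, after the same (outside,outside) rule was consulted in both the UN-NAT and NAT phases; the drop is therefore raised in the IPsec flow check, not in the interface access-list phase, which had already allowed the packet.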
02-22-2019 12:49 AM
02-24-2019 12:29 PM
Thank you so much for the replies.
Unfortunately, I don't have full access on the ASA so I can't run certain commands. I will run the debugger and send pings in the morning and will feed back the results. The same applies to the 'show nat detail' command.
To confirm, yes I am pinging from the main ASA. I'm unable to specify a source, again perhaps due to my restricted permissions, but will attempt this tomorrow morning. I've also posted output of the 'show access-list formac' and 'show crypto ipsec sa peer 35.176.80.84' commands.
vpn# ping 10.20.4.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.20.4.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 50/56/60 ms
vpn# ping 10.20.4.1 ?
data specify data pattern
repeat specify repeat count
size specify datagram size
timeout specify timeout interval
validate validate reply data
<cr>
vpn# ping 192.168.142.25
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.142.25, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
vpn# ping 192.168.142.25 ?
data specify data pattern
repeat specify repeat count
size specify datagram size
timeout specify timeout interval
validate validate reply data
<cr>
=========================================================================================================================
vpn# show access-list Formac
access-list Formac; 12 elements; name hash: 0x3a4a345c
access-list Formac line 1 extended permit ip object-group formac-local object-group formac-remote (hitcnt=694216) 0xf004809a
access-list Formac line 1 extended permit ip 10.99.206.0 255.255.255.0 192.168.142.0 255.255.255.0 (hitcnt=143867) 0x67f78194
access-list Formac line 1 extended permit ip 10.99.240.0 255.255.255.0 192.168.142.0 255.255.255.0 (hitcnt=0) 0x9e342d38
access-list Formac line 1 extended permit ip 10.99.241.0 255.255.255.0 192.168.142.0 255.255.255.0 (hitcnt=154897) 0x3a5d8483
access-list Formac line 1 extended permit ip 10.99.242.0 255.255.255.0 192.168.142.0 255.255.255.0 (hitcnt=51) 0x1f2df50c
access-list Formac line 1 extended permit ip 10.99.243.0 255.255.255.0 192.168.142.0 255.255.255.0 (hitcnt=0) 0x3089d4fd
access-list Formac line 1 extended permit ip 10.1.0.0 255.255.0.0 192.168.142.0 255.255.255.0 (hitcnt=0) 0x973f8be3
access-list Formac line 1 extended permit ip 10.2.0.0 255.255.0.0 192.168.142.0 255.255.255.0 (hitcnt=0) 0x890ab788
access-list Formac line 1 extended permit ip 10.20.3.0 255.255.255.0 192.168.142.0 255.255.255.0 (hitcnt=336) 0xb263d1ad
access-list Formac line 1 extended permit ip 10.20.4.0 255.255.255.0 192.168.142.0 255.255.255.0 (hitcnt=394454) 0x6d3eca4e
access-list Formac line 1 extended permit ip 10.20.12.0 255.255.255.0 192.168.142.0 255.255.255.0 (hitcnt=336) 0x6b37dd12
access-list Formac line 1 extended permit ip 10.20.5.0 255.255.255.0 192.168.142.0 255.255.255.0 (hitcnt=382) 0x77ea7571
access-list Formac line 2 extended permit ip any4 object-group formac-remote (hitcnt=184) 0x4661225b
access-list Formac line 2 extended permit ip any4 192.168.142.0 255.255.255.0 (hitcnt=184) 0xc9b1302e
=========================================================================================================================
vpn# show crypto ipsec sa peer 35.176.80.84
peer address: 35.176.80.84
Crypto map tag: external-vpns, seq num: 600, local addr: 195.12.22.33
access-list Formac extended permit ip any 192.168.142.0 255.255.255.0
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.142.0/255.255.255.0/0/0)
current_peer: 35.176.80.84
#pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14
#pkts decaps: 202708, #pkts decrypt: 202708, #pkts verify: 202708
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 14, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 195.12.22.33/4500, remote crypto endpt.: 35.176.80.84/4500
path mtu 1500, ipsec overhead 82(52), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 2F61A8A2
current inbound spi : E53C5820
inbound esp sas:
spi: 0xE53C5820 (3845937184)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, NAT-T-Encaps, PFS Group 2, IKEv1, }
slot: 0, conn_id: 221884416, crypto-map: external-vpns
sa timing: remaining key lifetime (kB/sec): (4373827/2522)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x2F61A8A2 (794929314)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, NAT-T-Encaps, PFS Group 2, IKEv1, }
slot: 0, conn_id: 221884416, crypto-map: external-vpns
sa timing: remaining key lifetime (kB/sec): (4374000/2522)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
=========================================================================================================================
I agree with your suggestion and will remove that second ACL for formac. With regards to the formac-local and formac-remote ACLs, I inherited this configuration so I'm not fully certain of the reasons behind some of it, but it seems a bit convoluted. There's also another group called 'DIGI_VPN_SITES'. This also contains Site A 10.20.4.0 /24 and allows access to Formac-Remote.
I'll send further results tomorrow.
Thanks
B