Connect from VPN to a site to site VPN
Hello everyone. Let me see if I can explain the problem I am having. Our office uses Cisco VPN for our remote users to connect. We use the VPN client and the Anyconnect cliet and they work just fine. We also have a site-to-site vpn with a customer and that works fine when you are in the office. The problem occurs if you are using the VPN cliet to connect to the office and then you try to traverse the site to site vpn. I believe this has to be a NAT issue. I know that I should not be nating the VPN traffic when it leaves the Firewall. I have posted what I think is relavent below.
access-list INSIDE_nat0_outbound extended permit ip any 10.3.1.0 255.255.255.252
access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 172.30.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.1.1.4 255.255.255.252 10.3.1.0 255.255.255.252
access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 172.31.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 172.16.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 159.105.186.112 255.255.255.248 10.1.1.8 255.255.255.252
access-list inside_nat0_outbound extended permit ip 172.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0
access-list OUTSIDE_nat0_outbound extended permit ip any 159.105.186.112 255.255.255.248
access-list OUTSIDE_nat0_outbound extended permit ip 10.1.1.8 255.255.255.252 any
access-list OUTSIDE_nat0_outbound extended permit ip 172.30.1.0 255.255.255.0 172.31.0.0 255.255.0.0
access-list DMZ_nat0_outbound extended permit ip 172.31.0.0 255.255.0.0 172.16.0.0 255.255.0.0
access-list DMZ_nat0_outbound extended permit ip 172.31.0.0 255.255.0.0 172.30.1.0 255.255.255.0
access-list OUTSIDE_nat_static extended permit object-group TCPUDP host 24.181.250.10 object-group VPN any object-group VPN
access-list OUTSIDE_nat0_outbound_1 extended permit ip any host 24.181.250.14
flow-export destination INSIDE 172.16.3.45 9999
nat (INSIDE) 0 access-list inside_nat0_outbound
nat (INSIDE) 20 access-list REMOTE-Site-to-Site-NAT
nat (INSIDE) 1 10.1.1.0 255.255.255.0
nat (INSIDE) 1 172.16.0.0 255.255.0.0
nat (INSIDE) 1 172.17.0.0 255.255.0.0
nat (DMZ) 0 access-list DMZ_nat0_outbound
nat (DMZ) 1 172.31.0.0 255.255.0.0
nat (OUTSIDE) 0 access-list OUTSIDE_nat0_outbound
nat (OUTSIDE) 0 access-list OUTSIDE_nat0_outbound_1 outside
nat (CONNECTION-TO-CSC_SSM) 1 10.1.1.14 255.255.255.255
crypto map outside_map 20 set nat-t-disable
flow-export event-type all destination 172.16.3.45
flow-export event-type all destination 172.16.3.45
When I run a packet trace in the Cisco ASA 5510 where this occurs I get the Packet is dropped because of Ipsec Spoofing.
Thank you very much for any help.
Tom
access-list INSIDE_nat0_outbound extended permit ip any 10.3.1.0 255.255.255.252
access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 172.30.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.1.1.4 255.255.255.252 10.3.1.0 255.255.255.252
access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 172.31.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 172.16.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 159.105.186.112 255.255.255.248 10.1.1.8 255.255.255.252
access-list inside_nat0_outbound extended permit ip 172.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0
access-list OUTSIDE_nat0_outbound extended permit ip any 159.105.186.112 255.255.255.248
access-list OUTSIDE_nat0_outbound extended permit ip 10.1.1.8 255.255.255.252 any
access-list OUTSIDE_nat0_outbound extended permit ip 172.30.1.0 255.255.255.0 172.31.0.0 255.255.0.0
access-list DMZ_nat0_outbound extended permit ip 172.31.0.0 255.255.0.0 172.16.0.0 255.255.0.0
access-list DMZ_nat0_outbound extended permit ip 172.31.0.0 255.255.0.0 172.30.1.0 255.255.255.0
access-list OUTSIDE_nat_static extended permit object-group TCPUDP host 24.181.250.10 object-group VPN any object-group VPN
access-list OUTSIDE_nat0_outbound_1 extended permit ip any host 24.181.250.14
flow-export destination INSIDE 172.16.3.45 9999
nat (INSIDE) 0 access-list inside_nat0_outbound
nat (INSIDE) 20 access-list REMOTE-Site-to-Site-NAT
nat (INSIDE) 1 10.1.1.0 255.255.255.0
nat (INSIDE) 1 172.16.0.0 255.255.0.0
nat (INSIDE) 1 172.17.0.0 255.255.0.0
nat (DMZ) 0 access-list DMZ_nat0_outbound
nat (DMZ) 1 172.31.0.0 255.255.0.0
nat (OUTSIDE) 0 access-list OUTSIDE_nat0_outbound
nat (OUTSIDE) 0 access-list OUTSIDE_nat0_outbound_1 outside
nat (CONNECTION-TO-CSC_SSM) 1 10.1.1.14 255.255.255.255
crypto map outside_map 20 set nat-t-disable
flow-export event-type all destination 172.16.3.45
flow-export event-type all destination 172.16.3.45
When I run a packet trace in the Cisco ASA 5510 where this occurs I get the Packet is dropped because of Ipsec Spoofing.
Thank you very much for any help.
Tom
ASKER
Well I think there is one issue with this. We are connected to the customers site with a site to site vpn between 2 Cisco ASA 5510s. In order for this to work it must look like the data is still coming from our public Ip address. If it does not then it will not work. Can you tell me if this is the case. Because when I view our access-list for crypto map it only has our public IP address and non of our private addressing at all. Please let me know if this makes sense.
First off Pete nice site.
Secondly, for this to work you have to modify both ends, fixing just your end will not correct the problem.
Lastly, I have to admit a couple of your statements have me confused. Possibly we can clear some things up with these questions.
Local Private address range =
Remote Private address range =
VPN pool address range =
A full config help as well but we can start here.
What code version is running on this asa?
Something to think about is this is a 3 piece puzzle and all pieces need to be done correctly on both end device for it to work.
First the ASA needs to have NAT rules that tell it not to NAT traffic from your private network. It also needs a rule to tell it not to NAT the traffic from the VPN pool to the remote site.
Secondly your crypto maps need to tell the device that traffic from Your private IP address and traffic from your VPN pool are interesting traffic and should be allowed across the vpn site to site tunnel.
Lastly you need to enable these:
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
Regards,
3nerds
Secondly, for this to work you have to modify both ends, fixing just your end will not correct the problem.
Lastly, I have to admit a couple of your statements have me confused. Possibly we can clear some things up with these questions.
Local Private address range =
Remote Private address range =
VPN pool address range =
A full config help as well but we can start here.
What code version is running on this asa?
Something to think about is this is a 3 piece puzzle and all pieces need to be done correctly on both end device for it to work.
First the ASA needs to have NAT rules that tell it not to NAT traffic from your private network. It also needs a rule to tell it not to NAT the traffic from the VPN pool to the remote site.
Secondly your crypto maps need to tell the device that traffic from Your private IP address and traffic from your VPN pool are interesting traffic and should be allowed across the vpn site to site tunnel.
Lastly you need to enable these:
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
Regards,
3nerds
ASKER
I have attached a modified config. You are right Pete has a great site. Let us start with my end and I can notifiy the customer of changes they need to make.
ASA Version 8.2(1)11
My local network runs a 172.16.0.0/16 and 172.31.0.0/16 for DMZ
My VPn Clients run a 172.31.1.0/24 network range.
My customers remote site conntect to an ASA peer of 161.xxx.xxx.xxx there are 6 machines there that all have a 161.xxx.xxx.xxx ip address as well. So there is no private ip address on the other end.
I have already enable these 2 commands before today
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
Please let me know if you need other information.
modified-config
ASA Version 8.2(1)11
My local network runs a 172.16.0.0/16 and 172.31.0.0/16 for DMZ
My VPn Clients run a 172.31.1.0/24 network range.
My customers remote site conntect to an ASA peer of 161.xxx.xxx.xxx there are 6 machines there that all have a 161.xxx.xxx.xxx ip address as well. So there is no private ip address on the other end.
I have already enable these 2 commands before today
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
Please let me know if you need other information.
modified-config
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
http://www.petenetlive.com/KB/Article/0000040.htm