Connect from VPN to a site to site VPN

jeremymjackson
jeremymjackson used Ask the Experts™
on
Hello everyone. Let me see if I can explain the problem I am having. Our office uses Cisco VPN for our remote users to connect. We use the VPN client and the Anyconnect cliet and they work just fine. We also have a site-to-site vpn with a customer and that works fine when you are in the office. The problem occurs if you are using the VPN cliet to connect to the office and then you try to traverse the site to site vpn. I believe this has to be a NAT issue. I know that I should not be nating the VPN traffic when it leaves the Firewall. I have posted what I think is relavent below.

access-list INSIDE_nat0_outbound extended permit ip any 10.3.1.0 255.255.255.252
access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 172.30.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.1.1.4 255.255.255.252 10.3.1.0 255.255.255.252
access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 172.31.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 172.16.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 159.105.186.112 255.255.255.248 10.1.1.8 255.255.255.252
access-list inside_nat0_outbound extended permit ip 172.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0
access-list OUTSIDE_nat0_outbound extended permit ip any 159.105.186.112 255.255.255.248
access-list OUTSIDE_nat0_outbound extended permit ip 10.1.1.8 255.255.255.252 any
access-list OUTSIDE_nat0_outbound extended permit ip 172.30.1.0 255.255.255.0 172.31.0.0 255.255.0.0
access-list DMZ_nat0_outbound extended permit ip 172.31.0.0 255.255.0.0 172.16.0.0 255.255.0.0
access-list DMZ_nat0_outbound extended permit ip 172.31.0.0 255.255.0.0 172.30.1.0 255.255.255.0
access-list OUTSIDE_nat_static extended permit object-group TCPUDP host 24.181.250.10 object-group VPN any object-group VPN
access-list OUTSIDE_nat0_outbound_1 extended permit ip any host 24.181.250.14
flow-export destination INSIDE 172.16.3.45 9999
nat (INSIDE) 0 access-list inside_nat0_outbound
nat (INSIDE) 20 access-list REMOTE-Site-to-Site-NAT
nat (INSIDE) 1 10.1.1.0 255.255.255.0
nat (INSIDE) 1 172.16.0.0 255.255.0.0
nat (INSIDE) 1 172.17.0.0 255.255.0.0
nat (DMZ) 0 access-list DMZ_nat0_outbound
nat (DMZ) 1 172.31.0.0 255.255.0.0
nat (OUTSIDE) 0 access-list OUTSIDE_nat0_outbound
nat (OUTSIDE) 0 access-list OUTSIDE_nat0_outbound_1 outside
nat (CONNECTION-TO-CSC_SSM) 1 10.1.1.14 255.255.255.255
crypto map outside_map 20 set nat-t-disable
  flow-export event-type all destination 172.16.3.45
  flow-export event-type all destination 172.16.3.45


When I run a packet trace in the Cisco ASA 5510 where this occurs I get the Packet is dropped because of Ipsec Spoofing.
Thank you very much for any help.

Tom
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Pete LongTechnical Consultant

Commented:
Its not a nat issue - its a crytomap issue you want to do hub-spoke hairpinning see my website here..............
http://www.petenetlive.com/KB/Article/0000040.htm
 
 

Author

Commented:
Well I think there is one issue with this. We are connected to the customers site with a site to site vpn between 2 Cisco ASA 5510s. In order for this to work it must look like the data is still coming from our public Ip address. If it does not then it will not work. Can you tell me if this is the case. Because when I view our access-list for crypto map it only has our public IP address and non of our private addressing at all. Please let me know if this makes sense.
First off Pete nice site.

Secondly, for this to work you have to modify both ends, fixing just your end will not correct the problem.

Lastly, I have to admit a couple of your statements have me confused. Possibly we can clear some things up with these questions.

Local Private address range =
Remote Private address range =
VPN pool address range =

A full config help as well but we can start here.

What code version is running on this asa?

Something to think about is this is a 3 piece puzzle and all pieces need to be done correctly on both end device for it to work.

First the ASA needs to have NAT rules that tell it not to NAT traffic from your private network. It also needs a rule to tell it not to NAT the traffic from the VPN pool to the remote site.

Secondly your crypto maps need to tell the device that traffic from Your private IP address and traffic from your VPN pool are interesting traffic and should be allowed across the vpn site to site tunnel.

Lastly you need to enable these:

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

Regards,

3nerds

Author

Commented:
I have attached a modified config. You are right Pete has a great site. Let us start with my end and I can notifiy the customer of changes they need to make.
ASA Version 8.2(1)11

My local network runs a 172.16.0.0/16 and 172.31.0.0/16 for DMZ
My VPn Clients run a 172.31.1.0/24 network range.
My customers remote site conntect to an ASA peer of 161.xxx.xxx.xxx there are 6 machines there that all have a 161.xxx.xxx.xxx ip address as well. So there is no private ip address on the other end.

I have already enable these 2 commands before today
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

Please let me know if you need other information.
modified-config
From a NAT side of things this looks pretty good. Now the reverse needs to be on the other side. Boy do you have a lot of object groups.
access-list CBT-NAT extended permit ip 172.16.0.0 255.255.224.0 161.xxx.xxx.xxx 255.255.255.0  --> Your Private to the other side
access-list CBT-NAT extended permit ip object-group VPNPOOL 161.xxx.xxx.xxx 255.255.255.0 --> your vpnpool to the other side

Crypo - You already have all of the lines for your private to the other side so you just need to fix from VPNPOOL to the other side:

access-list CBT-VPN extended permit ip 172.31.0.0 255.255.0.0 host 161.xxx.xxx.xxx   This looks correct, but seeing how the others maps appear to do a one for one, you are going to have to most likely do that for these as well. unless the 161 side address doesn't change.

You will need to duplicate all of this on the other end as well.

Good Luck,

3nerds

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial