ASA55xx hairpin VPN between Client and L2L VPNs

I'm attempting to set up hairpinning between VPN clients and an ASA5505 (version 7.2), with an ASA5510 (Version 8.4) as the hub.

The VPN clients have an IP of 10.70.56.x, the hub subnet is 10.70.0.x, and the spoke subnet is 172.15.50.x. There are two L2L VPNs, the one I'm trying to hairpin right now is the LA_LAN.

When I ping the spoke subnet (ex 172.15.50.28) from any device on the hub LAN (10.70.x.x) it works. Similarly, I can ping any VPN clients from the hub LAN, so I know individually everything is working, with one possible exception - I can't ping any VPN devices from the hub ASA5510 itself. I don't know if that's part of the problem, or has to do with ASA security settings. (I'd love to change that eventually, but it's not my focus here).

I'd much appreciate it if someone can spot what I'm missing in the config. I'm guessing it has to do with NAT or access lists, but I'm missing it. One possibility is that I frequently use 10.70.x.x as a catch-all for the entire hub LAN, which includes the VPN clients (but not the spoke VPN). I tried more specific subnets at times but didn't see any change.

Many thanks.

Config for the Hub, ASA5510


names
!
interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 10.70.0.3 255.255.255.0 
!
interface Ethernet0/1
 nameif outside
 security-level 0
 ip address 50.74.210.20 255.255.255.248 
!
interface Ethernet0/2
 nameif secondary
 security-level 0
 ip address 208.33.109.235 255.255.255.224 
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 ip address 192.168.15.1 255.255.255.0 
 management-only
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
!
object network NETWORK_LAN
 subnet 10.70.0.0 255.255.0.0
object network WORKSTATION_LAN
 subnet 10.70.50.0 255.255.255.0
object network BO_LAN
 subnet 10.70.0.0 255.255.0.0
object network BO_LAN_02
 subnet 10.70.0.0 255.255.0.0
object network obj-kcelauro
 host 192.168.254.254
 description Static IP for kcelauro VPN
object network BONY_VPN_POOL
 subnet 10.70.55.0 255.255.255.0
object network CLIENT_VPN_POOL
 subnet 10.70.56.0 255.255.255.0
object network NETWORK_LAN_02
 subnet 10.70.0.0 255.255.0.0
object network LA_LAN
 subnet 172.15.0.0 255.255.0.0
object network Sausalito_LAN
 subnet 172.21.0.0 255.255.0.0
object network CLIENT_VPN_NAT
 subnet 10.70.56.0 255.255.255.0
!
object-group icmp-type icmp_traffic
 icmp-object echo-reply
 icmp-object source-quench
 icmp-object unreachable
 icmp-object time-exceeded
 icmp-object echo
!
access-list PERMIT_IN extended permit icmp any any object-group icmp_traffic 
access-list splitVPN standard permit 10.70.0.0 255.255.0.0 
access-list splitVPN standard permit 172.15.0.0 255.255.0.0 
access-list splitVPN standard permit 172.16.0.0 255.255.0.0 
access-list splitVPN standard permit 172.17.0.0 255.255.0.0 
access-list splitVPN standard permit 172.19.0.0 255.255.0.0 
access-list splitVPN standard permit 172.21.0.0 255.255.0.0 
access-list splitVPN standard permit 172.23.0.0 255.255.0.0 
access-list splitVPN standard permit 172.25.0.0 255.255.0.0 
access-list splitVPN standard permit 206.0.0.0 255.255.255.0 
access-list outside_cryptomap extended permit ip object BO_LAN object LA_LAN 
access-list outside_cryptomap extended permit ip object CLIENT_VPN_POOL object LA_LAN 
access-list outside_cryptomap_1 extended permit ip object BO_LAN object Sausalito_LAN 
!
ip local pool bonyvpnpool1 10.70.56.111-10.70.56.199 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
!
nat (inside,any) source static BO_LAN BO_LAN destination static LA_LAN LA_LAN no-proxy-arp
nat (inside,any) source static BO_LAN BO_LAN destination static Sausalito_LAN Sausalito_LAN no-proxy-arp
nat (inside,any) source static BO_LAN BO_LAN destination static CLIENT_VPN_POOL CLIENT_VPN_POOL no-proxy-arp
!
object network BO_LAN
 nat (inside,outside) dynamic interface
object network BO_LAN_02
 nat (inside,secondary) dynamic interface
access-group PERMIT_IN in interface outside
access-group PERMIT_IN in interface secondary
route outside 0.0.0.0 0.0.0.0 50.74.210.17 1 track 10
route secondary 0.0.0.0 0.0.0.0 208.33.109.226 50 track 20
route secondary 4.2.2.1 255.255.255.255 208.33.109.226 1
route inside 10.70.10.0 255.255.255.0 10.70.0.1 1
route inside 10.70.50.0 255.255.255.0 10.70.0.1 1
route inside 10.70.150.0 255.255.255.0 10.70.0.1 1
route inside 10.250.250.0 255.255.255.0 10.70.0.1 1
route inside 139.61.248.231 255.255.255.255 10.70.0.1 1
route inside 172.16.0.0 255.255.0.0 10.70.0.1 1
route inside 172.19.0.0 255.255.0.0 10.70.0.1 1
route inside 172.25.0.0 255.255.0.0 10.70.0.1 1
route inside 206.0.0.0 255.255.255.0 10.70.0.1 1
dynamic-access-policy-record DfltAccessPolicy
!
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 66.92.40.234 
crypto map outside_map 1 set ikev1 transform-set (a buncha transform sets...)
crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 2 match address outside_cryptomap_1
crypto map outside_map 2 set pfs group1
crypto map outside_map 2 set peer 173.164.149.197 
crypto map outside_map 2 set ikev1 transform-set (a buncha transform sets...)
crypto map outside_map 2 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map secondary_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map secondary_map interface secondary
crypto isakmp identity address 
crypto isakmp disconnect-notify
!
group-policy GroupPolicy_173.164.149.197 internal
group-policy GroupPolicy_173.164.149.197 attributes
 vpn-tunnel-protocol ikev1 ikev2 
group-policy GroupPolicy_66.92.40.234 internal
group-policy GroupPolicy_66.92.40.234 attributes
 vpn-tunnel-protocol ikev1 ikev2 
group-policy bonyvpn internal
group-policy bonyvpn attributes
 dns-server value 10.70.50.5
 vpn-tunnel-protocol ikev1 l2tp-ipsec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value splitVPN
 default-domain value belardiostroy.local
 split-dns value bo.local alc.local
 split-tunnel-all-dns disable
!
tunnel-group bonyvpn type remote-access
tunnel-group bonyvpn general-attributes
 address-pool bonyvpnpool1
 authentication-server-group nycradius LOCAL
 default-group-policy bonyvpn
tunnel-group bonyvpn ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group 66.92.40.234 type ipsec-l2l
tunnel-group 66.92.40.234 general-attributes
 default-group-policy GroupPolicy_66.92.40.234
tunnel-group 66.92.40.234 ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
tunnel-group 173.164.149.197 type ipsec-l2l
tunnel-group 173.164.149.197 general-attributes
 default-group-policy GroupPolicy_173.164.149.197
tunnel-group 173.164.149.197 ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
!
service-policy global_policy global


Config for Spoke, ASA5505

names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.15.10.11 255.255.0.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 66.92.40.234 255.255.255.0 
!
interface Ethernet0/0
 switchport access vlan 2
!
access-list inside_nat0_outbound extended permit ip 172.15.0.0 255.255.0.0 172.25.0.0 255.255.0.0 
access-list inside_nat0_outbound extended permit ip 172.15.0.0 255.255.0.0 206.0.0.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 172.15.0.0 255.255.0.0 172.16.0.0 255.255.0.0 
access-list inside_nat0_outbound extended permit ip 172.15.0.0 255.255.0.0 10.70.56.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 172.15.0.0 255.255.0.0 10.70.0.0 255.255.0.0 
access-list outside_2_cryptomap extended permit ip 172.15.0.0 255.255.0.0 172.25.0.0 255.255.0.0 
access-list outside_2_cryptomap extended permit ip 172.15.0.0 255.255.0.0 206.0.0.0 255.255.255.0 
access-list outside_3_cryptomap extended permit ip 172.15.0.0 255.255.0.0 172.16.0.0 255.255.0.0 
access-list outside_4_cryptomap extended permit ip 172.15.0.0 255.255.0.0 10.70.0.0 255.255.0.0 
access-list outside_4_cryptomap extended permit ip 172.15.0.0 255.255.0.0 172.21.0.0 255.255.0.0 
access-list outside_4_cryptomap extended permit ip 172.15.0.0 255.255.0.0 10.70.56.0 255.255.255.0 
!
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
!
route outside 0.0.0.0 0.0.0.0 66.92.40.1 1
!
crypto ipsec transform-set NJ2LA esp-3des esp-sha-hmac 
crypto ipsec transform-set LA2tarry esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set peer 206.158.98.2 
crypto map outside_map 2 set transform-set NJ2LA
crypto map outside_map 3 match address outside_3_cryptomap
crypto map outside_map 3 set peer 63.172.191.243 
crypto map outside_map 3 set transform-set LA2tarry
crypto map outside_map 3 set security-association lifetime seconds 86400
crypto map outside_map 4 match address outside_4_cryptomap
crypto map outside_map 4 set pfs group1
crypto map outside_map 4 set peer 50.74.210.20 
crypto map outside_map 4 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
dhcpd address 172.15.50.1-172.15.50.100 inside
dhcpd enable inside
!
tunnel-group 206.158.98.2 type ipsec-l2l
tunnel-group 206.158.98.2 ipsec-attributes
 pre-shared-key *
tunnel-group 63.172.191.243 type ipsec-l2l
tunnel-group 63.172.191.243 ipsec-attributes
 pre-shared-key *
tunnel-group 50.74.210.20 type ipsec-l2l
tunnel-group 50.74.210.20 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny 
  inspect sunrpc 
  inspect xdmcp 
  inspect sip 
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
prompt hostname context


Network Diagram
ptsolutions Asked:
John Meggers, Network Architect, Commented:
Basically you need to "no-nat" traffic between the client pool and the remote subnet.  I'm not as strong on post-8.3 NAT but I found this at https://supportforums.cisco.com/docs/DOC-11640:

Example of U-turning RA VPN traffic across another L2L (i.e. your VPN client connects to one ASA but needs to reach remote subnets at another ASA across a L2L tunnel)
 
Topology
192.168.1.0/24 inside(ASA1)outside===VPN==outside(ASA2)inside 192.168.2.0/24
                                             |
                                             ===VPN===VPN Client (vpnclient pool 192.168.3.0/24)
 
object network obj-vpnpool
     subnet 192.168.3.0 255.255.255.0
 
object network obj-remote
     subnet 192.168.2.0 255.255.255.0
 
nat (outside,outside) 1 source static obj-vpnpool obj-vpnpool destination static obj-remote obj-remote
 
You may also need the reverse (logs will indicate asymmetric entry) if you are running code without the fix for CSCth72642:
nat (outside,outside) 2 source static obj-remote obj-remote destination static obj-vpnpool obj-vpnpool
 
*Note: Due to bug CSCtf89372, I use the "1" in the command above to put the vpn nat statement at the top of all my nat statements.
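Applied to the objects already defined in the hub config in this thread, this is what the two statements above look like on the ASA5510, followed by the show and packet-tracer commands used to confirm the rule order and the hairpin path. This is an added example, not part of the original post or the Cisco document; the route-lookup keyword and the sample client address 10.70.56.111 (the first address in bonyvpnpool1) are assumptions.

```cisco
! Added example (not from the thread): hub ASA5510 hairpin NAT for the
! Client-VPN pool (CLIENT_VPN_POOL, 10.70.56.0/24) reaching the LA spoke
! (LA_LAN, 172.15.0.0/16). Both objects already exist in the hub config.
!
! Prerequisite, already present on the hub: decrypted client traffic enters
! and leaves on the same interface, which is only allowed by
same-security-traffic permit intra-interface
!
! Identity (no-NAT) rule, inserted at line 1 so it is evaluated before the
! existing (inside,any) twice-NAT rules. The interface pair is
! (outside,outside) because the VPN client and the L2L peer both sit
! behind "outside"; route-lookup (assumed available on this 8.4 release)
! makes the ASA pick the egress interface from the routing table instead
! of from the NAT rule itself.
nat (outside,outside) 1 source static CLIENT_VPN_POOL CLIENT_VPN_POOL destination static LA_LAN LA_LAN no-proxy-arp route-lookup
!
! Reverse rule for spoke-initiated traffic toward the client pool, as the
! commenter suggests when the code lacks the fix for CSCth72642.
nat (outside,outside) 2 source static LA_LAN LA_LAN destination static CLIENT_VPN_POOL CLIENT_VPN_POOL no-proxy-arp route-lookup
!
! The crypto ACLs already carry the matching proxy identity on both ends:
!   hub:   access-list outside_cryptomap ... object CLIENT_VPN_POOL object LA_LAN
!   spoke: access-list outside_4_cryptomap ... 172.15.0.0 255.255.0.0 10.70.56.0 255.255.255.0
! and the spoke exempts that pair from NAT in inside_nat0_outbound, so no
! spoke-side change is needed for this example.
!
! Verification on the hub:
! 1. confirm the two rules sit at the top of section 1 (manual NAT)
show running-config nat
show nat detail
! 2. trace a client packet to the spoke host the question pings; the NAT
!    phase should show the identity rule and the VPN phase the L2L tunnel
packet-tracer input outside icmp 10.70.56.111 8 0 172.15.50.28 detailed
! 3. after a real ping from a client, a second SA pair for the proxy
!    identity 10.70.56.0/24 <-> 172.15.0.0/16 should appear with the
!    LA peer, and its encaps/decaps counters should increase
show crypto ipsec sa peer 66.92.40.234
```

If packet-tracer reports the traffic dropped in the NAT phase by one of the (inside,any) rules, the new rule is not at position 1; re-enter it with the explicit line number.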

ptsolutions (Author) Commented:
And... I have it working. Think it was a combination of a number of things (as it often is) but the above was definitely a part of it. Will test it out more tonight and make sure I understand the finer details.
ptsolutions (Author) Commented:
Thank you jmeggers. Turns out that putting the vpn NAT statement at the top of the list was the key to getting it working. Your advice was spot on!