ptsolutions
asked on
ASA55xx hairpin VPN between Client and L2L VPNs
I'm attempting to set up hairpinning between VPN clients and an ASA5505 (version 7.2), with an ASA5510 (Version 8.4) as the hub.
The VPN clients have an IP of 10.70.56.x, the hub subnet is 10.70.0.x, and the spoke subnet is 172.15.50.x. There are two L2L VPNs; the one I'm trying to hairpin right now is the LA_LAN.
When I ping the spoke subnet (ex 172.15.50.28) from any devices on the hub LAN (10.70.x.x) it works. Similarly, I can ping any VPN clients from the hub LAN, so I know individually everything is working, with one possible exception - I can't ping any VPN devices from the hub ASA5510 itself. I don't know if that's part of the problem, or has to do with ASA security settings. (I'd love to change that eventually, but it's not my focus here).
I'd much appreciate it if someone can spot what I'm missing in the config. I'm guessing it has to do with NAT or access lists, but I'm missing it. One possibility is that I frequently use 10.70.x.x as a catch-all for the entire hub LAN, which includes the VPN clients (but not the spoke VPN). I tried more specific subnets at times but didn't see any change.
Many thanks.
Config for the Hub, ASA5510
names
!
interface Ethernet0/0
nameif inside
security-level 100
ip address 10.70.0.3 255.255.255.0
!
interface Ethernet0/1
nameif outside
security-level 0
ip address 50.74.210.20 255.255.255.248
!
interface Ethernet0/2
nameif secondary
security-level 0
ip address 208.33.109.235 255.255.255.224
!
interface Management0/0
shutdown
nameif management
security-level 100
ip address 192.168.15.1 255.255.255.0
management-only
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
!
object network NETWORK_LAN
subnet 10.70.0.0 255.255.0.0
object network WORKSTATION_LAN
subnet 10.70.50.0 255.255.255.0
object network BO_LAN
subnet 10.70.0.0 255.255.0.0
object network BO_LAN_02
subnet 10.70.0.0 255.255.0.0
object network obj-kcelauro
host 192.168.254.254
description Static IP for kcelauro VPN
object network BONY_VPN_POOL
subnet 10.70.55.0 255.255.255.0
object network CLIENT_VPN_POOL
subnet 10.70.56.0 255.255.255.0
object network NETWORK_LAN_02
subnet 10.70.0.0 255.255.0.0
object network LA_LAN
subnet 172.15.0.0 255.255.0.0
object network Sausalito_LAN
subnet 172.21.0.0 255.255.0.0
object network CLIENT_VPN_NAT
subnet 10.70.56.0 255.255.255.0
!
object-group icmp-type icmp_traffic
icmp-object echo-reply
icmp-object source-quench
icmp-object unreachable
icmp-object time-exceeded
icmp-object echo
!
access-list PERMIT_IN extended permit icmp any any object-group icmp_traffic
access-list splitVPN standard permit 10.70.0.0 255.255.0.0
access-list splitVPN standard permit 172.15.0.0 255.255.0.0
access-list splitVPN standard permit 172.16.0.0 255.255.0.0
access-list splitVPN standard permit 172.17.0.0 255.255.0.0
access-list splitVPN standard permit 172.19.0.0 255.255.0.0
access-list splitVPN standard permit 172.21.0.0 255.255.0.0
access-list splitVPN standard permit 172.23.0.0 255.255.0.0
access-list splitVPN standard permit 172.25.0.0 255.255.0.0
access-list splitVPN standard permit 206.0.0.0 255.255.255.0
access-list outside_cryptomap extended permit ip object BO_LAN object LA_LAN
access-list outside_cryptomap extended permit ip object CLIENT_VPN_POOL object LA_LAN
access-list outside_cryptomap_1 extended permit ip object BO_LAN object Sausalito_LAN
!
ip local pool bonyvpnpool1 10.70.56.111-10.70.56.199 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
!
nat (inside,any) source static BO_LAN BO_LAN destination static LA_LAN LA_LAN no-proxy-arp
nat (inside,any) source static BO_LAN BO_LAN destination static Sausalito_LAN Sausalito_LAN no-proxy-arp
nat (inside,any) source static BO_LAN BO_LAN destination static CLIENT_VPN_POOL CLIENT_VPN_POOL no-proxy-arp
!
object network BO_LAN
nat (inside,outside) dynamic interface
object network BO_LAN_02
nat (inside,secondary) dynamic interface
access-group PERMIT_IN in interface outside
access-group PERMIT_IN in interface secondary
route outside 0.0.0.0 0.0.0.0 50.74.210.17 1 track 10
route secondary 0.0.0.0 0.0.0.0 208.33.109.226 50 track 20
route secondary 4.2.2.1 255.255.255.255 208.33.109.226 1
route inside 10.70.10.0 255.255.255.0 10.70.0.1 1
route inside 10.70.50.0 255.255.255.0 10.70.0.1 1
route inside 10.70.150.0 255.255.255.0 10.70.0.1 1
route inside 10.250.250.0 255.255.255.0 10.70.0.1 1
route inside 139.61.248.231 255.255.255.255 10.70.0.1 1
route inside 172.16.0.0 255.255.0.0 10.70.0.1 1
route inside 172.19.0.0 255.255.0.0 10.70.0.1 1
route inside 172.25.0.0 255.255.0.0 10.70.0.1 1
route inside 206.0.0.0 255.255.255.0 10.70.0.1 1
dynamic-access-policy-record DfltAccessPolicy
!
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 66.92.40.234
crypto map outside_map 1 set ikev1 transform-set (a buncha transform sets...)
crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 2 match address outside_cryptomap_1
crypto map outside_map 2 set pfs group1
crypto map outside_map 2 set peer 173.164.149.197
crypto map outside_map 2 set ikev1 transform-set (a buncha transform sets...)
crypto map outside_map 2 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map secondary_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map secondary_map interface secondary
crypto isakmp identity address
crypto isakmp disconnect-notify
!
group-policy GroupPolicy_173.164.149.197 internal
group-policy GroupPolicy_173.164.149.197 attributes
vpn-tunnel-protocol ikev1 ikev2
group-policy GroupPolicy_66.92.40.234 internal
group-policy GroupPolicy_66.92.40.234 attributes
vpn-tunnel-protocol ikev1 ikev2
group-policy bonyvpn internal
group-policy bonyvpn attributes
dns-server value 10.70.50.5
vpn-tunnel-protocol ikev1 l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value splitVPN
default-domain value belardiostroy.local
split-dns value bo.local alc.local
split-tunnel-all-dns disable
!
tunnel-group bonyvpn type remote-access
tunnel-group bonyvpn general-attributes
address-pool bonyvpnpool1
authentication-server-group nycradius LOCAL
default-group-policy bonyvpn
tunnel-group bonyvpn ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 66.92.40.234 type ipsec-l2l
tunnel-group 66.92.40.234 general-attributes
default-group-policy GroupPolicy_66.92.40.234
tunnel-group 66.92.40.234 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group 173.164.149.197 type ipsec-l2l
tunnel-group 173.164.149.197 general-attributes
default-group-policy GroupPolicy_173.164.149.197
tunnel-group 173.164.149.197 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
Config for Spoke, ASA5505
names
!
interface Vlan1
nameif inside
security-level 100
ip address 172.15.10.11 255.255.0.0
!
interface Vlan2
nameif outside
security-level 0
ip address 66.92.40.234 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
access-list inside_nat0_outbound extended permit ip 172.15.0.0 255.255.0.0 172.25.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 172.15.0.0 255.255.0.0 206.0.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.15.0.0 255.255.0.0 172.16.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 172.15.0.0 255.255.0.0 10.70.56.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.15.0.0 255.255.0.0 10.70.0.0 255.255.0.0
access-list outside_2_cryptomap extended permit ip 172.15.0.0 255.255.0.0 172.25.0.0 255.255.0.0
access-list outside_2_cryptomap extended permit ip 172.15.0.0 255.255.0.0 206.0.0.0 255.255.255.0
access-list outside_3_cryptomap extended permit ip 172.15.0.0 255.255.0.0 172.16.0.0 255.255.0.0
access-list outside_4_cryptomap extended permit ip 172.15.0.0 255.255.0.0 10.70.0.0 255.255.0.0
access-list outside_4_cryptomap extended permit ip 172.15.0.0 255.255.0.0 172.21.0.0 255.255.0.0
access-list outside_4_cryptomap extended permit ip 172.15.0.0 255.255.0.0 10.70.56.0 255.255.255.0
!
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
!
route outside 0.0.0.0 0.0.0.0 66.92.40.1 1
!
crypto ipsec transform-set NJ2LA esp-3des esp-sha-hmac
crypto ipsec transform-set LA2tarry esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set peer 206.158.98.2
crypto map outside_map 2 set transform-set NJ2LA
crypto map outside_map 3 match address outside_3_cryptomap
crypto map outside_map 3 set peer 63.172.191.243
crypto map outside_map 3 set transform-set LA2tarry
crypto map outside_map 3 set security-association lifetime seconds 86400
crypto map outside_map 4 match address outside_4_cryptomap
crypto map outside_map 4 set pfs group1
crypto map outside_map 4 set peer 50.74.210.20
crypto map outside_map 4 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
!
dhcpd address 172.15.50.1-172.15.50.100 inside
dhcpd enable inside
!
tunnel-group 206.158.98.2 type ipsec-l2l
tunnel-group 206.158.98.2 ipsec-attributes
pre-shared-key *
tunnel-group 63.172.191.243 type ipsec-l2l
tunnel-group 63.172.191.243 ipsec-attributes
pre-shared-key *
tunnel-group 50.74.210.20 type ipsec-l2l
tunnel-group 50.74.210.20 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
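The asker's closing remark says the position of the VPN NAT statement was what mattered. On ASA 8.3 and later, the manual ("twice") NAT rules in section 1 are evaluated top-down and the first rule whose interface pair and source/destination networks match a flow wins, so a narrow identity rule placed below a broader one that already covers its networks can never be hit. The script below is an added example, not the asker's config or the accepted answer: it parses the hub's own object and nat lines from the post, evaluates the hub-LAN flow and the hairpinned VPN-client flow against them in order, and flags any rule that an earlier rule shadows. The (outside,outside) candidate rule and the broader BO_LAN rule used in the shadowing demonstration are constructed for illustration and are assumptions about what such a rule could look like, not the hidden solution.

```python
"""Model of ASA 8.3+ first-match evaluation of section-1 (twice) NAT rules.

Added example; not the asker's configuration nor the accepted answer.
Objects and nat lines are copied from the hub config in the post; the
(outside,outside) rules are constructed to show why rule position matters.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Objects copied from the hub (ASA5510) config in the post.
HUB_OBJECTS = """
object network BO_LAN
 subnet 10.70.0.0 255.255.0.0
object network CLIENT_VPN_POOL
 subnet 10.70.56.0 255.255.255.0
object network LA_LAN
 subnet 172.15.0.0 255.255.0.0
object network Sausalito_LAN
 subnet 172.21.0.0 255.255.0.0
"""

# Section-1 (manual) NAT rules copied from the hub config, in their posted order.
HUB_NAT = """
nat (inside,any) source static BO_LAN BO_LAN destination static LA_LAN LA_LAN no-proxy-arp
nat (inside,any) source static BO_LAN BO_LAN destination static Sausalito_LAN Sausalito_LAN no-proxy-arp
nat (inside,any) source static BO_LAN BO_LAN destination static CLIENT_VPN_POOL CLIENT_VPN_POOL no-proxy-arp
"""

# Constructed (assumption): an identity rule for the hairpinned client -> spoke flow.
CANDIDATE = "nat (outside,outside) source static CLIENT_VPN_POOL CLIENT_VPN_POOL destination static LA_LAN LA_LAN"
# Constructed (assumption): the "10.70.x.x catch-all" the asker mentions, on the same interface pair.
BROAD = "nat (outside,outside) source static BO_LAN BO_LAN destination static LA_LAN LA_LAN"


@dataclass
class NatRule:
    real_if: str
    mapped_if: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    text: str


def parse_objects(text: str) -> dict:
    """Collect 'object network NAME' / 'subnet ADDR MASK' pairs into a name -> network map."""
    objs, name = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*object network (\S+)", line)
        if m:
            name = m.group(1)
            continue
        m = re.match(r"\s*subnet (\S+) (\S+)", line)
        if m and name:
            objs[name] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
    return objs


NAT_RE = re.compile(r"nat \((\w+),(\w+)\) source static (\S+) \S+ destination static (\S+) \S+")


def parse_nat(text: str, objs: dict) -> List[NatRule]:
    """Parse static twice-NAT lines, preserving their order (order is the evaluation order)."""
    rules = []
    for line in text.splitlines():
        m = NAT_RE.search(line)
        if m:
            real, mapped, s, d = m.groups()
            rules.append(NatRule(real, mapped, objs[s], objs[d], line.strip()))
    return rules


def _if_ok(rule_if: str, flow_if: str) -> bool:
    return rule_if == "any" or rule_if == flow_if


def matches(rule: NatRule, src: str, dst: str, ingress: str, egress: str) -> bool:
    """A twice-NAT rule is bidirectional: match forward (real->mapped) or reverse (mapped->real)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    fwd = _if_ok(rule.real_if, ingress) and _if_ok(rule.mapped_if, egress) and s in rule.src and d in rule.dst
    rev = _if_ok(rule.mapped_if, ingress) and _if_ok(rule.real_if, egress) and s in rule.dst and d in rule.src
    return fwd or rev


def first_match(rules: List[NatRule], src: str, dst: str, ingress: str, egress: str) -> Optional[NatRule]:
    """Section-1 semantics: top-down, first matching rule wins, no further rules are consulted."""
    for r in rules:
        if matches(r, src, dst, ingress, egress):
            return r
    return None


def shadowed(rules: List[NatRule]) -> List[NatRule]:
    """Rules that can never match because an earlier rule on a covering interface pair contains them."""
    out = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (_if_ok(earlier.real_if, later.real_if) and _if_ok(earlier.mapped_if, later.mapped_if)
                    and later.src.subnet_of(earlier.src) and later.dst.subnet_of(earlier.dst)):
                out.append(later)
                break
    return out


if __name__ == "__main__":
    objs = parse_objects(HUB_OBJECTS)
    rules = parse_nat(HUB_NAT, objs)
    # Hub LAN host -> spoke: matched by the first posted rule.
    print(first_match(rules, "10.70.0.10", "172.15.50.28", "inside", "outside").text)
    # VPN client -> spoke enters and leaves on outside: none of the (inside,any) rules apply.
    print(first_match(rules, "10.70.56.120", "172.15.50.28", "outside", "outside"))
    cand, broad = parse_nat(CANDIDATE, objs)[0], parse_nat(BROAD, objs)[0]
    # Same two rules, two orders: the narrow rule is only reachable when it comes first.
    print([r.text for r in shadowed([broad, cand])])
    print([r.text for r in shadowed([cand, broad])])
```

The model only covers the static identity form used on the page; dynamic and PAT rules, section 2 object NAT and section 3 after-auto rules are not represented. Run as a script it prints which posted rule the hub-LAN flow hits, `None` for the client-to-spoke hairpin (nothing in the posted section-1 rules has `outside` as the real interface), and then shows the constructed narrow rule listed as shadowed only when the broader one precedes it.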
ASKER
Thank you jmeggers. Turns out that putting the vpn NAT statement at the top of the list was the key to getting it working. Your advice was spot on!