Expiring Today—Celebrate National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

ASA 8.4 - RAVPN Hairpinning to subnet across S2S VPN - Routing failed to locate next hop

Posted on 2013-06-29
9
Medium Priority
?
1,084 Views
Last Modified: 2014-02-20
Hi all!

Having a weird issue trying to get my RAVPN users to access resources at a remote site(corp).  RAVPN users (192.168.11.x) can access resources at the main site, and the main site can access resources at the remote site(192.168.101.x), but when I try to setup the hairpin connection so the RAVPN users can hit the remote site, I get a weird error in the logs - "Routing failed to locate next hop for ICMP from Outside:192.168.11.x to Inside:192.168.101.x"

My thought here is that it's trying to access the remote subnet via the Inside interface as shown in the error above "Inside:192.168.101.x", as my understanding is that since that subnet is on the other end of a site to site VPN, it should be accessed via the outside interface.  

Relevant sections of crypto map on main ASA:

crypto map Outside_map 1 match address Outside_cryptomap_1

access-list Outside_cryptomap_1 extended permit ip object-group DM_INLINE_NETWORK_3 object Corp-subnet 

object-group network DM_INLINE_NETWORK_3
 network-object object VPN-network

object network VPN-network
 subnet 192.168.11.0 255.255.255.0
 description VPN Subnet

Open in new window


Nat statements:
nat (Outside,Outside) source static VPN-network VPN-network destination static Corp-subnet Corp-subnet
nat (Inside,Outside) source static any any destination static VPN-network VPN-network

Open in new window


Access Lists:
access-list Outside_access_in extended permit ip object VPN-network object Corp-subnet 
access-list Outside_access_in extended permit ip object Corp-subnet object VPN-network 

Open in new window


Any ideas what I'm doing wrong?
0
Comment
Question by:valheru_m
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 4
9 Comments
 
LVL 22

Expert Comment

by:eeRoot
ID: 39287834
Do pings or trace routes from the firewall to 192.168.101.x connect properly?  If not, what path does the trace route reveal?
0
 
LVL 17

Expert Comment

by:MAG03
ID: 39287868
I suspect that the traffic from the RAVPN is not being encrypted over the site to site vpn.  make sure the 192.168.11.x network is configured in the crypto ACL at both the corp and remote site also that there is an identity NAT / no nat statement for this traffic at both sites also.

would help to see the full sanitized configuration from both sites.
0
 
LVL 17

Expert Comment

by:MAG03
ID: 39287870
Also make sure that routing is configured for the RAVPN at the remote site
0
Will your db performance match your db growth?

In Percona’s white paper “Performance at Scale: Keeping Your Database on Its Toes,” we take a high-level approach to what you need to think about when planning for database scalability.

 
LVL 5

Author Comment

by:valheru_m
ID: 39288152
eeRoot:  Ping gets no response.  Traceroute doesnt even show a first hop.
0
 
LVL 5

Author Comment

by:valheru_m
ID: 39288155
Attached is the CoLo (Main site) config sanitized. Will sanitize corp and post shortly.
CoLoASA-sanitized.rtf
0
 
LVL 5

Author Comment

by:valheru_m
ID: 39288179
Corp config sanitized
CorpSanitized.txt
0
 
LVL 17

Expert Comment

by:MAG03
ID: 39288498
it doesn't look like you have defined the RAVPN in the site to site cryptomap, but it is difficult to tell since a lot of the IPs are removed.  Are you using public IPs internally?

Also, The EasyVPN configuration at the corp office, I did not find a corresponding config on the remote office so I am assuming that is not being used here.

I would set up the site to site to include the 192.168.11.x network and add it to the no nat config at both ends.
0
 
LVL 5

Author Comment

by:valheru_m
ID: 39288852
On the corp site, users do have the ability to RAVPN there as well, but I'm trying to get rid of that for reasons that are a little too long-winded to expand upon here.  The RAVPN config at that site will be going away.  

There are no internal public IPs.  

As for the config, the relevant lines from the config I posted that address the nonat on both ends I *think* are these, but if I'm mistaken please feel free to correct me:

crypto map outside_map 2 match address outside_cryptomap
access-list outside_cryptomap extended permit ip 192.168.101.0 255.255.255.0 object-group DM_INLINE_NETWORK_2 
object-group network DM_INLINE_NETWORK_2
 <redacted> *** note that I only redacted the IPs not involved with the VPNNet, which is the VPN subnet from the CoLo ***
 network-object VPNNet 255.255.255.0

name 192.168.11.0 VPNNet description  VPN Network

Open in new window


The 192.168.101.0(Corp) and 192.168.11.0(CoLo VPN) nets are the only ones I'm concerned with at this time and everything else seems to be working fine.

On the CoLo config, I believe these are the relevant lines:

nat (any,any) source static VPN-network VPN-network destination static Corp-subnet Corp-subnet

crypto map Outside_map 1 match address Outside_cryptomap_1

access-list Outside_cryptomap_1 extended permit ip object-group DM_INLINE_NETWORK_3 object Corp-subnet 

object-group network DM_INLINE_NETWORK_3
 network-object object Dev-Network
 network-object object Prod-Network
 network-object object VPN-network

object network VPN-network
 subnet 192.168.11.0 255.255.255.0
 description VPN Subnet

Open in new window


Are you reccommending modifications to these lines specifically or...?

Thanks for your time!
0
 
LVL 17

Accepted Solution

by:
MAG03 earned 1500 total points
ID: 39291236
At the ColoASA remove the any any from the NAT statements and specify the exact subnets.  Something like the following

nat (Outside,Outside) source static VPN-network VPN-network destination static Corp-subnet Corp-subnet
0

Featured Post

Introducing the WatchGuard 420 Access Point

WatchGuard's newest access point includes an 802.11ac Wave 2 chipset, providing the fastest speeds for VoIP, video and music streaming, and large data file transfers. Additionally, enjoy the benefits of strong security as the 3rd radio delivers dedicated WIPS protection!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Powerful tools can do wonders, but only in the right hands.  Nowhere is this more obvious than with the cloud.
Will you be ready when the clock on GDPR compliance runs out? Is GDPR even something you need to worry about? Find out more about the upcoming regulation changes and download our comprehensive GDPR checklist today !
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

719 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question