Can't ping through 2 VPN tunnels

Posted on 2014-10-28
Last Modified: 2014-10-30
Overlooking something in a messy ASA configuration. The scenario is:

Three sites connected via (2) Cisco ASA VPN Tunnels
Branch office <--Site to Site VPN #1--> New Hospital <--Site to Site VPN #2--> GreenWay

1. Branch office (BCH-BMC) 10.16.x.x
2. New Hospital 10.1.x.x
3. GreenWay vendor site 172.16.201.x (specifically to 172.16.201.5)

Can ping & RDP from Branch office to New Hospital & vice-versa via VPN #1
Can ping & RDP from New Hospital to GreenWay & vice-versa via VPN #2
Cannot ping or RDP from the Branch Office via VPN #1 (through New Hospital) then via VPN #2 to GreenWay

Branch office ASA config: (crypto info removed to shorten)

ASA Version 8.2(5)
!
hostname BCH-BMC
names
name 10.10.0.0 Cisco_WAP
name 10.1.0.0 New_Hospital
name 10.5.0.0 VDI_Server
name 172.16.201.0 GreenWayRDP description GreenWayRDP Inbound
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport trunk allowed vlan 3-4
 switchport trunk native vlan 100
 switchport mode trunk
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.16.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 71.8.223.194 255.255.255.252
!
interface Vlan3
 nameif VOIP
 security-level 100
 ip address 10.18.1.1 255.255.255.0
!
interface Vlan4
 nameif WIFI
 security-level 100
 ip address 10.17.1.1 255.255.255.0
!
ftp mode passive
dns server-group DefaultDNS
 domain-name bchhc.org
object-group network DM_INLINE_NETWORK_2
 network-object New_Hospital 255.255.0.0
 network-object Cisco_WAP 255.255.0.0
 network-object VDI_Server 255.255.0.0
access-list outside_1_cryptomap extended permit ip 10.16.1.0 255.255.255.0 object-group DM_INLINE_NETWORK_2
access-list outside_1_cryptomap extended permit ip 10.17.1.0 255.255.255.0 object-group DM_INLINE_NETWORK_2
access-list outside_1_cryptomap extended permit ip 10.18.1.0 255.255.255.0 object-group DM_INLINE_NETWORK_2
access-list inside_nat0_outbound extended permit ip 10.16.1.0 255.255.255.0 object-group DM_INLINE_NETWORK_2
access-list inside_nat0_outbound extended permit ip 10.17.1.0 255.255.255.0 object-group DM_INLINE_NETWORK_2
access-list inside_nat0_outbound extended permit ip 10.18.1.0 255.255.255.0 object-group DM_INLINE_NETWORK_2
pager lines 24
logging enable
logging buffered informational
logging asdm informational
no logging message 402127
mtu inside 1500
mtu outside 1500
mtu VOIP 1500
mtu WIFI 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (VOIP) 0 access-list inside_nat0_outbound
nat (WIFI) 0 access-list inside_nat0_outbound
nat (WIFI) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 71.8.223.193 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 10.16.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group5
crypto map outside_map 1 set peer 173.244.130.50
crypto map outside_map 1 set transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
 crl configure
crypto ca certificate chain _SmartCallHome_ServerCA
 certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
    308205ec 308204d4 a0030201 0202106e cc7aa5a7 032009b8 cebcf4e9 52d49130
    0d06092a 864886f7 0d010105 05003081 ca310b30 09060355 04061302 55533117
    30150603 55040a13 0e566572 69536967 6e2c2049 6e632e31 1f301d06 0355040b
    13165665 72695369 676e2054 72757374 204e6574 776f726b 313a3038 06035504
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 2
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 10.16.1.0 255.255.255.0 inside
telnet timeout 5
ssh 10.16.1.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 inside
ssh 173.244.130.48 255.255.255.248 outside
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
dhcpd option 150 ip 10.5.0.31
!
dhcpd address 10.18.1.100-10.18.1.200 VOIP
dhcpd enable VOIP
!
dhcpd address 10.17.1.100-10.17.1.200 WIFI
dhcpd dns 10.1.50.252 10.1.50.254 interface WIFI
dhcpd option 43 hex f1040a0a0a15 interface WIFI
dhcpd option 60 ascii "CiscoAPc1140" interface WIFI
dhcpd enable WIFI
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username bch-adm1n password fl6ziYgWNqkPu1EU encrypted
tunnel-group 173.244.130.50 type ipsec-l2l
tunnel-group 173.244.130.50 ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:28b90f4307ea85dbd620107a0d157e78
: end
BCH-BMC#
Question by: Eric Carel

Expert Comment

by: Fred Marshall
ID: 40409982
Are the VPNs at the hospital hosted on the same ASA?

Where are the routes?

Is the internet gateway the same as the ASA at the hospital or is there another device that's the gateway?

What settings have you made to assure that a packet destined from remote to remote will get there?

How do you address a packet from a remote destined for the other remote to get to the local VPN which points to the hospital LAN?
Expert Comment

by: Pete Long
ID: 40410314
This is normal; you want what Cisco terms a 'spoke to spoke' VPN, with the hospital being the hub.

Expert Comment

by: Pete Long
ID: 40410472
Sorry for the brief answer above, I had to go into a meeting. So...

BCH-BMC - version 8.2 (bah! OK)

access-list outside_1_cryptomap permit ip 10.16.1.0 255.255.255.0 172.16.201.0 255.255.255.0
access-list inside_nat0_outbound permit ip 10.16.1.0 255.255.255.0 172.16.201.0 255.255.255.0

You have not shown me the config for the other two devices, or I would have done the heavy lifting for you, but essentially on the HOSPITAL site (in the middle) you need to add the subnet of GreenWay to BOTH the cryptomap ACL that's going to BCH-BMC and the nat0 ACL (assuming all your other devices are running a version older than 8.3, and it will probably already be on there if the tunnel is up to GreenWay).

Then you need to add the BCH-BMC subnet to the cryptomap ACL that's going to GreenWay (and add the nat0 if that's not already there).

Finally, on the GreenWay firewall add the subnet of BCH-BMC to the cryptomap ACL that's going to HOSPITAL, and add the BCH-BMC subnet to the nat0 ACL (again assuming you're on a pre-8.3 version of the OS).

Also remember to make sure you inspect ICMP on ALL devices or the pings will not work.

Author Comment

by: Eric Carel
ID: 40411625
Thanks for the feedback. I've included the HOSPITAL running-config below. As you can see, it is quite long and probably less than ideal. Anyhow, appreciate any feedback on specific changes on this.

: Saved
: Written by admin at 11:54:53.565 CDT Fri Oct 17 2014
ASA Version 9.1(3) 
dns-guard
ip local pool clientvpnpool01 10.2.52.52-10.2.52.100 mask 255.255.255.0
ip local pool vlan1Pool 10.1.237.1-10.1.237.50 mask 255.255.0.0
interface GigabitEthernet0/0
 duplex full
 nameif outside no nameif
 no security-level
 no ip address
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
interface GigabitEthernet0/5
 description LAN/STATE Failover Interface
interface Management0/0
 management-only
 nameif management
 security-level 100
 no ip address
boot system disk0:/asa913-smp-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 10.1.1.2
 host 10.1.1.252
object network GreenWayVPN-LOCAL-OVERLOAD icmp-object unreachable
 icmp-object time-exceeded
 icmp-object echo
 icmp-object echo-reply
object-group network RFC1918
 network-object object RFC1918-10.0.0.0
 network-object object RFC1918-172.16.0.0
 network-object object RFC1918-192.168.0.0
 network-object host 63.71.8.41
object-group network GuestNetwork
 network-object 10.10.20.0 255.255.255.0
 network-object 10.10.21.0 255.255.255.0
object-group network SMTPServers
object-group service GuestInternetPorts
 service-object tcp destination eq domain 
 service-object tcp destination eq www 
 service-object tcp destination eq https 
 service-object udp destination eq domain 
 service-object object GuestRDPAccess 
 service-object object GuestRDPAccess2 
 service-object object vpn.npsllc.org 
 service-object object CiscoVPNports1 
 service-object object CiscoVPNports2 
 service-object object CiscoVPNports3 
 service-object tcp-udp destination eq 8443 
 service-object object Vidyo-TCP 
 service-object object Vidyo-UPD 
object-group service DM_INLINE_SERVICE_1
 service-object tcp-udp destination eq www 
 service-object tcp destination eq https 
 service-object tcp destination eq smtp 
object-group network INTERNAL_HOSTS_AMI
 network-object host 10.1.11.138
object-group network AMI_HOSTS
 network-object host 10.10.12.14
 network-object host 10.10.12.22
 network-object host 10.10.12.23
object-group network NCC
 network-object 10.7.0.0 255.255.0.0
object-group network GreenWayVPN-LOCAL
 network-object 172.16.101.0 255.255.255.0
object-group network GreenWayVPN-REMOTE
object network Greenway_HOST
 nat (any,any) dynamic GreenWayVPN-LOCAL-OVERLOAD
access-group outside_access_in in interface outside
access-group acl_outbound in interface inside
route outside 0.0.0.0 0.0.0.0 173.244.130.49 1
route inside 10.0.0.0 255.0.0.0 10.1.199.1 1
route inside 10.5.0.0 255.255.0.0 10.1.199.1 1
route outside 10.10.12.14 255.255.255.255 173.244.130.49 1
route outside 10.10.12.22 255.255.255.255 173.244.130.49 1
route outside 10.10.12.23 255.255.255.255 173.244.130.49 1
route inside 172.16.0.0 255.255.255.0 10.1.199.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server IAS protocol radius
aaa-server ActiveDirectory protocol ldap
aaa-server ActiveDirectory (inside) host 10.1.50.252
 timeout 15 anyconnect enable
 tunnel-group-list enable
 tunnel-group-preference group-url
group-policy DfltGrpPolicy attributes
 dns-server value 10.1.1.2
 vpn-simultaneous-logins 15
 vpn-idle-timeout 5
 vpn-tunnel-protocol ikev1 ssl-client ssl-clientless
 split-tunnel-network-list value VPN-G01_splitTunnelAcl
 default-domain value bchhc.org
group-policy Provider-Policy internal
group-policy Provider-Policy attributes
 wins-server none
 dns-server value 10.1.50.252
 vpn-idle-timeout 15
 vpn-session-timeout 180
 vpn-session-timeout alert-interval 12
 vpn-tunnel-protocol ssl-clientless
 default-domain value bchhc.org
 webvpn
  url-list value Provider-bookmarks
  http-proxy enable  activex-relay enable
group-policy VendorSSLVPN internal
group-policy VendorSSLVPN attributes
 wins-server none
 dns-server value 10.1.1.2
 vpn-tunnel-protocol ikev1 ssl-client ssl-clientless
 default-domain value bchhc.org
group-policy VendorSSL internal
group-policy GroupPolicy_phonevpn internal
group-policy GroupPolicy_phonevpn attributes
 wins-server none
 dns-server value 10.1.50.252 10.1.50.254
 vpn-tunnel-protocol ssl-client 
class-map PCI-class
 match access-list CXSC
class-map inside-class
 match access-list CXSC
class-map inspection_default
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
  inspect esmtp 
 class class-default
policy-map inside-policy
 class inside-class
  cxsc fail-open
policy-map PCI-policy
 class PCI-class
  cxsc fail-open
service-policy global_policy global
service-policy inside-policy interface inside
service-policy PCI-policy interface PCI
prompt hostname context 
no call-home reporting anonymous
: end


*** config info replaced with a sanitized one - Modalot, EE Moderator ***
Expert Comment

by: Pete Long
ID: 40411856
Jeez, there's a lot of potentially sensitive info in there! And it's 9.1; you like to mix your operating systems!

Anyway this is gonna complicate matters......

nat (inside,outside) source dynamic ALL-CLINICS GreenWayVPN-LOCAL-OVERLOAD destination static GreenWayVPN-REMOTE GreenWayVPN-REMOTE

That's twice-NATting any traffic from these networks

 network-object 10.1.0.0 255.255.0.0
 network-object 10.3.0.0 255.255.0.0
 network-object 10.13.0.0 255.255.0.0
 network-object 10.2.0.0 255.255.0.0
 network-object 10.16.0.0 255.255.0.0
 network-object 10.9.0.0 255.255.0.0
 network-object 10.5.0.0 255.255.0.0

to change its source ip to

172.16.101.1

Then exempting traffic from the above that goes to 172.16.201.0; there's a typo that means traffic goes to the whole subnet, not .5

---------------

This will get our VPN traffic to Greenway, but will stuff up any encrypted traffic that wants to go from Greenway to BCH-BMC

-------------

If I were in front of the gear it would take me about 40 mins to fix, so back up your firewall in case we are about to break it.

.................
Accepted Solution

by: Pete Long (earned 500 total points)
ID: 40411895
...........

OK Issue these commands

object-group network BCH-BMC
 network-object 10.16.0.0 255.255.0.0
object-group network ALL-CLINICS
 no network-object 10.16.0.0 255.255.0.0
nat (inside,outside) source static BCH-BMC BCH-BMC destination static GreenWayVPN-REMOTE GreenWayVPN-REMOTE

NOW CHECK ALL YOUR VPNS STILL WORK, if not reboot the firewall as we have not saved any changes!

-------------------------------

Now to progress our original problem

access-list outside_7_cryptomap extended permit ip object-group DM_INLINE_NETWORK_11 object-group GreenWayVPN-REMOTE
nat (inside,outside) source static DM_INLINE_NETWORK_11 DM_INLINE_NETWORK_11 destination static GreenWayVPN-REMOTE GreenWayVPN-REMOTE no-proxy-arp route-lookup
!
access-list GreenWayVPN extended permit ip object-group DM_INLINE_NETWORK_12 object Greenway_HOST

This still leaves the Greenway Site ASA that will need configuring

Sigh - that made my brain hurt

P
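The hub-and-spoke requirement described in Pete's comments and the accepted solution above (each spoke carries the far spoke's subnet toward the hub, and the hub carries each spoke's subnet in both the crypto ACL and the NAT exemption toward the other spoke) as an added Python checker that is not part of the thread or any Cisco tool; the ASA names, ACL contents and the check_path / apply_spoke_to_spoke_fix helpers are constructed from the thread's description of the three sites.

```python
"""Hub-and-spoke VPN coverage check for Branch -> Hospital -> GreenWay.

Added example (not from the thread or any Cisco tool): each ASA is modelled as
its crypto-map ACL per peer plus NAT-exemption pairs; the checker walks a flow
hop by hop and reports which device lacks which entry. Model contents are
constructed from the thread's description of the three sites.
"""
import copy
import ipaddress

def matches(pairs, src, dst):
    """True if some (source net, destination net) pair covers src->dst."""
    return any(src in ipaddress.ip_network(a) and dst in ipaddress.ip_network(b)
               for a, b in pairs)

# Constructed model of the three ASAs as described before any changes.
ASAS = {
    "BCH-BMC": {"crypto": {"Hospital": [("10.16.1.0/24", "10.1.0.0/16")]},
                "nat0": [("10.16.1.0/24", "10.1.0.0/16")]},
    "Hospital": {"crypto": {"BCH-BMC": [("10.1.0.0/16", "10.16.1.0/24")],
                            "GreenWay": [("10.1.0.0/16", "172.16.201.0/24")]},
                 "nat0": [("10.1.0.0/16", "10.16.1.0/24"),
                          ("10.1.0.0/16", "172.16.201.0/24")]},
    "GreenWay": {"crypto": {"Hospital": [("172.16.201.0/24", "10.1.0.0/16")]},
                 "nat0": [("172.16.201.0/24", "10.1.0.0/16")]},
}
PATH = ["BCH-BMC", "Hospital", "GreenWay"]

def check_path(asas, path, src_ip, dst_ip):
    """List every entry the flow src->dst is missing along path.
    At each hop the sender must select the flow for its SA toward the next ASA,
    the next ASA must select the mirrored flow on its SA back, and both must
    exempt the pair from NAT so the inner addresses survive. NAT exemption is
    treated as bidirectional (a simplification of nat0 / twice-NAT behaviour).
    """
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    missing = []
    for here, nxt in zip(path, path[1:]):
        for dev, peer, a, b in ((here, nxt, src, dst), (nxt, here, dst, src)):
            if not matches(asas[dev]["crypto"].get(peer, []), a, b):
                missing.append(f"{dev}: crypto ACL to {peer} lacks {a}->{b}")
            nat = asas[dev]["nat0"]
            if not (matches(nat, a, b) or matches(nat, b, a)):
                missing.append(f"{dev}: NAT exemption lacks {a}<->{b}")
    return missing

def apply_spoke_to_spoke_fix(asas, spoke_a, net_a, hub, spoke_b, net_b):
    """Copy of asas with the entries the accepted answer prescribes: each spoke
    adds the far spoke's subnet toward the hub, and the hub adds each spoke's
    subnet to the crypto ACL and NAT exemption toward the other spoke."""
    fixed = copy.deepcopy(asas)
    for dev, peer, a, b in ((spoke_a, hub, net_a, net_b), (hub, spoke_a, net_b, net_a),
                            (hub, spoke_b, net_a, net_b), (spoke_b, hub, net_b, net_a)):
        fixed[dev]["crypto"].setdefault(peer, []).append((a, b))
        fixed[dev]["nat0"].append((a, b))
    return fixed
```

Running check_path on the unmodified model reports the missing entries on all three devices for 10.16.1.x to 172.16.201.5, while the existing hub-to-GreenWay flow reports none; after apply_spoke_to_spoke_fix both directions of the spoke-to-spoke flow report none.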
Author Comment

by: Eric Carel
ID: 40411963
Thanks so much for the input! This solved my issue!