VPN Routing - Full Connectivity

Hi,
I'm in need of some help.

We have just added a new colocation to our network.
See attached diagram (not great)

Pretty much everyone can talk to each other with 1 exception.

There are two IPsec VPN client sites.
There is one at the corp location and another at the colocation.

If I am on the 192.168.1.0/24 network (corp users) and I am trying to do support for remote vpn users - 192.168.252.0/24, what will I need to do?

My problem is I'm not sure how to add the route on the CORP ASA for a subnet on the other side of the tunnel.

So, users on 192.168.1.0/24 trying to get to remote machines/users on 192.168.252.0 in the CoLocation VPN subnet.

I've tried to add the following on the corp ASA (where my desktop is)
route inside 192.168.252.0 255.255.255.0 192.168.2.1

I cannot ping any of the remote clients and traceroute fails.

I've added NAT rules and access-lists to both devices.

The packet tracer in ASDM on both devices shows the packets are allowed.

I'm not sure where to look next.
[Attached diagram: Q1.jpg]
jsctechy (Infrastructure Team Lead) asked:
NetExpert Network Solutions Pte Ltd (Technical Specialist) commented:
It's quite simple.

You need to add the remote VPN users' network to the crypto map ACL of the existing IPsec tunnel (between corp and colocation).

If the traffic is initiated from the corp remote VPN users to the colocation network, this traffic is treated as interesting traffic and will go via the IPsec tunnel.

You also need to configure no NAT between these two subnets.

Example:

Corp remote subnet X/24 ---- remote IPsec tunnel -- corp ASA --- (add subnet X under the crypto map ACL) ---- colocation ASA ----

NetExpert Network Solutions Pte Ltd (Technical Specialist) commented:
Again, you need to apply the same logic on your colocation ASA too.
jsctechy (Infrastructure Team Lead, author) commented:
Thanks for the response, but I must be missing something.  If you wouldn't mind taking a look below, that would be great.


I have my crypto map from the COLO VPN.
object network obj-inside
 subnet 192.168.2.0 255.255.255.0
object network obj-corp
 subnet 192.168.1.0 255.255.255.0
object network obj-ipsecVPN
 subnet 192.168.252.0 255.255.255.0

access-list crypto_corp extended permit ip object obj-inside object obj-corp
! obj-coloVPN exists only on the corp ASA; the pool object defined on this box is obj-ipsecVPN
access-list crypto_corp extended permit ip object obj-ipsecVPN object obj-corp

group-policy vpngroup internal
group-policy vpngroup attributes
 wins-server value 192.168.1.236
 dns-server value 192.168.1.236 192.168.1.237
 vpn-tunnel-protocol ikev1
 split-tunnel-network-list value ipsec_split
 default-domain value domain.int
 address-pools value VPN

tunnel-group vpngroup type remote-access
tunnel-group vpngroup general-attributes
 authentication-server-group TACSVRS
 accounting-server-group TACSVRS
 default-group-policy vpngroup
tunnel-group vpngroup ipsec-attributes
 ikev1 pre-shared-key *****


Then on the other end- the corporate side:
object network obj-Inside
 subnet 192.168.1.0 255.255.255.0
object network obj-corpVPN
 subnet 192.168.253.0 255.255.255.0
object network obj-coloVPN
 subnet 192.168.252.0 255.255.255.0
object network obj-colonet
 subnet 192.168.2.0 255.255.255.0

access-list ipsec_split extended permit ip object obj-corpVPN object obj-Inside
access-list ipsec_split extended permit ip object obj-Inside object obj-corpVPN
access-list crypto_colo extended permit ip object obj-Inside object obj-colonet
access-list crypto_colo extended permit ip object obj-Inside object obj-coloVPN
nat (Inside,Outside) source static obj-Inside obj-Inside destination static obj-colonet obj-colonet route-lookup

group-policy vpngroup internal
group-policy vpngroup attributes
 dns-server value 192.168.1.237 192.168.1.236
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ipsec_split
 default-domain value domain.int
 address-pools value VPNusers

tunnel-group vpngroup type remote-access
tunnel-group vpngroup general-attributes
 authentication-server-group TACSVRS
 accounting-server-group TACSVRS
 default-group-policy vpngroup
tunnel-group vpngroup ipsec-attributes
 ikev1 pre-shared-key *****




I'm not sure what I'm missing.
NetExpert Network Solutions Pte Ltd (Technical Specialist) commented:
Have you added a NAT exemption (no NAT) for the VPN traffic?

The crypto config looks OK.

When the colo VPN users try to access the corporate network, have you noticed anything in the ASA's ASDM logs?
jsctechy (Infrastructure Team Lead, author) commented:
My NAT rules:

Corp ASA
nat (Inside,Outside) source static obj-Inside obj-Inside destination static obj-corpVPN obj-corpVPN route-lookup
nat (Inside,Outside) source static obj-Inside obj-Inside destination static obj-coloVPN obj-coloVPN route-lookup


COLO ASA
nat (inside,outside) source static obj-inside obj-inside destination static obj-corp obj-corp route-lookup
nat (inside,outside) source static obj-inside obj-inside destination static obj-ipsecVPN obj-ipsecVPN route-lookup
jsctechy (Infrastructure Team Lead, author) commented:
Just in case anyone is looking for the solution to this:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa70/configuration/guide/config/vpnsysop.html
http://www.petenetlive.com/KB/Article/0000040.htm

Using the two links I was able to set up hair-pinned VPNs.
jsctechy (Infrastructure Team Lead, author) commented:
Linked to articles from Cisco and another site showing exactly how it is done.
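As an added example, not from any poster in this thread, here is a small Python linter that applies the checklist the thread arrives at to a saved ASA config: every object a crypto ACL names must be defined on that box, every crypto ACE needs an identity twice-NAT exemption, and the ASA that terminates the remote-access pool needs `same-security-traffic permit intra-interface`, the intra-interface permit that Cisco's VPN guide linked above requires before a hairpinned pool can be sent back out the interface it arrived on. The sample config is constructed from the COLO ASA lines as first posted (where the second crypto ACE named obj-coloVPN, an object that exists only on the corp ASA); the function names and the `terminates_pool` flag are my own.

```python
"""Check an ASA config for the three pieces a hairpinned VPN needs:
every object a crypto ACL names must exist, every crypto ACE needs a
matching NAT exemption (identity twice-NAT), and the ASA that terminates
the remote-access pool must allow traffic to enter and leave the same
interface. Added example; the sample config below is reconstructed from
the COLO ASA snippets posted in the thread."""
import re
from typing import Dict, List, Optional, Set, Tuple

OBJ_RE = re.compile(r"^object network (\S+)\s*$")
SUBNET_RE = re.compile(r"^\s+subnet (\S+) (\S+)\s*$")
ACE_RE = re.compile(
    r"^access-list (\S+) (?:extended )?permit ip object (\S+) object (\S+)\s*$")
NAT_RE = re.compile(
    r"^nat \((\S+),(\S+)\) source static (\S+) (\S+) destination static (\S+) (\S+)")
HAIRPIN = "same-security-traffic permit intra-interface"


def parse(config: str):
    """Return (objects, aces, nat_exemptions, has_hairpin) for one ASA config."""
    objects: Dict[str, Optional[str]] = {}
    aces: List[Tuple[str, str, str]] = []
    exempt: Set[Tuple[str, str]] = set()
    has_hairpin = False
    current = None
    for line in config.splitlines():
        if line.strip() == HAIRPIN:
            has_hairpin = True
            continue
        m = OBJ_RE.match(line)
        if m:
            current = m.group(1)
            objects.setdefault(current, None)
            continue
        m = SUBNET_RE.match(line)
        if m and current is not None:
            objects[current] = f"{m.group(1)} {m.group(2)}"
            continue
        current = None  # any other top-level line closes the object block
        m = ACE_RE.match(line)
        if m:
            aces.append((m.group(1), m.group(2), m.group(3)))
            continue
        m = NAT_RE.match(line)
        if m:
            src_real, src_mapped, dst_real, dst_mapped = m.group(3, 4, 5, 6)
            # Identity twice-NAT (real == mapped on both sides) is the
            # ASA 8.3+ form of "no NAT" for VPN traffic.
            if src_real == src_mapped and dst_real == dst_mapped:
                exempt.add((src_real, dst_real))
    return objects, aces, exempt, has_hairpin


def check(config: str, crypto_acl: str, terminates_pool: bool) -> List[str]:
    """List problems; an empty list means the config passes these checks.

    terminates_pool: True for the ASA where the remote-access pool lands,
    because that box forwards pool traffic back out the interface it came in on."""
    objects, aces, exempt, has_hairpin = parse(config)
    findings: List[str] = []
    for acl, src, dst in aces:
        for name in (src, dst):
            if name not in objects:
                findings.append(f"{acl}: object {name} referenced but never defined")
        # Twice-NAT is bidirectional, so either order of the pair satisfies the ACE.
        if acl == crypto_acl and (src, dst) not in exempt and (dst, src) not in exempt:
            findings.append(f"{acl}: no NAT exemption for {src} -> {dst}")
    if terminates_pool and not has_hairpin:
        findings.append(f"missing '{HAIRPIN}'")
    return findings


# Constructed sample: the COLO ASA lines from the thread, concatenated as first posted.
COLO_CONFIG = """\
object network obj-inside
 subnet 192.168.2.0 255.255.255.0
object network obj-corp
 subnet 192.168.1.0 255.255.255.0
object network obj-ipsecVPN
 subnet 192.168.252.0 255.255.255.0
access-list crypto_corp extended permit ip object obj-inside object obj-corp
access-list crypto_corp extended permit ip object obj-coloVPN object obj-corp
nat (inside,outside) source static obj-inside obj-inside destination static obj-corp obj-corp route-lookup
nat (inside,outside) source static obj-inside obj-inside destination static obj-ipsecVPN obj-ipsecVPN route-lookup
"""

if __name__ == "__main__":
    for finding in check(COLO_CONFIG, "crypto_corp", terminates_pool=True):
        print(finding)
```

Run against the posted COLO config it reports three things: the undefined obj-coloVPN, the absence of any exemption between the pool and the corp subnet (the posted rule exempts inside-to-pool, not pool-to-corp), and the missing intra-interface permit. The checker matches on object pairs only and does not look at the interface pair; for a pool that hairpins on the COLO ASA, the exemption in Cisco's and PeteNetLive's write-ups is between the pool and corp on (outside,outside), since that traffic enters and leaves the outside interface.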