Hairpinning remote-user SSL VPN with site-to-site VPN on Cisco ASA


toy4two2 (MIS), Nov 22, 2009
Hoping someone can spot what I'm missing in my sanitized hairpinning config below.

I have a site-to-site tunnel that works great connecting my two sites, public IPs a.b.c.d and w.x.y.z. I also have an SSL remote-user network of 192.168.101.0 that can connect to the a.b.c.d ASA fine and ping all the internal hosts (192.168.100.0), but when it tries to get back across the site-to-site tunnel to w.x.y.z (inside hosts 192.168.200.0) it doesn't work.

I enabled same-security traffic both intra-interface and inter-interface, which should allow this, created a NAT exempt rule for my 192.168.101.0 remote-access users, and also included the 192.168.101.0 network in the protected traffic for the site-to-site VPN. What could I be missing?

: Saved
:
ASA Version 8.2(1)
!
hostname asa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.100.248 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address a.b.c.d 255.255.255.252
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network DM_INLINE_NETWORK_1
network-object 192.168.100.0 255.255.255.0
network-object 192.168.101.0 255.255.255.0
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_1_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 192.168.200.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.101.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.101.0 255.255.255.0 192.168.200.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool Field_Engineers_DHCP 192.168.101.2-192.168.101.50 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 192.168.100.0 255.255.255.0
nat (inside) 10 192.168.101.0 255.255.255.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 a.b.c.d 1
route outside 192.168.200.0 255.255.255.0 w.x.y.z 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.100.0 255.255.255.0 inside
http 192.168.200.0 255.255.255.0 inside
http 192.168.101.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer w.x.y.z
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=asa
ip-address a.b.c.d
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate 757e084b
3082021d 30820186 a0030201 02020475 7e084b30 0d06092a 864886f7 0d010104
05003053 31163014 06035504 03130d73 68656c6c 2d617361 2d633263 3139301a
06092a86 4886f70d 01090216 0d736865 6c6c2d61 73612d63 3263301b 06092a86
4886f70d 01090813 0e323133 2e313837 2e313332 2e393830 1e170d30 39313132
31323335 3734315a 170d3139 31313139 32333537 34315a30 53311630 14060355
0403130d 7368656c 6c2d6173 612d6332 63313930 1a06092a 864886f7 0d010902
160d7368 656c6c2d 6173612d 63326330 1b06092a 864886f7 0d010908 130e3231
332e3138 372e3133 322e3938 30819f30 0d06092a 864886f7 0d010101 05000381
8d003081 89028181 00dffa9a b628bc7b b166e98f 72e81aee e8dfa235 a392a272
77931d31 97b37b5a 145bacb2 4136e7de 9af525bb bf5b555e b6165fc2 8b91fe8a
15afb4d3 9f4e9a82 29915c3c 1d904e64 604f1645 2f058681 608496e5 04497813
8ea8fa61 b4f3cd96 a9949d8e 2f17b1f4 5f77b281 6dcdc567 96cd7643 07d3e03f
5719e4ea f76cfafb e7020301 0001300d 06092a86 4886f70d 01010405 00038181
0027fe3a 6107de66 0a2b6bc3 c0012d39 f147dde7 80635697 14974ffe 39408dd0
9ba48487 591d993f abed20e8 1009807f c048fbab 548c8e62 6d0d2deb d98ec3fe
289539a4 c278e343 b2409ecc d031cce4 34e65c37 b3fa764b d8d57401 5064eef7
48edcbea 8bdc6f11 49a57506 fc698e6a d17355ea 39e41165 c44ab7ff baa91bb9 2e
quit
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 192.168.100.0 255.255.255.0 inside
ssh 192.168.200.0 255.255.255.0 inside
ssh 192.168.101.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
management-access inside

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
svc image disk0:/anyconnect-win-2.3.0254-k9.pkg 1
svc enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
group-policy Field_Engineers internal
group-policy Field_Engineers attributes
vpn-tunnel-protocol svc webvpn
webvpn
url-list none
svc ask enable
username administrator password ebig6fOaou2jCV3a encrypted privilege 15
username user password .dOhtYhWfQfFJSWx encrypted privilege 15
tunnel-group w.x.y.z type ipsec-l2l
tunnel-group w.x.y.z ipsec-attributes
pre-shared-key *
tunnel-group Field_Engineers type remote-access
tunnel-group Field_Engineers general-attributes
address-pool Field_Engineers_DHCP
default-group-policy Field_Engineers
tunnel-group Field_Engineers webvpn-attributes
group-alias Field_Engineer enable
group-url enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:f5ee0ad0aeac4ac58f8ee00107474a98
: end
 
One thing I forgot to add to the config I posted is the NAT exempt rule for SSL VPN users to the corporate network and vice versa. I only had half of the NAT exemption posted above, but have since added it to allow full communication between the SSL VPN users and the corporate users. I still cannot get SSL VPN users access to the site-to-site tunnel though.
 
How is the other end of the tunnel configured? Are you getting traffic hits on the other end? Will it send the traffic back through the tunnel?

Brent
Systems Engineer / Consultant
CCNP, CCSP
 
OK, got it all fixed. I'll post the configs for both sides this week; it was a missing NAT exemption.
 
Would you be able to post your solution to this issue?

I am setting up a similar configuration right now, but my SSL VPN clients cannot access anything across the site-to-site VPN link.

They can access everything else behind the ASA without issue.

Thanks,
James
 
What worked for me was making sure that the VPN pool IP space I was using was not within the range I was already using in my tunnel for interfaces. Also the "same-security-traffic permit intra-interface". Once those two things were in place, all I had to do was add the VPN pool address space to my "nonat" access-list and interesting traffic access-list.
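The checks the replies above boil down to, written up as an added example script (not from any poster in this thread, and not Cisco tooling): it parses the 8.2-style config lines that matter and reports anything that would still block the hairpin. The hub sample is the relevant lines from the posted config; the spoke config is constructed here to show the common omission, a remote peer whose crypto ACL and NAT exemption only know the hub's inside LAN and not the VPN pool. The thread does not say on which side the missing exemption was, so the spoke scenario is an illustration, not the poster's fix. Pre-8.3 `nat 0 access-list` syntax is assumed, and only `permit ip` entries are evaluated.

```python
"""Checks the hairpinning prerequisites from this thread against ASA 8.2-style
configs. Only 'permit ip' ACL entries (network/mask or object-group) are evaluated."""
import ipaddress
import re
from types import SimpleNamespace

def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def _take_spec(tokens, i):  # one ACL address spec at tokens[i] -> (spec, next index)
    if tokens[i] == "object-group":
        return ("og", tokens[i + 1]), i + 2
    return ("net", _net(tokens[i], tokens[i + 1])), i + 2

def parse(text):
    """Collect pools, object-groups, permit-ip ACLs, nat 0 / crypto map bindings,
    interface subnets and the intra-interface flag from running-config text."""
    cfg = SimpleNamespace(pools={}, groups={}, acls={}, nat0_acls=set(),
                          crypto_acls=set(), interfaces=[], intra_interface=False)
    group = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"object-group network (\S+)$", line):
            group = cfg.groups.setdefault(m[1], [])
        elif m := re.match(r"network-object (\S+) (\S+)$", line):
            group.append(_net(m[1], m[2]))
        elif m := re.match(r"ip local pool (\S+) (\S+)-\S+ mask (\S+)$", line):
            cfg.pools[m[1]] = _net(m[2], m[3])  # the subnet the pool lives in
        elif m := re.match(r"access-list (\S+) extended permit ip (.+)$", line):
            tokens = m[2].split()
            src, i = _take_spec(tokens, 0)
            cfg.acls.setdefault(m[1], []).append((src, _take_spec(tokens, i)[0]))
        elif m := re.match(r"nat \(\S+\) 0 access-list (\S+)$", line):
            cfg.nat0_acls.add(m[1])
        elif m := re.match(r"crypto map \S+ \d+ match address (\S+)$", line):
            cfg.crypto_acls.add(m[1])
        elif m := re.match(r"ip address (\S+) (\S+)$", line):
            cfg.interfaces.append(_net(m[1], m[2]))
        elif line == "same-security-traffic permit intra-interface":
            cfg.intra_interface = True
    return cfg

def _resolve(cfg, spec):
    return cfg.groups.get(spec[1], []) if spec[0] == "og" else [spec[1]]

def _acl_covers(cfg, acl, src, dst):  # one permit-ip entry covers all of src -> dst
    return any(any(src.subnet_of(s) for s in _resolve(cfg, ss))
               and any(dst.subnet_of(d) for d in _resolve(cfg, ds))
               for ss, ds in cfg.acls.get(acl, []))

def check_tunnel_side(cfg, src, dst):
    """On one ASA, src -> dst must be NAT-exempt and match a crypto map ACL."""
    return [f"no {label} covering {src} -> {dst}"
            for label, acls in (("nat 0 exemption", cfg.nat0_acls),
                                ("crypto map ACL", cfg.crypto_acls))
            if not any(_acl_covers(cfg, a, src, dst) for a in acls)]

def check_hairpin(hub, spoke, pool_name, remote_net):
    """Findings that would stop the hub's pool clients reaching remote_net via the tunnel."""
    pool = hub.pools[pool_name]
    findings = [] if hub.intra_interface else [
        "hub: same-security-traffic permit intra-interface is missing"]
    findings += [f"hub: pool {pool} overlaps {net}"
                 for net in hub.interfaces + spoke.interfaces + [remote_net]
                 if pool.overlaps(net)]
    findings += ["hub: " + f for f in check_tunnel_side(hub, pool, remote_net)]
    findings += ["spoke: " + f for f in check_tunnel_side(spoke, remote_net, pool)]
    return findings

# Hub: the relevant lines of the config posted in this thread (sanitised outside IP left out).
HUB = """\
ip address 192.168.100.248 255.255.255.0
same-security-traffic permit intra-interface
object-group network DM_INLINE_NETWORK_1
 network-object 192.168.100.0 255.255.255.0
 network-object 192.168.101.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 192.168.200.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.101.0 255.255.255.0 192.168.200.0 255.255.255.0
ip local pool Field_Engineers_DHCP 192.168.101.2-192.168.101.50 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto map outside_map 1 match address outside_1_cryptomap
"""
# Constructed spoke (not from the thread): knows the hub LAN but was never told about the pool.
SPOKE = """\
access-list outside_1_cryptomap extended permit ip 192.168.200.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.200.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto map outside_map 1 match address outside_1_cryptomap
"""
# Constructed fix: mirror the pool in the spoke's crypto ACL and NAT exemption.
SPOKE_FIXED = SPOKE + """\
access-list outside_1_cryptomap extended permit ip 192.168.200.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.200.0 255.255.255.0 192.168.101.0 255.255.255.0
"""

def demo():  # findings with the spoke as constructed, then with the fix applied
    hub, remote = parse(HUB), ipaddress.ip_network("192.168.200.0/24")
    return (check_hairpin(hub, parse(SPOKE), "Field_Engineers_DHCP", remote),
            check_hairpin(hub, parse(SPOKE_FIXED), "Field_Engineers_DHCP", remote))

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Run as-is, the hub side passes every check, which matches the thread: the posted config already had the pool in `inside_nat0_outbound` and in the crypto ACL via `DM_INLINE_NETWORK_1`. The constructed spoke fails both the `nat 0` and crypto ACL checks for 192.168.200.0/24 -> 192.168.101.0/24 until the two mirrored lines are added. To use it on real configs, feed `parse()` the `show running-config` output of each ASA and pass the actual pool name and remote subnet.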
 
Yes, you cannot NAT the VPN traffic.

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!
 