VPN routing to secondary site


ms092 (Technical User), Dec 2, 2010
Hi!

I have two offices, A (10.0.6.0/24) and B (10.4.6.0/24), with A being the primary site into which everybody logs in via VPN (10.10.6.0/24).

Being on site A I can access all resources on site B and I'm happy. But if I login via VPN to site A I can't access site B.

All I get is:
.......................................................
3 Dec 02 2010 11:44:14 305005 10.10.6.255 No translation group found for udp src Outside:10.10.6.108/137 dst Outside:10.10.6.255/137
%PIX|ASA-3-305005: No translation group found for protocol src interface_name:dest_address/dest_port dst interface_name:source_address/source_port
A packet does not match any of the outbound nat command rules.

This message indicates a configuration error. If dynamic NAT is desired for the source host, ensure that the nat command matches the source IP address.
If static NAT is desired for the source host, ensure that the local IP address of the static command matches. If no NAT is desired for the source host,
check the ACL bound to the NAT 0 ACL.
.......................................................

I tried different rules but without luck.

Which rule do I need to put in place to get it working?

Thanks in advance.

Regards

/ms
 
Make sure that:
a) same-security-traffic permit intra-interface is in your config
b) make sure that site B has the RA VPN pool included in the crypto ACL

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Thanks for the reply!

Stupid question: why b)?
Isn't it only valid for site A?

/ms
 
site b needs to know that communication from 10.4.6/24 to 10.10.6/24 is indeed interesting and should be passed through the L2L tunnel.

- ColdFlame (vbscript forum)
 
Hi, thanks for the help.
I have been troubleshooting this and what I see is that when the user tries to access the internal resource 10.4.6.15, on site B, the traffic doesn't go through the Cisco ASA. The traffic goes just through my ISP right out onto the net...
I've been trying with nat, routing and ipsec rules but without luck.

Any ideas?
 
try adding:
Code:
access-list Outside_3_cryptomap extended permit ip 10.10.6.0 255.255.255.0 10.4.6.0 255.255.255.0

- ColdFlame (vbscript forum)
 
Hi, thanks for the advice.
But it didn't work :-(

I see that the traffic goes through the VPN tunnel and the Cisco, but instead of staying behind the firewall it goes out to the internet via our ISP. No traffic to network 10.4.6.0/24.

The log-viewer says:
10.10.6.255 No translation group found for udp src Outside:10.10.6.118/137 dst Outside:10.10.6.255/137
 
ok, one more thing to try would be this:
Code:
access-list outside_nat0_outbound extended permit ip 10.10.6.0 255.255.255.0 10.4.6.0 255.255.255.0

nat (Outside) 0 access-list outside_nat0_outbound

- ColdFlame (vbscript forum)
 
No, that didn't work.

Thanks anyway.

/ms
 
Does it still give you the same error in the logs?

- ColdFlame (vbscript forum)
 
No, now I get nothing :)
Nothing for that network session.

I'm going to read a lot this weekend so maybe I figure out what's wrong :)

If you come up with some idea, please let me know.


/ms
 
Post ACLs for NAT and VPN, and your NAT statements (for both ASAs). We shouldn't need any other part of the config.

Based on your posts, traffic from the remote site going to the VPN client isn't being selected as interesting traffic.

PSC
CCNP x3 (Security/R&S/Wireless) | MCITP: Enterprise Admin | MCSE

Governments and corporations need people like you and me. We are samurai. The keyboard cowboys. And all those other people out there who have no idea what's going on are the cattle. Mooo! --from "Hackers"
 
Hi PScottC!

It has been a busy week, so I haven't had time to respond :-(

Here is the config:
Site-A

Code:
nat (Outside) 1 10.10.6.0 255.255.255.0
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 1 0.0.0.0 0.0.0.0

access-list inside extended permit ip any any
access-list outside extended permit icmp any any
access-list outside extended permit tcp any any gt 60000
access-list outside extended permit udp any any gt 60000
access-list Inside_nat0_outbound extended permit ip 10.0.6.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 10.0.6.0 255.255.255.0 10.4.6.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip any 10.10.6.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 10.0.6.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list rsa extended permit ip host 10.0.6.1 host 10.0.6.5
access-list rsa extended permit ip host 10.0.6.5 host 10.0.6.1
access-list Outside_3_cryptomap extended permit ip 10.0.6.0 255.255.255.0 10.4.6.0 255.255.255.0
access-list Outside_4_cryptomap extended permit ip 10.0.6.0 255.255.255.0 192.168.0.0 255.255.255.0

crypto map outside_map 3 match address Outside_3_cryptomap
crypto map outside_map 3 set peer {site.b.ip.address}
crypto map outside_map 3 set transform-set ESP-AES-128-SHA
tunnel-group 95.128.119.132 type ipsec-l2l
tunnel-group 95.128.119.132 ipsec-attributes
 pre-shared-key *

ip local pool vpn-pool2 10.10.6.1-10.10.6.254 mask 255.255.255.0

group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value 10.0.6.20 10.0.6.25
 vpn-tunnel-protocol l2tp-ipsec
 default-domain value domain.com
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 50
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns none
 intercept-dhcp 255.255.255.255 disable
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 msie-proxy server none
 msie-proxy method no-modify
 msie-proxy except-list none
 msie-proxy local-bypass disable
 nac disable
 nac-sq-period 300
 nac-reval-period 36000
 nac-default-acl none
 address-pools none
 smartcard-removal-disconnect enable
 client-firewall none
 client-access-rule none

group-policy RAVPN internal
group-policy RAVPN attributes
 dns-server value 10.0.6.20 10.0.6.25
 vpn-simultaneous-logins 50
 vpn-tunnel-protocol IPSec
 default-domain value domain.com
username admin password XXXXXXXXXXXXX encrypted privilege 15

tunnel-group RAVPN type ipsec-ra
tunnel-group RAVPN general-attributes
 address-pool vpn-pool2
 authentication-server-group RSA-Prop
 default-group-policy RAVPN
tunnel-group RAVPN ipsec-attributes
 pre-shared-key *

Site-B
Code:
access-list outside_20_cryptomap extended permit ip 10.4.6.0 255.255.255.0 10.0.6.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.4.6.0 255.255.255.0 10.0.6.0 255.255.255.0
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit icmp any any

nat (inside) 0 access-list inside_nat0_outbound
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 {external.ip.address} 1

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set peer {site.a.ip.address}
crypto map outside_map 1 set transform-set ESP-AES-128-SHA
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set peer {site.a.ip.address}
crypto map outside_map 20 set transform-set ESP-AES-128-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 86400
crypto isakmp nat-traversal  20
tunnel-group {site.a.ip.address} type ipsec-l2l
tunnel-group {site.a.ip.address} ipsec-attributes
 pre-shared-key *
 
You're missing a NAT 0 for your VPN traffic which would allow it to hairpin into the other VPN tunnel.

Site-A
Code:
! NoNAT: Any Site --> RA VPN (Won't work for VPN sites. VPN is actually outside. So you need an outside to outside NoNAT.)
access-list Inside_nat0_outbound extended permit ip any 10.10.6.0 255.255.255.0
! NoNAT: Site A --> RA VPN (This is what you need)
access-list Inside_nat0_outbound extended permit ip 10.0.6.0 255.255.255.0 10.10.6.0 255.255.255.0

! New Access List
! NoNAT: RA VPN --> Site B
access-list outside_nat0_outbound extended permit ip 10.10.6.0 255.255.255.0 10.4.6.0 255.255.255.0
! NoNAT: Any Site (Return Traffic) --> RA VPN
access-list outside_nat0_outbound extended permit ip any 10.10.6.0 255.255.255.0

! Add NoNAT for VPN to VPN hairpin
nat (Outside) 0 access-list outside_nat0_outbound

! Make RA VPN to Site-B traffic interesting
access-list Outside_3_cryptomap extended permit ip 10.10.6.0 255.255.255.0 10.4.6.0 255.255.255.0

Site-B
Code:
! NoNAT: Site B --> RA VPN
access-list inside_nat0_outbound extended permit ip 10.4.6.0 255.255.255.0 10.10.6.0 255.255.255.0

! Make Site-B to RA VPN traffic interesting
access-list outside_20_cryptomap extended permit ip 10.4.6.0 255.255.255.0 10.10.6.0 255.255.255.0


Also... Make sure you have "same-security-traffic permit intra-interface" to allow the VPN to VPN hairpin to occur.

PSC
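The five items PSC lists above are easy to get half-right (an ACE on one box but not its mirror on the other, a NAT exemption bound to the wrong interface). The following is an added example, not code from the thread or from Cisco: a small Python checker that parses the ASA 8.2-style statements involved (`access-list ... extended permit ip`, `nat (iface) 0 access-list`, `crypto map ... match address`, `same-security-traffic permit intra-interface`) and walks the RA-pool to site-B path on both firewalls. The config strings are abridged from the configs ms092 posted; the `same-security-traffic` line is added to them because ms092 states later that it is present on both boxes. The function names, the before/after split and the interface-name defaults are this example's own assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Only the statement types relevant to the hairpin problem are parsed.
ACE_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+permit\s+ip\s+(.+)$")
NAT0_RE = re.compile(r"^nat\s+\((\S+)\)\s+0\s+access-list\s+(\S+)")
CMAP_RE = re.compile(r"^crypto map\s+(\S+)\s+\d+\s+match address\s+(\S+)")

RA_POOL = ipaddress.ip_network("10.10.6.0/24")    # vpn-pool2 at site A
SITE_B_LAN = ipaddress.ip_network("10.4.6.0/24")


@dataclass
class AsaSite:
    acls: dict = field(default_factory=dict)         # ACL name -> [(src_net, dst_net)]
    nat0: dict = field(default_factory=dict)         # interface (lowercase) -> ACL name
    crypto_acls: list = field(default_factory=list)  # ACLs bound to crypto map entries
    intra_interface: bool = False


def _endpoint(tokens):
    """Consume one ACE endpoint: 'any', 'host A.B.C.D' or 'A.B.C.D MASK'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_site(config_text):
    """Build an AsaSite from the relevant lines of a running-config fragment."""
    site = AsaSite()
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "same-security-traffic permit intra-interface":
            site.intra_interface = True
        elif m := ACE_RE.match(line):
            src, rest = _endpoint(m.group(2).split())
            dst, _ = _endpoint(rest)
            site.acls.setdefault(m.group(1), []).append((src, dst))
        elif m := NAT0_RE.match(line):
            site.nat0[m.group(1).lower()] = m.group(2)
        elif m := CMAP_RE.match(line):
            site.crypto_acls.append(m.group(2))
    return site


def acl_covers(site, acl_name, src, dst):
    """True if some ACE of acl_name permits the whole src -> dst pair (undefined ACL: False)."""
    return any(src.subnet_of(a_src) and dst.subnet_of(a_dst)
               for a_src, a_dst in site.acls.get(acl_name, []))


def crypto_covers(site, src, dst):
    """True if any crypto-map ACL on this site selects src -> dst as interesting traffic."""
    return any(acl_covers(site, acl, src, dst) for acl in site.crypto_acls)


def check_hairpin(site_a, site_b, ra_pool, site_b_lan, a_outside="outside", b_inside="inside"):
    """List what is missing for RA clients in ra_pool (terminating on site A) to reach site_b_lan via the L2L tunnel."""
    missing = []
    if not site_a.intra_interface:
        missing.append("site A: same-security-traffic permit intra-interface")
    a_nat0 = site_a.nat0.get(a_outside)
    if not (a_nat0 and acl_covers(site_a, a_nat0, ra_pool, site_b_lan)):
        missing.append(f"site A: nat ({a_outside}) 0 exemption for {ra_pool} -> {site_b_lan}")
    if not crypto_covers(site_a, ra_pool, site_b_lan):
        missing.append(f"site A: crypto ACL entry {ra_pool} -> {site_b_lan}")
    if not crypto_covers(site_b, site_b_lan, ra_pool):
        missing.append(f"site B: mirrored crypto ACL entry {site_b_lan} -> {ra_pool}")
    b_nat0 = site_b.nat0.get(b_inside)
    if not (b_nat0 and acl_covers(site_b, b_nat0, site_b_lan, ra_pool)):
        missing.append(f"site B: nat ({b_inside}) 0 exemption for {site_b_lan} -> {ra_pool}")
    return missing


# Abridged from the configs posted in the thread (the intra-interface line added per ms092's later post).
SITE_A_BEFORE = """
same-security-traffic permit intra-interface
nat (Outside) 1 10.10.6.0 255.255.255.0
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 1 0.0.0.0 0.0.0.0
access-list inside extended permit ip any any
access-list Inside_nat0_outbound extended permit ip 10.0.6.0 255.255.255.0 10.4.6.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip any 10.10.6.0 255.255.255.0
access-list Outside_3_cryptomap extended permit ip 10.0.6.0 255.255.255.0 10.4.6.0 255.255.255.0
crypto map outside_map 3 match address Outside_3_cryptomap
"""
SITE_B_BEFORE = """
same-security-traffic permit intra-interface
access-list outside_20_cryptomap extended permit ip 10.4.6.0 255.255.255.0 10.0.6.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.4.6.0 255.255.255.0 10.0.6.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 20 match address outside_20_cryptomap
"""
# PSC's additions, appended to the "before" configs.
SITE_A_AFTER = SITE_A_BEFORE + """
access-list outside_nat0_outbound extended permit ip 10.10.6.0 255.255.255.0 10.4.6.0 255.255.255.0
access-list outside_nat0_outbound extended permit ip any 10.10.6.0 255.255.255.0
nat (Outside) 0 access-list outside_nat0_outbound
access-list Outside_3_cryptomap extended permit ip 10.10.6.0 255.255.255.0 10.4.6.0 255.255.255.0
"""
SITE_B_AFTER = SITE_B_BEFORE + """
access-list inside_nat0_outbound extended permit ip 10.4.6.0 255.255.255.0 10.10.6.0 255.255.255.0
access-list outside_20_cryptomap extended permit ip 10.4.6.0 255.255.255.0 10.10.6.0 255.255.255.0
"""

if __name__ == "__main__":
    for label, a, b in (("before", SITE_A_BEFORE, SITE_B_BEFORE), ("after", SITE_A_AFTER, SITE_B_AFTER)):
        gaps = check_hairpin(parse_site(a), parse_site(b), RA_POOL, SITE_B_LAN)
        print(f"{label}: {'OK' if not gaps else ''}")
        for g in gaps:
            print("  missing:", g)
```

Run against the "before" configs it reports four gaps (the outside NAT exemption and the crypto ACE at site A, and the mirrored crypto ACE and inside NAT exemption at site B); with PSC's additions it reports none. Interface names are compared case-insensitively because the posted configs mix `Outside` and `outside`. Note that `crypto map outside_map 1 match address outside_cryptomap_1` at site B references an ACL that is not in the posted config; the checker treats an undefined ACL as matching nothing, which is also how the ASA behaves.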
 
Thanks for the tips!

I'm going to test it as soon as I get time, hopefully already today.
I already have "same-security-traffic permit intra-interface" in both the site A and site B Cisco configurations. Do you mean something else?

/ms
 
You need it on the side where the RA VPN hairpins traffic into the L2L VPN. That's all.

Hopefully the notes clarify what the rules do for you.

PSC
 