Vlan – Site to Site VPN with no access to second vlan

cisco-asavlanvpn

I am having an issue with my site to site VPN. I have a bit of an odd setup but for a short time. At our central location I have a 2911 router, and behind that I have my 5515X. The router just has a 1:1 nat rule for the ASA outside interface. We are only using the ASA to terminate the site to site VPN connections right now.

My tunnel comes up, from my default vlan at central I can access everything at the remote site. I can access everything at central from my remote location.

My problem is I have another vlan (everything in 192.168.50.0) at central, I cannot access anything at the remote site from it. If at the remote site I send traffic to that vlan at central I can then access everything as normal. Example below

On host 192.168.0.2 I can ping 192.168.11.2.

On host 192.168.11.2 I can ping 192.168.0.2.

On host 192.168.50.2 I cannot ping 192.168.11.2 unless I first do the reverse.

This only seems to be an issue at locations that have dynamic crypto maps.

Configs below. Any help would be appreciated. Thanks.

Central Config

: Saved
:
ASA Version 8.6(1)2 
!
hostname ASA
enable password ****** encrypted
passwd ****** encrypted
names
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address ****** ******
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.0.203 255.255.255.0 
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
 management-only
!
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns domain-lookup management
dns server-group DefaultDNS
 name-server 192.168.0.1
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network inside_network
 subnet 192.168.0.0 255.255.255.0
object network REMOTEASA
 subnet 192.168.11.0 255.255.255.0
object network video_inside
 subnet 192.168.50.0 255.255.255.0
object-group network Trusted-Networks
 network-object object inside_network
 network-object object video_inside
access-list outside_cryptomap_30 extended permit ip object-group Trused-Networks object Dustin 
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static Trusted-Networks Trusted-Networks destination static REMOTEASA REMOTEASA
nat (inside,outside) source dynamic any interface
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 ****** 1
route inside 192.168.50.0 255.255.255.0 192.168.0.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
http 192.168.0.0 255.255.255.0 inside
http redirect outside 80
sysopt noproxyarp inside
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec ikev1 transform-set FirstSet esp-des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec ikev1 transform-set vpn-transform-set esp-3des esp-md5-hmac 
crypto ipsec ikev1 transform-set TRANS_ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec ikev1 transform-set TRANS_ESP-3DES-SHA mode transport
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto dynamic-map REMOTEASA 31 match address outside_cryptomap_30
crypto dynamic-map REMOTEASA 31 set ikev1 transform-set ESP-AES-128-SHA
crypto map outside_map 31 ipsec-isakmp dynamic REMOTEASA
crypto map outside_map interface outside
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
tunnel-group DefaultL2LGroup general-attributes
 default-group-policy GroupPolicy1
tunnel-group DefaultL2LGroup ipsec-attributes
 ikev1 pre-shared-key *****
 peer-id-validate nocheck
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
!
service-policy global_policy global
prompt hostname context 
call-home reporting anonymous

Remote Config

: Saved
:
ASA Version 8.2(5) 
!
hostname ASA
enable password ******** encrypted
passwd ******** encrypted
names
name 192.168.0.0 CML-Subnet
name 192.168.50.0 CML-Video
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.11.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute 
!
ftp mode passive 
object-group network Trusted-Networks
 network-object CML-Subnet 255.255.255.0
 network-object CML-Video 255.255.255.0
object-group network DM_INLINE_NETWORK_1
 network-object CML-Subnet 255.255.255.0
 network-object CML-Video 255.255.255.0
access-list outside_cryptomap extended permit ip 192.168.11.0 255.255.255.0 object-group DM_INLINE_NETWORK_1 
access-list inside_nat0_outbound extended permit ip 192.168.11.0 255.255.255.0 object-group Trusted-Networks 
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
http server enable
http 192.168.11.0 255.255.255.0 inside
http CML-Subnet 255.255.255.0 inside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map0 1 match address outside_cryptomap
crypto map outside_map0 1 set peer ****** 
crypto map outside_map0 1 set transform-set ESP-AES-128-SHA
crypto map outside_map0 1 set reverse-route
crypto map outside_map0 interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh CML-Subnet 255.255.255.0 inside
ssh timeout 5
console timeout 0
management-access inside
dhcp-client client-id interface outside
dhcpd dns 192.168.0.1 208.67.220.220
dhcpd auto_config outside
!
dhcpd address 192.168.11.100-192.168.11.150 inside
dhcpd dns 192.168.0.1 208.67.220.220 interface inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
 vpn-tunnel-protocol IPSec 
username tempadmin password ****** encrypted privilege 15
username admin password ****** encrypted privilege 15
username rouser password ****** encrypted privilege 5
tunnel-group ****** type ipsec-l2l
tunnel-group ******* general-attributes
 default-group-policy GroupPolicy1
tunnel-group ****** ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
!
service-policy global_policy global
prompt hostname context 
no call-home reporting anonymous

Best Answer

The problem you are seeing is normal behavior. When you use object groups to define the tunnel traffic, the ACL gets expanded to a regular ACL with multiple entries. For example, this ACL

access-list outside_cryptomap extended permit ip 192.168.11.0 255.255.255.0 object-group DM_INLINE_NETWORK_1  

becomes

access-list outside_cryptomap extended permit ip 192.168.11.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list outside_cryptomap extended permit ip 192.168.11.0 255.255.255.0 192.168.50.0 255.255.255.0

Each line in the ACL creates a Securty Association (SA) for the VPN.

Because you are using dynamic VPNs, the SA doesn’t get created until the remote router sees traffic that matches the ACL entry. You apparently have devices on the 192.168.0.0 network that are talking to the 192.168.11.0 network, and this creates the SA for that entry.

But you don’t have any devices on the 192.168.50.0 network talking to 192.168.11.0, so the SA never gets built. With no SA, you can’t send traffic from 192.168.11.0 to 192.168.50 0. Once you ping from 192.168.50.0 to 192.168.11.0, the SA is created and you can send traffic in either direction.

To make this work the way you want, you have three choices:

  1. Go back to static VPNs. The SAs are always up.
  2. Find some way to generate traffic on the 192.168.50.0 network. Anything will do.
  3. Readdress your networks so that you have one ACL entry that covers both networks at the remote end. You will have only one SA, which will be created as soon as traffic flows.