IPSEC L2L question

Unanswered Question
Mar 16th, 2008

Hi, I have a network running EIGRP and my default gateway is the ASA 5510. The network runs fine, but I want to set up remote connectivity through the other site with IPsec tunneling in case they lose their link. I have established IPsec between sites (ASA and remote site) but I cannot get to the LAN behind the ASA. My version of ASA is 7.2... Do I have to upgrade to 8.0 just to get it to work?

LAN---CORE---->ASA--->(CLOUD)<-----Remote

LAN: 192.168.4.1

CORE2ASA: 192.168.200.1 -.2

REMOTE: 192.168.15.2

Please help, and thank you.

dongdongliu Sat, 03/15/2008 - 08:57

hi

Sorry, I have some more questions.

1. If CORE receives a packet from LAN that wants to go to REMOTE, how does it do that?

2. The ACLs on the two sides for interesting traffic must mirror each other, mustn't they?

3. When IPsec is built, please traceroute from LAN to REMOTE and look at what happens.

regards

dongdong

rlloveras Wed, 03/19/2008 - 18:31

Hello

1. When I trigger interesting traffic from remote to LAN I see the tunnel come up active, but the packets seem to go nowhere. To me it seems to die out of the ASA.

2. The ACLs do mirror each site, since the tunnel comes up active, but it seems that the EIGRP neighbor relationship is not established.

3. (I will try this one next)

thanks

dongdong

rlloveras Wed, 03/19/2008 - 18:44

I have attached a better picture of the network. Currently I am running 7.2 on the ASA. I have been reading a lot on L2L IPsec and I have a few questions just to clear things up.

1. Does EIGRP run on an L2L IPsec tunnel, and based on my diagram is it possible that I can get an EIGRP relationship between sites? I have heard that it cannot be established since it goes through the tunnel unicast.

2. Considering the option of upgrading to 8.03 to run EIGRP between the static routes (diagram): would this actually even solve my problem?

3. Do I have to configure a GRE tunnel within IPsec to get this to work?

Thanks everyone for your input. I have been working on this thing for weeks now and it's kicking me all day long.

rlloveras Fri, 03/28/2008 - 07:16

I have enabled reverse route on the ASA 5510 and it is replying to the ICMP packets; remote and LAN are working. But it also adds a new problem to my situation. Reverse route injection puts a static route in my routing table even when the tunnel is not up. This causes routing issues when the tunnel is not up and the static route for the remote site is still in the ASA routing table. Is there any way to have the static route on the ASA for the remote site disappear when the tunnel is not in use or inactive?

dongdongliu Sun, 03/16/2008 - 20:38

hi

Have you set a policy that traffic from LAN to REMOTE is not NATed?

regards

dongdong

rlloveras Mon, 03/17/2008 - 06:11

Hi dongdong

Yes, I have specified that LAN to remote is not to be NATed. It seems that the ASA doesn't know what to do with it, since I am not running a dynamic protocol such as OSPF or EIGRP between the router CORE--->ASA; it's static between these two links.

brettmilborrow Mon, 03/17/2008 - 06:40

Have you configured routing on the ASA for the remote network? Either a static route, or using the reverse-route command on the crypto map entry?

rlloveras Mon, 03/17/2008 - 06:59

This is what I have currently....

(EIGRP) LAN---CORE---->ASA--->(CLOUD)<--Remote(EIGRP)

Between the ASA and the CORE I have not configured any routing protocol. Between the CORE and ASA it is only static. However, I do have EIGRP running between the CORE and LAN. I have not configured reverse-route yet on my crypto map.

The purpose of this configuration is in case the remote site loses connectivity over frame relay. The remote site can then connect back to the CORE LAN via the IPsec tunnel.

I do apologize, and thank everyone for helping and for your input. This is the first time I have worked with an ASA, so thank you again.

brettmilborrow Mon, 03/17/2008 - 07:23

No problem! Your ASA should know how to get to the remote VPN peer, so you will need some sort of routing out of the ASA covering the remote peer device (a static default, for example).

Besides this, you will also need a route for the remote (private) network. This can be installed in one of two ways: manually, or using the reverse-route command on your crypto map config.

Can you post your config?
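An added example (not from any poster in this thread) of the ASA 7.2 pieces brettmilborrow lists, using the thread's addresses; the peer address, ISP next hop and pre-shared key are placeholders, and the crypto map and ACL names are assumed:

```cisco
! ASA 5510 running 7.2 (pre-8.3 NAT syntax), "outside" toward the cloud, "inside" toward CORE
! From the thread: LAN 192.168.4.0/24 behind CORE, CORE-ASA link 192.168.200.1 (CORE) / .2 (ASA),
! REMOTE LAN 192.168.15.0/24. REMOTE_PEER_IP, ISP_NEXT_HOP and the key are placeholders.

! Interesting traffic; the remote peer's crypto ACL must be the mirror image of this one
access-list L2L_TRAFFIC extended permit ip 192.168.4.0 255.255.255.0 192.168.15.0 255.255.255.0

! NAT exemption so LAN -> REMOTE is not translated before it is matched by the crypto map
access-list NONAT extended permit ip 192.168.4.0 255.255.255.0 192.168.15.0 255.255.255.0
nat (inside) 0 access-list NONAT

! Routing: reach the peer's public address (static default) and know that
! 192.168.4.0/24 lives behind CORE on the inside link
route outside 0.0.0.0 0.0.0.0 ISP_NEXT_HOP
route inside 192.168.4.0 255.255.255.0 192.168.200.1

! Phase 1 (IKEv1, pre-shared key)
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
tunnel-group REMOTE_PEER_IP type ipsec-l2l
tunnel-group REMOTE_PEER_IP ipsec-attributes
 pre-shared-key PLACEHOLDER_PSK

! Phase 2, with reverse-route: the ASA derives a static route for 192.168.15.0/24 out the
! outside interface from the crypto ACL (the route rlloveras later sees stay in the table)
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address L2L_TRAFFIC
crypto map OUTSIDE_MAP 10 set peer REMOTE_PEER_IP
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP 10 set reverse-route
crypto map OUTSIDE_MAP interface outside

! On CORE (IOS, not the ASA): LAN hosts only reach REMOTE if CORE forwards
! 192.168.15.0/24 to the ASA's inside address, e.g.
! ip route 192.168.15.0 255.255.255.0 192.168.200.2
```

On the ASA, `show route` should then list 192.168.15.0/24 via outside and `show crypto isakmp sa` / `show crypto ipsec sa` show the peer once interesting traffic is sent; without the CORE route or the NAT exemption the tunnel can be up while LAN-to-REMOTE traffic still goes nowhere.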

rlloveras Mon, 03/17/2008 - 07:46

Ping works between:

ASA---->CORE

ASA---->Remote

LAN---->ASA inside and outside interface

LAN---->Remote does not work. IPsec is established between remote and ASA; it just can't pass through the ASA to get to the LAN. I will have to clean up the config but it will take some time. Thanks again.
