Multisite VPN routing issue

Unanswered Question

I have a client with several sites and have an interesting routing issue. At Site B, the subnet is, with an ASA 5505. Site A is, with an ASA5510, as well as a 2810 series router (managed by someone else). There is one vpn tunnel between the two ASA's that is working just fine, site A to site B communication is working perfectly. There is a second VPN at Site A from the 2810 router to a service provider (we'll call their site SiteC). I've been able to hairpin the 5510 at site A so it redirects traffic for SiteC to the 2810. However, at Site B, I can't seem to get the 5505 to take traffic destined for SiteC to get pushed through the VPN tunnel to Site A, and then on to the 2810.

So, from Site A, I can ping anything on Site B, and anything on Site C. From Site B, I can ping anything on SiteA, including the inside interface of the 2810 router. I cannot ping from Site B to Site C, and vice versa.

I really hope that makes sense to you guys. Ideas?

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Farrukh Haroon Thu, 08/07/2008 - 05:32

On Site 'B', when you ping Site 'C', what do you see in the encrypted/decrypt?

show crypto ipsec sa

How many VPN peer's do you have at Site "B"?

You need to tell more detail about your setup. Is the ASA5510 the hub or the 2810? Spokes are SiteBASA,SiteC Isp Device AND?



I'll check the encrypt/decrypt next time I'm onsite. The ASA5510 is the primary router at Site A. The 2810 belongs to another company hosting a timeclock app, and is only used for the vpn connection to said company. Site B's only VPN peer is to Site A.

Other spokes are not in place yet. Once we figure out how to make Site B talk to Site C, we'll be adding another 30 or so spokes at remote locations, with VPN connections back to Site A so the remote sites can communicate to Site C.

acomiskey Tue, 08/12/2008 - 06:51

You need to add the interesting traffic to both ASA's at site A and B.

What is the network you are trying to reach on the other end of the vpn on the 2810? You need to add this network to the vpn between the ASA's. Let's say it's a.b.c.d/24.

Site B

access-list inside_nat0_outbound extended permit ip a.b.c.d

access-list outside_cryptomap extended permit ip a.b.c.d

Site A

access-list Outside_1_cryptomap extended permit ip a.b.c.d

access-list inside_nat0_outbound extended permit ip a.b.c.d 2810 is inside asa)

Also need to know where the 2810 is in relation to Site A 5510.

Assuming the 2810 is inside the ASA it would require the following route.

ip route

Lastly, you would need to add the network to the vpn traffic for the tunnel between 2810 and site c. Hope that helps.


This Discussion