Site to Site VPN

Answered Question
Oct 17th, 2009

Hey folks,

I set up my first site-2-site VPN and to my surprise it worked!!!!!

I have a question regarding access to another network at the remote site.

Here is the scenario:

192.168.1.1 is the inside local LAN address.

I carved out VLAN 5 (Escrow), which is 192.168.5.1. I can access all local resources on the 1.1 network but not the 5.1 resources.

I created the following configurations on ASA1

ASA1

access-list VPN-TO-ASA2 extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list VPN-TO-ASA2 extended permit ip 192.168.0.0 255.255.255.0 192.168.5.0 255.255.255.0

access-list NONAT extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list NONAT extended permit ip 192.168.0.0 255.255.255.0 192.168.5.0 255.255.255.0

nat (inside) 0 access-list NONAT

Here is the ASA at my work:

ASA2

access-list VPN-TO-ASA1 extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0

access-list VPN-TO-ASA1 extended permit ip 192.168.5.0 255.255.255.0 192.168.0.0 255.255.255.0

access-list Escrow_nat0_outbound extended permit ip any 192.168.0.0 255.255.255.0

access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0

access-list NONAT extended permit ip 192.168.5.0 255.255.255.0 192.168.0.0 255.255.255.0

nat (inside) 0 access-list NONAT

nat (Escrow) 0 access-list Escrow_nat0_outbound

From home I can ping the 1.1 network and RDP to machines on that network.

I cannot, however, ping the 5.1 network or access any of the desktops.

What did I miss? Can I not access that network using site-to-site?

BTW, I am able to use my VPN client and access all the resources just fine.

What am I missing?

Herbert Baerten Sun, 10/18/2009 - 11:12

I believe you need to remove this line:

access-list NONAT extended permit ip 192.168.5.0 255.255.255.0 192.168.0.0 255.255.255.0

Since NONAT is used for NAT exemption on the inside interface, but 5.0 is not on the inside, if I understood correctly.

hth

Herbert

john.irizarry Mon, 10/19/2009 - 05:53

Thanks! Are you saying that I should NAT the 5 network? Technically the 5 network is inside; I just carved out a VLAN for it. No?

john.irizarry Mon, 10/19/2009 - 06:10

Yeah, I agree about no NAT on the 5 network. I'll check the route on the remote ASA. I don't think it knows about the 5 network.

Thanks!

Herbert Baerten Mon, 10/19/2009 - 06:07

No I did not mean to imply that you should NAT the 5 network. I assume the 5 network is on the "Escrow" interface, not the "inside" interface, since you have:

access-list Escrow_nat0_outbound extended permit ip any 192.168.0.0 255.255.255.0

nat (Escrow) 0 access-list Escrow_nat0_outbound

So these 2 lines above already define NAT exemption for anything on the Escrow interface (which I assumed includes the 5 network) to the 0 network.

But your description is somewhat confusing, and seeing only parts of the config doesn't help to make it any clearer :) so maybe I misunderstood.

If so, can you clarify what you mean with "carved out", how did you configure network 5?

Can you post your complete config? Or at least "show ip" & "show route"?

Herbert

john.irizarry Thu, 10/22/2009 - 18:31

Thanks for your patience. I was on a job this week and did not have Internet access.

Here is the "show ip" and "show route" output from both ASAs.

ASA1

System IP Addresses:

Interface Name IP address Subnet mask Method

Vlan1 inside 192.168.0.1 255.255.255.0 CONFIG

Vlan2 outside 192.168.1.2 255.255.255.0 CONFIG

Current IP Addresses:

Interface Name IP address Subnet mask Method

Vlan1 inside 192.168.0.1 255.255.255.0 CONFIG

Vlan2 outside 192.168.1.2 255.255.255.0 CONFIG

Gateway of last resort is 192.168.1.1 to network 0.0.0.0

C 127.1.0.0 255.255.0.0 is directly connected, _internal_loopback

C 192.168.0.0 255.255.255.0 is directly connected, inside

C 192.168.1.0 255.255.255.0 is directly connected, outside

S* 0.0.0.0 0.0.0.0 [1/0] via 192.168.1.1, outside

S 192.168.0.0 255.255.0.0 [1/0] via 192.168.0.1, inside

S 0.0.0.0 0.0.0.0 [255/0] via 192.168.0.1, inside tunneled

ASA2

System IP Addresses:

Interface Name IP address Subnet mask Method

Vlan1 inside 192.168.1.1 255.255.255.0 CONFIG

Vlan2 outside 206.170.95.215 255.255.255.240 CONFIG

Vlan5 Escrow 192.168.5.1 255.255.255.0 CONFIG

Vlan10 Mortgage 192.168.10.1 255.255.255.0 CONFIG

Vlan15 MCA 192.168.15.1 255.255.255.0 CONFIG

Vlan20 Staff 192.168.20.1 255.255.255.0 CONFIG

Vlan30 Prop_Mgmt 192.168.40.1 255.255.255.0 CONFIG

Current IP Addresses:

Interface Name IP address Subnet mask Method

Vlan1 inside 192.168.1.1 255.255.255.0 CONFIG

Vlan2 outside 206.170.95.215 255.255.255.240 CONFIG

Vlan5 Escrow 192.168.5.1 255.255.255.0 CONFIG

Vlan10 Mortgage 192.168.10.1 255.255.255.0 CONFIG

Vlan15 MCA 192.168.15.1 255.255.255.0 CONFIG

Vlan20 Staff 192.168.20.1 255.255.255.0 CONFIG

Vlan30 Prop_Mgmt 192.168.40.1 255.255.255.0 CONFIG

Gateway of last resort is 206.170.95.209 to network 0.0.0.0

C 192.168.15.0 255.255.255.0 is directly connected, MCA

C 192.168.10.0 255.255.255.0 is directly connected, Mortgage

C 192.168.40.0 255.255.255.0 is directly connected, Prop_Mgmt

C 206.170.95.208 255.255.255.240 is directly connected, outside

C 127.1.0.0 255.255.0.0 is directly connected, _internal_loopback

C 192.168.20.0 255.255.255.0 is directly connected, Staff

C 192.168.5.0 255.255.255.0 is directly connected, Escrow

C 192.168.1.0 255.255.255.0 is directly connected, inside

S* 0.0.0.0 0.0.0.0 [1/0] via 206.170.95.209, outside

S 192.168.0.0 255.255.0.0 [1/0] via 192.168.1.1, inside

Sorry for using the term "carved out". I simply meant that I created a VLAN on the ASA for the 5 network.

Thanks again for looking at this and helping me out.

Correct Answer

The potential issue is on ASA1 - you have the below routes:

C 192.168.0.0 255.255.255.0 is directly connected, inside

C 192.168.1.0 255.255.255.0 is directly connected, outside

S 192.168.0.0 255.255.0.0 [1/0] via 192.168.0.1, inside

it does not know where 192.168.5.0 is because you have a less specific

S 192.168.0.0 255.255.0.0 [1/0] via 192.168.0.1, inside

ADD

route outside 192.168.5.0 255.255.255.0 192.168.1.2
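The accepted answer turns on the ASA's order of operations: the routing table chooses the egress interface first, and the crypto map only sees packets that leave through the interface it is bound to (outside). On ASA1 the longest match for 192.168.5.10 was the static 192.168.0.0/16 via inside, so VPN traffic to the Escrow VLAN was handed to the inside interface and never encrypted; a /24 pointing out the outside interface wins the longest-prefix match and puts that traffic in front of the crypto map. The following Python model is an added example, not part of the original thread and not Cisco's implementation: it reproduces ASA1's routing table and the VPN-TO-ASA2 access list from the posts above, ignores next hops (only the egress interface matters for this decision), omits the AD-255 "tunneled" default route (which only applies to traffic arriving through the VPN), and uses constructed host addresses such as 192.168.0.50. It also shows that a further remote VLAN (192.168.10.0/24, which exists on ASA2) would need both a route and a crypto ACL entry on ASA1.

```python
"""Model of the ASA forwarding decision discussed in the thread.

Longest-prefix match chooses the egress interface; only packets leaving
through the interface that carries the crypto map are matched against the
crypto ACL.  Added example; route tables and ACLs are transcribed from the
posts, sample hosts are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Route:
    prefix: Net
    interface: str
    admin_distance: int  # 0 = connected, 1 = static, as shown in 'show route' [AD/metric]


def route(prefix: str, interface: str, ad: int) -> Route:
    return Route(Net(prefix), interface, ad)


# ASA1 'show route' from the thread (the AD-255 'tunneled' default route is
# omitted: it applies only to traffic that arrived through the VPN).
ASA1_ROUTES: List[Route] = [
    route("192.168.0.0/24", "inside", 0),   # C, directly connected
    route("192.168.1.0/24", "outside", 0),  # C, directly connected
    route("0.0.0.0/0", "outside", 1),       # S* via 192.168.1.1
    route("192.168.0.0/16", "inside", 1),   # S  via 192.168.0.1
]

# The route the accepted answer adds on ASA1 (next hop not modelled).
ROUTE_FIX = route("192.168.5.0/24", "outside", 1)
ASA1_ROUTES_FIXED = ASA1_ROUTES + [ROUTE_FIX]

# access-list VPN-TO-ASA2 on ASA1, as (source, destination) network pairs.
VPN_TO_ASA2: List[Tuple[Net, Net]] = [
    (Net("192.168.0.0/24"), Net("192.168.1.0/24")),
    (Net("192.168.0.0/24"), Net("192.168.5.0/24")),
]


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match; the lower administrative distance wins a tie."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r.prefix]
    if not matches:
        return None
    return max(matches, key=lambda r: (r.prefix.prefixlen, -r.admin_distance))


def acl_permits(acl: List[Tuple[Net, Net]], src: str, dst: str) -> bool:
    """True if any ACE in the crypto ACL covers the (src, dst) pair."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in sn and d in dn for sn, dn in acl)


def vpn_path(routes: List[Route], crypto_acl: List[Tuple[Net, Net]],
             src: str, dst: str, crypto_interface: str = "outside") -> Tuple[str, str]:
    """Return (egress interface, outcome) for a packet from the inside LAN."""
    r = lookup(routes, dst)
    if r is None:
        return ("none", "dropped: no route")
    if r.interface != crypto_interface:
        # Packet leaves through an interface with no crypto map: never encrypted.
        return (r.interface, "crypto map never consulted")
    if not acl_permits(crypto_acl, src, dst):
        # Right interface, but not "interesting traffic": forwarded unencrypted.
        return (r.interface, "not interesting traffic: sent in the clear")
    return (r.interface, "encrypted")


if __name__ == "__main__":
    for table, label in ((ASA1_ROUTES, "before fix"), (ASA1_ROUTES_FIXED, "after fix")):
        for dst in ("192.168.1.10", "192.168.5.10", "192.168.10.10"):
            print(f"{label:10} 192.168.0.50 -> {dst}: {vpn_path(table, VPN_TO_ASA2, '192.168.0.50', dst)}")
```

Running it shows 192.168.1.10 encrypted in both tables (the directly connected /24 on outside already beats the /16), 192.168.5.10 routed out inside until the /24 is added, and 192.168.10.10 still routed out inside afterwards, because it has neither a more specific route nor a crypto ACL entry.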

john.irizarry Fri, 10/23/2009 - 05:51

Wow! Thanks! That worked!! I thought I had the route covered with:

route outside 0.0.0.0 0.0.0.0 192.168.1.1 1

Thanks again!
