913 Views, 0 Helpful, 11 Replies

Site to Site VPN

john.irizarry
Level 1

Hey folks,

I set up my first site-to-site VPN and to my surprise it worked!

I have a question regarding access to another network at the remote site.

Here is the scenario:

192.168.1.1 is the inside local LAN address.

I carved out VLAN 5 (Escrow), which is 192.168.5.1. I can access all local resources on the 1.1 network but not the 5.1 resources.

I created the following configurations on ASA1

ASA1

access-list VPN-TO-ASA2 extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list VPN-TO-ASA2 extended permit ip 192.168.0.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list NONAT extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list NONAT extended permit ip 192.168.0.0 255.255.255.0 192.168.5.0 255.255.255.0
nat (inside) 0 access-list NONAT

Here is the ASA at my work:

ASA2

access-list VPN-TO-ASA1 extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list VPN-TO-ASA1 extended permit ip 192.168.5.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list Escrow_nat0_outbound extended permit ip any 192.168.0.0 255.255.255.0
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list NONAT extended permit ip 192.168.5.0 255.255.255.0 192.168.0.0 255.255.255.0
nat (inside) 0 access-list NONAT
nat (Escrow) 0 access-list Escrow_nat0_outbound

From home I can ping the 1.1 network and RDP to machines on that network.

I cannot, however, ping the 5.1 network or access any of the desktops.

What did I miss, can I not access that network using site to site?

BTW, I am able to use my vpn client and access all the resources just fine.

What am I missing?


11 Replies

andrew.prince
Level 10

Your encryption domain & nat traffic look OK. Check your routing, dynamic & static.

Check the routing for the 5.x network; your remote VPN end also needs to have 5.x in the encryption list.

HTH
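As an added illustration of the encryption-domain check described above (this is example code written for this page, not code from the thread or from Cisco), the script below parses the two crypto ACLs from the original post and reports any entry on one ASA that the peer does not mirror with source and destination swapped. The ACL text is copied from the post; the variant with the 192.168.5.0 line left out is constructed here to show what a mismatch report looks like when the remote end lacks 5.x in its encryption list.

```python
import ipaddress
import re

# Crypto ACLs exactly as posted in the thread (ASA1 and ASA2).
ASA1_CRYPTO_ACL = """
access-list VPN-TO-ASA2 extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list VPN-TO-ASA2 extended permit ip 192.168.0.0 255.255.255.0 192.168.5.0 255.255.255.0
"""

ASA2_CRYPTO_ACL = """
access-list VPN-TO-ASA1 extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list VPN-TO-ASA1 extended permit ip 192.168.5.0 255.255.255.0 192.168.0.0 255.255.255.0
"""

# Constructed for this example (not from the thread): ASA2 with the 192.168.5.0
# entry left out, i.e. the remote end lacks 5.x in its encryption list.
ASA2_CRYPTO_ACL_MISSING_5 = """
access-list VPN-TO-ASA1 extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
"""

# Matches the simple "permit ip <net> <mask> <net> <mask>" form used in the thread.
# Entries using 'any', 'host' or object-groups are not handled and are ignored.
ACE_RE = re.compile(
    r"^access-list\s+\S+\s+extended\s+permit\s+ip\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\s+(?P<smask>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\s+(?P<dmask>\d+\.\d+\.\d+\.\d+)\s*$"
)


def parse_crypto_acl(text):
    """Return the set of (src_network, dst_network) pairs in an ASA access-list."""
    pairs = set()
    for line in text.strip().splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue
        src = ipaddress.ip_network(f"{m['src']}/{m['smask']}", strict=False)
        dst = ipaddress.ip_network(f"{m['dst']}/{m['dmask']}", strict=False)
        pairs.add((src, dst))
    return pairs


def unmirrored(local_text, remote_text):
    """Local (src, dst) pairs that the remote crypto ACL does not contain as (dst, src)."""
    local = parse_crypto_acl(local_text)
    remote = parse_crypto_acl(remote_text)
    return sorted(f"{s} -> {d}" for s, d in local if (d, s) not in remote)


def check_encryption_domain(asa1_text, asa2_text):
    """Check both directions; two empty lists mean the encryption domains mirror each other."""
    return {
        "missing_on_asa2": unmirrored(asa1_text, asa2_text),
        "missing_on_asa1": unmirrored(asa2_text, asa1_text),
    }


if __name__ == "__main__":
    print("as posted:", check_encryption_domain(ASA1_CRYPTO_ACL, ASA2_CRYPTO_ACL))
    print("5.0 missing on ASA2:",
          check_encryption_domain(ASA1_CRYPTO_ACL, ASA2_CRYPTO_ACL_MISSING_5))
```

Run against the ACLs as posted, both lists come back empty, which agrees with the reply that the encryption domain looks OK; with the constructed ASA2 variant the 192.168.0.0/24 -> 192.168.5.0/24 entry is reported as missing on ASA2, and that is the mismatch that would leave 5.x traffic unencrypted or dropped at the peer.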

Herbert Baerten
Cisco Employee

I believe you need to remove this line:

access-list NONAT extended permit ip 192.168.5.0 255.255.255.0 192.168.0.0 255.255.255.0

Since NONAT is used for NAT exemption on the inside interface, but 5.0 is not on the inside, if I understood correctly.

hth

Herbert

Thanks! Are you saying that I should NAT the 5 network? Technically the 5 network is inside, I just carved out a VLAN for it. No?

I personally think you should NOT nat the .5.x network.

If the .5.x network is at the same site as the .1.x network, then NO NAT is required.

What you need to check is the ASA that connects to the .5 network knows how to route to it, and the remote end ASA needs to know the 5.x network is at the end of the VPN.

Yeah, I agree about no NAT on the 5 network. I'll check the route on the remote ASA. I don't think it knows about the 5 network.

Thanks!

No I did not mean to imply that you should NAT the 5 network. I assume the 5 network is on the "Escrow" interface, not the "inside" interface, since you have:

access-list Escrow_nat0_outbound extended permit ip any 192.168.0.0 255.255.255.0

nat (Escrow) 0 access-list Escrow_nat0_outbound

So these 2 lines above already define NAT exemption for anything on the Escrow interface (which I assumed includes the 5 network) to the 0 network.

But your description is somewhat confusing, and seeing only parts of the config doesn't help to make it any clearer :) so maybe I misunderstood.

If so, can you clarify what you mean with "carved out", how did you configure network 5?

Can you post your complete config? Or at least "show ip" & "show route"?

Herbert

Thanks for your patience. I was on a job this week and did not have Internet access.

Here is the show ip and show route from both ASAs.

ASA1

System IP Addresses:
Interface  Name     IP address    Subnet mask    Method
Vlan1      inside   192.168.0.1   255.255.255.0  CONFIG
Vlan2      outside  192.168.1.2   255.255.255.0  CONFIG

Current IP Addresses:
Interface  Name     IP address    Subnet mask    Method
Vlan1      inside   192.168.0.1   255.255.255.0  CONFIG
Vlan2      outside  192.168.1.2   255.255.255.0  CONFIG

Gateway of last resort is 192.168.1.1 to network 0.0.0.0

C    127.1.0.0 255.255.0.0 is directly connected, _internal_loopback
C    192.168.0.0 255.255.255.0 is directly connected, inside
C    192.168.1.0 255.255.255.0 is directly connected, outside
S*   0.0.0.0 0.0.0.0 [1/0] via 192.168.1.1, outside
S    192.168.0.0 255.255.0.0 [1/0] via 192.168.0.1, inside
S    0.0.0.0 0.0.0.0 [255/0] via 192.168.0.1, inside tunneled

ASA2

System IP Addresses:
Interface  Name       IP address      Subnet mask      Method
Vlan1      inside     192.168.1.1     255.255.255.0    CONFIG
Vlan2      outside    206.170.95.215  255.255.255.240  CONFIG
Vlan5      Escrow     192.168.5.1     255.255.255.0    CONFIG
Vlan10     Mortgage   192.168.10.1    255.255.255.0    CONFIG
Vlan15     MCA        192.168.15.1    255.255.255.0    CONFIG
Vlan20     Staff      192.168.20.1    255.255.255.0    CONFIG
Vlan30     Prop_Mgmt  192.168.40.1    255.255.255.0    CONFIG

Current IP Addresses:
Interface  Name       IP address      Subnet mask      Method
Vlan1      inside     192.168.1.1     255.255.255.0    CONFIG
Vlan2      outside    206.170.95.215  255.255.255.240  CONFIG
Vlan5      Escrow     192.168.5.1     255.255.255.0    CONFIG
Vlan10     Mortgage   192.168.10.1    255.255.255.0    CONFIG
Vlan15     MCA        192.168.15.1    255.255.255.0    CONFIG
Vlan20     Staff      192.168.20.1    255.255.255.0    CONFIG
Vlan30     Prop_Mgmt  192.168.40.1    255.255.255.0    CONFIG

Gateway of last resort is 206.170.95.209 to network 0.0.0.0

C    192.168.15.0 255.255.255.0 is directly connected, MCA
C    192.168.10.0 255.255.255.0 is directly connected, Mortgage
C    192.168.40.0 255.255.255.0 is directly connected, Prop_Mgmt
C    206.170.95.208 255.255.255.240 is directly connected, outside
C    127.1.0.0 255.255.0.0 is directly connected, _internal_loopback
C    192.168.20.0 255.255.255.0 is directly connected, Staff
C    192.168.5.0 255.255.255.0 is directly connected, Escrow
C    192.168.1.0 255.255.255.0 is directly connected, inside
S*   0.0.0.0 0.0.0.0 [1/0] via 206.170.95.209, outside
S    192.168.0.0 255.255.0.0 [1/0] via 192.168.1.1, inside

Sorry for using the term carved out. I simply meant, I created a vlan on the ASA for the 5 network.

Thanks again for looking at this and helping me out.

The potential issue is on ASA1 - you have the below routes:

C    192.168.0.0 255.255.255.0 is directly connected, inside
C    192.168.1.0 255.255.255.0 is directly connected, outside
S    192.168.0.0 255.255.0.0 [1/0] via 192.168.0.1, inside

It does not know where 192.168.5.0 is because you have a less specific

S    192.168.0.0 255.255.0.0 [1/0] via 192.168.0.1, inside

ADD

route outside 192.168.5.0 255.255.255.0 192.168.1.2

Wow! Thanks! That worked!! I thought I had the route covered with:

route outside 0.0.0.0 0.0.0.0 192.168.1.1 1

Thanks again!

np - glad to help.

No, that route covers all OTHER traffic. You had 192.168.0.0 255.255.0.0 to the inside.

The 192.168.5.0 255.255.255.0 is covered by 192.168.0.0 255.255.0.0, as this is more specific than 0.0.0.0.
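To make the longest-prefix-match point above concrete, here is an added example (written for this page, not code from the thread or from Cisco) that parses ASA1's posted show route output and answers the routing question for a host in 192.168.5.0/24 before and after the suggested route is added. The before-fix table is copied from the post; the after-fix line is constructed here from the route command in the reply, written in show-route form. The tunneled default route is skipped in the lookup because the ASA applies a tunneled route only to traffic that arrived through a VPN tunnel, not to traffic originating on the inside LAN.

```python
import ipaddress
import re

# ASA1 "show route" output as posted in the thread, before the fix.
ASA1_ROUTES_BEFORE = """
C 127.1.0.0 255.255.0.0 is directly connected, _internal_loopback
C 192.168.0.0 255.255.255.0 is directly connected, inside
C 192.168.1.0 255.255.255.0 is directly connected, outside
S* 0.0.0.0 0.0.0.0 [1/0] via 192.168.1.1, outside
S 192.168.0.0 255.255.0.0 [1/0] via 192.168.0.1, inside
S 0.0.0.0 0.0.0.0 [255/0] via 192.168.0.1, inside tunneled
"""

# Constructed for this example: the same table plus the static route from the reply
# ("route outside 192.168.5.0 255.255.255.0 192.168.1.2") as it would appear in show route.
ASA1_ROUTES_AFTER = ASA1_ROUTES_BEFORE + "S 192.168.5.0 255.255.255.0 [1/0] via 192.168.1.2, outside\n"

# One show-route line: code, network, mask, then either "[ad/metric] via <nh>" or
# "is directly connected", then the egress interface and an optional "tunneled" flag.
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z]\*?)\s+(?P<net>\d+\.\d+\.\d+\.\d+)\s+(?P<mask>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?:\[\d+/\d+\]\s+via\s+(?P<nh>\d+\.\d+\.\d+\.\d+)|is directly connected),\s+"
    r"(?P<iface>\S+)(?P<tunneled>\s+tunneled)?\s*$"
)


def parse_show_route(text):
    """Parse ASA show route lines into dicts (network, next_hop, interface, tunneled)."""
    routes = []
    for line in text.strip().splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue  # banner lines such as "Gateway of last resort ..." are ignored
        routes.append({
            "network": ipaddress.ip_network(f"{m['net']}/{m['mask']}", strict=False),
            "next_hop": m["nh"],  # None for connected routes
            "interface": m["iface"],
            "tunneled": m["tunneled"] is not None,
        })
    return routes


def lookup(routes, dst):
    """Longest-prefix match: among routes containing dst, the most specific mask wins.

    Tunneled default routes are skipped; the ASA uses them only for traffic that
    arrived through a VPN tunnel. Returns (interface, next_hop, prefix_length) or None.
    """
    ip = ipaddress.ip_address(dst)
    best = None
    for r in routes:
        if r["tunneled"] or ip not in r["network"]:
            continue
        if best is None or r["network"].prefixlen > best["network"].prefixlen:
            best = r
    if best is None:
        return None
    return best["interface"], best["next_hop"], best["network"].prefixlen


def route_for(table_text, dst):
    """Convenience wrapper: parse a show route dump and look up one destination."""
    return lookup(parse_show_route(table_text), dst)


if __name__ == "__main__":
    host = "192.168.5.10"  # constructed address of a desktop on the Escrow VLAN behind ASA2
    print("before fix:", route_for(ASA1_ROUTES_BEFORE, host))  # ('inside', '192.168.0.1', 16)
    print("after fix: ", route_for(ASA1_ROUTES_AFTER, host))   # ('outside', '192.168.1.2', 24)
```

Before the fix the /16 static route to the inside interface beats the /0 default, so packets for 192.168.5.x never reach the outside interface where the crypto map lives; after the /24 is added it beats the /16 and the traffic exits outside, where it matches the VPN-TO-ASA2 ACL and gets encrypted. The same lookup shows that Internet destinations were never affected, since only the default route contains them.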

That makes sense! Thanks again Andrew.
