Cannot ping machines on remote subnet while site to site vpn established

chenbc
Level 1

Hello all,

I have met a site-to-site VPN problem: when pinging, nothing is replied from the machines on the remote subnet.

But the IPsec tunnel is OK, and I can ping the remote ASA's inside interface's IP.

Here is my scenario:

LAN1 -- ASA5510  --  ASA5505 -- LAN2 -- remote_machine

LAN1: 192.168.x.0/24

LAN2: 172.25.88.0/24

remote_machine_ip: 172.25.87.30

LAN1 can ping ASA5505's inside interface (172.25.88.1)

but cannot ping remote_machine (172.25.87.30)

ASA5505's inside interface can ping remote_machine

LAN2 can ping ASA5510's inside interface and machines on LAN1

Is there something I missed?

Thanks a lot for the reply.


9 Replies

Hi,

Does the remote machine have a default route, or a route pointing to the ASA, when going to the LAN through the tunnel?

I think the remote machine is not returning the packets due to routing issues.

Federico.

Hello,

There is no route pointing to the ASA when going to the LAN through the tunnel

But is there a way to go to the LAN through the tunnel without adding a route to the ASA?

Thanks a lot

Hello all,

I think I found the problem...

the setting scenario:

Lan1: 192.168.1.0/24 (ASA1: inside-2 interface, ip: 192.168.1.253)

Lan2: 172.25.249.0/24 (ASA2: inside interface, ip: 172.25.249.1)

While the L2L tunnel is established, LAN1 and LAN2 are like in the same subnet,

so on ASA1, "ping inside-2 172.25.249.1" returns an ICMP reply correctly.

But on ASA1, "ping inside-2 172.25.249.x" returns nothing if the machine 172.25.249.x doesn't have its default gateway set to 172.25.249.1.

Is there a way to NAT 192.168.1.0/24 to 172.25.249.1 while pinging inside-2 172.25.249.x?

It conflicts with the L2L tunnel tutorial... (traffic from 192.168.1.0/24 to 172.25.249.0/24 does not need NAT translation).

Thanks a lot

The problem is not NAT, but rather routing, as already mentioned by Federico.

It seems you are saying the default gateway for hosts on 172.25.249.x is not the firewall 172.25.249.1.

What you need to do on the actual default gateway for the hosts on 172.25.249.x subnet, is to configure a static route like the following:

For example, if it is a Cisco router, issue the command >> ip route 192.168.1.0 255.255.255.0 172.25.249.1

For the remote network of host 172.25.87.30, the routing will also have to be corrected, so that that network also routes 192.168.1.0/24 towards the ASA5505. If the default gateway for 172.25.87.30 is the same router as the one on 172.25.248.x, then the static route command applied as above will be enough.

If you still have problems, clarify what the topology of the LAN2 network behind the ASA5505 is, what the default gateways are, and what routes are configured.

Regards,

Hello all,

LAN2 is configured as below:

default gateway: 172.25.249.254 (a router)

ASA5505's inside interface: 172.25.249.1

For machines in LAN2, take 172.25.203.7 for example:

it is reachable from 172.25.249.1 through the router that is the default gateway,

i.e., 172.25.249.1 <-> 172.25.249.254 <-> 172.25.203.254 <-> 172.25.203.7

Though I could add a static route on the router like "ip route 192.168.1.0 255.255.255.0 172.25.249.1" to access LAN2 from LAN1,

is there a way to NAT LAN1's IPs (192.168.1.0/24) to 172.25.249.1 without adding this route?

Thanks a lot

I don't think that is something you want to really do.

If you PAT the whole LAN1 subnet (192.168.1.0/24) to 172.25.249.1, then LAN2 will not be able to reach a specific host on LAN1, because now you are representing the LAN1 network with a single IP.

So traffic will become one-way only: LAN1 is able to reach LAN2 and get responses from LAN2 through the PAT on 172.25.249.1,

but LAN2 can no longer send traffic to a specific LAN1 host IP, since you only have 172.25.249.1 to represent the LAN1 subnet.

If you still want to PAT the whole LAN1 subnet (192.168.1.0/24) to 172.25.249.1, then you have to do outside NAT.

http://www.cisco.com/en/US/customer/docs/security/asa/asa80/command/reference/no.html#wp1737858

Regards,

Hello all,

But LAN1 (192.168.1.0/24) and LAN2 (172.25.0.0/16) should be in the non-NAT list after the site-to-site VPN is set up,

so how could I do NAT to make LAN2 accessible from LAN1?

Thanks a lot

The non-NAT you are talking about is for outgoing traffic.

The outside NAT is for traffic coming in from the outside.

This means that as traffic from LAN1 comes into LAN2 through the 5505, it gets translated to the inside IP of the 5505.

So you will have something like this on the 5505:

access-list 101 permit ip 192.168.x.0 255.255.255.0 172.25.0.0 255.255.0.0

nat (outside) 1 access-list 101 outside

global (inside) 1 interface

In any case, as mentioned previously, this is not what you want, as it will make LAN2 unable to access a specific host in LAN1. The traffic will only be from LAN1 to LAN2, plus the reply packets.

You cannot initiate from LAN2 to LAN1.
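As an added illustration (not code from the thread or from Cisco), the following Python model of the posted topology traces an ICMP echo request and its reply through each device's routing table. It reproduces the three situations discussed above: the reply dies at LAN2's router when it has no route for 192.168.1.0/24, the static route from the earlier reply fixes it, and the outside PAT makes replies reach the 5505's inside interface but leaves LAN2 unable to initiate to a LAN1 host. The LAN1 host 192.168.1.10 and the router's default route to the internet are assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the thread's topology (addresses from the posts; 192.168.1.10 is
# an assumed LAN1 host). Tables are (prefix, next hop); next hop is an IP, "direct",
# "tunnel" (the L2L VPN between the ASAs) or "internet" (the router's default route).
ROUTES = {
    "lan1_host": [("192.168.1.0/24", "direct"), ("0.0.0.0/0", "192.168.1.253")],
    "asa5510":   [("192.168.1.0/24", "direct"), ("172.25.0.0/16", "tunnel")],
    "asa5505":   [("172.25.249.0/24", "direct"), ("192.168.1.0/24", "tunnel"),
                  ("172.25.0.0/16", "172.25.249.254")],
    "router":    [("172.25.249.0/24", "direct"), ("172.25.203.0/24", "direct"),
                  ("0.0.0.0/0", "internet")],
    "lan2_host": [("172.25.203.0/24", "direct"), ("0.0.0.0/0", "172.25.203.254")],
}
# Same topology after "ip route 192.168.1.0 255.255.255.0 172.25.249.1" on the router.
ROUTES_FIXED = {**ROUTES, "router": ROUTES["router"] + [("192.168.1.0/24", "172.25.249.1")]}
OWNER = {"192.168.1.10": "lan1_host", "192.168.1.253": "asa5510", "172.25.249.1": "asa5505",
         "172.25.249.254": "router", "172.25.203.254": "router", "172.25.203.7": "lan2_host"}
PEER = {"asa5510": "asa5505", "asa5505": "asa5510"}  # the two tunnel endpoints
ASA_INSIDE = "172.25.249.1"

def lookup(routes, node, dst):
    """Longest-prefix match in node's table; None when nothing matches."""
    hits = [(ip_network(p), nh) for p, nh in routes[node] if ip_address(dst) in ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def forward(routes, node, dst):
    """Walk a packet hop by hop; return the node that received it, or None if dropped."""
    for _ in range(16):  # hop limit, like an IP TTL
        if OWNER.get(dst) == node:
            return node
        nh = lookup(routes, node, dst)
        if nh is None or nh == "internet":
            return None  # no route back into the tunnel: the packet leaves LAN2 and dies
        node = PEER[node] if nh == "tunnel" else OWNER.get(dst if nh == "direct" else nh)
        if node is None:
            return None
    return None

def ping(src, dst, routes=ROUTES, outside_pat=False):
    """Echo request src->dst plus the echo reply. With the outside PAT from the thread, LAN1
    sources entering LAN2 appear as ASA_INSIDE, so the reply only needs a route to the 5505."""
    if forward(routes, OWNER[src], dst) != OWNER[dst]:
        return False
    reply_to = ASA_INSIDE if outside_pat and OWNER[src] == "lan1_host" else src
    return forward(routes, OWNER[dst], reply_to) == OWNER[reply_to]

if __name__ == "__main__":
    print("LAN1 -> LAN2 host, as posted:", ping("192.168.1.10", "172.25.203.7"))
    print("LAN1 -> LAN2 host, router route:", ping("192.168.1.10", "172.25.203.7", ROUTES_FIXED))
```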

Yes, it did the trick, and now it works fine.

Thank you very much
