Solved: Remote Access & VPN with 5520

rgreenspon · ‎08-15-2010

We currently have two locations that are interconnected via a private connection. They are both connected using L3 switches. Site1 currently has an Internet feed off an ASA 5520 but that Internet feed is going away and all traffic will be routed over the private connection to Site2. I am trying to migrate all connections to Site2 which also has an ASA 5520. Currently both sites can get to and from the Internet and each other fine. If I VPN into Site1 I can access Site2, but if I VPN into Site2 I can not get to anything on Site1, just Site2 servers and the Internet. Also Site1 cannot ping/traceroute to the VPN'd PC. I also have a NAT'd device that sits on Site1's L2 network (no Site1 ASA involved) that can not be accessed via the Internet, the Site2 ASA logs show a timeout after 30 seconds.

Site1

Internal Subnets:192.168.0.0/23

DMZ: 192.168.2.0/24

VPN: 192.16.11.0/24

L3 Link: 172.16.99.1

Route: 172.16.0.0/16 172.16.99.2

0.0.0.0 Site1 ASA's internal IP

Site2:

Internal: 172.16.10.0/24

DMZ: 172.16.5.0/24

VPN: 172.16.12.0/24

L3 Switch

Link: 172.16.99.2

Internal: 172.16.10.1

Route: 192.168.0.0/16 172.16.99.1

0.0.0.0 172.16.10.2

ASA:

Internal: 172.16.10.2

Route: 0.0.0.0 External IP

192.168.0.0/16 172.16.10.1

Any suggestions on where to look would be appreciated.

rjwalani · ‎08-16-2010

Getting on a device in the 192.168.x.x subnet and do a traceroute to the VPN assigned IP address. This would help to confirm that it atleast reaches the L3 switch between the ASAs. You could also perform a packet capture on all of your ASAs using specfic access-lists to figure out if the packets reaching the ASA.

View solution in original post

Jennifer Halim · ‎08-15-2010

When you VPN to site 2, from your description, your VPN will be assigned ip address from 172.16.12.0/24.

If that is correct, you would have to make sure that the subnet of 172.16.12.0/24 is being routed correctly towards site 2. It seems that within site 1, the 172.16.12.0/24 has been incorrectly routed so you might want to double check on that.

You might want to check the route hop by hop between site 1 and site 2 internally.

rgreenspon · ‎08-16-2010

Thanks for responding, let me see if I can clarify better.

When I VPN to Site2, I do get an IP from the 172.16.12.0/24 subnet. I am able to access the Internet, 172.16.5.0/24 and 172.16.10.0/24, but am not able to access 192.168.0.0/16.

If I am on the 172.16.5.0/24 or 172.16.10.0/24 subnets I have no problems accessing 192.168.0.0/16 network or the Internet. If I am on the 192.168.0.0/16 subnet I can access 172.168.5.0/24 and 172.16.10.0/24 subnets, but not the 172.16.12.0/24 subnet.

ty.masse · ‎08-16-2010

On Site 2's ASA, you need to modify the static route so the destination is 172.16.99.1. Such as: route outside 192.168.0.0 255.255.0.0 172.16.99.1. From what I can tell it looks like you're routing the 192.168 network back to the inside direction. It needs to go to the outside direction. Actually, instead of 172.16.99.1 as the destination in the route statement, make it the remote ASA's (site 1) peer address.

Hope this helps.

rjwalani · ‎08-16-2010

Getting on a device in the 192.168.x.x subnet and do a traceroute to the VPN assigned IP address. This would help to confirm that it atleast reaches the L3 switch between the ASAs. You could also perform a packet capture on all of your ASAs using specfic access-lists to figure out if the packets reaching the ASA.

rgreenspon · ‎08-18-2010

Ok, I found part of the problem, we had a consultant who help setup the initial configuration and then left. He had enabled split-tunnelling on site2 which isn't enabled on the site1. Once I disabled that then I was able to VPN in and get to the 192.168.0.0/16 network from 172.16.12.0/24. No the only issue left has to do with NAT/PAT from the site2 external IPs to an internal site1 IP.

Thanks for everyone help