05-03-2012 11:00 AM - edited 02-21-2020 04:38 AM
I'm having some issues trying to get the Site 3: VPN Client to be able to ping the Site 2: Server. I have just built the tunnel from Site 1 to Site 2 and now have traffic flowing great from Site 1 to Site 2. Site 3 clients can get to Site 1 clients with no issues at all. But Site 3 clients can NOT get to Site 2 clients at all.
I'm guessing it has something to do with coming in on the outside (int 0) and then going back out the outside (int 0) interface. I have enabled/used the following lines but I still cannot get it to work.
1) same-security-traffic permit intra-interface (on the Site 1 ASA only)
2) I have my NAT exempt rules in places for both Site 1 and Site 2. Site 2 is using IOS 8.2(1) and Site 1 is using the newer IOS 8.4(2). So the Site 1 ASA is using the route-lookup switch to simulate the EXEMPT.
Any ideas why it would not be working for me?
05-03-2012 11:08 AM
Hi Arvo,
Shouldn't you also do NAT exempt for Site3 - Site2 on both ASAs, Site 1 and Site 2?
As I see it, in order for a packet from Site3 to go over the IPsec tunnel between Site1 and Site2, the source (Site3, which I suppose connects to Site 1) should not be NATed going to Site2 and back.
Does this make sense, or have you already done that in point 2?
Dan
05-03-2012 11:33 AM
Dan,
So I should have 2 NAT EXEMPT rules on Site 1's ASA and 1 NAT EXEMPT rule on Site 2's ASA?
05-03-2012 11:37 AM
Hi Arvo,
As I see it, on site 1 you should have 2 NAT exempts:
source 10.71.1.0/24 destination 10.50.6.0/24
source 10.71.2.0/24 destination 10.50.6.0/24
On site 2 you should exempt the same traffic from NAT, but the other way around:
source 10.50.6.0/24 destination 10.71.1.0/24
source 10.50.6.0/24 destination 10.71.2.0/24
And the IPsec traffic should also match this traffic.
Dan
05-03-2012 11:57 AM
Note:
Just to stay on a single issue, all I care about is getting from the Site 3: VPN Client to the Site 2: Server. In saying that, we can ignore all the 10.71.1.0/24 rules as they do not apply to the Site 2: 10.50.6.0/24 subnet or the Site 3: 10.71.2.0/24 subnet.
So, just dealing with the 10.71.2.0/24 subnet (VPN clients) and the 10.50.6.0/24 subnet (Site 2), I should only need 1 NAT exempt for each ASA, right? Or am I wrong?
05-03-2012 12:08 PM
Yes, you are right.
Dan
05-03-2012 01:02 PM
OK so this is what I currently have on Site 1's ASA...
object network LAN-INSIDE
subnet 10.71.1.0 255.255.255.0
description local area network
object network LAN-FULTON
subnet 10.50.6.0 255.255.255.0
description Fulton's Network
nat (inside,outside) source static LAN-INSIDE LAN-INSIDE destination static LAN-FULTON LAN-FULTON route-lookup description Exempt NAT rule for traffic from the inside network to the Fulton network
Then on Site 2's ASA...
access-list inside_nat0_outbound extended permit ip 10.50.6.0 255.255.255.0 10.71.2.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
Does that look right?
05-04-2012 03:50 AM
That's right. Also, please check the VPN access-list.
Dan
05-04-2012 11:44 AM
"But Site 3 clients can NOT get to Site 2 clients at all."
Can you please explain whether the Site3 RA VPN clients are terminated on the Site1 or the Site2 ASA? If your answer is Site1,
then you need no-NAT for these segments, i.e. the Site3 RA VPN clients and Site2, on Site1's outside interface, so your understanding is correct with regard to this issue.
Solution as follows; I assume you are using a /24 mask on your networks.
access-list outside_nonat extended permit ip 10.71.2.0 255.255.255.0 10.50.6.0 255.255.255.0
access-list outside_nonat extended permit ip 10.50.6.0 255.255.255.0 10.71.2.0 255.255.255.0
nat (outside) 0 access-list outside_nonat
Now, incorporate "10.71.2.0 255.255.255.0" in the tunnel between site1 and site2, i.e. in the crypto ACL.
On Site2, please make sure you have a static route as shown below.
route outside 10.71.2.0 255.255.255.0 xxx.xxx.xxx.xxx <- default gateway on the Site2 ASA.
Let me know how this is coming along.
Thanks
Rizwan Rafeek.
Message was edited by: Rizwan Mohamed
05-14-2012 12:58 PM
Thanks for the VERY informative response! Below are some config entries that I have made, still yielding no results...
To answer your first question: yes, the VPN clients connect to the Site 1: ASA and once connected should have access to the Site 2: ASA LAN. Second clarification: YES, everything is /24 masks. Please keep in mind that below I'm using the ASDM for everything, so the names are auto-created.
Site 2: ASA Version 8.2(1)
nat (inside) 1 0.0.0.0 0.0.0.0 dns
nat (outside) 0 access-list outside_nat0_outbound
route outside 0.0.0.0 0.0.0.0 148.242.77.54 1
route outside 10.71.2.0 255.255.255.0 148.242.77.54 1
access-list outside_nat0_outbound extended permit ip 10.71.2.0 255.255.255.0 10.50.6.0 255.255.255.0
access-list outside_nat0_outbound extended permit ip 10.50.6.0 255.255.255.0 10.71.2.0 255.255.255.0
Does that look right?
05-15-2012 09:43 AM
"Does that look right?"
Yes for Site1, and please make sure that a static route exists on Site2 as shown below.
route outside 10.71.2.0 255.255.255.0 xxx.xxx.xxx.xxx <- default gateway at the Site2 ASA.
You also need the config below copied onto the Site2 ASA as well.
nat (outside) 0 access-list outside_nat0_outbound
access-list outside_nat0_outbound extended permit ip 10.71.2.0 255.255.255.0 10.50.6.0 255.255.255.0
access-list outside_nat0_outbound extended permit ip 10.50.6.0 255.255.255.0 10.71.2.0 255.255.255.0
Please be sure to include the network segments below in the crypto ACL for the site-to-site VPN between Site1 and Site2.
ip 10.71.2.0 255.255.255.0 10.50.6.0 255.255.255.0
ip 10.50.6.0 255.255.255.0 10.71.2.0 255.255.255.0
I look forward to hearing from you.
thanks
Rizwan Rafeek
Message was edited by: Rizwan Mohamed
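The checklist that emerges from this thread for hairpinning RA VPN clients into a site-to-site tunnel is: an intra-interface permit on the hub that terminates the clients, a NAT exemption between the VPN pool and the remote LAN on both ASAs, the pool included in the crypto ACL on both ends, and a route to the pool on the remote ASA. The following Python linter is an added example, not code from this thread or from Cisco; it parses only the small subset of ASA syntax used in the posts above (8.2 `nat (if) 0 access-list`, 8.3+ identity twice-NAT with network objects, `permit ip` ACL entries in address/mask or `object` form, `crypto map ... match address`, static routes) and reports which checks fail for a given pool/LAN pair. The two embedded configs are constructed samples; the object names and the gateway 203.0.113.1 are placeholders, not values from the thread.

```python
"""Added example: lint an ASA config for the hairpin checklist discussed above.
Handles only the syntax used in this thread ('any', object-groups and other ACL
forms are ignored). The sample configs at the bottom are constructed."""
import ipaddress
import re

IP = r"\d+(?:\.\d+){3}"
ACL_RE = re.compile(rf"access-list (\S+) extended permit ip "
                    rf"(?:({IP}) ({IP})|object (\S+)) (?:({IP}) ({IP})|object (\S+))")
NAT82_RE = re.compile(r"nat \(\S+\) 0 access-list (\S+)")  # 8.2 NAT exemption
NAT84_RE = re.compile(r"nat \(\S+,\S+\) source static (\S+) \1 "
                      r"destination static (\S+) \2")      # 8.3+ identity twice-NAT
CRYPTO_RE = re.compile(r"crypto map \S+ \d+ match address (\S+)")
ROUTE_RE = re.compile(rf"route \S+ ({IP}) ({IP}) ")


def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_objects(config):
    """'object network NAME' followed by 'subnet A M' or 'host A' -> {NAME: network}."""
    objects, current = {}, None
    for line in config.splitlines():
        m = re.match(r"\s*object network (\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"\s*(subnet|host) (\S+)(?: (\S+))?", line)
        if m and current:
            kind, a, b = m.groups()
            objects[current] = _net(a, b) if kind == "subnet" else ipaddress.ip_network(a)
    return objects

def parse_acls(config, objects):
    """ACL name -> [(src_net, dst_net)] for 'permit ip' lines, resolving object names."""
    acls = {}
    for m in ACL_RE.finditer(config):
        name, s, sm, so, d, dm, do = m.groups()
        src = _net(s, sm) if s else objects.get(so)
        dst = _net(d, dm) if d else objects.get(do)
        if src and dst:
            acls.setdefault(name, []).append((src, dst))
    return acls

def nat_exempt_pairs(config, acls, objects):
    """(src, dst) pairs excluded from translation, in either syntax."""
    pairs = [p for m in NAT82_RE.finditer(config) for p in acls.get(m.group(1), [])]
    for m in NAT84_RE.finditer(config):
        src, dst = objects.get(m.group(1)), objects.get(m.group(2))
        if src and dst:
            pairs.append((src, dst))
    return pairs

def crypto_pairs(config, acls):
    """(src, dst) pairs a crypto map will encrypt (the 'interesting traffic')."""
    return [p for m in CRYPTO_RE.finditer(config) for p in acls.get(m.group(1), [])]

def covered(pairs, src, dst):
    return any(src.subnet_of(s) and dst.subnet_of(d) for s, d in pairs)

def has_route(config, net):
    """True if some static route covers net (a default route out an interface counts)."""
    return any(net.subnet_of(_net(*m.groups())) for m in ROUTE_RE.finditer(config))

def check_hairpin(config, pool, lan, role):
    """Return the names of the checks that FAIL. role='hub' is the ASA terminating the
    RA clients (pool) and must hairpin them; role='spoke' is the far end owning lan."""
    pool, lan = ipaddress.ip_network(pool), ipaddress.ip_network(lan)
    objects = parse_objects(config)
    acls = parse_acls(config, objects)
    failed = []
    if role == "hub":
        src, dst = pool, lan
        if "same-security-traffic permit intra-interface" not in config:
            failed.append("intra-interface")
    else:
        src, dst = lan, pool
        if not has_route(config, pool):
            failed.append("route")
    if not covered(nat_exempt_pairs(config, acls, objects), src, dst):
        failed.append("nat-exempt")
    if not covered(crypto_pairs(config, acls), src, dst):
        failed.append("crypto-acl")
    return failed

# Constructed samples: hub in 8.4 object syntax, spoke in 8.2 syntax. Placeholder gateway.
HUB_CONFIG = """\
same-security-traffic permit intra-interface
object network VPN-POOL
 subnet 10.71.2.0 255.255.255.0
object network LAN-FULTON
 subnet 10.50.6.0 255.255.255.0
nat (outside,outside) source static VPN-POOL VPN-POOL destination static LAN-FULTON LAN-FULTON route-lookup
access-list outside_cryptomap extended permit ip object VPN-POOL object LAN-FULTON
crypto map outside_map 1 match address outside_cryptomap
"""
SPOKE_CONFIG = """\
access-list inside_nat0_outbound extended permit ip 10.50.6.0 255.255.255.0 10.71.2.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
access-list outside_cryptomap extended permit ip 10.50.6.0 255.255.255.0 10.71.1.0 255.255.255.0
crypto map outside_map 1 match address outside_cryptomap
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
"""

if __name__ == "__main__":
    print("hub:", check_hairpin(HUB_CONFIG, "10.71.2.0/24", "10.50.6.0/24", "hub"))        # []
    print("spoke:", check_hairpin(SPOKE_CONFIG, "10.71.2.0/24", "10.50.6.0/24", "spoke"))  # ['crypto-acl']
```

Run it against `show running-config` output saved to a file, passing the VPN pool and the remote LAN. The constructed spoke sample reproduces the most common miss in this thread: its crypto ACL still only lists the hub's inside LAN (10.71.1.0/24), so the VPN pool is NAT-exempt and routed but never encrypted, and the linter reports `crypto-acl`. A hub whose only identity NAT is `(inside,outside)` for the inside LAN, as in the original Site 1 config, is reported as `nat-exempt` because no exemption pair contains the pool.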