1029 Views, 0 Helpful, 11 Replies

Site to Site VPN internal host issue

bchyka (Level 1)

I have a quick question regarding something I might be missing. We have a site-to-site VPN set up with an ASA 5510 on our end and a partner Cisco router.

The VPN is live and our partner can ping across to my external interface, and I can ping down the tunnel to their gateway, but we can't ping any machines beyond the endpoints of the VPN tunnel.

We need communication between our 2 local LANs, specifically between 2 machines for transactions on port 104.

Even without the access list to allow the 2 internal machines on each network to communicate, we can't ping or communicate with any machines beyond the endpoints.

Any help or suggestions are greatly appreciated. I want to establish communication between the 2 internal networks before locking down specific communications with access lists.

Thanks again.

11 Replies

Julio Carvajal (VIP Alumni)

Hello,

Do you see the tunnel up with the following commands:

- show crypto isakmp sa

- show crypto ipsec sa

If you want, you can place the configuration of both devices on this topic so I can review it for you.

What are the 2 PCs that should communicate with each other?

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio,

Yes, the tunnel is up with those 2 commands. Let me grab the config and I will post it up.

Thanks.

File attached. The tunnel we are having issues with is the zz.zz.zz.zz tunnel.

Hello,

So what is the other side of the tunnel local range?

Can you let me know that, as I can see something weird in the config?

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Sure. It is 172.28.40.0/24.

Hello,

That's it..

Check the NAT configuration:

object network NETWORK_OBJ_172.16.30.0_27

subnet 172.16.30.0 255.255.255.224

nat (inside,outside) source static NETWORK_OBJ_192.168.3.0_24 NETWORK_OBJ_192.168.3.0_24 destination static NETWORK_OBJ_172.16.30.0_27 NETWORK_OBJ_172.16.30.0_27

nat (inside,outside) source static NETWORK_OBJ_192.168.3.0_24 NETWORK_OBJ_192.168.3.0_24 destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24

You did it for the 172.16.30 instead of 172.16.40.

Regards,

Remember to rate all of the posts that help; for us that is more important than a thanks.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Well, the 172.16.30.0 is my VPN address network for the Cisco IPsec client-based VPN.

The 172.28.40.0 is the internal on the other side of tunnel #2.

So do I still need the NAT statements for the point-to-point VPN?

Hello,

Of course you need them.

Remember to rate all of the posts that help; for us that is more important than a thanks.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Yes, it makes sense now going through the logic. Same statements, just with the other network?

Thanks for the help.

Accepted Solution

That is correct.

If you do not have any other question, please mark the question as answered.

Remember to rate all of the posts that help; for us that is more important than a thanks.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
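As an added example, not part of the thread or of the poster's attached config, here is what "the same statements, just with the other network" look like written out for the 172.28.40.0/24 peer, together with the commands used to check that the exemption is actually being hit. The local LAN 192.168.3.0/24, the inside/outside interface names and the 8.3+ object NAT syntax are taken from the snippet Julio quoted; the object names and the crypto ACL name OUTSIDE_CRYPTOMAP_2 are assumptions that follow the naming pattern in that snippet.

```cisco
! Added example (not the thread's config). Assumed: local LAN 192.168.3.0/24 on
! "inside", tunnel terminates on "outside", ASA 8.3+ object NAT syntax.
object network NETWORK_OBJ_192.168.3.0_24
 subnet 192.168.3.0 255.255.255.0

! Remote LAN behind the partner router, as stated in the thread.
object network NETWORK_OBJ_172.28.40.0_24
 subnet 172.28.40.0 255.255.255.0

! Identity (twice) NAT: traffic from our LAN to the partner LAN keeps both
! addresses unchanged, so it still matches the crypto ACL and is encrypted
! instead of being PAT'ed to the outside interface address. Manual NAT
! rules live in Section 1 and are evaluated before any dynamic PAT.
nat (inside,outside) source static NETWORK_OBJ_192.168.3.0_24 NETWORK_OBJ_192.168.3.0_24 destination static NETWORK_OBJ_172.28.40.0_24 NETWORK_OBJ_172.28.40.0_24

! The crypto ACL for this peer must describe the same pair of networks
! (ACL name is an assumption); the partner's ACL must be the mirror image,
! 172.28.40.0/24 -> 192.168.3.0/24.
access-list OUTSIDE_CRYPTOMAP_2 extended permit ip 192.168.3.0 255.255.255.0 172.28.40.0 255.255.255.0

! Verification from enable mode once the tunnel is up:
! show nat
!   the identity rule should be listed under "Manual NAT Policies (Section 1)"
! packet-tracer input inside tcp 192.168.3.10 1025 172.28.40.10 104
!   the NAT phase should show this rule and the VPN phase should end in ALLOW;
!   a dynamic PAT phase rewriting the source means the exemption is not matching
! show crypto ipsec sa peer zz.zz.zz.zz
!   #pkts encaps/decaps should increase when a 192.168.3.x host sends traffic
```

The rule only covers the local side: if the partner router also NATs its LAN toward the Internet, it needs the equivalent exemption (a deny in its NAT ACL for 172.28.40.0/24 to 192.168.3.0/24), otherwise replies will be translated and will never match the crypto ACL on their end.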

No problem. Going to test, then I will close it out.
