
Remote Access VPN stops traffic from another Site2Site VPN

Unanswered Question
Oct 10th, 2014

Hi,

We are facing some strange problems with a VPN connection.

 

We have three networks:
The destination network (172.16.0.0/24), the network of our headquarter (192.168.50.0/24) and the network of our branch (192.168.60.0/24).

In the headquarter we are using an ASA 5515 and in the branch an ASA 5505. Unfortunately we don't have administrative access to the firewall of the destination.

Both the headquarter and the destination have static IPs and are connected with a site-to-site VPN; everything works fine.

The branch has a dynamic IP and is connected to the headquarter with a remote access VPN. This VPN also works without problems.

Now I'd like to give the branch access to the destination network.

On the branch ASA I added a new traffic selection to the existing VPN tunnel (Branch <-> Headquarter):

(Source: 192.168.60.0/24, Destination: 172.16.0.0/24)

On the headquarter I also added a new traffic selection to the existing tunnel (Headquarter <-> Destination):

(Source: 192.168.60.0/24, Destination: 172.16.0.0/24)

Now the strange thing happens:

I can ping the destination from the headquarter.

As soon as I start pinging a device in the destination network from the branch, the headquarter ping stops. Now I can access the destination network from the branch but no longer from the headquarter. Only when I delete the traffic selection in the headquarter ASA and apply the settings is everything back to normal: the ping from the branch stops and the ping from the headquarter starts again.

Any ideas?

rizwanr74 Wed, 10/15/2014 - 06:21
User Badges:
  • Gold, 750 points or more

Hi smiller_81,

Since you do not have administrative rights on the destination firewall, you cannot modify the tunnel configuration.

So you include a permit for traffic from the branch to the destination LAN segment and, similarly, from the headquarter's side you permit the destination to the branch LAN segment, i.e. as tunnel-bound traffic normally would.

This is where the magic takes place.

You need a dynamic policy NAT on your ASA, such as the one below.

! Branch LAN as it arrives over the remote access VPN
object network branch-subnet
 subnet 192.168.60.0 255.255.255.0

! Destination LAN behind the site-to-site tunnel. This has to be a network
! object: "subnet" is not accepted under "object-group network"
object network destination-lan
 subnet 172.16.0.0 255.255.255.0

! Unused headquarter address the branch is hidden behind
object network headquarter-unused-ip
 host 192.168.50.5

! The flow enters and leaves on the outside interface (VPN to VPN), so
! hairpinning on the same interface has to be permitted
same-security-traffic permit intra-interface

! Rewrite the branch source to the unused headquarter address only when the
! destination is the destination LAN; the destination address stays unchanged
nat (outside,outside) source dynamic branch-subnet headquarter-unused-ip destination static destination-lan destination-lan

Let me know if this makes sense to you.

 

Thanks

Rizwan Rafeek

David_Che Wed, 10/15/2014 - 01:53
User Badges:

I suspect you did not configure symmetric traffic selectors on the headquarter, the branch and the destination.

On the branch:

192.168.60.0/24 ---> 192.168.50.0/24

192.168.60.0/24 ---> 172.16.0.0/24

On the headquarter, to the branch:

192.168.50.0/24 ---> 192.168.60.0/24

172.16.0.0/24 ---> 192.168.60.0/24

On the headquarter, to the destination:

192.168.50.0/24 ---> 172.16.0.0/24

192.168.60.0/24 ---> 172.16.0.0/24

On the destination:

172.16.0.0/24 ---> 192.168.50.0/24

172.16.0.0/24 ---> 192.168.60.0/24
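Added example (not code from either reply, nor from Cisco): a small Python model of the crypto-ACL selectors at the three sites as David_Che lists them, plus rizwanr74's policy NAT, to show why a branch-to-destination flow is only covered by both ends of the headquarter-to-destination tunnel once either the destination firewall carries the mirrored selector or the branch source is hidden behind the unused headquarter address. The site names, the dictionary layout, the sample hosts 192.168.60.10 and 172.16.0.10, and the PolicyNat class are assumptions of this example; a real ASA evaluates NAT and crypto ACLs with more rules than this, so the model only reproduces the selector-matching logic the two replies describe.

```python
import ipaddress
from dataclasses import dataclass

Net = ipaddress.IPv4Network
Addr = ipaddress.IPv4Address


@dataclass(frozen=True)
class Selector:
    """One crypto-ACL entry (traffic selector) as written on the local ASA."""
    src: Net
    dst: Net

    def mirror(self):
        # The entry the peer must carry for the same flow, seen from its side.
        return Selector(self.dst, self.src)


def sel(src, dst):
    return Selector(Net(src), Net(dst))


# Constructed from the question and David_Che's reply. Key: (local site, peer site);
# value: the selectors the local ASA carries for that tunnel. The destination firewall
# is outside the poster's control, so it keeps only its original entry.
SELECTORS = {
    ("branch", "hq"): [sel("192.168.60.0/24", "192.168.50.0/24"),
                       sel("192.168.60.0/24", "172.16.0.0/24")],
    ("hq", "branch"): [sel("192.168.50.0/24", "192.168.60.0/24"),
                       sel("172.16.0.0/24", "192.168.60.0/24")],
    ("hq", "destination"): [sel("192.168.50.0/24", "172.16.0.0/24"),
                            sel("192.168.60.0/24", "172.16.0.0/24")],
    ("destination", "hq"): [sel("172.16.0.0/24", "192.168.50.0/24")],
}


def asymmetric_selectors(selectors):
    """Return [(site_pair, selector)] for every entry whose mirror is missing on the peer."""
    problems = []
    for (local, peer), entries in selectors.items():
        peer_entries = selectors.get((peer, local), [])
        for s in entries:
            if s.mirror() not in peer_entries:
                problems.append(((local, peer), s))
    return problems


@dataclass(frozen=True)
class PolicyNat:
    """Assumed model of rizwanr74's 'nat (outside,outside) source dynamic <real> <mapped>
    destination static <dst> <dst>': flows from real_src towards dst leave with mapped_src."""
    real_src: Net
    mapped_src: Addr
    dst: Net


HQ_NAT = [PolicyNat(Net("192.168.60.0/24"), Addr("192.168.50.5"), Net("172.16.0.0/24"))]


def apply_nat(rules, src, dst):
    """Return (src, dst) after the first matching policy-NAT rule, untouched otherwise."""
    src, dst = Addr(src), Addr(dst)
    for r in rules:
        if src in r.real_src and dst in r.dst:
            return r.mapped_src, dst
    return src, dst


def flow_covered(selectors, site, peer, src, dst):
    """True only if both tunnel ends have a selector for this flow
    (the peer sees it with source and destination swapped)."""
    src, dst = Addr(src), Addr(dst)
    local_ok = any(src in s.src and dst in s.dst for s in selectors[(site, peer)])
    peer_ok = any(dst in s.src and src in s.dst for s in selectors[(peer, site)])
    return local_ok and peer_ok


def branch_to_destination_covered(with_nat):
    """Check a constructed branch-to-destination ping over the hq<->destination tunnel."""
    src, dst = "192.168.60.10", "172.16.0.10"
    if with_nat:
        src, dst = apply_nat(HQ_NAT, src, dst)
    return flow_covered(SELECTORS, "hq", "destination", str(src), str(dst))


if __name__ == "__main__":
    for pair, s in asymmetric_selectors(SELECTORS):
        print(f"{pair[0]} -> {pair[1]}: {s.src} -> {s.dst} has no mirror on {pair[1]}")
    print("covered without NAT:", branch_to_destination_covered(False))
    print("covered with policy NAT:", branch_to_destination_covered(True))
```

Running it reports the single asymmetric entry (the 192.168.60.0/24 -> 172.16.0.0/24 selector the headquarter added without a counterpart on the destination firewall), shows the un-translated branch flow as not covered, and shows the same flow covered once the policy NAT rewrites its source to 192.168.50.5, because the destination then only ever sees the 192.168.50.0/24 prefix it already has a selector for.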
