traffic on wan subnet not going over tunnel

sbantz
Level 1

I have a problem that is best shown in an illustration, which I have attached. Basically, we have a site-to-site VPN that allows a few machines on our private WAN network to access a vendor's FTP server on the other side of the tunnel. The tunnel itself works fine if I am connecting to the remote FTP host from a host on the same subnet as the inside interface on the ASA 5520. The ACLs for the VPN on both firewalls allow traffic from 192.168.3.0 and 150.1.1.237 to pass.

On the remote wan subnet, I have a machine at 150.1.1.237 that needs to connect to the vendor ftp server at the other side of the tunnel. On the router on that subnet, I added a route so that if 150.1.1.237 wants to get to 192.168.102.186, send the traffic to 192.168.3.254 (the asa inside interface). The problem is, the packet doesn't get there. If I do a traceroute from 150.1.1.237, the packet goes to the default gateway (150.1.1.1) and then to the fiber connected interface on the other subnet. It dies at 192.168.100.1.

Am I missing something in the VPN configuration to allow the host at 150.1.1.237 to access the tunnel? Any host on 192.168.3.0 can connect fine, but 150.1.1.237 cannot. I just wasn't sure if it was a VPN issue or a router issue.

The ACL in the ASA looks like this:

access-list WAV-CLINIC extended permit ip 192.168.3.0 255.255.255.0 host 192.168.102.186
access-list WAV-CLINIC extended permit ip 192.168.3.0 255.255.255.0 host 192.168.102.189
access-list WAV-CLINIC extended permit ip 192.168.3.0 255.255.255.0 host 192.168.102.190
access-list WAV-CLINIC extended permit ip 150.1.1.0 255.255.255.0 host 192.168.102.186
access-list WAV-CLINIC extended permit ip 150.1.1.0 255.255.255.0 host 192.168.102.189
access-list WAV-CLINIC extended permit ip 150.1.1.0 255.255.255.0 host 192.168.102.190

I also have an access list for Nat0 that looks like this:

access-list nonat extended permit ip 192.168.3.0 255.255.255.0 192.168.102.0 255.255.255.0
access-list nonat extended permit ip 150.1.1.0 255.255.255.0 192.168.102.0 255.255.255.0

Please see the attached diagram for a better representation than I can provide in words.

If the attachment is expired, it can also be viewed at: http://i22.photobucket.com/albums/b308/rmarcinko/vpn.jpg

Thanks.

8 Replies

acomiskey
Level 10

Shouldn't the route on the inside router be

ip route 192.168.102.186 255.255.255.255 192.168.100.1

Also, does the ASA have a route to the 150. network?

Thanks for the reply. I have tried it both ways. Right now the route does read as you have listed. The ASA does have a route back to the 150 network. People on 150 can see the 192.168.3 subnet and browse the Internet just fine through the ASA. I just can't get them to that darn host on the other side of the tunnel. :(

I updated my diagram since I can't edit my original msg now. :(

Attached or: http://i22.photobucket.com/albums/b308/rmarcinko/vpn.jpg

Config looks ok, what device is on the other end of the tunnel?

The other end is the same model of ASA.

...and the ACLs on that ASA are mirror images of what you have posted above?

They tell me that they are. I have no way of verifying this myself, though. I think my config looks right, but something is not happening after it leaves the 192.168.100.1 interface. I just don't know what. grr..

This has been resolved. The vendor site was not mirroring my ACLs, but they are now. :)
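The thread ends on the vendor's crypto ACL not mirroring the one posted in the question, which the poster had no way to verify from the local ASA. The following is an added example (not code from the thread or from Cisco) that parses ASA-style `access-list ... extended permit ip` lines, computes the mirror image the peer must carry, reports the entries the peer lacks, and checks whether a given flow such as 150.1.1.237 to 192.168.102.186 is "interesting traffic" for the tunnel at all. The local ACL is copied from the question; the peer ACL, its name `TO-CUSTOMER`, and all function names are constructed for the example, with the peer listing deliberately reproducing the fault described above (only the 192.168.3.0/24 entries mirrored).

```python
"""Check that two ASA crypto ACLs are mirror images and that a given flow
would be selected for the tunnel.

Added example, not from the thread. Handles only the ACE form used there
("access-list NAME extended permit ip SRC DST", each side being
"host A.B.C.D", "NET MASK", or "any").
"""
import ipaddress

# Local crypto ACL, copied from the question above.
LOCAL_CRYPTO_ACL = """
access-list WAV-CLINIC extended permit ip 192.168.3.0 255.255.255.0 host 192.168.102.186
access-list WAV-CLINIC extended permit ip 192.168.3.0 255.255.255.0 host 192.168.102.189
access-list WAV-CLINIC extended permit ip 192.168.3.0 255.255.255.0 host 192.168.102.190
access-list WAV-CLINIC extended permit ip 150.1.1.0 255.255.255.0 host 192.168.102.186
access-list WAV-CLINIC extended permit ip 150.1.1.0 255.255.255.0 host 192.168.102.189
access-list WAV-CLINIC extended permit ip 150.1.1.0 255.255.255.0 host 192.168.102.190
"""

# Constructed peer ACL (name invented) reproducing the fault the thread ends on:
# the vendor mirrored only the 192.168.3.0/24 entries, not the 150.1.1.0/24 ones.
PEER_CRYPTO_ACL = """
access-list TO-CUSTOMER extended permit ip host 192.168.102.186 192.168.3.0 255.255.255.0
access-list TO-CUSTOMER extended permit ip host 192.168.102.189 192.168.3.0 255.255.255.0
access-list TO-CUSTOMER extended permit ip host 192.168.102.190 192.168.3.0 255.255.255.0
"""


def _endpoint(tokens, i):
    """Consume one address spec starting at tokens[i]; return (network, next_index)."""
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1]), i + 2          # bare address -> /32
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    # ASA writes networks as "NET MASK" rather than CIDR; ipaddress accepts "NET/MASK".
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(text):
    """Return the set of (src_network, dst_network) pairs in an ASA ACL listing."""
    aces = set()
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 7 or t[0] != "access-list" or t[2:5] != ["extended", "permit", "ip"]:
            continue  # deny lines, port-based ACEs and remarks are out of scope here
        src, i = _endpoint(t, 5)
        dst, _ = _endpoint(t, i)
        aces.add((src, dst))
    return aces


def mirror(aces):
    """The ACEs a peer needs: every (src, dst) swapped to (dst, src)."""
    return {(dst, src) for src, dst in aces}


def missing_on_peer(local, peer):
    """Proxy identities we will propose for which the peer has no matching ACE."""
    return mirror(local) - peer


def extra_on_peer(local, peer):
    """ACEs the peer carries that we would never propose (asymmetry the other way)."""
    return peer - mirror(local)


def is_interesting(aces, src_ip, dst_ip):
    """True if a packet src_ip -> dst_ip matches some ACE, i.e. would be sent into the tunnel."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(s in src_net and d in dst_net for src_net, dst_net in aces)


if __name__ == "__main__":
    local = parse_acl(LOCAL_CRYPTO_ACL)
    peer = parse_acl(PEER_CRYPTO_ACL)
    for src, dst in sorted(missing_on_peer(local, peer), key=str):
        print(f"peer lacks: permit ip {src} -> {dst}")
    print("150.1.1.237 -> 192.168.102.186 interesting locally:",
          is_interesting(local, "150.1.1.237", "192.168.102.186"))
    print("return traffic interesting on peer:",
          is_interesting(peer, "192.168.102.186", "150.1.1.237"))
```

Run against the listings above it reports the three ACEs the peer lacks (each with 150.1.1.0/24 as destination) and shows that the flow is interesting on the local side but its return path is not on the peer, which is exactly the one-sided failure the poster saw. The peer's listing still has to come from the peer's administrator; what the local ASA can show on its own, via `show crypto ipsec sa`, is which local/remote identities actually negotiated an SA, so an SA for 192.168.3.0/24 but none for 150.1.1.0/24 points at the same mismatch.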
