I have a client with several sites and have an interesting routing issue. At Site B, the subnet is 10.0.0.0/16, with an ASA 5505. Site A is 192.168.0.0/16, with an ASA5510, as well as a 2810 series router (managed by someone else). There is one vpn tunnel between the two ASA's that is working just fine, site A to site B communication is working perfectly. There is a second VPN at Site A from the 2810 router to a service provider (we'll call their site SiteC). I've been able to hairpin the 5510 at site A so it redirects traffic for SiteC to the 2810. However, at Site B, I can't seem to get the 5505 to take traffic destined for SiteC to get pushed through the VPN tunnel to Site A, and then on to the 2810.
So, from Site A, I can ping anything on Site B, and anything on Site C. From Site B, I can ping anything on SiteA, including the inside interface of the 2810 router. I cannot ping from Site B to Site C, and vice versa.
I really hope that makes sense to you guys. Ideas?
Please forgive me if I am being dense, but I don't understand the relevance of whether the ISP knows how to route to my private subnet. The ASA's should be doing the routing through the VPN tunnel, not the ISP.
I'll check the encrypt/decrypt next time I'm onsite. The ASA5510 is the primary router at Site A. The 2810 belongs to another company hosting a timeclock app, and is only used for the vpn connection to said company. Site B's only VPN peer is to Site A.
Other spokes are not in place yet. Once we figure out how to make Site B talk to Site C, we'll be adding another 30 or so spokes at remote locations, with VPN connections back to Site A so the remote sites can communicate to Site C.
This ended up being a twofold issue. First, the interesting traffic needed to be defined on the ASA's as acomisky suggested, tyvm :). Second, the 2810 router managed by the ASP had their ACL's configured incorrectly, and were not permitting traffic to the 10.0.0.0/16 subnet.
DocumentationCode download linksGoalRequirementLimitationsSupported ISR
and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationConfigure one of the connectivity
options to access the Cisco IMC from the n...
Firepower Threat Defense (NGFWv) on UCS E-series - Transparent Mode in
HA DocumentationCode download linksGoalRequirementLimitationsSupported
ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationCo...
Question I am currently unable to specify "crypto keyring" command when
configuring VPN connection on my cisco 2901 router. The following
licenses have been activated on my router :