Remote Access VPN stops traffic from another Site2Site VPN

smiller_81
Level 1

Hi,

We are facing some strange problems with a VPN connection.


We have three networks:
The destination network (172.16.0.0/24), the network of our headquarters (192.168.50.0/24) and the network of our branch (192.168.60.0/24).

In the headquarters we are using an ASA 5515 and in the branch an ASA 5505. Unfortunately we don't have administrative access to the firewall of the destination.

Both the headquarters and the destination have static IPs and are connected with a Site-to-Site VPN; everything works fine.

The branch has a dynamic IP and is connected with a Remote Access VPN to the headquarters. This VPN also works without problems.

Now I'd like to give the branch access to the destination network.

On the branch ASA I added a new traffic selection to the existing VPN tunnel (Branch <-> Headquarters):

(Source: 192.168.60.0/24, Destination: 172.16.0.0/24)

On the headquarters ASA I also added a new traffic selection to the existing tunnel (Headquarters <-> Destination):

(Source: 192.168.60.0/24, Destination: 172.16.0.0/24)

Now the strange thing happens:

I can ping the destination from the headquarters.

As soon as I start pinging a device in the destination network from the branch, the headquarters ping stops. Now I can access the destination network from the branch but no longer from the headquarters. Only when I delete the traffic selection on the headquarters ASA and apply the settings is everything back to normal: the ping from the branch stops and the ping from the headquarters starts again.

Any ideas?


2 Replies

David_Che
Level 1

I suspect you did not configure symmetric traffic selectors on headquarters, branch and destination.

on branch:
192.168.60.0/24 -> 192.168.50.0/24
192.168.60.0/24 -> 172.16.0.0/24

on headquarters:
to branch:
192.168.50.0/24 -> 192.168.60.0/24
172.16.0.0/24 -> 192.168.60.0/24
to destination:
192.168.50.0/24 -> 172.16.0.0/24
192.168.60.0/24 -> 172.16.0.0/24

on destination:
172.16.0.0/24 -> 192.168.50.0/24
172.16.0.0/24 -> 192.168.60.0/24

rizwanr74
Level 7

Hi smiller_81,

Since you do not have administrative rights on the destination firewall, you cannot modify its tunnel configuration.


So you include a permit for traffic from the branch to the destination LAN segment and, similarly, from the headquarters' side you permit destination to branch LAN segment, i.e. as tunnel-bound traffic normally would.


This is where the magic takes place.

You need a dynamic policy NAT on your ASA, such as below.


! branch LAN as it arrives over the remote-access tunnel
object network branch-subnet
 subnet 192.168.60.0 255.255.255.0

! destination LAN (a network object, so it can be referenced by the NAT rule)
object network destination-lan
 subnet 172.16.0.0 255.255.255.0

! an unused headquarters address that the branch will be translated to
object network headquarter-unused-ip
 host 192.168.50.5

! VPN-to-VPN (hairpin) twice NAT: branch -> destination leaves as the headquarters address
nat (outside,outside) source dynamic branch-subnet headquarter-unused-ip destination static destination-lan destination-lan


Let me know if this makes sense to you.


Thanks

Rizwan Rafeek
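A small Python model, added here and not part of either reply or of any Cisco tooling, of the two points made above: David_Che's requirement that crypto selectors be mirror images on both ends, and rizwanr74's hairpin NAT that makes branch traffic reach the destination as a headquarters address. The addresses are the ones from the thread; the function names and the selector lists are my own construction.

```python
import ipaddress

# Constructed selectors from the thread, as (local_net, remote_net) seen by each device.
# The destination firewall's list is the one smiller_81 cannot change.
HQ_TO_DESTINATION = [("192.168.50.0/24", "172.16.0.0/24"),
                     ("192.168.60.0/24", "172.16.0.0/24")]   # the selector added at HQ
DESTINATION = [("172.16.0.0/24", "192.168.50.0/24")]

# Values from rizwanr74's NAT statement (addresses as given in the post).
BRANCH_SUBNET = ipaddress.ip_network("192.168.60.0/24")
DESTINATION_LAN = ipaddress.ip_network("172.16.0.0/24")
HQ_UNUSED_IP = "192.168.50.5"


def unmirrored(a_selectors, b_selectors):
    """Selectors on device A that device B does not carry as the mirror image (remote, local)."""
    mirrors = {(remote, local) for local, remote in b_selectors}
    return [sel for sel in a_selectors if sel not in mirrors]


def selector_covers(selectors, local_ip, remote_ip):
    """True if one (local, remote) pair on a device covers this local <-> remote flow."""
    local, remote = ipaddress.ip_address(local_ip), ipaddress.ip_address(remote_ip)
    return any(local in ipaddress.ip_network(l) and remote in ipaddress.ip_network(r)
               for l, r in selectors)


def hairpin_nat(src_ip, dst_ip):
    """Model of the dynamic policy NAT: branch -> destination traffic leaves HQ
    with the unused HQ address as its source; any other flow is untouched."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if src in BRANCH_SUBNET and dst in DESTINATION_LAN:
        return HQ_UNUSED_IP, dst_ip
    return src_ip, dst_ip


def accepted_by_destination(src_ip, dst_ip, with_nat):
    """Would the destination firewall's unchanged selector match this packet from HQ?"""
    if with_nat:
        src_ip, dst_ip = hairpin_nat(src_ip, dst_ip)
    # On the destination side the packet's dst is local and its (possibly translated) src is remote.
    return selector_covers(DESTINATION, dst_ip, src_ip)


if __name__ == "__main__":
    print("selectors HQ has but destination lacks:", unmirrored(HQ_TO_DESTINATION, DESTINATION))
    for nat in (False, True):
        print(f"branch ping accepted with_nat={nat}:",
              accepted_by_destination("192.168.60.10", "172.16.0.10", nat))
```

Without the NAT the added HQ selector has no mirror on the destination side, so the branch flow has nothing to match there; with it, the destination only ever sees 192.168.50.5 and its existing selector applies.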
