Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Site-to-Site VPN Assistance between ASA

Hi Experts,

Recently i have established VPN connection between our Head Office and Branch Office ASA firewalls. But we are facing some issues as well as one more requirement is pending to do. Please find attached config for your kind reference.

Issues facing

One way Ping Issue: Branch office connectivity to Head Office connectivity(LAN to LAN) is fine. But from Head Office to Branch office LAN connectivity is not happening to particular subnet (172.16.20.X). Because ping from remote subnets at branch office to head office subnets are fine but ping from Head office LAN(172.16.10.X) to branch office LAN (172.16.20.X) is not happening. From HO ASA also its not pinging

New requirement to do

Only Users at remote subnet (172.16.20.X) should use the internet of Head Office. The reason why we try to implement this is because there is no proxy set at Remote office at the moment, so we would like to use the same proxy located in the HO LAN(172.26.10.X) for remote location users as well.

Any Help is appreciated.

Thanks and Regards,

Sihanu N


  • VPN
1 REPLY
Super Bronze

Re: Site-to-Site VPN Assistance between ASA

Hi,

Lets first take a look ar your Encryption Domain. It states that the networks participating on the L2L VPN Connection are

Head Office

  • 172.16.10.0/24
  • 172.16.60.0/24
  • 172.16.80.0/24
  • 172.26.0.0/16

Branch Office

  • 172.16.20.0/24
  • 172.36.0.0/16

The Branch Site is easy to check as it only has one local interface and all the source networks behind that interface. Your Crypto ACL and the NAT0 ACL match eachother on the Branch Office site so that should be fine. Also you dont have an internal interface ACL configured so all traffic should be allowed.

On the Head Office it seems to me that you have not allowed the traffic to be initiated to the remote site network 172.16.20.0/24

You can test this with "packet-tracer" on the Head Office ASA

packet-tracer input inside tcp 12345 172.16.20.100 80

See if it gets blocked by the ACL

Or you could simply allow all traffic from the Head Office local LAN networks to the Branch Office in the ACL

access-list ACL-inside line 1 remark Allow traffic to L2L VPN

access-list ACL-inside line 2 permit ip 172.16.10.0 255.255.255.0 172.16.20.0 255.255.255.0

- Jouni

117
Views
4
Helpful
1
Replies