I am trying to troubleshoot a Site-To-Site VPN routing issue. I am trying to understand how the routing process works for Site-To-Site VPN traffic to and from the local LAN and the rest of the corporate network. For instance, looking at the attached drawing, how does the traffic from the 10.184.2.x local network route to the 10.252.x.x network on the remote site and back again? Again, how will the traffic from the 10.150.x.x network get to the 10.252.x.x site?
Generally, how site-site VPN routing works is that the local site presents traffic to the ASA inside interface, usually as its default route. The ASA does not have a specific route for the remote subnets but rather an access-list that is called in a cryptomap with the associated remote site peer public IP defined. It's that public peer IP that the ASA routes to, usually via its default route (via its outside interface and public IP address).
The remote site's ASA has the obverse (a mirror-image access-list called by its cryptomap).
What networks comprise your object-group DM_INLINE_NETWORK_1? I assume that's from the right-hand ASA.
Do you have the 10.252.0.0/16 destination included in the left-hand ASA's access-list?
(BTW the DM_INLINE objects are created when you simply add the subnets in an ASDM GUI access-list entry (ACE) without first defining the groups. It's easier in the long term, if you ever inspect the configuration file directly, to create object groups with more self-explanatory, human-readable names and then use them in the ACE.)
I guess I should add an entry for the 10.150.x.x and the 10.64.x.x networks to the DM_INLINE_NETWORK_1 object?
"Do you have the 10.252.0.0/16 destination included in the left-hand ASA's access-list?" Sorry I should have said that the Left-hand firewall is a checkpoint device and yes the 10.252.0.0/16 destination is included.
Yes, the networks behind the Checkpoint that come in via that site-site VPN will need to "hairpin" back into the other site-site VPN leading to the 10.252.0.0/16 network.
Of course the firewall at the 10.252.0.0/16 site also needs to have the 10.150.x.x/26 and 10.64.x.x/26 networks in its cryptomap / access-list (plus they should be exempted from NAT) associated with the ASA peer at your corporate network site. There should already be a NAT exemption for those networks in your corporate ASA based on the corporate-remote site VPN, but I mention that just for completeness' sake.
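As an added example (not from the thread and not any poster's actual configuration), here is how the pieces described above fit together on the corporate ASA, in ASA 8.3+ syntax: the crypto ACL that stands in for a route, the NAT exemption, the crypto map pointing at the peer's public IP, and the two ways the Checkpoint-side networks can reach that tunnel. Interface names (inside, outside, cpdmz), object-group names, the exact /26 subnets, the peer address 203.0.113.10, the next-hop addresses and the transform-set are all assumptions; substitute your own.

```cisco
! Objects (names and masks are assumptions; the thread only gives 10.184.2.x,
! 10.150.x.x/26, 10.64.x.x/26 and 10.252.0.0/16)
object-group network CORP-LAN
 network-object 10.184.2.0 255.255.255.0
object-group network REMOTE-SITE-10-252
 network-object 10.252.0.0 255.255.0.0
object-group network CHECKPOINT-SITE-NETS
 network-object 10.150.0.0 255.255.255.192
 network-object 10.64.0.0 255.255.255.192

! BEFORE: a crypto ACL that only carries the local LAN (the DM_INLINE_NETWORK_1 symptom).
! A packet from 10.150.x.x to 10.252.x.x matches nothing here, so it is never encrypted
! and simply follows the default route out of the outside interface in the clear.
access-list VPN-TO-10-252 extended permit ip object-group CORP-LAN object-group REMOTE-SITE-10-252

! AFTER: the Checkpoint-side networks become interesting traffic for the same peer.
! The 10.252 site's firewall needs the mirror image of both lines.
access-list VPN-TO-10-252 extended permit ip object-group CHECKPOINT-SITE-NETS object-group REMOTE-SITE-10-252

! NAT exemption (8.3+ twice-NAT). Without it the source can be translated before the
! crypto-map check, and the translated packet no longer matches the crypto ACL.
nat (inside,outside) source static CORP-LAN CORP-LAN destination static REMOTE-SITE-10-252 REMOTE-SITE-10-252 no-proxy-arp route-lookup
nat (cpdmz,outside) source static CHECKPOINT-SITE-NETS CHECKPOINT-SITE-NETS destination static REMOTE-SITE-10-252 REMOTE-SITE-10-252 no-proxy-arp route-lookup

! Crypto map: note there is no "route ... 10.252.0.0" anywhere. The ASA routes to the
! peer's public IP (placeholder 203.0.113.10) via the outside default route; the ACL
! decides what gets wrapped in the tunnel.
crypto ikev1 enable outside
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address VPN-TO-10-252
crypto map OUTSIDE-MAP 10 set peer 203.0.113.10
crypto map OUTSIDE-MAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP interface outside
route outside 0.0.0.0 0.0.0.0 203.0.113.1

! Reaching the Checkpoint-side networks, two cases:
! (a) The Checkpoint tunnel also terminates on this ASA's outside interface. Decrypted
!     traffic must re-enter outside to be re-encrypted toward 10.252 (the "hairpin"),
!     which the ASA refuses by default; the NAT exemption is then (outside,outside).
same-security-traffic permit intra-interface
! (b) The Checkpoint is a separate box on a small LAN behind the cpdmz interface. No
!     hairpin is involved; the ASA just needs static routes to the Checkpoint's LAN-side
!     address (placeholder 192.0.2.2) so return traffic from 10.252.x.x is forwarded to it.
route cpdmz 10.150.0.0 255.255.255.192 192.0.2.2
route cpdmz 10.64.0.0 255.255.255.192 192.0.2.2

! Checks: trace both flows through NAT, ACL and the VPN phase, then confirm the SA
! encaps/decaps counters move instead of the packet leaving unencrypted.
packet-tracer input inside tcp 10.184.2.10 12345 10.252.1.10 443
packet-tracer input cpdmz tcp 10.150.0.10 12345 10.252.1.10 443
show crypto ipsec sa peer 203.0.113.10
```

The point to check first when a flow "works one way but not the other" is the packet-tracer output: if the VPN encrypt phase is absent for one source network, that network is missing from the crypto ACL (or was NATted before the lookup), and the ASA is sending the traffic to the Internet by the default route rather than into the tunnel.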
Marvin, you've been a great help with your answers. I do have to admit that I may not have given you the full picture.
You mention that "the networks behind the Checkpoint that come in via that site-site VPN will need to 'hairpin' back into the other site-site VPN leading to the 10.252.0.0/16 network." The fact is that the Checkpoint and the site-site VPN come into the ASA on different interfaces, and the Checkpoint is connected via a small LAN, so I would think that would change the configuration somewhat?
We have configured the outside and inside interfaces with official IPv6 addresses, set a default route on the outside interface to our router, and we have also defined a rule, which also gets hits, to permit tcp from the inside interface to any6.
In Syslog I also se...