topic Re: Multisite VPN routing issue in Network Security

Multisite VPN routing issue

zharin — Fri, 21 Feb 2020 10:57:20 GMT

I have a client with several sites and have an interesting routing issue. At Site B, the subnet is 10.0.0.0/16, with an ASA 5505. Site A is 192.168.0.0/16, with an ASA5510, as well as a 2810 series router (managed by someone else). There is one vpn tunnel between the two ASA's that is working just fine, site A to site B communication is working perfectly. There is a second VPN at Site A from the 2810 router to a service provider (we'll call their site SiteC). I've been able to hairpin the 5510 at site A so it redirects traffic for SiteC to the 2810. However, at Site B, I can't seem to get the 5505 to take traffic destined for SiteC to get pushed through the VPN tunnel to Site A, and then on to the 2810.

So, from Site A, I can ping anything on Site B, and anything on Site C. From Site B, I can ping anything on SiteA, including the inside interface of the 2810 router. I cannot ping from Site B to Site C, and vice versa.

I really hope that makes sense to you guys. Ideas?

Re: Multisite VPN routing issue

Farrukh Haroon — Thu, 07 Aug 2008 07:01:44 GMT

Does your ISP know how to get to 10.0.0.0/16?

Regards

Farrukh

Re: Multisite VPN routing issue

zharin — Thu, 07 Aug 2008 11:25:20 GMT

Please forgive me if I am being dense, but I don't understand the relevance of whether the ISP knows how to route to my private subnet. The ASA's should be doing the routing through the VPN tunnel, not the ISP.

Re: Multisite VPN routing issue

Farrukh Haroon — Thu, 07 Aug 2008 12:32:44 GMT

On Site 'B', when you ping Site 'C', what do you see in the encrypted/decrypt?

show crypto ipsec sa

How many VPN peer's do you have at Site "B"?

You need to tell more detail about your setup. Is the ASA5510 the hub or the 2810? Spokes are SiteBASA,SiteC Isp Device AND?

Regards

Farrukh

Re: Multisite VPN routing issue

zharin — Thu, 07 Aug 2008 13:50:49 GMT

I'll check the encrypt/decrypt next time I'm onsite. The ASA5510 is the primary router at Site A. The 2810 belongs to another company hosting a timeclock app, and is only used for the vpn connection to said company. Site B's only VPN peer is to Site A.

Other spokes are not in place yet. Once we figure out how to make Site B talk to Site C, we'll be adding another 30 or so spokes at remote locations, with VPN connections back to Site A so the remote sites can communicate to Site C.

Re: Multisite VPN routing issue

zharin — Tue, 12 Aug 2008 12:20:06 GMT

Encrypt/Decrypt doesn't change. The 5505 doesn't appear to be directing the packets through the VPN tunnel.

Re: Multisite VPN routing issue

acomiskey — Tue, 12 Aug 2008 13:51:11 GMT

You need to add the interesting traffic to both ASA's at site A and B.

What is the network you are trying to reach on the other end of the vpn on the 2810? You need to add this network to the vpn between the ASA's. Let's say it's a.b.c.d/24.

Site B

access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.0.0 a.b.c.d 255.255.255.0

access-list outside_cryptomap extended permit ip 10.0.0.0 255.255.0.0 a.b.c.d 255.255.255.0

Site A

access-list Outside_1_cryptomap extended permit ip a.b.c.d 255.255.255.0 10.0.0.0 255.255.0.0

access-list inside_nat0_outbound extended permit ip a.b.c.d 255.255.255.0 10.0.0.0 255.255.0.0(assuming 2810 is inside asa)

Also need to know where the 2810 is in relation to Site A 5510.

Assuming the 2810 is inside the ASA it would require the following route.

ip route 10.0.0.0 255.255.0.0 192.168.0.1

Lastly, you would need to add the 10.0.0.0 network to the vpn traffic for the tunnel between 2810 and site c. Hope that helps.

Re: Multisite VPN routing issue

zharin — Tue, 12 Aug 2008 18:25:50 GMT

This ended up being a twofold issue. First, the interesting traffic needed to be defined on the ASA's as acomisky suggested, tyvm :). Second, the 2810 router managed by the ASP had their ACL's configured incorrectly, and were not permitting traffic to the 10.0.0.0/16 subnet.

Thanks all for your help.