https://community.cisco.com/t5/network-security/routing-problem-behind-asa-vpn-lan2lan-asa-connection/m-p/3856078#M27271 <P>Hi all,</P><P>&nbsp;</P><P>I have an ASA L2L ASA connection (including VPN Dial-In on both ASAs) up and running. Additionally Internet connection works fine.</P><P>&nbsp;</P><P>LAN 1----- ASA1 --------IPSec-VPN-L2L----- ASA2 ----- LAN 2.</P><P>All works fine.</P><P>Now I added a cisco 2960-x switch with an SVI Interface an 2 vlan to LAN 1.</P><P>VLAN 10-----SVI ------LAN1(VLAN1) ------ASA1-----IPSecVPN-----ASA2-----LAN2.</P><P>VLAN20------!</P><P>&nbsp;</P><P>From VLAN 10, 20, 1 I can ping the Internet, but from VLAN 10,20 I can't reach LAN2 behind ASA2.</P><P>On ASA1 I extended my crypto-map ACL additionally to LAN1 with VLAN10,10 (Subnets) to allow it through the VPN Tunnel. Additionally I added to inside routes on ASA1 facing to the vlan10,20)</P><P>route inside 10.0.10.0 and 10.20.0 to VLAN1 interface Swicht-SVI-ASA1 transfer subnet. I think routing between switch and asa1 works because Internet access is ok. It seems to me that the source traffic doesn't enter the VPN-tunnel. Interesting. Ping from an host in vlan1-ASA1 through the VPN tunnel to LAN2 works?</P><P>Any ideas?</P><P>&nbsp;</P><P>many thx</P><P>&nbsp;</P><P>Peter</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 14 May 2019 15:35:54 GMT 1pdemharter 2019-05-14T15:35:54Z https://community.cisco.com/t5/network-security/routing-problem-behind-asa-vpn-lan2lan-asa-connection/m-p/3856078#M27271 <P>Hi all,</P><P>&nbsp;</P><P>I have an ASA L2L ASA connection (including VPN Dial-In on both ASAs) up and running. Additionally Internet connection works fine.</P><P>&nbsp;</P><P>LAN 1----- ASA1 --------IPSec-VPN-L2L----- ASA2 ----- LAN 2.</P><P>All works fine.</P><P>Now I added a cisco 2960-x switch with an SVI Interface an 2 vlan to LAN 1.</P><P>VLAN 10-----SVI ------LAN1(VLAN1) ------ASA1-----IPSecVPN-----ASA2-----LAN2.</P><P>VLAN20------!</P><P>&nbsp;</P><P>From VLAN 10, 20, 1 I can ping the Internet, but from VLAN 10,20 I can't reach LAN2 behind ASA2.</P><P>On ASA1 I extended my crypto-map ACL additionally to LAN1 with VLAN10,10 (Subnets) to allow it through the VPN Tunnel. Additionally I added to inside routes on ASA1 facing to the vlan10,20)</P><P>route inside 10.0.10.0 and 10.20.0 to VLAN1 interface Swicht-SVI-ASA1 transfer subnet. I think routing between switch and asa1 works because Internet access is ok. It seems to me that the source traffic doesn't enter the VPN-tunnel. Interesting. Ping from an host in vlan1-ASA1 through the VPN tunnel to LAN2 works?</P><P>Any ideas?</P><P>&nbsp;</P><P>many thx</P><P>&nbsp;</P><P>Peter</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 14 May 2019 15:35:54 GMT https://community.cisco.com/t5/network-security/routing-problem-behind-asa-vpn-lan2lan-asa-connection/m-p/3856078#M27271 1pdemharter 2019-05-14T15:35:54Z https://community.cisco.com/t5/network-security/routing-problem-behind-asa-vpn-lan2lan-asa-connection/m-p/3856096#M27272 <P>Hi there,</P> <P>Have you added VLANs 10 and 20 to the NAT exemption rule on ASA1?</P> <P>&nbsp;</P> <P>Can you share the running confg of ASA1 so we can confirm?</P> <P>&nbsp;</P> <P>cheers,</P> <P>Seb.</P> Tue, 14 May 2019 15:56:33 GMT https://community.cisco.com/t5/network-security/routing-problem-behind-asa-vpn-lan2lan-asa-connection/m-p/3856096#M27272 Seb Rupik 2019-05-14T15:56:33Z https://community.cisco.com/t5/network-security/routing-problem-behind-asa-vpn-lan2lan-asa-connection/m-p/3856162#M27275 <P>Hello&nbsp;<SPAN>Peter,</SPAN></P><P>&nbsp;</P><P>When you want new IP ranges or subnets to be a part of existing VPN setup, you have to update these new ranges/subnets into all relevant configuration parts at both ends (object groups, crypto-map ACL, interface ACL, NAT, routing and so on...).</P><P>&nbsp;</P><P>If it still does not work, please attach your configuration at both ends (in .txt files)</P><P>&nbsp;</P><P>I hope it helps.</P> Tue, 14 May 2019 17:00:26 GMT https://community.cisco.com/t5/network-security/routing-problem-behind-asa-vpn-lan2lan-asa-connection/m-p/3856162#M27275 Netlabbuilder 2019-05-14T17:00:26Z https://community.cisco.com/t5/network-security/routing-problem-behind-asa-vpn-lan2lan-asa-connection/m-p/3856543#M27278 <P>Many thx! I will check it</P><P>&nbsp;</P><P>Peter</P> Wed, 15 May 2019 08:03:34 GMT https://community.cisco.com/t5/network-security/routing-problem-behind-asa-vpn-lan2lan-asa-connection/m-p/3856543#M27278 1pdemharter 2019-05-15T08:03:34Z https://community.cisco.com/t5/network-security/routing-problem-behind-asa-vpn-lan2lan-asa-connection/m-p/3856546#M27279 <P>Hi,</P><P>&nbsp;</P><P>many thx! I will check it.</P><P>&nbsp;</P><P>Peter</P> Wed, 15 May 2019 08:04:18 GMT https://community.cisco.com/t5/network-security/routing-problem-behind-asa-vpn-lan2lan-asa-connection/m-p/3856546#M27279 1pdemharter 2019-05-15T08:04:18Z