topic Site to Site VPN internal host issue in Network Security

Site to Site VPN internal host issue

bchyka — Mon, 11 Mar 2019 23:48:37 GMT

I have a quick question regarding something I might be missing. We have a site to site VPN set up with an ASA 5510 on our end and a partner Cisco Router.

The VPN is live and our partner can ping across to my external interface and I can ping down the tunnel to their gateway but we can't ping any machines beyond of endpoints of the VPN tunnel.

We need communication between our 2 local lans, specifically between 2 machines for transactions on port 104.

Even without the access list to allow the 2 internal machines on each network to communicate, we can't ping or communicate with any machines beyond the endpoints.

Any help or suggestions is greatly appreciated. I want to establish communication between the 2 internal networks befor elocking down specific communications with access lists.

Thanks again.

Site to Site VPN internal host issue

Julio Carvajal — Fri, 31 Aug 2012 21:02:32 GMT

hello,

Do you see the tunnel up with the following comamnds:

-show crypto isakmp sa

-show crypto ipsec sa

If you want you can place the configuration of both devices on this topic so I can review it for you.

What are the 2 PC's that should communicate with each other.

Regards,

Julio

Site to Site VPN internal host issue

bchyka — Fri, 31 Aug 2012 21:08:51 GMT

Hi Julio,

Yes the tunnel is up with those 2 commands. LEt me grab the config and I will post it up.

Thanks.

Site to Site VPN internal host issue

bchyka — Fri, 31 Aug 2012 21:36:32 GMT

file attached. The tunnel we are having issues with is the zz.zz.zz.zz tunnel.

Site to Site VPN internal host issue

Julio Carvajal — Fri, 31 Aug 2012 22:19:20 GMT

Hello,

So what is the other side of the tunnel local range?

Can you let me know that as I can see something weird on the config?

Regards,

Site to Site VPN internal host issue

bchyka — Fri, 31 Aug 2012 22:24:32 GMT

sure. it is 172.28.40.0/24

Site to Site VPN internal host issue

Julio Carvajal — Fri, 31 Aug 2012 22:38:34 GMT

Hello,

That's it..

Check the Nat configuration

object network NETWORK_OBJ_172.16.30.0_27

subnet 172.16.30.0 255.255.255.224

nat (inside,outside) source static NETWORK_OBJ_192.168.3.0_24 NETWORK_OBJ_192.168.3.0_24 destination static NETWORK_OBJ_172.16.30.0_27 NETWORK_OBJ_172.16.30.0_27

nat (inside,outside) source static NETWORK_OBJ_192.168.3.0_24 NETWORK_OBJ_192.168.3.0_24 destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24

You did it for the 172.16.30 instead of 172.16.40

Regards,

Remember to rate all of the post that help, for us that is more importan than a thanks

Julio

Site to Site VPN internal host issue

bchyka — Fri, 31 Aug 2012 22:42:30 GMT

well the 172.16.30.0 is my VPN address network for Cisco Ipsec client based vpn

the 172.28.40.0 is the internal on the other side of tunnel #2.

so do i still need the nat statements for the point to point vpn?

Site to Site VPN internal host issue

Julio Carvajal — Fri, 31 Aug 2012 22:45:22 GMT

Hello,

Of course you need

Remember to rate all of the post that help, for us that is more importan than a thanks

Site to Site VPN internal host issue

bchyka — Fri, 31 Aug 2012 22:47:42 GMT

yes makes sense now going through the logic. same statements just with the other network?

thanks for the help.

Site to Site VPN internal host issue

Julio Carvajal — Fri, 31 Aug 2012 22:54:45 GMT

That is correct,

If you do not have any other question please mark the question as answered.

Remember to rate all of the post that help, for us that is more importan than a thanks

Site to Site VPN internal host issue

bchyka — Fri, 31 Aug 2012 22:55:53 GMT

no problem. going to test then will close it out.