ASA5520 private networks not routing over VPN

adamabel
Level 1
Level 1

Hello, I have an older ASA5520 in CA that has a L2L VPN to a Juniper SRX in NC. I am trying to get my network on VLAN 10, labeled dmz1, in the 10.0.4.0/24 network to talk to a network in NC, 10.34.0.0/16, but I can't seem to get them to talk. I have a network in CA that can already reach 10.34.0.0/16 in NC without a problem. I have allowed the networks to talk in my ACL on the ASA and in the security settings on the SRX. Also, there is another network in NC, 172.18.5.0/24, that 10.0.4.0/24 can reach.

What I think is the problem is the routing. 

When I look at show route dmz1 10.34.9.109 (the specific host my systems people are trying to reach), I get this:

CiscoASA# show route dmz1 10.34.9.109

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
......
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route

Gateway of last resort is (public address) to network 0.0.0.0

C 10.0.4.0 255.255.255.0 is directly connected, dmz1
CiscoASA#

When I do show route to 172.18.5.231, another host that they can reach, I get this:

CiscoASA# show route dmz1 172.18.5.231

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
...
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route

Gateway of last resort is public IP to network 0.0.0.0
CiscoASA#

Also, from my inside network that can reach 10.34.0.0/16, I get this:

CiscoASA# show route inside 10.34.9.109

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
......
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route

Gateway of last resort is public IP to network 0.0.0.0
CiscoASA#

It appears the ASA thinks its route to 10.34.0.0/16 from dmz1 is through dmz1. I looked for any routes for dmz1 or 10.34.0.0/16 and I found none in the configuration. I'm at a bit of a loss as to how to get this to work. Version is 8.2(5).

1 Reply

Michael ONeil
Level 1

Have you checked your NAT exemptions for that flow? NAT needs to exempt, or NAT to itself, when going from and to the VPN remote side, unless there are overlapping IP subnets, in which case you need to source NAT where the overlap is.
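As an added illustration of the NAT-exemption check suggested in the reply (this is not configuration from the thread or from either poster), here is what an ASA 8.2(5) NAT exemption for the dmz1 to NC flow looks like, together with the commands that confirm whether the flow is actually being exempted and encrypted. Interface names, subnets and hosts are taken from the thread; the ACL names and the test source host 10.0.4.10 are assumed.

```cisco
! Added example for ASA 8.2 syntax; ACL names are assumed, not from the thread.
!
! Symptom to look for: an existing nat 0 ACL on dmz1 that already covers the
! 172.18.5.0/24 flow (which works) but does not cover 10.34.0.0/16 (which fails).
! Without the exemption, any nat/global statement applied to dmz1 translates the
! source before the crypto map is consulted, so the packet never matches the
! VPN interesting-traffic ACL and is sent to the gateway of last resort instead.
!
! Corrected: exempt both remote NC subnets from NAT on the dmz1 interface.
access-list dmz1_nat0_outbound extended permit ip 10.0.4.0 255.255.255.0 10.34.0.0 255.255.0.0
access-list dmz1_nat0_outbound extended permit ip 10.0.4.0 255.255.255.0 172.18.5.0 255.255.255.0
nat (dmz1) 0 access-list dmz1_nat0_outbound
!
! The crypto map ACL (name assumed) must carry the same local/remote pair, and
! the SRX security policy and proxy-IDs must mirror it from the other side.
access-list outside_cryptomap extended permit ip 10.0.4.0 255.255.255.0 10.34.0.0 255.255.0.0
!
! Verification on the ASA:
!   show run nat | include dmz1
!       the "nat (dmz1) 0 access-list ..." line must be present
!   show run access-list dmz1_nat0_outbound
!       confirm the 10.34.0.0/16 entry exists, not only 172.18.5.0/24
!   packet-tracer input dmz1 tcp 10.0.4.10 1024 10.34.9.109 443 detailed
!       a NAT phase referencing the nat 0 ACL means the exemption matched;
!       a VPN/ENCRYPT phase means the flow is being handed to the tunnel;
!       if the trace ends at a ROUTE-LOOKUP to the default gateway with no
!       VPN phase, the flow is still not matching the exemption or crypto ACL
!   show crypto ipsec sa peer <SRX public IP, placeholder>
!       #pkts encaps should increment for the 10.0.4.0/24 <-> 10.34.0.0/16 SA
```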
