946 Views · 0 Helpful · 6 Replies

DMZ to GCP VPN Not Working on Cisco 5545

Dan1heMan
Level 1

Hi all, First time poster.

I have a VPN into GCP, and from my normal LAN I can traverse the VPN fine, as I can from other MPLS-connected sites, which also connect via the LAN interface from a Nexus. However, from the DMZ interface on the same ASA that the VPN is hosted on, I cannot ping or connect on any port up the VPN into GCP, even though I have put the access-list statements in on the DMZ interface. The strange thing is, I can connect from GCP back to the on-premises DMZ networks, but the initiation of that needs to come from GCP; starting the connection from the DMZ on premises doesn't work. Does anyone have any ideas? I'm struggling to figure it out.

Thanks

Dan

6 Replies

@Dan1heMan it could be a couple of things: the GCP VPN could be configured to "initiate" a VPN only, and therefore would not respond if you initiated traffic from the DMZ. Or your ASA could be configured to "respond" only when establishing a VPN tunnel.

Provide the relevant information from the output of "show run crypto" on your ASA. Double-check the configuration of the GCP VPN and determine whether both peers can establish a VPN tunnel.

Can you run packet-tracer from the CLI to simulate traffic from the DMZ to GCP? Do this twice and provide the output for review.
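The packet-tracer run asked for above, as an added example that is not part of the reply or the original poster's configuration. Interface names (DMZ, inside, outside) and the addresses (172.16.10.50 as a DMZ host, 192.168.10.50 as a LAN host, 10.200.0.10 as a GCP host) are constructed assumptions; the phase names are the ones the ASA prints in packet-tracer output.

```cisco
! Added example, not from the thread. Constructed values:
!   DMZ interface name: DMZ      DMZ host: 172.16.10.50
!   GCP host: 10.200.0.10        tunnel terminates on the "outside" interface
!
! Run from the ASA CLI (privileged EXEC). Simulate a DMZ host opening TCP/443 to GCP:
packet-tracer input DMZ tcp 172.16.10.50 12345 10.200.0.10 443 detailed

! ...and an ICMP echo (type 8, code 0), since ping was the first symptom reported:
packet-tracer input DMZ icmp 172.16.10.50 8 0 10.200.0.10 detailed

! Run each command twice. If no SA exists yet for the simulated selector, the first run
! can only trigger IKE/IPsec negotiation and may report a drop on the VPN phase; the
! second run, with the SA up, shows the steady-state verdict.
!
! Read the output from the bottom: the final "Result:" block gives "Action: allow" or
! "Action: drop" plus a "Drop-reason:". Then find the phase that produced it:
!   ROUTE-LOOKUP  - the egress interface chosen for 10.200.0.10; DMZ->GCP must leave via
!                   "outside" (where the crypto map is applied), not back towards inside
!   ACCESS-LIST   - the interface ACL on DMZ (the rules the original post added)
!   NAT           - whether a dynamic PAT rewrote the source; if it did, the packet no
!                   longer matches the crypto ACL and leaves for the internet unencrypted
!   VPN           - whether the packet matched the crypto ACL (encrypt) for the GCP peer
!
! The same simulation from the LAN interface, where traffic is known to work, gives a
! baseline to diff phase by phase:
packet-tracer input inside tcp 192.168.10.50 12345 10.200.0.10 443 detailed
```

Because the firewall is managed by a third party here, these commands are read-only and safe to hand over verbatim: packet-tracer creates no lasting state beyond possibly bringing up the tunnel for the simulated selector.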

@Rob Ingram Thanks for the reply, but the issue doesn't appear to be with the VPN, as that works fine, hasn't dropped since I configured it back in March, and is passing traffic both ways to the on-premises datacentre. The issue only seems to be traffic originating from the on-premises DMZ going outbound to Google; traffic inbound from Google gets to the DMZ fine. The VPN stays up at all times. I was wondering if it could be a missing rule, but I've allowed traffic from the DMZ to the Google subnets and the traffic still doesn't get there. I'm also in a strange situation where the firewall is managed by a third party and I have to tell them how to make changes on it, so I can't even interrogate the ASA to diagnose where the packet is getting dropped.

@Dan1heMan OK, so yes, it could be a missing rule to permit traffic from the DMZ to AWS over the VPN.

Packet-tracer would confirm where the issue is, including whether the ACL needs modifying.

I think you are missing a NAT exemption from the DMZ subnet into the remote LAN.

Dan1heMan
Level 1

Thanks both for the suggestions, I will report back as to what the fix will be ASAP.

Dan1heMan
Level 1

Hi all,

Just an update: it turns out it was an issue with a route. The non-DMZ traffic was following the 0.0.0.0/0 route to the VPN subnets, which allowed traffic in and out, but the DMZ interface was trying to push traffic destined for the VPN back onto the normal LAN, where the traffic was dropped. I had to add a route to the ASAs to send traffic destined for the VPN out the internet interface. All sorted now.
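The three pieces an ASA needs for a DMZ subnet to reach a site-to-site peer, put together as an added example that covers both the route fix in the update above and the NAT exemption suggested in the earlier reply. It is not the configuration from the thread: every interface name, object name, prefix, next hop and peer address below is a constructed assumption, and the crypto map name OUTSIDE_MAP is invented for illustration.

```cisco
! Added example, not the configuration from the thread. Constructed assumptions:
!   interfaces: inside (LAN, towards the Nexus), DMZ, outside (internet; VPN peer side)
!   DMZ subnet 172.16.10.0/24    GCP subnet 10.200.0.0/16
!   ISP next hop 203.0.113.1     GCP VPN peer 198.51.100.10
!   crypto map name OUTSIDE_MAP (hypothetical)
!
object network DMZ-NET
 subnet 172.16.10.0 255.255.255.0
object network GCP-NET
 subnet 10.200.0.0 255.255.0.0
!
! 1. Routing. ASA routing is global, so the egress interface for 10.200.0.0/16 is decided
!    by the longest matching prefix, whatever interface the packet arrived on. A route
!    for the GCP prefix out the interface the crypto map is bound to guarantees that
!    DMZ-sourced packets reach the VPN phase instead of whatever more general route
!    (for example one pointing back at the LAN) would otherwise cover them.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route outside 10.200.0.0 255.255.0.0 203.0.113.1 1
!
! 2. NAT exemption (the "exception NAT" from the earlier reply). If the DMZ is PATed to
!    the outside address for internet access, DMZ->GCP packets get their source rewritten
!    and never match the crypto ACL. Identity twice NAT for that address pair keeps the
!    real addresses; twice NAT sits in NAT section 1, so it is evaluated before the
!    object (section 2) dynamic PAT below. "route-lookup" makes the egress decision use
!    the routing table rather than the rule's interface pair.
nat (DMZ,outside) source static DMZ-NET DMZ-NET destination static GCP-NET GCP-NET no-proxy-arp route-lookup
object network DMZ-NET
 nat (DMZ,outside) dynamic interface
!
! 3. The crypto ACL for the GCP peer must cover the DMZ pair, and the GCP side must list
!    the DMZ prefix among its remote (on-premises) ranges, or the selector mismatches.
access-list GCP-VPN-TRAFFIC extended permit ip object DMZ-NET object GCP-NET
crypto map OUTSIDE_MAP 10 match address GCP-VPN-TRAFFIC
!
! 4. The interface ACL the original post had already added:
access-list DMZ-IN extended permit ip object DMZ-NET object GCP-NET
access-group DMZ-IN in interface DMZ
!
! Verification: egress interface, NAT hit counters, and per-peer encaps/decaps counters.
show route 10.200.0.10
show nat detail
show crypto ipsec sa peer 198.51.100.10
```

Two caveats worth checking with the third party managing the box. First, if the ASAs run in multiple-context mode, each context has its own routing table, so the route has to go into the context that owns the DMZ interface, which matches the symptom of the LAN working while the DMZ did not. Second, the asymmetry the original post describes (GCP-initiated connections to the DMZ succeed) is consistent with a missing route or exemption on the on-premises side only, because the reply packets of a GCP-initiated flow follow the existing connection rather than a fresh route lookup and crypto match.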
