Route subnet across existing VPN tunnel

Charger1129
Level 1

Hi. I'm looking to accomplish exactly what's posted in this link.

https://supportforums.cisco.com/document/12110341/routing-traffic-between-two-site-site-vpn-tunnels

However, I can't seem to get traffic from point C back to point A. If I packet-trace from the A firewall to the C firewall, it works. If I try from the B firewall to the C firewall using the A IP as the source, it works. If I try to trace from C to B, it works, but C to A fails.

Would I packet-trace with the inside interface if I'm trying to trace from C to A? I tried that and I keep getting a drop at Phase 9 VPN, "ACL denied by rule", but can't seem to find the issue.

2 Replies

Rishabh Seth
Level 7

Hi,

In your problem description you mentioned the following: "If I try to trace from C to B it works, but C to A fails." On which device are you trying this?

As per my understanding, you should use the IP addresses mentioned in the crypto ACL to test with packet tracer.

Also, share whether you have tested VPN connectivity with real traffic or are just testing the expected behaviour with packet tracer.

Thanks,

RS

Rate if the answer helps.

So you aren't actually testing the traffic flow, you are just running packet tracer?

In packet tracer you should be using an IP that is not associated with any of the interfaces on the ASA. So if your ASA inside interface has an IP of 10.10.10.1, then you would use 10.10.10.2 as a source, if it is the 10.10.10.x network that is allowed over the VPN.

Now remember that packet tracer is only locally significant to the ASA you are running it on, and will not give an accurate test of the full path. This will just confirm that the traffic will establish the VPN, and most likely pass traffic from A to B or from C to B. On B you would need to enable hairpinning and possibly identity NAT, depending on how your network is set up. Routing for the remote sites might also be a factor, again depending on how your network is set up.

If your packet tracer fails on C, then you need to check whether the tunnel is being established at all and, if not, where it is failing:

show crypto ikev1 sa

debug crypto condition peer x.x.x.x

debug crypto ikev1 127

debug crypto ipsec 127

If the tunnel is being established but traffic is not passing, check the phase 2 parameters on both C and B.

--

Please remember to select a correct answer and rate helpful posts

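The pieces the second reply refers to (hairpinning and identity NAT on the hub B, crypto ACL entries that cover the far spoke on every tunnel, and a packet-tracer run that uses a host address rather than an interface address) are shown below as an added example. It is not configuration from the thread or from the linked document; the subnets (10.1.0.0/24 at A, 10.2.0.0/24 at B, 10.3.0.0/24 at C), object and ACL names are assumptions, and the NAT line uses the ASA 8.3+ object NAT syntax. Site A is the mirror image of site C.

```cisco
! ---- Site B (hub), assumed subnet 10.2.0.0/24 ----
! Hairpinning: let traffic that arrived on "outside" leave via "outside" again
same-security-traffic permit intra-interface

object network NET-A
 subnet 10.1.0.0 255.255.255.0
object network NET-C
 subnet 10.3.0.0 255.255.255.0

! Identity NAT so spoke-to-spoke traffic crosses the hub untranslated
nat (outside,outside) source static NET-A NET-A destination static NET-C NET-C no-proxy-arp route-lookup

! Crypto ACL for the tunnel to A: A's subnet must be reachable from B AND from C
access-list VPN-TO-A extended permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list VPN-TO-A extended permit ip 10.3.0.0 255.255.255.0 10.1.0.0 255.255.255.0

! Crypto ACL for the tunnel to C: C's subnet must be reachable from B AND from A
access-list VPN-TO-C extended permit ip 10.2.0.0 255.255.255.0 10.3.0.0 255.255.255.0
access-list VPN-TO-C extended permit ip 10.1.0.0 255.255.255.0 10.3.0.0 255.255.255.0

! ---- Site C (spoke), assumed subnet 10.3.0.0/24 ----
! The single tunnel to B must also list A's subnet as a remote network,
! otherwise a C-to-A flow is not "interesting traffic" and is dropped at the VPN phase
access-list VPN-TO-B extended permit ip 10.3.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list VPN-TO-B extended permit ip 10.3.0.0 255.255.255.0 10.1.0.0 255.255.255.0

! ---- Testing with packet-tracer ----
! On C: source is a host in C's subnet (not the inside interface address), destination a host at A
packet-tracer input inside icmp 10.3.0.10 8 0 10.1.0.10 detailed

! On B: the spoke-to-spoke flow enters on "outside" and must exit on "outside" (hairpin)
packet-tracer input outside tcp 10.1.0.10 12345 10.3.0.10 443 detailed

! Tunnel state and negotiation, as the reply suggests
show crypto ikev1 sa
show crypto ipsec sa peer 203.0.113.2
```

The packet-tracer on C only proves that C would encrypt the flow and send it to B; whether B hairpins it and whether A's crypto ACL accepts 10.3.0.0/24 as a remote network still has to be checked on those devices, which is the "locally significant" caveat in the reply. The peer address 203.0.113.2 in the last command is a placeholder.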