
Routing problem behind ASA VPN (lan2lan) ASA connection?

1pdemharter
Level 1

Hi all,

 

I have an ASA L2L connection (including VPN Dial-In on both ASAs) up and running. Additionally, the Internet connection works fine.

 

LAN 1----- ASA1 --------IPSec-VPN-L2L----- ASA2 ----- LAN 2.

All works fine.

Now I added a Cisco 2960-X switch with an SVI interface and 2 VLANs to LAN 1.

VLAN 10-----SVI ------LAN1(VLAN1) ------ASA1-----IPSecVPN-----ASA2-----LAN2.

VLAN20------!

 

From VLAN 10, 20, 1 I can ping the Internet, but from VLAN 10,20 I can't reach LAN2 behind ASA2.

On ASA1 I extended my crypto-map ACL, in addition to LAN1, with VLAN10,10 (subnets) to allow them through the VPN tunnel. Additionally, I added two inside routes on ASA1 facing the VLAN10,20:

route inside 10.0.10.0 and 10.20.0 to the VLAN1 interface Switch-SVI-ASA1 transfer subnet. I think routing between the switch and ASA1 works because Internet access is OK. It seems to me that the source traffic doesn't enter the VPN tunnel. Interesting. Ping from a host in VLAN1-ASA1 through the VPN tunnel to LAN2 works?

Any ideas?

 

many thx

 

Peter

4 Replies

Seb Rupik
VIP Alumni

Hi there,

Have you added VLANs 10 and 20 to the NAT exemption rule on ASA1?

 

Can you share the running config of ASA1 so we can confirm?

 

cheers,

Seb.

Hi,

 

many thx! I will check it.

 

Peter

Netlabbuilder
Level 1

Hello Peter,

 

When you want new IP ranges or subnets to be a part of an existing VPN setup, you have to update these new ranges/subnets in all relevant configuration parts at both ends (object groups, crypto-map ACL, interface ACL, NAT, routing and so on...).

 

If it still does not work, please attach your configuration at both ends (in .txt files).

 

I hope it helps.
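The two answers above (NAT exemption on ASA1, and updating every relevant part at both ends) are illustrated below with an ASA 8.3+ style configuration fragment. This is an added example written for this thread, not Peter's config and not Cisco's: every address, object name, crypto map name and next-hop is a constructed placeholder (only 10.0.10.0/24 is taken from the post; 10.0.20.0/24, 192.168.1.0/24 for LAN1, 192.168.2.0/24 for LAN2 and the SVI address 192.168.1.2 are assumptions). The existing tunnel-group, IKE and IPsec proposal configuration is assumed to be in place and unchanged.

```text
!=================== ASA1 ===================
! 1. Objects for every local subnet that must use the tunnel
!    (addresses are constructed examples)
object network LAN1
 subnet 192.168.1.0 255.255.255.0
object network VLAN10
 subnet 10.0.10.0 255.255.255.0
object network VLAN20
 subnet 10.0.20.0 255.255.255.0
object-group network LOCAL-VPN-NETS
 network-object object LAN1
 network-object object VLAN10
 network-object object VLAN20
object network LAN2
 subnet 192.168.2.0 255.255.255.0

! 2. Routing: VLAN 10/20 sit behind the switch SVI on the inside segment
route inside 10.0.10.0 255.255.255.0 192.168.1.2 1
route inside 10.0.20.0 255.255.255.0 192.168.1.2 1

! 3. Crypto ACL (interesting traffic): all three local subnets to LAN2
access-list L2L-TO-ASA2 extended permit ip object-group LOCAL-VPN-NETS object LAN2
crypto map OUTSIDE-MAP 10 match address L2L-TO-ASA2

! 4. NAT exemption (identity twice NAT) for the same pairs.
!    Without this, VLAN 10/20 traffic is PATed to the outside address
!    before crypto matching, so it never matches the crypto ACL and
!    leaves in clear text toward the Internet instead of the tunnel.
nat (inside,outside) source static LOCAL-VPN-NETS LOCAL-VPN-NETS destination static LAN2 LAN2 no-proxy-arp route-lookup

! 5. Interface ACL: only needed if an ACL is applied inbound on inside
access-list INSIDE-IN extended permit ip object-group LOCAL-VPN-NETS object LAN2

!=================== ASA2 (mirror image) ===================
object network LAN2
 subnet 192.168.2.0 255.255.255.0
object-group network REMOTE-VPN-NETS
 network-object 192.168.1.0 255.255.255.0
 network-object 10.0.10.0 255.255.255.0
 network-object 10.0.20.0 255.255.255.0
access-list L2L-TO-ASA1 extended permit ip object LAN2 object-group REMOTE-VPN-NETS
crypto map OUTSIDE-MAP 10 match address L2L-TO-ASA1
nat (inside,outside) source static LAN2 LAN2 destination static REMOTE-VPN-NETS REMOTE-VPN-NETS no-proxy-arp route-lookup

!=================== Verification on ASA1 ===================
! Simulate a ping from VLAN 10 to LAN2; the output should show the
! NAT phase hitting the exemption rule and a VPN/ENCRYPT phase.
packet-tracer input inside icmp 10.0.10.5 8 0 192.168.2.5 detailed
! One IPsec SA pair per subnet pair should appear after traffic flows
show crypto ipsec sa peer <ASA2-outside-IP-placeholder>
```

Two points worth checking when applying this: the crypto ACL and NAT exemption must list exactly the same subnet pairs on both ASAs, because a subnet present in the crypto ACL on one side only produces a proxy-ID mismatch and the child SA for that pair never comes up; and the twice-NAT exemption is a section 1 rule, so it is evaluated before any object NAT (PAT) rule for the inside network and does not need reordering.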

Many thx! I will check it

 

Peter
