Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1692
Views
0
Helpful
4
Replies

Routing problem behind ASA VPN (lan2lan) ASA connection?

Go to solution
1pdemharter
Level 1
Level 1

‎05-14-2019 08:35 AM

Hi all,

 

I have an ASA L2L ASA connection (including VPN Dial-In on both ASAs) up and running. Additionally Internet connection works fine.

 

LAN 1----- ASA1 --------IPSec-VPN-L2L----- ASA2 ----- LAN 2.

All works fine.

Now I added a cisco 2960-x switch with an SVI Interface an 2 vlan to LAN 1.

VLAN 10-----SVI ------LAN1(VLAN1) ------ASA1-----IPSecVPN-----ASA2-----LAN2.

VLAN20------!

 

From VLAN 10, 20, 1 I can ping the Internet, but from VLAN 10,20 I can't reach LAN2 behind ASA2.

On ASA1 I extended my crypto-map ACL additionally to LAN1 with VLAN10,10 (Subnets) to allow it through the VPN Tunnel. Additionally I added to inside routes on ASA1 facing to the vlan10,20)

route inside 10.0.10.0 and 10.20.0 to VLAN1 interface Swicht-SVI-ASA1 transfer subnet. I think routing between switch and asa1 works because Internet access is ok. It seems to me that the source traffic doesn't enter the VPN-tunnel. Interesting. Ping from an host in vlan1-ASA1 through the VPN tunnel to LAN2 works?

Any ideas?

 

many thx

 

Peter

 

 

 

 

 

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Seb Rupik
VIP Alumni
VIP Alumni

‎05-14-2019 08:56 AM

Hi there,

Have you added VLANs 10 and 20 to the NAT exemption rule on ASA1?

 

Can you share the running confg of ASA1 so we can confirm?

 

cheers,

Seb.

View solution in original post

0 Helpful

Go to solution
1pdemharter
Level 1
Level 1
In response to Netlabbuilder

‎05-15-2019 01:03 AM

Many thx! I will check it

 

Peter

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Seb Rupik
VIP Alumni
VIP Alumni

‎05-14-2019 08:56 AM

Hi there,

Have you added VLANs 10 and 20 to the NAT exemption rule on ASA1?

 

Can you share the running confg of ASA1 so we can confirm?

 

cheers,

Seb.

0 Helpful

Go to solution
1pdemharter
Level 1
Level 1
In response to Seb Rupik

‎05-15-2019 01:04 AM

Hi,

 

many thx! I will check it.

 

Peter

0 Helpful

Go to solution
Netlabbuilder
Level 1
Level 1

‎05-14-2019 09:59 AM - edited ‎05-14-2019 10:00 AM

Hello Peter,

 

When you want new IP ranges or subnets to be a part of existing VPN setup, you have to update these new ranges/subnets into all relevant configuration parts at both ends (object groups, crypto-map ACL, interface ACL, NAT, routing and so on...).

 

If it still does not work, please attach your configuration at both ends (in .txt files)

 

I hope it helps.

0 Helpful

Go to solution
1pdemharter
Level 1
Level 1
In response to Netlabbuilder

‎05-15-2019 01:03 AM

Many thx! I will check it

 

Peter

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card