
Site-2-Site unable to reach specific destination at Remote Site (ASA5506 v9.6)

Robbert Tol
Level 1

At a customer site I have a site-to-site VPN tunnel. At the main office (Site A) I also have an AnyConnect VPN solution. At Site A the firewall has two WAN connections. One connection is for normal internet access and the other is a specific intranet connection to a dealer network. On the dealer network there are some web servers etc. that I have to reach.


Site A is working perfectly. Internet traffic goes over WAN, while requests to the dealer sites go over WAN_PON (the second WAN port at Site A). From Site A I can ping any host at Site B (and vice versa). I can also manage and reach both ASA firewalls.

The only problem I have (and I cannot figure out why) is that Site B also has to be able to reach the dealer network (which is at Site A), and I cannot see why this does not work.


Both configurations of the ASAs are attached.

Site A: ASA5506-X HQ.txt

Site B: ASA5506-X Branche


Please help me find the correct solution. Thank you so much for your help...

4 Replies

Dennis Mink
VIP Alumni

Robbert, can you confirm that you have a problem between:


192.168.1.254 255.255.255.0 site a


ip address 192.168.100.1 255.255.255.0 hq


If not, state the subnets you have a problem with. Can you ping from the LAN interface of one ASA to the LAN interface of the other ASA at all?


Regards

Please remember to rate useful posts, by clicking on the stars below.

Dennis,


Site A (HQ) ASA: 192.168.100.1

Site B (Branche) ASA: 192.168.1.254

The ASAs can ping each other. Hosts on the internal networks can also ping/reach each other.


Site B (remote site) also has internet access, but users at Site B must be able to reach the 10.0.0.0 255.0.0.0 network, which is connected at Site A on the WAN_PON port (second WAN).

Users at Site A can reach this network already.

I can't spot an issue with your config; the NAT seems correct and the crypto maps have the right objects in them.


Can you double-check and run packet-tracer on both ASAs to see whether the traffic still passes through, i.e. isn't blocked?


cheers


Packet trace from the branch office ASA


ASA5506X-ZTM(config)# packet-tracer input inside tcp 192.168.1.110 80 10.200.153.29 80

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 145.131.166.97 using egress ifc outside

Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static Internal_LAN Internal_LAN destination static Waddinxveen_HQ_Group Waddinxveen_HQ_Group no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface outside
Untranslate 10.200.153.29/80 to 10.200.153.29/80

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static Internal_LAN Internal_LAN destination static Waddinxveen_HQ_Group Waddinxveen_HQ_Group no-proxy-arp route-lookup
Additional Information:
Static translate 192.168.1.110/80 to 192.168.1.110/80

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source static Internal_LAN Internal_LAN destination static Waddinxveen_HQ_Group Waddinxveen_HQ_Group no-proxy-arp route-lookup
Additional Information:

Phase: 9
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 12274, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
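The branch trace above ends in "Action: allow" with both VPN phases (encrypt, ipsec-tunnel-flow) present, so on that side the flow matches the crypto map and goes into the tunnel; the trace that still needs reading is the one on the HQ ASA for the same flow arriving from the tunnel. The parser below is an added example, not code from the thread or from Cisco: it turns packet-tracer output into the handful of fields worth comparing side by side (verdict, egress interface, VPN phases, NAT statements hit, and the first phase that did not return ALLOW). BRANCH_TRACE is a trimmed copy of the trace posted above; HQ_DROP_TRACE is constructed to show what a denied flow looks like and is not output from the poster's HQ ASA (the WAN_PON next hop 10.0.0.1 in it is an assumption).

```python
from dataclasses import dataclass, field


@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: list = field(default_factory=list)  # lines under "Config:" (the ACL / NAT rule hit)


def parse_packet_tracer(text):
    """Parse ASA packet-tracer output into (phases, final); `final` is the closing
    'Result:' block (input/output-interface, Action, Drop-reason) as a dict."""
    phases, final, cur, section, in_final = [], {}, None, None, False
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if in_final:
            key, _, val = line.partition(":")
            final[key.strip().lower()] = val.strip()
        elif line.startswith("Phase:"):
            cur, section = Phase(int(line.split(":", 1)[1])), None
            phases.append(cur)
        elif line == "Result:":            # a bare 'Result:' opens the closing summary block
            in_final = True
        elif cur is None:
            continue                       # prompt / command echo before Phase 1
        elif line.startswith(("Type:", "Subtype:", "Result:")):
            key, _, val = line.partition(":")
            setattr(cur, key.lower(), val.strip())
            section = None
        elif line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = None                 # free text; not needed for the comparison
        elif section:
            getattr(cur, section).append(line)
    return phases, final


def first_drop(phases):  # earliest phase that did not return ALLOW: where to start reading
    return next((p for p in phases if p.result.upper() != "ALLOW"), None)


def summarize(text):
    """The fields worth comparing between the branch and HQ traces of the same flow."""
    phases, final = parse_packet_tracer(text)
    drop, nat = first_drop(phases), []
    for p in phases:
        if p.type in ("NAT", "UN-NAT"):
            nat += [c for c in p.config if c not in nat]
    return {
        "action": final.get("action"),
        "egress": final.get("output-interface"),
        "vpn": [p.subtype for p in phases if p.type == "VPN"],  # encrypt + ipsec-tunnel-flow = in the tunnel
        "nat": nat,                                              # distinct NAT statements matched
        "drop_phase": None if drop is None else (drop.number, drop.type, drop.subtype),
        "drop_reason": final.get("drop-reason"),
    }


# Trimmed copy of the branch-office trace posted above (phases 3 and 7 plus the verdict).
BRANCH_TRACE = """\
Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static Internal_LAN Internal_LAN destination static Waddinxveen_HQ_Group Waddinxveen_HQ_Group no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface outside

Phase: 7
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:

Result:
input-interface: inside
output-interface: outside
Action: allow
"""

# CONSTRUCTED illustration of a drop on the HQ side (not the poster's HQ ASA output; 10.0.0.1 is assumed).
HQ_DROP_TRACE = """\
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
output-interface: WAN_PON
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""
```

Feed it the HQ-side trace for the same flow (on the HQ ASA, traffic from the tunnel is traced as entering the outside interface, typically `packet-tracer input outside tcp 192.168.1.110 80 10.200.153.29 80`) and compare the two summaries: if the branch side shows the VPN phases and the HQ side ends in a drop, `drop_phase` names the first phase to look at (an ACCESS-LIST phase points at the interface ACL, a NAT rpf-check phase at the NAT exemption, a VPN phase at the crypto ACL), and `egress` confirms whether the HQ route lookup actually sends 10.0.0.0/8 out WAN_PON.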
