10-17-2009 11:31 AM - edited 03-11-2019 09:27 AM
Hey folks,
I set up my first site-to-site VPN and to my surprise it worked!!!!!
I have a question regarding access to another network at the remote site.
Here is the scenario:
192.168.1.1 is the inside local LAN address.
I carved out vlan 5 (Escrow) which is 192.168.5.1. I can access all local resources on the 1.1 network but not the 5.1 resources.
I created the following configurations on ASA1
ASA1
access-list VPN-TO-ASA2 extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list VPN-TO-ASA2 extended permit ip 192.168.0.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list NONAT extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list NONAT extended permit ip 192.168.0.0 255.255.255.0 192.168.5.0 255.255.255.0
nat (inside) 0 access-list NONAT
Here is the ASA at my work:
ASA2
access-list VPN-TO-ASA1 extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list VPN-TO-ASA1 extended permit ip 192.168.5.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list Escrow_nat0_outbound extended permit ip any 192.168.0.0 255.255.255.0
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list NONAT extended permit ip 192.168.5.0 255.255.255.0 192.168.0.0 255.255.255.0
nat (inside) 0 access-list NONAT
nat (Escrow) 0 access-list Escrow_nat0_outbound
From home I can ping the 1.1 network and RDP to machines on that network.
I cannot however ping the 5.1 network or access any of the desktops.
What did I miss, can I not access that network using site to site?
BTW, I am able to use my vpn client and access all the resources just fine.
What am I missing?
10-18-2009 10:55 AM
Your encryption domain & nat traffic look OK. Check your routing, dynamic & static.
Check the routing for the 5.x network, from your remote VPN also needs to have 5.x in the encryption list.
HTH
10-18-2009 11:12 AM
I believe you need to remove this line:
access-list NONAT extended permit ip 192.168.5.0 255.255.255.0 192.168.0.0 255.255.255.0
Since NONAT is used for NAT exemption on the inside interface, but 5.0 is not on the inside, if I understood correctly.
hth
Herbert
10-19-2009 05:53 AM
Thanks! Are you saying that I should NAT the 5 network? Technically the 5 network is inside, I just carved out a VLAN for it. No?
10-19-2009 05:57 AM
I personally think you should NOT nat the .5.x network.
If the .5.x network is at the same site as the .1.x network, then NO NAT is required.
What you need to check is the ASA that connects to the .5 network knows how to route to it, and the remote end ASA needs to know the 5.x network is at the end of the VPN.
10-19-2009 06:10 AM
Yeah, I agree about no NAT on the 5 network. I'll check the route on the remote ASA. I don't think it knows about the 5 network.
Thanks!
10-19-2009 06:07 AM
No I did not mean to imply that you should NAT the 5 network. I assume the 5 network is on the "Escrow" interface, not the "inside" interface, since you have:
access-list Escrow_nat0_outbound extended permit ip any 192.168.0.0 255.255.255.0
nat (Escrow) 0 access-list Escrow_nat0_outbound
So these 2 lines above already define NAT exemption for anything on the Escrow interface (which I assumed includes the 5 network) to the 0 network.
But your description is somewhat confusing, and seeing only parts of the config doesn't help to make it any clearer :) so maybe I misunderstood.
If so, can you clarify what you mean with "carved out", how did you configure network 5?
Can you post your complete config? Or at least "show ip" & "show route"?
Herbert
10-22-2009 06:31 PM
Thanks for your patience. I was on a job this week and did not have Internet access.
Here is the sho ip and sho route from both ASAs.
ASA1
System IP Addresses:
Interface Name IP address Subnet mask Method
Vlan1 inside 192.168.0.1 255.255.255.0 CONFIG
Vlan2 outside 192.168.1.2 255.255.255.0 CONFIG
Current IP Addresses:
Interface Name IP address Subnet mask Method
Vlan1 inside 192.168.0.1 255.255.255.0 CONFIG
Vlan2 outside 192.168.1.2 255.255.255.0 CONFIG
Gateway of last resort is 192.168.1.1 to network 0.0.0.0
C 127.1.0.0 255.255.0.0 is directly connected, _internal_loopback
C 192.168.0.0 255.255.255.0 is directly connected, inside
C 192.168.1.0 255.255.255.0 is directly connected, outside
S* 0.0.0.0 0.0.0.0 [1/0] via 192.168.1.1, outside
S 192.168.0.0 255.255.0.0 [1/0] via 192.168.0.1, inside
S 0.0.0.0 0.0.0.0 [255/0] via 192.168.0.1, inside tunneled
ASA2
System IP Addresses:
Interface Name IP address Subnet mask Method
Vlan1 inside 192.168.1.1 255.255.255.0 CONFIG
Vlan2 outside 206.170.95.215 255.255.255.240 CONFIG
Vlan5 Escrow 192.168.5.1 255.255.255.0 CONFIG
Vlan10 Mortgage 192.168.10.1 255.255.255.0 CONFIG
Vlan15 MCA 192.168.15.1 255.255.255.0 CONFIG
Vlan20 Staff 192.168.20.1 255.255.255.0 CONFIG
Vlan30 Prop_Mgmt 192.168.40.1 255.255.255.0 CONFIG
Current IP Addresses:
Interface Name IP address Subnet mask Method
Vlan1 inside 192.168.1.1 255.255.255.0 CONFIG
Vlan2 outside 206.170.95.215 255.255.255.240 CONFIG
Vlan5 Escrow 192.168.5.1 255.255.255.0 CONFIG
Vlan10 Mortgage 192.168.10.1 255.255.255.0 CONFIG
Vlan15 MCA 192.168.15.1 255.255.255.0 CONFIG
Vlan20 Staff 192.168.20.1 255.255.255.0 CONFIG
Vlan30 Prop_Mgmt 192.168.40.1 255.255.255.0 CONFIG
Gateway of last resort is 206.170.95.209 to network 0.0.0.0
C 192.168.15.0 255.255.255.0 is directly connected, MCA
C 192.168.10.0 255.255.255.0 is directly connected, Mortgage
C 192.168.40.0 255.255.255.0 is directly connected, Prop_Mgmt
C 206.170.95.208 255.255.255.240 is directly connected, outside
C 127.1.0.0 255.255.0.0 is directly connected, _internal_loopback
C 192.168.20.0 255.255.255.0 is directly connected, Staff
C 192.168.5.0 255.255.255.0 is directly connected, Escrow
C 192.168.1.0 255.255.255.0 is directly connected, inside
S* 0.0.0.0 0.0.0.0 [1/0] via 206.170.95.209, outside
S 192.168.0.0 255.255.0.0 [1/0] via 192.168.1.1, inside
Sorry for using the term carved out. I simply meant, I created a vlan on the ASA for the 5 network.
Thanks again for looking at this and helping me out.
10-23-2009 12:56 AM
The potential issue is on ASA1 - you have the below routes:
C 192.168.0.0 255.255.255.0 is directly connected, inside
C 192.168.1.0 255.255.255.0 is directly connected, outside
S 192.168.0.0 255.255.0.0 [1/0] via 192.168.0.1, inside
It does not know where 192.168.5.0 is because you have a less specific
S 192.168.0.0 255.255.0.0 [1/0] via 192.168.0.1, inside
ADD
route outside 192.168.5.0 255.255.255.0 192.168.1.2
10-23-2009 05:51 AM
Wow! Thanks! That worked!! I thought I had the route covered with:
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
Thanks again!
10-23-2009 06:16 AM
np - glad to help.
No, that route covers all OTHER traffic. You had 192.168.0.0 255.255.0.0 to the inside.
The 192.168.5.0 255.255.255.0 is covered by 192.168.0.0 255.255.0.0 as this is more specific than 0.0.0.0.
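The longest-prefix-match behaviour Andrew describes above, as an added Python example that is not from the thread or from Cisco: the route entries are constructed from the ASA1 "show route" output posted earlier (the tunneled default and loopback are left out), and the lookup shows why 192.168.5.x traffic was sent to the inside interface until the /24 static route was added.

```python
import ipaddress

# Constructed from the ASA1 "show route" output quoted in the thread:
# (route code, "network/mask", egress interface).
ASA1_ROUTES_BEFORE = [
    ("C", "192.168.0.0/255.255.255.0", "inside"),
    ("C", "192.168.1.0/255.255.255.0", "outside"),
    ("S*", "0.0.0.0/0.0.0.0", "outside"),
    ("S", "192.168.0.0/255.255.0.0", "inside"),
]

# The same table after the accepted fix:
#   route outside 192.168.5.0 255.255.255.0 192.168.1.2
ASA1_ROUTES_AFTER = ASA1_ROUTES_BEFORE + [
    ("S", "192.168.5.0/255.255.255.0", "outside"),
]


def parse_routes(routes):
    """Turn (code, "net/mask", iface) tuples into (ip_network, iface) pairs."""
    return [(ipaddress.ip_network(net, strict=False), iface)
            for _, net, iface in routes]


def lookup(routes, dst):
    """Longest-prefix match: the most specific route that contains dst wins,
    regardless of the order the table happens to be printed in.
    Returns ("network/prefixlen", iface) or None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, iface in parse_routes(routes):
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return None if best is None else (str(best[0]), best[1])


if __name__ == "__main__":
    host = "192.168.5.10"  # a desktop on the Escrow VLAN at the work site
    print("before fix:", lookup(ASA1_ROUTES_BEFORE, host))  # /16 wins -> inside
    print("after fix: ", lookup(ASA1_ROUTES_AFTER, host))   # /24 wins -> outside
    print("internet:  ", lookup(ASA1_ROUTES_BEFORE, "8.8.8.8"))  # default route
```

The /16 static route is more specific than the 0.0.0.0 default, so before the fix the ASA never even considered the outside interface for the 5.x network; the added /24 is more specific still and overrides the /16.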
10-23-2009 06:44 AM
That makes sense! Thanks again Andrew.