01-28-2015 09:43 AM - edited 03-12-2019 06:07 PM
I've read through dozens of posts and so far have had no luck getting any of the suggestions to work - combined with many of these posts being multiple years old...so I'm going to try posting something current and see if I get anywhere.
Scenario:
Site A - Cisco ASA 5510 running 8.4(4)1 with two interface connections to a Cisco ME 6500 (which I do not manage), one for internet and one for a MPLS connection.
Site B – connecting to an unknown switch which is connected to the MPLS network.
Site C – Cisco ASA 5505 running 7.2(3) with one connection to an unknown switch (which I do not manage) for internet access.
Site A to Site B traffic flows between the two without issue.
Site A to Site C is a site-to-site VPN connection. Traffic flows between the two without issue.
The main issue I’m having is that Site B cannot talk to Site C and vice versa. Also my client VPN connections to Site A cannot get to Site B or Site C.
My first question is: is this even possible? (I sure expected it to be.) And if so, what the heck am I doing wrong???
I’ve included a config from Site A which is where I’m guessing the problem is. Any insight is appreciated.
01-28-2015 01:54 PM
Hi Jon
The changes needed at Site A are below.
object network inside-network
subnet your-subnet belonging to Site B.
Add a static route on the ASA at Site A to push Site B's subnet to the inside next-hop address.
Changes at Site C:
Permit Site B's subnet to be traversable via Site A, as if Site B were located at Site A.
At Site C, allow the VPN-pool range located at A to be traversable via the tunnel between Sites A and C.
Add a static route on Site C to push the Site B subnet and Site A's VPN-pool range to its local default-gateway address, so that it will be caught by the crypto engine for tunnel encryption.
---------------------------------------
Site A:
nat (outside,outside) source static VPN-pool VPN-pool destination static SiteC-network SiteC-network
Thanks
Rizwan Rafeek.
01-28-2015 04:33 PM
object network inside-network
subnet your-subnet belonging to Site B.
I'm not following what you mean by that.
Add a static route on the ASA at Site A to push Site B's subnet to the inside next-hop address.
I may be misunderstanding, but isn't that what this is: "route MPLS 10.17.0.0 255.255.0.0 10.17.250.2 1". If this wasn't in place traffic would not be flowing between Site A and Site B currently.
Permit Site B's subnet to be traversable via Site A, as if Site B were located at Site A.
At Site C, allow the VPN-pool range located at A to be traversable via the tunnel between Sites A and C.
You completely lost me there :)
Add a static route on Site C to push the Site B subnet and Site A's VPN-pool range to its local default-gateway address, so that it will be caught by the crypto engine for tunnel encryption.
I think I understand this and have tried many variations of it to no avail. Should the route be applied to the inside or the outside interface? I've tried both.
01-29-2015 01:48 PM
"I'm not following what you mean by that."
Your Sites "A" and "B" are connected through the MPLS cloud and not through a VPN connection, right? I assume that your Site "B" cannot communicate with Site "C", therefore you must permit Site B's subnet traffic to transit between Site "A" and Site "C", i.e. Site B should have access to "C", right?
"I may be misunderstanding, but isn't that what this is: "route MPLS 10.17.0.0 255.255.0.0 10.17.250.2 1"."
Great, the 10.17.0.0/16 route is meant for Site "B"; that is fine, you wouldn't need an additional one.
"You completely lost me there :)"
I presume that your Sites "B" and "C" do not have a direct MPLS connection, therefore Site "A" becomes a transit path for Sites "B" and "C". You allow Site B's transit through the VPN tunnel between Sites "A" and "C". Your Site "C" assumes that the subnet belonging to Site "B" is directly connected at Site "A", but in reality it connects via the MPLS cloud. One last thing is that a route is needed at Site B to push Site C's traffic to Site "A"; a static route would do that.
As you would permit Site B's traffic to pass through the VPN tunnel between Sites "A" and "C", in other words your "A" becomes a hub for traffic flowing between Sites "B" and "C".
"Should the route be applied to the inside or the outside interface?"
Outside. Your tunnel terminates on the outside interface, right? If so, then it must point to the outside default-gateway address.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
object network SiteB-network
subnet 10.17.2.0 255.255.255.0
This would allow you to access the Site C subnet when you remote in to Site A.
nat (outside,outside) source static VPN-pool VPN-pool destination static SiteC-network SiteC-network
This is to allow Site B to access the Site C subnet via the tunnel between Sites A and C.
nat (MPLS,outside) source static SiteB-network SiteB-network destination static SiteC-network SiteC-network
object network inside-network
subnet 192.168.1.0 255.255.255.0
nat (inside,outside) source static inside-network inside-network destination static SiteC-network SiteC-network
access-list outside_cryptomap extended permit ip object inside-network object SiteC-network
This is to allow Site B to access the Site C subnet via the tunnel between Sites A and C.
access-list outside_cryptomap extended permit ip object SiteB-network object SiteC-network
Thanks
Rizwan Rafeek
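Pulling the thread's advice together into one hub-and-spoke configuration, as an added example (not Jon's or Rizwan's own config): the 192.168.1.0/24, 10.17.2.0/24 and MPLS route values come from the thread, while the SiteC-network and VPN-pool addresses, the Site C ACL names and the Site C gateway placeholder are assumed. It also adds `same-security-traffic permit intra-interface`, which the thread does not mention but which the ASA requires before VPN-client traffic can enter and leave the same "outside" interface.

```cisco
! ===== Site A (ASA 5510, 8.4 syntax) - the hub =====
! Required for hairpinning: VPN-client traffic arrives on and leaves via "outside"
same-security-traffic permit intra-interface
object network inside-network
 subnet 192.168.1.0 255.255.255.0
object network SiteB-network
 subnet 10.17.2.0 255.255.255.0
! ASSUMED address for the Site C LAN
object network SiteC-network
 subnet 192.168.3.0 255.255.255.0
! ASSUMED address for the remote-access VPN pool
object network VPN-pool
 subnet 192.168.100.0 255.255.255.0
! Identity NAT: transit traffic must not be translated before it reaches the crypto map
nat (inside,outside) source static inside-network inside-network destination static SiteC-network SiteC-network
nat (MPLS,outside) source static SiteB-network SiteB-network destination static SiteC-network SiteC-network
nat (outside,outside) source static VPN-pool VPN-pool destination static SiteC-network SiteC-network
! Crypto ACL: every source the hub relays must be a Phase 2 selector, mirrored at Site C
access-list outside_cryptomap extended permit ip object inside-network object SiteC-network
access-list outside_cryptomap extended permit ip object SiteB-network object SiteC-network
access-list outside_cryptomap extended permit ip object VPN-pool object SiteC-network
! Existing route to Site B across the MPLS cloud
route MPLS 10.17.0.0 255.255.0.0 10.17.250.2 1

! ===== Site C (ASA 5505, 7.2 syntax) - the spoke =====
! Mirror image of the hub's selectors (ACL name ASSUMED)
access-list outside_cryptomap extended permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_cryptomap extended permit ip 192.168.3.0 255.255.255.0 10.17.2.0 255.255.255.0
access-list outside_cryptomap extended permit ip 192.168.3.0 255.255.255.0 192.168.100.0 255.255.255.0
! Pre-8.3 NAT exemption for the same pairs (ACL name ASSUMED)
access-list inside_nat0_outbound extended permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.3.0 255.255.255.0 10.17.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.3.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
! Point Site B and the VPN pool at the outside gateway so the crypto map catches them
route outside 10.17.2.0 255.255.255.0 <SITE-C-OUTSIDE-GATEWAY> 1
route outside 192.168.100.0 255.255.255.0 <SITE-C-OUTSIDE-GATEWAY> 1
```

On the hub, `packet-tracer input MPLS tcp 10.17.2.10 12345 192.168.3.10 443` walks a Site B to Site C flow through the NAT and VPN phases and shows which rule drops it if the hairpin still fails.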