07-29-2016 06:14 AM
Perhaps one of you can help me with the following challenge.
I'm setting up a site-to-site VPN, and the router at SiteB says 'connected'. But I cannot connect PCs from SiteB to SiteA or vice versa.
Both sites have a cable modem in bridge/transparent mode and a switch between the router and the PCs.
Like so:
PC-A > SF200-48 Switch > 5525-x ASA 9.1 Routers > Cable modem > INTERNET > Cable modem > RV130W > Cisco 3550 switch > PC-B
I've configured a site-to-site VPN on SiteA (ASA) with the setup wizard in the ASDM GUI tool, following the official video walk-through: https://supportforums.cisco.com/videos/5933.
(With the 'Exempt ASA side host/network from address translation' enabled at the last step, because I don't want my NAT to block my VPN access)
SiteA uses the 172.16.x.x range for the VLANs.
SiteA has multiple VLANs configured, while SiteB has not.
SiteA has a long list of NAT-rules and access-rules for remote access and some servers. (Already configured before starting with the VPN.)
The RV130W at SiteB has no console access, so I've configured a VPN to connect to SiteA via the somewhat limited web interface.
SiteB has the IP range of 192.168.1.x.
After a while it said 'connected'. When I tried to ping a LAN IP address of a server at SiteA, I got no response.
I've also tried pinging from SiteA to LAN IPs at SiteB, with no success.
In the ASA with ASDM, I've added a 'permit icmp from any to any' rule. But still no pings from the internal LAN at SiteA to B.
When I ping from 172.16.6.4 (SiteA) to 192.168.1.1 (The router at SiteB, INSIDE interface), I get:
"Reply from 192.168.1.1: Destination host unreachable." But most pings still time out with no reply at all. (So the router says that it cannot talk...?)
My ultimate goal is to connect the PCs at SiteB to the domain controller at SiteA.
And be able to remotely manage the SiteB network/PCs from SiteA. (Like with GPOs, wake on LAN, etc.)
People working at SiteB need to be able to reach some internal webservers located at SiteA.
When this is working, I'm going to do the same to connect SiteC, which has a Cisco 870 ADSL modem/router.
I took a look at VTI (https://supportforums.cisco.com/blog/149426/advantages-vti-configuration-ipsec-tunnels), but I don't think the RV130W supports this.
Oh yeah, each site has its own VoIP running. I suppose that won't be a problem?