Access remote LAN passing through VPN with ASA in the middle

h.estigarribia
Level 1

Greetings, I have the following scenario: FW1 -> ASA1 -> ASA2

ASA1 has a working IPsec VPN with ASA2; I can access the remote LANs with no problem.

FW1 also has a working VPN with ASA1, and I can access those LANs without issues.

When, from a client located behind FW1, I try to access a device on the LAN behind ASA2, I see the packets in the ASDM syslog, but with messages like:

6|Mar 16 2016|15:00:12|106015|192.168.2.6|22|10.9.2.2|44960|Deny TCP (no connection) from 192.168.2.6/22 to 10.9.2.2/44960 flags SYN ACK  on interface VPN
6|Mar 16 2016|15:00:12|302013|10.9.2.2|44960|192.168.2.6|22|Built inbound TCP connection 15475256 for VPN:10.9.2.2/44960 (10.9.2.2/44960) to inside:192.168.2.6/22 (192.168.2.6/22)

10.9.2.0/24 is the LAN behind FW1

192.168.2.0/24 is the LAN behind ASA2

I have looked into asymmetrical routing but cannot confirm that this is the issue. I was wondering if someone could tell me the best configuration for this scenario?

Using show conn from ASA1 I see this:

TCP outside 192.168.2.6:22 vpn 10.9.2.2:44966, idle 0:00:17, bytes 0, flags saA

and from ASA2 this:

TCP VPN 10.9.2.2:44968 inside 192.168.2.6:22, idle 0:00:07, bytes 0, flags aB

TCP VPN 10.9.2.2:44968 inside 192.168.2.6:22, idle 0:00:25, bytes 0, flags SaAB


Richard Burts
Hall of Fame

If I am correct in understanding your description then I believe that on the VPN between ASA1 and ASA2 you need to add the traffic from FW1 to the interesting traffic to be carried through the VPN. And on the VPN between FW1 and ASA1 you need to add the traffic from ASA2.

Depending on the topology and how the devices are connected you might also need to configure same security level access permission especially on ASA1.

HTH

Rick

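Below is an added configuration example (not the original poster's config and not Rick's) that puts his two points into ASA CLI form: the FW1 LAN has to be added to the crypto ACL of the ASA1-ASA2 tunnel on both ends, the ASA2 LAN has to be added to the crypto ACL of the FW1-ASA1 tunnel, the transit traffic needs an identity NAT so it is not translated between the two tunnel interfaces, and ASA1 needs same-security-traffic permission if its two tunnel interfaces share a security level (or if both tunnels terminate on one interface). The interface names "outside" and "vpn" on ASA1 and "inside" and "VPN" on ASA2 are taken from the show conn and syslog output in the question; the object names, ACL names and the 8.3+ NAT syntax are assumptions, and the FW1 side (a non-ASA box) is not shown.

```cisco
! ---- ASA1 (the device in the middle; both tunnels terminate here) ----
! Assumed: interface "outside" carries the tunnel to ASA2, interface "vpn"
! carries the tunnel to FW1 (names from the show conn output in the post).

object network LAN_FW1
 subnet 10.9.2.0 255.255.255.0
object network LAN_ASA2
 subnet 192.168.2.0 255.255.255.0

! Crypto ACL of the ASA1<->ASA2 tunnel (assumed name VPN_TO_ASA2): add the
! FW1 LAN as a source so 10.9.2.0/24 -> 192.168.2.0/24 becomes interesting
! traffic and is sent into the tunnel instead of being routed in the clear.
access-list VPN_TO_ASA2 extended permit ip 10.9.2.0 255.255.255.0 192.168.2.0 255.255.255.0

! Crypto ACL of the FW1<->ASA1 tunnel (assumed name VPN_TO_FW1): add the
! ASA2 LAN as a destination so the return traffic is carried back to FW1.
access-list VPN_TO_FW1 extended permit ip 192.168.2.0 255.255.255.0 10.9.2.0 255.255.255.0

! Identity (twice) NAT between the two tunnel interfaces so the transit
! flow keeps its real addresses and matches the crypto ACLs above.
nat (vpn,outside) source static LAN_FW1 LAN_FW1 destination static LAN_ASA2 LAN_ASA2 no-proxy-arp route-lookup

! Permit traffic to enter and leave interfaces of equal security level.
! inter-interface: the two tunnels use two interfaces with the same level.
! intra-interface: both tunnels terminate on one interface (hairpin case).
! Apply the one that matches the actual topology.
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

! ---- ASA2 (remote end) ----
! Assumed: interface "VPN" carries the tunnel to ASA1 (name from the
! syslog in the post). The crypto ACL must mirror ASA1's entry exactly.
object network LAN_FW1
 subnet 10.9.2.0 255.255.255.0
object network LAN_ASA2
 subnet 192.168.2.0 255.255.255.0
access-list VPN_TO_ASA1 extended permit ip 192.168.2.0 255.255.255.0 10.9.2.0 255.255.255.0
nat (inside,VPN) source static LAN_ASA2 LAN_ASA2 destination static LAN_FW1 LAN_FW1 no-proxy-arp route-lookup
```

To check the result on ASA1 without sending real traffic, run packet-tracer for the flow from the syslog, for example "packet-tracer input vpn tcp 10.9.2.2 44960 192.168.2.6 22"; the output shows whether the packet hits the NAT rule, is accepted by same-security-traffic, and is encrypted by the VPN phase rather than dropped. A "Deny TCP (no connection)" for the SYN ACK, as in the question, is the symptom to watch for: it means the reply is arriving on a path the ASA has no connection entry for, and the trace should show the forward and reverse flows now taking the same pair of interfaces.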