cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1045
Views
0
Helpful
1
Replies
muranskycotech
Beginner

VPN Tunnel Issue -- 881W and ASA5505

Greetings!

I seem to have an issue with access across subnets over my VPN when using an ASA 5505 at my corporate office and an 881W router at my remote office.

Here's the scenario...

At my home office, I have an ASA 5505 with VLAN 1 on a 172.24.0.0/16 subnet (wired), VLAN 110 172.25.0.0/16 subnet (wireless), and a VLAN 100 10.1.0.0/16 subnet (voice). These have access to each other, and it works fine. I have other remote offices with ASA 5505's that are on 172.2x.0.0/16 subnets, and they site-to-site VPN back to the home office. Everything is accessible to all subnets, and it works great with no issues.

I am in the process of rolling out 881W routers at smaller field offices, and they are each configured with VLAN 1 on 10.10.x.0/24 subnets. This is setup for a site-to-site VPN back to the home office, and it is supposed to have access to 172.24.0.0/16, 172.25.0.0/16, 10.1.0.0/16 subnets only (home office network only). I set this up on the ASA side with no issue... at least, I think so, since it's exactly the same as my other connections except without the additional subnets for remote offices.

However, I think I'm missing something in the 881W side of the configuration, because (being new to the devices) this is where the issue comes in...

The 881W and ASA 5505 establish their VPN tunnel successfully. From the 881, I can successfully ping all three subnets back home, and I can successfully NOT ping the other remote offices, so success-- that seems great. Unfortunately, from the home office, I can only ping the remote site's subnet from my VOICE subnet and not my wired or wireless subnets... UNLESS I first ping from remote to home first. Then I can successfully ping home to remote for a short period.

There is a phone on the remote side that connects back home, which I assume is why I can continually ping back from that home subnet. Since nothing there is "opening the door" to my wired and wireless subnets, I assume that's why I can't ping back from home to remote.

SO, after a very long-winded setup, the question I have is... why is it like this, and how do I "hold the door open" for my home subnets to access the remote subnet?

I'm attaching the configuration file for the 881W in hopes that it will help someone enlighten me.

--Aaron

1 REPLY 1
muranskycotech
Beginner

I was able to solve this with assistance from TAC:

IOS 15.1

ip sla 1

  icmp-echo 172.24.10.40 source-interface Vlan 1

  frequency 500

ip sla schedule 1 life forever start-time now

IOS 12.4

ip sla monitor 1

  type echo protocol ipIcmpEcho 172.24.10.40 source-interface Vlan 1

ip sla monitor schedule 1 life forever start-time now