Sorry for the redundant question; I have read the other posts but I need to get this straight before I proceed. I have 2 SA520 appliances with the latest firmware that I need to set up to do site-to-site VPN. SA520 #1 is at the main office and has a single subnet directly attached (192.168.100.x). There are also 2 additional subnets, .145.x and .212.x, that are indirectly connected to SA520 #1 via a separate router. Static routes are set on SA520 #1 and I can ping both of the indirectly connected subnets from the diagnostic interface.
There are also inbound firewall rules set on SA520 #1 that allow SMTP and HTTPS forwarding to servers on the directly-attached .100.x subnet.
SA520 #2 is at a remote office and has a single subnet attached to it (192.168.90.x). I need the computers that are on the .90.x subnet behind SA520 #2 to be able to reach all of the subnets that are behind SA520 #1 and vice-versa.
I saw a post from last year about setting multiple VPN policies, etc., so I tried that but I'm not sure if I did it correctly and I had some weird side effects. If I understood the post, I was supposed to set a VPN policy for each indirectly-connected subnet behind SA520 #1 on both SA's, and on SA520 #1 I was supposed to set the remote traffic to "ANY". Doing this did allow me to ping hosts on SA520 #1's subnets, but it also seems to cut off (or incorrectly route; not sure which yet) the inbound traffic (from the Internet) for SMTP and HTTPS that passes through SA520 #1. I could no longer access the KVM/IP or PDU via HTTPS, and test email messages from external domains were not being forwarded to the mail server. I did find references to the SMTP traffic in SA520 #1's log but the packets never made it to the server. Turning off the tunnels restored inbound functionality.
So, when you have multiple subnets behind an SA520, both directly connected and connected to a downstream router, what is the correct way to set policies, etc., so that access across the tunnel is there and inbound traffic from the Internet can still pass where appropriate (based on IPv4 inbound rules)?
Thanks in advance...
Could you send me the configuration files of your SA500s?
I don't quite understand why remote traffic is set to 'Any'.
I actually got this figured out - seems I was transposing parts of the settings. All works now but thanks anyway for the reply.
Actually, if I may, I have an almost identical issue and I can't get it to work. The only thing I think I am doing differently than you is that one of my routed networks is NATed. But overall I can't get it going. If you want me to start my own thread, please say so (but these are so close that I'm not sure if I should).
SA520#1 - 192.168.50.253
Local LAN 192.168.50.0
WAN - Internet
RVL200 - 192.168.50.254
WAN - 172.16.201.6
dedicated connection to remote site (172.16.2.0). All 192.168.50.0 traffic going over to 172.16.2.0 is NATed with the WAN address.
Notes: All is working at the HQ site. Static route in SA520 routes 172.16.2.0 traffic to 192.168.50.254.
All local computers can access SSL and Citrix apps just fine.
SA520#2 - 192.168.51.253
Local LAN 192.168.51.0
WAN - Internet
IPSEC VPN established between both SA's. Traffic to and from the 192.168.50.0 and 192.168.51.0 networks is fine.
Remote office computers can connect to servers at HQ, print, etc.
I did add 2 more VPN policies to both SA520's
Enabled allowToLocal None Auto Policy 192.168.50.0 / 255.255.255.0 192.168.51.0 / 255.255.255.0 SHA-1 3DES
Enabled allowToLocal2 None Auto Policy 172.16.201.0 / 255.255.255.252 192.168.51.0 / 255.255.255.0 SHA-1 3DES
Enabled allowToLocal3 None Auto Policy 172.16.2.0 / 255.255.254.0 192.168.51.0 / 255.255.255.0 SHA-1 3DES
Policies ALL match, every option except the local/remote LANs.
Enabled OutMain None Auto Policy 192.168.51.0 / 255.255.255.0 192.168.50.0 / 255.255.255.0 SHA-1 3DES
Enabled OutMain2 None Auto Policy 192.168.51.0 / 255.255.255.0 172.16.201.0 / 255.255.255.252 SHA-1 3DES
Enabled OutMain3 None Auto Policy 192.168.51.0 / 255.255.255.0 172.16.2.0 / 255.255.254.0 SHA-1 3DES
The IKE policy is identical for each VPN policy.
If I watch the VPN status, it shows 3 different VPN connections now. All "Established" except #2 was not, so I hit connect and it connected. All three show connection but only the primary shows a lot of packets transferred; the other 2 show almost none (even after many ping attempts). If I attempt to ping the WAN interface of the RVL200 router (172.16.201.6) I get nothing on packets or KB transferred over VPN. If I ping 172.16.2.14 I get packet and KB updates on the VPN tunnel for that network, but still no connections can be made over it.
?? Ideas ??
The remote site has no route technically to know to pass traffic destined to the 172.16 network to the other router at 192.168.50.254. It won't allow me to add one either since the "gateway" isn't on the local network.
The other issue I think I'm seeing is that traffic from the remote site is going out to HQ as the 192.168.51.0 network. I think the RVL is seeing traffic hit from that address (and it has a route statement telling it to pass back to SA520#1) but it isn't passing it off to the WAN. Not sure if the RVL is dropping it since it isn't part of its network or what (so it won't NAT it outbound to the WAN connection).
By default there already is a NAT rule in place. The RVL is set up as just a simple, basic router and it thinks the private connection behind it is like the "Internet". I just have a static rule on SA520#1 that says anything destined to 172.16.2.0 (255.255.254.0) is to be routed to 192.168.50.254. Locally that works fine and everything works.
It's the 192.168.51.0 traffic that comes across the VPN tunnel that I'm having an issue getting to route. I'm also not even sure what the RVL is doing when it gets a packet from a 192.168.51.x device and thinks it has to NAT it over its WAN connection. The logging is so caveman-like that I can't tell if it's dropping it or what. Not even sure it's getting to it.
Great, my boss just escalated this issue so now it has to be completed today (don't you love your boss too?).
I will probably have to call in to support.
Once again I'm told that it can't be done. I never even was given a ticket, so level 1 basically shot me down.
If anyone from Cisco Support reads this and understands what I'm doing let me know.
In the middle of all this, I did confirm a few things before I called support.
My tunnel traffic IS going over the tunnel and being forwarded to the RVL200.
Traffic from the SA520#1 network is passing to the RVL200 and being NATed to the destination network.
So, for example, 192.168.50.x passes through SA520#1, gets passed on to 192.168.50.254 (RVL) and then gets NATed out the WAN port as 172.16.201.6; the destination network sees me as a NAT address and all is happy.
Traffic from the SA520#2 network is passing through the IPsec tunnel as 192.168.51.x to SA520#1, which then passes it to the RVL, and then it is NOT getting NATed to the destination network (the destination then drops me because it sees me as 192.168.51.x). So in the example:
192.168.51.13 -> ipsec tunnel -> SA520#1 passes on to RVL at 192.168.50.254 and then passed out the WAN side 172.16.201.6 but destination network at other end sees me as 192.168.51.13 instead of the NAT address on the RVL.
Does this make any sense?
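The two observations above (SA520#2 refuses a static route whose gateway is not on its own subnet, and the RVL200 only translates traffic sourced from its own LAN) can be reproduced with a small model of the HQ path, which is useful for reasoning about candidate fixes before touching the devices. This is an added example, not code from the thread or from Cisco. Addresses, interfaces and the static route are the ones the poster gives; that the RVL200's source NAT rule matches only 192.168.50.0/24 is an assumption that models the behaviour the poster describes, and the "widened NAT" variant is one candidate fix, not something the thread confirms.

```python
# Added example (not from the thread): model SA520#1 + RVL200 and report the
# source address the 172.16.2.0/23 side would see for a given packet.
from ipaddress import ip_address, ip_interface, ip_network


class Router:
    def __init__(self, name, interfaces, routes, nat_rules=()):
        self.name = name
        # Directly connected interfaces, e.g. "192.168.50.253/24".
        self.interfaces = [ip_interface(i) for i in interfaces]
        # Static routes as (prefix, next hop); "wan" marks the dedicated link.
        self.routes = [(ip_network(p), gw) for p, gw in routes]
        # Source NAT rules: packets whose source is in `match` leave as `to`.
        self.nat_rules = [(ip_network(m), to) for m, to in nat_rules]

    def can_install_route(self, gateway):
        """A static route is only accepted if its gateway is on a connected subnet."""
        g = ip_address(gateway)
        return any(g in i.network for i in self.interfaces)

    def next_hop(self, dst):
        """Longest-prefix match over connected networks and static routes."""
        d = ip_address(dst)
        candidates = [(i.network, None) for i in self.interfaces] + self.routes
        hits = [c for c in candidates if d in c[0]]
        if not hits:
            return None
        return max(hits, key=lambda c: c[0].prefixlen)[1]

    def translate(self, src):
        """Apply the first matching source NAT rule, else pass the address through."""
        s = ip_address(src)
        for match, to in self.nat_rules:
            if s in match:
                return to
        return str(s)


def source_seen_at_destination(sa520_1, rvl200, src, dst):
    """Source the 172.16.2.0/23 side sees for a packet already delivered to SA520#1.

    Returns None if either router would not forward the packet toward the
    dedicated link at all (no usable route).
    """
    if sa520_1.next_hop(dst) != "192.168.50.254":   # SA520#1 must hand it to the RVL
        return None
    if rvl200.next_hop(dst) != "wan":               # RVL must send it out the WAN port
        return None
    return rvl200.translate(src)


def build_hq(nat_sources):
    """HQ routers as described in the thread; nat_sources = RVL NAT source matches."""
    sa520_1 = Router("SA520#1", ["192.168.50.253/24"],
                     routes=[("172.16.2.0/23", "192.168.50.254")])
    rvl200 = Router("RVL200", ["192.168.50.254/24", "172.16.201.6/30"],
                    routes=[("172.16.2.0/23", "wan")],
                    nat_rules=[(m, "172.16.201.6") for m in nat_sources])
    return sa520_1, rvl200


if __name__ == "__main__":
    # Assumed current state: the RVL only translates its own LAN.
    sa1, rvl = build_hq(["192.168.50.0/24"])
    print("HQ host:    ", source_seen_at_destination(sa1, rvl, "192.168.50.10", "172.16.2.14"))
    print("remote host:", source_seen_at_destination(sa1, rvl, "192.168.51.13", "172.16.2.14"))
    # Candidate fix: widen the RVL's NAT source match to include the remote LAN.
    sa1, rvl = build_hq(["192.168.50.0/24", "192.168.51.0/24"])
    print("remote host, widened NAT:",
          source_seen_at_destination(sa1, rvl, "192.168.51.13", "172.16.2.14"))
    # Why SA520#2 rejects a route via 192.168.50.254: it is not on 192.168.51.0/24.
    sa2 = Router("SA520#2", ["192.168.51.253/24"], routes=[])
    print("SA520#2 can route via 192.168.50.254:", sa2.can_install_route("192.168.50.254"))
```

The model reproduces the poster's trace: an HQ host arrives at the far end as 172.16.201.6, a remote-office host arrives as 192.168.51.13 and is dropped there as an unknown source. Whether the real fix is the widened NAT source match, a return route on the far side for 192.168.51.0/24, or something else depends on what the RVL200 and the far-end network actually allow, which is exactly what to confirm with support.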
Hi Eric -- Thanks for participating in the Small Business Support Community. Did you contact the Small Business Support Center? Were you able to resolve the issue?
Please let us know.
Cisco Small Business
Do you have a topology? If you can draw something up and call Small Business Support again I think you will get a better response. It is much easier to "see" what you are looking to do than to read or hear it. Give us some time to review your topology and possibly set it up in our lab and we can tell you how to set it up if it is in fact possible.
Yeah, I was trying to put together the topology on paper, but it's kind of confusing the way it's worded. If you provide a topology view of your network, we should be able to see if this configuration would work. A free tool you can use is
Going by the way it's worded, I don't think it's possible, but I could be getting your topology confused.
Cisco Support Engineer