Beginner

Help!! ASA 5505 VPN to VPN traffic.....

I have an ASA 5505 (v8.2) at a site we'll call HQ, and another ASA 5505 at a site we'll call Colo. The 2 sites are successfully connected via an IPSec Site to Site VPN. I also have remote users successfully connecting to site HQ via IPSec Remote Access VPN (using Cisco client).

My issue:  I need to allow remote users connecting to HQ access to Colo through the existing Site to Site VPN.

Attached are my configs.  What am I missing?  Are my NAT statements incorrect?  Access Lists ?  As you can see, I've already done:

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface


Help!! ASA 5505 VPN to VPN traffic.....

Your config looks good. Try adding the below command on HQ. Also post the logs from your HQ ASA.

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route

With Regards,

Safwan

Beginner

Help!! ASA 5505 VPN to VPN traffic.....

Hi Safwan,

I tried that command on HQ, but still nothing. Any other thoughts? What is the best way to capture the logs for this issue?

Beginner

Help!! ASA 5505 VPN to VPN traffic.....

Just run the logs. What I suspect is the issue is that there is no translation rule configured for the VPN pool from the outside interface to the outside interface, and hence the traffic is dropping.

Just check the log having source 10.10.11.x to your Colo network. If it says no translation found, try adding

static (outside,outside) 10.10.11.0 10.10.11.0 netmask 255.255.255.0

Logging may be enabled by

logging enable

logging level 7

and then try to generate traffic from your client towards Colo.

To stop, do:

un all

Beginner

Re: Help!! ASA 5505 VPN to VPN traffic.....

Hi Nitin, I tried adding that command as well, but no luck. Here is a debugging log from when I attempted to ping from the VPN client (10.10.11.0) to Colo (172.16.16.0):

-------------------------------------

Beginner

Re: Help!! ASA 5505 VPN to VPN traffic.....

I see a mismatch in the crypto ACL:

On HQ:

access-list outside_1_cryptomap extended permit ip 10.10.10.0 255.255.255.0 Colospace_Network_172.16.16.0 255.255.255.0

access-list outside_1_cryptomap extended permit ip Colospace_Network_172.16.16.0 255.255.255.0 10.10.11.0 255.255.255.0

access-list outside_1_cryptomap extended permit ip 10.10.11.0 255.255.255.0 Colospace_Network_172.16.16.0 255.255.255.0

There is no need for the second line

access-list outside_1_cryptomap extended permit ip Colospace_Network_172.16.16.0 255.255.255.0 10.10.11.0 255.255.255.0

as the Colospace network is remote, not local.

Beginner

Help!! ASA 5505 VPN to VPN traffic.....

Thanks for your help! I had to grapple with a split-DNS issue, but it's up and running. Thanks!

Re: Help!! ASA 5505 VPN to VPN traffic.....

Clear the crypto tunnel using the below commands, because whatever change you are making is not applied until you re-initiate the tunnel.

clear crypto isakmp sa

clear crypto ipsec sa

Note: do it for both HQ and Colo.

With Regards,

Safwan
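Pulling the thread's pieces together (Nitin's identity NAT and crypto ACL fix, Safwan's SA clear), here is an added 8.2-style example of what both sides end up looking like; it is not copied from the posters' configs. The Colo ACL names, the Colo NAT-exemption entry and the split-tunnel remark are assumptions, since the thread does not show the Colo side.

```text
! --- HQ ASA 5505 (8.2) ---
! Let traffic enter and leave the same interface (RA pool -> outside -> L2L tunnel)
same-security-traffic permit intra-interface
! Identity NAT so the hairpinned pool traffic has an outside->outside translation
static (outside,outside) 10.10.11.0 10.10.11.0 netmask 255.255.255.0
! Crypto ACL: only HQ-side networks (LAN and RA pool) as source, Colo as destination
access-list outside_1_cryptomap extended permit ip 10.10.10.0 255.255.255.0 Colospace_Network_172.16.16.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.10.11.0 255.255.255.0 Colospace_Network_172.16.16.0 255.255.255.0
! Remove the reversed line (remote network as source); its mirror belongs on Colo, not here
no access-list outside_1_cryptomap extended permit ip Colospace_Network_172.16.16.0 255.255.255.0 10.10.11.0 255.255.255.0
! Assumption: if the RA group policy uses split tunneling, its split-tunnel ACL must also list 172.16.16.0/24

! --- Colo ASA 5505 (8.2) --- (ACL names assumed; not shown in the thread)
! Mirror image of the HQ crypto ACL: Colo LAN as source, HQ LAN and RA pool as destination
access-list outside_1_cryptomap extended permit ip 172.16.16.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 172.16.16.0 255.255.255.0 10.10.11.0 255.255.255.0
! NAT exemption so Colo LAN -> RA pool is not translated before it enters the tunnel (assumed)
access-list inside_nat0_outbound extended permit ip 172.16.16.0 255.255.255.0 10.10.11.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound

! --- Both ASAs, after the edits --- (crypto ACL changes only take effect on a fresh SA)
clear crypto isakmp sa
clear crypto ipsec sa
```

After the tunnel re-establishes, `show crypto ipsec sa` on HQ should list a 10.10.11.0/24 to 172.16.16.0/24 SA pair alongside the existing LAN-to-LAN one.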

Beginner

Help!! ASA 5505 VPN to VPN traffic.....

Got it, Thanks!