Issues routing internal RA VPN network on ASA5505 across IPSec Tunnels

tcoreezpass
Level 1

I am creating a VPN network of 7 ASA5505s. One device is the central or hub device (attachment Main5505).

All ASA5505 devices are running version 7.2(4).

There will be site-to-site tunnels to 6 other 5505s across the internet.

Currently 4 of the 6 tunnels are migrated over and working fine in this basic scenario.

The local networks for the main 5505 are:

10.64.50.0 /24  and

10.64.51.0 /24

I have included the config of one of the remote ASA5505s (Remote5505).

This remote site has internal networks:

172.16.76.0 /24

172.16.77.0 /24

172.16.78.0 /24

172.16.79.0 /24

Currently traffic can be passed between the 10.64.50 and 10.64.51 nets and the remote 172.16.76 - 79 nets across the site-to-site IPSec tunnel. No issues there.

I have also created RA VPN access on the same main 5505.

RA VPN users get addressed as 10.64.53.X /24.

I get connected to the RA VPN and get a 10.64.53.X address. I can also see and get to other 10.64.50 and 10.64.51 devices that reside at the main site. The local networks of the ASA that the RA VPN net resides on are OK.

My main issue is getting the RA VPN net of 10.64.53.0 /24 (that is defined locally on the 5505) to route across the site-to-site tunnels in the same way that 10.64.50 and 10.64.51 do.

I cannot get from the 10.64.53.X net to the 172.16.76.X net, while 10.64.50 and 10.64.51 are OK. Since the 10.64.53 RA net resides on the ASA, it should not have to go anywhere else but the ASA itself to route across the tunnels. Essentially it needs to route back out the interface it came in on. Is this possible, and if so, what statements are needed?

Both configs are included. The main site config gets very long, but most of it is just cookie-cutter statements for all 6 remote sites.

Can anyone offer any suggestions? When looking at the main VPN system options in the GUI, I have the check box checked for: Enable inbound IPSec sessions to bypass internal ACLs.

Thanks

2 Replies

tcoreezpass
Level 1

I just added the:

same-security-traffic permit intra-interface

but still no go. I thought for sure that is what I needed. What else is needed to route your RA VPN in on your outside interface and then back out through the outside interface to get to the site-to-site tunnels?

Well, despite the hack job that the ASDM does to a VPN config, the hairpinning looks to be correct from what I can see.

However, on the remote ASA I did notice that the RA network was not defined within the 'inside_access_in' ACL. I only saw these two lines:

access-list inside_access_in extended permit ip any 10.64.50.0 255.255.255.0
access-list inside_access_in extended permit ip any 10.64.51.0 255.255.255.0

Perhaps the traffic from the RA client is getting there, but isn't allowed back through? Have you done any kind of packet capture or packet-tracer to see what's going on?

Plus, 'same-security-traffic permit intra-interface' will be needed on the MAIN ASA as well.
James
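The configuration below is an added example, not taken from either attached config or written by the thread participants. It pulls together, in ASA 7.2 syntax, the pieces that have to line up for the hub-resident RA pool (10.64.53.0/24) to hairpin out of the outside interface into an existing site-to-site tunnel: the intra-interface permit the first reply added, the spoke-side inside ACL entry the second reply found missing, plus the crypto ACL and NAT-exemption entries on both ends that must name the RA pool as well as the two hub LANs. The ACL names (outside_cryptomap_remote1, outside_nat0_outbound, inside_nat0_outbound), the pool name, and the peer address are assumptions; the addresses are the ones given in the question, with 172.16.76.0 - 79.0 summarised as 172.16.76.0/22. The verification commands at the end are what the second reply asked about; `packet-tracer` and `show crypto ipsec sa` exist in 7.2.

```cisco
! ===== Hub ASA5505 (Main5505), ASA 7.2(4) -- added example, names assumed =====

! Allow traffic to enter and leave the same interface (RA client -> outside -> tunnel)
same-security-traffic permit intra-interface

! RA VPN address pool from the question (pool name assumed)
ip local pool RAPOOL 10.64.53.1-10.64.53.254 mask 255.255.255.0

! Crypto ACL for the tunnel to Remote5505: the RA pool must appear as a source,
! exactly like the two hub LANs, or the hairpinned packets never match the tunnel.
access-list outside_cryptomap_remote1 extended permit ip 10.64.50.0 255.255.255.0 172.16.76.0 255.255.252.0
access-list outside_cryptomap_remote1 extended permit ip 10.64.51.0 255.255.255.0 172.16.76.0 255.255.252.0
access-list outside_cryptomap_remote1 extended permit ip 10.64.53.0 255.255.255.0 172.16.76.0 255.255.252.0

! NAT exemption for the hairpinned flow. Because the RA traffic arrives on and
! leaves through outside, the exemption is bound to the outside interface.
access-list outside_nat0_outbound extended permit ip 10.64.53.0 255.255.255.0 172.16.76.0 255.255.252.0
nat (outside) 0 access-list outside_nat0_outbound

! Caveat: if the RA group-policy uses split tunnelling, its split-tunnel ACL must
! also list 172.16.76.0/22, otherwise the client never sends that traffic into the VPN.

! ===== Spoke ASA5505 (Remote5505), ASA 7.2(4) -- added example, names assumed =====

! Mirror image of the hub crypto ACL: RA pool added as a destination
access-list outside_cryptomap_hub extended permit ip 172.16.76.0 255.255.252.0 10.64.50.0 255.255.255.0
access-list outside_cryptomap_hub extended permit ip 172.16.76.0 255.255.252.0 10.64.51.0 255.255.255.0
access-list outside_cryptomap_hub extended permit ip 172.16.76.0 255.255.252.0 10.64.53.0 255.255.255.0

! NAT exemption for the spoke LANs towards the RA pool
access-list inside_nat0_outbound extended permit ip 172.16.76.0 255.255.252.0 10.64.53.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound

! The line the second reply found missing: return traffic from the spoke LAN to the
! RA pool is otherwise dropped by inside_access_in.
access-list inside_access_in extended permit ip any 10.64.50.0 255.255.255.0
access-list inside_access_in extended permit ip any 10.64.51.0 255.255.255.0
access-list inside_access_in extended permit ip any 10.64.53.0 255.255.255.0

! ===== Verification (run on the hub; spoke peer address is a placeholder) =====

! Simulate an RA client ping crossing to the spoke; watch the NAT-EXEMPT, VPN and
! ACCESS-LIST phases for a DROP and the reason given.
packet-tracer input outside icmp 10.64.53.10 8 0 172.16.76.10 detailed

! Ground truth: the tunnel SA for 10.64.53.0/24 <-> 172.16.76.0/22 should exist and
! its #pkts encaps / #pkts decaps counters should both increase while testing.
show crypto ipsec sa peer <SPOKE-PUBLIC-IP>
```

Reading the output: if `packet-tracer` stops at NAT-EXEMPT, the outside-bound exemption is missing; if it stops at VPN, the RA pool is not in the crypto ACL; if encaps counts rise on the hub but decaps on the spoke stay flat, the spoke's crypto ACL or NAT exemption is the mismatch; and if both counters rise but replies never arrive, the spoke's inside_access_in entry is the remaining gap.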
