All L2L only works if established from remote endpoint

I need tech help with Cisco ASA FW.

Could you try to help me? I'll be very grateful.

Here's the issue:

We are using
CISCO ASA 5510 ver. 8.4.1
CISCO ASDM 6.4.3

3 Public IP interfaces:
PIP1 - Default Route
PIP2 - Site2Site for B2B Connections
PIP3 - Backup Site2Site

Static Route for each Lan2Lan peer public IP.

Crypto Map on PIP2 & PIP3:
Crypto Local: Our DMZ Server.
Crypto Remote: Remote Private Network
Crypto peer: Remote Peer Public IP.

Static NAT from DMZ server to remote private Network on PIP2 IF.
Static NAT from DMZ server to remote private Network on PIP3 IF.

For the purpose, assume Firewall is ANY-ANY Allow.

This Scenario works:
1.- Remote peer Starts the connection.
2.- VPN is established.
3.- Dest IP is Private Server IP.
4.- Connection and sessions works fine.

This Scenario DOESN'T Work:
1.- OUR Network tries to connect to the remote Private IP.
2.- The ASA sends the packet to the default route with NAT.
3.- Therefore: ASA doesn't try to establish the VPN, nor does it send the packet through it even if it is already established.

What We See here:
- The ASA doesn't check the crypto before sending the packet because it is defined on PIP2, but the packet is already being sent to PIP1.
- ASA ignores the static Route because Dest IP is the Private IP and not the Public IP of the peer.
- ASA ignores the NAT because it is defined on PIP2, but the packet is already being sent to PIP1.


Have you found this scenario before? Any Ideas?

1 Reply

marijaslov
Level 1
Why don't you add a static route for remote site private LAN, so that packet from your network to private IP is sent through PIP2?
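Below is an added example of what the reply's suggestion looks like on the ASA CLI, together with the checks a practitioner would run afterwards. It is not configuration from the original poster or from marijaslov; the interface names, networks, next hops and peer address are all assumptions chosen for illustration. The idea is the one in the reply: the ASA picks the egress interface from the routing table first, and the crypto map is bound per interface, so traffic to the peer's private LAN has to be routed out the interface that carries the crypto map before the crypto ACL can ever match it. The existing static route only covers the peer's public IP, which is why traffic to the private LAN followed the default route via PIP1.

```cisco
! Added example, not from the original thread. All names/addresses are assumptions:
!   PIP2 interface name: outside-b2b      next hop 203.0.113.1
!   PIP3 interface name: outside-b2b-bak  next hop 198.51.100.1
!   remote peer public IP: 203.0.113.50   remote private LAN: 10.20.0.0/24
!   DMZ server: 172.16.1.10 on interface "dmz"
!
! --- Routing: the missing piece ---
! Route to the peer's PUBLIC IP (already present according to the post).
route outside-b2b 203.0.113.50 255.255.255.255 203.0.113.1 1
!
! Route to the peer's PRIVATE LAN out the interface that carries the crypto map.
! Without this, the route lookup hits the default route on PIP1 and the crypto
! map bound to outside-b2b is never consulted.
route outside-b2b 10.20.0.0 255.255.255.0 203.0.113.1 1
!
! Floating backup route via PIP3 (administrative distance 254). It only becomes
! active when the primary route is withdrawn, i.e. when outside-b2b goes down;
! pair it with "sla monitor" / "track" if you need failover on reachability.
route outside-b2b-bak 10.20.0.0 255.255.255.0 198.51.100.1 254
!
! --- Verification ---
! Simulate the DMZ server initiating a connection to a host on the remote LAN.
! The detailed output should show the flow leaving via outside-b2b and a VPN
! phase in the trace, instead of egress on the default-route interface.
packet-tracer input dmz tcp 172.16.1.10 12345 10.20.0.5 443 detailed
!
! Confirm the egress decision the ASA made for the remote private network.
show route 10.20.0.5
!
! After sending real traffic, confirm phase 1 and phase 2 came up toward the peer.
show crypto isakmp sa
show crypto ipsec sa peer 203.0.113.50
```

One caveat worth checking while you are in there: on 8.3 and later the ASA applies NAT before it evaluates the crypto ACL, so the "local" side of the crypto ACL has to match the translated address of the DMZ server as seen on outside-b2b, not its real address, or the packet will be routed correctly yet still miss the crypto map. The packet-tracer output shows both the NAT and the VPN phases, so it will make that mismatch visible as well.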