Solved: asa 5505 site to site VPN between A to B site, then B site MPLS to internal network

alan-wong · ‎09-30-2012

Dear all

I am setting up site to site VPN between two site A to B site. Two local site of A and B are connected fine. however for my site B have another internal MPLS to other site. The connection fine from LAN A all the way to LAN B MPLS router, but it cannot be connect to other MPLS site. If I did the MPLS traceroute from other site. It can be reached of LAN B internal router. Therefore, I am confusing which part of my configuration go wrong and any document for my reference. Thank you very much.

Local LAN A (5505 ASA)---------(5505 ASA) Local LAN B-----------B Internal router---------B MPLS router-------------other site.

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>xxxxxxxxxxxxxxx

Harish Balakrishnan · ‎10-01-2012

Hello Alan

after going through the configuration I understood that the issue was with main campus network was not included in the no nat list in branch ASA's . after adding that, everthing is working

Thanks

Please rate helpful posts!

Harish

View solution in original post

Harish Balakrishnan · ‎09-30-2012

Hello Alan,

couple of things i usually check in this scenario are

1. Intrestting traffic to match other site network in both ASA's

2.routing on internal router for Local LAN A subnet and ( Towards LAN B ASA) and the subnet used in 'other site'

regards

Harish.

alan-wong · ‎09-30-2012

Dear Harish

Thank you for help.

1) LAN A ASA internal 11.20.0.0/16 site to site VPN to LAN B ASA internal 11.14.0.0/16

11.20.128.250 - LAN A ASA

11.14.128.223 - LAN B ASA

11.14.128.253 - LAN B MPLS router

11.0.0.0 255.0.0.0 - this is the subnet range used in other site.

2)

routing on LAN A internal router

ip route 0.0.0.0 0.0.0.0 11.20.128.250

ip route 11.14.0.0 255.255.0.0 11.20.128.250

ip route 11.0.0.0 255.0.0.0 11.20.128.250

routing on LAN B internal router

ip route 0.0.0.0 0.0.0.0 11.14.128.223

ip route 11.20.0.0 255.255.0.0 11.14.128.223

ip route 11.0.0.0 255.0.0.0 11.14.128.253

Harish Balakrishnan · ‎09-30-2012

Hello Allan

the above routing seems fine. how is the routing in LAN B MPLS router and the routing on other sites reverse route.. \

also if possible can you post the config if asa to make sure that we are not missing anything in VPN front

regards

Harish.

alan-wong · ‎09-30-2012

Dear Harish

for LAN B MPLS. All 11.20.0.0/16 will route to LAN B internal router 10.14.128.252

If traceroute from other 11.0.0.0 site to 11.20.128.250, it can reach until LAN B ASA 11.14.127.223

11.20.128.250 11.14.128.223 11.14.128.252 11.14.128.253 11.0.0.0

Local LAN A (5505 ASA)---------(5505 ASA) Local LAN B-----------B Internal router---------B MPLS router-------------other site.

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>xxxxxxxxxxxxxxx

if traceroute from 10.20.0.0, it can reach until LAN B MPLS router 11.14.128.253

For config file post. Can I have your email address to direct send to you. Thank you very much.

Harish Balakrishnan · ‎09-30-2012

Hello Alan,

i sent you a private message for my email

regards

Harish

alan-wong · ‎10-01-2012

Dear Harish

I have sent you config file last night, any update for my issue? Thank you.

Harish Balakrishnan · ‎10-01-2012

Hello Alan,

Sorry I havent received the config. Could you send me again to harishab@gmail.com

regards

Harish

Harish Balakrishnan · ‎10-01-2012

Hello Alan

after going through the configuration I understood that the issue was with main campus network was not included in the no nat list in branch ASA's . after adding that, everthing is working

Thanks

Please rate helpful posts!

Harish

alan-wong · ‎10-01-2012

Excellent help from Harish. Thank you so so much.