Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1594
Views
0
Helpful
9
Replies

asa 5505 site to site VPN between A to B site, then B site MPLS to internal network

Go to solution
alan-wong
Level 1
Level 1

‎09-30-2012 05:04 AM

Dear all

I am setting up site to site VPN between two site A to B site.  Two local site of A and B are connected fine.  however for my site B have another internal MPLS to other site.  The connection fine from LAN A all the way to LAN B MPLS router, but it cannot be connect to other MPLS site.  If I did the MPLS traceroute from other site.  It can be reached of LAN B internal router.  Therefore, I am confusing which part of my configuration go wrong and any document for my reference.  Thank you very much.

Local LAN A (5505 ASA)---------(5505 ASA) Local LAN B-----------B Internal router---------B MPLS router-------------other site.

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>xxxxxxxxxxxxxxx

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Harish Balakrishnan
Spotlight
Spotlight
In response to Harish Balakrishnan

‎10-01-2012 10:33 AM

Hello Alan

after going through the configuration I understood that the issue was with main campus network was not included in the no nat list in branch ASA's . after adding that, everthing is working

Thanks

Please rate helpful posts!

Harish

View solution in original post

0 Helpful
9 Replies 9

Go to solution
Harish Balakrishnan
Spotlight
Spotlight

‎09-30-2012 05:56 AM

Hello Alan,

couple of things i usually check in this scenario are

1. Intrestting traffic to match other site network in both ASA's

2.routing on internal router for Local LAN A subnet and ( Towards LAN B ASA) and the subnet used in 'other site'

regards

Harish.

0 Helpful

Go to solution
alan-wong
Level 1
Level 1
In response to Harish Balakrishnan

‎09-30-2012 07:48 AM

Dear Harish

Thank you for help.

1) LAN A ASA internal 11.20.0.0/16 site to site VPN to LAN B ASA internal 11.14.0.0/16

11.20.128.250 - LAN A ASA

11.14.128.223 - LAN B ASA

11.14.128.253 - LAN B MPLS router

11.0.0.0 255.0.0.0 - this is the subnet range used in other site.

2)

routing on LAN A internal router

ip route 0.0.0.0 0.0.0.0 11.20.128.250

ip route 11.14.0.0 255.255.0.0 11.20.128.250

ip route 11.0.0.0 255.0.0.0 11.20.128.250

routing on LAN B internal router

ip route 0.0.0.0 0.0.0.0 11.14.128.223

ip route 11.20.0.0 255.255.0.0 11.14.128.223

ip route 11.0.0.0 255.0.0.0 11.14.128.253

0 Helpful

Go to solution
Harish Balakrishnan
Spotlight
Spotlight
In response to alan-wong

‎09-30-2012 08:46 AM

Hello Allan

the above routing seems fine. how is the routing in LAN B MPLS router and the routing on other sites reverse route.. \

also if possible can you post the config if asa to make sure that we are not missing anything in VPN front

regards

Harish.

0 Helpful

Go to solution
alan-wong
Level 1
Level 1
In response to Harish Balakrishnan

‎09-30-2012 08:58 AM

Dear Harish

for LAN B MPLS.  All 11.20.0.0/16 will route to LAN B internal router 10.14.128.252

If traceroute from other 11.0.0.0 site to 11.20.128.250, it can reach until LAN B ASA 11.14.127.223

11.20.128.250                        11.14.128.223                           11.14.128.252           11.14.128.253              11.0.0.0

Local LAN A (5505 ASA)---------(5505 ASA) Local LAN B-----------B Internal router---------B MPLS router-------------other site.

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>xxxxxxxxxxxxxxx

if traceroute from 10.20.0.0, it can reach until LAN B MPLS router 11.14.128.253

For config file post.  Can I have your email address to direct send to you.  Thank you very much.

0 Helpful

Go to solution
Harish Balakrishnan
Spotlight
Spotlight
In response to alan-wong

‎09-30-2012 09:05 AM

Hello Alan,

i sent you a private message for my email

regards

Harish

0 Helpful

Go to solution
alan-wong
Level 1
Level 1
In response to Harish Balakrishnan

‎10-01-2012 03:56 AM

Dear Harish

I have sent you config file last night, any update for my issue?  Thank you.

0 Helpful

Go to solution
Harish Balakrishnan
Spotlight
Spotlight
In response to alan-wong

‎10-01-2012 04:15 AM

Hello Alan,

Sorry I havent received the config. Could you send me again to harishab@gmail.com

regards

Harish

0 Helpful

Go to solution
Harish Balakrishnan
Spotlight
Spotlight
In response to Harish Balakrishnan

‎10-01-2012 10:33 AM

Hello Alan

after going through the configuration I understood that the issue was with main campus network was not included in the no nat list in branch ASA's . after adding that, everthing is working

Thanks

Please rate helpful posts!

Harish

0 Helpful

Go to solution
alan-wong
Level 1
Level 1
In response to Harish Balakrishnan

‎10-01-2012 10:35 AM

Excellent help from Harish.  Thank you so so much.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents