cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
1750
Views
0
Helpful
2
Replies
shawn
Beginner

ASA 5505 site-to-site vpn not passing traffic

Hello All,

I've setup a site-to-site vpn between 2 5505s, with 1 subnet per site directly behind the ASAs.

site1 192.168.10.0/24 --- asa 1.1.1.1/24 ------ ISP ------ asa 2.2.2.2/24 --- site2 192.168.3.0/24

The VPN establishes connection successfully, but i can only access resources from site2 to site 1. E.g. I can ping or rdp from a server in site2 at IP 192.168.3.250 to a site1 server at IP 192.168.10.250. I cannot make the opposite connection, i.e. 192.168.10.250 to 192.168.3.250. Configs and sho crypto out put attached, any ideas? I'm sure I'm just overlooking something simple but I'm not seeing it!

Thanks,

Shawn

2 REPLIES 2
Jennifer Halim
Cisco Employee

On site 1, maybe it's a typo when you tidy up the configuration, but this route statement seems incorrect:

route outside 192.168.3.0 255.255.255.0 2.2.2.2 1

Pls remove this route statement.

Similarly on site 2, this route statement is also incorrect:

route outside 192.168.10.0 255.255.255.0 139.142.53.18 1

Why does it have a different route to the default gateway (route outside 0.0.0.0 0.0.0.0 139.142.53.1 1).

The rest of the configuration looks fine to me.

You might want to check the host itself at site of 192.168.3.0/24 subnet. Check if it has the correct default gateway (ASA inside interface - 192.168.3.1) also on the host itself if there is any personal firewall enabled, it will typically block inbound connection from different subnets. Try to disable the personal firewall and see if you can access them.

Hope that helps.

Hi Jennifer,

Thanks for the reply, yes, i didn't do a very goog job sanatizing the config before posting it.

During my troubleshooting efforts, I found a post suggesting to add routes on each ASA to the remote subnet to using the outside interface ip as the gateway. I did that but it didn't help, I should of removed it from my config before posting.

WRT the hosts @ .3.350 & .10.250, they both Server 2003, no firewall and the default gateway for each is the local ASA inside int. I've posted the details below for confirmation.

Is seems to be that the site1 ASA does not identify traffic destine for the remote LAN. When I run a tracert from the .10.250 host to the .3.250 host, the traffic gets sent to the ASAs default gateway. I should point out that both ASAs are in the same ISP network and both have the same default gateway. Seems like a possible NAT ACL issue, but again, the config seems fine. Any other suggestions? I've attached ASDM traces while the vpn is up that suggest this is the issue, I think.

site1 host (192.168.10.250)

IPv4 Route Table
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10003 ...1c c1 de 0f 7c b4 ...... HP NC107i PCIe Gigabit Server Adapter
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.10.1   192.168.10.250     20
        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1      1
     192.168.10.0    255.255.255.0   192.168.10.250   192.168.10.250     20
   192.168.10.250  255.255.255.255        127.0.0.1        127.0.0.1     20
   192.168.10.255  255.255.255.255   192.168.10.250   192.168.10.250     20
        224.0.0.0        240.0.0.0   192.168.10.250   192.168.10.250     20
  255.255.255.255  255.255.255.255   192.168.10.250   192.168.10.250      1
Default Gateway:      192.168.10.1
===========================================================================
Persistent Routes:
  None

site2 host (192.168.3.250)

IPv4 Route Table
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10003 ...78 e7 d1 bd 1f 16 ...... HP NC107i PCIe Gigabit Server Adapter
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.3.1    192.168.3.250     20
        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1      1
      192.168.3.0    255.255.255.0    192.168.3.250    192.168.3.250     20
    192.168.3.250  255.255.255.255        127.0.0.1        127.0.0.1     20
    192.168.3.255  255.255.255.255    192.168.3.250    192.168.3.250     20
        224.0.0.0        240.0.0.0    192.168.3.250    192.168.3.250     20
  255.255.255.255  255.255.255.255    192.168.3.250    192.168.3.250      1
Default Gateway:       192.168.3.1
===========================================================================
Persistent Routes:
  None

Content for Community-Ad