ASA 5505 site-to-site vpn not passing traffic

shawn
Level 1

Hello All,

I've setup a site-to-site vpn between 2 5505s, with 1 subnet per site directly behind the ASAs.

site1 192.168.10.0/24 --- asa 1.1.1.1/24 ------ ISP ------ asa 2.2.2.2/24 --- site2 192.168.3.0/24

The VPN establishes a connection successfully, but I can only access resources from site2 to site1. E.g. I can ping or RDP from a server in site2 at IP 192.168.3.250 to a site1 server at IP 192.168.10.250. I cannot make the opposite connection, i.e. 192.168.10.250 to 192.168.3.250. Configs and sho crypto output attached, any ideas? I'm sure I'm just overlooking something simple but I'm not seeing it!

Thanks,

Shawn

2 Replies

Jennifer Halim
Cisco Employee

On site 1, maybe it's a typo from when you tidied up the configuration, but this route statement seems incorrect:

route outside 192.168.3.0 255.255.255.0 2.2.2.2 1

Please remove this route statement.

Similarly on site 2, this route statement is also incorrect:

route outside 192.168.10.0 255.255.255.0 139.142.53.18 1

Why does it have a different route to the default gateway (route outside 0.0.0.0 0.0.0.0 139.142.53.1 1)?

The rest of the configuration looks fine to me.

You might want to check the host itself on the 192.168.3.0/24 subnet. Check that it has the correct default gateway (ASA inside interface - 192.168.3.1); also check on the host itself whether any personal firewall is enabled, as it will typically block inbound connections from different subnets. Try disabling the personal firewall and see if you can access them.

Hope that helps.

Hi Jennifer,

Thanks for the reply. Yes, I didn't do a very good job sanitizing the config before posting it.

During my troubleshooting efforts, I found a post suggesting adding routes on each ASA to the remote subnet using the outside interface IP as the gateway. I did that but it didn't help; I should have removed it from my config before posting.

WRT the hosts @ .3.250 & .10.250, they are both Server 2003, no firewall, and the default gateway for each is the local ASA inside int. I've posted the details below for confirmation.

It seems to be that the site1 ASA does not identify traffic destined for the remote LAN. When I run a tracert from the .10.250 host to the .3.250 host, the traffic gets sent to the ASA's default gateway. I should point out that both ASAs are in the same ISP network and both have the same default gateway. Seems like a possible NAT ACL issue, but again, the config seems fine. Any other suggestions? I've attached ASDM traces while the VPN is up that suggest this is the issue, I think.

site1 host (192.168.10.250)

IPv4 Route Table
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10003 ...1c c1 de 0f 7c b4 ...... HP NC107i PCIe Gigabit Server Adapter
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.10.1   192.168.10.250     20
        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1      1
     192.168.10.0    255.255.255.0   192.168.10.250   192.168.10.250     20
   192.168.10.250  255.255.255.255        127.0.0.1        127.0.0.1     20
   192.168.10.255  255.255.255.255   192.168.10.250   192.168.10.250     20
        224.0.0.0        240.0.0.0   192.168.10.250   192.168.10.250     20
  255.255.255.255  255.255.255.255   192.168.10.250   192.168.10.250      1
Default Gateway:      192.168.10.1
===========================================================================
Persistent Routes:
  None

site2 host (192.168.3.250)

IPv4 Route Table
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10003 ...78 e7 d1 bd 1f 16 ...... HP NC107i PCIe Gigabit Server Adapter
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.3.1    192.168.3.250     20
        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1      1
      192.168.3.0    255.255.255.0    192.168.3.250    192.168.3.250     20
    192.168.3.250  255.255.255.255        127.0.0.1        127.0.0.1     20
    192.168.3.255  255.255.255.255    192.168.3.250    192.168.3.250     20
        224.0.0.0        240.0.0.0    192.168.3.250    192.168.3.250     20
  255.255.255.255  255.255.255.255    192.168.3.250    192.168.3.250      1
Default Gateway:       192.168.3.1
===========================================================================
Persistent Routes:
  None
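As an added example (not code from this thread, from the poster, or from Cisco), here is a small Python checker for the two things the replies above turn on: the static routes Jennifer flagged, and the NAT/crypto ACL pairing Shawn suspects. It cross-reads two ASA 8.2-style configs and reports, per site, crypto ACL entries that are not mirrored at the far end, interesting traffic that the nat (inside) 0 exemption ACL does not cover, and static routes pointing a VPN-protected subnet out the outside interface. The two configs embedded below are constructed for the example using the page's subnets and peer addresses; they are not the configs attached to the post. Site 1 is given a deliberate typo in its NAT-exemption ACL (192.168.30.0 instead of 192.168.3.0) plus the extra static route from the reply, so the checker has something to report. The ACL names nonat and outside_cryptomap, and the function names parse_config and check_site, are this example's own assumptions.

```python
"""Cross-check two ASA 8.2-style site-to-site VPN configs for the usual causes
of a tunnel that is up but passes traffic in one direction only."""
import ipaddress

# Constructed sample configs for this example, NOT the configs attached to the
# post. Site 1 has a deliberate typo in its NAT-exemption ACL (192.168.30.0
# instead of 192.168.3.0) plus the extra static route discussed in the thread.
SITE1_CONFIG = """\
access-list nonat extended permit ip 192.168.10.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list outside_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.3.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 2.2.2.2
crypto map outside_map interface outside
route outside 0.0.0.0 0.0.0.0 1.1.1.254 1
route outside 192.168.3.0 255.255.255.0 2.2.2.2 1
"""

SITE2_CONFIG = """\
access-list nonat extended permit ip 192.168.3.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list outside_cryptomap extended permit ip 192.168.3.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 1.1.1.1
crypto map outside_map interface outside
route outside 0.0.0.0 0.0.0.0 2.2.2.254 1
"""


def _addr(tokens, i):
    """Consume one ASA address spec (any | host A.B.C.D | A.B.C.D MASK) at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1]), i + 2
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_config(text):
    """Extract the pieces of a running-config that decide what enters the tunnel."""
    cfg = {"acls": {}, "crypto_acl": None, "nonat_acl": None, "routes": []}
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "access-list" and "permit" in t:
            # access-list NAME extended permit ip SRC DST; only 'ip' entries matter here
            i = t.index("permit") + 1
            if t[i] != "ip":
                continue
            src, i = _addr(t, i + 1)
            dst, i = _addr(t, i)
            cfg["acls"].setdefault(t[1], []).append((src, dst))
        elif t[:4] == ["nat", "(inside)", "0", "access-list"]:
            cfg["nonat_acl"] = t[4]                         # NAT exemption ACL
        elif t[:2] == ["crypto", "map"] and "address" in t:
            cfg["crypto_acl"] = t[t.index("address") + 1]   # interesting-traffic ACL
        elif t[:2] == ["route", "outside"]:
            net = ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False)
            cfg["routes"].append((net, ipaddress.ip_address(t[4])))
    return cfg


def _covered(src, dst, entries):
    """True if some (s, d) entry contains src and dst respectively."""
    return any(src.subnet_of(s) and dst.subnet_of(d) for s, d in entries)


def check_site(local, remote):
    """Findings for `local` with `remote` as the far end; an empty list means clean."""
    findings = []
    crypto = local["acls"].get(local["crypto_acl"], [])
    nonat = local["acls"].get(local["nonat_acl"], [])
    remote_crypto = remote["acls"].get(remote["crypto_acl"], [])
    if not crypto:
        findings.append("CRYPTO-ACL: no crypto map 'match address' entries found")
    for src, dst in crypto:
        # Phase 2 only comes up for this pair if the far end selects the exact mirror image.
        if (dst, src) not in remote_crypto:
            findings.append(f"CRYPTO-MIRROR: {src} -> {dst} has no {dst} -> {src} entry at the remote site")
        # Interesting traffic that is not exempt from NAT is PATed to the outside address
        # first, so it no longer matches the crypto ACL and leaves in the clear toward the
        # default gateway, while sessions initiated from the far end still work.
        if not _covered(src, dst, nonat):
            findings.append(f"NAT-EXEMPT: {src} -> {dst} is not covered by nat (inside) 0 ACL {local['nonat_acl']!r}")
        for net, gw in local["routes"]:
            if net == dst:
                findings.append(f"ROUTE: static route for VPN-protected {net} via {gw}; "
                                "the crypto map, not a static route, selects tunnel traffic")
    return findings


if __name__ == "__main__":
    site1, site2 = parse_config(SITE1_CONFIG), parse_config(SITE2_CONFIG)
    for name, local, remote in (("site1", site1, site2), ("site2", site2, site1)):
        print(name, check_site(local, remote) or ["clean"])
```

Run against real configs by replacing the two embedded strings with the output of show running-config from each ASA; the ACL names are read from the nat 0 and crypto map lines, so they do not need to be nonat and outside_cryptomap. For the constructed pair above, site1 reports the NAT-EXEMPT gap and the extra ROUTE, and site2 comes back clean, which is the same one-directional shape as the symptom in the thread.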