Solved: ASA vpn forward between tunnels

asen georgiev · ‎04-27-2017

Hi All,

I don`t have experience with ASA and my apologies that my question is may be stupid for anyone.

I have vpn infrastructure with one HQ and 2 branch offices. (star topology)

hq - 192.168.0.1/24

1office - 192.168.1.1/24

2office - 192.168.2.1/24

I have communication between hq and each of offices but there is not communication between offices.

Each network pair exists in every tunnel.

Hq (192.168.0.1/24, 192.168.1.1/24) <---> 2office (192.168.2.1/24)

Hq (192.168.0.1/24, 192.168.2.1/24) <---> 1office (192.168.1.0/24)

The configuration is built with ASDM

Every ACL is "permit all" - "any less secure network" in both directions and the nat rules are not including every of these networks.

There are no yellow rows in the dump - just a "Teardown ICMP connection for ..."

There is no connection between 192.168.2.xx/24 and 192.168.1.xx/24

I will be very grateful if anybody can help me.

Best regards,

Asen

p.s. if necessary I can provide more detailed info and the config, but I think my mistake is known by experts.

Karsten Iwen · ‎04-27-2017

Take a look at the following document: https://supportforums.cisco.com/document/12015091/cisco-asa-vpn-spoke-spoke-communication-hub

Perhaps ist's just a missing

same-security-traffic permit intra-interface

View solution in original post

asen georgiev · ‎04-27-2017

The ASA is 5510 with 9.1.7. Other routers are routers 881 and the configuration is fine. If I replace the ASA with router, everything works fine with the current configuration.

Karsten Iwen · ‎04-27-2017

Take a look at the following document: https://supportforums.cisco.com/document/12015091/cisco-asa-vpn-spoke-spoke-communication-hub

Perhaps ist's just a missing

same-security-traffic permit intra-interface

asen georgiev · ‎04-27-2017

Thank you very much. This is the fix of the problem. Too many hours lost and very simple solution. Thank you again