570 Views, 1 Helpful, 7 Replies

ASA VPN not connecting

matthew2587 (Level 1)

I am new to configuring VPNs and have this topology.

Background: we just added site 3 and created the VPN connection and it is currently working.

site 3 ---VPN------- site 1------VPN----- site2

Site 1 can communicate with both site 2 and site 3. However, site 2 cannot communicate with site 3 and vice versa. I thought this would be a simple fix on an ACL/NAT rule, but I cannot seem to figure this out. I am happy to provide configurations to help.

Edit: I should also include that I ran packet-tracer on site 1 from the subnets of site 2 to site 3 and it showed that the traffic was allowed.


Accepted Solution

It is simple, but it needs the correct steps.

1- Site1 to Site2 VPN
in Site1:
ACL permit LAN-Site1 to LAN-Site2
ACL permit LAN-Site3 to LAN-Site2
in Site2:
mirror of the above ACL

route in Site2 toward Site1 for the Site3 LAN

2- Site1 to Site3 VPN
in Site1:
ACL permit LAN-Site1 to LAN-Site3
ACL permit LAN-Site2 to LAN-Site3
in Site3:
mirror of the above ACL

route in Site3 toward Site1 for the Site2 LAN

That's it.
MHM
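The steps above, written out as ASA configuration for the hub (Site 1) and one spoke (Site 2). This is an added example, not configuration from the thread; the subnets (10.1/10.2/10.3.0.0/24), peer addresses (203.0.113.x), the OUTSIDE_MAP crypto map name and the Site 2 gateway are constructed placeholders. It also adds two things the reply does not spell out but that a hub ASA needs for spoke-to-spoke traffic: the traffic enters and leaves the same outside interface, so hairpinning must be permitted, and the NAT exemption must cover the spoke-to-spoke pairs, not only hub-to-spoke.

```cisco
! Hub (Site 1). Subnets and peer addresses are constructed placeholders.
object network LAN-Site1
 subnet 10.1.0.0 255.255.255.0
object network LAN-Site2
 subnet 10.2.0.0 255.255.255.0
object network LAN-Site3
 subnet 10.3.0.0 255.255.255.0
!
! Step 1: the crypto ACL for the Site1-Site2 tunnel also carries Site3's LAN
access-list VPN-TO-SITE2 extended permit ip object LAN-Site1 object LAN-Site2
access-list VPN-TO-SITE2 extended permit ip object LAN-Site3 object LAN-Site2
! Step 2: the crypto ACL for the Site1-Site3 tunnel also carries Site2's LAN
access-list VPN-TO-SITE3 extended permit ip object LAN-Site1 object LAN-Site3
access-list VPN-TO-SITE3 extended permit ip object LAN-Site2 object LAN-Site3
! Existing crypto map entries (IKE policy and transform sets omitted) match them
crypto map OUTSIDE_MAP 10 match address VPN-TO-SITE2
crypto map OUTSIDE_MAP 10 set peer 203.0.113.2
crypto map OUTSIDE_MAP 20 match address VPN-TO-SITE3
crypto map OUTSIDE_MAP 20 set peer 203.0.113.3
!
! Spoke-to-spoke traffic arrives on outside and leaves on outside again;
! the ASA drops that hairpin unless intra-interface traffic is permitted
same-security-traffic permit intra-interface
! NAT exemption for the spoke-to-spoke pair (hub-to-spoke exemptions already exist)
nat (outside,outside) source static LAN-Site2 LAN-Site2 destination static LAN-Site3 LAN-Site3 no-proxy-arp route-lookup
nat (outside,outside) source static LAN-Site3 LAN-Site3 destination static LAN-Site2 LAN-Site2 no-proxy-arp route-lookup
!
! Spoke (Site 2): mirror of the hub's VPN-TO-SITE2 ACL plus a route for Site3's LAN
! (the same three network objects are defined here as on the hub)
access-list VPN-TO-SITE1 extended permit ip object LAN-Site2 object LAN-Site1
access-list VPN-TO-SITE1 extended permit ip object LAN-Site2 object LAN-Site3
crypto map OUTSIDE_MAP 10 match address VPN-TO-SITE1
crypto map OUTSIDE_MAP 10 set peer 203.0.113.1
! Route Site3's LAN toward the hub (next hop is Site2's outside gateway, a placeholder)
route outside 10.3.0.0 255.255.255.0 203.0.113.254 1
! NAT exemption so Site2-to-Site3 traffic is not translated before encryption
nat (inside,outside) source static LAN-Site2 LAN-Site2 destination static LAN-Site3 LAN-Site3 no-proxy-arp route-lookup
! Site 3 is configured the same way with Site2 and Site3 swapped
```

On the hub, `packet-tracer input outside tcp 10.2.0.10 12345 10.3.0.10 443` should now report the flow as allowed with the VPN encrypt phase present; if it shows a drop at the NAT or flow-lookup phase, the hairpin or exemption lines are what to check.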



7 Replies



Are these ACEs going to be added to the ACL that is matched by the crypto map?

Yes, friend.

MHM

Thank you, I was applying the ACLs in the wrong spots.

Do you think you could help with one more connection issue?

Sure, friend, what is your issue?
MHM

Your solution worked and we have connectivity, but our remote-access VPN users do not. They get a 192.168.252.0/24 address, so I thought it would be easy and I would just add that network to the ACLs, crypto map, etc. But that does not seem to be working, so I was wondering if you had any ideas?

I should mention that the users have connectivity to site 2 but not site 3. I tried to mirror the config on site 2 (changing the networks to reflect the site), but it does not work, or I missed something.