Cannot ping between remote VPN sites?

Rico Hao
Level 1

Site A is an L2L VPN and site B is a network-extension VPN; both connect to the same VPN device (a 5510) at the central office and work well. I can ping from the central office to both remote sites, but I cannot ping between these two VPN sites. I tried debug icmp, and I can see that the ICMP from site A does reach the central office but then disappears; it is not sent on to site B. Please help...

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
!
object-group network SITE-A
 network-object 192.168.42.0 255.255.255.0
!
object-group network SITE-B
 network-object 192.168.46.0 255.255.255.0
!
access-list OUTSIDE extended permit icmp any any 
access-list HOLT-VPN-ACL extended permit ip object-group CBO-NET object-group SITE-A 
!
nat (outside,outside) source static SITE-A SITE-A destination static SITE-B SITE-B
!
crypto map VPN-MAP 50 match address HOLT-VPN-ACL
crypto map VPN-MAP 50 set peer *.*.56.250 
crypto map VPN-MAP 50 set ikev1 transform-set AES-256-SHA
crypto map VPN-MAP interface outside
!
group-policy REMOTE-NETEXTENSION internal
group-policy REMOTE-NETEXTENSION attributes
 dns-server value *.*.*.*
 vpn-idle-timeout none
 vpn-tunnel-protocol ikev1 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value REMOTE-NET2
 default-domain value *.org
 nem enable
!
tunnel-group REMOTE-NETEXTENSION type remote-access
tunnel-group REMOTE-NETEXTENSION general-attributes
 authentication-server-group (inside) LOCAL
 default-group-policy REMOTE-NETEXTENSION
tunnel-group REMOTE-NETEXTENSION ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group *.*.56.250 type ipsec-l2l
tunnel-group *.*.56.250 ipsec-attributes
 ikev1 pre-shared-key *****
!
!

ASA-5510# show route | include 192.168.42 
S    192.168.42.0 255.255.255.0 [1/0] via *.*.80.1, outside
ASA-5510# show route | include 192.168.46
S    192.168.46.0 255.255.255.0 [1/0] via *.*.80.1, outside
ASA-5510# 

!
Username     : layson-ne           Index        : 10
Assigned IP  : 192.168.46.0           Public IP    : *.*.65.201
Protocol     : IKEv1 IPsecOverNatT
License      : Other VPN
Encryption   : 3DES                   Hashing      : SHA1
Bytes Tx     : 11667685               Bytes Rx     : 1604235
Group Policy : REMOTE-NETEXTENSION    Tunnel Group : REMOTE-NETEXTENSION
Login Time   : 08:19:12 EST Thu Feb 12 2015
Duration     : 6h:53m:29s
Inactivity   : 0h:00m:00s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none
!
ASA-5510# show vpn-sessiondb l2l

Session Type: LAN-to-LAN

Connection   : *.*.56.250
Index        : 6                      IP Addr      : *.*.56.250
Protocol     : IKEv1 IPsec
Encryption   : 3DES AES256            Hashing      : SHA1
Bytes Tx     : 2931026707             Bytes Rx     : 256715895
Login Time   : 02:02:41 EST Thu Feb 12 2015
Duration     : 13h:10m:03s

Accepted Solution

rizwanr74
Level 7

Hi Rico,

You need to dynamic-NAT (to an available IP address) both sides so that each remote subnet can access the other remote subnet, as if both were originating the traffic from your central location.

Example:

Let's say this IP (10.10.10.254) is an unused IP at the central office, permitted to access remote tunnel "A" and site "B".

object-group network SITE-A
 network-object 192.168.42.0 255.255.255.0
!
object-group network SITE-B
 network-object 192.168.46.0 255.255.255.0

nat (outside,outside) source dynamic SITE-A 10.10.10.254 destination static SITE-B SITE-B
nat (outside,outside) source dynamic SITE-B 10.10.10.254 destination static SITE-A SITE-A

Hope this helps

Thanks

Rizwan Rafeek
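Added example (not part of the thread and not Cisco code): a small Python model of why the hairpinned ping vanishes on the ASA and why the dynamic NAT above fixes it. The site subnets, the identity NAT rule and the HOLT-VPN-ACL selector are taken from the question; it assumes that CBO-NET covers 10.10.10.0/24 (so 10.10.10.254 falls inside it) and that the NEM client's split-tunnel list REMOTE-NET2 contains only CBO-NET, neither of which is shown in the thread.

```python
from ipaddress import ip_address, ip_network

SITE_A = ip_network("192.168.42.0/24")
SITE_B = ip_network("192.168.46.0/24")
# Assumption: CBO-NET (the central-office group referenced by HOLT-VPN-ACL)
# covers 10.10.10.0/24, so the PAT address 10.10.10.254 lives inside it.
CBO_NET = ip_network("10.10.10.0/24")
PAT_IP = ip_address("10.10.10.254")

# Traffic selectors that decide which tunnel a packet is encrypted into:
# - SITE-A: crypto ACL HOLT-VPN-ACL from the question (permit ip CBO-NET -> SITE-A)
# - SITE-B: the NEM client's split-tunnel list REMOTE-NET2 (assumed: CBO-NET only)
SELECTORS = {"SITE-A": (CBO_NET, SITE_A), "SITE-B": (CBO_NET, SITE_B)}

# Twice-NAT rules as (real source, real destination, mapped source); first match wins.
# Before: the identity rule from the question leaves the source address unchanged.
NAT_BEFORE = [(SITE_A, SITE_B, None)]
# After: the accepted answer's dynamic rules PAT each remote subnet to 10.10.10.254.
NAT_AFTER = [(SITE_A, SITE_B, PAT_IP), (SITE_B, SITE_A, PAT_IP)]


def translate(src, dst, rules):
    """Apply the first matching (outside,outside) NAT rule to the source address."""
    for real_src, real_dst, mapped in rules:
        if src in real_src and dst in real_dst:
            return mapped if mapped is not None else src
    return src


def select_tunnel(src, dst):
    """Return the name of the tunnel whose selector covers src -> dst, or None."""
    for name, (sel_src, sel_dst) in SELECTORS.items():
        if src in sel_src and dst in sel_dst:
            return name
    return None


def hairpin(src, dst, rules):
    """Model the ASA hairpin path: NAT first, then crypto-map/tunnel selection.
    Returns (source as seen on the wire, tunnel name or None when the ASA drops it)."""
    src, dst = ip_address(src), ip_address(dst)
    mapped = translate(src, dst, rules)
    return str(mapped), select_tunnel(mapped, dst)


if __name__ == "__main__":
    for rules, label in ((NAT_BEFORE, "before"), (NAT_AFTER, "after")):
        print(label, "A->B:", hairpin("192.168.42.10", "192.168.46.20", rules))
        print(label, "B->A:", hairpin("192.168.46.20", "192.168.42.10", rules))
```

With the identity rule the post-NAT source is still 192.168.42.x or 192.168.46.x, which no selector covers, so the packet is dropped exactly where debug icmp shows it vanishing; after PAT the source is 10.10.10.254 and the far tunnel accepts it. The hairpin also still depends on same-security-traffic permit intra-interface, which the question's config already has.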


2 Replies

Five stars ***** Thank you, Rizwan.

As soon as I typed in your commands and pressed enter, the ping replied immediately.

Excellent!!