Cannot connect remote subnets via Cisco ASA to Draytek router VPN

ocucolimited
Level 1

Hi,

My local site has a Cisco 2811 router connecting locally to an ASA 5520. Remote site A has a Draytek Vigor2950. I have a working VPN between the local subnet 10.0.0.0/24 and remote site A 10.100.6.0/24.

I have remote sites B (10.100.7.0/24) and C (10.100.8.0/24).

I would like to route traffic from local site to remote sites B and C via the local-to-remote A vpn.

On Draytek routers B and C, I have added subnet 10.0.0.0/24 to the remote network profile list.

On the local router, I route traffic for subnets 10.100.7.x and 10.100.8.x to the ASA. On the ASA I have added these subnets to the profile for the local-to-remote A VPN.

But the VPN will not establish when I attempt to ping from local to remote B or C.

Any assistance would be appreciated. I fear this could be an incompatibility between ASA and Draytek.

Colm.

5 Replies

Jennifer Halim
Cisco Employee

Sorry, but can you please advise how remote B and remote C are currently connected?

Are they behind remote A?

Is the topology like this currently:

10.0.0.0/24 - ASA -- Internet (VPN to remote A) -- Remote A Draytek - 10.100.6.0/24 -- Remote B and Remote C

Are the Remote B and Remote C networks currently connected behind Remote A?

Can you please share a topology diagram on how they are all connected?

Connection topology is:

Local subnet (10.0.0.0/24) router - ASA - VPN to remote A - Remote A Draytek (10.100.6.0/24) - VPN to remote B - Remote B Draytek (10.100.7.0/24). Similar for remote C.

So Remote B and Remote C each have a Draytek Vigor 2950, with a LAN-to-LAN VPN to Remote A.

OK, this makes sense now, thanks.

So basically Remote A is the hub, and ASA, Remote B and Remote C are the spokes.

Here are the changes that you would need to configure:

On Remote A:

- crypto ACL towards the ASA should include the following:

from source: 10.100.7.0/24 to destination: 10.0.0.0/24

from source: 10.100.8.0/24 to destination 10.0.0.0/24

- crypto ACL towards remote B should include the following:

from source: 10.0.0.0/24 to destination: 10.100.7.0/24

- crypto ACL towards remote C should include the following:

from source: 10.0.0.0/24 to destination: 10.100.8.0/24

On the ASA:

- crypto ACL that you configure towards remote A needs to include the following:

access-list permit ip 10.0.0.0 255.255.255.0 10.100.7.0 255.255.255.0

access-list permit ip 10.0.0.0 255.255.255.0 10.100.8.0 255.255.255.0

- NAT exemption ACL also needs to include the same entries as above:

access-list permit ip 10.0.0.0 255.255.255.0 10.100.7.0 255.255.255.0

access-list permit ip 10.0.0.0 255.255.255.0 10.100.8.0 255.255.255.0

On Remote B:

- crypto ACL towards remote A should include the following:

from source: 10.100.7.0/24 towards 10.0.0.0/24

On Remote C:

- crypto ACL towards remote A should include the following:

from source: 10.100.8.0/24 towards 10.0.0.0/24

Hope this helps.
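The symptom in this thread (the tunnel will not even come up for the new subnets) is what an IPsec phase 2 proxy-ID mismatch looks like: every (local, remote) pair one peer offers must exist as (remote, local) on the other peer, and on a hub-and-spoke design each spoke-to-spoke flow needs four such entries (two on the hub, one on each spoke). The script below is an added example, not configuration from the original posts or from Cisco or Draytek: it models the crypto ACL entries from the list above as per-device, per-peer proxy-ID lists (a Draytek "remote network" list is the same data seen from that router's side), reports entries that have no mirror, walks the four legs of one spoke-to-spoke path, and checks that the ASA NAT-exemption ACL covers every crypto ACL entry. The NAT check assumes the pre-8.3 ASA `nat (inside) 0 access-list` semantics the post refers to, where traffic not exempted is translated before the crypto map is evaluated; the device names and the "partial rollout" scenario (ASA, B and C updated, hub not yet touched) are constructed to reproduce the state described in the question.

```python
"""Proxy-ID (crypto ACL) consistency check for a hub-and-spoke IPsec VPN.

Added example for this thread, not configuration from the original posts.
Device names and subnets follow the thread; the ACL entries are built from
the list in the reply above. Assumes pre-8.3 ASA "nat 0 access-list" NAT
exemption semantics (constructed assumption, matching the reply).
"""
import ipaddress


def net(s):
    """Parse '10.0.0.0/24' into an IPv4Network (strict: must be a network address)."""
    return ipaddress.ip_network(s, strict=True)


def full_mesh_config():
    """crypto_acls[device][peer] = [(local_net, remote_net), ...] that `device`
    offers on its tunnel to `peer`. This is the complete, consistent set for
    ASA <-> RemoteA (hub) <-> RemoteB / RemoteC."""
    return {
        "ASA": {
            "RemoteA": [("10.0.0.0/24", "10.100.6.0/24"),
                        ("10.0.0.0/24", "10.100.7.0/24"),
                        ("10.0.0.0/24", "10.100.8.0/24")],
        },
        "RemoteA": {
            "ASA": [("10.100.6.0/24", "10.0.0.0/24"),
                    ("10.100.7.0/24", "10.0.0.0/24"),
                    ("10.100.8.0/24", "10.0.0.0/24")],
            "RemoteB": [("10.100.6.0/24", "10.100.7.0/24"),
                        ("10.0.0.0/24", "10.100.7.0/24")],
            "RemoteC": [("10.100.6.0/24", "10.100.8.0/24"),
                        ("10.0.0.0/24", "10.100.8.0/24")],
        },
        "RemoteB": {
            "RemoteA": [("10.100.7.0/24", "10.100.6.0/24"),
                        ("10.100.7.0/24", "10.0.0.0/24")],
        },
        "RemoteC": {
            "RemoteA": [("10.100.8.0/24", "10.100.6.0/24"),
                        ("10.100.8.0/24", "10.0.0.0/24")],
        },
    }


def mirror_mismatches(acls):
    """Every (local, remote) a device offers to a peer must appear on that peer
    as (remote, local) toward the device; otherwise IKE phase 2 fails with a
    proxy-ID mismatch. Returns (device, peer, local, remote) for unmirrored entries."""
    missing = []
    for dev, peers in acls.items():
        for peer, entries in peers.items():
            mirror = acls.get(peer, {}).get(dev, [])
            for local, remote in entries:
                if (remote, local) not in mirror:
                    missing.append((dev, peer, local, remote))
    return missing


def spoke_to_spoke_path(acls, hub, a, a_net, b, b_net):
    """Return the missing legs (device, peer, local, remote) among the four
    proxy IDs needed for a_net behind spoke a to reach b_net behind spoke b via the hub."""
    needed = [
        (a, hub, a_net, b_net),   # spoke a offers a_net -> b_net to the hub
        (hub, a, b_net, a_net),   # hub mirrors it toward spoke a
        (hub, b, a_net, b_net),   # hub offers a_net -> b_net toward spoke b
        (b, hub, b_net, a_net),   # spoke b mirrors it toward the hub
    ]
    return [leg for leg in needed
            if (leg[2], leg[3]) not in acls.get(leg[0], {}).get(leg[1], [])]


def nat_exemption_gaps(acls, device, exempt):
    """Crypto ACL entries on `device` that no NAT-exemption line covers.
    A wider exemption (supernet on both sides) counts as covering an entry."""
    gaps = []
    for peer, entries in acls[device].items():
        for local, remote in entries:
            l, r = net(local), net(remote)
            covered = any(l.subnet_of(net(el)) and r.subnet_of(net(er))
                          for el, er in exempt)
            if not covered:
                gaps.append((peer, local, remote))
    return gaps


def drop(acls, dev, peer, entry):
    """Deep copy of acls with one entry removed, to reproduce a partial rollout."""
    out = {d: {p: list(e) for p, e in ps.items()} for d, ps in acls.items()}
    out[dev][peer].remove(entry)
    return out


if __name__ == "__main__":
    good = full_mesh_config()
    print("mismatches, complete config:", mirror_mismatches(good))
    # Thread state (constructed): ASA, B and C updated, hub RemoteA not yet touched.
    partial = drop(good, "RemoteA", "ASA", ("10.100.7.0/24", "10.0.0.0/24"))
    partial = drop(partial, "RemoteA", "RemoteB", ("10.0.0.0/24", "10.100.7.0/24"))
    print("mismatches, hub untouched:", mirror_mismatches(partial))
    print("missing legs local->B:", spoke_to_spoke_path(
        partial, "RemoteA", "ASA", "10.0.0.0/24", "RemoteB", "10.100.7.0/24"))
    # nat 0 list with 10.100.7.0 pasted twice and 10.100.8.0 forgotten.
    exempt = [("10.0.0.0/24", "10.100.6.0/24"),
              ("10.0.0.0/24", "10.100.7.0/24"),
              ("10.0.0.0/24", "10.100.7.0/24")]
    print("nat0 gaps on ASA:", nat_exemption_gaps(good, "ASA", exempt))
```

With the hub untouched, the checker flags exactly the two legs the thread is missing (RemoteA toward the ASA and RemoteA toward RemoteB), and the NAT check catches the duplicated 10.100.7.0 line leaving 10.100.8.0 un-exempted, which on a pre-8.3 ASA means the 10.100.8.0 traffic is translated before it reaches the crypto map and never triggers the tunnel.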

Thanks Jennifer, I do already have the ACL configured on the ASA. But the remote routers are Drayteks; they don't have ACLs. They seem to handle this spoke-to-spoke traffic in a different manner to Cisco. I guess I'm looking for someone who has experience with Drayteks to direct me.

On the Cisco side, I have already tried ACLs for the VPN and also static routes, to no avail.

I do have spoke-to-spoke traffic working to another customer who has Cisco gear. And this customer here has spoke-to-spoke working across Drayteks. But we can't get spoke-to-spoke traffic to work across a combination of Cisco and Draytek.

All you need to do in the Draytek router is to add in the corresponding remote subnet on the existing VPN connection.

For Remote B and C, add an extra subnet to the remote subnet list for the VPN towards Remote A.

For Remote A, it might be slightly more complicated, but the concept is the same as per my post earlier.

You might want to check at the Draytek forum for further assistance on the Draytek router.