cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
361
Views
9
Helpful
8
Replies
Highlighted
Beginner

Help!! ASA 5505 VPN to VPN traffic.....

I have an ASA 5505 (v8.2) at a site we'll call HQ, and another ASA 5505 at a site we'll call Colo.  The 2 sites are successfully connected via an IPSec Site to Site VPN.  I also have remote users sucessfully connecting to site HQ via IPSec Remote Access VPN (using Cisco client).

My issue:  I need to allow remote users connecting to HQ access to Colo through the existing Site to Site VPN.

Attached are my configs.  What am I missing?  Are my NAT statements incorrect?  Access Lists ?  As you can see, I've already done:

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

8 REPLIES 8
Highlighted

Your config looks good, Try by adding below command on HQ. Also post the logs from your HQ ASA.

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route

With Regards,

Safwan

Highlighted

Hi Safwan,

I tried that command on HQ, but still nothing.  Any other thoughts?  What is the best way to capture the logs for this issue?

Highlighted

just run the logs? What I suspect is the issue that there is no translation rule configured for vpn pool on outside interface to outside interface and hence traffic is dropping.

Just check the log having source as 10.10.11.x to your colo network. IF it says no translation found, try adding

static (outside,outside) 10.10.11.0 10.10.11.0 netmask 255.255.255.0

Logging may be enabled by

logging enable

logging level 7

and then try to generate traffic from your client towards colo.

to stop do:

un all

Highlighted

Hi Nitin,  I tried adding that command as well...but no luck.  Here is a debugging log when I attempted to ping from VPN client (10.10.11.0) to Colo (172.16.16.0)

-------------------------------------

Highlighted

I see a mismatch in crypto acl:

On HQ:

access-list outside_1_cryptomap extended permit ip 10.10.10.0 255.255.255.0 Colospace_Network_172.16.16.0 255.255.255.0

access-list outside_1_cryptomap extended permit ip Colospace_Network_172.16.16.0 255.255.255.0 10.10.11.0 255.255.255.0

access-list outside_1_cryptomap extended permit ip 10.10.11.0 255.255.255.0 Colospace_Network_172.16.16.0 255.255.255.0

There is no need of the second line

access-list outside_1_cryptomap extended permit ip Colospace_Network_172.16.16.0 255.255.255.0 10.10.11.0 255.255.255.0

as Colospace network is remote and not local.

Highlighted

Thanks for your help!  I had to grapple with a split-dns issue but it's up and running.  Thanks!

Highlighted

Clear the crypto the tunnel using below command, because whatever change you are making its not applied untill you re initiate the tunnel.

clear crypto isakmp sa

clear crypto ipsec sa

note: do it for both HQ and colo

With Regards,

Safwan

Highlighted

Got it, Thanks!