07-06-2016 07:44 AM
Here is the situation. I have a PTP tunnel from Site A to Site B. At Site B I have an S2S VPN tunnel to Site C. I need to get traffic from Site A to Site C. I did find this thread below:
https://supportforums.cisco.com/discussion/12302901/how-pass-traffic-one-s2s-vpn-site-through-asa-another-s2s-vpn-site
I guess I would like to know if this is the only way to go about doing it or if there would be a better route to take. There is a diagram attached for visual.
Note: Site B to C requires NAT.
Site A - ASA5510
Site B - ASA5510
Site C - ASA5400
07-11-2016 09:33 AM
Running packet tracer for U-turn decrypted traffic would not be useful, and the packet is not exactly treated as arrived from the tunnel. Try to bring the tunnel up and then see if the traffic passes through.
You can see the traffic being encrypted/decrypted using the command: show crypto ipsec sa peer <peer ip> if the tunnel is up.
HTH,
Abaji.
07-11-2016 10:44 AM
Abaji,
Attached is a packet trace initiated on the HUB ASA using interface HUB-PUB (instead of SiteA_PTP interface) to simulate traffic from SiteA to Site C in order to bring up the tunnel. Below that is the crypto ipsec output. There is no traffic being encrypted because it's searching for input from HUB-PUB instead of SiteA_PTP.
When attempting the packet-trace through SiteA_PTP (after the tunnel is up) there is still no traffic.
Additionally, attempting a ping from SiteA server to SiteC Client continues to fail.
Any thoughts or what I should check next?
***EDIT***
After getting the tunnel up and attempting the packet trace from SiteA IP to SiteC on the SiteA ASA, it is now going through successfully. Odd thing is that the tunnel is showing as down on the HUB and the SiteA server still cannot ping the SiteC client.
07-11-2016 08:55 AM