
How to pass traffic from a PTP VPN tunnel to a L2L VPN tunnel co-located at 1 site.

Here is the situation. I have a PTP tunnel from Site A to Site B. At Site B I have an S2S VPN tunnel to Site C. I need to get traffic from Site A to Site C. I did find this thread below:

I guess I would like to know if this is the only way to go about doing it or if there would be a better route to take. There is a diagram attached for visual.

Note: Site B to C requires NAT. 

Site A - ASA5510

Site B - ASA5510

Site C - ASA5400


Running packet tracer for U-turn decrypted traffic would not be useful and the packet is not exactly treated as having arrived from the tunnel. Try to bring the tunnel up and then see if the traffic passes through.

You can see the traffic being encrypted/decrypted using the command: show crypto ipsec sa peer <peer ip> if the tunnel is up.




Attached is a packet trace initiated on the HUB ASA using interface HUB-PUB (instead of SiteA_PTP interface) to simulate traffic from SiteA to Site C in order to bring up the tunnel. Below that is the crypto ipsec output. There is no traffic being encrypted because it's searching for input from HUB-PUB instead of SiteA_PTP.

When attempting the packet-trace through SiteA_PTP (after the tunnel is up) there is still no traffic. 
Additionally, attempting a ping from SiteA server to SiteC Client continues to fail. 

Any thoughts or what I should check next?

After getting the tunnel up and attempting the packet trace from SiteA IP to SiteC on the SiteA ASA, it is now going through successfully. Odd thing is that the tunnel is showing as down on the HUB and the SiteA server still cannot ping the SiteC client.


Attached is the SiteB (HUB) config if you wouldn't mind taking a look at it. Please let me know if you are unclear on anything; I was trying to get it done as soon as I could.
