how to route over site to site vpn?

action711
Level 1

Hi All,

I have built a site-to-site VPN between a 5505 and 5510 (headend). I am on site at the 5505 end.

I can see the tunnel is up. The network statements used to build the tunnel were the /16 networks for each site, so 10.203.0.0/16 for the remote site, and 10.200.0.0/16 for the headend.

But I cannot ping across the tunnel. How does it work? There is no route on either ASA to the other side of the tunnel, so how does traffic know how to get to the other side?

I tried creating a static route pointing to the 5505's next hop (outside interface), and on the 5510 a route outside 10.203.0.0 pointing to its outside interface next hop, but still no ping response.

Then I thought there must be some internal invisible secret route inherent to a VPN tunnel, so I pointed traffic to the remote site from the core switch to the inside interface of the headend firewall, but still no ping response.

It's driving me crazy. I've spent a week trying to get this up over a 4G connection with no success, then the PSTN DSL line arrived, and I got the VPN up over that, but now I can't route...

 

Accepted Solution

zackmci
Cisco Employee

Have you added NAT exemptions for those networks you are trying to send across the tunnel?

Is there any way you could include the configs you are using?

http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/nat_bypassing.html

Thanks,

Zack

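To make the accepted answer concrete, here is an added example (constructed for this page, not configuration from the thread or from Cisco's documentation) of what the NAT exemption and the related pieces look like on the headend 5510 for the two /16s in the question. It assumes an ASA release with 8.3-style NAT (8.4(2) or later for the `route-lookup` keyword), interfaces named `inside` and `outside`, and a placeholder next hop of 203.0.113.1; the object names and ACL names are invented.

```cisco
! Headend ASA 5510 (constructed example, 8.3+ NAT syntax; names are assumed)
object network HQ-LAN
 subnet 10.200.0.0 255.255.0.0
 ! ordinary Internet traffic from the LAN is PAT'd to the outside address
 nat (inside,outside) dynamic interface
object network REMOTE-LAN
 subnet 10.203.0.0 255.255.0.0
!
! NAT exemption (identity twice-NAT): traffic from the local /16 to the remote
! /16 keeps its real source address, so it still matches the crypto ACL instead
! of being PAT'd to the outside IP and missing the tunnel. Manual NAT rules
! (section 1) are evaluated before object NAT (section 2), so this wins.
nat (inside,outside) source static HQ-LAN HQ-LAN destination static REMOTE-LAN REMOTE-LAN no-proxy-arp route-lookup
!
! Crypto ACL ("interesting traffic"). The 5505 needs the mirror image:
! permit ip 10.203.0.0 255.255.0.0 10.200.0.0 255.255.0.0
access-list L2L-TRAFFIC extended permit ip 10.200.0.0 255.255.0.0 10.203.0.0 255.255.0.0
!
! No specific route to 10.203.0.0/16 is needed: the default route sends the
! packet toward the outside interface, the crypto map on that interface matches
! it against L2L-TRAFFIC, and it is encrypted to the peer from there.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! Decrypted tunnel traffic bypasses the outside interface ACL only while
! "sysopt connection permit-vpn" (the default) is enabled; if it was turned
! off, the outside ACL must also permit 10.203.0.0/16 -> 10.200.0.0/16.
!
! Pre-8.3 form of the same exemption (what the linked nat_bypassing guide uses):
!   access-list NONAT extended permit ip 10.200.0.0 255.255.0.0 10.203.0.0 255.255.0.0
!   nat (inside) 0 access-list NONAT
!
! Verification from the CLI: packet-tracer walks a simulated ping through the
! NAT and VPN phases and reports which one drops it.
!   packet-tracer input inside icmp 10.200.1.10 8 0 10.203.1.10 detailed
!   show crypto ipsec sa      (encaps and decaps counters should both rise)
```

If packet-tracer shows the packet being translated to the outside address in the NAT phase, the exemption is missing or ordered after another rule; if it reaches the VPN phase but only the encaps counter rises, the problem is on the far side.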

4 Replies


Yes, there is a NAT exempt statement; it was created as I went through the wizard to create the VPN. It states that anything on the inside interface going to the remote subnet is exempt from NAT.

 

What devices are you trying to ping from and to?

Could you include the output from "show crypto isakmp sa" and "show crypto ipsec sa"?

Do you have any ACLs in place on either the 5505 or the 5510? If so, is there any chance that they are explicitly or implicitly denying ICMP traffic across the tunnel?