06-12-2013 02:45 AM
Greetings,
I am practicing setting up VPNs and I seem to have run into a small issue whose solution evades me. Everything is working in my current topology except for a multi-site VPN. I have 3 ASAs whose outside interface is connected through a switch. The inside interface is connected to a local network that contains one workstation on each subnet. I am trying to set up a solution where I can have all 3 ASAs connected to each other through VPNs. The issue I have is that when I bring one tunnel up, by pinging a workstation behind the ASA, I can't bring up a second tunnel by pinging a different network. To explain better, here is an explanation:
ASA #1
outside: 10.0.1.1/24
inside: 192.168.0.1/24
workstation: 192.168.0.100
ASA #2
outside: 10.0.1.2/24
inside: 192.168.1.1/24
workstation: 192.168.1.100
ASA #3
outside: 10.0.1.3/24
inside: 192.168.2.1/24
workstation: 192.168.2.100
If I ping 192.168.1.100 from 192.168.0.100, the tunnel opens fine and I get replies. If I then try and ping 192.168.2.100 from 192.168.0.100, the tunnel to 192.168.2.0 doesn't open. If I clear all SAs on ASA #1 and then ping 192.168.2.100 from 192.168.0.100, the tunnel opens fine and I get a reply. Then I try and ping 192.168.1.100 from 192.168.0.100 and the same thing happens, no tunnel and no reply. When I enabled logging on ASA #1 it seems as though it's sending the ping request for the different network over the tunnel that is open instead of opening a new tunnel to the correct network. Can anyone tell me what is going on here and if I just missed something simple with the routing? Or is this perhaps a VPN issue?
06-17-2013 02:56 AM
Craig,
You have the default route configured wrong on all ASAs. Here is what you have configured:
ASA1
route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
This is sending packets meant for the outside to an inside IP address. Here is what you need to do on all ASAs:
ASA1
no route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
route outside 0.0.0.0 0.0.0.0 10.0.1.2
ASA2
no route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
route outside 0.0.0.0 0.0.0.0 10.0.1.1
ASA3
no route outside 0.0.0.0 0.0.0.0 192.168.2.1 1
route outside 0.0.0.0 0.0.0.0 10.0.1.1
Also remove icmp from the crypto access list, as you have allowed IP in the same access list. IP covers ICMP as well.
Kindly let me know if changing the default route helps.
Regards,
Varinder
P.S. Please mark this post as 'Answered' if you find the above information helpful so that it brings goodness to other community users
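The two defects called out in the answer (a default route whose next hop sits on the inside subnet rather than the outside one, and an icmp entry in the crypto ACL that a permit ip entry already covers) are both things a config lint pass can catch before a tunnel ever fails to come up. The following Python script is an added example written for this thread, not code from the thread or from Cisco: it parses the route and access-list lines in ASA syntax, checks each static route's next hop against the subnet of the interface it names and against the device's own addresses, and reports protocol-specific ACEs shadowed by a broader permit ip. The interface addresses and route lines are taken from the posts above; the crypto ACL is constructed here because the thread does not show the real one.

```python
import ipaddress

# Interface addressing of each ASA as given in the original question.
INTERFACES = {
    "ASA1": {"outside": "10.0.1.1/24", "inside": "192.168.0.1/24"},
    "ASA2": {"outside": "10.0.1.2/24", "inside": "192.168.1.1/24"},
    "ASA3": {"outside": "10.0.1.3/24", "inside": "192.168.2.1/24"},
}

# Static default routes as the poster had them (next hop on the inside subnet)
# and as corrected in the accepted answer.
BROKEN_ROUTES = {
    "ASA1": ["route outside 0.0.0.0 0.0.0.0 192.168.0.1 1"],
    "ASA2": ["route outside 0.0.0.0 0.0.0.0 192.168.1.1 1"],
    "ASA3": ["route outside 0.0.0.0 0.0.0.0 192.168.2.1 1"],
}
FIXED_ROUTES = {
    "ASA1": ["route outside 0.0.0.0 0.0.0.0 10.0.1.2"],
    "ASA2": ["route outside 0.0.0.0 0.0.0.0 10.0.1.1"],
    "ASA3": ["route outside 0.0.0.0 0.0.0.0 10.0.1.1"],
}

# Constructed crypto ACL for ASA1 (hypothetical; the thread never shows it).
# The icmp entry duplicates what the first ip entry already permits.
CRYPTO_ACL = [
    "access-list vpn extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0",
    "access-list vpn extended permit icmp 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0",
    "access-list vpn extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0",
]


def parse_route(line):
    """Parse 'route <iface> <network> <mask> <gateway> [metric]' into its parts."""
    parts = line.split()
    if len(parts) < 5 or parts[0] != "route":
        raise ValueError(f"not a static route: {line!r}")
    iface, net, mask, gw = parts[1:5]
    dest = ipaddress.ip_network(f"{net}/{mask}", strict=False)
    return iface, dest, ipaddress.ip_address(gw)


def audit_routes(device, route_lines):
    """Return findings for static routes whose next hop is unreachable via the named interface."""
    local = {name: ipaddress.ip_interface(addr) for name, addr in INTERFACES[device].items()}
    findings = []
    for line in route_lines:
        iface, dest, gw = parse_route(line)
        if iface not in local:
            findings.append(f"{device}: route names unknown interface {iface}")
            continue
        # The gateway must be on the directly connected subnet of that interface.
        if gw not in local[iface].network:
            findings.append(
                f"{device}: next hop {gw} for {dest} is not on {iface} subnet {local[iface].network}")
        # A gateway equal to one of the device's own addresses can never forward traffic.
        for name, addr in local.items():
            if gw == addr.ip:
                findings.append(f"{device}: next hop {gw} is the device's own {name} address")
    return findings


def parse_ace(line):
    """Parse 'access-list <name> extended permit <proto> <src> <smask> <dst> <dmask>'."""
    p = line.split()
    if len(p) < 9 or p[0] != "access-list" or p[2:4] != ["extended", "permit"]:
        raise ValueError(f"unsupported ACE: {line!r}")
    src = ipaddress.ip_network(f"{p[5]}/{p[6]}", strict=False)
    dst = ipaddress.ip_network(f"{p[7]}/{p[8]}", strict=False)
    return p[1], p[4], src, dst


def redundant_aces(acl_lines):
    """Report protocol-specific entries already covered by a 'permit ip' entry in the same ACL."""
    aces = [parse_ace(line) for line in acl_lines]
    ip_entries = [(n, s, d) for n, proto, s, d in aces if proto == "ip"]
    findings = []
    for name, proto, src, dst in aces:
        if proto == "ip":
            continue
        for n, s, d in ip_entries:
            if n == name and src.subnet_of(s) and dst.subnet_of(d):
                findings.append(
                    f"{name}: permit {proto} {src} -> {dst} is already covered by permit ip {s} -> {d}")
                break
    return findings


if __name__ == "__main__":
    for dev in INTERFACES:
        for finding in audit_routes(dev, BROKEN_ROUTES[dev]) + audit_routes(dev, FIXED_ROUTES[dev]):
            print(finding)
    for finding in redundant_aces(CRYPTO_ACL):
        print(finding)
```

Run as-is, the script reports two findings per ASA for the broken routes (next hop off the outside subnet, and equal to the ASA's own inside address), nothing for the corrected routes, and one shadowed icmp entry in the constructed ACL. The same checks apply to any static route: if the gateway is not on the connected subnet of the interface the route names, the ASA has nowhere to send the packet regardless of what the crypto map says.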
06-12-2013 03:17 AM
Hi Craig,
Looks like it is a VPN issue. Hope you have your crypto map with the correct access list in order. Can you send the show run of ASA 1 and 2?
Regards,
Varinder
06-17-2013 01:09 AM