Not passing traffic of 3 subnets through L2L tunnel out of 4 subnets

Praful Soni
Level 1

I have two sites connected with an L2L tunnel using Cisco PIX firewalls, as below:

Site A: local subnet 172.16.0.0/16

Site B: local subnets 172.16.0.0/16, 192.168.11.0/24, 192.168.12.0/24, 192.168.13.0/24

To establish reachability of the one duplicate subnet on both sites, I have done static NAT on both sides as below:

Site A: 172.16.0.0/16 NAT 10.39.0.0/16

Site B: 172.16.0.0/16 NAT 10.38.0.0/16

Now, after establishing the tunnel and access-list, I am able to reach 10.39.0.0/16 from Site A and 10.38.0.0/16 from Site B, and vice versa. At the same time I am able to reach Site A (10.39.0.0/16) from Site B (all 4 subnets), but I am not able to reach the Site B subnets (192.168.11.0/24, 192.168.12.0/24, 192.168.13.0/24) from Site A (172.16.0.0/16).

Can you please suggest the required solution? I guess I am missing something at the Site A firewall.

Find below the tunnel configuration for your review.

 

Firewall : A
————————————————————————
! Remote (Site B) networks as seen from Site A: B's three unique subnets plus B's NATed 172.16.0.0/16
object-group network AAA
 network-object 192.168.11.0 255.255.255.0
 network-object 192.168.12.0 255.255.255.0
 network-object 192.168.13.0 255.255.255.0
 network-object 10.38.0.0 255.255.0.0
!
! Crypto ACL: interesting traffic is matched on the post-NAT source 10.39.0.0/16
access-list new extended permit ip 10.39.0.0 255.255.0.0 object-group AAA
! Policy NAT: 172.16.0.0/16 is translated to 10.39.0.0/16 only when the destination is 10.38.0.0/16
access-list policy-nat extended permit ip 172.16.0.0 255.255.0.0 10.38.0.0 255.255.0.0
static (inside,outside) 10.39.0.0 access-list policy-nat
!
! Phase 2 (IPsec) transform set and crypto map
crypto ipsec transform-set CISCO esp-des esp-md5-hmac
crypto map outside_map 20 match address new
crypto map outside_map 20 set peer 88.85.x.x
crypto map outside_map 20 set transform-set CISCO
crypto map outside_map interface outside
!
crypto isakmp identity address
crypto isakmp enable outside
!
! Phase 1 (ISAKMP) policy
crypto isakmp policy 65535
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
!
tunnel-group 88.85.x.x type ipsec-l2l
tunnel-group 88.85.x.x ipsec-attributes
 pre-shared-key ****

 

Firewall : B
————————————————————————
! Local (Site B) networks: the three unique subnets plus B's own 172.16.0.0/16 as NATed to 10.38.0.0/16
object-group network AAA
 network-object 192.168.11.0 255.255.255.0
 network-object 192.168.12.0 255.255.255.0
 network-object 192.168.13.0 255.255.255.0
 network-object 10.38.0.0 255.255.0.0
!
! Crypto ACL: mirror of Site A's, matched on the post-NAT addresses
access-list new extended permit ip object-group AAA 10.39.0.0 255.255.0.0
! Policy NAT: 172.16.0.0/16 is translated to 10.38.0.0/16 only when the destination is 10.39.0.0/16
access-list policy-nat extended permit ip 172.16.0.0 255.255.0.0 10.39.0.0 255.255.0.0
static (inside,outside) 10.38.0.0 access-list policy-nat
!
! Phase 2 (IPsec) transform set and crypto map
crypto ipsec transform-set CISCO esp-des esp-md5-hmac
crypto map outside_map 20 match address new
crypto map outside_map 20 set peer 103.6.x.x
crypto map outside_map 20 set transform-set CISCO
crypto map outside_map interface outside
!
crypto isakmp identity address
crypto isakmp enable outside
!
! Phase 1 (ISAKMP) policy
crypto isakmp policy 65535
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
!
tunnel-group 103.6.x.x type ipsec-l2l
tunnel-group 103.6.x.x ipsec-attributes
 pre-shared-key ****

3 Replies

jan.nielsen
Level 7

From your config it looks like you are not doing NAT when trying to reach 192.168.11.0, 192.168.12.0 and 192.168.13.0, so firewall B will receive a packet from A through the VPN with 172.16.x.x as source, which is local to the B firewall as well, in which case the return packet won't be sent through the VPN tunnel. All traffic from firewall A to B will need to be NATed to something not known locally in firewall B.

Thanks Jan for your input.

But please note that only one subnet is duplicated (after NAT it is reachable) and the other 3 subnets are unique on both sides. So I hope NAT for those subnets is not required.

One more input here is that the firewall at Site B is directly connected to the 172.16.0.0/16 subnet, whereas the other subnets are connected to an MPLS router, which is in turn connected to the WAN port of the firewall.

So as per my understanding, traffic for the 3 subnets is coming IN on the WAN port and also going OUT on the same port.

We are trying to put in one switch, connecting 2 different physical ports of the firewall, and diverting traffic of the unreachable subnets to ETH3 of the firewall.

Please suggest if you find anything missing/wrong in the config.

 

Can you post the route table of both firewalls? It would make this a lot easier. Also, you say the 3 other subnets are unique on both sides, but in your first post you say there is only 172.16.0.0/16 on Site A?
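As an added illustration of Jan's first reply and of the follow-up about the subnets arriving on the WAN port (this is an editor's example, not configuration from the thread, and nothing here was applied at either site): the fragment below shows the Firewall A policy-NAT entry from the original post beside a corrected one that translates 172.16.0.0/16 to 10.39.0.0/16 for every Site B destination in object-group AAA. With the posted entry, only traffic to 10.38.0.0/16 is translated, so a packet for 192.168.11.0/24 leaves with source 172.16.x.x, never matches crypto ACL new (which requires a 10.39.0.0/16 source) and is not sent through the tunnel; after the change every flow to AAA carries a 10.39.x.x source and the existing crypto ACLs on both sides already cover it. Assumptions: PIX/ASA 7.x syntax as in the posted configuration, the object-group and ACL names from the post, that both peers can negotiate AES/SHA-1 (the esp-des/md5 transform set in the post is a weak choice and is swapped out here as a suggestion, not something the thread confirms), and that the Site B subnets really do enter and leave Firewall B through the outside interface as the follow-up describes.

```cisco
! Added example, not configuration from the thread.
! Firewall A (Site A). Assumes PIX/ASA 7.x syntax and the names from the original post.
!
! --- As posted: only traffic to 10.38.0.0/16 is policy-NATed, so packets for
! --- 192.168.11.0/24, 192.168.12.0/24 and 192.168.13.0/24 keep source 172.16.x.x
! --- and never match crypto ACL "new".
! access-list policy-nat extended permit ip 172.16.0.0 255.255.0.0 10.38.0.0 255.255.0.0
! static (inside,outside) 10.39.0.0 access-list policy-nat
!
! --- Corrected: policy-NAT 172.16.0.0/16 -> 10.39.0.0/16 for every Site B destination.
! Remove the narrower entry first so it does not sit ahead of the new one in the ACL.
no access-list policy-nat extended permit ip 172.16.0.0 255.255.0.0 10.38.0.0 255.255.0.0
access-list policy-nat extended permit ip 172.16.0.0 255.255.0.0 object-group AAA
static (inside,outside) 10.39.0.0 access-list policy-nat
! Existing translations are built from the old rule; rebuild them.
clear xlate
!
! Crypto ACL "new" is unchanged: with the NAT above, every flow to AAA now carries the
! 10.39.x.x source it requires, and Firewall B's ACL (AAA -> 10.39.0.0/16) already
! covers the return direction.
! access-list new extended permit ip 10.39.0.0 255.255.0.0 object-group AAA
!
! Optional hardening (assumption: both peers support AES and SHA-1; DES and MD5 are
! obsolete). Change both peers at the same time or the tunnel will not come up.
crypto ipsec transform-set CISCO esp-aes-256 esp-sha-hmac
crypto isakmp policy 65535
 encryption aes-256
 hash sha
!
! Firewall B (Site B), only if the 192.168.x subnets sit behind the MPLS router on the
! outside interface as described in the follow-up: decrypted VPN traffic then has to be
! routed back out the interface it arrived on, which PIX/ASA 7.x blocks by default.
same-security-traffic permit intra-interface
!
! Verification on Firewall A after a test ping from 172.16.x.x to 192.168.11.x:
! show xlate             -> expect a 172.16.x.x -> 10.39.x.x entry for that host
! show crypto ipsec sa   -> expect a 10.39.0.0/16 <-> 192.168.11.0/24 SA with
!                           non-zero encaps and decaps counters
! show access-list new   -> hitcnt on the 192.168.11.0 line should increase
```

If Firewall B runs with nat-control enabled, the 192.168.x subnets also need a NAT exemption or identity translation toward 10.39.0.0/16; the thread shows no NAT for them beyond the policy static, so that part is left open here. The route tables Jan asked for would settle which interface on B actually owns those subnets and therefore whether the intra-interface line is needed at all.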