07-24-2014 01:49 AM
We have an issue where we are using public IP addresses on our LAN and have set up a site-to-site VPN to our data center. We wish Internet traffic to break out at the data center using the original IP addresses on our PCs. We are able to get to the Internet if we PAT behind the outside interface of the data center ASA, but can't get it to work using the original addressing. Does anybody have any suggestions? This worked OK when we were using a GRE tunnel, but not with the IPsec VPN.
Thanks.
07-24-2014 02:02 AM
Hi,
So you are saying that you have a public subnet on your central site and the central site has a connection to a datacenter with a L2L VPN connection (that the public subnet on the central site is using) and you want all traffic from the public subnet on your central site to first use the L2L VPN and then head out to the Internet through the datacenter?
My first question with regards to this would be related to the routing of the public subnet. Does the ISP at the datacenter site have the public subnet routed towards the datacenter VPN device? I would imagine that the actual central site ISP was advertising this public subnet to be found on your central site?
You say doing Dynamic PAT on the datacenter for the central site's public subnet makes the connection to the Internet work through the L2L VPN? This would again point to a problem that the actual public subnet is not advertised on the Internet to be found through your datacenter ISP and the VPN device located there?
Naturally there is a slight chance that a NAT configuration, or the lack of a NAT configuration, on the datacenter site might cause the connections to fail towards the Internet. Though usually there is no NAT configuration that applies to traffic from "outside" to "outside", so that traffic should usually pass without NAT. But again we don't know what devices are being used, and if they are ASAs we don't know the exact software levels running on those units.
So at first it seems to me to be a routing problem but I can't really say for sure on the basis of the above.
- Jouni
07-24-2014 02:15 AM
Thanks Jouni,
So you are saying that you have a public subnet on your central site and the central site has a connection to a datacenter with a L2L VPN connection (that the public subnet on the central site is using) and you want all traffic from the public subnet on your central site to first use the L2L VPN and then head out to the Internet through the datacenter?
This is correct, don't ask why we do this, I just know I need to make it work :)
My first question with regards to this would be related to the routing of the public subnet. Does the ISP at the datacenter site have the public subnet routed towards the datacenter VPN device? I would imagine that the actual central site ISP was advertising this public subnet to be found on your central site?
Yes, the ISP is routing the LAN (public IP addresses) to the data center Internet connection, which terminates on our ASA. This worked with our old GRE tunnel, but when we upgraded to a site-to-site VPN it stopped. The link between the central site and the data centre uses a different set of public addresses.
You say doing Dynamic PAT on the datacenter for the central site's public subnet makes the connection to the Internet work through the L2L VPN? This would again point to a problem that the actual public subnet is not advertised on the Internet to be found through your datacenter ISP and the VPN device located there?
As above, the ISP is routing our LAN addresses to the data centre site, and we are using a different subnet to communicate between the site and the data center.
Naturally there is a slight chance that a NAT configuration, or the lack of a NAT configuration, on the datacenter site might cause the connections to fail towards the Internet. Though usually there is no NAT configuration that applies to traffic from "outside" to "outside", so that traffic should usually pass without NAT. But again we don't know what devices are being used, and if they are ASAs we don't know the exact software levels running on those units.
We are using Cisco ASAs at each site and are running 9.1.5 or newer.
So at first it seems to me to be a routing problem but I can't really say for sure on the basis of the above.
I can confirm we can reach the data center ASA using the original addressing across the VPN, but Internet-bound traffic is failing.
07-24-2014 02:41 AM
Hi,
Since we are talking about a L2L VPN connection, and the fact that the traffic is coming from "outside" to "outside", it's probably not an option to use the "packet-tracer" command, as the ASA cannot really simulate a packet that is incoming from a VPN connection.
But it seems to me that if just adding Dynamic PAT on the datacenter site makes it work, then you probably have the L2L VPN portion correctly configured. I presume that part of the Crypto ACL is configured like this on the ASAs:
access-list CENTRAL-TO-DC permit ip <public subnet> <mask> any
access-list DC-TO-CENTRAL permit ip any <public subnet> <mask>
As the above should make sure that all public IP addresses should be reached through the L2L VPN. I am actually not sure whether you can have "deny" statements on a Crypto ACL to rule out any possible private/local networks.
I guess I would personally start troubleshooting this by
The above should be something to start with.
Hope this helps :)
- Jouni
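The following is an added example, not configuration posted by either participant: a datacenter-side ASA 9.1 fragment that puts the crypto ACL shape Jouni describes next to the two other pieces this hairpin design depends on (permitting traffic to enter and leave the same interface, and keeping the central site's public subnet untranslated), plus the capture you can use in place of packet-tracer, which cannot simulate VPN-sourced packets. All addresses are constructed RFC 5737 documentation prefixes; the interface, object, ACL and crypto-map names are assumptions, not the thread's.

```cisco
! Added example (constructed, not from the thread). Datacenter ASA, software 9.1.
!   203.0.113.0/24  central site's public LAN (reached through the L2L VPN)
!   198.51.100.1    central site's ASA peer address (the separate "link" subnet)
!   192.0.2.1       this ASA's outside address
!
! Decrypted tunnel traffic arrives on "outside" and must leave on "outside" again
! towards the Internet; without this, the ASA drops same-interface traffic.
same-security-traffic permit intra-interface

object network CENTRAL-PUBLIC-LAN
 subnet 203.0.113.0 255.255.255.0

! Crypto ACL, datacenter side: everything destined to the central public LAN is
! tunnel traffic (mirror of the central site's "permit ip <public subnet> any").
access-list DC-TO-CENTRAL extended permit ip any 203.0.113.0 255.255.255.0

crypto ipsec ikev1 transform-set AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address DC-TO-CENTRAL
crypto map OUTSIDE-MAP 10 set peer 198.51.100.1
crypto map OUTSIDE-MAP 10 set ikev1 transform-set AES256-SHA
crypto map OUTSIDE-MAP interface outside
crypto ikev1 enable outside

tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 ikev1 pre-shared-key <PSK-PLACEHOLDER>

! NAT. Outside-to-outside traffic is normally left alone (Jouni's point); this
! identity rule only matters if another rule on this box would otherwise catch it,
! and it is what keeps the original central-site addresses on the Internet side.
nat (outside,outside) source static CENTRAL-PUBLIC-LAN CENTRAL-PUBLIC-LAN
!
! For comparison, the workaround the original poster has working today (PAT to the
! outside interface address), which hides the original addresses:
! nat (outside,outside) source dynamic CENTRAL-PUBLIC-LAN interface

! Checks. packet-tracer cannot originate a packet "from inside the tunnel", so
! capture on the outside interface instead and watch for the central subnet in
! both directions; then confirm the SA counters move and which NAT rule matched.
capture HAIRPIN interface outside match ip 203.0.113.0 255.255.255.0 any
show capture HAIRPIN
show crypto ipsec sa peer 198.51.100.1
show nat detail
```

When reading the capture, the expected pattern for a working hairpin is a decrypted packet from 203.0.113.x to the Internet host, followed by the reply to 203.0.113.x arriving on the same interface; if the reply never appears, the problem is upstream routing of the public subnet rather than the ASA, which is the routing question raised earlier in the thread.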