10-10-2014 06:02 AM - edited 02-21-2020 07:52 PM
Hi,
we are facing some strange problems with a VPN connection.
We have three networks:
The destination network (172.16.0.0/24), the network of our headquarters (192.168.50.0/24) and the network of our branch (192.168.60.0/24).
In the headquarters we are using an ASA 5515 and in the branch an ASA 5505. Unfortunately we don't have administrative access to the firewall of the destination.
Both the headquarters and the destination have static IPs and are connected with a Site-to-Site VPN - everything works fine.
The branch has a dynamic IP and is connected with a Remote Access VPN to the headquarters. This VPN also works without problems.
Now I'd like to give the branch access to the destination network.
On the branch ASA I added a new traffic selection to the existing VPN tunnel (Branch <-> Headquarters):
(Source: 192.168.60.0/24, Destination: 172.16.0.0/24)
On the headquarters I also added a new traffic selection to the existing tunnel (Headquarters <-> Destination):
(Source: 192.168.60.0/24, Destination: 172.16.0.0/24)
Now the strange thing happens:
I can ping the destination from the headquarters.
As soon as I start pinging a device in the destination network from the branch, the headquarters ping stops. Now I can access the destination network from the branch but no longer from the headquarters. Only when I delete the traffic selection on the headquarters ASA and apply the settings is everything back to normal: the ping from the branch stops and the ping from the headquarters starts again.
Any ideas?
10-15-2014 01:53 AM
I suspect you did not configure symmetric traffic selectors on headquarters, branch and destination.
On branch:
192.168.60.0/24 ---> 192.168.50.0/24
192.168.60.0/24 ---> 172.16.0.0/24
On headquarters:
To branch:
192.168.50.0/24 ---> 192.168.60.0/24
172.16.0.0/24 ---> 192.168.60.0/24
To destination:
192.168.50.0/24 ---> 172.16.0.0/24
192.168.60.0/24 ---> 172.16.0.0/24
On destination:
172.16.0.0/24 ---> 192.168.50.0/24
172.16.0.0/24 ---> 192.168.60.0/24
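The symmetry rule in this reply can be checked mechanically: for every selector (local, remote) on one end of a tunnel, the other end must carry (remote, local). The script below is an added example, not from the thread or from Cisco; it models the selectors the poster described (the destination firewall is assumed to still hold only the original headquarters entry, since nobody in the thread can see its configuration) and reports, per tunnel, which mirror entries are missing. Peer names such as "hq->branch" are labels chosen here, not ASA identifiers.

```python
"""Audit IPsec traffic selectors (crypto ACL entries) for symmetry.

Constructed example for the thread: the peer labels and selector lists
model the poster's description, not a real configuration.
"""
from ipaddress import ip_network

# A selector is (local_subnet, remote_subnet) as written on that peer.
SELECTORS = {
    # Branch ASA, tunnel to headquarters (both entries the poster has)
    "branch->hq": [("192.168.60.0/24", "192.168.50.0/24"),
                   ("192.168.60.0/24", "172.16.0.0/24")],
    # Headquarters ASA, tunnel to branch (nothing was added here)
    "hq->branch": [("192.168.50.0/24", "192.168.60.0/24")],
    # Headquarters ASA, tunnel to destination (poster added the 60.0 entry)
    "hq->destination": [("192.168.50.0/24", "172.16.0.0/24"),
                        ("192.168.60.0/24", "172.16.0.0/24")],
    # Assumed: the destination firewall, which the poster cannot administer,
    # still carries only the original headquarters selector.
    "destination->hq": [("172.16.0.0/24", "192.168.50.0/24")],
}

# Which two peer-side selector lists form one tunnel.
TUNNELS = [("branch->hq", "hq->branch"),
           ("hq->destination", "destination->hq")]


def normalize(selectors):
    """Parse prefixes so '172.16.0.0 /24' style typos do not hide matches."""
    return {(ip_network(a.replace(" ", "")), ip_network(b.replace(" ", "")))
            for a, b in selectors}


def missing_mirrors(side_a, side_b):
    """Return the (local, remote) entries side_b must add so that every
    selector on side_a has its mirror. Empty list means side_b is complete."""
    have_b = normalize(side_b)
    needed = {(r, l) for l, r in normalize(side_a)}  # mirror of each A entry
    return sorted((str(l), str(r)) for l, r in needed - have_b)


def check_tunnel(config, a, b):
    """Check one tunnel in both directions; keys name the side with gaps."""
    return {
        f"missing on {b}": missing_mirrors(config[a], config[b]),
        f"missing on {a}": missing_mirrors(config[b], config[a]),
    }


def audit(config, tunnels):
    """Return {tunnel: {side: [entries to add]}} with complete sides omitted."""
    report = {}
    for a, b in tunnels:
        gaps = check_tunnel(config, a, b)
        report[f"{a} <-> {b}"] = {k: v for k, v in gaps.items() if v}
    return report


if __name__ == "__main__":
    for tunnel, gaps in audit(SELECTORS, TUNNELS).items():
        print(tunnel, "OK" if not gaps else gaps)
```

Run as-is, the report shows the two gaps the reply points at: the headquarters side of the branch tunnel lacks 172.16.0.0/24 ---> 192.168.60.0/24, and so does the destination firewall. The first can be fixed by the poster; the second is what the following reply works around with NAT.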
10-15-2014 06:21 AM
Hi smiller_81,
Since you do not have administrative rights on the destination firewall, you cannot modify the tunnel configuration.
So you include a permit for traffic from the branch to the destination LAN segment, and similarly, from the headquarters side, you permit the destination to the branch LAN segment, i.e. as tunnel-bound traffic normally would.
This is where the magic takes place.
You need a dynamic policy NAT on your ASA, such as below.
! Branch LAN as seen inside the headquarters <-> branch tunnel
object network branch-subnet
subnet 192.168.60.0 255.255.255.0
! Destination LAN (a single subnet, so a network object rather than an object-group)
object network destination-lan
subnet 172.16.0.0 255.255.255.0
! Spare headquarters address that the branch is translated to; it already
! matches the destination's existing 172.16.0.0/24 <-> 192.168.50.0/24 selector
object network headquarter-unused-ip
host 192.168.50.5
! Required for traffic that enters and leaves the same (outside) interface
same-security-traffic permit intra-interface
nat (outside,outside) source dynamic branch-subnet headquarter-unused-ip destination static destination-lan destination-lan
Let me know if this makes sense to you.
Thanks
Rizwan Rafeek