06-10-2015 08:21 AM
Hi,
I configured a Site to Site VPN using the inside interface of an ASA (9.4.1).
1. I can use remote desktop on 10.0.0.1, for example.
2. The other way, from 10.0.0.1, when I try to use remote desktop on 192.168.1.1, traffic is not routed over the VPN.
Log: "Build inbound TCP connection for inside:10.0.0.1/1539 to outside:192.168.1.1/3389"
In case 1 (when it worked), it said "Build inbound TCP connection for inside:192.168.1.1/2039 to inside:10.0.0.1/3389"
To fix it, I had to add a specific route on the ASA: 192.168.1.0/24 on inside.
Then it works both ways.
Is that a normal behaviour?
I thought that cryptomap and IPSec SPI would be enough.
Thanks,
Patrick
06-10-2015 12:07 PM
Yes, because the cryptomap is mapped to the egress interface. The route look-up happens before you hit the cryptomap. The reverse way works because you already have a connection (in which the interfaces to use are defined).
06-10-2015 06:43 PM
Adding to what Marcel correctly noted, almost all the configuration guides you will see (and 99%+ of the installed base I have seen) terminate the VPN on the outside interface. In those cases the default route takes care of sending the traffic out encapsulated in the VPN.
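The lookup order described in the two answers above, as an added example that is not part of the original posts and is not ASA code: a simplified Python model in which the route lookup picks the egress interface first and the crypto map is only consulted if it is bound to that interface. The interface names and 192.168.1.0/24 come from the thread; the 10.0.0.0/24 prefix, the crypto ACL and all function names are assumptions, and the existing-connection case (the reverse direction) is not modelled.

```python
import ipaddress

# Constructed sample data. 192.168.1.0/24 and the interface names come from the
# thread; the 10.0.0.0/24 prefix length and the ACL are assumptions.
CRYPTO_IF = "inside"                               # interface the crypto map is bound to
CRYPTO_ACL = [("10.0.0.0/24", "192.168.1.0/24")]   # interesting traffic as (src, dst)
ROUTES_BEFORE = [("0.0.0.0/0", "outside"), ("10.0.0.0/24", "inside")]
ROUTES_AFTER = ROUTES_BEFORE + [("192.168.1.0/24", "inside")]  # the fix from the thread


def egress_interface(routes, dst):
    """Longest-prefix match: interface of the most specific route covering dst."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, ifname in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best[1] if best else None


def matches_crypto_acl(src, dst):
    """True if the flow is 'interesting traffic' for the tunnel."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in ipaddress.ip_network(a) and d in ipaddress.ip_network(b)
               for a, b in CRYPTO_ACL)


def forward_new_flow(routes, src, dst):
    """Fate of a NEW connection: the route lookup runs first, and the crypto
    map is only consulted if the chosen egress interface carries it."""
    out_if = egress_interface(routes, dst)
    if out_if is None:
        return (None, "dropped")
    if out_if == CRYPTO_IF and matches_crypto_acl(src, dst):
        return (out_if, "encrypted")
    return (out_if, "clear")


if __name__ == "__main__":
    for label, routes in (("before", ROUTES_BEFORE), ("after", ROUTES_AFTER)):
        print(label, forward_new_flow(routes, "10.0.0.1", "192.168.1.1"))
```

With the default route only, the flow is handed to the outside interface and never reaches the crypto map, which matches the "inside:10.0.0.1/1539 to outside:192.168.1.1/3389" log line; a log showing tunnel-bound traffic built toward an interface without the crypto map is the thing to check for.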
06-10-2015 11:54 PM
Thanks to both of you for your quick answers!