[Site-to-Site VPN] Are explicit route to the remote LAN necessary?

Patrick Tran
Level 1

Hi, 

I configured Site to Site VPN using inside interface of ASA (9.4.1)

1. From a computer in Zone 1 (192.168.1.1), I can access the whole Intranet and it works without problem --> all traffic is going through the VPN.

I can use remote desktop on 10.0.0.1, for example.

2. The other way round, from 10.0.0.1, I try to use remote desktop on 192.168.1.1, and the traffic is not routed over the VPN.

Log : "Build inbound TCP connection for inside:10.0.0.1/1539 to outside:192.168.1.1/3389"

In case 1 (when it worked), it said "Build inbound TCP connection for inside:192.168.1.1/2039 to inside:10.0.0.1/3389"

To fix it, I had to add a specific route on the ASA: 192.168.1.0/24 on inside.

Then it works both ways.

Is that normal behaviour?

I thought that the crypto map and IPsec SPI would be enough.

Thanks,

Patrick

2 Accepted Solutions

Marcel Maeder
Level 4

Yes, because the cryptomap is mapped to the egress interface. The route look-up happens before you hit the cryptomap. The reverse way works because you already have a connection (in which the interfaces to use are defined).

Marvin Rhoads
Hall of Fame

Adding to what Marcel correctly noted, almost all the configuration guides you will see (and 99%+ of the installed base I have seen) terminate the VPN on the outside interface. In those cases the default route takes care of sending the traffic out encapsulated in the VPN.

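To make the two answers concrete, here is a constructed ASA configuration fragment (added here as an illustration; it is not from the thread or from Cisco documentation). It shows a crypto map bound to the inside interface, the static route that sends the remote LAN 192.168.1.0/24 back towards inside so the route lookup lands on the interface that owns the crypto map, and a packet-tracer check. The peer address, next hop, interface address, transform set and pre-shared key are placeholders, not values from the thread.

```cisco
! Constructed example: site-to-site IPsec terminated on the INSIDE interface (ASA 9.x syntax)
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.254 255.255.255.0        ! placeholder ASA inside address
!
! Traffic that arrives on inside and must leave on inside (hairpin) is dropped unless
! intra-interface traffic is permitted; the working log in the thread shows exactly
! such an inside -> inside flow.
same-security-traffic permit intra-interface
!
! Interesting traffic: local 10.0.0.0/24 <-> remote 192.168.1.0/24
access-list VPN_TRAFFIC extended permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
!
crypto ikev1 enable inside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes-256 esp-sha-hmac
!
! The crypto map is evaluated only on the egress interface chosen by the route lookup.
crypto map INSIDE_MAP 10 match address VPN_TRAFFIC
crypto map INSIDE_MAP 10 set peer 10.0.0.10         ! placeholder peer address
crypto map INSIDE_MAP 10 set ikev1 transform-set ESP-AES-SHA
crypto map INSIDE_MAP interface inside
!
tunnel-group 10.0.0.10 type ipsec-l2l                ! placeholder peer address
tunnel-group 10.0.0.10 ipsec-attributes
 ikev1 pre-shared-key PLACEHOLDER_PSK
!
! Without this route, 192.168.1.0/24 follows the default route to outside, where no
! crypto map matches (the thread's "inside:10.0.0.1 ... to outside:192.168.1.1" log line).
! With it, the egress interface is inside and the crypto map applies.
route inside 192.168.1.0 255.255.255.0 10.0.0.10 1   ! placeholder next hop
!
! Verification from the ASA CLI: the trace should end in an ALLOW with a VPN/encrypt
! phase and inside as the output interface, rather than routing the flow to outside.
packet-tracer input inside tcp 10.0.0.1 1539 192.168.1.1 3389
```

If NAT rules apply to the inside interface, a NAT exemption (identity NAT between the two LANs) is also needed so the packet still matches the crypto ACL after NAT; that is omitted above for brevity. The general rule illustrated is the one Marcel states: the routing decision picks the egress interface first, and only that interface's crypto map is consulted, which is why a route for the remote LAN is needed whenever the VPN terminates somewhere other than the interface the default route already points to.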
3 Replies

Thanks to both of you for your quick answer!
