Site to Site VPN Routing question

Murray Bown
Level 1

I am trying to troubleshoot a Site-To-Site VPN routing issue. I am trying to understand how the routing process works for Site-To-Site VPN traffic to and from the local LAN and the rest of the corporate network. For instance, looking at the attached drawing, how does the traffic from the 10.184.2.x local network route to the 10.252.x.x network on the remote site and back again? Again, how will the traffic from the 10.150.x.x network get to the 10.252.x.x site?

Thanks for any help.

Murray

6 Replies

Marvin Rhoads
Hall of Fame

No drawing is attached, but...

Generally, how site-site VPN routing works is that the local site presents traffic to the ASA inside interface, usually as the default route. The ASA does not have a specific route for the remote subnets but rather an access-list that is called in a cryptomap with the associated remote site peer public IP defined. It's that public peer IP that the ASA routes to, usually via its default route (via its outside interface and public IP address).

The remote site's ASA has the obverse (a mirror-image access list called by its cryptomap).

Marvin, thanks for the explanation. Below is a layout of the network I am working on.

Here is the output showing the cryptomap:

access-list site2site_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 object net-DC_10.252.0.0_16
crypto map site2site_map1 1 match address site2site_cryptomap

How can I add access for the 10.15.x.x and the 10.64.x.x networks?

Running a packet-tracer from the 10.184.x.x network to 10.252.x.x works fine, but not from 10.150.x.x or 10.64.x.x.

What networks comprise your object-group DM_INLINE_NETWORK_1? I assume that's from the right-hand ASA.

Do you have the 10.252.0.0/16 destination included in the left-hand ASA's access-list?

(BTW the DM_INLINE objects are created when you simply add the subnets in ASDM GUI access-list entry (ACE) without first defining the groups. It's easier in the long term - if you ever inspect the configuration file directly - to create object groups with more self-explanatory human readable names and then use them in the ACE.)

This is the config of the DM_INLINE_NETWORK_1:

object-group network DM_INLINE_NETWORK_1
 network-object object NETWORK_OBJ_10.184.0.0_24

I guess I should add an entry for the 10.150.x.x and the 10.64.x.x networks to the DM_INLINE_NETWORK_1 object?

"Do you have the 10.252.0.0/16 destination included in the left-hand ASA's access-list?" Sorry I should have said that the Left-hand firewall is a checkpoint device and yes the 10.252.0.0/16 destination is included.

Yes, the networks behind the Checkpoint that come in via that site-site VPN will need to "hairpin" back into the other site-site VPN leading to the 10.252.0.0/16 network.

Of course the firewall at the 10.252.0.0/16 site also needs to have the 10.150.x.x/26 and 10.64.x.x/26 networks in its cryptomap / access-list (plus they should be exempted from NAT) associated with the ASA peer at your corporate network site. There should already be a NAT exemption for those networks in your corporate ASA based on the corporate-remote site VPN, but I mention that just for completeness' sake.
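The point of the last two replies is that a flow only enters the tunnel when the crypto map's access-list, after expanding its object-groups, matches the source and destination. As an added example (not from this thread, the poster's configuration or Cisco), here is a Python checker that does that expansion the way packet-tracer's pass/fail results above suggest, and lists which local subnets the crypto ACL still does not cover; the ASA fragment is constructed from the lines quoted in the thread, with the /24 and /26 subnet sizes assumed.

```python
import ipaddress
# Constructed ASA-style fragment, not the poster's full config: names follow the
# thread, subnet sizes are assumed (/24 per the object name, /26 per the reply above).
ASA_CONFIG = """\
object network NETWORK_OBJ_10.184.0.0_24
 subnet 10.184.0.0 255.255.255.0
object network net-DC_10.252.0.0_16
 subnet 10.252.0.0 255.255.0.0
object-group network DM_INLINE_NETWORK_1
 network-object object NETWORK_OBJ_10.184.0.0_24
access-list site2site_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 object net-DC_10.252.0.0_16
crypto map site2site_map1 1 match address site2site_cryptomap
"""

def parse_config(config):
    # Collect network objects, object-groups and 'permit ip' ACEs, keyed by name.
    objects, groups, acls, cur = {}, {}, {}, None
    for p in (line.split() for line in config.splitlines()):
        if p[:2] == ["object", "network"]:
            cur = objects.setdefault(p[2], [])
        elif p[:2] == ["object-group", "network"]:
            cur = groups.setdefault(p[2], [])
        elif p[:1] == ["subnet"]:
            cur.append(ipaddress.ip_network(f"{p[1]}/{p[2]}"))
        elif p[:1] == ["network-object"]:  # 'object NAME' or 'A.B.C.D MASK'
            cur.append(p[2] if p[1] == "object" else ipaddress.ip_network(f"{p[1]}/{p[2]}"))
        elif p[:1] == ["access-list"] and p[2:5] == ["extended", "permit", "ip"]:
            acls.setdefault(p[1], []).append(p[5:])
    return objects, groups, acls
def expand(tokens, objects, groups):
    # Resolve one ACE address operand to networks; also return the leftover tokens.
    if tokens[0] == "object":
        return list(objects[tokens[1]]), tokens[2:]
    if tokens[0] == "object-group":  # members are object names or networks
        return [n for m in groups[tokens[1]] for n in (objects[m] if isinstance(m, str) else [m])], tokens[2:]
    return [ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}")], tokens[2:]
def acl_permits(config, acl_name, src_ip, dst_ip):
    # True if src->dst matches the crypto map ACL, i.e. the ASA would send it into the tunnel.
    objects, groups, acls = parse_config(config)
    src, dst = ipaddress.ip_address(str(src_ip)), ipaddress.ip_address(str(dst_ip))
    for ace in acls.get(acl_name, []):
        srcs, rest = expand(ace, objects, groups)
        dsts, _ = expand(rest, objects, groups)
        if any(src in n for n in srcs) and any(dst in n for n in dsts):
            return True
    return False
def uncovered_sources(config, acl_name, lan_prefixes, remote_ip):
    # LAN prefixes whose first host is not matched: what still has to be added to the ACL.
    return [pfx for pfx in lan_prefixes if not acl_permits(config, acl_name, next(ipaddress.ip_network(pfx).hosts()), remote_ip)]
```

Running the same check against the remote site's crypto ACL, with the operands swapped, shows whether the return path is covered there too.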

Marvin, you've been a great help with your answers. I do have to admit that I may not have given you the full picture.

You mention that the "Checkpoint that come in via that site-site VPN will need to "hairpin" back into the other site-site VPN leading to the 10.252.0.0/16 network." The fact is that the CheckPoint and the Site-Site VPN come into the ASA on different interfaces, and the CheckPoint is connected via a small LAN, so I would think that would change the configuration somewhat?