Cisco Community
English
Register
The War in Ukraine - Supporting customers, partners and communities. LEARN MORE
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
392
Views
0
Helpful
3
Replies
Jean Paul Enerst
Participant
Participant
‎10-17-2012 11:42 AM
‎10-17-2012 11:42 AM

Subnet Through VPN

Hi All,

             I can't reach one of your subnet through the VPN.... the design as per below

Site A(1.1.1.0/24) >> Site B(2.2.2.0) >>>> Site C(Data Center(3.3.3.0/24))

Site A  is connected to site B through L-2L VPN and everything works juste fine

Site  B and Site C also works as well.  To get to site C subnets from Site A  need to be Natted at Site B

When ping 3.3.3.1 at site A, the last hop is the VPN router at site A. Eventhough, there is a route and subnet is permited the ACL for interresting traffic. The routes in site A  send traffic to the other end of the VPN(Site B), but  the traffic never can there. And yes, there is a route back on site B to send traffic back to Site A, ACL for interresting traffic is also in place.

Thanks all, and any help will be greatly appreciate

Labels:
0 Helpful
3 REPLIES 3
Harish Balakrishnan
Enthusiast
Enthusiast
‎10-18-2012 09:23 AM
‎10-18-2012 09:23 AM

Hello Jean,

How  is Site A and Site C connected with Site B, Is it using same interface to terminate VPN on Site B or different interface,

Would you be able to post the configuration of all the firewalls, so that it will be easy to understand and troubleshoot

regards

Harish

0 Helpful
Jean Paul Enerst
Participant
Participant
In response to Harish Balakrishnan
‎10-18-2012 02:31 PM
‎10-18-2012 02:31 PM

Hi Harrish,

Before all thanks for your help... Site A is connected to site via L2L vpn tunnel and Site B has dedicated 50M link to site site. Therefore, site A and site C are not directly connected, traffic has to pas via Site B.

With tha being said, i have done fore troubleshooting in got the result below. Let says that i am trying to reach 1.1.1.1 from site A to site C. Site A just send the packet down to the IPSEC tunnel right?

Ping  from Site A FW to 1.1.1.1 is sucess full;

Ping from Site A Core router to 1.1.1.1 is successfull;

Ext Ping from the VPN the VPN router at site A from f0/1 is successfull. Howver, ping from the f0/0 on the same router is failling!! Log from Site A FW is below... with syslog code 106014

Deny inbound icmp src DMZ1:10.xxx.1.x dst inside:x.0.x.xx7 (type 8, code 0)

This DMZ1 is only between the VPN router and the FW, and there is a NAT in the FW to NAT  x.2 to global.

Now with one terface can ping successfully 1.1.1.1, it can't be neither a routing issue nor a ACL for interresting traffic in the Crypto map, could it ?

Thanks,

0 Helpful
Julio Carvajal
Advisor
Advisor
In response to Jean Paul Enerst
‎10-18-2012 08:00 PM
‎10-18-2012 08:00 PM

Hello Jean Paul,

So Site B has 2 VPN l2l tunnels ( one going to Site A and one going to Site C)

Can you share the 3 asas configuration, without that it would be hard to help you.

All you want to do is to be able to reach site C from Site A and backwards ( Of course that traffic will need to flow through site  B)

That being said post the configuration and from witch subnet to witch subnet the traffic needs to be allowed/......

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful
Latest Contents
Cisco Champion Radio:S9|E20 Protection for Your Enterprise-C...
Created by Amilee San Juan on 05-25-2022 02:54 PM
0
0
0
0
Listen: https://smarturl.it/CCRS9E20Follow us: https://twitter.com/CiscoChampion  With over one trillion email scams per year, more than 22 billion records were exposed by data breaches in 2021. Phishing attacks are clearly on the rise, and they’re e... view more
DOT1X IOS commands overview
Created by Meddane on 05-21-2022 03:14 PM
0
0
0
0
Radius server configuration for 802.1X   Server radius test1 Address ipv4 10.1.1.1 Key 1234 ! Server radius test2 Address ipv4 10.1.1.2 Key 1234 ! aaa group server radius TEST-gr  server name test1  server name test2 !      &... view more
Umbrella’s cloud-delivered firewall (CDFW)
Created by Meddane on 05-21-2022 03:04 PM
0
0
0
0
Umbrella’s cloud-delivered firewall (CDFW) is a cool features that provides Firewall Services in the Cisco Umbrella Cloud without the need to deploy on-premises firewall devices and visibility and control for internet traffic across all branch offices. To... view more
GRE over IPSec Crypto map versus Tunnel Protection (IPsec Pr...
Created by Meddane on 05-21-2022 03:01 PM
0
0
0
0
GRE over IPSec Crypto map   int tunnel 1ip add 172.16.1.1 255.255.255.0tunnel source G0/0tunnel destination 2.2.2.2!access-list 100 permit gre host 1.1.1.1 host 2.2.2.2!crypto ipsec transform-set TS esp-aes esp-sha-hmac!crypto map TESTset peer 2.2.2.... view more
ISE URL Redirection on IOS-XE
Created by Mohsin_Mohamed on 05-20-2022 01:04 PM
0
0
0
0
SymptomsDownloadable ACL (dACL) does not take effect on the IOS-XE Network Access DevicesDiagnosisCreating redirection ACL on the IOS-XE device failed to redirect the specified traffic for captive portal redirectionSolutionEnable device tracking, Below is... view more
Ask a Question
Create
+ Discussion
+ Blog
+ Document
+ Video
+ Project Story
Find more resources
Discussions
Blogs
Documents
Events
Videos
Project Gallery
New Community Member Guide
Related support document topics
Recognize Your Peers
Spotlight Award Nomination
Content for Community-Ad