Jean Paul Enerst
Participant

Subnet Through VPN

Hi All,

I can't reach one of the subnets through the VPN. The design is as below:

Site A(1.1.1.0/24) >> Site B(2.2.2.0) >>>> Site C(Data Center(3.3.3.0/24))

Site A is connected to Site B through an L2L VPN and everything works just fine.

Site B and Site C also work fine. To get to Site C subnets from Site A, traffic needs to be NATted at Site B.

When I ping 3.3.3.1 from Site A, the last hop is the VPN router at Site A, even though there is a route and the subnet is permitted in the ACL for interesting traffic. The routes in Site A send traffic to the other end of the VPN (Site B), but the traffic never gets there. And yes, there is a route back on Site B to send traffic back to Site A, and the ACL for interesting traffic is also in place.

Thanks all, and any help will be greatly appreciated.

3 Replies
Harish Balakrishnan
Enthusiast

Hello Jean,

How are Site A and Site C connected with Site B? Is it using the same interface to terminate the VPN on Site B or different interfaces?

Would you be able to post the configuration of all the firewalls, so that it will be easier to understand and troubleshoot?

Regards,

Harish

Hi Harish,

First of all, thanks for your help. Site A is connected to Site B via an L2L VPN tunnel, and Site B has a dedicated 50M link to Site C. Therefore, Site A and Site C are not directly connected; traffic has to pass via Site B.

With that being said, I have done more troubleshooting and got the results below. Let's say that I am trying to reach 1.1.1.1 from Site A to Site C. Site A just sends the packet down the IPsec tunnel, right?

Ping from Site A FW to 1.1.1.1 is successful;

Ping from Site A core router to 1.1.1.1 is successful;

Extended ping from the VPN router at Site A sourced from f0/1 is successful. However, ping from f0/0 on the same router is failing!! The log from the Site A FW is below, with syslog code 106014:

Deny inbound icmp src DMZ1:10.xxx.1.x dst inside:x.0.x.xx7 (type 8, code 0)

This DMZ1 is only between the VPN router and the FW, and there is a NAT in the FW to NAT x.2 to global.

Now, since one interface can ping 1.1.1.1 successfully, it can't be a routing issue or an ACL issue for interesting traffic in the crypto map, could it?

Thanks,
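The reply above hinges on one ASA syslog line (message 106014). When several interfaces or hosts are involved, it helps to pull the interface pair, addresses and ICMP type out of a batch of such lines rather than reading them one by one. The following is an added example, not code from this thread or from Cisco: a small parser for 106014 messages run over constructed sample lines (addresses are RFC 5737 documentation ranges, not the poster's), which counts ICMP denies per source-interface/destination-interface/ICMP-type path. Message 106014 is logged when the ASA drops an inbound ICMP packet that nothing permits (ACL or ICMP inspection); the sample format follows the line quoted in the thread.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not from the original thread).
SAMPLE_LOGS = [
    "%ASA-3-106014: Deny inbound icmp src DMZ1:10.0.1.2 dst inside:192.0.2.7 (type 8, code 0)",
    "%ASA-3-106014: Deny inbound icmp src DMZ1:10.0.1.2 dst inside:192.0.2.7 (type 8, code 0)",
    "%ASA-3-106014: Deny inbound icmp src outside:198.51.100.9 dst inside:192.0.2.20 (type 8, code 0)",
    # Unrelated message (connection built); the parser must ignore it.
    "%ASA-6-302020: Built inbound ICMP connection for faddr 10.0.1.2/0 gaddr 192.0.2.7/0 laddr 192.0.2.7/0",
]

# Field layout of %ASA-x-106014 as quoted in the thread:
#   Deny inbound icmp src <if>:<ip> dst <if>:<ip> (type N, code M)
LINE_RE = re.compile(
    r"%ASA-\d-106014: Deny inbound icmp "
    r"src (?P<src_if>[^:\s]+):(?P<src_ip>\S+) "
    r"dst (?P<dst_if>[^:\s]+):(?P<dst_ip>\S+) "
    r"\(type (?P<type>\d+), code (?P<code>\d+)\)"
)

# ICMP type names for the types that matter when troubleshooting ping.
ICMP_TYPES = {0: "echo-reply", 3: "unreachable", 8: "echo-request", 11: "time-exceeded"}


def parse_106014(line):
    """Return a dict of fields for a 106014 line, or None for any other message."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["type"] = int(rec["type"])
    rec["code"] = int(rec["code"])
    rec["type_name"] = ICMP_TYPES.get(rec["type"], "other")
    return rec


def summarize_denies(lines):
    """Count denied ICMP packets per (src_if, dst_if, icmp_type) path.

    A high count on a single path (e.g. DMZ1 -> inside, echo-request) points at
    the interface pair whose ACL or inspection policy needs review.
    """
    counts = Counter()
    for line in lines:
        rec = parse_106014(line)
        if rec is not None:
            counts[(rec["src_if"], rec["dst_if"], rec["type"])] += 1
    return counts
```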

Hello Jean Paul,

So Site B has 2 L2L VPN tunnels (one going to Site A and one going to Site C).

Can you share the 3 ASAs' configurations? Without that it would be hard to help you.

All you want to do is be able to reach Site C from Site A and back (of course that traffic will need to flow through Site B).

That being said, post the configuration and from which subnet to which subnet the traffic needs to be allowed.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC