10-17-2012 11:42 AM
Hi All,
I can't reach one of your subnets through the VPN. The design is as per below:
Site A (1.1.1.0/24) >> Site B (2.2.2.0) >>>> Site C (Data Center, 3.3.3.0/24)
Site A is connected to Site B through an L2L VPN and everything works just fine.
Site B and Site C also work as well. To get to Site C subnets from Site A, traffic needs to be NATed at Site B.
When I ping 3.3.3.1 from Site A, the last hop is the VPN router at Site A, even though there is a route and the subnet is permitted in the ACL for interesting traffic. The routes in Site A send traffic to the other end of the VPN (Site B), but the traffic never gets there. And yes, there is a route back on Site B to send traffic back to Site A; the ACL for interesting traffic is also in place.
Thanks all, and any help will be greatly appreciated.
10-18-2012 09:23 AM
Hello Jean,
How are Site A and Site C connected with Site B? Is it using the same interface to terminate the VPN on Site B, or different interfaces?
Would you be able to post the configuration of all the firewalls, so that it will be easier to understand and troubleshoot?
Regards,
Harish
10-18-2012 02:31 PM
Hi Harish,
Before all, thanks for your help... Site A is connected to Site B via an L2L VPN tunnel, and Site B has a dedicated 50M link to Site C. Therefore, Site A and Site C are not directly connected; traffic has to pass via Site B.
With that being said, I have done more troubleshooting and got the results below. Let's say that I am trying to reach 1.1.1.1 from Site A to Site C. Site A just sends the packet down the IPsec tunnel, right?
Ping from Site A FW to 1.1.1.1 is successful;
Ping from Site A core router to 1.1.1.1 is successful;
Extended ping from the VPN router at Site A sourced from f0/1 is successful. However, ping from f0/0 on the same router is failing!! Log from Site A FW is below, with syslog code 106014:
Deny inbound icmp src DMZ1:10.xxx.1.x dst inside:x.0.x.xx7 (type 8, code 0)
This DMZ1 is only between the VPN router and the FW, and there is a NAT in the FW to NAT x.2 to global.
Now that one interface can ping 1.1.1.1 successfully, it can't be either a routing issue or an ACL for interesting traffic in the crypto map, could it?
Thanks,
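As an added illustration (this is not from the thread and not any poster's configuration), the following Python model walks a packet along the hub-and-spoke path being discussed: Site A encrypts toward Site B if the flow is in its crypto ACL, Site B translates the Site A source before the link to Site C, Site C replies to the translated address, and Site B must then find the un-translated reply in its own crypto ACL to send it back into the tunnel. It also reports crypto ACL entries that the peer does not mirror. The subnets follow the first post; the /24 on Site B's subnet, the host 1.1.1.10, and the 10.200.0.0/24 NAT pool at Site B are assumptions made for the example.

```python
"""Hub-and-spoke IPsec sanity model: crypto ACL mirror check plus NAT at the hub.

Constructed example, not taken from the thread's devices. Addresses follow the
thread (1.1.1.0/24 at Site A, 3.3.3.0/24 at Site C); the /24 on 2.2.2.0 and the
NAT pool 10.200.0.0/24 are assumptions.
"""
import ipaddress


def ace(src, dst):
    """One crypto-ACL entry: (source network, destination network)."""
    return (ipaddress.ip_network(src), ipaddress.ip_network(dst))


def is_interesting(acl, src_ip, dst_ip):
    """True when src->dst matches some entry of the crypto ACL (would be encrypted)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(s in src and d in dst for src, dst in acl)


def missing_mirrors(local_acl, remote_acl):
    """Entries of local_acl with no exact (dst, src) mirror on the remote peer."""
    remote = {(dst, src) for src, dst in remote_acl}
    return [entry for entry in local_acl if entry not in remote]


def nat_outbound(ip, inside_net, pool_net):
    """Static net-to-net translation: same host offset, new prefix (assumed NAT style)."""
    offset = int(ipaddress.ip_address(ip)) - int(inside_net.network_address)
    return str(pool_net.network_address + offset)


def nat_inbound(ip, inside_net, pool_net):
    """Reverse of nat_outbound, applied to replies arriving from Site C."""
    offset = int(ipaddress.ip_address(ip)) - int(pool_net.network_address)
    return str(inside_net.network_address + offset)


def trace_flow(site_a_acl, site_b_acl, src_ip, dst_ip, inside_net, pool_net):
    """Follow src->dst from Site A through Site B to Site C and back; list problems."""
    problems = []
    # 1. Site A: the flow must match A's crypto ACL or it never enters the tunnel.
    if not is_interesting(site_a_acl, src_ip, dst_ip):
        problems.append(f"Site A: {src_ip}->{dst_ip} not in crypto ACL, not tunnelled")
    # 2. Site B decrypts, then translates the Site A source before the link to C.
    natted_src = nat_outbound(src_ip, inside_net, pool_net)
    # 3. Site C replies to the translated address; Site B un-translates it.
    reply_dst = nat_inbound(natted_src, inside_net, pool_net)
    if reply_dst != src_ip:
        problems.append("Site B: NAT is not symmetric, reply cannot be untranslated")
    # 4. Site B: the un-translated reply must match B's crypto ACL to go back to A.
    if not is_interesting(site_b_acl, dst_ip, reply_dst):
        problems.append(f"Site B: {dst_ip}->{reply_dst} not in crypto ACL, reply dropped")
    # 5. Any entry on A that B does not mirror will show up as a proxy-ID mismatch.
    for src, dst in missing_mirrors(site_a_acl, site_b_acl):
        problems.append(f"proxy-ID mismatch: Site B lacks mirror of {src}->{dst}")
    return problems


# Constructed ACLs: Site A lists both the hub LAN and the data-center LAN.
SITE_A_ACL = [ace("1.1.1.0/24", "2.2.2.0/24"), ace("1.1.1.0/24", "3.3.3.0/24")]
# Broken hub: only its own LAN is interesting, so replies from Site C are not encrypted.
SITE_B_ACL_BROKEN = [ace("2.2.2.0/24", "1.1.1.0/24")]
# Fixed hub: Site C's subnet is mirrored toward Site A as well.
SITE_B_ACL_FIXED = SITE_B_ACL_BROKEN + [ace("3.3.3.0/24", "1.1.1.0/24")]
INSIDE = ipaddress.ip_network("1.1.1.0/24")
POOL = ipaddress.ip_network("10.200.0.0/24")  # assumed NAT pool at Site B


def check(site_b_acl):
    """Run the trace for a host at Site A pinging the data-center host 3.3.3.1."""
    return trace_flow(SITE_A_ACL, site_b_acl, "1.1.1.10", "3.3.3.1", INSIDE, POOL)


if __name__ == "__main__":
    for name, acl in (("broken hub", SITE_B_ACL_BROKEN), ("fixed hub", SITE_B_ACL_FIXED)):
        print(name, "->", check(acl) or "OK")
```

The point of the model is the one raised in the thread: a successful ping from one interface only proves the forward direction for that source; the return direction depends on the hub's crypto ACL and NAT seeing the same pair of networks in mirror image.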
10-18-2012 08:00 PM
Hello Jean Paul,
So Site B has 2 L2L VPN tunnels (one going to Site A and one going to Site C).
Can you share the 3 ASAs' configuration? Without that it would be hard to help you.
All you want to do is to be able to reach Site C from Site A and backwards (of course that traffic will need to flow through Site B).
That being said, post the configuration and from which subnet to which subnet the traffic needs to be allowed/...