VPN IPSec l2l and routing problem

na26
Level 1

Hi all,

I've set up a VPN between a c877 router and a third-party Linux box. The tunnel works fine and I'm able to reach both directly connected remote LANs.

In addition, behind the 877 I have an ASA with the outside interface connected directly to the 877 router and an inside interface connected to a switch with another LAN. From this LAN (192.168.0.0/24) I'm unable to reach the remote network behind the Linux box.

On the ASA I've added a static route to my remote net (192.168.14.0/24) through the c877 public IP (i.e. 1.1.1.1), and on the c877 I have a static route for 192.168.0.0/24 pointing to the ASA outside interface.

I attach a simple layout of my lab environment.

Thank you, kind regards,

Nicola

3 Replies

Julio Carvajal
VIP Alumni

Hello,

Do both sides of the tunnel include in the crypto ACL the traffic from the LAN behind the ASA and the LAN behind the Linux box as well?

Do you also have that traffic (from the LAN behind the ASA and the LAN behind the Linux box as well) in the no-NAT configuration?

Regards,

Rate all the helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
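The two questions above (is the flow in the crypto ACL on both peers, and is it exempt from NAT) can be checked mechanically. This is an added example, not code from the thread or from Cisco: it parses the IOS crypto ACL posted later for the c877, and models the Linux peer as a constructed list of (local, remote) subnet pairs in the style of strongSwan's leftsubnet/rightsubnet, since the thread never shows that side's configuration.

```python
"""Check that a site-to-site IPsec policy covers a flow on both peers.

Added example: the IOS ACL is the one posted for the c877; LINUX_POLICIES is
constructed (the Linux peer's real policy is not shown in the thread).
"""
import ipaddress
import re

IOS_CRYPTO_ACL = """
permit ip 172.16.255.0 0.0.0.255 192.168.14.0 0.0.0.255
permit ip 192.168.0.0 0.0.0.255 192.168.14.0 0.0.0.255
"""

# Constructed: a Linux peer that only knows about the 877's directly connected LAN.
LINUX_POLICIES = [("192.168.14.0/24", "172.16.255.0/24")]

_ACE = re.compile(r"permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")


def wildcard_to_network(addr, wildcard):
    """IOS ACLs use inverted masks: wildcard 0.0.0.255 means netmask /24."""
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ipaddress.IPv4Network(f"{addr}/{ipaddress.IPv4Address(mask)}", strict=False)


def parse_ios_acl(text):
    """Return (source, destination) network pairs for each 'permit ip' ACE."""
    pairs = []
    for m in _ACE.finditer(text):
        src, src_wc, dst, dst_wc = m.groups()
        pairs.append((wildcard_to_network(src, src_wc), wildcard_to_network(dst, dst_wc)))
    return pairs


def protected(pairs, src_ip, dst_ip):
    """True if a packet src -> dst matches any (local, remote) pair in that direction."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    return any(s in local and d in remote for local, remote in pairs)


def unmirrored(ios_pairs, linux_pairs):
    """ACEs the 877 will encrypt for which the Linux peer has no reversed policy."""
    linux = {(ipaddress.IPv4Network(l), ipaddress.IPv4Network(r)) for l, r in linux_pairs}
    return [(str(src), str(dst)) for src, dst in ios_pairs if (dst, src) not in linux]


if __name__ == "__main__":
    ios = parse_ios_acl(IOS_CRYPTO_ACL)
    print("ASA LAN -> remote LAN in 877 crypto ACL:", protected(ios, "192.168.0.10", "192.168.14.10"))
    for gap in unmirrored(ios, LINUX_POLICIES):
        print("crypto ACL entry with no mirror on the Linux peer:", gap)
```

With the constructed Linux policy, the script reports that the 192.168.0.0/24 entry is encrypted by the 877 but has no matching policy on the Linux side, which is exactly the asymmetry the question above is probing.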

Yes, on the 877 I've:

ip access-list extended Crypto-list
 permit ip 172.16.255.0 0.0.0.255 192.168.14.0 0.0.0.255
 permit ip 192.168.0.0 0.0.0.255 192.168.14.0 0.0.0.255

and on the ASA for no NAT:

nat (inside,outside) source static NETWORK_OBJ_192.168.0.0_24 NETWORK_OBJ_192.168.0.0_24 destination static obj_MBC_LAN obj_MBC_LAN no-proxy-arp route-lookup

object network obj_MBC_LAN
 subnet 192.168.14.0 255.255.255.0

Thank you, regards,

Hello,

Can you run a packet tracer from the ASA side?

packet-tracer input inside tcp 192.168.0.10 1025 192.168.14.10 80

Do it twice and post the output from the second try.

Regards,

Julio


Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC