01-19-2015 01:04 PM
Hello -- I've searched for hours and looked through tons of answers, but I just can't seem to get this to work. Due to an unfortunate situation, I've suddenly become the Administrator of our entire network instead of our domain servers. There's a problem I've been struggling with and I'm hoping you can help me out. I don't know anything about Cisco ASAs.
We have a multi-location network, all hooked up via VPN through multiple Cisco ASA 5505 devices. One of our sites has 2 VLANs going to 2 different subnets. The second site has just a single VLAN. The 2 sites are able to communicate with each other across the VPN, but site 2 can't ping any devices on the 2nd VLAN of the first site. I hope that's not too confusing. Here's a breakdown:
Site 1:
VLAN1 is the internal 10.10.1.0 subnet.
VLAN2 is the external LAN.
VLAN12 is the internal 10.10.12.0 subnet.
Site2:
VLAN1 is the internal 10.10.20.0 subnet
VLAN2 is the external LAN.
Site2 VLAN1 (10.10.20.1) is connected via VPN to Site1 VLAN1 (10.10.1.5). Site1 can ping 10.10.12.0 without issue. Site2 can ping 10.10.1.0 without issue. Site2 CANNOT ping 10.10.12.0. How can I get Site2 to be able to ping the 10.10.12.0 subnet at Site1?
Attached are my configurations -- I'm unsure if they're correct. I inherited this job unexpectedly. Thank you in advance for your help.
01-19-2015 01:55 PM
Add this to site one:
access-list 101 extended permit ip 10.10.12.0 255.255.255.0 10.10.20.0 255.255.255.0
access-list 150 extended permit ip 10.10.12.0 255.255.255.0 10.10.20.0 255.255.255.0
- - - - - - - - - - - - - - - - - - - - - - -- - - - - -
FYI...
remove this line from site two:
No private addresses traverse the public cloud without going via the tunnel; therefore your private permit lines have no use on outside_access_in.
access-list outside_access_in extended permit ip 10.10.12.0 255.255.255.0 any
- - - - - - - - - - - - - - - - - - - - - - -- - - - - -
Add these lines on site two.
access-list 109 extended permit ip 10.10.20.0 255.255.255.0 10.10.12.0 255.255.255.0
access-list 110 extended permit ip 10.10.20.0 255.255.255.0 10.10.12.0 255.255.255.0
Thanks
Rizwan Rafeek
01-19-2015 01:28 PM
The good news is that with a working VPN, the hard part is already done. You just need to tweak it a bit to allow the additional subnets across the tunnel.
A site-site VPN relies on a numbered access-list to determine what traffic is "interesting" and put into the tunnel for the distant end. We also exempt that traffic from NAT using an access list (which may or may not be the same one - yours do it both ways - see below).
So we determine the access list being used at each end and make sure the necessary subnet pairs appear in both of them. Site 2 should mirror site 1.
At site 1 you have:
access-list 150 extended permit ip 10.10.1.0 255.255.255.0 10.10.20.0 255.255.255.0
so you need to add:
access-list 150 extended permit ip 10.10.12.0 255.255.255.0 10.10.20.0 255.255.255.0
Also add that same line to access-list 101 since site 1 has multiple site-site VPNs that use a common access list for NAT exemptions:
nat (inside) 0 access-list 101
At site 2 you have:
access-list 109 extended permit ip 10.10.20.0 255.255.255.0 10.10.1.0 255.255.255.0
access-list 109 extended permit ip 10.10.20.0 255.255.255.0 10.10.80.0 255.255.255.0
access-list 109 extended permit ip 10.10.20.0 255.255.255.0 10.10.50.0 255.255.255.0
access-list 109 extended permit ip 10.10.20.0 255.255.255.0 10.10.14.0 255.255.255.0
access-list 109 extended permit ip 10.10.20.0 255.255.255.0 10.10.2.0 255.255.255.0
So just add:
access-list 109 extended permit ip 10.10.20.0 255.255.255.0 10.10.12.0 255.255.255.0
The NAT exemption will automatically be taken care of since it is using the same access-list already:
nat (inside) 0 access-list 109
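As an added example (not code from this thread or from Cisco), here is a small Python checker that applies the rule the answer above describes: parse the crypto ACL at each end, verify that site 2 mirrors site 1, and verify that every crypto entry also appears in the ACL referenced by `nat (inside) 0`. The configs are constructed from the lines quoted in this thread, with the site-1 150 entry and site-2 109 entry added but the 101 NAT-exemption entry still missing; the ACL names and the single-NAT-exemption assumption are simplifications.

```python
import ipaddress
import re

# Constructed sample configs: site 1 has the new 150 entry but not yet the
# matching 101 entry; site 2 uses one ACL (109) for both crypto and NAT 0.
SITE1_CONFIG = """
access-list 150 extended permit ip 10.10.1.0 255.255.255.0 10.10.20.0 255.255.255.0
access-list 150 extended permit ip 10.10.12.0 255.255.255.0 10.10.20.0 255.255.255.0
access-list 101 extended permit ip 10.10.1.0 255.255.255.0 10.10.20.0 255.255.255.0
nat (inside) 0 access-list 101
"""
SITE2_CONFIG = """
access-list 109 extended permit ip 10.10.20.0 255.255.255.0 10.10.1.0 255.255.255.0
access-list 109 extended permit ip 10.10.20.0 255.255.255.0 10.10.12.0 255.255.255.0
nat (inside) 0 access-list 109
"""

# Only the "permit ip <src> <mask> <dst> <mask>" form used in this thread is parsed.
ACE_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"^nat \(\S+\) 0 access-list (\S+)$")


def parse_acls(config):
    """Return ({acl_name: {(src_net, dst_net), ...}}, name of the NAT-exempt ACL)."""
    acls, nat_exempt = {}, None
    for line in config.strip().splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            name, src, smask, dst, dmask = m.groups()
            pair = (ipaddress.ip_network(f"{src}/{smask}"),
                    ipaddress.ip_network(f"{dst}/{dmask}"))
            acls.setdefault(name, set()).add(pair)
            continue
        m = NAT0_RE.match(line.strip())
        if m:
            nat_exempt = m.group(1)
    return acls, nat_exempt


def check_tunnel(site1_cfg, crypto1, site2_cfg, crypto2):
    """List subnet pairs missing from the crypto-ACL mirror or from NAT exemption."""
    acls1, nat1 = parse_acls(site1_cfg)
    acls2, nat2 = parse_acls(site2_cfg)
    fwd = acls1.get(crypto1, set())
    rev = {(d, s) for s, d in acls2.get(crypto2, set())}  # site 2 seen from site 1
    problems = []
    for s, d in fwd - rev:
        problems.append(f"site2 {crypto2} lacks mirror of {s} -> {d}")
    for s, d in rev - fwd:
        problems.append(f"site1 {crypto1} lacks {s} -> {d}")
    for s, d in fwd - acls1.get(nat1, set()):
        problems.append(f"site1 NAT exemption {nat1} lacks {s} -> {d}")
    for s, d in acls2.get(crypto2, set()) - acls2.get(nat2, set()):
        problems.append(f"site2 NAT exemption {nat2} lacks {s} -> {d}")
    return sorted(problems)
```

Running `check_tunnel(SITE1_CONFIG, "150", SITE2_CONFIG, "109")` on the sample flags only the missing 101 entry; adding that line to the site-1 config empties the list.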
01-20-2015 10:32 AM
Excellent! It worked immediately! Thank you so much for your help.