Cannot ping machines on remote subnet while site to site vpn established

Guest

Cannot ping machines on remote subnet while site to site vpn established

Post by Guest » Mon Nov 22, 2010 5:13 am

Hello all,

I have met a site to site VPN problem: when pinging machines on the remote subnet, nothing replies.

But the IPsec tunnel is OK, and I can ping the remote ASA's inside interface IP.

Here is my scenario:

LAN1 -- ASA5510 -- ASA5505 -- LAN2 -- remote_machine

LAN1: 192.168.x.0/24

LAN2: 172.25.88.0/24

remote_machine_ip: 172.25.87.30

LAN1 can ping the ASA5505's inside interface 172.25.88.1

but cannot ping remote_machine (172.25.87.30)

The ASA5505's inside interface can ping remote_machine

LAN2 can ping the ASA5510's inside interface and machines on LAN1

Is there something I missed?

Thanks a lot for the reply


Guest

Re: Cannot ping machines on remote subnet while site to site vpn established

Post by Guest » Mon Nov 22, 2010 6:09 am

Hi,

Does the remote machine have a default route or a route pointing to the ASA when going to the LAN through the tunnel?

I think the remote machine is not returning the packets due to routing issues.

Federico.


Guest

Re: Cannot ping machines on remote subnet while site to site vpn established

Post by Guest » Mon Nov 22, 2010 7:32 am

Hello,

There is no route pointing to the ASA when going to the LAN through the tunnel.

But is there a way to go to the LAN through the tunnel without adding a route to the ASA?

Thanks a lot


Guest

Re: Cannot ping machines on remote subnet while site to site vpn established

Post by Guest » Mon Nov 22, 2010 8:07 am

Hello all,

I think I found the problem...

The setting scenario:

Lan1: 192.168.1.0/24 (ASA1: inside-2 interface, ip: 192.168.1.253)

Lan2: 172.25.249.0/24 (ASA2: inside interface, ip: 172.25.249.1)

While the L2L tunnel is established, Lan1 and Lan2 are like in the same subnet,

so in ASA1> ping inside-2 172.25.249.1 would return an ICMP reply correctly.

But in ASA1> ping inside-2 172.25.249.x, nothing is returned if machine 172.25.249.x doesn't set its default gateway to 172.25.249.1.

Is there a way to NAT 192.168.1.0/24 to 172.25.249.1 while pinging inside-2 172.25.249.x?

It's in conflict with the L2L tunnel tutorial... (from 192.168.1.0/24 to 172.25.249.0/24 there is no need to do NAT translation)

Thanks a lot


Guest

Re: Cannot ping machines on remote subnet while site to site vpn established

Post by Guest » Mon Nov 22, 2010 9:17 am

The problem is not NAT, but rather routing, as already mentioned by Federico.

It seems you are saying the default gateway for hosts on 172.25.249.x is not the firewall 172.25.249.1.

What you need to do on the actual default gateway for the hosts on the 172.25.249.x subnet is to configure a static route like the following:

For example, if it is a Cisco router, issue the command >> ip route 192.168.1.0 255.255.255.0 172.25.249.1

For the remote network for host 172.25.87.30, the routing will also have to be corrected, so that that network will also route 192.168.1.0/24 towards the ASA5505. If the default gateway for 172.25.87.30 is the same router as what is on 172.25.248.x, then the static route command applied as above will be enough.

If you still have problems, clarify what the topology of the LAN 2 network behind the ASA5505 is, what the default gateways are, and what routes are configured.

Regards,
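
As an added illustration of the routing diagnosis in this thread (not code from any poster or from Cisco), the script below follows the echo reply hop by hop through a constructed LAN2 routing table and reports whether it ever reaches ASA2's inside interface, where the crypto map can push it into the tunnel. The LAN1 prefix, ASA2's inside address and the static-route fix come from the thread; the remote host 172.25.249.30, the non-ASA default gateway 172.25.249.254, the ISP next hop 203.0.113.1 and the pinging host 192.168.1.10 are assumptions made for the example.

```python
import ipaddress

# From the thread: LAN1 is 192.168.1.0/24 behind ASA1, ASA2's inside interface is
# 172.25.249.1 on LAN2. Everything else below is constructed for this example.
ASA2_INSIDE = "172.25.249.1"
LAN1_HOST = "192.168.1.10"   # assumed: the LAN1 host whose echo request needs a reply
HOST = "172.25.249.30"       # assumed: a LAN2 host that does not answer pings
ROUTER = "172.25.249.254"    # assumed: the hosts' real default gateway (not the ASA)

def lookup(table, dst):
    """Longest-prefix match over a list of (prefix, next_hop) entries."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None

def reply_reaches_asa(tables, host, dst=LAN1_HOST, max_hops=8):
    """Walk the reply from host towards dst. Returns (reached_asa, path).
    Only a reply that lands on ASA2's inside interface can enter the tunnel."""
    hop, path = host, [host]
    for _ in range(max_hops):
        next_hop = lookup(tables[hop], dst)
        if next_hop is None:            # no matching route: reply is dropped
            return False, path
        path.append(next_hop)
        if next_hop == ASA2_INSIDE:
            return True, path
        if next_hop not in tables:      # e.g. the ISP: reply leaves LAN2 and is lost
            return False, path
        hop = next_hop
    return False, path                  # routing loop

# Broken state described in the thread: host defaults to a router that defaults upstream.
broken = {
    HOST:   [("172.25.249.0/24", "connected"), ("0.0.0.0/0", ROUTER)],
    ROUTER: [("172.25.249.0/24", "connected"), ("0.0.0.0/0", "203.0.113.1")],
}
# Fix from the last reply: static route on the real gateway
# (Cisco: ip route 192.168.1.0 255.255.255.0 172.25.249.1).
fixed_router = {HOST: broken[HOST],
                ROUTER: broken[ROUTER] + [("192.168.1.0/24", ASA2_INSIDE)]}
# Alternative noted earlier in the thread: make the ASA the host's default gateway.
fixed_host = {HOST: [("172.25.249.0/24", "connected"), ("0.0.0.0/0", ASA2_INSIDE)]}

if __name__ == "__main__":
    for name, t in (("broken", broken), ("router fix", fixed_router), ("host fix", fixed_host)):
        print(name, reply_reaches_asa(t, HOST))
```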

