IPsec, L2TP, Split tunneling, PPTP and all other VPN related posts.
Hello all, I have run into a site-to-site VPN problem: pings get no reply from machines on the remote subnet, but the IPsec tunnel is up and I can ping the remote ASA's inside interface IP. Here is my scenario:

LAN1 -- ASA5510 -- ASA5505 -- LAN2 -- remote_machine

LAN1: 192.168.x.0/24
LAN2: 172.25.88.0/24
remote_machine_ip: 172.25.87.30

LAN1 can ping the ASA5505's inside interface 172.25.88.1 but cannot ping remote_machine (172.25.87.30).
The ASA5505's inside interface can ping remote_machine.
LAN2 can ping the ASA5510's inside interface and machines on LAN1.

Is there something I missed? Thanks a lot for any reply.
Hi, does the remote machine have a default route, or a route pointing to the ASA, for traffic going to the LAN through the tunnel? I think the remote machine is not returning the packets because of a routing issue. Federico.
Hello, there is no route pointing to the ASA for traffic going to the LAN through the tunnel. But is there a way to reach the LAN through the tunnel without adding a route to the ASA? Thanks a lot.
Hello all, I think I found the problem. The setup:

Lan1: 192.168.1.0/24 (ASA1: inside-2 interface, IP: 192.168.1.253)
Lan2: 172.25.249.0/24 (ASA2: inside interface, IP: 172.25.249.1)

While the L2L tunnel is established, Lan1 and Lan2 behave as if they were in the same subnet, so on ASA1, "ping inside-2 172.25.249.1" returns an ICMP reply correctly. But on ASA1, "ping inside-2 172.25.249.x" returns nothing if machine 172.25.249.x does not have its default gateway set to 172.25.249.1.

Is there a way to NAT 192.168.1.0/24 to 172.25.249.1 while pinging inside-2 172.25.249.x? It conflicts with the L2L tunnel tutorial (traffic from 192.168.1.0/24 to 172.25.249.0/24 should not be NAT translated). Thanks a lot.
The problem is not NAT but routing, as already mentioned by Federico. It seems you are saying the default gateway for hosts on 172.25.249.x is not the firewall 172.25.249.1. What you need to do on the actual default gateway for the hosts on the 172.25.249.x subnet is to configure a static route like the following. For example, if it is a Cisco router, issue the command:

ip route 192.168.1.0 255.255.255.0 172.25.249.1

For the remote network of host 172.25.87.30, the routing will also have to be corrected, so that that network also routes 192.168.1.0/24 towards the ASA5505. If the default gateway for 172.25.87.30 is the same router as the one on 172.25.248.x, then the static route command applied as above will be enough. If you still have problems, clarify the topology of the LAN2 network behind the ASA5505, what the default gateways are, and what routes are configured. Regards,
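To make the return-path argument in this thread concrete, here is an added example (not code from any of the posts above) that simulates the hosts' and the LAN2 router's routing tables with longest-prefix match, the same rule IOS, Linux and Windows apply. It traces the ICMP reply from a LAN2 host back towards 192.168.1.0/24 in three situations: the host's default gateway is some other router with no route for LAN1, that router has the static route from the previous post, and the host's default gateway is the ASA itself. The addresses follow the thread (LAN1 192.168.1.0/24, LAN2 172.25.249.0/24, ASA2 inside 172.25.249.1); the core router address 172.25.249.254, its upstream 203.0.113.1, and the host addresses are assumptions constructed for the example.

```python
from ipaddress import ip_address, ip_network

# Addresses from the thread.
LAN1 = "192.168.1.0/24"
LAN2 = "172.25.249.0/24"
ASA2_INSIDE = "172.25.249.1"
# Assumptions for the example: the LAN2 hosts' real default gateway and its upstream.
CORE_ROUTER = "172.25.249.254"
ISP = "203.0.113.1"


def next_hop(routes, dst):
    """Longest-prefix-match lookup.

    routes: list of (prefix, gateway); gateway "connected" means deliver directly.
    Returns the chosen gateway, or None when no route matches.
    """
    best = None
    for prefix, gw in routes:
        net = ip_network(prefix)
        if ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None


def trace_reply(devices, start, dst):
    """Follow a packet hop by hop from device `start` towards `dst`.

    devices: {name: (interface_ip, routes)}. The trace ends with "tunnel" once
    the packet is handed to ASA2's inside interface (ASA2 matches it against the
    L2L crypto ACL and encrypts it), "delivered" for a directly connected
    destination, or "lost: ..." when a hop has no route or forwards the packet
    to something that is not on LAN2, which is the symptom in the thread.
    """
    by_ip = {ip: name for name, (ip, _) in devices.items()}
    path = [start]
    cur = start
    for _ in range(8):  # loop guard
        _, routes = devices[cur]
        gw = next_hop(routes, dst)
        if gw is None:
            return path + ["lost: no route"]
        if gw == "connected":
            return path + ["delivered"]
        if gw == ASA2_INSIDE:
            return path + ["ASA2", "tunnel"]
        if gw not in by_ip:
            return path + [f"lost: forwarded to {gw}"]
        cur = by_ip[gw]
        path.append(cur)
    return path + ["lost: routing loop"]


def reply_path(host_gateway=CORE_ROUTER, core_static_route=False, dst="192.168.1.10"):
    """Build the constructed LAN2 topology and trace a reply from host 172.25.249.20."""
    host_routes = [(LAN2, "connected"), ("0.0.0.0/0", host_gateway)]
    core_routes = [(LAN2, "connected"), ("0.0.0.0/0", ISP)]
    if core_static_route:
        # Equivalent of: ip route 192.168.1.0 255.255.255.0 172.25.249.1
        core_routes.append((LAN1, ASA2_INSIDE))
    devices = {
        "host": ("172.25.249.20", host_routes),
        "core": (CORE_ROUTER, core_routes),
    }
    return trace_reply(devices, "host", dst)


if __name__ == "__main__":
    print("no route for LAN1 on core: ", reply_path())
    print("static route added on core:", reply_path(core_static_route=True))
    print("host gateway is ASA2:      ", reply_path(host_gateway=ASA2_INSIDE))
    # Pinging the ASA inside interface works regardless: it is directly connected.
    print("reply to 172.25.249.1:     ", reply_path(dst=ASA2_INSIDE))
```

The first trace shows the failure mode from the thread: the request arrives at the host through the tunnel, but the reply follows the host's default route to the core router, which has no entry for 192.168.1.0/24 and sends it upstream, so the sender never sees an echo reply even though the tunnel is up. The real-world check is the same lookup by hand: `route print` or `ip route get 192.168.1.10` on the host, and `show ip route 192.168.1.10` on its gateway, following each next hop until it either reaches the ASA inside interface or leaves the site.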