Issue with VPN connection to multiple networks


(Peter D) #1

Hey Guys,

I’m having an issue and I’m not sure how to approach it. I have a Site to Site VPN setup between two locations which is working fine. On my side of the connection I’m working with an ASA 5512x running 9.9(1)2. I’m not sure what FW the customer is running, but it’s not Cisco.

As I mentioned, the tunnel is up and traffic is passing except for two hosts. On my end for the Local Network I’m allowing 6 IP addresses:

10.1.1.10
10.1.1.11
10.1.1.12
10.1.1.15
10.2.1.15
10.2.1.16

For the Remote Network on the customer site, the interesting traffic is:

172.16.16.50
172.16.16.51
172.16.16.60
172.16.17.16

The issue is with the 10.2.1.15 and 10.2.1.16 hosts. They are not on my local network. They are on a network I connect to through an MPLS line. The customer can connect to everything except them.

My question is how do I allow the 172.16.16.xx, 172.16.17.xx hosts to access the 10.2.1.xx hosts through the VPN? On my network all the hosts on 10.1.1.x can access the hosts on 10.2.1.x without any issues.

I assume I would have to do a NAT and possibly an ACL to get that to work? I would appreciate any help on this.


(Rene Molenaar) #2

Hello Peter,

This could be a routing and/or VPN problem. A couple of things I would check:

  1. The router that is the default gateway for your 10.2.1.15 and 10.2.1.16 hosts, does it know how to get to 172.16.16.x and 172.16.17.x? If not, you’ll need to add some routing or you need to use NAT on your ASA.

  2. Same thing for the remote customer site, does it know how to reach 10.2.1.15 and 10.2.1.15? If not, add a route or use NAT on your ASA.

  3. On your ASA, you might want to verify that traffic from 10.2.1.15 or 10.2.1.16 to 172.16.x.x is permitted and uses the VPN:

ASA# packet-tracer input MPLS_LINK tcp 10.2.1.15 54321 172.16.17.16 80

It should show that this traffic goes through the VPN and is allowed.

Rene


(Peter D) #3

Hey Rene,

Thanks for the reply. I used the packet-tracer command and it looks like the traffic was getting blocked by an ACL I had applied on the inside interface.

Upon inspection it was dropping all traffic except for the specified 10.1.1.xx addresses. I created the entries to allow the 10.2.1.xx addresses I needed.

I can’t test now; it looks like the customer brought the VPN down. However, this looks like it was the issue. I’ll update the thread when I test it.

Thanks

Pete
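Putting Rene's three checks (routing, NAT, inside ACL plus packet-tracer) and the inside-interface ACL that post #3 found blocking the MPLS hosts together as one ASA 9.x configuration, as an added example that is not configuration from either poster: the interface names inside/outside, the object-group, ACL and crypto map names, and the MPLS_NEXT_HOP placeholder are assumptions; the host addresses are the ones from the thread.

```cisco
! --- Objects for both ends of the tunnel (hosts listed in the thread) ---
object-group network LOCAL_VPN_HOSTS
 network-object host 10.1.1.10
 network-object host 10.1.1.11
 network-object host 10.1.1.12
 network-object host 10.1.1.15
 network-object host 10.2.1.15
 network-object host 10.2.1.16
object-group network REMOTE_VPN_HOSTS
 network-object host 172.16.16.50
 network-object host 172.16.16.51
 network-object host 172.16.16.60
 network-object host 172.16.17.16
!
! --- 1. Routing: the ASA must know 10.2.1.0/24 is reached via the MPLS router.
!        MPLS_NEXT_HOP is a placeholder for that router's address on "inside".
route inside 10.2.1.0 255.255.255.0 MPLS_NEXT_HOP
!
! --- 2. Interface ACL on "inside" (the one that was dropping 10.2.1.x traffic).
!        Permit only the specific VPN hosts, not the whole /24, and log the rest.
access-list INSIDE_IN extended permit ip object-group LOCAL_VPN_HOSTS object-group REMOTE_VPN_HOSTS
access-list INSIDE_IN extended deny ip any any log
access-group INSIDE_IN in interface inside
!
! --- 3. NAT exemption (identity NAT) so tunnel traffic keeps its real addresses
!        instead of hitting a dynamic PAT rule; route-lookup makes the ASA use the
!        routing table (the MPLS route above) when sending replies back inside.
nat (inside,outside) source static LOCAL_VPN_HOSTS LOCAL_VPN_HOSTS destination static REMOTE_VPN_HOSTS REMOTE_VPN_HOSTS no-proxy-arp route-lookup
!
! --- 4. Crypto ACL (interesting traffic) must include the two MPLS hosts as well.
access-list VPN_TO_CUSTOMER extended permit ip object-group LOCAL_VPN_HOSTS object-group REMOTE_VPN_HOSTS
crypto map OUTSIDE_MAP 10 match address VPN_TO_CUSTOMER
!
! --- 5. Verify: the trace should end in "Action: allow" and show a VPN phase.
!        If it stops at the ACCESS-LIST phase, the inside ACL is still the problem;
!        if it ends without a VPN phase, the crypto ACL or NAT rule does not match.
packet-tracer input inside tcp 10.2.1.15 54321 172.16.17.16 80
```

The customer side still needs a route for 10.2.1.15 and 10.2.1.16 pointing at its VPN gateway, which no configuration on the ASA can fix.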


(Peter D) #4

I realized I had a typo for the “172.66” ip addresses. They are private IPs, not public. I corrected them to “172.16”.


(Rene Molenaar) #5

Hi Pete,

Good to hear you found something, hopefully it’s solved now.

Rene


(Peter D) #6

Hey Guys,

The issue has been identified as a routing issue with the MPLS. There was a workaround implemented until that can be resolved.

Thanks for all your help!

Pete


(Rene Molenaar) #7

That’s good to hear Pete!