Cisco ASA 5505 site to site IPSEC VPN won't route from multiple LANs

cisco routing cisco-asa cisco-vpn route
15,378

The crypto map access-list (outside_1_cryptomap) is only going to match direct subnet traffic. You probably need to add more entries to this access-list to match the other subnets that should traverse the tunnel. If you want to support any network on one side to any network on the other side, you might find it easier to declare some network object-groups and then make your access-list read something like:

object-group site1_nets
  network-object 192.168.144.0 255.255.255.252
  network-object 10.1.0.0 255.255.255.0
object-group site2_nets
  network-object 192.168.145.0 255.255.255.252
  network-object 10.2.0.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip object-group site1_nets object-group site2_nets

The nat 0 access-list (inside_nat0_outbound) is also not matching traffic from the other subnets, so the ASA will want to translate the IP address to your outside WAN address.

access-list inside_nat0_outbound extended permit ip object-group site1_nets object-group site2_nets

I'm not 100% positive this second change is necesssary; try the first and test to see if you need it.

Share:
15,378

Related videos on Youtube

JuanR
Author by

JuanR

Updated on September 17, 2022

Comments

  • JuanR
    JuanR over 1 year

    I've set up a standard site to site VPN between 2 ASA 5505s (using the wizard in ASDM) and have the VPN working fine for traffic between Site A and Site B on the directly connected LANs.

    But this VPN is actually to be used for data originating on LAN subnets that are one hop away from the directly connected LANs. So actually there is another router connected to each ASA (LAN side) that then route to two completely different LAN ranges, where the clients and servers reside.

    At the moment, any traffic that gets to the ASA that has not originated from the directly connected LAN gets sent straight to the default gateway, and not through the VPN.

    I've tried adding the additional subnets to the "Protected Networks" on the VPN, but that has no effect. I have also tried adding a static route to each ASA trying to point the traffic to the other side, but again this hasn't worked.

    Here is the config for one of the sites. This works for traffic to/from the 192.168.144.x subnets perfectly. What I need is to be able to route traffic from 10.1.0.0/24 to 10.2.0.0/24 for example. 

    ASA Version 8.0(3)  
!  
hostname Site1  
enable password **** encrypted  
names  
name 192.168.144.4 Site2  
!  
interface Vlan1  
nameif inside  
security-level 100  
ip address 192.168.144.2 255.255.255.252  
!  
interface Vlan2  
nameif outside  
security-level 0  
ip address 10.78.254.70 255.255.255.252 (this is a private WAN circuit)  
!  
interface Ethernet0/0  
switchport access vlan 2  
!  
interface Ethernet0/1  
!  
interface Ethernet0/2  
!  
interface Ethernet0/3  
!  
interface Ethernet0/4  
!  
interface Ethernet0/5  
!  
interface Ethernet0/6  
!  
interface Ethernet0/7  
!  
passwd ****** encrypted  
ftp mode passive  
access-list inside_access_in extended permit ip any any  
access-list outside_access_in extended permit icmp any any echo-reply  
access-list outside_1_cryptomap extended permit ip 192.168.144.0 255.255.255.252 
Site2 255.255.255.252  
access-list inside_nat0_outbound extended permit ip 192.168.144.0 
255.255.255.252 Site2 255.255.255.252  
pager lines 24  
logging enable  
logging asdm informational  
mtu inside 1500  
mtu outside 1500  
icmp unreachable rate-limit 1 burst-size 1  
asdm image disk0:/asdm-603.bin  
no asdm history enable  
arp timeout 14400  
global (outside) 1 interface  
nat (inside) 0 access-list inside_nat0_outbound  
nat (inside) 1 0.0.0.0 0.0.0.0  
access-group inside_access_in in interface inside  
access-group outside_access_in in interface outside  
route outside 0.0.0.0 0.0.0.0 10.78.254.69 1  
timeout xlate 3:00:00  
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02  
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00  
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00  
timeout uauth 0:05:00 absolute  
dynamic-access-policy-record DfltAccessPolicy  
aaa authentication ssh console LOCAL  
http server enable  
http 0.0.0.0 0.0.0.0 outside  
http 192.168.1.0 255.255.255.0 inside  
no snmp-server location  
no snmp-server contact  
snmp-server enable traps snmp authentication linkup linkdown coldstart  
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac  
crypto map outside_map 1 match address outside_1_cryptomap  
crypto map outside_map 1 set pfs  
crypto map outside_map 1 set peer 10.78.254.66  
crypto map outside_map 1 set transform-set ESP-3DES-SHA  
crypto map outside_map interface outside  
crypto isakmp enable outside  
crypto isakmp policy 10  
authentication pre-share  
encryption 3des  
hash sha  
group 2  
lifetime 86400  
no crypto isakmp nat-traversal  
telnet timeout 5  
ssh 0.0.0.0 0.0.0.0 outside  
ssh timeout 5  
console timeout 0  
management-access inside  


threat-detection basic-threat  
threat-detection statistics port  
threat-detection statistics protocol  
threat-detection statistics access-list  
group-policy DfltGrpPolicy attributes  
vpn-idle-timeout none  
username enadmin password ***** encrypted privilege 15  
tunnel-group 10.78.254.66 type ipsec-l2l  
tunnel-group 10.78.254.66 ipsec-attributes  
pre-shared-key *  
!  
!  
prompt hostname context

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Is it possible to configure a Cisco AnyConnect VPN to use two separate LDAP authentication methods simultaneously?
Recently I configured a Site-2-Site VPN Tunnel and I'm getting this errors:
Cisco ASA: How to route PPPoE-assigned subnet?
Phase 2 Mismatch when connecting Windows 7 to ASA5505 VPN
Problem routing between directly connected Subnets w/ ASA-5510
Cleanest, quickest way to generate a Cisco VPN .pcf file?
Cisco ASA Site-to-Site VPN Dropping
Cisco VPN Client Behind ASA 5505
default route with linkdown
Only routing certain traffic through VPN