  • IP-SEC routing problem

    Hello, I have a problem with an IPsec LAN-to-LAN tunnel.

    Location A ASA5505 192.168.100.0/24
    Location B ASA5510 192.168.58.0/24

    I created an IPsec site-to-site VPN and also created the NAT exempt rule.

    Now I also have a second interface on Location B with subnet 192.168.100.0/24.

    Now I can access the devices on location B from location A.

    But when I want to connect from location B to location A I get no connection. I think that the ASA does not send the traffic over the IPsec tunnel but keeps it in the ASA.

  • #2
    Re: IP-SEC routing problem

    I also added a network diagram


    • #3
      Re: IP-SEC routing problem

      Does the 5505 have a Base License? If so, then you can only have 2 VLANs configured (2 interfaces forwarding traffic). You can have a 3rd interface with the Base license, but it will be restricted in where it can forward traffic.

      hostname(config-if)# no forward interface vlan number


      For example if the 3rd vlan is say the "DMZ", you could tell that interface not to forward to the inside interface. This means hosts on the inside can initiate connections toward the "DMZ" interface but the "DMZ" interface cannot initiate traffic towards the inside.

      For full functionality and full vlan support you need the Security Plus License.

      If you have security plus licensing then please post the following:

      1. Copy of running config (sanitized)
      2. show version



      But when I want to connect from location B to location A I get no connection. I think that the ASA does not send the traffic over the IPsec tunnel but keeps it in the ASA.

      So you have overlapping networks on each side. You can NAT the overlapping subnet on Site B, but in reality it's just easier to renumber that network to something unique.
      Last edited by auglan; 6th September 2012, 11:22.
      CCNA, CCNA-Security, CCNP
      CCIE Security (In Progress)

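      To illustrate why the overlap in #3 keeps Site B's traffic off the tunnel, here is an added example (not from this thread and not ASA code) that simulates Site B's routing decision with constructed routes and a constructed crypto ACL; the interface names "inside", "second" and "outside" are assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str


def site_b_routes(second_lan="192.168.100.0/24"):
    """Constructed Site B table: connected routes per LAN plus a default route.
    Pass a different second_lan to model the renumbering suggested in #3."""
    return [
        Route(ipaddress.ip_network("192.168.58.0/24"), "inside"),
        Route(ipaddress.ip_network(second_lan), "second"),  # the overlapping LAN
        Route(ipaddress.ip_network("0.0.0.0/0"), "outside"),
    ]


# Constructed "interesting traffic" for the tunnel, Site B side: 58/24 -> 100/24.
CRYPTO_ACL = [(ipaddress.ip_network("192.168.58.0/24"),
               ipaddress.ip_network("192.168.100.0/24"))]


def lookup(routes, dst):
    """Longest-prefix match: a connected /24 always beats the /0 default."""
    dst = ipaddress.ip_address(dst)
    matches = [r for r in routes if dst in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen).interface if matches else None


def egress(routes, crypto_acl, src, dst):
    """Where Site B sends a packet. The crypto map is bound to the outside
    interface, so only traffic first routed to 'outside' can be encrypted;
    traffic routed to a connected interface never reaches the tunnel."""
    iface = lookup(routes, dst)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if iface == "outside" and any(s in a and d in b for a, b in crypto_acl):
        return "tunnel"
    return iface


def overlaps(local_nets, remote_nets):
    """Local LANs (as strings) that collide with LANs reachable over the VPN."""
    return [(l, r) for l in local_nets for r in remote_nets
            if ipaddress.ip_network(l).overlaps(ipaddress.ip_network(r))]


if __name__ == "__main__":
    print(egress(site_b_routes(), CRYPTO_ACL, "192.168.58.10", "192.168.100.10"))
    print(egress(site_b_routes("192.168.101.0/24"), CRYPTO_ACL, "192.168.58.10", "192.168.100.10"))
```

      With the overlap in place the packet from 192.168.58.10 to 192.168.100.10 is routed to the connected "second" interface; after renumbering that LAN it is routed out "outside", matches the crypto ACL and takes the tunnel.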


      • #4
        Re: IP-SEC routing problem

        Could be a NAT issue. It looks like you don't need NAT, so make sure everything in both directions is in the NO-NAT rules???

        Also does it work on the GUI packet tracer on the firewalls??? Pretty handy that tool that for finding these issues...

        Also if you have been tinkering away with the tunnel, maybe clear the phase1 SA, amazing how often it all comes alive after you clear that...



        • #5
          Re: IP-SEC routing problem

          We need to see a config on the 5510. When you're testing from B to A, where are you sourcing the traffic from? I would also run some debugs.

          debug crypto isakmp
          debug crypto ipsec

          or for 8.3 and above

          debug crypto ikev1
          Last edited by auglan; 6th September 2012, 13:25.
          CCNA, CCNA-Security, CCNP
          CCIE Security (In Progress)
