Cisco PIX 501 to Cisco ASA 5510 Site to Site VPN Private IP Network Issues
Posted on 2006-03-26
Our company has recently given the go-ahead for a new server farm to be built and designed by myself and hosted out of a carrier colocation in SLC, UT. I have finished building the new servers and implementing the new network devices. I decided to set up a test site-to-site VPN tunnel to my home, where I am using a Cisco PIX 501, while the web farm is using a Cisco ASA 5510. After configuring the IKE parameters, NAT 0, access-lists, transform-sets, and crypto maps I was up and going. The Cisco PIX is running OS 6.3(5) and the ASA is running 7.1(1).

Now let me give some detail on the networks behind the ASA. I have two networks off of the ASA: one network is 172.x.10.x 255.255.255.0 and the second network is 172.x.20.x 255.255.255.0. The 172.x.20.x network hosts our app servers and database server, while the 172.x.10.x network hosts our web servers along with an F5 Big-IP 2000 load balancer. The load balancer has a private IP address of 172.x.10.50. The two web servers that we have uplink directly into the load balancer. There is a separate internal VLAN off of the load balancer that the web servers run on. That network is 172.x.60.x 255.255.255.0. The IP address of the first web server is 172.x.60.5 and the second web server is 172.x.60.7. The load balancer uses NAT to convert the 172.x.10.x network to the appropriate 172.x.60.x nodes. For example, the web server according to the ASA is 172.x.10.5, while the load balancer NATs the address to 172.x.60.5. We have a static NAT set up on the ASA to translate a public IP to a load-balanced 172.x.10.70 address to be balanced between the two web servers.

If I ping the 172.x.10.5 web server from the ASA I receive replies back, but for some reason when I am connected from home using the VPN tunnel I can't communicate with the 172.x.10.x network. Both the 172.x.20.x and the 172.x.10.x networks have been allowed on the access-lists, so I can't figure it out, especially since the ASA can get replies but my VPN connection can't.

What am I doing wrong? I can talk to everything perfectly on the 172.x.20.x network using the VPN tunnel, but nothing on the 172.x.10.x network. Do I need to add to the access-list a permit statement to network 172.x.60.x?
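For readers following the post, here is what the configuration pieces it lists (ISAKMP policy, NAT 0 exemption, crypto ACL, transform set, crypto map) look like on ASA 7.1 and PIX 6.3(5) when two protected subnets share one site-to-site tunnel. This is an added illustration, not the poster's configuration and not a diagnosis of the fault described. All addresses and names are assumptions: 172.16.10.0/24 and 172.16.20.0/24 stand in for the two farm networks, 192.168.1.0/24 for the home LAN, 203.0.113.1 for the ASA outside address, 198.51.100.2 for the PIX outside address, and the interface names inside and dmz are assumed; the real farm's 172.x addresses are not known.

```cisco
! ===== ASA 5510, 7.1(1) side (assumed addresses, added example) =====
! Traffic to the home LAN must bypass NAT. nat 0 is bound per interface,
! so every interface that hosts a protected subnet needs its own statement.
access-list NONAT_INSIDE extended permit ip 172.16.20.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list NONAT_DMZ    extended permit ip 172.16.10.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list NONAT_INSIDE
nat (dmz)    0 access-list NONAT_DMZ

! Crypto ACL: one line per protected local subnet, destination = home LAN.
access-list VPN_TO_HOME extended permit ip 172.16.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list VPN_TO_HOME extended permit ip 172.16.20.0 255.255.255.0 192.168.1.0 255.255.255.0

! Phase 1 (7.1 uses "isakmp", not "crypto isakmp").
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group 198.51.100.2 type ipsec-l2l
tunnel-group 198.51.100.2 ipsec-attributes
 pre-shared-key REPLACE-WITH-A-LONG-RANDOM-SECRET

! Phase 2.
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VPN_TO_HOME
crypto map OUTSIDE_MAP 10 set peer 198.51.100.2
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP interface outside
! Let decrypted traffic bypass the outside interface ACL.
sysopt connection permit-ipsec

! ===== PIX 501, 6.3(5) side (assumed addresses, added example) =====
! The crypto and NAT 0 ACLs are the mirror image of the ASA's: every
! remote subnet the ASA lists must appear here as a destination.
access-list VPN_TO_FARM permit ip 192.168.1.0 255.255.255.0 172.16.10.0 255.255.255.0
access-list VPN_TO_FARM permit ip 192.168.1.0 255.255.255.0 172.16.20.0 255.255.255.0
nat (inside) 0 access-list VPN_TO_FARM

isakmp enable outside
isakmp key REPLACE-WITH-A-LONG-RANDOM-SECRET address 203.0.113.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map HOME_MAP 10 ipsec-isakmp
crypto map HOME_MAP 10 match address VPN_TO_FARM
crypto map HOME_MAP 10 set peer 203.0.113.1
crypto map HOME_MAP 10 set transform-set ESP-AES256-SHA
crypto map HOME_MAP interface outside
sysopt connection permit-ipsec
```

With two subnets in the crypto ACL, `show crypto ipsec sa` on either box should list a separate IPsec SA for each subnet pair (shown as the local and remote ident lines), and the `#pkts encaps` and `#pkts decaps` counters for the 172.16.10.0 pair are the quickest way to see whether traffic for that subnet is being encrypted on one side but never decrypted on the other, or never reaching the crypto map at all. `show access-list NONAT_DMZ` hit counts show whether the NAT exemption is actually matching.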