Solved

Site to Site VPN and Point to Point routing help . 500 pts to the winner

Posted on 2007-07-25
278 Views
Last Modified: 2011-09-20
Hello, I have an ASA5510 for a firewall, and it also terminates a site to site vpn and client vpns.  The corporate office also has a point to point with another office via a Cisco 2800 series router.  At the corporate office all end user devices are given the point to point router IP address as the D/G. That router has a route in it that pushes traffic over to the ASA5510 if it is not destined for the other side of the point to point.  The info is as follows:

Corporate office ASA5510 IP address 192.168.0.1 /24 subnet
Corporate office C2800 router (point to point with office 2) internal IP 192.168.0.254
Office 2  (other side of point to point) - C2800 series router internal IP 192.168.1.254
Office 3 (other side of site to site vpn) ASA5505 - Internal network of 192.168.2.0 /24

Right now, Office 3 can ping to the corporate office across the VPN tunnel. It cannot ping to office 2, i.e., I cannot ping 192.168.1.20 from 192.168.2.10.

Office 2 can ping corporate via the point to point T1, but it cannot ping to Office 3 by going through corporate and then the site to site.  

Lastly, remote access clients who VPN into the ASA5510 can access corporate resources, but they cannot access the office at the other end of the site to site or the point to point T1.

My questions are as follows:

1.  How can I make it so that Office 3 can communicate with office 2? The path would be through the vpn tunnel to the point to point ethernet interface at corporate, then through the T1 to the remote office.

2.  How can I make it so that remote users can VPN into Corporate but still be able to access the office across the point to point T1?

I believe I just need a couple of route statements on my firewall and possibly something to bypass nat?  Help would be greatly appreciated.
Question by: ddftech
2 Comments
 
LVL 3

Expert Comment

by:Adrien de Croy
ID: 19573364
Looks like the problem would be in the ASA5510.

If it terminates the VPN connections for the remote offices and the remote workers, and is providing access for these remote offices to the corporate office but not each other, then it must be some setting in the device which is prohibiting different remote nodes from communicating with each other.

This is commonly done for security reasons - I'm not familiar with that device, but it may be possible to turn on a setting which would allow it to forward packets received on one tunnel back out another one.
 
LVL 79

Accepted Solution

by: lrmoore (earned 2000 total points)
ID: 19573617
ASA needs a route statement like this:
 route inside 192.168.1.0 255.255.255.0 192.168.0.254

And the VPN tunnel information needs to have 192.168.1.0/24 in the ipsec defined acls. Site 3 vpn tunnel definition acls also need to have site 2's subnet.
Example:
access-list nat_zero permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nat_zero permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list tunnel_to_site3 permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list tunnel_to_site3 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
crypto map MYMAP 10 match address tunnel_to_site3

Site 3's configuration would be a mirror image.
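To show why all three pieces of the accepted answer are needed (the static route, the crypto ACL entry, and the NAT-exempt entry), here is an added example that is not part of the original thread: a small Python model of the corporate ASA's decision for a single flow. It parses the exact statements from the answer as constructed text (a real ASA config has far more than these three statement types), applies longest-prefix routing, and checks the crypto and nat_zero ACLs in both directions, since decrypted traffic arriving from site 3 must match the mirror of the local crypto ACL. The "before" state is an assumption derived from the question: the ACLs cover only corporate's own 192.168.0.0/24.

```python
import ipaddress

# Constructed sample: the commands from the accepted answer, as plain text.
ASA_FIX = """
route inside 192.168.1.0 255.255.255.0 192.168.0.254
access-list nat_zero permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nat_zero permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list tunnel_to_site3 permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list tunnel_to_site3 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
"""
# Assumed pre-fix state from the question: nothing about office 2 (192.168.1.0/24) on the ASA.
ASA_BEFORE = "\n".join(l for l in ASA_FIX.splitlines() if "192.168.1.0" not in l)

def parse(config):
    """Return ([(network, next_hop)], {acl_name: [(src_net, dst_net)]})."""
    routes, acls = [], {}
    for line in config.strip().splitlines():
        f = line.split()
        if f[0] == "route":
            routes.append((ipaddress.ip_network(f"{f[2]}/{f[3]}"), f[4]))
        elif f[0] == "access-list" and f[2:4] == ["permit", "ip"]:
            acls.setdefault(f[1], []).append(
                (ipaddress.ip_network(f"{f[4]}/{f[5]}"), ipaddress.ip_network(f"{f[6]}/{f[7]}")))
    return routes, acls

def next_hop(routes, dst):
    """Longest-prefix match; None means no static route in the snippet."""
    hits = [r for r in routes if ipaddress.ip_address(dst) in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen)[1] if hits else None

def matches(entries, src, dst):
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in sn and d in dn for sn, dn in entries)

def mirror(entries):
    """The peer's ACL must be the mirror image: source and destination swapped."""
    return [(d, s) for s, d in entries]

def check_flow(config, src, dst):
    """Would the corporate ASA encrypt, NAT-exempt and route a src->dst flow?"""
    routes, acls = parse(config)
    crypto, nat = acls.get("tunnel_to_site3", []), acls.get("nat_zero", [])
    # Outbound traffic must match the ACL; decrypted inbound traffic must match its mirror.
    return {
        "encrypted": matches(crypto, src, dst) or matches(mirror(crypto), src, dst),
        "nat_exempt": matches(nat, src, dst) or matches(mirror(nat), src, dst),
        "next_hop": next_hop(routes, dst),
    }
```

`mirror(parse(ASA_FIX)[1]["tunnel_to_site3"])` is what the site 3 ASA5505's crypto ACL has to contain for the office 3 to office 2 path to work in both directions.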
