Improve company productivity with a Business Account.Sign Up

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 348
  • Last Modified:

Routing issue through GRE L2L Tunnel via ASA5510

I've a strange problem with the routing from internal network through a GRE Tunnel over an ASA5510:

The infrastructure design is as following:

Internal Network 192.168.1.x
ASA5510 as Internet Gateway with 192.168.1.1
Cisco 2600 Router for GRE L2L VPN Tunnel with 192.168.1.3 IP
SSL VPN LAN through ASA5510 with 10.1.1.x Subnet
L2L VPN Subnet through GRE L2L VPN Tunnel with 10.1.2.x Subnet
 
The tunnel is up and working, i can access the 10.1.2.x L2L VPN Subnet (inside) without any issue from SSL VPN 10.1.1.x Subnet (outside).

From the internal network 192.168.1.x (inside) i can only access the 10.1.2.x L2L VPN Subnet (inside) when i add on the local client a static routing "10.1.2.x MASK 255.255.255.0 192.168.1.3" - so if the packages go directly to L2L VPN Router it works, as soon there is just the ASA5510 as the default gateway in place it doesn't work.

I've added already a NAT Rule for 10.1.2.x (inside) to 192.168.1.x (inside) and back and in addition a static routing entry for 10.1.2.x Subnet through 192.168.1.3 gateway but it's still not working.

From the other side of the tunnel it's the same issue, as long there is no static routing entry on the server at 192.168.1.x subnet, you cannot access services there (e.g. AD, DNS, WWW, ...), as soon the entry is in place, it works.

It looks for me, that the ASA doesn't handle the traffic correct from 192.168.1.x Subnet to 10.1.2.x Subnet - maybe because both are "inside"?
0
iamroot80
Asked:
iamroot80
  • 2
  • 2
1 Solution
 
Jan SpringerCommented:
Inside to inside works just fine.  It usually breaks when one or both ends do not exclude the inside network from NAT'g to the other inside network.

From the ASA, you should run packet-tracer to see where the errors lie.
0
 
iamroot80Author Commented:
I did a static Inside-Inside NAT rule for L2L-VPN Network to Internal Network and vice-verse - so this shouldn't be in place?

the strange thing is, packet tracer on ASA doesn't show an error - packages run through without error - just from a client it's not working without the manual routing entry in place (and i've devices in LAN where i can't configure static routing - so they are not accessible now from L2L VPN).
0
 
Jan SpringerCommented:
Can you post a clean (no passwords, keys, etc) config from both ends?

You should have to put a static route into place.
0
 
Henk van AchterbergSr. Technical ConsultantCommented:
you should to three things:

1. add static route to the 10.1.2.0 255.255.255.0 via 192.168.1.3
2. add an inspection policy that disable TCP STATE inspection between 192.168.1.0/24 and 10.1.2.0/24. This is because TCP SYN packets will flow trough the ASA, the ACK does not (goes from the 2600 straight to the client) but the SYN/ACK will flow again trough the ASA. This is confusing for the ASA and it will drop this kind of traffic. Disabling TCP State inspection will stop dropping this traffic.
3. allow intra interface traffic (same-security-traffic permit intra-interface)
0
 
iamroot80Author Commented:
Finally i found the issue:

The MTU size inside the GRE tunnel was 1300, the ASA internal interface was still on default 1500 - after configuring the internal interface from ASA to 1300 too it worked :)
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Improved Protection from Phishing Attacks

WatchGuard DNSWatch reduces malware infections by detecting and blocking malicious DNS requests, improving your ability to protect employees from phishing attacks. Learn more about our newest service included in Total Security Suite today!

  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now