Routing issue through GRE L2L Tunnel via ASA5510
I've a strange problem with the routing from internal network through a GRE Tunnel over an ASA5510:
The infrastructure design is as following:
Internal Network 192.168.1.x
ASA5510 as Internet Gateway with 192.168.1.1
Cisco 2600 Router for GRE L2L VPN Tunnel with 192.168.1.3 IP
SSL VPN LAN through ASA5510 with 10.1.1.x Subnet
L2L VPN Subnet through GRE L2L VPN Tunnel with 10.1.2.x Subnet
The tunnel is up and working, i can access the 10.1.2.x L2L VPN Subnet (inside) without any issue from SSL VPN 10.1.1.x Subnet (outside).
From the internal network 192.168.1.x (inside) i can only access the 10.1.2.x L2L VPN Subnet (inside) when i add on the local client a static routing "10.1.2.x MASK 255.255.255.0 192.168.1.3" - so if the packages go directly to L2L VPN Router it works, as soon there is just the ASA5510 as the default gateway in place it doesn't work.
I've added already a NAT Rule for 10.1.2.x (inside) to 192.168.1.x (inside) and back and in addition a static routing entry for 10.1.2.x Subnet through 192.168.1.3 gateway but it's still not working.
From the other side of the tunnel it's the same issue, as long there is no static routing entry on the server at 192.168.1.x subnet, you cannot access services there (e.g. AD, DNS, WWW, ...), as soon the entry is in place, it works.
It looks for me, that the ASA doesn't handle the traffic correct from 192.168.1.x Subnet to 10.1.2.x Subnet - maybe because both are "inside"?
The infrastructure design is as following:
Internal Network 192.168.1.x
ASA5510 as Internet Gateway with 192.168.1.1
Cisco 2600 Router for GRE L2L VPN Tunnel with 192.168.1.3 IP
SSL VPN LAN through ASA5510 with 10.1.1.x Subnet
L2L VPN Subnet through GRE L2L VPN Tunnel with 10.1.2.x Subnet
The tunnel is up and working, i can access the 10.1.2.x L2L VPN Subnet (inside) without any issue from SSL VPN 10.1.1.x Subnet (outside).
From the internal network 192.168.1.x (inside) i can only access the 10.1.2.x L2L VPN Subnet (inside) when i add on the local client a static routing "10.1.2.x MASK 255.255.255.0 192.168.1.3" - so if the packages go directly to L2L VPN Router it works, as soon there is just the ASA5510 as the default gateway in place it doesn't work.
I've added already a NAT Rule for 10.1.2.x (inside) to 192.168.1.x (inside) and back and in addition a static routing entry for 10.1.2.x Subnet through 192.168.1.3 gateway but it's still not working.
From the other side of the tunnel it's the same issue, as long there is no static routing entry on the server at 192.168.1.x subnet, you cannot access services there (e.g. AD, DNS, WWW, ...), as soon the entry is in place, it works.
It looks for me, that the ASA doesn't handle the traffic correct from 192.168.1.x Subnet to 10.1.2.x Subnet - maybe because both are "inside"?
ASKER
I did a static Inside-Inside NAT rule for L2L-VPN Network to Internal Network and vice-verse - so this shouldn't be in place?
the strange thing is, packet tracer on ASA doesn't show an error - packages run through without error - just from a client it's not working without the manual routing entry in place (and i've devices in LAN where i can't configure static routing - so they are not accessible now from L2L VPN).
the strange thing is, packet tracer on ASA doesn't show an error - packages run through without error - just from a client it's not working without the manual routing entry in place (and i've devices in LAN where i can't configure static routing - so they are not accessible now from L2L VPN).
Can you post a clean (no passwords, keys, etc) config from both ends?
You should have to put a static route into place.
You should have to put a static route into place.
you should to three things:
1. add static route to the 10.1.2.0 255.255.255.0 via 192.168.1.3
2. add an inspection policy that disable TCP STATE inspection between 192.168.1.0/24 and 10.1.2.0/24. This is because TCP SYN packets will flow trough the ASA, the ACK does not (goes from the 2600 straight to the client) but the SYN/ACK will flow again trough the ASA. This is confusing for the ASA and it will drop this kind of traffic. Disabling TCP State inspection will stop dropping this traffic.
3. allow intra interface traffic (same-security-traffic permit intra-interface)
1. add static route to the 10.1.2.0 255.255.255.0 via 192.168.1.3
2. add an inspection policy that disable TCP STATE inspection between 192.168.1.0/24 and 10.1.2.0/24. This is because TCP SYN packets will flow trough the ASA, the ACK does not (goes from the 2600 straight to the client) but the SYN/ACK will flow again trough the ASA. This is confusing for the ASA and it will drop this kind of traffic. Disabling TCP State inspection will stop dropping this traffic.
3. allow intra interface traffic (same-security-traffic permit intra-interface)
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
From the ASA, you should run packet-tracer to see where the errors lie.