Solved

Routing issue through GRE L2L Tunnel via ASA5510

Posted on 2013-12-02
7
325 Views
Last Modified: 2014-10-21
I've a strange problem with the routing from internal network through a GRE Tunnel over an ASA5510:

The infrastructure design is as following:

Internal Network 192.168.1.x
ASA5510 as Internet Gateway with 192.168.1.1
Cisco 2600 Router for GRE L2L VPN Tunnel with 192.168.1.3 IP
SSL VPN LAN through ASA5510 with 10.1.1.x Subnet
L2L VPN Subnet through GRE L2L VPN Tunnel with 10.1.2.x Subnet
 
The tunnel is up and working, i can access the 10.1.2.x L2L VPN Subnet (inside) without any issue from SSL VPN 10.1.1.x Subnet (outside).

From the internal network 192.168.1.x (inside) i can only access the 10.1.2.x L2L VPN Subnet (inside) when i add on the local client a static routing "10.1.2.x MASK 255.255.255.0 192.168.1.3" - so if the packages go directly to L2L VPN Router it works, as soon there is just the ASA5510 as the default gateway in place it doesn't work.

I've added already a NAT Rule for 10.1.2.x (inside) to 192.168.1.x (inside) and back and in addition a static routing entry for 10.1.2.x Subnet through 192.168.1.3 gateway but it's still not working.

From the other side of the tunnel it's the same issue, as long there is no static routing entry on the server at 192.168.1.x subnet, you cannot access services there (e.g. AD, DNS, WWW, ...), as soon the entry is in place, it works.

It looks for me, that the ASA doesn't handle the traffic correct from 192.168.1.x Subnet to 10.1.2.x Subnet - maybe because both are "inside"?
0
Comment
Question by:iamroot80
  • 2
  • 2
7 Comments
 
LVL 28

Expert Comment

by:Jan Springer
ID: 39691287
Inside to inside works just fine.  It usually breaks when one or both ends do not exclude the inside network from NAT'g to the other inside network.

From the ASA, you should run packet-tracer to see where the errors lie.
0
 

Author Comment

by:iamroot80
ID: 39691303
I did a static Inside-Inside NAT rule for L2L-VPN Network to Internal Network and vice-verse - so this shouldn't be in place?

the strange thing is, packet tracer on ASA doesn't show an error - packages run through without error - just from a client it's not working without the manual routing entry in place (and i've devices in LAN where i can't configure static routing - so they are not accessible now from L2L VPN).
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 39691306
Can you post a clean (no passwords, keys, etc) config from both ends?

You should have to put a static route into place.
0
 
LVL 12

Expert Comment

by:Henk van Achterberg
ID: 39696644
you should to three things:

1. add static route to the 10.1.2.0 255.255.255.0 via 192.168.1.3
2. add an inspection policy that disable TCP STATE inspection between 192.168.1.0/24 and 10.1.2.0/24. This is because TCP SYN packets will flow trough the ASA, the ACK does not (goes from the 2600 straight to the client) but the SYN/ACK will flow again trough the ASA. This is confusing for the ASA and it will drop this kind of traffic. Disabling TCP State inspection will stop dropping this traffic.
3. allow intra interface traffic (same-security-traffic permit intra-interface)
0
 

Accepted Solution

by:
iamroot80 earned 0 total points
ID: 39703011
Finally i found the issue:

The MTU size inside the GRE tunnel was 1300, the ASA internal interface was still on default 1500 - after configuring the internal interface from ASA to 1300 too it worked :)
0

Featured Post

What Is Threat Intelligence?

Threat intelligence is often discussed, but rarely understood. Starting with a precise definition, along with clear business goals, is essential.

Join & Write a Comment

Some of you may have heard that SonicWALL has finally released an app for iOS devices giving us long awaited connectivity for our iPhone's, iPod's, and iPad's. This guide is just a quick rundown on how to get up and running quickly using the app. …
There are two basic ways to configure a static route for Cisco IOS devices. I've written this article to highlight a case study comparing the configuration of a static route using the next-hop IP and the configuration of a static route using an outg…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

760 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now