Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Routing issue through GRE L2L Tunnel via ASA5510

Posted on 2013-12-02
7
Medium Priority
?
341 Views
Last Modified: 2014-10-21
I've a strange problem with the routing from internal network through a GRE Tunnel over an ASA5510:

The infrastructure design is as following:

Internal Network 192.168.1.x
ASA5510 as Internet Gateway with 192.168.1.1
Cisco 2600 Router for GRE L2L VPN Tunnel with 192.168.1.3 IP
SSL VPN LAN through ASA5510 with 10.1.1.x Subnet
L2L VPN Subnet through GRE L2L VPN Tunnel with 10.1.2.x Subnet
 
The tunnel is up and working, i can access the 10.1.2.x L2L VPN Subnet (inside) without any issue from SSL VPN 10.1.1.x Subnet (outside).

From the internal network 192.168.1.x (inside) i can only access the 10.1.2.x L2L VPN Subnet (inside) when i add on the local client a static routing "10.1.2.x MASK 255.255.255.0 192.168.1.3" - so if the packages go directly to L2L VPN Router it works, as soon there is just the ASA5510 as the default gateway in place it doesn't work.

I've added already a NAT Rule for 10.1.2.x (inside) to 192.168.1.x (inside) and back and in addition a static routing entry for 10.1.2.x Subnet through 192.168.1.3 gateway but it's still not working.

From the other side of the tunnel it's the same issue, as long there is no static routing entry on the server at 192.168.1.x subnet, you cannot access services there (e.g. AD, DNS, WWW, ...), as soon the entry is in place, it works.

It looks for me, that the ASA doesn't handle the traffic correct from 192.168.1.x Subnet to 10.1.2.x Subnet - maybe because both are "inside"?
0
Comment
Question by:iamroot80
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
7 Comments
 
LVL 29

Expert Comment

by:Jan Springer
ID: 39691287
Inside to inside works just fine.  It usually breaks when one or both ends do not exclude the inside network from NAT'g to the other inside network.

From the ASA, you should run packet-tracer to see where the errors lie.
0
 

Author Comment

by:iamroot80
ID: 39691303
I did a static Inside-Inside NAT rule for L2L-VPN Network to Internal Network and vice-verse - so this shouldn't be in place?

the strange thing is, packet tracer on ASA doesn't show an error - packages run through without error - just from a client it's not working without the manual routing entry in place (and i've devices in LAN where i can't configure static routing - so they are not accessible now from L2L VPN).
0
 
LVL 29

Expert Comment

by:Jan Springer
ID: 39691306
Can you post a clean (no passwords, keys, etc) config from both ends?

You should have to put a static route into place.
0
 
LVL 12

Expert Comment

by:Henk van Achterberg
ID: 39696644
you should to three things:

1. add static route to the 10.1.2.0 255.255.255.0 via 192.168.1.3
2. add an inspection policy that disable TCP STATE inspection between 192.168.1.0/24 and 10.1.2.0/24. This is because TCP SYN packets will flow trough the ASA, the ACK does not (goes from the 2600 straight to the client) but the SYN/ACK will flow again trough the ASA. This is confusing for the ASA and it will drop this kind of traffic. Disabling TCP State inspection will stop dropping this traffic.
3. allow intra interface traffic (same-security-traffic permit intra-interface)
0
 

Accepted Solution

by:
iamroot80 earned 0 total points
ID: 39703011
Finally i found the issue:

The MTU size inside the GRE tunnel was 1300, the ASA internal interface was still on default 1500 - after configuring the internal interface from ASA to 1300 too it worked :)
0

Featured Post

Q2 2017 - Latest Malware & Internet Attacks

WatchGuard’s Threat Lab is a group of dedicated threat researchers committed to helping you stay ahead of the bad guys by providing in-depth analysis of the top security threats to your network.  Check out our latest Quarterly Internet Security Report!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Many of the companies I’ve worked with have embraced cloud solutions due to their desire to “get out of the datacenter business.” The ability to achieve better security and availability, and the speed with which they are able to deploy, is far grea…
Powerful tools can do wonders, but only in the right hands.  Nowhere is this more obvious than with the cloud.
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

604 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question