Solved

Routing issue through GRE L2L Tunnel via ASA5510

Posted on 2013-12-02
7
333 Views
Last Modified: 2014-10-21
I've a strange problem with the routing from internal network through a GRE Tunnel over an ASA5510:

The infrastructure design is as following:

Internal Network 192.168.1.x
ASA5510 as Internet Gateway with 192.168.1.1
Cisco 2600 Router for GRE L2L VPN Tunnel with 192.168.1.3 IP
SSL VPN LAN through ASA5510 with 10.1.1.x Subnet
L2L VPN Subnet through GRE L2L VPN Tunnel with 10.1.2.x Subnet
 
The tunnel is up and working, i can access the 10.1.2.x L2L VPN Subnet (inside) without any issue from SSL VPN 10.1.1.x Subnet (outside).

From the internal network 192.168.1.x (inside) i can only access the 10.1.2.x L2L VPN Subnet (inside) when i add on the local client a static routing "10.1.2.x MASK 255.255.255.0 192.168.1.3" - so if the packages go directly to L2L VPN Router it works, as soon there is just the ASA5510 as the default gateway in place it doesn't work.

I've added already a NAT Rule for 10.1.2.x (inside) to 192.168.1.x (inside) and back and in addition a static routing entry for 10.1.2.x Subnet through 192.168.1.3 gateway but it's still not working.

From the other side of the tunnel it's the same issue, as long there is no static routing entry on the server at 192.168.1.x subnet, you cannot access services there (e.g. AD, DNS, WWW, ...), as soon the entry is in place, it works.

It looks for me, that the ASA doesn't handle the traffic correct from 192.168.1.x Subnet to 10.1.2.x Subnet - maybe because both are "inside"?
0
Comment
Question by:iamroot80
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
7 Comments
 
LVL 29

Expert Comment

by:Jan Springer
ID: 39691287
Inside to inside works just fine.  It usually breaks when one or both ends do not exclude the inside network from NAT'g to the other inside network.

From the ASA, you should run packet-tracer to see where the errors lie.
0
 

Author Comment

by:iamroot80
ID: 39691303
I did a static Inside-Inside NAT rule for L2L-VPN Network to Internal Network and vice-verse - so this shouldn't be in place?

the strange thing is, packet tracer on ASA doesn't show an error - packages run through without error - just from a client it's not working without the manual routing entry in place (and i've devices in LAN where i can't configure static routing - so they are not accessible now from L2L VPN).
0
 
LVL 29

Expert Comment

by:Jan Springer
ID: 39691306
Can you post a clean (no passwords, keys, etc) config from both ends?

You should have to put a static route into place.
0
 
LVL 12

Expert Comment

by:Henk van Achterberg
ID: 39696644
you should to three things:

1. add static route to the 10.1.2.0 255.255.255.0 via 192.168.1.3
2. add an inspection policy that disable TCP STATE inspection between 192.168.1.0/24 and 10.1.2.0/24. This is because TCP SYN packets will flow trough the ASA, the ACK does not (goes from the 2600 straight to the client) but the SYN/ACK will flow again trough the ASA. This is confusing for the ASA and it will drop this kind of traffic. Disabling TCP State inspection will stop dropping this traffic.
3. allow intra interface traffic (same-security-traffic permit intra-interface)
0
 

Accepted Solution

by:
iamroot80 earned 0 total points
ID: 39703011
Finally i found the issue:

The MTU size inside the GRE tunnel was 1300, the ASA internal interface was still on default 1500 - after configuring the internal interface from ASA to 1300 too it worked :)
0

Featured Post

On Demand Webinar: Networking for the Cloud Era

Ready to improve network connectivity? Watch this webinar to learn how SD-WANs and a one-click instant connect tool can boost provisions, deployment, and management of your cloud connection.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

OpenVPN is a great open source VPN server that is capable of providing quick and easy VPN access to your network on the cheap.  By default the software is configured to allow open access to your network.  But what if you want to restrict users to on…
Many of the companies I’ve worked with have embraced cloud solutions due to their desire to “get out of the datacenter business.” The ability to achieve better security and availability, and the speed with which they are able to deploy, is far grea…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…

689 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question