VPN Routing Issue - Can reach all devices from A to B, but from B cannot reach any devices in A

Hi,

I have set up an IPsec Site-to-Site VPN between an ASA and a Cisco 4G 897 Router. The VPN is up and the setup is as follows:

HQ: 10.10.5.0/24----------ASA-----------------Site to Site VPN--------------------------------Cisco 4G---------------Branch Office 1: 10.21.1.0/24

From the HQ, I can access the servers in the Branch Office (except that I cannot ping the gateway, 10.21.1.1).

But from the Branch Office, I cannot reach any devices in the HQ.

All internet traffic from branch office needs to go through the VPN as well.

Any suggestions as to what I missed here?

Configs attached:
Branch Office 1: Mel_Site-Config-EE.txt
ASA: asa-config.txt
Avis Moonsamy (Technical Consultant) asked:
arnold commented:
The ASA does not seem to have the IP 116 that the 4G has as the peer address.
The ASA outside seems to be 10.10.250.

See ASA config.
https://www.cisco.com/c/en/us/td/docs/security/asa/asa94/config-guides/cli/firewall/asa-94-firewall-config/nat-reference.html

HQ to branch works, so the paths are there

Check the crypto on the 4G to confirm packets are leaving your 4G via the tunnel and not hitting an ACL on your side.

Double-check with the MPLS ISP to see what they see on the ASA, unless you can.

Is the public IP on the ASA NATed by an upstream router?
 
Rob Williams commented:
It could be the Windows firewall.  By default when an exception is added, such as File and Print Sharing, it only grants access from the local subnet.  When accessing from another subnet, such as when using a VPN, you usually have to add the remote subnet to the firewall exception, or change to "public", i.e. all.
 
Avis Moonsamy (Technical Consultant, Author) commented:
Hi Rob,

Windows Firewall is disabled on both remote servers and the test does not work from the Branch Office Router as well.
 
arnold commented:
Ping requires that you add inspect icmp on the remote side, or an equivalent.

The remote branch is a dynamic IP; only the branch can keep the VPN up all the time.

Look at your interesting traffic ACL rule; it sounds as though the rule on the ASA is what blocks the traffic from coming through, since traffic leaving the ASA is permitted to return.

Packet A enters the tunnel on the ASA side, gets encrypted, reaches the 4G, gets decrypted, exits the tunnel into the LAN, hits the resource. The response flows through the LAN into the tunnel, gets encrypted, enters the tunnel, reaches the ASA, gets decrypted, and is allowed in.

The reverse from the branch: the packet is seen as new, and I think this is where it is blocked by the ACL.

Your 4G seems to have the LAN-to-LAN as 10.10.0.0/16 to 10.21.0.0/16.

show crypto isakmp summary
show crypto sa

From each side it seems right.

I see on the ASA you allow traffic leaving an interface to return through the same interface.

You have several VPNs; it is difficult for me to determine the interface currently in use to match which access-list applies to this VPN tunnel.
 
Avis Moonsamy (Technical Consultant, Author) commented:
Hi Arnold,

"The reverse from the branch: the packet is seen as new, and I think this is where it is blocked by the ACL." I agree this is where the problem is. Any suggestions on how to troubleshoot this further? I am running out of ideas...
 
arnold commented:
I am having difficulty identifying the access-list on the ASA side that allows the traffic from 10.21.0.0 255.255.0.0 to 10.10.0.0 255.255.0.0.

Your ASA split-tunnel VPN:
Double-check that the resources you are trying to access are part of the rule.

Look at VPN-Vocus on the branch to make sure the IPs from which you are attempting the access are not limited by that.

Have a debug for source IP in the VPN as 10.21.0.0 255.255.0.0 on the ASA while trying to access from the branch, to see if it gets to the ASA.
If not, you know the ACL on the branch does not allow it to leave.
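The two comments above both come down to the same check: the crypto ACL (interesting-traffic rule) on each peer has to be the mirror image of the other, and a given branch-to-HQ flow has to fall inside both. The script below is an added example, not the attached Mel_Site or ASA config and not anything arnold posted; it parses IOS-style (wildcard-mask) and ASA "extended" (subnet-mask) permit lines, lists entries with no mirror on the other peer, and classifies a flow the way the troubleshooting steps do (not interesting on the branch, interesting on the branch but outside the ASA rule, or covered on both). The ACL lines and the 10.10.20.5 address are constructed for illustration.

```python
"""Mirror-check two IPsec crypto ACLs and classify a branch-originated flow.

Added example, not the configs attached to the question. IOS lines use
wildcard masks; ASA "extended" lines use subnet masks. Sample ACL text
below is constructed, not copied from the real devices.
"""
import ipaddress
import re

# Constructed sample lines (not the real Mel_Site or ASA config).
BRANCH_ACL = """
access-list 110 permit ip 10.21.0.0 0.0.255.255 10.10.0.0 0.0.255.255
access-list 110 deny   ip any any
"""

ASA_ACL = """
access-list VPN-Branch1 extended permit ip 10.10.5.0 255.255.255.0 10.21.1.0 255.255.255.0
access-list VPN-Branch1 extended permit ip host 10.10.5.240 10.21.0.0 255.255.0.0
"""

_PERMIT = re.compile(r"^access-list\s+\S+\s+(?:extended\s+)?permit\s+ip\s+(.+)$")


def _take_net(tokens, wildcard):
    """Consume one src/dst spec ('any', 'host X', or 'X MASK') and return an ip_network."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    mask = tokens.pop(0)
    if wildcard:
        # IOS wildcard: 0 bits are significant, so invert it to get the netmask.
        mask = str(ipaddress.ip_address(int(ipaddress.ip_address(mask)) ^ 0xFFFFFFFF))
    return ipaddress.ip_network(f"{tok}/{mask}", strict=False)


def parse_crypto_acl(text, wildcard):
    """Return [(src_net, dst_net), ...] for the permit entries of a crypto ACL."""
    entries = []
    for line in text.strip().splitlines():
        m = _PERMIT.match(line.strip())
        if not m:
            continue  # deny lines and remarks never define interesting traffic
        tokens = m.group(1).split()
        src = _take_net(tokens, wildcard)
        dst = _take_net(tokens, wildcard)
        entries.append((src, dst))
    return entries


def unmirrored(local, remote):
    """Entries of `local` whose exact mirror (dst, src) is absent on `remote`.

    A /16 on one side and a /24 on the other is the classic proxy-ID mismatch:
    the tunnel may come up only when the narrower side initiates.
    """
    remote_mirrors = {(dst, src) for src, dst in remote}
    return [e for e in local if e not in remote_mirrors]


def flow_status(src_ip, dst_ip, branch, asa):
    """Classify a flow that originates on the branch LAN."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    branch_ok = any(s in sn and d in dn for sn, dn in branch)
    # Seen from the ASA, the same flow runs in the reverse direction of its entries.
    asa_ok = any(d in sn and s in dn for sn, dn in asa)
    if not branch_ok:
        return "not interesting on branch: never enters the tunnel"
    if not asa_ok:
        return "encrypted by branch but outside the ASA crypto ACL: dropped at HQ"
    return "covered on both peers: look past the crypto ACLs (path, NAT, inspect)"


if __name__ == "__main__":
    branch = parse_crypto_acl(BRANCH_ACL, wildcard=True)
    asa = parse_crypto_acl(ASA_ACL, wildcard=False)
    for e in unmirrored(branch, asa):
        print("branch entry without ASA mirror:", e)
    for e in unmirrored(asa, branch):
        print("ASA entry without branch mirror:", e)
    for src, dst in [("10.21.1.6", "10.10.5.240"), ("10.21.1.6", "10.10.20.5")]:
        print(src, "->", dst, ":", flow_status(src, dst, branch, asa))
```

Paste the real `access-list` lines from `show running-config` on each device into the two strings and run it; any entry it reports as unmirrored is the first thing to fix, and a flow reported as covered on both peers means the crypto ACLs are not the blocker and the path, NAT or `inspect icmp` should be looked at next.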
 
Avis Moonsamy (Technical Consultant, Author) commented:
On the branch, I can see the traffic hitting the VPN-Vocus ACL, but if I do a traceroute, it just reaches the gateway of 10.21.1.1 and times out.

Traceroute from Branch to HQ

Tracing route to mngdc01.maps.local [10.10.5.240]
over a maximum of 30 hops:

  1    <1 ms     1 ms    <1 ms  10.21.1.1
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.
  7     *        *        *     Request timed out.
  8     *        *        *     Request timed out.
  9     *        *        *     Request timed out.
 10     *        *        *     Request timed out.
 11     *        *        *     Request timed out.
 12     *        *        *     Request timed out.
 13     *        *        *     Request timed out.
 14     *        *        *     Request timed out.
 15     *        *        *     Request timed out.
 16     *        *        *     Request timed out.

HQ to Branch

Tracing route to exchangeknx.mng.net.au [10.21.1.6]
over a maximum of 30 hops:

  1     1 ms     1 ms     1 ms  10.10.5.254
  2     1 ms    <1 ms    <1 ms  10.10.250.2
  3     2 ms     2 ms     2 ms  192.168.240.2
  4     3 ms     3 ms     3 ms  10.250.15.93
  5     3 ms     3 ms     3 ms  10.250.15.92
  6     *        *        *     Request timed out.
  7   119 ms    78 ms    79 ms  exchangeknx.mng.net.au [10.21.1.6]

HQ to Branch Gateway (times out for some reason)
Tracing route to 10.21.1.1 over a maximum of 30 hops

  1     1 ms     2 ms     1 ms  10.10.5.254
  2    <1 ms    <1 ms    <1 ms  10.10.250.2
  3     2 ms     2 ms     2 ms  192.168.240.2
  4     3 ms     3 ms     3 ms  10.250.15.93
  5     3 ms     3 ms     3 ms  10.250.15.92
  6     *        *        *     Request timed out.
  7     *        *        *     Request timed out.
  8     *        *        *     Request timed out.

Notes: The ASA is connected to an ISP MPLS network.
 
arnold commented:
MPLS network, but you are using VPN. Is this a VPN between the ASA and the 4G, or are there things in between?

The following is a VPN troubleshooter guide for use on the ASA to see if the packet makes it there.

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/119141-configure-asa-00.html#anc17
The issue with timeouts is that it is dual, i.e. the packet does not leave, or the packet leaves and there is no response.


Double-check that the path from the ASA to the branch in question is not flowing through a different VPN.

Where do the 192.168.240.1 and 10.250.15.252,253 come into play?

Not familiar with the branch; if you ping the gateway at the branch, do you get a response?
 
arnold commented:
You should request attention and have your upload masked; you've included emails, etc., that you might not have wanted in the ASA config. Not sure the ASA config is complete; cannot see the NAT rule.
 
Avis Moonsamy (Technical Consultant, Author) commented:
I have set it up as a VPN between ASA and the 4G Router. These IPs are part of the ISP's MPLS network.

Do you reckon that it could be the ISP MPLS network to be the culprit?

From the branch, I can only ping the ASA public IP.
 
Avis Moonsamy (Technical Consultant, Author) commented:
That is the full ASA config. The ASA is managed by the ISP and they configured their side and I configured the Cisco 4G.
 
Avis Moonsamy (Technical Consultant, Author) commented:
Issue was the MPLS ISP.
 
Avis Moonsamy (Technical Consultant, Author) commented:
Thanks to Arnold for really helping me out of this issue.
Question has a verified solution.