VPN Routing Issue - Can reach all devices from A to B, but from B cannot reach any devices in A

Hi,

I have set up an IPsec site-to-site VPN between an ASA and a Cisco 4G 897 router. The VPN is up and the setup is as follows:

HQ: 10.10.5.0/24----------ASA-----------------Site to Site VPN--------------------------------Cisco 4G---------------Branch Office 1: 10.21.1.0/24

From HQ, I can access the servers in the branch office (except that I cannot ping the gateway, 10.21.1.1).

But from the branch office, I cannot reach any devices in HQ.

All internet traffic from the branch office needs to go through the VPN as well.

Any suggestions as to what I missed here?

Configs attached:
Branch Office 1: Mel_Site-Config-EE.txt
ASA: asa-config.txt
Avis Moonsamy (Technical Consultant) asked:
Rob Williams commented:
It could be the Windows firewall. By default, when an exception is added, such as File and Print Sharing, it only grants access from the local subnet. When accessing from another subnet, such as when using a VPN, you usually have to add the remote subnet to the firewall exception, or change to "public", i.e. all.
Avis Moonsamy (Technical Consultant, Author) commented:
Hi Rob,

Windows Firewall is disabled on both remote servers and the test does not work from the Branch Office Router as well.
arnold commented:
Ping requires you add inspect icmp on the remote side or an equivalent.

The remote branch is on a dynamic IP; only the branch can keep the VPN up all the time.

Look at your interesting-traffic ACL rule; it sounds as though the rule on the ASA is what blocks the traffic from coming through, since traffic leaving the ASA is permitted to return.

Packet A enters the tunnel on the ASA side, gets encrypted, reaches the 4G, gets decrypted, exits the tunnel into the LAN and hits the resource. The response flows through the LAN into the tunnel, gets encrypted, enters the tunnel, reaches the ASA, gets decrypted and is allowed in.

The reverse from branch, the packet is seen as new and I think this is where it is blocked by ACL.

Your 4G seems to have the LAN-to-LAN as 10.10.0.0/16 to 10.21.0.0/16.

show crypto isakmp sa
show crypto ipsec sa

From each side this seems right.

I see on the ASA you allow traffic leaving an interface to return through the same interface.

You have several VPNs; it is difficult for me to determine which interface is currently in use, to match which access-list applies to this VPN tunnel.
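Arnold's point above is that the crypto (interesting-traffic) ACLs on the two peers have to be mirror images of each other, and that the ASA's ACL does not obviously cover 10.21.0.0/16 to 10.10.0.0/16. The following is an added example, not from the thread and not from either device's attached config: a small Python checker that parses the two ACLs (IOS wildcard masks on the 897, netmasks on the ASA), reports entries that have no mirror on the other side, and walks a branch-originated flow through both ends of the tunnel. The ACL names (VPN-HQ, VPN-BRANCH1) and the /16 and /24 entries are constructed to resemble the thread, not copied from the real configs.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    action: str                  # "permit" or "deny"
    src: ipaddress.IPv4Network   # local side of the device that owns the ACL
    dst: ipaddress.IPv4Network   # remote side


def _take_addr(tokens, style):
    """Consume one address spec from the token list; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    net, mask = tokens[0], tokens[1]
    if style == "ios":
        # IOS crypto ACLs use wildcard masks; invert to a netmask (0.0.0.0 -> /32).
        mask = ".".join(str(255 - int(o)) for o in mask.split("."))
    # ipaddress raises ValueError on a non-contiguous mask, which we want surfaced.
    return ipaddress.ip_network(f"{net}/{mask}", strict=False), tokens[2:]


def parse_acl(text, style):
    """Parse 'permit|deny ip <src> <dst>' entries; style is 'ios' (wildcard) or 'asa' (netmask)."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        idx = next((i for i, t in enumerate(tokens) if t in ("permit", "deny")), None)
        if idx is None or idx + 1 >= len(tokens) or tokens[idx + 1] != "ip":
            continue  # header lines, remarks, or non-'ip' entries we do not evaluate
        src, rest = _take_addr(tokens[idx + 2:], style)
        dst, _ = _take_addr(rest, style)
        entries.append(AclEntry(tokens[idx], src, dst))
    return entries


def unmirrored(local_acl, remote_acl):
    """Local permit entries whose exact reverse (dst -> src) is missing on the remote peer."""
    remote = {(e.src, e.dst) for e in remote_acl if e.action == "permit"}
    return [e for e in local_acl if e.action == "permit" and (e.dst, e.src) not in remote]


def is_interesting(acl, src_ip, dst_ip):
    """First-match evaluation of a flow against a crypto ACL, with the implicit deny at the end."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for e in acl:
        if s in e.src and d in e.dst:
            return e.action == "permit"
    return False


def check_flow(branch_acl, hq_acl, src_ip, dst_ip):
    """Walk a branch-originated packet through both tunnel ends.

    The branch encrypts it if (src, dst) matches its ACL; the HQ side accepts the
    decrypted packet (and encrypts the reply) only if the reversed pair matches its ACL.
    """
    return {
        "branch_encrypts": is_interesting(branch_acl, src_ip, dst_ip),
        "hq_proxy_matches": is_interesting(hq_acl, dst_ip, src_ip),
    }


# Constructed sample ACLs modelled on the thread (not the attached configs):
# a /16 LAN-to-LAN entry plus an "all internet via the VPN" entry on the branch,
# and only a narrower /24 pair on the ASA.
BRANCH_ACL = """
ip access-list extended VPN-HQ
 permit ip 10.21.0.0 0.0.255.255 10.10.0.0 0.0.255.255
 permit ip 10.21.0.0 0.0.255.255 any
"""
ASA_ACL = """
access-list VPN-BRANCH1 extended permit ip 10.10.5.0 255.255.255.0 10.21.1.0 255.255.255.0
"""
BRANCH = parse_acl(BRANCH_ACL, "ios")
ASA = parse_acl(ASA_ACL, "asa")

if __name__ == "__main__":
    for e in unmirrored(BRANCH, ASA):
        print(f"branch entry {e.src} -> {e.dst} has no mirror on the ASA")
    for e in unmirrored(ASA, BRANCH):
        print(f"ASA entry {e.src} -> {e.dst} has no mirror on the branch")
    for dst in ("10.10.5.240", "8.8.8.8"):
        print(f"10.21.1.6 -> {dst}:", check_flow(BRANCH, ASA, "10.21.1.6", dst))
```

Two things the run shows that the thread only hints at: the 10.21.1.6 to 10.10.5.240 flow is accepted at both ends even though the entries are not exact mirrors (the /16 and /24 overlap for those hosts), while the branch's internet-via-VPN entry has no twin on the ASA at all, so the branch encrypts that traffic and the ASA has no matching proxy ID for it. Non-mirrored entries are still worth fixing even when a test flow passes: the initiating side proposes its own proxy IDs, and if the responder's ACL does not match them exactly, phase 2 negotiation for that traffic can fail.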
Avis Moonsamy (Technical Consultant, Author) commented:
Hi Arnold,

"The reverse from branch, the packet is seen as new and I think this is where it is blocked by ACL." I agree this is where the problem is. Any suggestions how to troubleshoot this further? Am running out of ideas...
arnold commented:
I am having difficulty identifying the access-list on the ASA side that allows the traffic from 10.21.0.0 255.255.0.0 to 10.10.0.0 255.255.0.0.

Your ASA split-tunnel VPN:
Double check that the resources you are trying to access are part of the rule.

Look at VPN-Vocus on the branch to make sure the IPs from which you are attempting the access are not limited by that.

Run a debug for source IP 10.21.0.0 255.255.0.0 in the VPN on the ASA while trying to access from the branch, to see if it gets to the ASA.
If not, you know the ACL on the branch does not allow it to leave.
Avis Moonsamy (Technical Consultant, Author) commented:
On the branch, I can see the traffic hitting the VPN-Vocus ACL, but if I do a traceroute, it just reaches the gateway of 10.21.1.1 and times out.

Traceroute from Branch to HQ

Tracing route to mngdc01.maps.local [10.10.5.240]
over a maximum of 30 hops:

  1    <1 ms     1 ms    <1 ms  10.21.1.1
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.
  7     *        *        *     Request timed out.
  8     *        *        *     Request timed out.
  9     *        *        *     Request timed out.
 10     *        *        *     Request timed out.
 11     *        *        *     Request timed out.
 12     *        *        *     Request timed out.
 13     *        *        *     Request timed out.
 14     *        *        *     Request timed out.
 15     *        *        *     Request timed out.
 16     *        *        *     Request timed out.

HQ to Branch

Tracing route to exchangeknx.mng.net.au [10.21.1.6]
over a maximum of 30 hops:

  1     1 ms     1 ms     1 ms  10.10.5.254
  2     1 ms    <1 ms    <1 ms  10.10.250.2
  3     2 ms     2 ms     2 ms  192.168.240.2
  4     3 ms     3 ms     3 ms  10.250.15.93
  5     3 ms     3 ms     3 ms  10.250.15.92
  6     *        *        *     Request timed out.
  7   119 ms    78 ms    79 ms  exchangeknx.mng.net.au [10.21.1.6]

HQ to Branch Gateway (times out for some reason)
Tracing route to 10.21.1.1 over a maximum of 30 hops

  1     1 ms     2 ms     1 ms  10.10.5.254
  2    <1 ms    <1 ms    <1 ms  10.10.250.2
  3     2 ms     2 ms     2 ms  192.168.240.2
  4     3 ms     3 ms     3 ms  10.250.15.93
  5     3 ms     3 ms     3 ms  10.250.15.92
  6     *        *        *     Request timed out.
  7     *        *        *     Request timed out.
  8     *        *        *     Request timed out.

Notes: The ASA is connected to an ISP MPLS network.
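To read traces like the ones above more systematically, here is an added example (not from the thread, not any vendor tool) in Python that parses Windows tracert output, finds the last hop that answered, separates silent hops in the middle of a path from timeouts after the last answer, and states whether the target was reached. The three sample traces are constructed from the ones posted above, trimmed to fewer timed-out lines; the hostnames and addresses are the thread's.

```python
import re

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*\S)\s*$")   # "  1    <1 ms     1 ms    <1 ms  10.21.1.1"
IP_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")
TARGET_RE = re.compile(r"Tracing route to (?:\S+ \[)?(\d{1,3}(?:\.\d{1,3}){3})")


def parse_hops(text):
    """Return [(hop_number, ip_or_None)] from Windows tracert output; None means timed out."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # header, blank, or non-hop line
        n, rest = int(m.group(1)), m.group(2)
        if "Request timed out" in rest:
            hops.append((n, None))
        else:
            ip = IP_RE.search(rest)  # bare IP or "hostname [ip]"
            hops.append((n, ip.group(1) if ip else None))
    return hops


def analyze_trace(text):
    """Summarise one tracert run: target, last answering hop, silent/trailing hops, verdict."""
    m = TARGET_RE.search(text)
    target_ip = m.group(1) if m else None
    hops = parse_hops(text)
    answered = [(n, ip) for n, ip in hops if ip is not None]
    last = answered[-1] if answered else None
    last_n = last[0] if last else 0
    reached = last is not None and last[1] == target_ip
    # A silent hop before the last answer is a device that simply does not send
    # TTL-exceeded replies (common for a tunnel endpoint); timeouts after the last
    # answer are the "no reply" condition we are trying to locate.
    silent = [n for n, ip in hops if ip is None and n < last_n]
    trailing = [n for n, ip in hops if ip is None and n > last_n]
    if reached:
        verdict = "reached"
    elif last is None:
        verdict = "no replies at all"
    elif last_n == 1:
        verdict = "stops at the local gateway"
    else:
        verdict = f"stops after hop {last_n} ({last[1]})"
    return {"target": target_ip, "hops": len(hops), "last_answering": last,
            "silent_before_last": silent, "trailing_timeouts": trailing,
            "reached": reached, "verdict": verdict}


# Constructed samples, trimmed from the traces posted in the thread.
BRANCH_TO_HQ = """
Tracing route to mngdc01.maps.local [10.10.5.240]
over a maximum of 30 hops:

  1    <1 ms     1 ms    <1 ms  10.21.1.1
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
"""
HQ_TO_BRANCH = """
Tracing route to exchangeknx.mng.net.au [10.21.1.6]
over a maximum of 30 hops:

  1     1 ms     1 ms     1 ms  10.10.5.254
  2     1 ms    <1 ms    <1 ms  10.10.250.2
  3     2 ms     2 ms     2 ms  192.168.240.2
  4     3 ms     3 ms     3 ms  10.250.15.93
  5     3 ms     3 ms     3 ms  10.250.15.92
  6     *        *        *     Request timed out.
  7   119 ms    78 ms    79 ms  exchangeknx.mng.net.au [10.21.1.6]
"""
HQ_TO_GW = """
Tracing route to 10.21.1.1 over a maximum of 30 hops

  1     1 ms     2 ms     1 ms  10.10.5.254
  2    <1 ms    <1 ms    <1 ms  10.10.250.2
  3     2 ms     2 ms     2 ms  192.168.240.2
  4     3 ms     3 ms     3 ms  10.250.15.93
  5     3 ms     3 ms     3 ms  10.250.15.92
  6     *        *        *     Request timed out.
  7     *        *        *     Request timed out.
  8     *        *        *     Request timed out.
"""

if __name__ == "__main__":
    for name, trace in (("Branch to HQ", BRANCH_TO_HQ), ("HQ to Branch", HQ_TO_BRANCH),
                        ("HQ to Branch gateway", HQ_TO_GW)):
        print(name, analyze_trace(trace))
```

The three verdicts line up with Arnold's "dual" reading of a timeout: the branch-to-HQ trace dies at the local gateway, which on its own cannot tell you whether the 897 never encrypted the packet or sent it and nothing came back (hence the next step of debugging on the ASA), while HQ-to-branch reaches the host with only a silent middle hop, and the trace to the branch gateway gets through the MPLS hops and then stops, consistent with a device that does not answer probes addressed to itself over the tunnel.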
arnold commented:
MPLS network, but you are using a VPN; is this a VPN between the ASA and the 4G, or are there things in between?

The following is a VPN troubleshooting guide for use on the ASA to see if the packet makes it there.

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/119141-configure-asa-00.html#anc17
The issue with timeouts is that it is dual, i.e. either the packet does not leave, or the packet leaves and there is no response.

Double check that the path from the ASA to the branch in question is not flowing through a different VPN.

Where do 192.168.240.1 and 10.250.15.252/253 come into play?

Not familiar with the branch; if you ping the gateway at the branch, do you get a response?
arnold commented:
You should request attention and have your upload masked; you've included emails, etc. that you might not have wanted in the ASA config. Not sure the ASA config is complete, I cannot see the NAT rule.
Avis Moonsamy (Technical Consultant, Author) commented:
I have set it up as a VPN between ASA and the 4G Router. These IPs are part of the ISP's MPLS network.

Do you reckon the ISP MPLS network could be the culprit?

From the branch, I can only ping the ASA public IP.
Avis Moonsamy (Technical Consultant, Author) commented:
That is the full ASA config. The ASA is managed by the ISP and they configured their side and I configured the Cisco 4G.
arnold commented:
The ASA does not seem to have the IP 116 that the 4G has as the peer address.
The ASA outside seems to be 10.10.250.

See the ASA config.
https://www.cisco.com/c/en/us/td/docs/security/asa/asa94/config-guides/cli/firewall/asa-94-firewall-config/nat-reference.html

HQ to branch works, so the paths are there.

Check the crypto on the 4G to confirm packets are leaving your 4G via the tunnel and not hitting an ACL on your side.

Double check with the MPLS ISP to see what they see on the ASA, unless you can.

Is the public IP on the ASA NATed by an upstream router?
Avis Moonsamy (Technical Consultant, Author) commented:
Issue was the MPLS ISP.
Avis Moonsamy (Technical Consultant, Author) commented:
Thanks to Arnold for really helping me out of this issue.