ThePhreakshow asked:

Cisco ASA Site to Site VPN - certain subnets

I am trying to access another internal network that is behind a different router than the default one listed on the ASA, via a site-to-site VPN.

Some reference points:

ASA Inside - 192.168.1.1
Default Inside Router - 192.168.1.254 (directly connected)

The network I am trying to access is 192.168.100.x

I can ping anything on the 100.x network no problem from the ASA or anything else on the 1.x network.

I cannot, however, get to that network via the remote side of the site to site VPN.

The remote site can get to all other networks that are behind the ASA (including the 1.x or even the DMZ) but cannot get to this 100.x network... It is included in the remote router's group of addresses to send across the VPN, so it must be something the ASA cannot handle, as it dies at the remote router and never makes it to the ASA.

Here are some potentially helpful parts of the config:


access-list outside_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 object Jaguar-Net-VPN

nat (inside,outside) source static DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2 destination static Jaguar-Net-VPN Jaguar-Net-VPN no-proxy-arp route-lookup
nat (dmz,outside) source static DMZ-Net DMZ-Net destination static Jaguar-Net-VPN Jaguar-Net-VPN no-proxy-arp route-lookup

route inside 192.168.100.0 255.255.255.0 192.168.1.253 1

*** For reference, DM_INLINE_NETWORK_1 includes the 100.x network I cannot reach. DM_INLINE_NETWORK_2 also includes the 100.x network I cannot reach. They both include all the other networks that I CAN reach.  JAGUAR-NET-VPN is the network at the remote site, 192.168.0.0/24

Last comment: arnold, 8/22/2022 - Mon

ASKER CERTIFIED SOLUTION: ArneLovius

ThePhreakshow (ASKER)

All of the source networks are in the cryptomap with the remote subnet as the destination.
NAT is in place, inside to outside with all of the source networks and remote subnet as the destination.

There are a total of six source networks, all of which I can reach, except this one. It is behind a different router than the default one for the ASA, but the ASA default router is aware of this other network and forwards on to the other router. This is proven, as I can reach the ASA no problem from the subnet that is behind the second router.
ArneLovius

I'm afraid you've lost me on the network config, a diagram might be useful.
Pete Long

arnold

It has to be part of the access-lists
One defining interesting traffic to get them to enter/leave the tunnel.
The other is whether the traffic is allowed to enter or leave each respective side.

Ping confirms a path, so something else might be preventing the specific access.

Post a sanitized ASA config.
ThePhreakshow (ASKER)
Network Map
ThePhreakshow (ASKER)
The VPN site can get to the internal networks on A, B and C. Sites A,B and C can reach all of the other vLan networks at any site (well, except for the guest). vLans 2,3,4,5 all traverse the MPLS and go out the 100MB DIA circuit at Site A....
ArneLovius

Your diagram shows 192.168.100.0/24 to be local to the ASA, but your first post has a route to 192.168.100.0/24 via 192.168.1.253. These do not match up; which is correct?

If the 192.168.100.0/24 is local to the ASA, and on the other side of 192.168.1.253, it is not possible for any traffic from the ASA to reach the remote network.

If 192.168.100.0/24 is not local to the ASA, and only connected to 192.168.1.253, does the router on 192.168.1.253 have a route for 192.168.0.0/24 pointing at the ASA?
ThePhreakshow (ASKER)

The router at 192.168.1.254 is the default gateway for everything on the ASA network. I am able to reach remote sites from the VPN site via the router. I cannot reach networks on vLan4 on the 192.168.1.253 router, but it does have a route for 192.168.0.0/24 traffic that points it back to the 192.168.1.254 router.
arnold

You are referencing IPs only you know.

What do you mean another router?

How, or what, IPs are available on the other side of the 192.168.1.253? The routing paths might be your issue.
ArneLovius

Can you please address the first question in my previous post?
ThePhreakshow (ASKER)
Arne,

You are correct. While that 192.168.100.x network (vLan4) is accessible by the others, it is technically "behind" that router at 192.168.1.253. That router handles the separate incoming 100MB DIA circuit and DHCP for vLans 3, 4, 5. 192.168.100.x is our security cameras and NVRs, which all use 192.168.1.253 as their gateway to go out via the DIA rather than take up bandwidth on the 50MB that is coming into the ASA.

I hope that clears things up a bit!
arnold

This requires that you have static routes so that VPN-originating traffic routes through 192.168.1.253: the static route on the ASA has to match a routing rule on the 192.168.1.253 that routes the VPN traffic back to the 192.168.1.254, versus being sent elsewhere.
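The checks ArneLovius and arnold walk through above (is the subnet in the crypto ACL and NAT exemption, does the ASA have a path to it, and does the router it lives behind send replies for the VPN subnet back toward the ASA) can be modelled as a small path-tracing script. This is an added example, not code from the thread or from Cisco; the ASA route and ACL membership follow the original post, while the routing tables for 192.168.1.253 and 192.168.1.254 and the "dia-uplink"/"isp" next-hop names are constructed assumptions.

```python
import ipaddress as ipa

# Constructed model of the topology in the thread. The ASA's route and the ACL /
# NAT-exempt membership follow the post; the .253 and .254 tables are assumptions.
ASA = "192.168.1.1"                                   # ASA inside interface
REMOTE_VPN = ipa.ip_network("192.168.0.0/24")         # Jaguar-Net-VPN
CAMERAS = ipa.ip_network("192.168.100.0/24")          # vLan4, lives behind .253
CRYPTO_ACL = NAT_EXEMPT = [ipa.ip_network("192.168.1.0/24"), CAMERAS]
ASA_ROUTES = {CAMERAS: "192.168.1.253", ipa.ip_network("0.0.0.0/0"): "isp"}
R254 = {REMOTE_VPN: ASA, CAMERAS: "192.168.1.253", ipa.ip_network("0.0.0.0/0"): ASA}
R253_OK = {REMOTE_VPN: "192.168.1.254", ipa.ip_network("0.0.0.0/0"): "dia-uplink"}
R253_BAD = {ipa.ip_network("0.0.0.0/0"): "dia-uplink"}  # no route back for the VPN subnet

def next_hop(table, dst):
    """Longest-prefix match of dst against {network: next_hop}; None if no route."""
    hits = [n for n in table if dst.subnet_of(n)]
    return table[max(hits, key=lambda n: n.prefixlen)] if hits else None

def trace(start, dst, routers, goal, max_hops=8):
    """Follow next hops for dst from start; True if goal is reached before leaving the map."""
    path, hop = [start], start
    for _ in range(max_hops):
        if hop == goal:
            return path, True
        table = routers.get(hop)                      # unknown hop = left the mapped network
        hop = next_hop(table, dst) if table else None
        if hop is None:
            return path, False
        path.append(hop)
    return path, False

def check_vpn_subnet(local, gateway, routers):
    """List reasons the tunnel would fail for 'local', a subnet that lives behind 'gateway'."""
    findings = []
    if not any(local.subnet_of(n) for n in CRYPTO_ACL):
        findings.append("not in crypto ACL: traffic is never treated as interesting")
    if not any(local.subnet_of(n) for n in NAT_EXEMPT):
        findings.append("no NAT exemption: traffic is translated before it can match the tunnel")
    fwd, ok = trace(ASA, local, routers, gateway)
    if not ok:
        findings.append(f"ASA has no path to {local}: {' -> '.join(fwd)}")
    back, ok = trace(gateway, REMOTE_VPN, routers, ASA)
    if not ok:
        findings.append(f"replies to {REMOTE_VPN} exit via {back[-1]}, not the ASA: {' -> '.join(back)}")
    return findings

def run(r253_table):
    """Run the checks with a given table on 192.168.1.253 (the camera VLAN's gateway)."""
    routers = {ASA: ASA_ROUTES, "192.168.1.254": R254, "192.168.1.253": r253_table}
    return check_vpn_subnet(CAMERAS, "192.168.1.253", routers)
```

`run(R253_OK)` returns no findings, while `run(R253_BAD)` reports that replies for 192.168.0.0/24 leave through the DIA uplink instead of returning to the ASA, which is the asymmetric-return condition the thread is circling.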