Asked by ThePhreakshow

Cisco ASA Site to Site VPN - certain subnets

I am trying to access another internal network that is behind a different router than the default one listed on the ASA via a site-to-site VPN

Some reference points:

ASA Inside -
Default Inside Router - (directly connected)

The network I am trying to access is 192.168.100.x

I can ping anything on the 100.x network no problem from the ASA or anything else on the 1.x network.

I cannot, however, get to that network via the remote side of the site to site VPN.

The remote site can get to all other networks that are behind the ASA (including the 1.x or even the DMZ) but cannot get to this 100.x network... It is included in the remote routers group of addresses to send across the VPN, so it must be something the ASA cannot handle, as it dies at the remote router and never makes it to the ASA.

Here are some potentially helpful parts of the config:

access-list outside_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 object Jaguar-Net-VPN

nat (inside,outside) source static DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2 destination static Jaguar-Net-VPN Jaguar-Net-VPN no-proxy-arp route-lookup
nat (dmz,outside) source static DMZ-Net DMZ-Net destination static Jaguar-Net-VPN Jaguar-Net-VPN no-proxy-arp route-lookup

route inside 1

*** For reference, DM_INLINE_NETWORK_1 includes the 100.x network I cannot reach. DM_INLINE_NETWORK_2 also includes the 100.x network I cannot reach. They both include all the other networks that I CAN reach. JAGUAR-NET-VPN is the network at the remote site.


8/22/2022 - Mon


All of the source networks are in the cyptomap with the remote subnet as the destination.
NAT is in place, inside to outside with all of the source networks and remote subnet as the destination.

There are a total of six source networks, all of which I can reach, except this one. It is behind a different router than the default one for the ASA, but the ASA default router is aware of this other network and forwards on to the other router. This is proven, as I can reach the ASA no problem from the subnet that is behind the second router.

I'm afraid you've lost me on the network config, a diagram might be useful.
Pete Long

It has to be part of the access-lists
One defining interesting traffic to get them to enter/leave the tunnel.
The other is whether the traffic is allowed to enter or leave each respective side.

Ping confirms a path so something else might be preventing the specific access

Posting sanitized ASA config

Network Map

The VPN site can get to the internal networks on A, B and C. Sites A,B and C can reach all of the other vLan networks at any site (well, except for the guest). vLans 2,3,4,5 all traverse the MPLS and go out the 100MB DIA circuit at Site A....

Your diagram shows to be local to the ASA, but your first post has a route to via, these do not match up, which is correct ?

If the is local to the ASA, and on the other side of, it is not possible for any traffic from the ASA to reach the remote network.

If is not local to  the ASA, and only connected to, does the router on have a route for pointing at the ASA ?

The router at is the default gateway for everything on the ASA network. I am able to reach remote sites from the VPN site via the router. I cannot reach networks on vLan4 on the router, but it does have a route for traffic that points it back to the router.

Reference to ips only you know.

What do you mean another router?

How or what IPs are available on the other side of the ? The routing paths might be your issue.

Can you please address the first question in my previous post


You are correct. While that 192.168.100.x network (vLan4) is accessible by the others, it is technically "behind" that router at That router handles the separate incoming 100MB DIA circuit and DHCP for vLans 3,4,5. 192.168.100.x is our security cameras and NVRs that all use as their gateway to go out via the DIA rather than take up bandwidth on the 50MB that is coming into the ASA.

I hope that clears things up a bit!

This requires that you have static routes that VPN originating traffic routes through based on a static route on the ASA has to match a routing rule on the to route the VPN ops back to the 192.168.1.254 versus being sent elsewhere.
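To make the routing requirement from the last reply concrete, the following is an added example configuration (not taken from the thread and not the asker's sanitized config) for an ASA 8.3+ carrying a subnet that sits behind a second internal router over a site-to-site tunnel. The object names, the 192.168.100.0/24 camera subnet and the 192.168.1.254 address come from the thread; the remote subnet 10.99.0.0/24, the second router's address 192.168.1.253 and the assumption that 192.168.1.254 is the ASA inside address are constructed placeholders for illustration.

```cisco
! --- Objects (constructed values; replace with the real subnets) ---
object network Jaguar-Net-VPN
 subnet 10.99.0.0 255.255.255.0          ! remote site subnet (assumed)
object network Camera-Net
 subnet 192.168.100.0 255.255.255.0      ! vLan4 behind the second router
object-group network DM_INLINE_NETWORK_1
 network-object object Camera-Net        ! plus the other five local networks
object-group network DM_INLINE_NETWORK_2
 network-object object Camera-Net        ! plus the other five local networks

! 1. Interesting traffic: the crypto ACL must list the subnet as a source
!    towards the remote site (the ASA uses the mirror image for inbound).
access-list outside_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 object Jaguar-Net-VPN

! 2. Identity (twice) NAT so tunnel traffic keeps its real addresses.
!    "route-lookup" makes the ASA pick the egress interface from the routing
!    table for the return direction, so the ASA needs a usable route to the subnet.
nat (inside,outside) source static DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2 destination static Jaguar-Net-VPN Jaguar-Net-VPN no-proxy-arp route-lookup

! 3. Forward path from the ASA. A specific route is preferable to relying on
!    the default inside router to relay to the second router.
route inside 192.168.100.0 255.255.255.0 192.168.1.253

! 4. Return path (IOS syntax, assumed) on the router that owns 192.168.100.0/24.
!    Hosts on vLan4 use that router as their gateway, so without this route
!    replies to the remote site leave via the router's own DIA circuit and
!    never reach the ASA or the tunnel. Configured on the second router:
!    ip route 10.99.0.0 255.255.255.0 192.168.1.254

! 5. Verification on the ASA (existing show/diagnostic commands):
!    packet-tracer input inside icmp 192.168.100.10 8 0 10.99.0.10
!      -> walks the flow through NAT, route lookup and VPN phases; a drop in the
!         VPN phase points at the crypto ACL, a drop in NAT at the NAT statement.
!    show crypto ipsec sa peer <remote-peer-ip>
!      -> one SA per proxy identity; pkts encaps/decaps counters show whether the
!         192.168.100.0/24 <-> 10.99.0.0/24 pair is being built and used at all.
```

The practical symptom described in the thread (ICMP from the ASA itself works, traffic sourced from the remote site does not) is typical of a missing return route on the second router: the ASA sources its own pings from an address the router already knows, whereas the remote subnet is unknown to it and follows its default route out the DIA circuit.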