Cisco ASA Site to Site VPN - certain subnets

ThePhreakshow asked:

I am trying to access another internal network that is behind a different router than the default one listed on the ASA via a site-to-site VPN

Some reference points:

ASA Inside -
Default Inside Router - (directly connected)

The network I am trying to access is 192.168.100.x

I can ping anything on the 100.x network no problem from the ASA or anything else on the 1.x network.

I cannot, however, get to that network via the remote side of the site to site VPN.

The remote site can get to all other networks that are behind the ASA (including the 1.x or even the DMZ) but cannot get to this 100.x network. It is included in the remote router's group of addresses to send across the VPN, so it must be something the ASA cannot handle, as it dies at the remote router and never makes it to the ASA.

Here are some potentially helpful parts of the config:

access-list outside_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 object Jaguar-Net-VPN

nat (inside,outside) source static DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2 destination static Jaguar-Net-VPN Jaguar-Net-VPN no-proxy-arp route-lookup
nat (dmz,outside) source static DMZ-Net DMZ-Net destination static Jaguar-Net-VPN Jaguar-Net-VPN no-proxy-arp route-lookup

route inside 1

*** For reference, DM_INLINE_NETWORK_1 includes the 100.x network I cannot reach. DM_INLINE_NETWORK_2 also includes the 100.x network I cannot reach. They both include all the other networks that I CAN reach. Jaguar-Net-VPN is the network at the remote site.
ArneLovius (United Kingdom) replied. This solution is only available to Experts Exchange members.

ThePhreakshow:
All of the source networks are in the crypto map with the remote subnet as the destination.
NAT is in place, inside to outside with all of the source networks and remote subnet as the destination.

There are a total of six source networks, all of which I can reach, except this one. It is behind a different router than the default one for the ASA, but the ASA default router is aware of this other network and forwards on to the other router. This is proven, as I can reach the ASA no problem from the subnet that is behind the second router.
I'm afraid you've lost me on the network config, a diagram might be useful.
It has to be part of the access-lists:
one defining interesting traffic to get it to enter/leave the tunnel,
the other defining whether the traffic is allowed to enter or leave each respective side.

Ping confirms a path, so something else might be preventing the specific access.

Posting sanitized ASA config.
The VPN site can get to the internal networks on A, B and C. Sites A, B and C can reach all of the other vLan networks at any site (well, except for the guest). vLans 2, 3, 4 and 5 all traverse the MPLS and go out the 100MB DIA circuit at Site A.
Your diagram shows to be local to the ASA, but your first post has a route to via; these do not match up. Which is correct?

If the is local to the ASA, and on the other side of, it is not possible for any traffic from the ASA to reach the remote network.

If is not local to the ASA, and only connected to, does the router on have a route for pointing at the ASA?
The router at is the default gateway for everything on the ASA network. I am able to reach remote sites from the VPN site via the router. I cannot reach networks on vLan4 on the router, but it does have a route for traffic that points it back to the router.
Reference to IPs only you know.

What do you mean another router?

How or what IPs are available on the other side of the ? The routing paths might be your issue.
Can you please address the first question in my previous post

You are correct. While that 192.168.100.x network (vLan4) is accessible by the others, it is technically "behind" that router at That router handles the separate incoming 100MB DIA circuit and DHCP for vLans 3, 4 and 5. 192.168.100.x is our security cameras and NVRs, which all use as their gateway to go out via the DIA rather than take up bandwidth on the 50MB that is coming into the ASA.

I hope that clears things up a bit!
This requires that you have static routes that VPN-originating traffic routes through: a static route on the ASA has to match a routing rule on the to route the VPN traffic back to 192.168.1.254 rather than being sent elsewhere.
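To make the pieces under discussion concrete, here is an added example that covers both the question's config snippet (crypto ACL, identity NAT, route) and the closing point about return routing through the second router. It is not the poster's configuration, which was sanitized; 192.168.1.254 and 192.168.100.0/24 are taken from the thread, and every other address (the inside router, the second router, the Jaguar-Net-VPN subnet, the remote peer) is an assumption for illustration, as is the use of IOS syntax for the second router.

```cisco
! Added example, not the poster's configuration. Assumed addresses:
!   inside default router (ASA default gateway)   192.168.1.1
!   second router, 1.x side / vLan4 side          192.168.1.2 / 192.168.100.1
!   Jaguar-Net-VPN (remote site)                  10.50.0.0/24
!   remote VPN peer                               203.0.113.10
!
! ===== ASA: the three places 192.168.100.0/24 has to appear =====
object network Cameras-Net
 subnet 192.168.100.0 255.255.255.0
object network Jaguar-Net-VPN
 subnet 10.50.0.0 255.255.255.0
!
! 1. Interesting traffic: the crypto ACL bound to the outside crypto map.
object-group network DM_INLINE_NETWORK_1
 network-object object Cameras-Net
access-list outside_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 object Jaguar-Net-VPN
!
! 2. Identity (exempt) NAT so VPN traffic keeps its real addresses.
!    route-lookup makes the ASA pick the egress interface from the
!    routing table instead of from the rule's interface pair.
object-group network DM_INLINE_NETWORK_2
 network-object object Cameras-Net
nat (inside,outside) source static DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2 destination static Jaguar-Net-VPN Jaguar-Net-VPN no-proxy-arp route-lookup
!
! 3. A route for the camera network out the inside interface. Without it the
!    route-lookup above falls through to the default route (outside) and the
!    decrypted packet is dropped. The next hop can be the inside default
!    router or the second router directly; here the second router is used.
route inside 192.168.100.0 255.255.255.0 192.168.1.2 1
!
! ===== ASA: verification =====
! Simulate a decrypted packet from a remote host to a camera. The output
! shows which phase drops it (VPN/proxy ACL, NAT, ROUTE-LOOKUP, ACCESS-LIST).
packet-tracer input outside icmp 10.50.0.20 8 0 192.168.100.10 detailed
!
! Per-proxy-identity counters for this peer. For the
! 192.168.100.0/24 <-> 10.50.0.0/24 pair, "#pkts decaps" rising while
! "#pkts encaps" stays at zero means the replies from the cameras are
! leaving by some path other than the tunnel.
show crypto ipsec sa peer 203.0.113.10
!
! ===== Second router (IOS syntax, assumed): return path =====
! Hosts in 192.168.100.0/24 use this router as their default gateway, and it
! otherwise sends 10.50.0.0/24 out the DIA circuit. Pin the remote subnet
! back to the ASA inside address so replies re-enter the tunnel.
ip route 10.50.0.0 255.255.255.0 192.168.1.254
```

The order of the checks matters: if packet-tracer shows the inbound packet reaching the inside interface but the cameras still do not answer, the fault is the asymmetric return path on the second router, not the ASA, and the crypto counters will show decaps without encaps for that proxy identity.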