Meraki

Community

VPN Subnet Translation-Problem between MX100/ASA5515 and MX64 - AuttVPN

Awacs2000
Conversationalist
‎Sep 21 2020 12:13 AM
‎Sep 21 2020 12:13 AM

VPN Subnet Translation-Problem between MX100/ASA5515 and MX64 - AuttVPN

Hello everybody,
I have the following construct with a customer.

At the main site there is an ASA5515 and behind it an MX100.
There is an MX64 at the remote location. The ASA lets everything through towards the MX100 and nothing is
blocked at this point in time. The auto VPN tunnel is active and data from the remote site to the main site
flows smoothly and I can reach everything I would like to reach.
But if I try to reach the remote location from the main location, my traceroute only gets
to the MX100. The traffic does not go into the tunnel to the remote site.
On the ASA I have a static route for the remote network and the MX100 as a gateway.
According to the documentation there is something like "VPN Subnet Translation", but unfortunately I can't find it.
Ideas?

Main Site local network: 192.168.57.0/24
Remote Site local Network: 10.0.1.0/24
ASA static route to 10.0.1.0/24 Gateway 192.168.54.254 (IP of MX100)

0 Kudos
5 Replies 5
KarstenI
Kind of a big deal
Kind of a big deal
‎Sep 21 2020 12:32 AM
‎Sep 21 2020 12:32 AM

"VPN Subnet Translation" is only needed if you have sites with identical IP networks and you can't renumber any of them.

Based on you addressing, I assume that the MX is configured as one-armed concentrator in an ASA-DMZ?

You say that data rom remote-to-main flows. Does this mean you have bidirectional communication? Then there is obvious no routing-problem.

It still could be an access-control-problem on the ASA and/or MX.

Capture the traffic along the way from source to destination. I would start with:

1) ASA outgoing interface

2) main MX VPN Tunnel

3) Branch MX

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
0 Kudos
In response to KarstenI
ww
Kind of a big deal
Kind of a big deal
‎Sep 21 2020 12:38 AM
‎Sep 21 2020 12:38 AM

Did you set routes to the asa?

192.168.54.x/x is a vpn vlan/subnet?

0 Kudos
In response to ww
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Sep 21 2020 1:00 AM
‎Sep 21 2020 1:00 AM

The ASA is not a router.

 

At a minimum you'll need:

same-security-traffic permit intra-interface

To allow traffic that comes in one interface to be routed out the same interface.

 

The ACL in the inside interface will also need to allow the traffic.

 

Depending on your NAT rules you may need to create a NAT exemption as well.

 

Use the ASDM and monitor the IP address you are trying to access to see what the ASA is complaining about next.

0 Kudos
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Sep 21 2020 1:01 AM
‎Sep 21 2020 1:01 AM

Check out this guide for allowing intra-interface traffic.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/vpn_p... 

0 Kudos
Awacs2000
Conversationalist
‎Sep 21 2020 3:55 AM
‎Sep 21 2020 3:55 AM

It´s working now. I just changed it from "Routed" to "VPN Concentrator", modified some rules on the ASA and I can reach every network now that I want to reach in both directions.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.