VPN Subnet Translation-Problem between MX100/ASA5515 and MX64 - AuttVPN

Awacs2000
Conversationalist


Hello everybody,
I have the following setup with a customer.

At the main site there is an ASA5515 and behind it an MX100.
There is an MX64 at the remote location. The ASA lets everything through towards the MX100 and nothing is
blocked at this point in time. The auto VPN tunnel is active and data from the remote site to the main site
flows smoothly and I can reach everything I would like to reach.
But if I try to reach the remote location from the main location, my traceroute only gets
to the MX100. The traffic does not go into the tunnel to the remote site.
On the ASA I have a static route for the remote network and the MX100 as a gateway.
According to the documentation there is something like "VPN Subnet Translation", but unfortunately I can't find it.
Ideas?

Main Site local network: 192.168.57.0/24
Remote Site local Network: 10.0.1.0/24
ASA static route to 10.0.1.0/24 Gateway 192.168.54.254 (IP of MX100)

KarstenI
Kind of a big deal

"VPN Subnet Translation" is only needed if you have sites with identical IP networks and you can't renumber any of them.

Based on your addressing, I assume that the MX is configured as a one-armed concentrator in an ASA DMZ?

You say that data from remote-to-main flows. Does this mean you have bidirectional communication? Then there is obviously no routing problem.

It still could be an access-control-problem on the ASA and/or MX.

Capture the traffic along the way from source to destination. I would start with:

1) ASA outgoing interface

2) main MX VPN Tunnel

3) Branch MX
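The first capture point above, the ASA, can be done from the ASA CLI. The following is an added example, not part of the original reply; it assumes the ASA interface facing the MX100 is named "inside" and uses the subnets from the original post. On the two MX devices the equivalent is the dashboard packet capture (Network-wide > Packet capture), which has no CLI.

```cisco
! Added example (hypothetical interface name "inside"): capture both directions
! of the main-to-remote traffic as it enters and leaves the ASA.
capture CAP_VPN interface inside match ip 192.168.57.0 255.255.255.0 10.0.1.0 255.255.255.0
capture CAP_VPN interface inside match ip 10.0.1.0 255.255.255.0 192.168.57.0 255.255.255.0

! Separately capture anything the ASA drops, with the drop reason
capture CAP_DROP type asp-drop all

! Generate test traffic from a host in 192.168.57.0/24, then inspect
show capture CAP_VPN
show capture CAP_DROP
show asp drop

! Clean up when done
no capture CAP_VPN
no capture CAP_DROP
```

If CAP_VPN shows the request leaving towards 192.168.54.254 but nothing returning, the problem is at the MX100 or beyond; if the packet only appears in CAP_DROP, the reason shown there (for example an ACL or NAT drop) points at the ASA itself.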

ww
Kind of a big deal

Did you set routes to the ASA?

192.168.54.x/x is a vpn vlan/subnet?

PhilipDAth
Kind of a big deal

The ASA is not a router.

At a minimum you'll need:

same-security-traffic permit intra-interface

To allow traffic that comes in one interface to be routed out the same interface.

The ACL on the inside interface will also need to allow the traffic.

Depending on your NAT rules you may need to create a NAT exemption as well.

Use the ASDM and monitor the IP address you are trying to access to see what the ASA is complaining about next.
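The three items in the reply above (intra-interface permit, inside ACL, NAT exemption) as one complete ASA configuration. This is an added example, not configuration from the original thread, and it assumes a topology the post does not state: the ASA inside interface is 192.168.54.1/24, the MX100 (192.168.54.254) sits on that subnet, and the main LAN 192.168.57.0/24 is reached through an internal Layer 3 switch at 192.168.54.2. With that layout, traffic from the main LAN to the remote site enters and leaves the same ASA interface, which is exactly the hairpin case the reply describes. The interface, object and ACL names are made up for the example.

```cisco
! Assumed topology (not from the original post): inside = 192.168.54.0/24,
! MX100 at .254, main LAN 192.168.57.0/24 behind an L3 switch at .2.
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.54.1 255.255.255.0

! Routes: main LAN via the L3 switch, remote site via the MX100 (as in the post)
route inside 192.168.57.0 255.255.255.0 192.168.54.2
route inside 10.0.1.0 255.255.255.0 192.168.54.254

! 1) Allow traffic to leave the same interface it arrived on (hairpin)
same-security-traffic permit intra-interface

! Hypothetical object names for the two site networks
object network MAIN_LAN
 subnet 192.168.57.0 255.255.255.0
object network REMOTE_LAN
 subnet 10.0.1.0 255.255.255.0

! 2) NAT exemption: identity NAT so site-to-site traffic keeps its real
!    addresses instead of matching any dynamic PAT rule for Internet traffic.
!    Must appear before any broader nat (inside,outside) rules.
nat (inside,inside) source static MAIN_LAN MAIN_LAN destination static REMOTE_LAN REMOTE_LAN no-proxy-arp route-lookup

! 3) The ACL applied inbound on inside must permit both directions
access-list INSIDE_IN extended permit ip object MAIN_LAN object REMOTE_LAN
access-list INSIDE_IN extended permit ip object REMOTE_LAN object MAIN_LAN
access-group INSIDE_IN in interface inside

! CLI equivalent of watching the ASDM log: simulate a ping from a LAN host
! to a remote host and see which phase (ACL, NAT, route) drops it.
packet-tracer input inside icmp 192.168.57.10 8 0 10.0.1.10
```

packet-tracer prints one phase per check; the first phase whose result is DROP is the rule to fix. Run it again after each change rather than guessing, and keep the ACL tight to the two site subnets rather than "permit ip any any", since the MX100 is reachable from every inside host.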


Awacs2000
Conversationalist

It's working now. I just changed it from "Routed" to "VPN Concentrator", modified some rules on the ASA, and I can reach every network I want to reach in both directions now.
