VPN Subnet Translation problem between MX100/ASA5515 and MX64 - AutoVPN
Hello everybody,
I have the following construct with a customer.
At the main site there is an ASA5515 and behind it an MX100.
There is an MX64 at the remote location. The ASA lets everything through towards the MX100 and nothing is
blocked at this point in time. The auto VPN tunnel is active and data from the remote site to the main site
flows smoothly and I can reach everything I would like to reach.
But if I try to reach the remote location from the main location, my traceroute only gets
to the MX100. The traffic does not go into the tunnel to the remote site.
On the ASA I have a static route for the remote network and the MX100 as a gateway.
According to the documentation there is something like "VPN Subnet Translation", but unfortunately I can't find it.
Ideas?
Main Site local network: 192.168.57.0/24
Remote Site local Network: 10.0.1.0/24
ASA static route to 10.0.1.0/24 Gateway 192.168.54.254 (IP of MX100)
"VPN Subnet Translation" is only needed if you have sites with identical IP networks and you can't renumber any of them.
Based on your addressing, I assume that the MX is configured as a one-armed concentrator in an ASA DMZ?
You say that data from remote-to-main flows. Does this mean you have bidirectional communication? Then there is obviously no routing problem.
It still could be an access-control-problem on the ASA and/or MX.
Capture the traffic along the way from source to destination. I would start with:
1) ASA outgoing interface
2) main MX VPN Tunnel
3) Branch MX
Did you set routes to the ASA?
Is 192.168.54.x/x a VPN VLAN/subnet?
The ASA is not a router.
At a minimum you'll need:
same-security-traffic permit intra-interface
To allow traffic that comes in one interface to be routed out the same interface.
The ACL on the inside interface will also need to allow the traffic.
Depending on your NAT rules you may need to create a NAT exemption as well.
Use the ASDM and monitor the IP address you are trying to access to see what the ASA is complaining about next.
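The ASA-side pieces named in this reply (hairpin permission, inside ACL, NAT exemption, static route) and the capture suggested two replies earlier, pulled together as one added example. This is not configuration from the original poster or from Cisco/Meraki documentation; it uses the thread's addresses (main LAN 192.168.57.0/24, branch LAN 10.0.1.0/24, MX100 at 192.168.54.254) and assumes the ASA interface facing the MX100 is named `inside`, holds an address in 192.168.54.0/24, and also reaches the 192.168.57.0/24 LAN, so that main-to-branch traffic enters and leaves the same interface. The object, ACL and capture names are made up for the example.

```cisco
! Added example, not the poster's config. Interface name "inside",
! object names and ACL names are assumptions.

! 1) Let a packet that arrived on "inside" be routed back out of "inside".
!    Only needed when the LAN clients and the MX100 sit behind the same
!    ASA interface; if the MX100 is on a separate DMZ interface, skip this.
same-security-traffic permit intra-interface

! 2) Static route: branch LAN is reached via the MX100 (thread's addresses).
route inside 10.0.1.0 255.255.255.0 192.168.54.254 1

! 3) Objects for the two LANs.
object network MAIN-LAN
 subnet 192.168.57.0 255.255.255.0
object network BRANCH-LAN
 subnet 10.0.1.0 255.255.255.0

! 4) NAT exemption (identity twice NAT) so main-to-branch traffic keeps its
!    real source and destination. "route-lookup" makes the ASA use the
!    routing table, not the NAT rule, to pick the egress interface.
nat (inside,inside) source static MAIN-LAN MAIN-LAN destination static BRANCH-LAN BRANCH-LAN no-proxy-arp route-lookup

! 5) Inbound ACL on "inside" must permit the flow (shown as a single line;
!    merge it into whatever ACL is already applied to the interface).
access-list INSIDE_IN extended permit ip object MAIN-LAN object BRANCH-LAN
access-group INSIDE_IN in interface inside

! 6) Verification. packet-tracer shows which phase (ACL, NAT, route) drops
!    a simulated ping from a main-site host to a branch host; the capture
!    confirms whether real packets to the branch leave via "inside" again.
packet-tracer input inside icmp 192.168.57.10 8 0 10.0.1.10 detailed
capture HAIRPIN interface inside match ip 192.168.57.0 255.255.255.0 10.0.1.0 255.255.255.0
show capture HAIRPIN
```

Read the packet-tracer output from the bottom up: the last phase listed with "Result: DROP" is the feature that still needs attention, which is exactly the "what the ASA is complaining about next" check described above. Remove the capture with `no capture HAIRPIN` once done.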
Check out this guide for allowing intra-interface traffic.
It's working now. I just changed it from "Routed" to "VPN Concentrator", modified some rules on the ASA, and I can now reach every network that I want to reach in both directions.