We configured a site-to-site VPN and here is the topology. I control the network on the left but not the one on the right. All devices in our network has public IPs.
Server---ASA5505---Cisco887======Internet=====ASA5510---devices
I can see the tunnel is up and can do extended ping using a loopback interface. From the 10.175 and 10.165 networks, they can also ping my loopback address. I can also dial in using a Cisco VPN client, and can connect to the devices on the right.
#show crypto session
Crypto session current status
Interface: Vlan3
Profile: xxx-profile
Session status: UP-ACTIVE
Peer: 213.121.x.x port 500
IKEv1 SA: local 77.245.x.x/500 remote 213.121.x.x/500 Active
IPSEC FLOW: permit ip 10.0.20.0/255.255.255.240 10.175.0.0/255.255.128.0
Active SAs: 0, origin: crypto map
IPSEC FLOW: permit ip 10.0.20.0/255.255.255.240 10.165.0.0/255.255.192.0
Active SAs: 2, origin: crypto map
#ping 10.165.29.39 source loopback 2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.165.29.39, timeout is 2 seconds:
Packet sent with a source address of 10.0.20.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/17/20 ms
My problem is the devices on the right cannot reach my server. They could only ping the loopback address and nothing else.
I'm pasting some diagnostics related to routing thinking perhaps routing is my issue. I can paste all the running-config on my side of network if needed.
#show ip int brief
Interface IP-Address OK? Method Status Protocol
ATM0 unassigned YES NVRAM administratively down down
Ethernet0 unassigned YES NVRAM administratively down down
FastEthernet0 unassigned YES unset up up connected to ASA
FastEthernet1 unassigned YES unset administratively down down
FastEthernet2 unassigned YES unset administratively down down
FastEthernet3 unassigned YES unset up up
Loopback1 10.0.20.65 YES NVRAM up up
Loopback2 10.0.20.1 YES NVRAM up up
Virtual-Template1 77.245.x.x YES unset up down
Virtual-Template2 77.245.x.x YES unset up down
Vlan1 unassigned YES unset down down
Vlan3 77.245.x.x YES NVRAM up up connected to the Internet
#show run | section ip route
ip route 0.0.0.0 0.0.0.0 77.245.x.x
ip route 213.121.240.36 255.255.255.255 Vlan3
#show access-list
Extended IP access list 102
10 permit ip 10.0.20.0 0.0.0.15 10.175.0.0 0.0.127.255 (3332 matches)
20 permit ip 10.0.20.0 0.0.0.15 10.165.0.0 0.0.63.255 (3498 matches)
#show vlan-switch
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active
3 VLAN0003 active Fa0, Fa1, Fa2, Fa3
1002 fddi-default act/unsup
1003 token-ring-default act/unsup
1004 fddinet-default act/unsup
1005 trnet-default act/unsup
#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override
Gateway of last resort is 77.245.x.x to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 77.245.x.x
10.0.0.0/8 is variably subnetted, 5 subnets, 3 masks
C 10.0.20.0/28 is directly connected, Loopback2
L 10.0.20.1/32 is directly connected, Loopback2
C 10.0.20.64/28 is directly connected, Loopback1
L 10.0.20.65/32 is directly connected, Loopback1
S 10.165.0.0/18 [1/0] via 213.121.x.x
77.0.0.0/8 is variably subnetted, 3 subnets, 3 masks
S 77.0.0.0/8 [1/0] via 77.245.x.x
C 77.245.x.x/29 is directly connected, Vlan3
L 77.245.x.x/32 is directly connected, Vlan3
213.121.x.0/32 is subnetted, 1 subnets
S 213.121.x.x is directly connected, Vlan3
I read some of the posts here which lead to NATing issue but I'not sure of my next step. Should I translate my public address to private and route it to the loopback address? (only guessing)
CISCO VPN site to site
Site-to-Site VPN between two ASA 5505s only working in one direction
Hope someone could help. Thanks in advance!
