Cannot get my wan traffic over VPN tunnel

Discussion in 'Cisco' started by SteveB, Nov 1, 2007.

  1. SteveB

    SteveB

    Joined:
    Oct 3, 2006
    Messages:
    17
    I have a problem that is best described by viewing a diagram, which is located here.


    Basically, we have a working site-site vpn tunnel to a vendor that allows a few machines on our private WAN to access a vendor's ftp server on the other side of the tunnel. The tunnel itself works fine if I am connecting to the remote ftp host from a host on the same subnet as the inside interface on the ASA 5520. The ACLs for the vpn on both firewalls allow traffic from 192.168.3.0 and 150.1.1.237 to pass.

    On our WAN subnet, I have a machine at 150.1.1.237 that needs to connect to the vendor ftp server at the other side of the tunnel. On the router on that subnet, I added a route so that if 150.1.1.237 wants to get to 192.168.102.186, send the traffic to 192.168.100.1. The router at 192.168.100.1 has a route to 192.168.102.186 that sends it to 192.168.3.254. The problem is, the packet doesn't get there. If I do a traceroute from 150.1.1.237, the packet goes to the default gateway (150.1.1.1) and then to the fiber connected interface on the other subnet. It dies at 192.168.100.1.

    Am I missing something in the VPN configuration to allow the host at 150.1.1.237 to access the tunnel? Any host of 192.168.3.0 can connect fine but 150.1.1.237 cannot. I just wasn't sure if it was a vpn issue or a router issue.
    The ACL in the ASA looks like this:
    access-list WAV-CLINIC extended permit ip 192.168.3.0 255.255.255.0 host 192.168.102.186
    access-list WAV-CLINIC extended permit ip 192.168.3.0 255.255.255.0 host 192.168.102.189
    access-list WAV-CLINIC extended permit ip 192.168.3.0 255.255.255.0 host 192.168.102.190
    access-list WAV-CLINIC extended permit ip 150.1.1.0 255.255.255.0 host 192.168.102.186
    access-list WAV-CLINIC extended permit ip 150.1.1.0 255.255.255.0 host 192.168.102.189
    access-list WAV-CLINIC extended permit ip 150.1.1.0 255.255.255.0 host 192.168.102.190

    I also have an access list for Nat 0 that looks like this:
    access-list nonat extended permit ip 192.168.3.0 255.255.255.0 192.168.102.0 255.255.255.0
    access-list nonat extended permit ip 150.1.1.0 255.255.255.0 192.168.102.0 255.255.255.0


    The vendor has an ASA and they have mirrored my access lists. Again, I can get to the 192.168.102.186 host from the 192.168.3.0 network, but the host at 150.1.1.237 in the diagram cannot. The tracert dies at 192.168.100.1 even though I have a route in there (ip route 192.168.102.186 255.255.255.255 192.168.3.254). Everything else in our WAN works fine. People on 150 have always been able to browse the net and everything through the ASA. I just can't get that traffic destined for 192.168.102.186 to go out over the tunnel from that network. :(

    Any ideas on what I could be missing?
     
    Last edited: Nov 1, 2007
    SteveB, Nov 1, 2007
    #1
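As an added example (not part of SteveB's post or any Cisco tooling), the matcher below parses the WAV-CLINIC and nonat lines quoted above and reports whether a given source/destination pair is both "interesting traffic" for the crypto map and exempt from NAT, which is the first thing to separate from a plain routing problem. It assumes ASA first-match semantics, handles only `permit`/`deny ip` entries with `host`, `any` or network-plus-subnet-mask addresses, and the function names (`parse_acl`, `acl_matches`, `tunnel_eligible`) are mine.

```python
import ipaddress

# Crypto-map (interesting traffic) and NAT-exemption ACL lines as quoted in the thread.
CRYPTO_ACL = """
access-list WAV-CLINIC extended permit ip 192.168.3.0 255.255.255.0 host 192.168.102.186
access-list WAV-CLINIC extended permit ip 192.168.3.0 255.255.255.0 host 192.168.102.189
access-list WAV-CLINIC extended permit ip 192.168.3.0 255.255.255.0 host 192.168.102.190
access-list WAV-CLINIC extended permit ip 150.1.1.0 255.255.255.0 host 192.168.102.186
access-list WAV-CLINIC extended permit ip 150.1.1.0 255.255.255.0 host 192.168.102.189
access-list WAV-CLINIC extended permit ip 150.1.1.0 255.255.255.0 host 192.168.102.190
"""
NONAT_ACL = """
access-list nonat extended permit ip 192.168.3.0 255.255.255.0 192.168.102.0 255.255.255.0
access-list nonat extended permit ip 150.1.1.0 255.255.255.0 192.168.102.0 255.255.255.0
"""

def _parse_addr(tokens):
    """Consume one ASA address spec ('host A', 'any', or 'A MASK'); return (network, remaining tokens)."""
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    # ASA extended ACLs take a subnet mask (not an IOS wildcard) after the network address.
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_acl(text):
    """Parse 'access-list NAME extended permit|deny ip SRC DST' lines into (action, src, dst) tuples."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list" or tokens[2] != "extended":
            continue
        action, proto = tokens[3], tokens[4]
        if proto != "ip":  # assumption: only protocol-agnostic 'ip' entries are modelled here
            continue
        src, rest = _parse_addr(tokens[5:])
        dst, _ = _parse_addr(rest)
        entries.append((action, src, dst))
    return entries

def acl_matches(entries, src_ip, dst_ip):
    """First-match semantics: True if the first covering entry is a permit; False on deny or no match."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src, dst in entries:
        if s in src and d in dst:
            return action == "permit"
    return False  # implicit deny at the end of every ACL

def tunnel_eligible(src_ip, dst_ip):
    """A flow is sent down the tunnel only if it is interesting traffic AND exempt from NAT."""
    crypto, nonat = parse_acl(CRYPTO_ACL), parse_acl(NONAT_ACL)
    return acl_matches(crypto, src_ip, dst_ip) and acl_matches(nonat, src_ip, dst_ip)
```

Both ACLs cover 150.1.1.237 to 192.168.102.186 exactly as they cover the 192.168.3.0 hosts, so a mismatch between the two sides' ACLs can be ruled in or out before looking at the routers in the path.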
