What did I miss? Cross-zone/vpn traffic

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

What did I miss? Cross-zone/vpn traffic

L3 Networker

New PA200 installed and working on getting it setup. Aside from a 2wk demo, I have little experience with PAN.

I've got a Site-To-Site VPN configured to an ASA5505 at another of our offices.

I have one zone setup for a Wifi network. (Called Wifi) IP space behind that zone is 172.168.1.0/24. Interface 1/3 is configured with the IP 172.168.1.1 PAN is providing DHCP for this network.

Client behind this network has a DHCP address of 172.168.1.10 with a subnet mask of 255.255.255.0

On the other side of tunnel.1 (this interface is tagged as the Remote zone) is the IP space 10.5.0.0/16. Client behind that firewall has IP 10.5.1.25/255.255.0.0.

I have Security Policies configured to allow traffic between the zones.

However, pinging between the clients routes through the wrong rule (Default rule allowing outside access) instead of the Wifi-to-Remote or Remote-To-Wifi rules (depending on which side I'm pinging from)

I can ping from the CLI of the PAN to any client in the Remote zone.

And I can ping from any client in the Remote zone to the 172.168.1.1 address of the PAN.

Since it wasn't working with the zones defined, I changed the Source/Destination of the rules to the specific IP ranges of the zones in the security rules.

Wifi-To-Remote:

Source: 172.168.1.0/24

Destination: 10.5.0.0/16

Remote-To-Wifi:

Source: 10.5.0.0/16

Destination: 172.168.1.0/24

(I've also tried putting in the range directly, 172.168.1.1-172.168.1.254, with the same result)

Now in the Monitor->Traffic tab, the Wifi-Client to Remote-Client (and vice versa) ping shows up in the correct rule, but the ping still doesn't complete (Request Timed Out)

I'm sure there's something relatively simple that I've missed, could someone point it out for me?

18 REPLIES 18

Set it /24 local and /16 remote. Reversed on the ASA.

I've got a ticket filed with support. Thanks for your help!

I'll post back up if I can find something specific to point to.

Worked with support for several hours yesterday.

Found that I'd left a PBF that was preventing local from following the rest of the rules I'd set in place. Doh!

Now I'm pinging from local to remote, but not from remote to local.

We're staring at config files on the ASA to see what we missed.

You must have a little different routing setup then what I have dealt with. We did not need any PBF rules for our site to site VPN setup, and from all of the documentation that I have looked at, it never shows any PBF rules required to make it function. I did find that there were static routes needed on the ASA in the document that I linked to, but nothing more than that. Hopefully TAC will be able to discover what is missing. Sorry I could not help more!

The inherent vice of capitalism is the unequal sharing of blessings; the inherent virtue of socialism is the equal sharing of miseries.

PBF was part of my earlier attempts to get out-bound traffic working. Wasn't needed then, simply forgot to remove it.

Static routes are in place on the ASA. Matching the range behind the PAN.

At this point, I can see traffic in the log on the PAN as approved for passage, yet the ping does not complete.

I have my boss looking at the configs on the ASA to ensure they're properly configured.

  • 8310 Views
  • 18 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!