SA520w routing through site-to-site VPN tunnels

I have several offices connected using site-to-site VPN tunnels, and all of them use the SA520W (firmware 2.1.18). I currently have 3 routers in place, with tunnels created from router A to routers B and C. I need assistance with the configuration to allow the guests at site B to reach site C. I have attempted to add a static route, but get "destination host unreachable" when trying to ping. Also, if I connect to the site A router via the Cisco VPN client, I'm not able to reach resources on either site B or C.

Site A -

Site B -

Site C -

Any help is greatly appreciated.

So, is this what you have configured?



                RTR_A
    ____________||____________
   ||                        ||
 RTR_B                     RTR_C

Since there is no tunnel between B and C, there is no way to pass that traffic through RTR_A, for two reasons. The most important one is that the RTR_C subnet is not allowed to pass through the IPsec tunnel (it is IPsec, right?) from RTR_A to RTR_B. You can't just add a route statement, because your addresses are not routable through that tunnel, which is why it fails.

Your only option is to create another tunnel between RTR_B and RTR_C. This may not be the ONLY option, but it should get you what you need.

I hope this helps.
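An added example (not from this thread or from Cisco) that models the check behind the answer above: each tunnel endpoint's crypto ACL is a list of (source, destination) selectors it will encrypt, and a flow only crosses a leg if the sender selects it and the peer's mirror ACL selects the reply. It also covers the point made further down in the ASA reply about the NAT-exempt ACL having to match the crypto ACL. Site names, subnets, the hub-and-spoke layout and all function names are constructed for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed example: hub A with spokes B and C. Subnets are assumptions;
# the thread does not show its addressing.
LAN = {"A": "10.1.0.0/24", "B": "10.2.0.0/24", "C": "10.3.0.0/24"}

# Crypto ACL at each tunnel endpoint: (source, destination) selectors the
# endpoint encrypts into that tunnel. As configured, only hub<->spoke pairs
# exist, which is the situation described in the thread.
TUNNELS = {
    ("B", "A"): [("10.2.0.0/24", "10.1.0.0/24")],
    ("A", "B"): [("10.1.0.0/24", "10.2.0.0/24")],
    ("C", "A"): [("10.3.0.0/24", "10.1.0.0/24")],
    ("A", "C"): [("10.1.0.0/24", "10.3.0.0/24")],
}

def matches(acl, src, dst):
    """True if some selector in acl covers the src -> dst pair."""
    s, d = ip_address(src), ip_address(dst)
    return any(s in ip_network(a) and d in ip_network(b) for a, b in acl)

def trace(path, src, dst, tunnels=TUNNELS):
    """Follow src -> dst along a site path such as ["B", "A", "C"].

    A leg passes only if the sender's crypto ACL selects the flow and the
    peer's mirror ACL selects the reply. Returns (reached, legs) with
    legs = [(from, to, passed), ...]; the first failing leg ends the trace.
    A static route alone cannot fix a failing leg: a packet no selector
    covers is forwarded as ordinary plaintext traffic, not into the tunnel.
    """
    legs = []
    for here, nxt in zip(path, path[1:]):
        ok = (matches(tunnels.get((here, nxt), []), src, dst)
              and matches(tunnels.get((nxt, here), []), dst, src))
        legs.append((here, nxt, ok))
        if not ok:
            return False, legs
    return True, legs

def with_transit(tunnels, hub, spokes):
    """Copy of tunnels where each spoke's hub tunnel also carries the other
    spokes' LANs, the selectors spoke-to-spoke traffic via the hub needs.
    The hub still needs a route for each spoke LAN pointing into the right
    tunnel and must be allowed to hairpin decrypted traffic back out."""
    out = {k: list(v) for k, v in tunnels.items()}
    for sp in spokes:
        for other in spokes:
            if other != sp:
                out[(sp, hub)].append((LAN[sp], LAN[other]))
                out[(hub, sp)].append((LAN[other], LAN[sp]))
    return out

def nat_exempt_gaps(crypto_acl, exempt_acl):
    """Selectors in the crypto ACL missing from the NAT-exempt ACL: those
    flows are translated before encryption and never match the tunnel."""
    return [sel for sel in crypto_acl if sel not in exempt_acl]
```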


Similar Questions

  • SBS 2008 at office 1, Server 2008 at office 2, need to share assets between them via a site-to-site VPN tunnel

    Hi all.

    I really need help on this one.

    Office 1 is running SBS 2008, office 2 is running Server 2008.

    Each office has its own FQDN: office 1 CompanyABC, office 2 A_B_C.

    Each office has its own internal IP address pool: office 1 and office 2.

    The site-to-site VPN tunnel between the two office routers (Netgear SRX5308 at office 1 and Netgear FVS318G at office 2) is established and working.

    Each office has its own DNS server, which also acts as a domain controller.

    How do I configure the 2 networks to see each other and be able to use assets on each network (files, printers)?

    Is it as simple as adding the other internal IP pool to each DNS server?

    Thanks in advance for your help.


    Your question is beyond the scope of this community.

    I suggest that you repost your question in the SBS forums.

    "Windows Small Business Server 2011 Essentials online help"

    TechNet Server forums.

    See you soon.

  • Using the same transform set on several site-to-site VPN tunnels

    Hi all. I have a rather strange situation with a site-to-site VPN tunnel.

    On one end I have a PIX 501 and on the other end an ASA 5505, with a tunnel set up between them.

    The problem is that from the PIX side I can't establish the tunnel, but when the traffic starts on the ASA side the tunnel establishes as usual.

    I checked the configurations on both ends, and the keys, passwords and mirrored ACLs all seem OK. The only thing that comes to my attention is that I have the same transform set used for 2 different tunnels on the PIX side.

    Can I use the same transform set on several tunnels, or should I set a different transform set for each tunnel? Could this be the source of the problem?

    On the PIX you use:

    crypto map set pfs group2

    But on the ASA you use:

    crypto map set pfs group1

  • Keep site-to-site VPN tunnel active for monitoring

    Hi all

    I have a configured site-to-site VPN tunnel that only comes up when traffic is generated from the remote peer. Is it possible to keep the tunnel active once it has been established?

    My requirement is to monitor the VPN for availability, so I need to ping one of the NATed IPs on the remote end, but it only comes up when traffic is generated from the peer end. Currently the default timers are configured on the SA.

    Help, please...

    Thank you


    group-policy TARGET_GP attributes

    vpn-idle-timeout none

  • Static routes through site-to-site tunnel


    I use a Cisco ASA 5505

    Here's a description of my topology.

    HQ =

    Customer X =

    Datacenter =

    Site-to-site tunnels:

    HQ ---> Datacenter

    Datacenter ---> Customer X

    I want the computers on the HQ subnet to be able to access the Customer X subnet.

    I tried to configure a static route to push all traffic destined for the Customer X subnet to the datacenter, but it failed.

    Does anyone know a solution for how I can route it all through the tunnel?

    I tried adding a static route on my ASA, but without success.

    You cannot just route the HQ traffic to the client site.

    You need to add the HQ and customer subnets to the crypto ACL between the datacenter and the customer, as well as between HQ and the datacenter.

    You also need to configure NAT exemption on the client side.

    Generally, the IPsec tunnel is configured with specific subnets, so you would need to include the additional subnet to be able to pass traffic from HQ to the client and vice versa.

  • Site-to-site VPN tunnel does not come up between 2 routers

    Dear all,

    I have 2 branch routers configured for site-to-site VPN, but the tunnel does not come up!

    I ran debug and enclose the output herewith for your kind review and recommendation. I also enclose the configs of the 2 branch routers.

    Any idea why the site-to-site VPN is not coming up?

    Kind regards


    You guessed it!

    It's because you have re-used the same crypto map for LAN-to-LAN and VPN-client traffic.

    This is from the DOC CD:


    (Optional) Use this keyword if router-to-router IP Security (IPsec) is on the same crypto map as a virtual private network (VPN)-client-to-Cisco-IOS IPsec. This keyword prevents the router from prompting the peer for extended authentication (Xauth) information (username and password).

  • Unable to pass traffic over ASA site-to-site VPN tunnel


    I have problems passing traffic between two ASA firewalls. The VPN tunnel is up between a dynamic IP and a static IP address. I have attached a diagram of the VPN connection. I'm not sure where the problem lies and what to check next. I think I have all the routes and access-list entries that are needed.

    I've also attached the ASA 5505 config and the ASA 5510 config.

    This is the first time that I've set up a VPN connection, so any guidance would be greatly appreciated.

    Thank you



    Regarding your Remote Site ASA configuration: you have not added the internal networks of the Central Site to the L2L VPN configuration at all, so the traffic does not pass through the VPN.

    access-list outside_1_cryptomap extended permit ip 255.255.*.*
    access-list exempt extended permit ip 255.255.*.*
    access-list exempt extended permit ip 255.255.*.*
    access-list exempt extended permit ip 255.255.*.*
    access-list exempt extended permit ip 255.255.*.*
    access-list exempt extended permit ip 255.255.*.*

    Take a look at the ACL configurations above. The 'exempt' ACL is used in the NAT0 configuration and tells the ASA which traffic to exempt from NAT. The 'outside_1_cryptomap' ACL tells the ASA which traffic between the subnets should use the L2L VPN connection.

    So in short, on the Remote Site ASA these ACLs should be identical. Make the additions to the L2L VPN ACL, then try again.

    I would also like to point out that you should ensure the Central Site ASA's L2L VPN ACL contains the same networks. The ACL on the Central Site will, of course, have its internal subnets as the source and the Remote Site LAN as the destination.

    The output of 'show crypto ipsec sa' shows you that only the SA between the Central Site network and the Remote Site LAN was established. The others have not formed, as the configuration is lacking at LEAST on the Remote Site ASA. It can also be the Central Site.


  • ASA 5505 and ASA 5510 site-to-site VPN tunnel cannot be established

    Hi all experts

    We are now planning to form an IPsec site-to-site VPN tunnel between an ASA 5505 (ASA version 8.4) and an ASA 5510 (ASA version 8.0), but it failed. Could you please show me how to establish it? Is there a reference guide?

    I got syslog errors 713902 and 713903; how do I fix them?

    I got the following when I typed "sh crypto isakmp sa":

    Type: user  Role: initiator

    Rekey: no  State: MM_WAIT_MSG2



    This state is reached when the phase 1 policies do not match on the two ends.

    Please confirm that you have the same phase 1 settings on both sides with the following commands:

    show run crypto isakmp

    show run crypto ikev1

    Also make sure that UDP ports 500 and 4500 are open for communication between your device and the remote peer.

    Finally, make sure you have a suitable route to the remote VPN endpoint device.

    Hope that helps.

    Kind regards

    Dinesh Moudgil

  • Site-to-site VPN tunnel between two ASAs

    I used the Site-to-Site Wizard in ASDM on an ASA 5520 and an ASA 5505. Both are running 8.4(5). When creating the configurations, do you follow up the wizard configuration with manual ACLs to allow the traffic of every connected subnet to talk to each other? Or are they automatically generated in the configuration file? I have not been to school yet to understand how to create the VPN tunnels in the CLI and what to look for.

    Thank you



    First, I would like to say that I don't personally use ASDM for configuration.

    But you should be able to configure all the necessary elements for a basic L2L VPN connection through the wizard.

    I guess that typical problems could relate to missing NAT exempt configuration, or to not choosing the "Bypass Interface Access List" setting, which would mean you would have to allow traffic from the remote site in the 'outside' ACL of the local ASA interface, like all other traffic coming from behind the 'outside' interface.

    If you share the CLI format configurations and say which networks must be able to connect via the L2L VPN, then I could give the required configurations in CLI format.


  • Disconnecting from site-to-site VPN tunnel

    Dear Cisco

    I use Cisco ASA 5505s to build site-to-site VPNs.

    Sites B, C, D and E all have a site-to-site VPN to site A, with an IPsec IKEv2-only configuration.

    Reading site A in ASDM Monitoring > VPN, I can always see all four sites connected. But I found that sites D and E reset their connection periodically, every few hours.

    (1) I would like to know whether the connection resetting periodically is normal or not?

    (2) Is there any setup or configuration that can refine the site-to-site VPN and make the VPN tunnel more stable?

    (3) Is there any method to monitor whether the site-to-site VPN is healthy or not?

    Thank you very much for your help


    A. In general, the lifetime is set to 86400 seconds for expiration. It can also be defined by the amount of traffic.

    B. Yes. Try turning on IKE keepalive.

    C. Checking the logs is the only way I know of.

    This is a good doc on VPN

  • Site-to-site VPN tunnel - cannot ping the peer firewall's second interface, inside2

    I have two ASA 5505 firewalls, each with a base license: FWa and FWb. Currently there is a working VPN tunnel between them. I added a second (inside2) interface to firewall FWb, but I can't ping it from firewall FWa, whereas I can ping the inside interface of FWb.

    I can ping the FWb inside interface from the FWa inside interface, but I cannot ping the FWb inside2 interface from FWa. I cannot ping the gateway host from FWa either.

    I show the essential configuration of the two firewalls, as well as the debug icmp output on the two firewalls when I ping the inside and inside2 interfaces of FWb from FWa.

    Here is a skeleton of the FWa configuration:

    name inside-network
    name HprCnc Thesys
    name ring52-network
    name ring53-network
    name S.S.S.S outside-interface

    interface Vlan1
     nameif inside
     security-level 100
    interface Vlan2
     description Connection to VLAN 777 to work around static Comcast external modem and IP address.
     nameif outside
     security-level 0
     ip address outside-interface

    object-group network DM_INLINE_NETWORK_5
     network-object HprCnc Thesys
     network-object ring52-network
     network-object ring53-network

    object-group network DM_INLINE_NETWORK_3
     network-object ring52-network
     network-object HprCnc Thesys
     network-object ring53-network

    access-list Outside_5_cryptomap extended permit ip host outside-interface object-group DM_INLINE_NETWORK_3
    access-list inside_nat_outbound extended permit ip inside-network object-group DM_INLINE_NETWORK_5
    access-list Outside_nat0_outbound extended permit ip host aus_asx_uat

    nat (inside) 0 access-list sheep
    nat (inside) 101 access-list inside_nat_outbound
    nat (inside) 101
    nat (outside) 0 access-list Outside_nat0_outbound

    crypto map VPN 5 match address Outside_5_cryptomap
    crypto map VPN 5 set pfs group1
    crypto map VPN 5 set peer D.D.D.D
    crypto map VPN 5 set transform-set VPN
    tunnel-group D.D.D.D type ipsec-l2l
    tunnel-group D.D.D.D ipsec-attributes
     pre-shared-key *



    name ring52-network
    name ring53-network
    name ring51-network
    name ring54-network

    interface Vlan1
     nameif inside
     security-level 100
    interface Vlan2
     nameif outside
     security-level 0
     ip address D.D.D.D
    interface Vlan52
     no forward interface Vlan1
     nameif inside2
     security-level 100

    object-group network DM_INLINE_NETWORK_3
     network-object ring52-network
     network-object ring53-network

    object-group network DM_INLINE_NETWORK_2
     network-object ring52-network
     network-object ring53-network

    access-list inside_nat0_outbound extended permit ip host S.S.S.S
    access-list inside2_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_3 host S.S.S.S

    access-list outside_1_cryptomap extended permit ip object-group DM_INLINE_NETWORK_2 host S.S.S.S

    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1
    nat (inside2) 0 access-list inside2_nat0_outbound
    nat (inside2) 1

    route inside2 ring51-network 1
    route inside2 ring53-network 1
    route inside2 ring54-network 1

    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set pfs group1
    crypto map outside_map 1 set peer S.S.S.S
    crypto map outside_map 1 set transform-set ESP-3DES-SHA
    crypto map outside_map interface outside

    tunnel-group S.S.S.S type ipsec-l2l
    tunnel-group S.S.S.S ipsec-attributes
     pre-shared-key *

    I turned on icmp trace debugging on both firewalls and could see the traffic arriving at the inside2 interface, but it never returns to FWa.

    Successful ping from FWa to the inside interface on FWb

    FWa# ping
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to , timeout is 2 seconds:
    ICMP echo request from outside-interface to  ID=32068 seq=23510 len=72
    !ICMP echo reply from  to outside-interface ID=32068 seq=23510 len=72

    FWb#
    ICMP echo request from S.S.S.S to  ID=32068 seq=23510 len=72
    ICMP echo reply from  to S.S.S.S ID=32068 seq=23510 len=72

    Successful ping from FWa to a host connected to the inside interface on FWb

    FWa# ping
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to , timeout is 2 seconds:
    ICMP echo request from outside-interface to  ID=50862 seq=18608 len=72
    !ICMP echo reply from  to outside-interface ID=50862 seq=18608 len=72

    FWb#
    ICMP echo request from outside:S.S.S.S to inside: ID=50862 seq=18608 len=72
    ICMP echo reply from inside: to outside:S.S.S.S ID=50862 seq=18608 len=72

    Unsuccessful ping from FWa to the inside2 interface on FWb

    FWa# ping
    Sending 5, 100-byte ICMP Echos to , timeout is 2 seconds:
    ICMP echo request from outside-interface to  ID=19752 seq=63173 len=72
    ?ICMP echo request from outside-interface to  ID=19752 seq=63173 len=72

    FWb#
    ICMP echo request from S.S.S.S to  ID=19752 seq=63173 len=72
    ICMP echo request from S.S.S.S to  ID=19752 seq=63173 len=72

    Unsuccessful ping from FWa to a host connected to the inside2 interface on FWb

    FWa# ping
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to , timeout is 2 seconds:
    ICMP echo request from outside-interface to  ID=11842 seq=15799 len=72

    FWb#
    ICMP echo request from outside:S.S.S.S to inside2: ID=11842 seq=15799 len=72
    ICMP echo request from outside:S.S.S.S to inside2: ID=11842 seq=15799 len=72


    Thank you

    Hi odelaporte2,

    Very probably the "management-access" command is not applied to the second inside interface, only to the primary inside (check "show run management-access" to confirm).

    This command can be applied to only one interface at a time; for example, if it is currently applied to inside, it cannot be applied to inside2 at the same time.

    Hope it helps.


  • Keepalive in site-to-site VPN tunnel

    I was asked a question by a colleague today: is there any way that a keepalive can be configured so that site-to-site tunnels would remain up, versus having to have interesting traffic to trigger the ISAKMP negotiations that bring up the tunnel on the ASA?

    The configuration is a PIX running version 6.3.3 on one end, and the other end is an ASA running 8.3.1 code.

    Is there a function which would keep the tunnel up?

    Thank you


    Phase 2 is defined using the crypto map, as follows:

    crypto map xxx 1 set security-association lifetime seconds xxxxxx

  • Internet traffic through an RA IPsec VPN tunnel

    With an ASA 5505 Security Plus, I configured an IPsec RA VPN; the VPN IP address pool is in the network .

    The LAN is , with the inside interface at a.254.

    The VPN works great. What I would like to do is route all internet traffic through the firewall when users are connected to the VPN. I set the tunnel default gateway, but I'm having no luck getting it to work.

    Any ideas?

    Thanks in advance!

    You just want to route internet traffic from the remote VPN client to the ASA and back out to the Internet?

    If the above statement is correct, you need not configure the tunnel default gateway.

    But you need to configure NAT for the IP pool so they can go to the internet, as well as the 'same-security-traffic' command, as follows:

    nat (outside) 1

    same-security-traffic permit intra-interface

    In addition, this assumes that you do not have split tunneling configured.

  • NAT and site-to-site VPN

    Hi all

    We currently have a PIX in our local network. There is a site-to-site VPN tunnel between this PIX and another network abroad.

    We have several networks in our local network.

    The VPN tunnel is for a single network: /24.

    And the network of the other site is: /21

    Part of the configuration:

    access-list inside_nat0_outbound permit ip

    nat (inside) 0 access-list inside_nat0_outbound

    As I said before, we have several networks.

    In particular, we also have .

    And we would like this network to be able to use the VPN tunnel as well.

    But the other site does not want to carry another network of ours in their LAN.

    They suggest we NAT the /24 to an IP address on the /24, so that users in the other /24 network can also use the VPN tunnel.

    Do you know if it is possible to do this with my PIX? And how?

    It's a PIX 515 DMZ, v6.3(5).

    Any help would be appreciated!

    Thank you

    Good point. You should be good then.

  • Only one network statement for the site-to-site VPN remote network?


    I wonder, in the case of site-to-site VPN, whether we can define only a single network statement for the branch office peer network?

    If there is a local network at the peer site, then how do we define those for the peer's local subnet?

    Can anyone answer my question?

    Thank you.

    If I understand your question, you are wondering how to add a different subnet to an existing site-to-site VPN tunnel?

    If that is correct, you can add this network to the crypto ACL of the tunnel at each site.  But you have to tear down and rebuild the tunnel before it takes effect.

    Once you have added the required configuration, run the following commands to bring down the tunnel.  Do not forget that this disconnects all users on the VPN, so it is best to let users know when you are going to do it, so that they are not connected at that time.

    clear crypto isakmp sa

    clear crypto ipsec sa
