Site to Site-Connect to Attached Network



  • I am attempting to set up a peer-to-peer shared-key VPN between my main office network and an offsite.  I have it working where I can access all the networks that the main pfSense server is handling directly.

    My problem is I have a couple of networks that are attached to the main network via interface VLANs, and added gateways in pfSense.  For example, I have a network 10.0.50.0/24 connected to opt1, and that interface has a static IP of 10.0.50.2/24.  Then I added a gateway to the actual Cisco ASA IP of 10.0.50.1, so when I am sitting on my main network, I can access any device on the 10.0.50.0/24 network no problem.

    But, on my offsite VPN, I can only access the pfSense opt1 interface IP, 10.0.50.2; I cannot ping anything past it.  Although, if I do a ping from the offsite pfSense diag using the OpenVPN interface, I can ping anything successfully...  What am I missing?



  • If I understand correctly, you need to make sure the Cisco ASA has a route to your remote site subnet via 10.0.50.2.

    Assuming that the ASA is the default gateway for that network.



  • Exactly, you need to make sure that your offsite network has a route back to your main network. Also you need to make sure that firewall rules allow the traffic from both networks offsite, and you need to make sure that your ASA access-list allows the traffic as well.



  • Yes, the ASA is the gateway for the other network.  I can currently access anything on that network from my main network, without the need to add a route on the ASA network.  Would that still be needed even though the main pfSense knows how to reach it?  I only want to be able to access it; the ASA network does not need to be able to get back to the pfSense networks.



  • Your packets will never be able to make it back to you if you don't add a route. You may be able to ping the directly connected interface, but if you try to ping the non-connected interface then it won't work.

    1. You could run a dynamic routing protocol on the ASA and pfSense like OSPF or RIP, or

    2. NAT your connection from the ASA network; that way all your traffic would look like it was coming from an IP on the ASA network.

    The thing to remember is a router will not automatically return a packet to the interface that it received the packet on. The router will look at its routing table to determine which interface to use to transmit a packet.



  • Is this close to being correct? If not can you draw it out?

    If this is close, your ASA needs to know how to send packets back to 192.168.0.1.

    So a route on the ASA for 192.168.0.1 with next hop 10.0.50.2 should be what you need.

         ASA                                      PFsense                                     Remote Network
    
    +---------------------+                   +--------------------+      OpenVPN       +-------------------------+
    |                     |                   |                    |                    |                         |
    |    10.0.50.1/24     +-------------------+10.0.50.2           +--------------------+   192.168.0.1           |
    |                     |                   |                    |                    |                         |
    +-------+-------------+                   +--------------------+                    +-------------------------+
            |
            |
            |
            |
            |
            |
            |
            |
            |
            |
      +-----+--------+
      |              |
      |              |
      | 10.0.50.3    |
      |              |
      |              |
      |              |
      +--------------+
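As an added illustration (not code from any poster in this thread), the Python below models the ASA's route lookup for the reply to 192.168.0.1, with and without the static route the replies above recommend; the routing tables, the interface names and the 203.0.113.1 ISP gateway are constructed assumptions. On the ASA itself that route would be entered as `route inside 192.168.0.0 255.255.255.0 10.0.50.2` (the "inside" interface name is assumed).

```python
import ipaddress

# Constructed routing table for the ASA in this thread (not copied from a device).
# Entries are (destination network, next hop or "connected", egress interface);
# 203.0.113.1 / "outside" is a placeholder ISP default gateway.
ASA_ROUTES_BEFORE = [
    ("10.0.50.0/24", "connected", "inside"),
    ("0.0.0.0/0", "203.0.113.1", "outside"),
]

# Same table after the static route recommended in the thread: the remote
# OpenVPN site 192.168.0.0/24 is reachable through the pfSense opt1 address.
ASA_ROUTES_AFTER = ASA_ROUTES_BEFORE + [
    ("192.168.0.0/24", "10.0.50.2", "inside"),
]


def lookup(routes, dst):
    """Longest-prefix match: the only thing a router consults when forwarding.

    Returns (next_hop, interface) for the most specific matching route, or
    None when nothing matches (the tables above always match via 0.0.0.0/0).
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for net, next_hop, iface in routes:
        network = ipaddress.ip_network(net)
        if addr in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, next_hop, iface)
    return None if best is None else (best[1], best[2])


def reply_next_hop(routes, remote_host):
    """Where the ASA sends its reply to a packet that arrived from remote_host.

    The interface the request came in on plays no part: a ping from
    192.168.0.1 enters via 10.0.50.2, but the echo reply is routed purely by
    looking up 192.168.0.1 in the table, so without the static route it
    leaves towards the ISP and the remote site never sees it.
    """
    return lookup(routes, remote_host)


if __name__ == "__main__":
    for label, table in (("without route", ASA_ROUTES_BEFORE), ("with route", ASA_ROUTES_AFTER)):
        print(label, "-> reply to 192.168.0.1 goes via", reply_next_hop(table, "192.168.0.1"))
```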