Could not access L2L site via Remote VPN

man3mar3n, Level 1

Hi,

I have configured a L2L to 2 different site, A-B, A-C

I also configured a remote VPN to site A. 

When I remote access to site A, I could access LAN on site A but not on Site B and C

How do I define NAT exemption for the other sites, B and C?

I attached some of the config.


7 Replies

Boris Uskov, Level 4

Hello!

I have looked through the configuration briefly, and I think you should add the following command:

same-security-traffic permit intra-interface

By default, traffic entering an interface is not allowed to exit through the same interface or through another interface with the same security level. To allow this behaviour, you should use the command "same-security-traffic ...".

In your case, the traffic from remote VPN enters the "outside" interface and, in order to reach other remote site, it has to exit from the same interface "outside".

For more information, see the following links:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa81/command/ref/refgd/s1.html#wp1383263

https://learningnetwork.cisco.com/thread/22344

NAT exceptions are defined correctly from my point of view. 

Hope this helps.

I did a packet tracer and got this

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group ACL-OUT2IN in interface outside
access-list ACL-OUT2IN extended permit ip any any
Additional Information:

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: CP-PUNT
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: VPN
Subtype: ipsec-tunnel-flow
Result: DROP
Config:
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

I'm afraid packet tracer is not suitable for verification of IPsec tunnels on ASA.

Have you added the command:

same-security-traffic permit intra-interface

?

I added the command same-security-traffic permit intra-interface

However, it is still not working.

Ok, try to add the keywords "no-proxy-arp" and "route-lookup" to all your NAT-exception statements.

For example:

nat (inside10,outside) source static OBJ-NET-INSIDE10 OBJ-NET-INSIDE10 destination static OBJ-NET-REMOTE192 OBJ-NET-REMOTE192 no-proxy-arp route-lookup
nat (inside20,outside) source static OBJ-NET-INSIDE20 OBJ-NET-INSIDE20 destination static OBJ-NET-REMOTE192 OBJ-NET-REMOTE192 no-proxy-arp route-lookup
nat (inside30,outside) source static OBJ-NET-INSIDE30 OBJ-NET-INSIDE30 destination static OBJ-NET-REMOTE192 OBJ-NET-REMOTE192 no-proxy-arp route-lookup
nat (inside40,outside) source static OBJ-NET-INSIDE40 OBJ-NET-INSIDE40 destination static OBJ-NET-REMOTE192 OBJ-NET-REMOTE192 no-proxy-arp route-lookup

Also, please confirm that the other sites (B and C) are configured correctly to encrypt traffic from their local subnet to the subnet 192.168.10.0 255.255.255.0.

Also, be aware that after the configuration changes you should reconnect the VPN client on the remote PC in order for the new configuration to take effect.
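The replies above cover three separate things that all have to line up before a remote-access client can reach a spoke through the hub: the intra-interface permit, a NAT exemption for the hairpinned flow, and crypto ACLs on both ends of each L2L tunnel that include the client pool. The following is an added example (not configuration from the original thread or from the poster's attachment) that puts them together in one place. It assumes 192.168.10.0/24 (the subnet named in the reply above) is the remote-access address pool, and uses made-up object names, LAN subnets (10.2.0.0/24 for site B, 10.3.0.0/24 for site C) and peer addresses; replace them with your own. Note that the NAT statements quoted in the reply pair an inside interface with outside, which exempts LAN-to-remote traffic; the remote-access flow both enters and leaves "outside", so its exemption needs the (outside,outside) pair. A packet-tracer result of DROP in the VPN/ipsec-tunnel-flow phase, like the one posted earlier, is what you see when the decrypted packet matches no crypto ACL.

```cisco
! Added example, not from the original thread. Hypothetical names and addresses:
!   OBJ-NET-VPNPOOL = 192.168.10.0/24  (assumed to be the remote-access pool)
!   site B LAN = 10.2.0.0/24, peer 203.0.113.2
!   site C LAN = 10.3.0.0/24, peer 203.0.113.3
!
! ===== Site A (hub ASA, 8.3+ NAT syntax as used in the thread) =====
object network OBJ-NET-VPNPOOL
 subnet 192.168.10.0 255.255.255.0
object network OBJ-NET-SITEB
 subnet 10.2.0.0 255.255.255.0
object network OBJ-NET-SITEC
 subnet 10.3.0.0 255.255.255.0
!
! 1. Let decrypted client traffic leave through the interface it arrived on.
same-security-traffic permit intra-interface
!
! 2. NAT exemption for the hairpinned flow. It enters AND exits "outside",
!    so the interface pair is (outside,outside), not (insideX,outside).
nat (outside,outside) source static OBJ-NET-VPNPOOL OBJ-NET-VPNPOOL destination static OBJ-NET-SITEB OBJ-NET-SITEB no-proxy-arp route-lookup
nat (outside,outside) source static OBJ-NET-VPNPOOL OBJ-NET-VPNPOOL destination static OBJ-NET-SITEC OBJ-NET-SITEC no-proxy-arp route-lookup
!
! 3. Each L2L crypto ACL (the one referenced by "match address" in the
!    existing crypto map entry for that peer) must also match pool -> remote LAN,
!    otherwise the decrypted packet finds no tunnel and is dropped in the
!    VPN / ipsec-tunnel-flow phase.
access-list ACL-L2L-SITEB extended permit ip object OBJ-NET-VPNPOOL object OBJ-NET-SITEB
access-list ACL-L2L-SITEC extended permit ip object OBJ-NET-VPNPOOL object OBJ-NET-SITEC
!
! 4. If the remote-access group policy uses split tunnelling, the spoke LANs must be
!    in the split list, or the client never sends them into the tunnel at all.
access-list ACL-SPLIT standard permit 10.2.0.0 255.255.255.0
access-list ACL-SPLIT standard permit 10.3.0.0 255.255.255.0
group-policy GP-REMOTE-ACCESS attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ACL-SPLIT
!
! ===== Site B (mirror image; site C is identical with its own subnet) =====
object network OBJ-NET-VPNPOOL
 subnet 192.168.10.0 255.255.255.0
object network OBJ-NET-LOCAL
 subnet 10.2.0.0 255.255.255.0
nat (inside,outside) source static OBJ-NET-LOCAL OBJ-NET-LOCAL destination static OBJ-NET-VPNPOOL OBJ-NET-VPNPOOL no-proxy-arp route-lookup
access-list ACL-L2L-SITEA extended permit ip object OBJ-NET-LOCAL object OBJ-NET-VPNPOOL
!
! ===== Verification on site A, after the client has reconnected =====
! show crypto ipsec sa peer 203.0.113.2
!   -> expect an SA pair whose local ident is 192.168.10.0/255.255.255.0
!      and remote ident is 10.2.0.0/255.255.255.0, with encaps/decaps counters rising
! show nat detail
!   -> the (outside,outside) exemption rule should show translate_hits for the test traffic
```

Both sides of every tunnel need the mirrored entries: a crypto ACL on site A that says "pool to site B" is useless unless site B's ACL says "site B LAN to pool", because the proxy IDs are negotiated in pairs. Keep the pool exemptions as identity NAT (the same object on both sides of "static") so the client addresses arrive at the spoke unchanged and its return traffic matches its own crypto ACL.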

It is now working. I did not add the command no-proxy-arp route-lookup.

However, I am not sure why it is now working.

I am deleting everything and reconfiguring it again ... I just need to know what it is that I am missing.
