02-28-2013 07:02 PM - edited 03-11-2019 06:07 PM
Hi Guys,
Good day!
Need your kind assistance in configuring the ASA. Currently users can connect using the VPN client. Users can access our local servers. The problem is that VPN users cannot connect to servers that are located on our other site, which is connected via a site-to-site VPN. Do I need to configure static routes so the ASA knows how to route remote VPN users to our other site?
Thank you in advance. I have attached a diagram for reference.
02-28-2013 07:14 PM
Ron
There is not enough information here for us to be sure. But my first guess at your problem is that by default an ASA will not forward traffic back out the interface on which it arrived. So if your VPN user traffic comes in the interface named outside, then it will not forward that traffic back out interface outside. But that is probably where your site-to-site traffic goes. The way to solve this is to use the command that permits same-security traffic intra-interface.
HTH
Rick
02-28-2013 07:30 PM
Hi Sir Richard,
Thank you for the information. I got your point, thanks a lot! Please let me know the details on how to configure this. I have been researching this for a week now & I was able to read a topic on "VPN hairpinning". Is this the same concept? But the topic is very hard for me since I only have basic knowledge of the Cisco ASA.
Is there a way to do this on ASDM?
Thank you very much Sir..
02-28-2013 07:41 PM
Hi Ron,
I agree with Richard, just wanted to add that you should also ensure the client's IP subnet is permitted through the site-to-site tunnel.
02-28-2013 08:37 PM
Hi Sir,
Thank you for the information. I have already coordinated with the other site to allow the client's IP subnet. Do you have an idea of what specific commands I need to configure? Thank you.
03-01-2013 10:17 AM
Ron
The command that you need is
same-security-traffic permit intra-interface
you might also want to use
same-security-traffic permit inter-interface
For more information you might try this link
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/intparam.html#wp1039276
HTH
Rick
03-06-2013 12:38 AM
Hi Sir,
Thank you for the information. I have checked the command & followed the guide at the link below.
Step 1: Add the Subnet of the Remote Site to the "Split Tunnel" for the remote VPN -done
Step 2: Turn On Hair Pinning -done
Step 3: Add the "Remote VPN Network" to the EXISTING site to site VPN on the Main Site. -done
(REMOTE SITE)
Step 4: Add a NAT Exemption on the Remote Site ASA
Step 5: Add the Remote VPN Pool to the EXISTING Site to Site VPN Access List
Details are at this link: http://www.petenetlive.com/KB/Article/0000040.htm
How can I check if my counterpart has already done steps 4 & 5? Can it be seen in the Cisco ASA packet tracer? Please see the result.
Again thank you sir for your support.
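The five steps above, together with the same-security-traffic command Rick gave earlier, are shown below as one worked ASA configuration. This is an added example, not part of the original thread, the attached diagram or the linked guide. It assumes ASA 8.4(2) or later NAT syntax (pre-8.3 uses a `nat 0 access-list` exemption instead), and the interface names, object names and address ranges (main LAN 10.1.0.0/16, remote LAN 10.2.0.0/16, client pool 192.168.100.0/24, group policy RA-VPN-GP, peer address 203.0.113.2) are placeholders chosen for illustration. The crypto-map ACL names are likewise assumed; use whatever ACL your existing `crypto map ... match address` statement already points at.

```cisco
! ===== MAIN SITE ASA (where the remote-access clients terminate) =====
! Assumed names/addresses; adjust to your own topology.

! Step 2: hairpinning. Client traffic arrives on "outside" and must leave
! through the site-to-site tunnel on the same "outside" interface.
same-security-traffic permit intra-interface

object network MAIN-LAN
 subnet 10.1.0.0 255.255.0.0
object network REMOTE-SITE-LAN
 subnet 10.2.0.0 255.255.0.0
object network RA-VPN-POOL
 subnet 192.168.100.0 255.255.255.0

! Step 1: split tunnel must include the remote site's LAN, or the client
! never sends that traffic into the tunnel at all.
access-list SPLIT-TUNNEL standard permit 10.1.0.0 255.255.0.0
access-list SPLIT-TUNNEL standard permit 10.2.0.0 255.255.0.0
group-policy RA-VPN-GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL

! Step 3: the existing site-to-site crypto ACL gains a second line so the
! client pool is a valid proxy identity for the L2L tunnel.
access-list L2L-TO-REMOTE extended permit ip object MAIN-LAN object REMOTE-SITE-LAN
access-list L2L-TO-REMOTE extended permit ip object RA-VPN-POOL object REMOTE-SITE-LAN

! Identity NAT for the hairpinned flow (outside -> outside) so the pool
! address is not translated before it is matched against the crypto ACL.
nat (outside,outside) source static RA-VPN-POOL RA-VPN-POOL destination static REMOTE-SITE-LAN REMOTE-SITE-LAN no-proxy-arp route-lookup

! ===== REMOTE SITE ASA =====
object network MAIN-LAN
 subnet 10.1.0.0 255.255.0.0
object network REMOTE-SITE-LAN
 subnet 10.2.0.0 255.255.0.0
object network RA-VPN-POOL
 subnet 192.168.100.0 255.255.255.0

! Step 5: mirror image of the main site's crypto ACL.
access-list L2L-TO-MAIN extended permit ip object REMOTE-SITE-LAN object MAIN-LAN
access-list L2L-TO-MAIN extended permit ip object REMOTE-SITE-LAN object RA-VPN-POOL

! Step 4: NAT exemption so replies to the client pool are not PATed to the
! remote site's public address (which would not match the tunnel).
nat (inside,outside) source static REMOTE-SITE-LAN REMOTE-SITE-LAN destination static RA-VPN-POOL RA-VPN-POOL no-proxy-arp route-lookup

! ===== VERIFICATION (run on the main site ASA) =====
! Simulate a client (pool address) reaching a remote web server; every phase
! should show ALLOW and the final action should be "allow" with the egress
! interface "outside".
packet-tracer input outside tcp 192.168.100.10 12345 10.2.0.50 80 detailed

! Checking whether the far side did steps 4 & 5: look at the SA whose local
! ident is the client pool. If #pkts encaps grows while #pkts decaps stays 0,
! traffic is leaving your ASA but the remote side is not returning it.
show crypto ipsec sa peer 203.0.113.2
```

Two things the step list leaves implicit. First, the crypto ACLs must be exact mirrors; a pool entry on one side without the matching entry on the other yields a proxy-identity mismatch and the IKE negotiation for that flow fails. Second, `same-security-traffic permit intra-interface` opens hairpinning for every remote-access user, so if only some users should reach the remote site, restrict them with a `vpn-filter` ACL applied in the group policy rather than relying on the remote site to filter.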
03-07-2013 11:10 PM
Hi Sir Burts ,
Today I can now telnet to the site on port 80, & the packet trace is successful from the ASA.
But I still cannot access the site. Ping also fails. Does it mean that the problem is with the remote site?
Thank you..
03-08-2013 03:00 PM
Ron
I am not clear whether you are saying that these are issues when you are in a VPN session or are these problems in general. Clarification would be appreciated.
HTH
Rick
03-11-2013 03:02 AM
Hi Sir Burts / Guys,
I am now able to access the site. Thank you very much for the help.
The problem is now that I can access it using the VPN client but cannot access it on SSL web VPN. Any ideas?
I think I need to create another discussion for this topic.
Thank you.
03-11-2013 05:24 AM
Ron
My first guess would be to ask if the address used as the source address for access when using ssl-web is different from the address assigned to clients for access. Assuming that they are different I would then guess that the access rules that allow client access do not permit access for the address used by ssl-web.
Perhaps a new discussion for this question would be appropriate.
HTH
Rick
03-11-2013 08:14 PM
Hi Sir Burts,
I have already checked the IP address & the pool is the same as with the VPN client. Please let me know if you have ideas on how to troubleshoot this issue. Again, thank you.
Please see link for the new discussion.