11-20-2015 08:04 PM - edited 03-11-2019 11:55 PM
Hello and hopefully someone here can help as I am not an expert in Cisco.
I am having an issue with traffic thru a site to site tunnel. It appears that not all traffic is being allowed into the ASA 5505 from the ASA 5510.
Configuration:
HQ = ASA 5510 (172.16.0.0/16)
Remote Office = ASA 5505 (192.168.8.0/24)
Problem:
We use TeamViewer from our HQ to support our remote PCs. It appears we cannot access the remote site PCs using it. When doing a packet trace I see the packets hit the 5505 at the remote site and that's it, nothing else. No denies, etc. I am at a loss as to what is happening. If we use the actual TeamViewer ID it works just fine, as this forces the communication to go to the outside world and then back in on the 5505. If we use the computer name, which resolves to a 192.168.8.0/24 address, the traffic stays inside and doesn't work. I've looked and looked and cannot see what could be causing it. 5938 is open on the 5505. I will post the 5505 configuration here. The 5510 configuration is quite lengthy and the 5505 pretty small. All functions from the remote PCs work just fine (file access, domain, NetBIOS, etc.). Ping works from the 5510 to the 5505 and can ping through to any remote PC off the 5505.
Also, from the remote 5505, logged into the CLI, I cannot ping back into the 172.16.0.0/16 network or access any PCs on that network. I'm sure there is something pretty simple wrong here but I simply am not seeing it.
Thanks,
Joe
11-22-2015 03:12 AM
Hi,
Can you post the related configuration from the ASA 5510?
Also, the output of the tracer? So, as per you, the only thing which does not work is the remote access to the remote PCs? Is that correct? Everything else works?
Also, have you tried to capture traffic on the egress interfaces of the 5505 to see if the traffic is even reaching the other end or not?
Capture:-
https://supportforums.cisco.com/document/6971/packet-capture-asapix-fwsm
Thanks and Regards,
Vibhor Amrodia
11-22-2015 08:31 AM
Vibhor
I would post the 5510's config but I need to heavily sanitize it first. There is a lot of public information in it that I'd prefer not to make openly available. I will do that and post it, or is there a way I can get you a private copy of it?
Thanks,
Joe
11-28-2015 08:59 AM
Hi Joe,
Could you please try adding the port for TCP '5938' under your object group 'object-group service internetTCP tcp'?
I am not sure if sysopt for VPN is enabled on the ASAs or not. Try adding it to both ASAs if you have a similar kind of ACL on both.
Regards,
Akshay Rastogi
11-23-2015 06:29 AM
11-23-2015 07:31 AM
11-23-2015 08:16 AM