12-19-2012 05:55 AM
I have an ASA 5505 (v8.2) at a site we'll call HQ, and another ASA 5505 at a site we'll call Colo. The 2 sites are successfully connected via an IPSec Site to Site VPN. I also have remote users successfully connecting to site HQ via IPSec Remote Access VPN (using Cisco client).
My issue: I need to allow remote users connecting to HQ access to Colo through the existing Site to Site VPN.
Attached are my configs. What am I missing? Are my NAT statements incorrect? Access Lists ? As you can see, I've already done:
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
12-19-2012 07:38 AM
Your config looks good. Try adding the command below on HQ. Also post the logs from your HQ ASA.
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route
With Regards,
Safwan
12-19-2012 08:45 AM
Hi Safwan,
I tried that command on HQ, but still nothing. Any other thoughts? What is the best way to capture the logs for this issue?
12-19-2012 09:14 AM
Just run the logs. What I suspect is the issue is that there is no translation rule configured for the VPN pool on the outside interface to the outside interface, and hence traffic is dropping.
Just check the log having source as 10.10.11.x to your Colo network. If it says no translation found, try adding
static (outside,outside) 10.10.11.0 10.10.11.0 netmask 255.255.255.0
Logging may be enabled by
logging enable
logging level 7
and then try to generate traffic from your client towards Colo.
To stop, do:
un all
12-19-2012 10:00 AM
12-19-2012 10:21 AM
I see a mismatch in crypto acl:
On HQ:
access-list outside_1_cryptomap extended permit ip 10.10.10.0 255.255.255.0 Colospace_Network_172.16.16.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip Colospace_Network_172.16.16.0 255.255.255.0 10.10.11.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.10.11.0 255.255.255.0 Colospace_Network_172.16.16.0 255.255.255.0
There is no need for the second line
access-list outside_1_cryptomap extended permit ip Colospace_Network_172.16.16.0 255.255.255.0 10.10.11.0 255.255.255.0
as the Colospace network is remote, not local.
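An added check, not from the thread or either poster, that parses the HQ crypto ACL lines quoted above and reports (a) entries whose source is not an HQ-side network (the reversed line) and (b) HQ entries the Colo peer's crypto ACL does not mirror. The Colo ACL and the object-name lookup table are constructed assumptions, since the attached configs are not on the page.

```python
import ipaddress
import re

# Object names in the thread embed their network; this lookup table is an assumption of the example.
OBJECT_NAMES = {"Colospace_Network_172.16.16.0": "172.16.16.0"}

ACL_RE = re.compile(
    r"^access-list\s+\S+\s+extended\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def parse_crypto_acl(text):
    """Return [(src_net, dst_net), ...] from ASA 'access-list ... permit ip' lines."""
    entries = []
    for line in text.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            src, smask, dst, dmask = m.groups()
            entries.append((ipaddress.ip_network(f"{OBJECT_NAMES.get(src, src)}/{smask}"),
                            ipaddress.ip_network(f"{OBJECT_NAMES.get(dst, dst)}/{dmask}")))
    return entries

def fmt(pair):
    return f"{pair[0]} -> {pair[1]}"

def audit_crypto_acls(hq_text, colo_text, hq_local, colo_local):
    """'reversed': HQ entries whose src is not HQ-side or dst is not Colo-side.
    'missing_on_colo': the swapped src/dst lines the Colo peer still needs for valid HQ entries."""
    hq_nets = [ipaddress.ip_network(n) for n in hq_local]
    colo_nets = [ipaddress.ip_network(n) for n in colo_local]
    hq, colo = parse_crypto_acl(hq_text), set(parse_crypto_acl(colo_text))
    reversed_lines, missing = [], []
    for src, dst in hq:
        if not (any(src.subnet_of(n) for n in hq_nets) and any(dst.subnet_of(n) for n in colo_nets)):
            reversed_lines.append(fmt((src, dst)))
        elif (dst, src) not in colo:
            missing.append(fmt((dst, src)))
    return {"reversed": reversed_lines, "missing_on_colo": missing}

# HQ crypto ACL exactly as posted in the thread.
HQ_ACL = """
access-list outside_1_cryptomap extended permit ip 10.10.10.0 255.255.255.0 Colospace_Network_172.16.16.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip Colospace_Network_172.16.16.0 255.255.255.0 10.10.11.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.10.11.0 255.255.255.0 Colospace_Network_172.16.16.0 255.255.255.0
"""
# Constructed Colo ACL (assumption): mirrors the LAN pair but not the 10.10.11.0/24 VPN pool.
COLO_ACL = """
access-list outside_1_cryptomap extended permit ip 172.16.16.0 255.255.255.0 10.10.10.0 255.255.255.0
"""

REPORT = audit_crypto_acls(HQ_ACL, COLO_ACL, ["10.10.10.0/24", "10.10.11.0/24"], ["172.16.16.0/24"])

if __name__ == "__main__":
    for key, items in REPORT.items():
        print(key, items)
```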
12-19-2012 12:41 PM
Thanks for your help! I had to grapple with a split-dns issue but it's up and running. Thanks!
12-19-2012 10:25 AM
Clear the crypto tunnel using the commands below, because whatever change you are making is not applied until you re-initiate the tunnel.
clear crypto isakmp sa
clear crypto ipsec sa
Note: do it for both HQ and Colo.
With Regards,
Safwan
12-19-2012 12:41 PM
Got it, Thanks!