I have a main site with an x.x.x.x address with an active DHCP; all are behind an ASA 5512-X.
I have a branch office with a y.y.y.y address with an active DHCP and 3 VLANs with ip-helper active.
I set up a site-to-site VPN with IKEv2 and a preshared key; all works fine.
On the main site I have set up a VPN with AnyConnect, but I cannot reach my branch office, so I googled a bit and I found this page:
and I set up the "hairpinning". All seems to work fine, but it's not true... the DHCP on the branch site is not working, and when a client tries to register, it seems to take the IP address but suddenly loses it and asks again for another IP, so this generates an infinite loop, and at the end my scope is full of "BAD ADDRESS".
For now the only drastic solution that I have taken is to disable the NAT created for the hairpinning on the branch office, and all is back to normal and the DHCP starts working again in the correct mode.
Could someone help me?
Sorry for the delay...
The configuration on both ASAs is a little dirty; there is more than one crypto map access list, but only one is used.
So I used the command sh crypto ipsec sa on both appliances. This is the main site:
Crypto map tag: outside_map0, seq num: 1, local addr: ========
access-list outside_cryptomap_2 extended permit ip 192.168.0.0 255.255.255.0 10.100.1.0 255.255.255.0
This is the branch site:
Crypto map tag: OUTSIDE_map, seq num: 1, local addr: ========
access-list OUTSIDE_cryptomap extended permit ip 10.100.1.0 255.255.255.0 192.168.0.0 255.255.255.0
It's the first time that I sanitize a configuration; I hope that I've done it in the right way.
I don't know if I have posted that on the branch site I have a DHCP with 3 VLANs and ip-helper active.
What I can see is that if I activate the NAT that enables hairpinning
nat (INSIDE,OUTSIDE) source static NETWORK_OBJ_10.100.1.0_24 NETWORK_OBJ_10.100.1.0_24 destination static nami_pool nami_pool inactive
the DHCP goes crazy.
Only one question: what is the side effect of disabling proxy ARP on the inside interface?
Please be patient... I'm not so confident with the ASA.
Sorry for the delay of the response, but the client is hard to convince about the maintenance window... :(
So I'm glad to communicate that your solution works like a charm.
Many, many thanks.