cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
1358
Views
5
Helpful
7
Replies
Massimoriboli
Beginner

anyconnect access site-to-site VPN in branch office problem

Hi all,
i have a main site with a x.x.x.x address with an active dhcp, all are behind an ASA 5512-x.
I have a branch office with y.y.y.y address with an active dhcp and 3 vlan with ip-helper active.

I setup a site-to-site VPN with IKE2 and preshared, all works fine.
On the main site i have setup a VPN with anyconnect, but i cannot reach my branch office, so i goggled a bit and i fund this page:

http://www.petenetlive.com/KB/Article/0000040

and i setup the "hairpinning", all seems to work fine, but it's not true... the dhcp on branch site is not working and when i a client try to registrate, it's seems to take the ip address, but  suddenly lost it and ask again for another ip, so this generate a infinite loop, and at the end my scope is full of "BAD ADDRESS".
For now the only drastic solution that i have taken is to disable the nat created for the hairpinning on the branch office, an all are normalized and the dhcp start working again in the correct mode.
Someone could help me?

Best Regards
Massimo Riboli

1 ACCEPTED SOLUTION

Accepted Solutions

Hi Massimo,
Since your Inside interface is not used as egress for any NAT there shouldn't be any side effect on disabling proxy ARP on it. Disabling Proxy ARP
The NAT exempt shouldn't cause any conflict with the DHCP but I know from experience that proxy arp and a NAT (any,any) will.
HTH
Pablo

View solution in original post

7 REPLIES 7
Pablo
Cisco Employee

Hi Massimo,

Can you provide a sanitized copy of the configuration from the 2 sites?
__ __
Pablo

Hi Pablo,

sorry for the delay...

The configuration on both ASA are little dirty, there are more than one crypromap access list, but only one is used..

So i use the command sh crypto ipsec sa on both appliance, this is the main site:

interface: outside
    Crypto map tag: outside_map0, seq num: 1, local addr: ========

     access-list outside_cryptomap_2 extended permit ip 192.168.0.0 255.255.255.0 10.100.1.0 255.255.255.0

this  is the branch site:

interface: OUTSIDE
    Crypto map tag: OUTSIDE_map, seq num: 1, local addr: ========

access-list OUTSIDE_cryptomap extended permit ip 10.100.1.0 255.255.255.0 192.168.0.0 255.255.255.0

It's the first time that i sanitize a configuration, i hope that i've done it in the right way.

Best Regards

Massimo Riboli

Massimo,
Configuration wise the VPN looks in good shape. I don't see how the u-turning NAT exempt on the main office will affect the DHCP services on the branch.
One thing that might be causing some addressing conflicts is the (any,any) NAT entry defined on the branch office, this in conjunction with the proxy arp feature on the ASA are a really bad combination.
There are a couple of things that I'd like you to try:
a) Disable proxy arp on the Inside interface of the branch office with the command:
ASA(config)# sysopt noproxyarp Inside
b) Reconfigure the following NAT as follows:
object network videoconferenza
nat (INSIDE,OUTSIDE) static videoconf_public
Right after this, do a clear xlate, clear arp on the branch ASA and give it a new try.
HTH
Pablo

i don't know if  i have posted that in the branch site i  have a DHCP with 3 VLAN and ip-helper active.

what i can see if that i activate the NAT that enable hairpinning

nat (INSIDE,OUTSIDE) source static NETWORK_OBJ_10.100.1.0_24 NETWORK_OBJ_10.100.1.0_24 destination static nami_pool nami_pool inactive

the DHCP will be crazy.

Only one question, what is the side effect of disabling proxyarp on the inside interface ?

Please be patient.. i'm not so confident with ASA.

Best Regards

Massimo Riboli 

Hi Massimo,
Since your Inside interface is not used as egress for any NAT there shouldn't be any side effect on disabling proxy ARP on it. Disabling Proxy ARP
The NAT exempt shouldn't cause any conflict with the DHCP but I know from experience that proxy arp and a NAT (any,any) will.
HTH
Pablo

View solution in original post

thanks Pablo,

i will try soon when i have the next maintenance Windows.

I'll let you know if i have success.

Best Regards

Massimo Riboli

Hi Pablo,

sorry for the delay of the response, but the client is hard to convince about the maintenance Windows... :(

So i'm glad to communicate that you solution works like a charm.

Many, many thanks.

Best Regards

Massimo Riboli

Content for Community-Ad