Remote VPN Site To Site Connectivity

mjfraziervision
Level 1

Hello

I currently have an IPsec policy set up on an ASA 5510 successfully, and remote users connect and access internal resources at the main office.  I have a Site To Site VPN connection to a branch office 5505 on the same Outside interface as the remote VPN users.  The issue I am having is when a remote VPN user tries to access the shared drive in the branch office the TCP connection cannot be established.  I have seen this issue before with the ASA not being able to complete the TCP connection because the source and the destination are coming and going from the same interface.  I attempted to connect the Site To Site on a different ASA interface but receive the error that the subnet masks cannot be the same.  Any ideas would be appreciated.

1 Accepted Solution

Accepted Solutions

Adesh Gairola
Level 1

Date Created: 26-MAY-2011 10:53 PM
Created By: Gairola, Adesh (AGAIROLA, 314372)
____________RESOLUTION__SUMMARY_________________

*Scope: IPsec - L2L

*Symptoms: When traffic originates from the RA tunnel and the destination is the L2L tunnel network, we are getting the following logs

Deny TCP (no connection) from 10.10.17.16/50915 to 192.168.20.2/445 flags RST ACK on interface Trusted

*Resolution: Customer resolved the issue by adding a route on the router

Current Contact: [removed]

Current Issue Status/Symptoms: Resolved

Troubleshooting Steps: Customer resolved the issue by adding a static route on the router

Other Notes: Cust said ok to close case

_________________________________________________

Message was edited by: Herbert Baerten (VPN moderator)


4 Replies

Jennifer Halim
Cisco Employee

A few things need to be configured to allow remote access to access the remote LAN via site-to-site VPN:

On ASA 5510, configure the following:

1) same-security-traffic permit intra-interface

2) The split tunnel ACL that you configure for the remote access VPN needs to include the remote LAN subnet of the branch office.

3) The crypto ACL for the site-to-site VPN should include the following:

permit ip

On the branch office, configure the following:

1) The crypto ACL for the site-to-site VPN should include the following:

permit ip

2) NAT exemption should also include the same ACL as above.

The above should resolve the issue.
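The four points above, written out as an added example configuration (not taken from the thread or from the poster's running config). It assumes pre-8.3 NAT syntax, the interface names Trusted/Untrusted used later in the thread, the VPN pool 10.10.17.0/24 and branch LAN 192.168.20.0/24 mentioned by the poster, and placeholders for the main-office LAN (10.10.10.0/24), ACL and crypto-map names, and the branch peer address (203.0.113.2).

```cisco
! ===== Main office ASA 5510 (added example; pre-8.3 NAT syntax assumed) =====
! Assumed values: main LAN 10.10.10.0/24 (placeholder), RA pool 10.10.17.0/24,
! branch LAN 192.168.20.0/24, branch peer 203.0.113.2 (placeholder).

! 1) Let a flow enter and leave the same interface (RA client -> L2L "U-turn").
same-security-traffic permit intra-interface

! 2) Split-tunnel list pushed to RA clients must also carry the branch LAN,
!    otherwise the client routes branch traffic out its local default gateway.
access-list SPLIT_TUNNEL standard permit 10.10.10.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 192.168.20.0 255.255.255.0
group-policy RA_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL

! 3) L2L crypto ACL: main LAN AND the RA pool as interesting traffic to the branch.
access-list L2L_BRANCH extended permit ip 10.10.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list L2L_BRANCH extended permit ip 10.10.17.0 255.255.255.0 192.168.20.0 255.255.255.0
crypto map UNTRUSTED_MAP 10 match address L2L_BRANCH
crypto map UNTRUSTED_MAP 10 set peer 203.0.113.2

! NAT exemption for both source networks. Pool traffic arrives on Untrusted,
! so its exemption is bound to that interface, not to Trusted.
access-list NONAT_TRUSTED extended permit ip 10.10.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list NONAT_UNTRUSTED extended permit ip 10.10.17.0 255.255.255.0 192.168.20.0 255.255.255.0
nat (Trusted) 0 access-list NONAT_TRUSTED
nat (Untrusted) 0 access-list NONAT_UNTRUSTED

! ===== Branch office ASA 5505 (mirror image) =====
! Crypto ACL must be the exact mirror of the main office entries, or the
! pool->branch SA never negotiates and only main-LAN traffic passes.
access-list L2L_MAIN extended permit ip 192.168.20.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list L2L_MAIN extended permit ip 192.168.20.0 255.255.255.0 10.10.17.0 255.255.255.0
crypto map OUTSIDE_MAP 10 match address L2L_MAIN
crypto map OUTSIDE_MAP 10 set peer 198.51.100.1

! NAT exemption reuses the same ACL so the pool addresses are not translated.
nat (inside) 0 access-list L2L_MAIN
```

A quick check after applying it: "show crypto ipsec sa" on the 5510 should list a separate SA pair for 10.10.17.0/24 <-> 192.168.20.0/24; if only the main-LAN pair appears, the two crypto ACLs are not mirrors.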

I appreciate your response.  It appears I have met all of your suggestions.  I included my running config if you want to browse through that.  I get the below when attempting an access of shared files.  20.0 subnet is branch, 10.17 subnet is VPN.

6 | May 20 2011 | 10:29:10 | 106015 | 10.10.17.16 | 50915 | 192.168.20.2 | 445 | Deny TCP (no connection) from 10.10.17.16/50915 to 192.168.20.2/445 flags RST ACK on interface Trusted

The syslog error doesn't seem correct at all. Why would the packet even hit the Trusted interface? It's dropping it because it's not supposed to arrive on Trusted interface.

From the VPN Client, it should hit the Untrusted interface, and perform a U-Turn on the Untrusted interface towards the remote site-to-site VPN, hence should not even arrive on the Trusted interface.

Were you running dynamic routing protocols earlier? From the config, I saw that you have the "VPNVAROUTE" route-map configured and the ACL seems to advise some redistribution of the VPN pools and the remote LAN subnet. Can you please confirm that it is no longer in the routing table, as it might have been routed incorrectly.

You are right. Configuration seems to be correct. Please try to clear the tunnels and get them re-established again, and see if the VPN client access towards the branch LAN works.

Please share the following if it doesn't work:

show cry isa sa

show cry ipsec sa

And any syslog messages that might be denying the access. Thanks.
