Site to Site Tunnel not passing Windows traffic

netadmin
Level 1

Have an issue with a static-to-dynamic Site-to-Site VPN between 2 ASA5505s. The tunnel is up, and I can ping in both directions no problem; I can also web browse and RDP from the remote site. However, I cannot browse the network nor get any DC authentication to pass.

My VPN clients do all of this no problem. I'm posting the config from the remote site.

The config may have gotten a little dirtied up in attempts, please let me know if you see anything; I'm leaning towards the ACLs.

sho run
: Saved
:
ASA Version 8.2(5)22
!
hostname ASA-2
domain-name internal.monaco.com
enable password xxxxx encrypted
passwd xxxx encrypted
names
!
interface Ethernet0/0
description External Connection
switchport access vlan 2
!
interface Ethernet0/1
description Internal LAN
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif Inside
security-level 100
ip address 10.16.2.1 255.255.255.0
!
interface Vlan2
nameif Outside
security-level 0
ip address dhcp setroute
!
group-object BasicPortsUDP
object-group network Main
network-object 172.16.0.0 255.255.0.0
object-group network Internal
group-object Local
access-list Inside_in remark --- BEGIN: Out bound ACL (Updated: 20AUG2013) ---
access-list Inside_in remark --> Allow common Internet use
access-list Inside_in extended permit tcp any any object-group OutgoingTCP
access-list Inside_in extended permit udp any any object-group OutgoingUDP
access-list Inside_in extended permit icmp any any
access-list Inside_in remark --> Explicit DENY ANY
access-list Inside_in extended deny ip any any
access-list Inside_in remark --- END -------------------------------------------
access-list Inside_in remark --> Allow VPN Traffic to Main
access-list Inside_in extended permit ip object-group Internal object-group Main
access-list Inside_in extended permit ip object-group Main object-group Internal

moved to here
access-list Outside_in remark --- BEGIN: In bound ACL (Updated: 12-15-2006) ---
access-list Outside_in extended permit ip object-group Main object-group Internal
access-list Outside_in remark -> Permit ICMP Traffic
access-list Outside_in extended permit icmp any any echo-reply
access-list Outside_in extended permit icmp any any unreachable
access-list Outside_in extended permit icmp any any traceroute
access-list Outside_in remark -> Explicit DENY ANY
access-list Outside_in extended deny ip any any
access-list Outside_in remark --- END -------------------------------------------
access-list no_nat extended permit ip object-group Local object-group Main
access-list VPN_to_Main extended permit ip object-group Local object-group Main
access-list nat extended permit ip any any
pager lines 24

Accepted Solution

Santhosha Shetty
Cisco Employee

Hi Brad,

Since the issue is seen for specific traffic/applications, could you please collect the packet-tracer (in the outbound direction) output on both ASAs to verify if the flow is correct for the non-working traffic.

Collect the following:

packet-tracer input   detailed

Thanks,

Santhosh


2 Replies

netadmin
Level 1

Thank you Santhosha,

Saturday I did just that and found that I had been overlooking the misplacement of a deny in my ACLs; moved it to the bottom and everything worked as expected.

Updated that chunk of my config as an example.

-Brad
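The first-match behaviour behind Brad's fix, as an added example that is not part of the thread: a Python model of the Inside_in ACL from the question (not Cisco code), evaluating the deny-above-the-VPN-permits order against the deny-at-the-bottom order. object-group Local, OutgoingTCP and OutgoingUDP are not shown on the page and are assumed here.

```python
import ipaddress

# Constructed first-match evaluator for the Inside_in ACL posted above.
# Assumptions not on the page: object-group Local is the inside subnet
# 10.16.2.0/24, OutgoingTCP = {80, 443, 3389} and OutgoingUDP = {53}.
GROUPS = {
    "any": [ipaddress.ip_network("0.0.0.0/0")],
    "Main": [ipaddress.ip_network("172.16.0.0/16")],     # from the config
    "Internal": [ipaddress.ip_network("10.16.2.0/24")],  # assumed 'Local'
}
PORT_GROUPS = {"OutgoingTCP": {80, 443, 3389}, "OutgoingUDP": {53}, "any": None}

def _in(addr, group):
    return any(ipaddress.ip_address(addr) in net for net in GROUPS[group])

def evaluate(acl, proto, src, dst, dport):
    """Return (action, index) of the first ACE matching the flow, as the ASA
    does; every ASA ACL ends with an implicit deny."""
    for i, (action, p, sgrp, dgrp, pgrp) in enumerate(acl):
        ports = PORT_GROUPS[pgrp]
        if (p in ("ip", proto) and _in(src, sgrp) and _in(dst, dgrp)
                and (ports is None or dport in ports)):
            return action, i
    return "deny", None

# ACEs in the order they appear in the post (action, proto, src, dst, ports).
INTERNET = [
    ("permit", "tcp", "any", "any", "OutgoingTCP"),
    ("permit", "udp", "any", "any", "OutgoingUDP"),
    ("permit", "icmp", "any", "any", "any"),
]
VPN = [
    ("permit", "ip", "Internal", "Main", "any"),
    ("permit", "ip", "Main", "Internal", "any"),
]
DENY_ALL = [("deny", "ip", "any", "any", "any")]

ACL_AS_POSTED = INTERNET + DENY_ALL + VPN   # deny sits above the VPN permits
ACL_FIXED = INTERNET + VPN + DENY_ALL       # deny moved to the bottom

def check(acl):
    """Evaluate the flows described in the thread; returns {name: action}."""
    flows = {  # constructed hosts inside the posted subnets
        "rdp_to_main": ("tcp", "10.16.2.50", "172.16.1.10", 3389),
        "smb_to_main": ("tcp", "10.16.2.50", "172.16.1.10", 445),
        "kerberos_to_dc": ("tcp", "10.16.2.50", "172.16.1.5", 88),
        "smb_to_internet": ("tcp", "10.16.2.50", "198.51.100.7", 445),
    }
    return {name: evaluate(acl, *flow)[0] for name, flow in flows.items()}
```

With the deny above the VPN permits, only the ports in OutgoingTCP reach Main, which is why RDP and web browsing worked while SMB and Kerberos did not; with the deny at the bottom the VPN subnets are permitted while the same traffic to the Internet is still denied.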