05-24-2013 11:09 AM
Hello, I am having an issue with my VPN setup. I have two locations, each with its own subnet. I have a site-to-site VPN between the two locations. The site-to-site VPN is up and fully functional with no issues. Now if I am away from work and connect with the VPN client to site A, I cannot ping or connect to anything at site B. Or if I am connected to site B through a VPN, I cannot ping or connect to anything at site A.
Hopefully this makes sense but I will be glad to give further details on the setup if necessary.
05-24-2013 11:57 AM
Would need more information / configuration details. It could be ACLs, NAT rules, many many things. My guess would be a NAT identity / exempt rule. Since VPN clients connect from the outside, to get to site B they have to hairpin (so ensure that is enabled on the outside interface) and go right back out the outside interface.
If you have a general NAT rule for outside interface then you want to identity NAT that VPN client traffic so that it doesn't get NATed.
You also have to ensure you have your crypto maps set up correctly to allow VPN client traffic to traverse the VPN tunnel.
Lots of areas to look at.
05-24-2013 12:39 PM
Here is a copy of my config file from the ASA.
SiteAasa# show run
: Saved
:
ASA Version 8.4(4)5
!
hostname SiteAasa
domain-name domain.local
enable password encrypted
passwd encrypted
names
name 192.168.10.0 SiteB
!
interface Ethernet0/0
description Comcast MetroE
speed 1000
duplex full
nameif outside
security-level 0
ip address 90.160.254.60 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.166.1 255.255.255.252
!
interface Ethernet0/2
description DSL
nameif secondary
security-level 0
ip address 10.10.10.1 255.255.255.252
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
regex domainblock "facebook\.com"
banner login This system is for the use of authorized users only.
banner login Individuals using this computer system without authority, or in
banner login excess of their authority, are subject to having all of their
banner login activities on this system monitored and recorded by system personnel.
banner login
banner login In the course of monitoring individuals improperly using this
banner login system, or in the course of system maintenance, the activities
banner login of authorized users may also be monitored.
banner login
banner login Anyone using this system expressly consents to such monitoring
banner login and is advised that if such monitoring reveals possible
banner login evidence of criminal activity, system personnel may provide the
banner login evidence of such monitoring to law enforcement officials.
banner asdm This system is for the use of authorized users only.
banner asdm Individuals using this computer system without authority, or in
banner asdm excess of their authority, are subject to having all of their
banner asdm activities on this system monitored and recorded by system personnel.
banner asdm
banner asdm In the course of monitoring individuals improperly using this
banner asdm system, or in the course of system maintenance, the activities
banner asdm of authorized users may also be monitored.
banner asdm
banner asdm Anyone using this system expressly consents to such monitoring
banner asdm and is advised that if such monitoring reveals possible
banner asdm evidence of criminal activity, system personnel may provide the
banner asdm evidence of such monitoring to law enforcement officials.
boot system disk0:/asa844-5-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
name-server 192.168.16.18
name-server 192.168.16.19
name-server 192.168.16.10
domain-name domain.local
dns server-group Internet
name-server 209.221.42.253
name-server 209.82.185.253
name-server 4.2.2.2
dns server-group Metro
name-server 209.221.42.253
name-server 209.82.185.253
same-security-traffic permit inter-interface
object network SITEB_Subnet_192.168.10.0
subnet 192.168.10.0 255.255.255.0
object network SITEB_VPN_USERS_Subnet_10.10.99.0
subnet 10.10.99.0 255.255.255.0
object network SITEA_VPN_USERS_Subnet_10.10.98.0
subnet 10.10.98.0 255.255.255.0
object network SITEC_Subnet_192.168.14.0
subnet 192.168.14.0 255.255.255.0
object network NETWORK_OBJ_10.10.98.0_25
subnet 10.10.98.0 255.255.255.128
object network NETWORK_OBJ_192.168.16.0_24
subnet 192.168.0.0 255.255.0.0
object network SITEA_OUTSIDE_INTERFACE
host 90.160.254.60
object network SITEA_Outlook_192.168.16.12
host 192.168.16.12
object service https
service tcp source eq https destination eq https
object network SITEA_192.168.16.14
host 192.168.16.14
object service smtp
service tcp source eq smtp destination eq smtp
object network SITEA_Subnet_192.168.16.0
subnet 192.168.16.0 255.255.255.0
object network 192.168.144.0
subnet 192.168.144.0 255.255.255.0
object network 192.168.166.0
subnet 192.168.166.0 255.255.255.0
object network OBJ-interface
object network OBJ-tcp
object network obj-192.168.16.12
host 192.168.16.12
object network obj-192.168.16.14
host 192.168.16.14
object network obj-any
subnet 0.0.0.0 0.0.0.0
object network 192.168.100.0
subnet 192.168.100.0 255.255.255.0
object network NETWORK_OBJ_192.168.10.0_24
subnet 192.168.10.0 255.255.255.0
object network VNET_192.168.20.0
subnet 192.168.20.0 255.255.255.0
object network WirelessSubnet_10.55.77.0
subnet 10.55.77.0 255.255.255.0
object network SiteCGRE
host 192.168.144.2
object network ISCSI_SiteB_10.1.100.0
subnet 10.1.100.0 255.255.255.0
object network ISCSI_SiteA_10.1.21.0
subnet 10.1.21.0 255.255.255.0
object-group network DM_INLINE_NETWORK_1
network-object 192.168.16.0 255.255.255.0
network-object object SITEA_VPN_USERS_Subnet_10.10.98.0
network-object object 192.168.144.0
network-object object 192.168.166.0
network-object object WirelessSubnet_10.55.77.0
network-object object SITEC_Subnet_192.168.14.0
network-object object VNET_192.168.20.0
network-object object ISCSI_SiteA_10.1.21.0
object-group network DM_INLINE_NETWORK_2
network-object object SITEB_Subnet_192.168.10.0
network-object object SITEB_VPN_USERS_Subnet_10.10.99.0
network-object object 192.168.100.0
network-object object ISCSI_SiteB_10.1.100.0
object-group network DM_INLINE_NETWORK_3
network-object 192.168.16.0 255.255.255.0
network-object object SITEB_Subnet_192.168.10.0
network-object object SITEB_VPN_USERS_Subnet_10.10.99.0
network-object object SITEA_Subnet_192.168.16.0
network-object object SITEA_VPN_USERS_Subnet_10.10.98.0
object-group service DM_INLINE_UDP_1 udp
port-object eq snmp
port-object eq snmptrap
object-group service DM_INLINE_UDP_2 udp
port-object eq snmp
port-object eq snmptrap
object-group service DM_INLINE_SERVICE_1
service-object object smtp
service-object tcp destination eq smtp
object-group network GRETunnel
network-object host 192.168.144.2
object-group network GRETunnelLocal
network-object host 192.168.166.2
object-group network GRETunnelSiteB
network-object host 192.168.100.2
access-list outside_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 object-group DM_INLINE_NETWORK_2
access-list vpndomain_splitTunnelAcl standard permit 192.168.16.0 255.255.255.0
access-list vpndomain_splitTunnelAcl standard permit 192.168.0.0 255.255.0.0
access-list vpndomain_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0
access-list vpndomain_splitTunnelAcl standard permit 192.168.14.0 255.255.255.0
access-list outside_cryptomap_10 extended permit ip object-group GRETunnelLocal object-group GRETunnel
access-list outside_cryptomap_10 extended permit gre object-group GRETunnelLocal object-group GRETunnel
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit ip any 192.168.0.0 255.255.0.0
access-list inside_access_in extended permit ip any 10.0.0.0 255.0.0.0
access-list inside_access_in extended permit udp any any object-group DM_INLINE_UDP_1
access-list inside_access_in extended permit tcp any any eq smtp
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit icmp any any unreachable
access-list inside_access_in extended permit icmp any any time-exceeded
access-list inside_access_in extended permit ospf interface inside host 192.168.166.2
access-list outside_access_in extended permit tcp any host 192.168.16.14 eq smtp
access-list outside_access_in extended permit tcp any host 192.168.16.12 eq https
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit ip any 192.168.0.0 255.255.0.0
access-list outside_access_in extended permit ip any 10.0.0.0 255.0.0.0
access-list outside_access_in extended permit udp any any object-group DM_INLINE_UDP_2
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any any
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit icmp any any unreachable
access-list outside_access_in extended permit ospf interface inside host 192.168.166.2
access-list outside_access_in extended permit icmp any any echo-reply
access-list global_mpc extended permit ip any any
access-list domainipad_splitTunnelAcl standard permit 192.168.10.0 255.255.255.0
access-list domainipad_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0
access-list domainipad_splitTunnelAcl standard permit 192.168.0.0 255.255.0.0
access-list domainipad_splitTunnelAcl standard permit 192.168.14.0 255.255.255.0
access-list test extended permit ip host 192.168.10.82 host 192.168.20.10
access-list test extended permit ip host 192.168.20.10 host 192.168.10.82
pager lines 30
logging enable
logging buffer-size 32768
logging asdm-buffer-size 512
logging console debugging
logging monitor debugging
logging buffered debugging
logging asdm debugging
no logging message 106015
no logging message 313001
no logging message 313008
no logging message 106023
no logging message 710003
no logging message 106100
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 302018
no logging message 302017
no logging message 302016
no logging message 302021
no logging message 302020
flow-export destination inside 192.168.16.16 2055
flow-export template timeout-rate 10
mtu outside 1492
mtu inside 1500
mtu secondary 1500
mtu management 1500
ip local pool VPNusers 10.10.98.0-10.10.98.100 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
asdm image disk0:/asdm-649-103.bin
no asdm history enable
arp timeout 14400
arp permit-nonconnected
nat (inside,outside) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2 no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_192.168.16.0_24 NETWORK_OBJ_192.168.16.0_24 destination static NETWORK_OBJ_10.10.98.0_25 NETWORK_OBJ_10.10.98.0_25 no-proxy-arp route-lookup
nat (inside,outside) source static DM_INLINE_NETWORK_3 DM_INLINE_NETWORK_3 destination static SiteC_Subnet_192.168.14.0 SITEC_Subnet_192.168.14.0 no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 destination static NETWORK_OBJ_10.10.98.0_25 NETWORK_OBJ_10.10.98.0_25 no-proxy-arp route-lookup
nat (inside,outside) source static GRETunnelLocal GRETunnelLocal destination static GRETunnel GRETunnel no-proxy-arp route-lookup
!
object network obj-192.168.16.12
nat (inside,outside) static interface service tcp https https
object network obj-192.168.16.14
nat (inside,outside) static interface service tcp smtp smtp
object network obj-any
nat (inside,outside) dynamic interface
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 68.170.255.254 1
route inside 10.1.21.0 255.255.255.0 192.168.166.2 1
route outside 10.1.100.0 255.255.255.0 68.170.255.254 1
route outside 10.10.98.0 255.255.255.0 68.170.255.254 1
route outside 10.10.99.0 255.255.255.0 68.170.255.254 1
route inside 10.55.77.0 255.255.255.0 192.168.166.2 1
route outside 94.10.72.52 255.255.255.255 68.170.255.254 1
route outside SiteB 255.255.255.0 40.120.2.25 1
route inside 192.168.14.0 255.255.255.0 192.168.166.2 1
route inside 192.168.16.0 255.255.255.0 192.168.166.2 1
route inside 192.168.20.0 255.255.255.0 192.168.166.2 1
route outside 192.168.100.0 255.255.255.0 40.120.2.25 1
route inside 192.168.144.0 255.255.255.0 192.168.166.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server LDAP protocol ldap
aaa-server LDAP (inside) host 192.168.16.18
ldap-base-dn CN=Users,DC=domain,DC=local
ldap-group-base-dn CN=Users,DC=domain,DC=local
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn cn=administrator,CN=users,DC=domain,DC=local
server-type microsoft
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
http server enable 440
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside
snmp-server host inside 192.168.16.16 community ***** version 2c
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec df-bit clear-df outside
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 40.120.2.25
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 10 match address outside_cryptomap_10
crypto map outside_map 10 set peer 94.10.72.52
crypto map outside_map 10 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev2 enable inside
crypto ikev1 enable outside
crypto ikev1 enable inside
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet 0.0.0.0 0.0.0.0 outside
telnet 0.0.0.0 0.0.0.0 inside
telnet SiteB 255.255.255.0 inside
telnet timeout 5
ssh scopy enable
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection rate bad-packet-drop rate-interval 600 average-rate 100 burst-rate 400
threat-detection rate bad-packet-drop rate-interval 3600 average-rate 80 burst-rate 320
threat-detection rate bad-packet-drop rate-interval 18000 average-rate 2147483647 burst-rate 2147483647
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 192.168.16.4 source inside prefer
webvpn
group-policy GroupPolicy_94.10.72.52 internal
group-policy GroupPolicy_94.10.72.52 attributes
vpn-tunnel-protocol ikev1
group-policy GroupPolicy_40.120.2.25 internal
group-policy GroupPolicy_40.120.2.25 attributes
vpn-tunnel-protocol ikev1 ikev2
group-policy vpndomain internal
group-policy vpndomain attributes
dns-server value 192.168.16.18 4.2.2.2
vpn-tunnel-protocol ikev1 l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value domainipad_splitTunnelAcl
default-domain value domain.local
group-policy domainipad internal
group-policy domainipad attributes
dns-server value 192.168.16.18 4.2.2.2
vpn-simultaneous-logins 20
vpn-idle-timeout 30
vpn-session-timeout none
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec
password-storage enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value domainipad_splitTunnelAcl
default-domain value domain.local
username admin password dfuF7mMMwX/B/6Fh encrypted privilege 15
username ipaduser password HdfnFhbw1RaM4q8b encrypted privilege 0
username ipaduser attributes
vpn-group-policy domainipad
username cisco password xKAAxDzyn0eA1HT1 encrypted privilege 15
tunnel-group 40.120.2.25 type ipsec-l2l
tunnel-group 40.120.2.25 general-attributes
default-group-policy GroupPolicy_40.120.2.25
tunnel-group 40.120.2.25 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group vpndomain type remote-access
tunnel-group vpndomain general-attributes
address-pool VPNusers
authentication-server-group LDAP
default-group-policy vpndomain
tunnel-group vpndomain ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 94.10.72.52 type ipsec-l2l
tunnel-group 94.10.72.52 general-attributes
default-group-policy GroupPolicy_94.10.72.52
tunnel-group 94.10.72.52 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group domainipad type remote-access
tunnel-group domainipad general-attributes
address-pool VPNusers
default-group-policy domainipad
tunnel-group domainipad ipsec-attributes
ikev1 pre-shared-key *****
!
class-map global-class
match access-list global_mpc
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
description Netflow
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
class global-class
flow-export event-type all destination 192.168.16.16
class class-default
flow-export event-type all destination 192.168.16.16
user-statistics accounting
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
hpm topN enable
Cryptochecksum:8279c0f16a1d3c4505f9fae944c2b0ad
: end
SiteAasa#
05-24-2013 01:17 PM
Hi Anthony,
One thing which is missing is following command:
same-security-traffic permit inter-interface
Rest looks ok to me on this ASA at least (relevant config):
ip local pool VPNusers 10.10.98.0-10.10.98.100 mask 255.255.255.0
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 40.120.2.25
access-list outside_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 object-group DM_INLINE_NETWORK_2
object-group network DM_INLINE_NETWORK_1
network-object 192.168.16.0 255.255.255.0
network-object object SITEA_VPN_USERS_Subnet_10.10.98.0
network-object object 192.168.144.0
network-object object 192.168.166.0
network-object object WirelessSubnet_10.55.77.0
network-object object SITEC_Subnet_192.168.14.0
network-object object VNET_192.168.20.0
network-object object ISCSI_SiteA_10.1.21.0
object-group network DM_INLINE_NETWORK_2
network-object object SITEB_Subnet_192.168.10.0
network-object object SITEB_VPN_USERS_Subnet_10.10.99.0
network-object object 192.168.100.0
network-object object ISCSI_SiteB_10.1.100.0
nat (inside,outside) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2 no-proxy-arp route-lookup
Add the above command in bold and if it still fails, paste the config from the second ASA along with the logs when you try to access resources on the second site from the VPN client.
-
Sourav
05-24-2013 02:03 PM
Sourav,
This doesn't seem to have worked. I will try to get the other ASA config and the logs posted by Tuesday. I have a busy weekend ahead. Thanks for your help so far.
Anthony
05-25-2013 06:15 AM
I believe the command you need is:
same-security-traffic permit Intra-interface (not inter-interface)
Both remote VPN and site-to-site VPN use the same outside interface, so this command allows the VPN traffic to hairpin off this interface
Sent from Cisco Technical Support iPad App
05-25-2013 07:18 AM
Hi Anthony,
graeme2010 is right. The command I mentioned is already there in your config; basically I copied that and missed changing it to 'intra'. Since source and destination are behind the same interface, the command mentioned by 'graeme2010' is correct. Please add the following and see if it works; if not, get us the requested info:
same-security-traffic permit Intra-interface
Here is the link to command reference which explains above command in detail:
http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/s1.html#wp1444448
Thank you 'graeme2010' for highlighting this :-).
-
Sourav
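To make the three conditions raised in this thread checkable rather than eyeballed, here is an added example (not from the thread, the posters, or Cisco): a small Python lint that parses the relevant lines of an ASA show run (same-security-traffic, network objects and object-groups, the crypto map's match ACL and peer, the local pool, and twice-NAT identity rules) and reports whether remote-access clients can hairpin to the site-to-site peer. It checks the point graeme2010 made (intra-interface permitted) and the two points from the 05-24 11:57 reply (the pool appears as a source in the peer's crypto ACL, and an identity NAT exempts it towards the remote networks). The sample config is constructed from a trimmed copy of the Site A lines above; the parser understands only the line forms shown there (subnet objects, network-object entries, `extended permit ip` ACEs, `source static X X destination static Y Y` NAT), which is an assumption about the config, not a full ASA grammar.

```python
import ipaddress
# Constructed sample modelled on the thread's Site A config, trimmed to what these checks read (not the poster's full config)
SAMPLE_CONFIG = """\
same-security-traffic permit inter-interface
object network SITEA_VPN_USERS_Subnet_10.10.98.0
 subnet 10.10.98.0 255.255.255.0
object network SITEB_Subnet_192.168.10.0
 subnet 192.168.10.0 255.255.255.0
object-group network DM_INLINE_NETWORK_1
 network-object 192.168.16.0 255.255.255.0
 network-object object SITEA_VPN_USERS_Subnet_10.10.98.0
object-group network DM_INLINE_NETWORK_2
 network-object object SITEB_Subnet_192.168.10.0
access-list outside_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 object-group DM_INLINE_NETWORK_2
ip local pool VPNusers 10.10.98.0-10.10.98.100 mask 255.255.255.0
nat (inside,outside) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2 no-proxy-arp route-lookup
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 40.120.2.25
"""
FIXED_CONFIG = SAMPLE_CONFIG + "same-security-traffic permit intra-interface\n"  # the thread's one-line fix
SUBMODE = {"subnet", "host", "network-object", "description"}  # indented in show run; the paste lost the indent

def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def _take_spec(tokens):
    # Split one address spec off the front: any | host A | object X | object-group G | A M
    if not tokens or tokens[0] in ("any", "any4"):
        return ("any",), tokens[1:]
    return tuple(tokens[:2]), tokens[2:]

def parse_config(text):
    cfg = {"same_security": set(), "objects": {}, "groups": {}, "acls": {},
           "pools": {}, "nat_identity": [], "crypto_acl": {}, "peers": {}}
    current = None  # ("object" | "group", name) opened by the last top-level line
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] in SUBMODE:
            if current and current[0] == "object" and parts[0] == "subnet":
                cfg["objects"][current[1]] = _net(parts[1], parts[2])
            elif current and current[0] == "group" and parts[0] == "network-object":
                cfg["groups"][current[1]].append(parts[1:])
            continue
        current = None
        if parts[:2] == ["same-security-traffic", "permit"]:
            cfg["same_security"].add(parts[2].lower())
        elif parts[:2] == ["object", "network"]:
            current = ("object", parts[2])
        elif parts[:2] == ["object-group", "network"]:
            current = ("group", parts[2])
            cfg["groups"].setdefault(parts[2], [])
        elif parts[0] == "access-list" and parts[2:5] == ["extended", "permit", "ip"]:
            src, rest = _take_spec(parts[5:])
            cfg["acls"].setdefault(parts[1], []).append((src, _take_spec(rest)[0]))
        elif parts[:3] == ["ip", "local", "pool"]:
            first, last = parts[4].split("-")
            cfg["pools"][parts[3]] = (ipaddress.ip_address(first), ipaddress.ip_address(last))
        elif parts[0] == "nat" and len(parts) >= 10 and parts[2:4] == ["source", "static"] \
                and parts[6:8] == ["destination", "static"] and parts[4] == parts[5] and parts[8] == parts[9]:
            cfg["nat_identity"].append((parts[4], parts[8]))  # real == mapped on both sides: identity (exempt) NAT
        elif parts[:2] == ["crypto", "map"] and parts[4:6] in (["match", "address"], ["set", "peer"]):
            table = cfg["crypto_acl"] if parts[4] == "match" else cfg["peers"]
            table[(parts[2], parts[3])] = parts[6]
    return cfg

def resolve(spec, cfg):
    # Expand an address spec into ip_network objects; unknown object names resolve to nothing
    if spec[0] in ("any", "host"):
        return [ipaddress.ip_network("0.0.0.0/0" if spec[0] == "any" else spec[1])]
    if spec[0] == "object":
        return [cfg["objects"][spec[1]]] if spec[1] in cfg["objects"] else []
    if spec[0] == "object-group":
        return [n for e in cfg["groups"].get(spec[1], []) for n in resolve(_take_spec(e)[0], cfg)]
    return [_net(*spec)]

def covers_pool(nets, pool):
    # Every address of the pool range lies in at least one of the networks
    return all(any(ipaddress.ip_address(a) in n for n in nets) for a in range(int(pool[0]), int(pool[1]) + 1))

def audit_hairpin(cfg, pool_name, peer):
    # Three conditions the thread names for VPN clients reaching the site-to-site peer; [] means all hold
    findings = []
    if "intra-interface" not in cfg["same_security"]:
        findings.append("missing: same-security-traffic permit intra-interface (client traffic must hairpin on outside)")
    pool = cfg["pools"][pool_name]
    acl = next((cfg["crypto_acl"].get(k) for k, p in cfg["peers"].items() if p == peer), None)
    aces = cfg["acls"].get(acl, [])
    src_nets = [n for s, _ in aces for n in resolve(s, cfg)]
    dst_nets = [n for _, d in aces for n in resolve(d, cfg)]
    if not covers_pool(src_nets, pool):
        findings.append(f"pool {pool_name} is not a source in the crypto ACL for peer {peer}; client traffic stays out of the tunnel")
    by_name = lambda name: resolve(("object-group" if name in cfg["groups"] else "object", name), cfg)
    if not any(covers_pool(by_name(s), pool) and any(r.overlaps(x) for r in dst_nets for x in by_name(d))
               for s, d in cfg["nat_identity"]):
        findings.append(f"no identity NAT exempts {pool_name} towards the networks behind {peer}")
    return findings

def audit_text(text, pool_name="VPNusers", peer="40.120.2.25"):
    return audit_hairpin(parse_config(text), pool_name, peer)
```

Run against the sample as posted, `audit_text(SAMPLE_CONFIG)` returns only the intra-interface finding, which is exactly what the thread found; with the fix appended (`FIXED_CONFIG`) it returns an empty list. Removing the VPN pool object from DM_INLINE_NETWORK_1 makes the other two checks fire as well, since that group feeds both the crypto ACL and the identity NAT rule, which is why the same omission shows up twice in the findings.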
05-28-2013 05:52 AM
Yep, that command worked on the SiteA ASA that I posted the settings for. I can now ping site B when I am on Site A's VPN. This is a huge help. Thanks Sourav and graeme2010 for your help so far.
I also tried adding this command to site B but apparently something else is missing from the config.
SiteB# show run
: Saved
:
ASA Version 8.4(4)5
!
hostname SiteB
domain-name domain.local
enable password password encrypted
passwd password encrypted
names
!
interface Ethernet0/0
description Secondary Comcast Cable Modem
nameif secondary
security-level 0
ip address 173.165.58.154 255.255.255.248
!
interface Ethernet0/1
description Local Area Network
nameif inside
security-level 100
ip address 192.168.100.1 255.255.255.252
!
interface Ethernet0/2
description Metro E to Comcast
speed 100
duplex full
nameif outside
security-level 0
ip address 55.45.0.34 255.255.255.252
!
interface Ethernet0/3
description Guest_Wireless_DMZ
nameif Guest_Wireless_DMZ
security-level 50
ip address 192.168.7.20 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
banner login This system is for the use of authorized users only.
banner login Individuals using this computer system without authority, or in
banner login excess of their authority, are subject to having all of their
banner login activities on this system monitored and recorded by system personnel.
banner login
banner login In the course of monitoring individuals improperly using this
banner login system, or in the course of system maintenance, the activities
banner login of authorized users may also be monitored.
banner login
banner login Anyone using this system expressly consents to such monitoring
banner login and is advised that if such monitoring reveals possible
banner login evidence of criminal activity, system personnel may provide the
banner login evidence of such monitoring to law enforcement officials.
banner asdm This system is for the use of authorized users only.
banner asdm Individuals using this computer system without authority, or in
banner asdm excess of their authority, are subject to having all of their
banner asdm activities on this system monitored and recorded by system personnel.
banner asdm
banner asdm In the course of monitoring individuals improperly using this
banner asdm system, or in the course of system maintenance, the activities
banner asdm of authorized users may also be monitored.
banner asdm
banner asdm Anyone using this system expressly consents to such monitoring
banner asdm and is advised that if such monitoring reveals possible
banner asdm evidence of criminal activity, system personnel may provide the
banner asdm evidence of such monitoring to law enforcement officials.
boot system disk0:/asa844-5-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup secondary
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 192.168.10.173
name-server 192.168.10.174
domain-name domain.local
dns server-group Internet
name-server 75.75.75.75
name-server 75.75.75.76
name-server 4.2.2.2
dns server-group Metro
name-server 75.75.75.75
name-server 75.75.75.76
name-server 192.168.10.173
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network VPN_USERS_Subnet_10.10.99.0
subnet 10.10.99.0 255.255.255.128
object network MetroE_Subnet_202.0.220
subnet 50.202.0.220 255.255.255.252
object network Private_LDAP_192.168.10.173
host 192.168.10.173
object network Public_Outlook_50.203.0.137
host 50.203.0.137
object network Private_Outlook_192.168.10.127
host 192.168.10.127
object network SITEA_Subnet_192.168.16.0
subnet 192.168.16.0 255.255.255.0
object network SITEA_VPN_USERS_Subnet_10.10.98.0
subnet 10.10.98.0 255.255.255.0
object network SITEC_Subnet_192.168.14.0
subnet 192.168.14.0 255.255.255.0
object network 192.168.10.0
subnet 192.168.10.0 255.255.255.0
object network 192.168.144.0
subnet 192.168.144.0 255.255.255.0
object network NETWORK_OBJ_10.10.99.0_25
subnet 10.10.99.0 255.255.255.128
object network NETWORK_OBJ_192.168.0.0_24
subnet 192.168.0.0 255.255.255.0
object network Private_SPAM_FILTER_192.168.10.251
host 192.168.10.251
object network Public_SPAM_FILTER_50.203.0.138
host 50.203.0.138
object network 192.168.166.0
subnet 192.168.166.0 255.255.255.0
object network obj-any
subnet 0.0.0.0 0.0.0.0
object network 192.168.100.0
subnet 192.168.100.0 255.255.255.0
object network VNET_192.168.20.0
subnet 192.168.20.0 255.255.255.0
object network Wireless_10.55.77.0
subnet 10.55.77.0 255.255.255.0
object network ISCSI_Kamfin_10.1.21.0
subnet 10.1.21.0 255.255.255.0
object network ISCSI_Domain_10.1.100.0
subnet 10.1.100.0 255.255.255.0
object network ISCSI_SiteA_10.1.21.0
subnet 10.1.21.0 255.255.255.0
object network 192.168.7.0
subnet 192.168.7.0 255.255.255.0
object network DMZ_Wireless
subnet 192.168.7.0 255.255.255.0
description DMZ_Wireless
object network Guest_DMZ_Int
host 192.168.7.20
object-group network DM_INLINE_NETWORK_1
network-object object VPN_USERS_Subnet_10.10.99.0
network-object object 192.168.10.0
network-object object 192.168.100.0
network-object object ISCSI_Domain_10.1.100.0
object-group network DM_INLINE_NETWORK_2
network-object object SITEA_Subnet_192.168.16.0
network-object object SITEA_VPN_USERS_Subnet_10.10.98.0
network-object object 192.168.144.0
network-object object 192.168.166.0
network-object object Wireless_10.55.77.0
network-object object SITEC_Subnet_192.168.14.0
network-object object ISCSI_SiteA_10.1.21.0
network-object object VNET_192.168.20.0
object-group network DM_INLINE_NETWORK_3
network-object 192.168.10.0 255.255.255.0
network-object object 192.168.10.0
network-object object VPN_USERS_Subnet_10.10.99.0
object-group network DM_INLINE_NETWORK_4
network-object object 192.168.144.0
network-object object SITEC_Subnet_192.168.14.0
object-group network DM_INLINE_NETWORK_5
network-object 10.10.98.0 255.255.255.0
network-object 192.168.0.0 255.255.255.0
network-object object VPN_USERS_Subnet_10.10.99.0
network-object object 192.168.10.0
network-object 192.168.0.0 255.255.0.0
object-group network DM_INLINE_NETWORK_6
network-object 192.168.0.0 255.255.255.0
network-object object VPN_USERS_Subnet_10.10.99.0
object-group service DM_INLINE_SERVICE_1
service-object icmp alternate-address
service-object icmp conversion-error
service-object icmp echo
service-object icmp echo-reply
service-object icmp information-reply
service-object icmp information-request
service-object icmp mask-reply
service-object icmp mask-request
service-object icmp mobile-redirect
service-object icmp parameter-problem
service-object icmp redirect
service-object icmp router-advertisement
service-object icmp router-solicitation
service-object icmp source-quench
service-object icmp time-exceeded
service-object icmp timestamp-request
service-object icmp traceroute
service-object icmp unreachable
service-object tcp-udp destination eq www
service-object tcp destination eq citrix-ica
service-object tcp destination eq ftp
service-object tcp destination eq ftp-data
service-object tcp destination eq www
service-object tcp destination eq https
service-object tcp destination eq pop3
service-object tcp destination eq smtp
service-object udp destination eq www
service-object udp destination eq isakmp
service-object udp destination eq ntp
service-object udp destination eq snmp
service-object udp destination eq snmptrap
service-object udp destination eq tftp
object-group network DM_INLINE_NETWORK_7
network-object 192.168.100.0 255.255.255.252
network-object object 192.168.10.0
network-object object NETWORK_OBJ_10.10.99.0_25
object-group network DM_INLINE_NETWORK_8
network-object 10.0.0.0 255.0.0.0
network-object 192.168.0.0 255.255.0.0
object-group network DM_INLINE_NETWORK_9
network-object 10.0.0.0 255.0.0.0
network-object 192.168.0.0 255.255.0.0
object-group icmp-type DM_INLINE_ICMP_1
icmp-object alternate-address
icmp-object conversion-error
icmp-object echo
icmp-object echo-reply
icmp-object information-reply
icmp-object information-request
icmp-object mask-reply
icmp-object mask-request
icmp-object mobile-redirect
icmp-object parameter-problem
icmp-object redirect
icmp-object router-advertisement
icmp-object router-solicitation
icmp-object source-quench
icmp-object time-exceeded
icmp-object timestamp-reply
icmp-object timestamp-request
icmp-object traceroute
icmp-object unreachable
object-group network BackupRoutingLocal
network-object host 192.168.100.1
object-group network BackupRoutingSiteC
network-object host 3.3.3.3
network-object host 192.168.144.1
object-group network GRETunnelSiteA
network-object host 192.168.166.2
object-group network GRETunnelLocal
network-object host 1.1.1.1
object-group network GRETunnelSiteC
network-object host 8.8.8.8
access-list outside_access_in extended permit icmp any any object-group DM_INLINE_ICMP_1
access-list outside_access_in extended permit tcp any any eq ssh
access-list outside_access_in extended permit ip 10.0.0.0 255.0.0.0 any
access-list outside_access_in extended permit ip 192.168.0.0 255.255.0.0 any
access-list outside_access_in extended permit tcp any any
access-list outside_access_in extended permit ospf any any
access-list outside_access_in extended permit icmp any any unreachable
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in_1 extended permit ip any any
access-list vpndomain_splitTunnelAcl standard permit 192.168.10.0 255.255.255.0
access-list vpndomain_splitTunnelAcl standard permit 192.168.16.0 255.255.255.0
access-list vpndomain_splitTunnelAcl standard permit 192.168.14.0 255.255.255.0
access-list vpndomain_splitTunnelAcl standard permit 10.10.98.0 255.255.255.0
access-list vpndomain_splitTunnelAcl standard permit 192.168.100.0 255.255.255.0
access-list vpndomain_splitTunnelAcl standard permit 192.168.166.0 255.255.255.0
access-list vpndomain_splitTunnelAcl standard permit 192.168.144.0 255.255.255.0
access-list vpndomain_splitTunnelAcl standard permit 10.55.77.0 255.255.255.0
access-list vpndomain_splitTunnelAcl standard permit 192.168.20.0 255.255.255.0
access-list inside_access_in extended permit ip object Private_LDAP_192.168.10.173 any
access-list inside_access_in extended permit ip object-group DM_INLINE_NETWORK_5 any
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_1 object-group DM_INLINE_NETWORK_6 any
access-list inside_access_in extended permit icmp any interface outside
access-list inside_access_in extended permit icmp any object-group DM_INLINE_NETWORK_7
access-list inside_access_in extended permit ip object-group DM_INLINE_NETWORK_8 any
access-list inside_access_in extended permit ip any object-group DM_INLINE_NETWORK_9
access-list inside_access_in extended permit ip any any
access-list outside_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 object-group DM_INLINE_NETWORK_2
access-list outside_cryptomap_1 extended permit ip object-group GRETunnelLocal object-group GRETunnelSiteC
access-list outside_cryptomap_1 extended permit gre object-group GRETunnelLocal object-group GRETunnelSiteC
access-list domainipad_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
access-list domainipad_splitTunnelAcl standard permit 192.168.100.0 255.255.255.252
access-list domainipad_splitTunnelAcl standard permit 192.168.10.0 255.255.255.0
access-list global_mpc extended permit ip any any
access-list test extended permit ip host 192.168.10.82 host 192.168.20.10
access-list test extended permit ip host 192.168.20.10 host 192.168.10.82
access-list outside_access_wireless extended permit ip 10.0.0.0 255.0.0.0 any
access-list outside_access_wireless extended permit ip 192.168.0.0 255.255.0.0 any
access-list outside_access_wireless extended permit tcp any any
access-list outside_access_wireless extended permit icmp any any unreachable
access-list outside_access_wireless extended permit icmp any any echo-reply
access-list outside_access_wireless extended permit icmp any any time-exceeded
access-list cap-list extended permit tcp host 192.168.7.2 any
access-list cap-list extended permit tcp any host 192.168.7.2
pager lines 24
logging enable
logging buffer-size 32768
logging asdm-buffer-size 512
logging monitor informational
logging buffered informational
logging asdm informational
flow-export destination outside 192.168.16.16 2055
mtu secondary 1500
mtu inside 1500
mtu outside 1500
mtu management 1500
mtu Guest_Wireless_DMZ 1500
ip local pool VPNusers 10.10.99.0-10.10.99.100 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any secondary
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-649-103.bin
asdm history enable
arp timeout 14400
arp permit-nonconnected
nat (inside,outside) source static any any destination static VPN_USERS_Subnet_10.10.99.0 VPN_USERS_Subnet_10.10.99.0 no-proxy-arp route-lookup
nat (inside,outside) source static MetroE_Subnet_202.0.220 MetroE_Subnet_202.0.220 destination static VPN_USERS_Subnet_10.10.99.0 VPN_USERS_Subnet_10.10.99.0 no-proxy-arp route-lookup
nat (inside,outside) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2 no-proxy-arp route-lookup
nat (inside,outside) source static DM_INLINE_NETWORK_3 DM_INLINE_NETWORK_3 destination static DM_INLINE_NETWORK_4 DM_INLINE_NETWORK_4 no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_192.168.0.0_24 NETWORK_OBJ_192.168.0.0_24 destination static NETWORK_OBJ_10.10.99.0_25 NETWORK_OBJ_10.10.99.0_25 no-proxy-arp route-lookup
nat (inside,outside) source static BackupRoutingLocal BackupRoutingLocal destination static BackupRoutingSiteC BackupRoutingSiteC
nat (inside,outside) source static GRETunnelLocal GRETunnelLocal destination static GRETunnelStatesboro GRETunnelSiteC no-proxy-arp route-lookup
!
object network Private_Outlook_192.168.10.127
nat (inside,outside) static 50.203.0.137
object network Private_SPAM_FILTER_192.168.10.251
nat (inside,outside) static 50.203.0.138
object network obj-any
nat (any,outside) dynamic interface
access-group inside_access_in in interface inside
access-group outside_access_in_1 in interface outside control-plane
access-group outside_access_wireless in interface outside
route outside 0.0.0.0 0.0.0.0 50.202.0.221 1
route outside 10.1.21.0 255.255.255.0 50.202.0.221 1
route inside 10.1.100.0 255.255.255.0 192.168.100.2 1
route outside 10.10.98.0 255.255.255.0 87.70.25.10 1
route outside 10.55.77.0 255.255.255.0 87.70.25.10 1
route outside 74.32.84.42 255.255.255.255 50.202.0.221 1
route inside 192.168.7.0 255.255.255.0 192.168.100.2 1
route inside 192.168.10.0 255.255.255.0 192.168.100.2 1
route outside 192.168.14.0 255.255.255.0 50.202.0.221 1
route outside 192.168.16.0 255.255.255.0 87.70.25.10 1
route outside 192.168.20.0 255.255.255.0 50.202.0.221 1
route outside 192.168.144.0 255.255.255.0 87.70.25.10 1
route outside 192.168.166.0 255.255.255.0 87.70.25.10 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server 192.168.10.173 protocol ldap
aaa-server 192.168.10.173 (inside) host 192.168.10.173
ldap-base-dn CN=Users,DC=domain,DC=local
ldap-group-base-dn CN=Users,DC=domain,DC=local
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn cn=administrator,CN=users,DC=domain,DC=local
server-type microsoft
user-identity domain wstx-adc1 aaa-server 192.168.10.173
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 secondary
http 0.0.0.0 0.0.0.0 outside
snmp-server host outside 192.168.16.16 community ***** version 2c
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
auth-prompt prompt This system is for the use of authorized users only. Individuals using this computer system without authority, or in excess of their authority, are subject to having all of their
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec df-bit clear-df outside
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 87.70.25.10
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 2 match address outside_cryptomap_1
crypto map outside_map 2 set peer 74.32.84.42
crypto map outside_map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 2 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto map secondary_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map secondary_map interface secondary
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=SiteB
keypair sslvpndomain
crl configure
crypto ca trustpoint ASDM_TrustPoint1
enrollment self
fqdn none
subject-name CN=55.45.0.34
ip-address 55.45.0.34
keypair sslvpndomain
crl configure
crypto ca trustpoint SSLVPN
enrollment self
subject-name CN=SiteB
keypair vpndomain
crl configure
crypto ca trustpoint ASDM_TrustPoint2
enrollment self
fqdn 50-202-0-222-static.hfc.comcastbusiness.net
subject-name CN=50-202-0-222-static.hfc.comcastbusiness.net
keypair SSL
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate 25395350
308201e5 3082014e a0030201 02020425 39535030 0d06092a 864886f7 0d010105
05003037 3110300e 06035504 03130763 68676f61 73613123 30210609 2a864886
f70d0109 02161463 68676f61 73612e77 65737465 782e6c6f 63616c30 1e170d31
32303931 35303335 3435305a 170d3232 30393133 30333534 35305a30 37311030
0e060355 04031307 6368676f 61736131 23302106 092a8648 86f70d01 09021614
6368676f 6173612e 77657374 65782e6c 6f63616c 30819f30 0d06092a 864886f7
0d010101 05000381 8d003081 89028181 00b24190 ab4a2ee4 191ffd45 63db06f4
c34abc21 ad2395cf b8f265be b649c426 2a206754 8010596c 94913887 38295417
998e96a1 69967a47 40f6c243 6b860be5 8293dcc8 cf9a7dd2 4e86060e 56ee278c
5a1e8388 12506915 d6134ca0 4670b9b8 d071947c 9e32d2c1 c0fc5101 52652703
af3eac77 6a451dd0 e9f06217 c076c535 d3020301 0001300d 06092a86 4886f70d
01010505 00038181 008d6cf9 8a7d56fd 79e56d71 4fe28da0 afad8684 20208eb7
6d79d87f 0958c844 083fc6cb b6b580ab 19b5f39c 49ffa0ff 8837fb15 043c9ceb
efbeb458 5ec40ccc 8d05cdfb 61ce8943 1a00f610 b947dd2a 97d28252 bde2c422
1a40b886 ab89a6b9 94c161e4 15769010 9d304d4c 6fe07c2e 8f906504 a1ac2ee5
5a9d4015 36a4c66b b0
quit
crypto ca certificate chain ASDM_TrustPoint1
certificate 24395350
308201db 30820144 a0030201 02020424 39535030 0d06092a 864886f7 0d010105
05003032 31303013 06035504 03130c35 302e3230 322e302e 32323230 1906092a
864886f7 0d010908 130c3530 2e323032 2e302e32 3232301e 170d3132 30393135
30333531 35345a17 0d323230 39313330 33353135 345a3032 31303013 06035504
03130c35 302e3230 322e302e 32323230 1906092a 864886f7 0d010908 130c3530
2e323032 2e302e32 32323081 9f300d06 092a8648 86f70d01 01010500 03818d00
30818902 818100b2 4190ab4a 2ee4191f fd4563db 06f4c34a bc21ad23 95cfb8f2
65beb649 c4262a20 67548010 596c9491 38873829 5417998e 96a16996 7a4740f6
c2436b86 0be58293 dcc8cf9a 7dd24e86 060e56ee 278c5a1e 83881250 6915d613
4ca04670 b9b8d071 947c9e32 d2c1c0fc 51015265 2703af3e ac776a45 1dd0e9f0
6217c076 c535d302 03010001 300d0609 2a864886 f70d0101 05050003 818100a8
12ea6ead 33fac15b f1dfedc1 0dba7347 cd588d0a 5c87053f f3d71722 a8c11d3b
6c33a840 85a00c90 966c6657 1c66f32e ac2d4b88 089c1a26 8ded7139 c9330b0b
77e39431 5c5d60bd edfda2b9 90d00d98 7e819a02 155f522d e9a90c1b d620ea04
1515871e 3a71c01b d59c0f32 d0cafb43 03cabc81 157941d9 809906dc 3e6d83
quit
crypto ca certificate chain SSLVPN
certificate 26395350
308201e5 3082014e a0030201 02020426 39535030 0d06092a 864886f7 0d010105
05003037 3110300e 06035504 03130763 68676f61 73613123 30210609 2a864886
f70d0109 02161463 68676f61 73612e77 65737465 782e6c6f 63616c30 1e170d31
32303931 35303335 3534305a 170d3232 30393133 30333535 34305a30 37311030
0e060355 04031307 6368676f 61736131 23302106 092a8648 86f70d01 09021614
6368676f 6173612e 77657374 65782e6c 6f63616c 30819f30 0d06092a 864886f7
0d010101 05000381 8d003081 89028181 00cb29a1 e53286e8 b0a9eb3a baaef827
a76e5d12 92eca332 cd3f4633 1f1c1a07 4f959e23 27f15bb9 0d7430ed aba1bfaa
a5fc53d0 34f13a4b 119dedd6 0e77e1ba 0cc4f1e4 370627fe 9dbc6c9e 51f7556c
067ae357 58c1e381 4089faba 348a3c4d 77d37c5f 28016ae2 e1f64cbd 3a80f6b4
8356d987 3d887aeb 307f5ed9 05d38da9 7d020301 0001300d 06092a86 4886f70d
01010505 00038181 0009c42b 526a2e40 1e9ed254 68ad1348 251e12ef f6257297
5d179d95 54287b1e f4b41db7 4fe977e1 e40f9c9a c2c1fc1b 8360ee30 7f5bd320
942380c0 a46687c6 074766c6 4725a01b 8c0fd40b 15cd3750 07a3652d e855c51b
c920c0fd 5e676308 dc937dc9 2bbeea8c b7c74554 f0db9fa7 bd38ea95 8aa90a7f
d7bfcd45 a647f6a6 f6
quit
crypto ca certificate chain ASDM_TrustPoint2
certificate 27395350
3082025b 308201c4 a0030201 02020427 39535030 0d06092a 864886f7 0d010105
05003072 31343032 06035504 03132b35 302d3230 322d302d 3232322d 73746174
69632e68 66632e63 6f6d6361 73746275 73696e65 73732e6e 6574313a 30380609
2a864886 f70d0109 02162b35 302d3230 322d302d 3232322d 73746174 69632e68
66632e63 6f6d6361 73746275 73696e65 73732e6e 6574301e 170d3132 30393135
30343030 31335a17 0d323230 39313330 34303031 335a3072 31343032 06035504
03132b35 302d3230 322d302d 3232322d 73746174 69632e68 66632e63 6f6d6361
73746275 73696e65 73732e6e 6574313a 30380609 2a864886 f70d0109 02162b35
302d3230 322d302d 3232322d 73746174 69632e68 66632e63 6f6d6361 73746275
73696e65 73732e6e 65743081 9f300d06 092a8648 86f70d01 01010500 03818d00
30818902 818100e8 2156c1bd d5a6b2f0 3996eb86 f5b8d5aa 23943a86 1b36096e
16641bf0 b1320717 55b06f50 af8f6bcf fcb090cd cbbe825a 67e8fb96 9fb19302
f69611b9 9288b9ca 33cf7e12 60cf00f0 c1ac1de3 c14ea4b5 82d7258a 7e46d2b4
00ce0636 b2b2049a 77e9aa76 7f32b952 3e35b53c c9a91956 add1a10c b963271f
1347919a ca3bd502 03010001 300d0609 2a864886 f70d0101 05050003 81810024
5aa60efb 2252a843 1ea0fa0b b70f59a9 95ba9f0b db5e92a1 eab4dcb4 2ae654b6
6dc96d4e 0ce97469 3f2c0464 bf350c03 7242a19d 8c144d25 29608596 01d799d2
ad1d2452 c0d2371b 0bc1371d 81ea67f1 f29658b7 e8b5448f 865ab40c 8e38f1ae
70ef091d 0e827403 dbf3b670 22568cd8 101b1455 e4a05a6d 7370047e 0afa2e
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable secondary
crypto ikev2 enable inside
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
crypto ikev1 enable secondary
crypto ikev1 enable inside
crypto ikev1 enable outside
crypto ikev1 ipsec-over-tcp port 10000
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh scopy enable
ssh 0.0.0.0 0.0.0.0 secondary
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 192.168.7.64-192.168.7.191 Guest_Wireless_DMZ
dhcpd dns 75.75.75.75 75.75.76.76 interface Guest_Wireless_DMZ
dhcpd lease 28800 interface Guest_Wireless_DMZ
dhcpd ping_timeout 250 interface Guest_Wireless_DMZ
dhcpd domain guestwireless interface Guest_Wireless_DMZ
dhcpd enable Guest_Wireless_DMZ
!
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 192.168.10.1 source inside prefer
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1 dhe-aes128-sha1 dhe-aes256-sha1
ssl trust-point ASDM_TrustPoint0 inside
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
anyconnect profiles VPNuser_client_profile disk0:/VPNuser_client_profile.xml
anyconnect enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
dns-server value 192.168.10.173 192.168.10.174
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
default-domain value domain.local
group-policy domainipad internal
group-policy domainipad attributes
dns-server value 192.168.10.173 192.168.10.174
vpn-idle-timeout 60
vpn-session-timeout none
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value domainipad_splitTunnelAcl
default-domain value domain.local
secure-unit-authentication disable
user-authentication disable
group-policy GroupPolicy_74.32.84.42 internal
group-policy GroupPolicy_74.32.84.42 attributes
vpn-tunnel-protocol ikev1 ikev2
group-policy GroupPolicy_87.70.25.10 internal
group-policy GroupPolicy_87.70.25.10 attributes
vpn-tunnel-protocol ikev1 ikev2
group-policy vpndomain internal
group-policy vpndomain attributes
dns-server value 192.168.10.173 192.168.10.174
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpndomain_splitTunnelAcl
default-domain value domain.local
username admin password password encrypted privilege 15
username ipaduser password password encrypted privilege 15
username ipaduser attributes
vpn-group-policy domainipad
vpn-simultaneous-logins 10
password-storage enable
username cisco password 6bg.xkmjb0xcNK/q encrypted privilege 15
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool VPNusers
tunnel-group 87.70.25.10 type ipsec-l2l
tunnel-group 87.70.25.10 general-attributes
default-group-policy GroupPolicy_87.70.25.10
tunnel-group 87.70.25.10 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group vpndomain type remote-access
tunnel-group vpndomain general-attributes
address-pool VPNusers
authentication-server-group 192.168.10.173 LOCAL
default-group-policy vpndomain
tunnel-group vpndomain ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 74.32.84.42 type ipsec-l2l
tunnel-group 74.32.84.42 general-attributes
default-group-policy GroupPolicy_74.32.84.42
tunnel-group 74.32.84.42 ipsec-attributes
ikev1 pre-shared-key *****
peer-id-validate nocheck
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group domainipad type remote-access
tunnel-group domainipad general-attributes
address-pool VPNusers
default-group-policy domainipad
tunnel-group domainipad ipsec-attributes
ikev1 pre-shared-key *****
!
class-map global-class
match access-list global_mpc
class-map type inspect http match-all asdm_medium_security_methods
match not request method head
match not request method post
match not request method get
class-map inspection_default
match default-inspection-traffic
class-map type regex match-any URL-BLOCK
class-map type inspect http match-any URL-Block
match request uri regex class URL-BLOCK
match request header host regex class URL-BLOCK
class-map type inspect http match-all asdm_high_security_methods
match not request method head
match not request method get
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map type inspect http URL
parameters
protocol-violation action drop-connection log
class URL-Block
drop-connection log
policy-map global_policy
description Netflow
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect http URL
inspect icmp
class global-class
class class-default
user-statistics accounting
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
hpm topN enable
Cryptochecksum:105604110a6d35be5f2a5e5bc86017c6
: end
05-28-2013 07:03 AM
Hi Anthony,
Glad to know that it works for Site A now. I checked the config and it looks ok to me:
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 87.70.25.10
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
access-list outside_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 object-group DM_INLINE_NETWORK_2
object-group network DM_INLINE_NETWORK_1
network-object object VPN_USERS_Subnet_10.10.99.0
network-object object 192.168.10.0
network-object object 192.168.100.0
network-object object ISCSI_Domain_10.1.100.0
object-group network DM_INLINE_NETWORK_2
network-object object SITEA_Subnet_192.168.16.0
network-object object SITEA_VPN_USERS_Subnet_10.10.98.0
network-object object 192.168.144.0
network-object object 192.168.166.0
network-object object Wireless_10.55.77.0
network-object object SITEC_Subnet_192.168.14.0
network-object object ISCSI_SiteA_10.1.21.0
network-object object VNET_192.168.20.0
ip local pool VPNusers 10.10.99.0-10.10.99.100 mask 255.255.255.0
nat (inside,outside) source static any any destination static VPN_USERS_Subnet_10.10.99.0 VPN_USERS_Subnet_10.10.99.0 no-proxy-arp route-lookup
nat (inside,outside) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2 no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_192.168.0.0_24 NETWORK_OBJ_192.168.0.0_24 destination static NETWORK_OBJ_10.10.99.0_25 NETWORK_OBJ_10.10.99.0_25 no-proxy-arp route-lookup
Can you post the following info:
- Output of "packet-tracer input outside udp 10.10.99.10 discard 192.168.16.10 80"
- Logs of the time when you connect to ASA and access the resource on inside of second site ASA (mention IPs involved).
- show crypto ipsec sa peer
-
Sourav
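Added example (not from the thread, not Cisco tooling): a small Python checker that parses the kind of object, object-group, extended ACL, twice-NAT and crypto map lines quoted above and reports, for one source and destination, the three things a hairpinned VPN-client flow needs: the `same-security-traffic permit intra-interface` statement from the accepted answer, an identity NAT rule that applies to the interface pair the flow actually takes, and a crypto map entry whose ACL selects the site-to-site tunnel. The CONFIG string is constructed from lines quoted in the thread; the `object network` bodies the quoted excerpt references but does not show are assumed from their names, one group member is written in the bare `A MASK` form, and the hairpin line is included so the check has something to find.

```python
# Added example: static check of what a hairpinned VPN-client flow needs on an
# ASA 8.3+ object-based config. Not Cisco tooling. CONFIG is built from lines
# quoted in the thread plus assumed object bodies and the accepted answer's hairpin line.
import ipaddress
CONFIG = """\
object network VPN_USERS_Subnet_10.10.99.0
 subnet 10.10.99.0 255.255.255.0
object network SITEA_Subnet_192.168.16.0
 subnet 192.168.16.0 255.255.255.0
object-group network DM_INLINE_NETWORK_1
 network-object object VPN_USERS_Subnet_10.10.99.0
 network-object 192.168.10.0 255.255.255.0
object-group network DM_INLINE_NETWORK_2
 network-object object SITEA_Subnet_192.168.16.0
access-list outside_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 object-group DM_INLINE_NETWORK_2
nat (inside,outside) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2 no-proxy-arp route-lookup
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 87.70.25.10
same-security-traffic permit intra-interface
"""
ANY = ipaddress.ip_network("0.0.0.0/0")
net = lambda *parts: ipaddress.ip_network("/".join(parts), strict=False)   # "A MASK" or bare "A"

def operand(t, i):
    """Consume one address operand at t[i]; return ((kind, value), next index)."""
    if t[i] in ("any", "any4"):
        return ("any", None), i + 1
    if t[i] in ("object", "object-group", "interface"):
        return (t[i], t[i + 1]), i + 2
    if t[i] == "host":
        return ("net", net(t[i + 1])), i + 2
    return ("net", net(t[i], t[i + 1])), i + 2

def parse(text):
    """Objects, groups, extended ACLs, twice-NAT rules, crypto map entries, hairpin flag."""
    cfg = {"objects": {}, "groups": {}, "acls": {}, "nat": [], "cmap": {}, "intra": False}
    block = None                                          # (table, name) being filled
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if line[0] == " " and block:                      # member line of an object/group
            table, name = block
            if table == "objects" and t[0] in ("subnet", "host"):
                cfg["objects"][name].append(net(*t[1:3]))
            elif table == "groups" and t[0] == "network-object":
                cfg["groups"][name].append(operand(t, 1)[0])
            continue                                      # object NAT and descriptions are ignored
        block = None
        if t[:2] in (["object", "network"], ["object-group", "network"]):
            block = ("objects" if t[0] == "object" else "groups", t[2])
            cfg[block[0]].setdefault(t[2], [])
        elif t[0] == "access-list" and t[2:4] == ["extended", "permit"]:
            src, i = operand(t, 6 if t[4] in ("object", "object-group") else 5)   # skip protocol
            cfg["acls"].setdefault(t[1], []).append((src, operand(t, i)[0]))
        elif t[0] == "nat" and t[2:4] == ["source", "static"] and t[6:8] == ["destination", "static"]:
            ref = [("any", None) if w == "any" else ("object", w) for w in t[4:6] + t[8:10]]
            cfg["nat"].append({"ifaces": t[1].strip("()").split(","), "src": ref[0],
                               "dst": ref[2], "identity": ref[0] == ref[1] and ref[2] == ref[3]})
        elif t[:2] == ["crypto", "map"] and len(t) >= 7 and t[3].isdigit():
            entry = cfg["cmap"].setdefault((t[2], int(t[3])), {})
            if t[4:6] in (["match", "address"], ["set", "peer"]):
                entry[t[5]] = t[6]                        # entry["address"] / entry["peer"]
        elif t == ["same-security-traffic", "permit", "intra-interface"]:
            cfg["intra"] = True
    return cfg

def resolve(cfg, op):
    """Expand an operand to concrete networks; object-groups may nest."""
    kind, val = op
    if kind in ("object", "object-group"):
        return cfg["objects"].get(val) or [n for m in cfg["groups"].get(val, []) for n in resolve(cfg, m)]
    return {"any": [ANY], "net": [val]}.get(kind, [])    # 'interface X' cannot be matched statically

def covers(cfg, op, ip):
    return any(ip in n for n in resolve(cfg, op))

def nat_applies(cfg, rule, ingress, egress, s, d):
    """Twice NAT on (real,mapped) covers real->mapped flows and, with src/dst swapped,
    mapped->real flows; 'any' matches either interface. Rule ordering is ignored."""
    real, mapped = rule["ifaces"]
    def ok(want, have):
        return want in ("any", have)
    fwd = ok(real, ingress) and ok(mapped, egress) and covers(cfg, rule["src"], s) and covers(cfg, rule["dst"], d)
    rev = ok(mapped, ingress) and ok(real, egress) and covers(cfg, rule["dst"], s) and covers(cfg, rule["src"], d)
    return fwd or rev

def check_path(cfg, src, dst, ingress="outside", egress="outside"):
    """Hairpin permit, identity-NAT match and crypto map entry for src->dst on ingress->egress."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    identity = any(r["identity"] and nat_applies(cfg, r, ingress, egress, s, d) for r in cfg["nat"])
    tunnel = next(((name, seq, e.get("peer")) for (name, seq), e in sorted(cfg["cmap"].items())
                   if any(covers(cfg, a, s) and covers(cfg, b, d)
                          for a, b in cfg["acls"].get(e.get("address"), []))), None)
    return {"hairpin_permitted": cfg["intra"], "identity_nat": identity, "tunnel": tunnel}

if __name__ == "__main__":
    print(check_path(parse(CONFIG), "10.10.99.10", "192.168.16.10"))                      # hairpinned VPN client
    print(check_path(parse(CONFIG), "192.168.10.5", "192.168.16.10", "inside", "outside"))  # LAN host
```

Run against the thread's own `nat (inside,outside)` identity rule, the check reports `identity_nat` False for the VPN-client flow, because a hairpinned flow enters and leaves on `outside` while that rule is written for the inside-to-outside pair; the same rule does apply to a LAN host on `inside`, and the crypto map ACL selects the 87.70.25.10 tunnel in both cases. That is the gap the first reply's advice about identity NAT for VPN-client traffic points at: the exemption has to be written for the interface pair the hairpinned flow actually takes. The NAT model is deliberately simple (twice NAT only, no rule sections or ordering, no object NAT), so treat its result as a pointer to confirm with the `packet-tracer` output Sourav asks for above.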
05-28-2013 07:31 AM
This is odd but I think a reboot fixed it. I lost my internet connection a few minutes ago and decided to reset the ASA. After that the internet came back up and out of curiosity I checked the VPN. Seems to be working now. Thanks for all of your help.
Anthony