06-28-2017 06:19 AM
Hi,
We have two Cisco ASAs that are connected via a P2P tunnel fiber link provided by the ISP.
ASA A is the main firewall where VPN users connect.
ASA B is where our hosts are placed, and VPN users want to access these hosts.
We are not able to access those hosts. Please suggest.
Thanks
Amardeep Rana
06-28-2017 07:30 AM
A few things you can check:
1) Correct encryption domains in the crypto ACL: you need to have the VPN subnet as a local proxy network on ASA A and as a remote proxy network on ASA B.
2) Add the remote subnet to the VPN split tunnel.
3) Allow same-security-traffic permit intra-interface.
4) Check the identity NAT rules (NAT exemption) on ASA A for the VPN subnet from the outside interface to the outside interface.
5) Check the identity NAT rules (NAT exemption) on ASA B for the VPN subnet between the inside and outside interfaces.
06-28-2017 07:39 AM
1. VPN users connect to ASA A and are able to access hosts behind ASA A.
2. By remote subnet, you mean the subnet of ASA B?
3. Already done.
Thanks
Amardeep
06-28-2017 08:07 AM
Yes, your split tunnel should include the subnet behind ASA B (the subnet where the hosts are located). If not, this traffic will not even make it through the remote access tunnel.
06-28-2017 08:10 AM
I checked; it is already added in the split tunnel.
06-28-2017 07:40 AM
Just want to clarify:
The two ASAs are not connected through a site-to-site tunnel. We have taken a P2P connection from the ISP.
Thanks
Amardeep
06-28-2017 08:06 AM
Ah OK, then except for point #1 everything should be valid.
06-28-2017 08:16 AM
Please give me more details about points 4 and 5.
nat (inside,outside) source static VPN_Pool VPN_Pool destination static REMOTE-SITES REMOTE-SITES no-proxy-arp route-lookup
nat (inside,outside) source static REMOTE-SITES REMOTE-SITES destination static VPN_Pool VPN_Pool no-proxy-arp route-lookup
06-28-2017 10:41 AM
If your WAN link is on the outside interface, your first NAT rule should be (outside,outside). VPN users are logically located on the outside interface with respect to the ASA.
The second NAT rule looks correct.
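The checklist in the 07:30 reply and the (outside,outside) correction in the 10:41 reply, put together as one worked configuration. This is an added example, not the original poster's configuration or Cisco's reference material. The object names VPN_Pool and REMOTE-SITES come from the thread; the addresses (10.10.10.0/24 for the VPN pool, 192.168.2.0/24 behind ASA B, 203.0.113.0/30 on the P2P link), the object LAN, the group policy RA_POLICY, the ACL names and the test hosts are assumptions chosen for illustration.

```cisco
! ===== ASA A (VPN headend; P2P link to ASA B is on the outside interface) =====
! Assumed addressing, not from the thread
object network VPN_Pool
 subnet 10.10.10.0 255.255.255.0
object network REMOTE-SITES
 subnet 192.168.2.0 255.255.255.0
!
! Point 3: decrypted VPN traffic enters on outside and leaves on outside again
same-security-traffic permit intra-interface
!
! Point 4: identity NAT from outside to outside, because the VPN clients and the
! P2P link are both logically on the outside interface. A (inside,outside) rule
! here would never match this flow.
nat (outside,outside) source static VPN_Pool VPN_Pool destination static REMOTE-SITES REMOTE-SITES no-proxy-arp route-lookup
!
! Point 2: the subnet behind ASA B must be in the split-tunnel list or the
! client never sends it into the tunnel
access-list SPLIT_TUNNEL standard permit 192.168.2.0 255.255.255.0
group-policy RA_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
!
! Route for the ASA B LAN toward the P2P next hop (assumed 203.0.113.2 = ASA B)
route outside 192.168.2.0 255.255.255.0 203.0.113.2 1

! ===== ASA B (hosts on inside; P2P link to ASA A on outside) =====
object network VPN_Pool
 subnet 10.10.10.0 255.255.255.0
object network LAN
 subnet 192.168.2.0 255.255.255.0
!
! Point 5: identity NAT between inside and outside so the VPN pool is not
! translated on the way out and the return traffic matches the same rule
nat (inside,outside) source static LAN LAN destination static VPN_Pool VPN_Pool no-proxy-arp route-lookup
!
! ASA B has no VPN and does not know the pool; it needs an explicit route back
route outside 10.10.10.0 255.255.255.0 203.0.113.1 1
!
! Traffic arriving on outside (lower security) toward inside is dropped unless
! an interface ACL permits it. Keep it scoped to pool-to-LAN, not "permit ip any any".
access-list OUTSIDE_IN extended permit ip object VPN_Pool object LAN
access-group OUTSIDE_IN in interface outside

! ===== Verification on each ASA (run before taking captures) =====
! ASA A: simulate a VPN client (assumed 10.10.10.5) reaching a host behind ASA B (assumed 192.168.2.10).
! The NAT phase must show the (outside,outside) rule and the final result must be ALLOW.
packet-tracer input outside tcp 10.10.10.5 12345 192.168.2.10 443 detailed
!
! ASA B: simulate the same packet arriving from the P2P link.
! NAT phase must show the (inside,outside) identity rule; ACCESS-LIST phase must hit OUTSIDE_IN.
packet-tracer input outside tcp 10.10.10.5 12345 192.168.2.10 443 detailed
!
! Capture the flow on both sides of the link to see where it stops
capture CAP_OUT interface outside match ip 10.10.10.0 255.255.255.0 192.168.2.0 255.255.255.0
show capture CAP_OUT
```

If packet-tracer on ASA A reports the flow going to a (inside,outside) NAT rule or to the wrong egress interface, the NAT rule is still keyed on the wrong interface pair. If ASA A allows the packet but the capture on ASA B's outside interface shows nothing, the problem is the P2P link or ASA A's route for 192.168.2.0/24, not the firewall policy. If ASA B sees the SYN on outside but never on inside, look at the ACCESS-LIST or NAT phase of its packet-tracer output.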
06-29-2017 02:38 AM
Tried all suggestions. Still not able to access hosts behind ASA B.
06-30-2017 04:23 AM
I would apply packet captures on the ASA A WAN interface and on the ASA B LAN and WAN interfaces to see where the traffic makes it through. The packet capture config example is here:
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118097-configure-asa-00.html