Point to Point traffic


I have a point-to-point T1 that is set up on the same subnet as my ASA 5510; the remote users are unable to log on to the domain. I need them to be able to log on to the domain. Anybody have any suggestions?

Richard Burts Tue, 03/04/2008 - 08:41

Shane


I am not clear how a point-to-point T1 (which would generally be its own subnet) is in the same subnet as your ASA 5510. And I am not clear what relationship that has to being able to log on to the domain. Can you help me understand better?


HTH


Rick

Rick


The way the network was set up when I took over the admin job is: the remote location (192.168.1.1) routes to the local LAN address (172.16.1.1). Before I put in my 5510 ASA (172.16.1.254), the remote location was able to pass all traffic to the LAN as well as the Internet. I have it now set up where they are at least getting Internet traffic, but I had to do this by adding a NAT rule in the ASA, and this does not allow the remote users to pass any domain traffic (logon, security policies, etc.).


Hope that helped.


Shane

Richard Burts Tue, 03/04/2008 - 09:05

Shane


It helps some, though there still are parts that I do not understand. How does their traffic come into your network? Does it pass through the ASA on the way in? I assume that it goes out through the ASA but how does the ASA affect the remote location access to your LAN?


HTH


Rick

Rick,


The point-to-point is connected to a switch on the local LAN. The remote office traffic should pass as local LAN traffic, but there is something amiss in the ASA config. When the remote office tries a tracert to (172.16.1.1), that router sends it to the ASA, and the ASA drops the traffic and does not turn the traffic back inside.


Shane

Correct Answer
Richard Burts Tue, 03/04/2008 - 11:16

Shane


What is the remote site using as their default gateway? Is it perhaps the ASA?


Or in putting the ASA into place did you change something that affected the forwarding logic for the remote traffic? I would have thought that whatever received the traffic from the remote would forward it to the LAN. But apparently it is being forwarded to the ASA. I wonder if the traffic is being forwarded from the remote to the ASA and the ASA ought to forward it back to the LAN; perhaps you need to enable intra-interface traffic on the ASA. Intra-interface traffic is denied by default on the ASA, and if you want the ASA to forward traffic back out the interface on which it was received, then you need to enable intra-interface traffic.


HTH


Rick
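The two ASA settings Rick's answer points at, written out as an added example (this is not configuration posted in the thread). The addresses come from the thread; the interface name `inside`, the /24 mask on the remote subnet and the sample host/ports in the check are assumptions.

```cisco
! Added example: ASA 5510 (172.16.1.254) on the LAN, with the point-to-point
! T1 terminating on the router at 172.16.1.1 (addresses from the thread;
! interface name and masks are assumptions).

! Hairpinning: allow traffic that arrives on "inside" to be forwarded back
! out "inside". This is off by default, which is why the ASA silently drops
! the remote office's packets instead of turning them back to the LAN.
same-security-traffic permit intra-interface

! The ASA also needs to know where the remote subnet lives; without this
! it would send traffic for 192.168.1.0/24 out its default route (Internet).
route inside 192.168.1.0 255.255.255.0 172.16.1.1 1

! Check: a packet from the remote office arriving on inside, bound for a
! LAN host (172.16.3.3) on RDP, should now be permitted and routed back
! out inside. The output shows each phase (route lookup, ACL, NAT) and
! where a drop would occur.
packet-tracer input inside tcp 192.168.1.10 1025 172.16.3.3 3389
```

Hairpinned traffic is still evaluated against the inbound access list on `inside` and still appears in the ASA's syslog, so the firewall keeps visibility of remote-office-to-LAN traffic rather than bypassing it. The NAT rule Shane added for the remote office is a separate change and is not reproduced here.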

Richard Burts Tue, 03/04/2008 - 11:42

Shane


Yes, the intra-interface command should work even though they are not connected on VPN. The command is really not specific to VPN (even though it may appear that way in some documentation). The issue comes up most often in situations with VPN, but the command is not limited to VPN.


I do not understand your comment about the 172.16.1.1 router.


HTH


Rick

Rick,


I do believe that allowed the remote users to connect the way that they are supposed to. From one of the remote users I can now perform an "nslookup" and it comes back with the correct domain and IP address.


Thank you for helping me with a problem that 3 or 4 engineers have not been able to fix.


Thank you


Shane

Richard Burts Tue, 03/04/2008 - 12:01

Shane


I am glad that you have it working and that my answers were helpful in getting it resolved. Thanks for posting back to the forum to indicate that your problem was resolved. And thanks for using the rating system to indicate that your problem was resolved (and thanks for the rating). It makes the forum more useful when people can read about a problem and can know that they will read what was done to successfully resolve the problem.


The forum is an excellent place to learn about Cisco networking and sometimes to get a solution to a problem. I encourage you to continue your participation in the forum.


HTH


Rick

Richard Burts Tue, 03/04/2008 - 13:27

Shane


It helps to know that the remote users can see the domain controller. It confirms that the intra-interface command did fix at least part of the problem. So let me ask a few questions to try to understand the problem with the terminal servers:

- are the terminal servers in the same subnet as the domain controller?

- can the remote users ping the terminal servers? (this would test basic connectivity)

- how do the remote users access the terminal servers (is it an HTTP connection, an RDP connection, a telnet connection, or what)?


HTH


Rick

Richard Burts Tue, 03/04/2008 - 13:50

Shane


OK, let's explore a couple of possibilities:

- would traffic from the terminal servers go through the ASA on the way to the remote site? (probably the easy way to find that would be to traceroute/tracert from a terminal server to an address at the remote site)

- does the ASA have a route to the network/subnet of the remote site?

- does the ASA need a route to the network/subnet of the remote site?

- does the ASA need some access rule to permit the traffic (I am thinking especially of the RDP but it may also be a factor in the ping)


HTH


Rick

Rick,


Sorry it took me so long to get back with you; I got tied up working on another problem.


From one of the TS servers I did run a pathping and it goes straight to the router from my local LAN.


I would say that the local LAN does have a route in it for the remote site, for the ping to pass from local to remote.


The remote side does need to pass traffic to the local, to be able to share files etc.


I would say that there is a missing access rule but this got way over my head.


Thank you

Shane

Richard Burts Wed, 03/05/2008 - 09:22

Shane


Maybe we can find a way to get this to work that does not involve changes on the ASA. I re-read this discussion and I would like to go back to this post of yours:

The point-to-point is connected to a switch on the local LAN. The remote office traffic should pass as local LAN traffic, but there is something amiss in the ASA config. When the remote office tries a tracert to (172.16.1.1), that router sends it to the ASA, and the ASA drops the traffic and does not turn the traffic back inside.


I am a bit confused about the topology and maybe you can help to straighten this out. The remote site is in their own network. They forward over the PPP link. What does the PPP link terminate on? What address on that device does the remote network forward to?


It seems to me that the real issue seems to be that whatever receives the traffic on the PPP should forward to the LAN but instead seems to be forwarding to the ASA. So what kind of device is this and what kind of forwarding logic does it have?


Can you help me to understand this? I believe that this may be the key to resolving the problem.


HTH


Rick

Rick,


Sorry, I think I mistyped that. The remote office connects by a router, 172.16.1.1; what I should have said was when the remote office does a tracert to 172.16.3.3, the ASA is dropping the traffic.


As for the device that the remote office is connected to, it is a Cisco 1600 router. I have looked at the route on it and I show the only traffic that should be going to the ASA is the 0.0.0.0 traffic (Internet).


I just got off the phone with an engineer from a ticket that I had opened on this problem, and he had me add a NAT for the remote office. Now when the remote office passes traffic to a terminal server it strips the 172.16 and puts a 10.1, and this will allow the traffic to pass as it should.


Shane

Richard Burts Wed, 03/05/2008 - 13:57

Shane


Do I understand correctly that the problem is now solved? If so, congratulations.


HTH


Rick
