03-04-2008 08:33 AM - edited 03-03-2019 08:58 PM
I have a point-to-point T1 that is set up on the same subnet as my ASA 5510; the remote users are unable to log on to the domain. I need them to be able to log on to the domain. Does anybody have any suggestions?
03-04-2008 08:41 AM
Shane
I am not clear how a point to point T1 (which would generally be its own subnet) is in the same subnet as your ASA5510. And I am not clear what relationship that has to being able to log on to the domain. Can you help me understand better?
HTH
Rick
03-04-2008 08:54 AM
Rick
The way the network was set up when I took over the admin job is: the remote location (192.168.1.1) routes to the local LAN address (172.16.1.1). Before I put in my 5510 ASA (172.16.1.254) the remote location was able to pass all traffic to the LAN as well as the Internet. I have it now set up where they are at least getting Internet traffic, but I had to do this by adding a NAT rule in the ASA, and this does not allow the remote users to pass any domain traffic (logon, security policies, etc.).
Hope that helped.
Shane
03-04-2008 09:05 AM
Shane
It helps some, though there still are parts that I do not understand. How does their traffic come into your network? Does it pass through the ASA on the way in? I assume that it goes out through the ASA but how does the ASA affect the remote location access to your LAN?
HTH
Rick
03-04-2008 09:19 AM
Rick,
The point-to-point is connected to a switch on the local LAN. The remote office traffic should pass as local LAN traffic, but there is something amiss in the ASA config. When the remote office tries a tracert to (172.16.1.1), that router sends it to the ASA, and the ASA drops the traffic and does not turn the traffic back inside.
Shane
03-04-2008 11:16 AM
Shane
What is the remote site using as their default gateway? Is it perhaps the ASA?
Or in putting the ASA into place did you change something that affected the forwarding logic for the remote traffic? I would have thought that whatever received the traffic from the remote would forward it to the LAN. But apparently it is being forwarded to the ASA. I wonder if the traffic is being forwarded from the remote to the ASA and the ASA ought to forward it back to the LAN. Perhaps you need to enable intra-interface traffic on the ASA. Intra-interface traffic is denied by default on the ASA, and if you want the ASA to forward traffic back out the interface on which it was received then you need to enable intra-interface traffic.
HTH
Rick
03-04-2008 11:23 AM
Rick
I googled how to enable intra-interface traffic and the commands I found were for VPN. Will this work even though they are not connected by VPN? As a side note, I do not have the 172.16.1.1 router set up on its own interface.
Shane
03-04-2008 11:42 AM
Shane
Yes, the intra-interface command should work even though they are not connected on VPN. The command is really not specific to VPN (even though it may appear that way in some documentation). The issue comes up most often in situations with VPN, but the command is not limited to VPN.
I do not understand your comment about the 172.16.1.1 router.
HTH
Rick
03-04-2008 11:57 AM
Rick,
I do believe that allowed the remote users to connect the way that they are supposed to. From one of the remote users I can now perform an "nslookup" and it comes back with the correct domain and IP address.
Thank you for helping me with a problem that 3 or 4 engineers have not been able to fix.
Thank you
Shane
03-04-2008 12:01 PM
Shane
I am glad that you have it working and that my answers were helpful in getting it resolved. Thanks for posting back to the forum to indicate that your problem was resolved. And thanks for using the rating system to indicate that your problem was resolved (and thanks for the rating). It makes the forum more useful when people can read about a problem and can know that they will read what was done to successfully resolve the problem.
The forum is an excellent place to learn about Cisco networking and sometimes to get a solution to a problem. I encourage you to continue your participation in the forum.
HTH
Rick
03-04-2008 12:55 PM
Rick
Sorry to bother you with another dumb question, but the users at the remote end can now see the domain controller as well as ping the server (with DNS name or address), but they are unable to communicate with any of the terminal servers that they connect to.
Shane
03-04-2008 01:27 PM
Shane
It helps to know that the remote users can see the domain controller. It confirms that the intra-interface command did fix at least part of the problem. So let me ask a few questions to try to understand the problem with the terminal servers:
- are the terminal servers in the same subnet as the domain controller?
- can the remote users ping the terminal servers? (this would test basic connectivity)
- how do the remote users access the terminal servers (is it an HTTP connection, an RDP connection, a telnet connection, or what)?
HTH
Rick
03-04-2008 01:33 PM
Rick,
The servers are on the same subnet as the DC.
The users cannot ping the terminal servers.
And they use an RDP connection to connect.
Shane
03-04-2008 01:50 PM
Shane
OK, let's explore a couple of possibilities:
- would traffic from the terminal servers go through the ASA on the way to the remote site? (probably the easy way to find that would be to traceroute/tracert from a terminal server to an address at the remote site)
- does the ASA have a route to the network/subnet of the remote site?
- does the ASA need a route to the network/subnet of the remote site?
- does the ASA need some access rule to permit the traffic (I am thinking especially of the RDP but it may also be a factor in the ping)
HTH
Rick
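Added example, not from the thread or from Cisco: the ASA configuration that Rick's intra-interface advice and his later routing questions point at. The interface name "inside", the addresses reused from Shane's description, the host addresses in the packet-tracer line, and an ASA software release of 7.2 or later are all assumptions.

```cisco
! Added example for the topology in this thread (assumed values, not the
! poster's own config): inside interface named "inside", ASA 172.16.1.254,
! T1 router 172.16.1.1, remote LAN 192.168.1.0/24, ASA software 7.2 or later.
!
! Default behaviour (nothing to configure): the ASA refuses to send a packet
! back out the interface it arrived on, so anything the T1 router hands to
! the ASA for a 172.16.1.x host is dropped. That is the tracert symptom.
!
! 1. Allow traffic to enter and leave the same interface (Rick's fix).
same-security-traffic permit intra-interface
!
! 2. Give the ASA a route to the remote LAN, so any packet it forwards for
!    192.168.1.0/24 goes to the T1 router instead of out the outside interface.
route inside 192.168.1.0 255.255.255.0 172.16.1.1
!
! 3. Verification from the ASA CLI:
!    show route
!      the 192.168.1.0/24 entry must point at 172.16.1.1
!    show running-config | include same-security
!      confirms step 1 is active
!    packet-tracer input inside tcp 192.168.1.10 1025 172.16.1.50 3389
!      simulates an RDP SYN from a constructed remote user address to a
!      constructed terminal server address and names the phase (ACL, NAT,
!      route) that drops it, if any.
!
! Caveat: if a server's reply reaches the T1 router without crossing the ASA
! (an asymmetric path), the ASA sees only one direction of the TCP session
! and typically drops the later packets of that session; "show conn" will
! show such connections without the return half.
```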
03-05-2008 06:14 AM
Rick,
Sorry it took me so long to get back with you; I got tied up working on another problem.
From one of the TS servers I did run a pathping and it goes straight to the router from my local LAN.
I would say that the local LAN does have a route in it for the remote site, for the ping to pass from local to remote.
The remote side does need to pass traffic to the local, to be able to share files, etc.
I would say that there is a missing access rule, but this got way over my head.
Thank you
Shane