Point to Point traffic

sbohannan
Level 1

I have a point-to-point T1 that is set up on the same subnet as my ASA 5510; the remote users are unable to log on to the domain. I need them to be able to log on to the domain. Does anybody have any suggestions?



Richard Burts
Hall of Fame

Shane

I am not clear how a point-to-point T1 (which would generally be its own subnet) is in the same subnet as your ASA 5510. And I am not clear what relationship that has to being able to log on to the domain. Can you help me understand better?

HTH

Rick


Rick

The way the network was set up when I took over the admin job is: the remote location (192.168.1.1) routes to the local LAN address (172.16.1.1). Before I put in my 5510 ASA (172.16.1.254), the remote location was able to pass all traffic to the LAN as well as the Internet. I now have it set up where they are at least getting Internet traffic, but I had to do this by adding a NAT rule in the ASA, and this does not allow the remote users to pass any domain traffic (logon, security policies, etc.).

Hope that helped.

Shane

Shane

It helps some, though there still are parts that I do not understand. How does their traffic come into your network? Does it pass through the ASA on the way in? I assume that it goes out through the ASA but how does the ASA affect the remote location access to your LAN?

HTH

Rick


Rick,

The point-to-point is connected to a switch on the local LAN. The remote office traffic should pass as local LAN traffic, but there is something amiss in the ASA config. When the remote office tries a tracert to (172.16.1.1), that router sends it to the ASA and the ASA drops the traffic and does not turn the traffic back inside.

Shane

Shane

What is the remote site using as their default gateway? Is it perhaps the ASA?

Or in putting the ASA into place did you change something that affected the forwarding logic for the remote traffic? I would have thought that whatever received the traffic from the remote would forward it to the LAN. But apparently it is being forwarded to the ASA. I wonder if the traffic is being forwarded from the remote to the ASA and the ASA ought to forward it back to the LAN. Perhaps you need to enable intra-interface traffic on the ASA. Intra-interface traffic is denied by default on the ASA, and if you want the ASA to forward traffic back out the interface on which it was received then you need to enable intra-interface traffic.

HTH

Rick


Rick

I googled how to enable intra-interface traffic and the commands I found were for VPN. Will this work even though they are not connected by VPN? As a side note, I do not have the 172.16.1.1 router set up on its own interface.

Shane

Shane

Yes the intra-interface command should work even though they are not connected on VPN. The command is really not specific to VPN (even though it may appear that way in some documentation). The issue comes up most often in situations with VPN but the command is not limited to VPN.

I do not understand your comment about the 172.16.1.1 router.

HTH

Rick


Rick,

I do believe that allowed the remote users to connect the way that they are supposed to. From one of the remote users I can now perform an "nslookup" and it comes back with the correct domain and IP address.

Thank you for helping me with a problem that 3 or 4 engineers have not been able to fix.

Thank you

Shane

Shane

I am glad that you have it working and that my answers were helpful in getting it resolved. Thanks for posting back to the forum to indicate that your problem was resolved. And thanks for using the rating system to indicate that your problem was resolved (and thanks for the rating). It makes the forum more useful when people can read about a problem and can know that they will read what was done to successfully resolve the problem.

The forum is an excellent place to learn about Cisco networking and sometimes to get a solution to a problem. I encourage you to continue your participation in the forum.

HTH

Rick


Rick

Sorry to bother you with another dumb question, but the users at the remote end can now see the domain controller as well as ping the server (by DNS name or address), but they are unable to communicate with any of the terminal servers that they connect to.

Shane

Shane

It helps to know that the remote users can see the domain controller. It confirms that the intra-interface command did fix at least part of the problem. So let me ask a few questions to try to understand the problem with the terminal servers:

- are the terminal servers in the same subnet as the domain controller?

- can the remote users ping the terminal servers? (this would test basic connectivity)

- how do the remote users access the terminal servers (is it an HTTP connection, an RDP connection, a telnet connection, or what)?

HTH

Rick


Rick,

The servers are on the same subnet as the DC.

The users cannot ping the terminal servers.

They use an RDP connection to connect.

Shane

Shane

OK, let's explore a couple of possibilities:

- would traffic from the terminal servers go through the ASA on the way to the remote site? (probably the easy way to find that would be to traceroute/tracert from a terminal server to an address at the remote site)

- does the ASA have a route to the network/subnet of the remote site?

- does the ASA need a route to the network/subnet of the remote site?

- does the ASA need some access rule to permit the traffic (I am thinking especially of the RDP but it may also be a factor in the ping)

HTH

Rick

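The intra-interface setting Rick describes earlier in the thread, together with the route and access rule he lists in this post, written out as an added ASA configuration example (not posted in the thread). It assumes ASA 8.x CLI syntax, that the LAN-facing interface is named inside, that the LAN is 172.16.1.0/24, and that the remote site is 192.168.1.0/24 behind the T1 router at 172.16.1.1; the masks and the host addresses in the verification commands are assumptions.

```text
! Added example, not from the thread. Assumed: "inside" = 172.16.1.0/24 LAN,
! remote site = 192.168.1.0/24 reached via router 172.16.1.1, terminal
! servers in 172.16.1.0/24.

! 1. Let the ASA send a packet back out the interface it arrived on.
!    Denied by default, which is why the remote tracert died at the ASA.
same-security-traffic permit intra-interface

! 2. Give the ASA a route back to the remote subnet via the T1 router,
!    so replies are not handed to the Internet default route.
route inside 192.168.1.0 255.255.255.0 172.16.1.1 1

! 3. Permit only what the remote users need (ping and RDP to the LAN)
!    for the hairpinned flow, not "permit ip any any".
!    Caveat: if no ACL is applied to "inside" yet, applying one replaces
!    the default inside-to-outside permit; keep the LAN's existing outbound
!    permits in the same list.
access-list inside_access_in extended permit icmp 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0 eq 3389
access-group inside_access_in in interface inside

! 4. Let ICMP echo replies from the terminal servers back through the ASA
!    statefully instead of needing a second ACL line.
policy-map global_policy
 class inspection_default
  inspect icmp

! 5. Verify from the ASA before asking the users to retest
!    (192.168.1.10 = a remote PC, 172.16.1.20 = a terminal server; placeholders).
show running-config same-security-traffic
show route | include 192.168.1.0
packet-tracer input inside icmp 192.168.1.10 8 0 172.16.1.20
packet-tracer input inside tcp 192.168.1.10 12345 172.16.1.20 3389
```

If the NAT rule Shane added for Internet access also covers 192.168.1.0/24, remote-to-LAN traffic would additionally need a NAT exemption; its syntax differs between pre-8.3 and 8.3+ ASA code, so it is not shown here.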

Rick,

Sorry it took me so long to get back with you; I got tied up working on another problem.

From one of the TS servers I did run a path ping, and it goes straight to the router from my local LAN.

I would say that the local LAN does have a route in it for the remote site, for the ping to pass from local to remote.

The remote side does need to pass traffic to the local, to be able to share files, etc.

I would say that there is a missing access rule, but this got way over my head.

Thank you

Shane
