
Problem Accessing Webserver over L2L VPN Tunnel

a.ajiboye
Level 1

Hi,

I have two ASA 5510s with an L2L VPN tunnel set up between them. The ASA at the head office has an Exchange server and a Linux Debian v4.0 box with a website hosted on it.

The hosts at the head office could access the URL for this web site hosted on the Linux box at the head office, but hosts at the remote office could not via the VPN tunnel.

All other services, including mail, are accessible via the L2L VPN tunnel except the URL pointing to this web site.

My ACLs allow traffic between the local LAN and the remote office LAN as follows:

access-list inside_nat0_outbound extended permit ip 192.168.21.0 255.255.255.0 192.168.22.0 255.255.255.0

access-list outside_60_cryptomap extended permit ip 192.168.21.0 255.255.255.0 192.168.22.0 255.255.255.0

There is no ACL that denies web traffic to the IP of this web server.

Is there something that could be wrong with the L2L VPN tunnel creation that might be blocking access to this web server?

Thanks for your help.

4 Replies

felixjai
Level 1

DNS might be an issue here. When a user from the remote office is requesting the URL, I assume it's a domain name URL, e.g. http://intranet.company.local/index.html, not an IP in the URL. If so, when you ping the URL, what is the IP that it resolves to from the remote user?

E.g. if the URL is

http://intranet.company.local/index.html

You should ping intranet.company.local from a PC in the REMOTE OFFICE, and make sure the IP resolves to 192.168.21.x (that's the local subnet that your Linux server resides on, right?)

If not, that's your problem. Make some DNS record changes.

Hi,

When a user at the other end of the tunnel pings this URL, the URL is resolved to the internal IP address of 192.168.21.x of this server.

Could there be a problem with PMTU? I could see the value of this parameter increasing in the sh crypto ipsec sa detail command output.

Please post or attach your firewall configs so that we can tell exactly what is wrong.

This could be a fragmentation issue.

Check out the following link:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00804c8b9f.shtml

HTH

Saju

Pls rate helpful posts
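
The fragmentation hypothesis raised in the thread can be checked with arithmetic: small packets (ping, DNS) fit through the tunnel, while full-size TCP segments from the web server exceed the path MTU once ESP headers are added. The following is an added example, not part of the thread; the transform sets (AES-CBC or 3DES-CBC with a 96-bit HMAC) and the 1500-byte path MTU are assumptions, since the poster's configuration is not shown.

```python
# Added example: ESP tunnel-mode overhead arithmetic.
# Transform sets and path MTU are assumed values, not taken from the thread.
OUTER_IP = 20      # outer IPv4 header, no options
ESP_HDR = 8        # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2    # pad length + next header
NAT_T_UDP = 8      # UDP encapsulation header, only when NAT-T is in use

# cipher -> (IV bytes, cipher block bytes); auth -> ICV bytes
CIPHERS = {"aes-cbc": (16, 16), "3des-cbc": (8, 8)}
ICV = {"hmac-sha1-96": 12, "hmac-md5-96": 12}


def esp_packet_size(inner_len, cipher="aes-cbc", auth="hmac-sha1-96", nat_t=False):
    """On-the-wire size of one inner IP packet after ESP tunnel-mode encapsulation."""
    iv, block = CIPHERS[cipher]
    # Payload plus the 2-byte trailer is padded up to a multiple of the block size.
    padded = -(-(inner_len + ESP_TRAILER) // block) * block
    return OUTER_IP + (NAT_T_UDP if nat_t else 0) + ESP_HDR + iv + padded + ICV[auth]


def max_inner_packet(path_mtu=1500, **kw):
    """Largest inner IP packet that still fits in path_mtu once encapsulated."""
    size = path_mtu
    while esp_packet_size(size, **kw) > path_mtu:
        size -= 1
    return size


def max_tcp_mss(path_mtu=1500, **kw):
    """TCP MSS that keeps full-size segments unfragmented (20 B IP + 20 B TCP)."""
    return max_inner_packet(path_mtu, **kw) - 40


if __name__ == "__main__":
    print("84-byte ping inside the tunnel ->", esp_packet_size(84), "bytes outside")
    for name in CIPHERS:
        print(name, "1500-byte inner packet ->", esp_packet_size(1500, cipher=name),
              "| max inner:", max_inner_packet(cipher=name),
              "| max MSS:", max_tcp_mss(cipher=name))
```

If the hosts negotiate an MSS above the computed value (1460 is typical on Ethernet), full-size segments sent with DF set rely on ICMP "fragmentation needed" messages reaching the server, which is why pings and mail can work while a web page stalls.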
