can't access resources across a L2L vpn when using remote access vpn

Unanswered Question
Mar 9th, 2009
We have 2 offices connected via an L2L IPsec VPN tunnel, and each office also has a remote-access VPN. One office has an ASA 5510 and the other a PIX 515E. The problem is that when users are connected to the RA VPN, they cannot access resources across the L2L VPN connection in the other office. I drew a diagram to illustrate:

(attached)

Where should I start in troubleshooting this?

JORGE RODRIGUEZ Mon, 03/09/2009 - 16:53

Roger,


Reference this thread; I provided an example for similar requirements. There is also a link in that thread on Enhanced spoke-to-spoke VPN, which is not exactly your topology, but the same logic can be applied to your requirement.


http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=Firewalling&topicID=.ee6e1fa&fromOutline=true&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc2e0f6/4



You will need to add/allow the RA IP subnet of your NY RA clients (10.1.111.x) in your SF office (10.1.200.x) crypto map / tunnel policy between the SF and NY firewalls.


Similarly, in your NY office firewall you will need to add/allow the SF RA IP subnet.


Key:

1- same-security-traffic permit intra-interface

2- Work with your current NAT exempt and crypto map ACLs on both the NY and SF office firewalls to allow the RA IP subnets respectively: nat (inside) 0, nat (outside) 0.


I hope your PIX 515E is not running 6.3 code, as the same-security-traffic permit intra-interface feature is only available from code 7.x and above. This is key: it lets traffic coming in on the outside interface, like your RA clients on the PIX 515E side, go back out the same outside interface for L2L access to the ASA on the other side.



Regards
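The configuration the reply above describes, written out as an added example for the NY side (ASA 5510 or PIX 515E on 7.x code); this is not configuration from the thread or from Cisco documentation. The NY RA pool 10.1.111.0/24 and the SF LAN 10.1.200.0/24 come from the thread; the NY LAN 10.1.100.0/24, the SF RA pool 10.1.211.0/24, the peer address 198.51.100.1, and the ACL, crypto map, transform-set and group-policy names are assumptions chosen for illustration. The SF firewall needs the mirror image (its own LAN and RA pool as sources, the NY LAN and NY RA pool as destinations).

```cisco
! --- NY firewall, 7.x code (added example, not from the original thread) ---
! Assumed addressing: NY LAN 10.1.100.0/24, NY RA pool 10.1.111.0/24 (thread),
! SF LAN 10.1.200.0/24 (thread), SF RA pool 10.1.211.0/24, SF peer 198.51.100.1.

! 1- Let traffic that arrives on "outside" (decrypted RA client traffic) leave
!    via "outside" again, this time into the L2L tunnel. Without this the
!    firewall drops the hairpin and the RA client never reaches SF.
same-security-traffic permit intra-interface

! 2a- Crypto ACL for the L2L tunnel: both the NY LAN and the NY RA pool must be
!     "interesting" sources; both the SF LAN and the SF RA pool are destinations.
access-list L2L_SF extended permit ip 10.1.100.0 255.255.255.0 10.1.200.0 255.255.255.0
access-list L2L_SF extended permit ip 10.1.100.0 255.255.255.0 10.1.211.0 255.255.255.0
access-list L2L_SF extended permit ip 10.1.111.0 255.255.255.0 10.1.200.0 255.255.255.0
access-list L2L_SF extended permit ip 10.1.111.0 255.255.255.0 10.1.211.0 255.255.255.0

crypto map OUTSIDE_MAP 10 match address L2L_SF
crypto map OUTSIDE_MAP 10 set peer 198.51.100.1
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside

! 2b- NAT exemption. Traffic sourced from the inside LAN is handled by
!     nat (inside) 0; traffic sourced from the RA pool enters on "outside",
!     so it needs its own nat (outside) 0 exemption or it gets PAT'd and
!     no longer matches the crypto ACL.
access-list NONAT_IN extended permit ip 10.1.100.0 255.255.255.0 10.1.200.0 255.255.255.0
access-list NONAT_IN extended permit ip 10.1.100.0 255.255.255.0 10.1.211.0 255.255.255.0
access-list NONAT_IN extended permit ip 10.1.100.0 255.255.255.0 10.1.111.0 255.255.255.0
nat (inside) 0 access-list NONAT_IN

access-list NONAT_OUT extended permit ip 10.1.111.0 255.255.255.0 10.1.200.0 255.255.255.0
access-list NONAT_OUT extended permit ip 10.1.111.0 255.255.255.0 10.1.211.0 255.255.255.0
nat (outside) 0 access-list NONAT_OUT

! Additional check not raised in the thread: if the RA group uses split
! tunnelling, the client only sends the listed networks into its tunnel, so
! the SF LAN and SF RA pool must be on the split-tunnel list too.
access-list RA_SPLIT standard permit 10.1.100.0 255.255.255.0
access-list RA_SPLIT standard permit 10.1.200.0 255.255.255.0
access-list RA_SPLIT standard permit 10.1.211.0 255.255.255.0
group-policy RA_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RA_SPLIT
```

To confirm it is working, connect an RA client, ping a host in the SF LAN, and run `show crypto ipsec sa` on the NY firewall: the L2L peer should show a security association whose local identity is 10.1.111.0/255.255.255.0 with non-zero encaps/decaps counters. If no such SA appears, the traffic is either being dropped before encryption (check `same-security-traffic`) or translated before it reaches the crypto map (check the `nat (outside) 0` exemption).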


thesakadmin Mon, 03/09/2009 - 18:48
Hi Jorge,

Thanks for the information. I was messing around with allowing traffic to that .111 subnet, but it wasn't working.


OK, so yes, unfortunately I am running version 6.3 on the PIX, and it only has 32 MB, so I guess I have to upgrade the memory and go to 7.0 in order to resolve this completely?


I guess I'll have to focus on upgrading the memory first...


thanks for the help

-Roger


JORGE RODRIGUEZ Mon, 03/09/2009 - 19:28

Roger, yes, to get the RA VPNs from both ends fully able to access each other's LAN resources, or even the RA VPN networks at each end able to communicate through your existing L2L VPN, you will need the same-security intra-interface feature available in code 7.x and above. I do not see your requirement being possible otherwise.


Please drop a note if you need assistance after you upgrade the PIX 515E; we can assist you with the implementation.



Regards


thesakadmin Mon, 06/15/2009 - 10:44
bump!


I finally got my PIX upgraded to version 7.0(8), so I now need to implement the "same security intra interface" feature. Can someone point me to the correct docs to do this? Thanks!

JORGE RODRIGUEZ Mon, 06/15/2009 - 14:30

Roger, thanks for the update. You should be good; reference the links above, and if there are problems let us know.


Regards

Jorge

thesakadmin Mon, 06/28/2010 - 15:24
Hi Jorge, I'm just getting to solving this issue again, or trying to... and the link you sent me originally doesn't appear to work anymore. Also,

I now have version 7.0(8) on the PIX 515E and it still doesn't pass the traffic.


I realize this is an old thread, but let me know if you have any other ideas.


I will keep looking on the support docs too
