04-29-2009 05:17 AM
Hi,
I am trying to design a VPN solution (Network Diagram attached). The requirement is to allow a remote-site VPN user to get into the offshore network, and then that user should access the onsite application through the existing site-to-site tunnel between the onsite and offshore networks.
The remote user can successfully get into the offshore network but he is not able to access the onsite application through the existing site-to-site VPN tunnel. I checked the PIX firewall logs and it is showing me an error with syslog ID 302014 (Flow is a loopback).
Has anybody worked on such design?
Regards,
Akshay
04-29-2009 06:04 AM
What version of IOS is the PIX running? You need 3 things:-
1) Allow the remote VPN IP Subnet in the encryption domain for the site-2-site - both ends
2) Ensure the remote VPN IP subnet is included in the no-nat config.
3) "Same security traffic" is permitted - only in PIX IOS ver 7.x/8.x.
HTH
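The three items above, written out as a PIX/ASA 8.0-style configuration fragment. This is an added example, not a config from this thread or from the poster: the addresses, object names and pool are assumed (offshore LAN 10.1.1.0/24, a dedicated remote-access pool 192.168.100.0/24 rather than an address inside the LAN, onsite LAN 10.2.2.0/24, site-to-site peer 203.0.113.2), and the onsite firewall is assumed to carry the mirror-image crypto ACL.

```cisco
! Constructed example (not from the thread). Assumed addressing:
!   offshore inside LAN : 10.1.1.0/24      (PIX "inside" interface)
!   remote-access pool  : 192.168.100.0/24 (dedicated pool, separate from the LAN)
!   onsite LAN          : 10.2.2.0/24      (behind the site-to-site peer)
!   site-to-site peer   : 203.0.113.2      (onsite firewall's outside address)

! Item 3: traffic from the remote-access client arrives on "outside" and must
! leave again on "outside" inside the site-to-site tunnel (hairpinning).
! Without this the PIX drops it and logs 302014 "Flow is a loopback".
same-security-traffic permit intra-interface

! Remote-access address pool.
ip local pool RA_POOL 192.168.100.1-192.168.100.50 mask 255.255.255.0

! Item 2: no-NAT. The LAN-to-onsite exemption lives on "inside"; the pool's
! traffic enters on "outside", so its exemption must be applied there too,
! otherwise any outside NAT (or nat-control) translates the source and the
! crypto ACL below never matches.
access-list NONAT_INSIDE extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list NONAT_INSIDE
access-list NONAT_OUTSIDE extended permit ip 192.168.100.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (outside) 0 access-list NONAT_OUTSIDE

! Item 1: the site-to-site encryption domain must include the pool as a source.
! The onsite end needs the mirror image (10.2.2.0/24 -> 192.168.100.0/24) or
! phase 2 will not come up for the pool proxy-ID pair.
access-list S2S_CRYPTO extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list S2S_CRYPTO extended permit ip 192.168.100.0 255.255.255.0 10.2.2.0 255.255.255.0

crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address S2S_CRYPTO
crypto map OUTSIDE_MAP 10 set peer 203.0.113.2
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside

! If the remote-access group uses split tunnelling, the onsite LAN must also be
! in the split list, otherwise the client never sends that traffic into the tunnel.
access-list SPLIT_TUNNEL standard permit 10.1.1.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 10.2.2.0 255.255.255.0
group-policy RA_POLICY internal
group-policy RA_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL

! Checks (assumed client address 192.168.100.5, onsite host 10.2.2.10):
!   show crypto ipsec sa
!     -> expect an SA whose local ident is 192.168.100.0/24 and remote ident 10.2.2.0/24
!   packet-tracer input outside tcp 192.168.100.5 1025 10.2.2.10 80
!     -> the trace should end in the VPN encrypt phase, not a drop on the
!        "inside"->"outside" loopback check
```

The decisive line for the 302014 error is `same-security-traffic permit intra-interface`; once it is in place, `packet-tracer` is the quickest way to see which of the remaining two items (crypto ACL or NAT exemption) is still missing, because each shows up as a distinct phase in its output.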
04-29-2009 06:30 AM
Thanks for your quick response.
The IP pool which I used for remote VPN users is a part of the internal subnet used in the site-to-site encryption domain. Hence the first two points mentioned by you are covered. I did try 'same-security-traffic permit intra-interface' but that didn't make any difference. I am still getting the same error.
04-29-2009 06:31 AM
What version of software are you running on the PIX/ASA?
04-29-2009 06:39 AM
PIX ver 8.0(4)28
04-29-2009 06:48 AM
So you have added the config "same-security-traffic permit intra-interface" ??
04-29-2009 09:04 PM
Yes this command is configured.
04-30-2009 01:30 AM
Post your config for review, remove sensitive information.