Remote Site and Site-to-Site VPN Combination

akshay.dm
Level 1

Hi,

I am trying to design a VPN solution (network diagram attached). The requirement is to allow a remote-site VPN user to get into the offshore network, and then that user should access the onsite application through the existing site-to-site tunnel between the onsite and offshore networks.

The remote user can successfully get into the offshore network, but he is not able to access the onsite application through the existing site-to-site VPN tunnel. I checked the PIX firewall logs and it is showing me an error with syslog ID 302014 (Flow is a loopback).

Has anybody worked on such design?

Regards,

Akshay

8 Replies

andrew.prince
Level 10

What version of IOS is the PIX running? You need 3 things:

1) Allow the remote VPN IP Subnet in the encryption domain for the site-2-site - both ends

2) Ensure the remote VPN IP subnet is included in the no-nat config.

3) "Same security traffic" is permitted - only in PIX IOS ver 7.x/8.x.

HTH
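The three items in the reply above, as an added configuration example that is not from this thread. The addresses, ACL names, the transform-set name and the assumption that the remote-access pool is a separate subnet are constructed for illustration; the ISAKMP policy and tunnel-group configuration for the peer are assumed to exist already.

```cisco
! Constructed example, not the poster's config. Placeholder addresses:
!   10.10.0.0/16   offshore inside network (behind this PIX)
!   10.20.0.0/16   onsite network (far end of the site-to-site tunnel)
!   10.99.0.0/24   dedicated remote-access VPN pool
!   203.0.113.1    onsite site-to-site peer (documentation address)
!
! 3) Permit traffic that enters and leaves the same interface: the VPN
!    client's packets arrive on outside and must go back out through the
!    site-to-site tunnel, also on outside. Without this the PIX logs
!    302014 "Flow is a loopback" and drops the flow.
same-security-traffic permit intra-interface
!
! Remote-access pool, kept separate from the inside subnet.
ip local pool vpnpool 10.99.0.1-10.99.0.254 mask 255.255.255.0
!
! 1) Site-to-site encryption domain: include the VPN pool as a source so
!    pool-to-onsite traffic is selected for the tunnel. The onsite peer
!    needs the mirror image (10.20.0.0/16 -> 10.99.0.0/24) in its ACL.
access-list l2l_onsite extended permit ip 10.10.0.0 255.255.0.0 10.20.0.0 255.255.0.0
access-list l2l_onsite extended permit ip 10.99.0.0 255.255.255.0 10.20.0.0 255.255.0.0
!
! 2) NAT exemption so neither the inside network nor the pool is
!    translated before the crypto ACL is evaluated. The pool's traffic
!    is sourced on the outside interface, so it is exempted there
!    (assumed to be the interface the VPN clients terminate on).
access-list nonat extended permit ip 10.10.0.0 255.255.0.0 10.20.0.0 255.255.0.0
access-list nonat extended permit ip 10.10.0.0 255.255.0.0 10.99.0.0 255.255.255.0
nat (inside) 0 access-list nonat
access-list nonat_outside extended permit ip 10.99.0.0 255.255.255.0 10.20.0.0 255.255.0.0
nat (outside) 0 access-list nonat_outside
!
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map outside_map 10 match address l2l_onsite
crypto map outside_map 10 set peer 203.0.113.1
crypto map outside_map 10 set transform-set ESP-AES-SHA
crypto map outside_map interface outside
!
! Checks: confirm the hairpin setting is active, then verify that packets
! from the pool are being encrypted on the SA towards the onsite peer.
! show running-config same-security-traffic
! show crypto ipsec sa peer 203.0.113.1
```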

Thanks for your quick response.

The IP pool which I used for remote VPN users is part of the internal subnet used in the site-to-site encryption domain. Hence the first two points mentioned by you are covered. I did try 'same-security-traffic permit intra-interface', but that didn't make any difference. I am still getting the same error.

What version of software are you running on the PIX/ASA?

PIX ver 8.0(4)28

So you have added the config "same-security-traffic permit intra-interface"?

Yes, this command is configured.

Post your config for review, remove sensitive information.

Config attached herewith.
