Remote Site and Site-to-Site VPN Combination

akshay.dm
Level 1

Hi,

I am trying to design a VPN solution (Network Diagram attached). The requirement is to allow a remote-site VPN user to get into the offshore network, and then that user should access the onsite application through the existing site-to-site tunnel between the onsite and offshore networks.

The remote user can successfully get into the offshore network, but he is not able to access the onsite application through the existing site-to-site VPN tunnel. I checked the PIX firewall logs and it is showing me an error with syslog ID 302014 (Flow is a loopback).

Has anybody worked on such design?

Regards,

Akshay

8 Replies

andrew.prince
Level 10

What version of IOS is the PIX running? You need three things:

1) Allow the remote VPN IP Subnet in the encryption domain for the site-2-site - both ends

2) Ensure the remote VPN IP subnet is included in the no-nat config.

3) "Same security traffic" is permitted - only in PIX IOS ver 7.x/8.x.

HTH
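A PIX/ASA 8.0-style configuration fragment illustrating the three points above, added here as an example; it is not from the original thread or the poster's attached config. All addresses, object names and the placement of the outside NAT exemption are assumptions.

```cisco
! --- Constructed example addressing (replace with your own) ---
! Offshore LAN  10.1.0.0/16      Onsite LAN   172.16.0.0/16
! RA VPN pool   10.1.50.0/24     Onsite peer  203.0.113.1 (documentation address)
ip local pool RA_POOL 10.1.50.1-10.1.50.254 mask 255.255.255.0

! 1) Encryption domain of the site-to-site tunnel must cover the RA pool.
!    Here the pool sits inside the LAN summary, so the second line is only
!    needed if the pool is NOT part of the LAN range. The onsite peer needs
!    the mirror image (172.16.0.0/16 -> 10.1.0.0/16 and/or 10.1.50.0/24).
access-list L2L_ONSITE extended permit ip 10.1.0.0 255.255.0.0 172.16.0.0 255.255.0.0
access-list L2L_ONSITE extended permit ip 10.1.50.0 255.255.255.0 172.16.0.0 255.255.0.0

! 2) NAT exemption. The hairpinned flow enters AND leaves on "outside", so a
!    nat (outside) 0 exemption covers it (assumption: only required when
!    nat-control or a nat (outside) policy would otherwise translate the pool).
access-list NONAT_INSIDE extended permit ip 10.1.0.0 255.255.0.0 172.16.0.0 255.255.0.0
nat (inside) 0 access-list NONAT_INSIDE
access-list NONAT_OUTSIDE extended permit ip 10.1.50.0 255.255.255.0 172.16.0.0 255.255.0.0
nat (outside) 0 access-list NONAT_OUTSIDE

! 3) Allow a flow that arrived on "outside" (from the VPN client) to leave on
!    "outside" again (into the site-to-site tunnel); without this the firewall
!    drops the flow as a loopback.
same-security-traffic permit intra-interface

! Site-to-site crypto map entry that references the encryption domain.
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address L2L_ONSITE
crypto map OUTSIDE_MAP 10 set peer 203.0.113.1
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside

! Remote-access side: the split-tunnel list must include the onsite LAN,
! otherwise the client never sends onsite traffic into the VPN at all.
access-list SPLIT_TUNNEL standard permit 10.1.0.0 255.255.0.0
access-list SPLIT_TUNNEL standard permit 172.16.0.0 255.255.0.0
group-policy RA_POLICY internal
group-policy RA_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
tunnel-group RA_GROUP type remote-access
tunnel-group RA_GROUP general-attributes
 address-pool RA_POOL
 default-group-policy RA_POLICY
```

After applying it, `show crypto ipsec sa` on both peers should list an SA whose local/remote identity covers the pool, and a filtered `show logging` should no longer report 302014 teardowns with the loopback reason for pool addresses.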

Thanks for your quick response.

The IP pool which I used for remote VPN users is a part of the internal subnet used in the site-to-site encryption domain. Hence the first two points mentioned by you are covered. I did try 'same-security-traffic permit intra-interface' but that didn't make any difference. I am still getting the same error.

What version of software are you running on the PIX/ASA?

PIX ver 8.0(4)28

So you have added the config "same-security-traffic permit intra-interface"?

Yes, this command is configured.

Post your config for review, removing sensitive information.

Config attached herewith.