ASA 5510 Hairpin (I think) for VPN traffic

May 21st, 2009

I've got a slight problem with a site to site vpn setup between site A and site B and the ability to authenticate against an RSA SecurID appliance located at Site A if the user VPNs in to Site B.


Basically, the setup is as follows:


Site A:

Cisco ASA 5510

RSA SecurID appliance

VPN access set on the firewall to authenticate against site A RSA device.

Single Class C Subnet supernetted on /23 - the inside interface on the firewall is on this subnet


Site B:

Cisco ASA 5510

VPN access set on the firewall to authenticate against Site A RSA device.

Single Class C Subnet supernetted on /23 - the inside interface on the firewall is on this subnet



Site A works beautifully, authenticates and allows access.


Site B hangs on 'contacting the security gateway'. When I try to ping Site A subnet from firewall B, I get no response, which I think is the problem.


I have set the 'same-security-traffic permit intra-interface' setting.


Any help would be much appreciated.


mvsheik123 Thu, 05/21/2009 - 06:07

Hi,


When you ping Site A subnet from firewall B, did you use the command

ping inside (LAN side of ASA) siteA ip..?

or just ping .



If there is a working L2L tunnel between the 2 sites, ping (interface) ip should work.


TIA

MS
