
ASA 5510 Hairpin (I think) for VPN traffic

I've got a slight problem with a site-to-site VPN setup between Site A and Site B and the ability to authenticate against an RSA SecurID appliance located at Site A if the user VPNs in to Site B.

Basically, the setup is as follows:

Site A:

Cisco ASA 5510

RSA SecurID appliance

VPN access set on the firewall to authenticate against site A RSA device.

Single Class C Subnet supernetted on /23 - the inside interface on the firewall is on this subnet

Site B:

Cisco ASA 5510

VPN access set on the firewall to authenticate against Site A RSA device.

Single Class C Subnet supernetted on /23 - the inside interface on the firewall is on this subnet

Site A works beautifully, authenticates and allows access.

Site B hangs on 'contacting the security gateway'. When I try to ping Site A subnet from firewall B, I get no response, which I think is the problem.

I have set the 'same-security-traffic permit intra-interface' setting.

Any help would be much appreciated.

1 Reply

mvsheik123
Level 7

Hi,

When you ping Site A subnet from firewall B, did you use the command

ping inside (LAN side of ASA) siteA ip..?

or just ping .

If there is a working L2L tunnel between the 2 sites, ping (interface) ip should work.

TIA

MS
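A simplified model of the distinction the reply draws, added here as an example and not part of the original thread: traffic the firewall originates takes its source address from the interface it is sent from, and only source/destination pairs that match the tunnel's crypto ACL are encrypted. All addresses, the client pool, the ACL contents and the function names are constructed assumptions, and the same matching is applied to a hairpinned VPN client.

```python
from ipaddress import ip_address, ip_network

# Constructed addressing (assumptions; the thread gives no addresses)
SITE_A_LAN = ip_network("10.1.0.0/23")
SITE_B_LAN = ip_network("10.2.0.0/23")
VPN_POOL_B = ip_network("10.2.8.0/24")  # remote-access clients terminating on ASA B
ASA_B_IF = {"inside": ip_address("10.2.0.1"), "outside": ip_address("203.0.113.2")}
RSA_AT_A = ip_address("10.1.0.50")
CLIENT = ip_address("10.2.8.20")

LAN_ONLY_ACL = [(SITE_B_LAN, SITE_A_LAN)]
WITH_POOL_ACL = LAN_ONLY_ACL + [(VPN_POOL_B, SITE_A_LAN)]

def tunnel_decision(src, dst, crypto_acl):
    """'encrypt' if (src, dst) matches a crypto ACL entry, otherwise 'clear'."""
    for local_net, remote_net in crypto_acl:
        if src in local_net and dst in remote_net:
            return "encrypt"
    return "clear"

def firewall_originated(dst, crypto_acl, source_if=None):
    """Traffic sent by the firewall itself (ping, authentication requests).
    With no interface named, the source is the address of the egress
    interface, modelled here as outside (the path toward the peer)."""
    src = ASA_B_IF[source_if or "outside"]
    return src, tunnel_decision(src, dst, crypto_acl)

def hairpinned_client(client, dst, crypto_acl, intra_interface_permitted):
    """A VPN client arrives on outside and must leave on outside again,
    which requires 'same-security-traffic permit intra-interface'."""
    if not intra_interface_permitted:
        return "drop"
    return tunnel_decision(client, dst, crypto_acl)

def run_checks():
    return {
        "ping": firewall_originated(RSA_AT_A, LAN_ONLY_ACL)[1],
        "ping inside": firewall_originated(RSA_AT_A, LAN_ONLY_ACL, "inside")[1],
        "client, LAN-only ACL": hairpinned_client(CLIENT, RSA_AT_A, LAN_ONLY_ACL, True),
        "client, pool in ACL": hairpinned_client(CLIENT, RSA_AT_A, WITH_POOL_ACL, True),
        "client, no intra-interface": hairpinned_client(CLIENT, RSA_AT_A, WITH_POOL_ACL, False),
    }

if __name__ == "__main__":
    for case, result in run_checks().items():
        print(f"{case:28} -> {result}")
```

The model ignores NAT exemption, routing and the peer's mirrored ACL, each of which also has to agree before traffic passes on a real tunnel.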
