Remote access to site-to-site VPN

Answered Question
Jun 10th, 2009

We currently have a site-to-site VPN set up over a private line between our two datacenters. Hosts at site A can talk to hosts at site B, and hosts at site B can talk to hosts at site A.


I recently set up a remote access VPN at site A. VPN clients can access all of the resources behind the ASA at site A without an issue. However, strange things happen when they try to contact site B.


I've set up matching NAT exemptions on each side of the connection. The remote site is not reporting any anomalies. When attempting to connect to a remote VPN client from site B, the only errors that show up are on the ASA at site A. When a remote client tries to connect to a host at site B, the following errors show up in the log:


%ASA-3-305005: No translation group found for tcp src outside:10.3.0.1/60851 dst ds3:10.0.1.42/22


I have the following NAT exemption set up at site A:


access-list nonat; 3 elements

access-list nonat line 1 extended permit ip 10.1.0.0 255.255.0.0 10.0.0.0 255.255.0.0 (hitcnt=0)

access-list nonat line 2 extended permit ip 10.1.0.0 255.255.0.0 10.3.0.0 255.255.255.0 (hitcnt=0)

access-list nonat line 3 extended permit ip 10.3.0.0 255.255.255.0 10.0.0.0 255.255.0.0 (hitcnt=0)


I've been working on this for a few days now, and am hesitant to open up a TAC ticket. I've seen a few similar issues on the forums, but have found none with a working solution. I attempted to follow the tech notes on the Cisco Web site for a similar configuration, but had no luck.


By the way, I have enabled same-security-traffic on both intra-interface and inter-interface.


Any help would be much appreciated.

Correct Answer by JORGE RODRIGUEZ about 7 years 8 months ago

ASA HUB, is this your topology? If so, try the suggestions below.


Inside Net 10.1.1.0/16

ds3 net 172.16.0.0/28 - far end net through L2L Tunnel 10.0.0.0/16

VPN RA Net 10.3.0.0/24


For RA to gain access to far end hosts of L2L tunnel you will need nonat exempt rule applied to ds3 interface.


based on log

%ASA-3-305005: No translation group found for tcp src outside:10.3.0.1/60851 dst ds3:10.0.1.42/22


Try this


no access-list test extended permit ip 10.3.0.0 255.255.255.0 10.0.0.0 255.255.0.0

access-list test extended permit ip 10.0.0.0 255.255.0.0 10.3.0.0 255.255.255.0

nat (ds3) 0 access-list test


On the far end of the tunnel (Spoke) you have to permit the RA network coming from the ASA HUB in the interesting traffic.



Let us know how it works out


Regards
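The point of the answer above is directional: a "nat (ifname) 0 access-list" exemption is evaluated from the viewpoint of the interface it is applied to, so an ACL written as RA-pool -> far-end and applied only to inside never matches a packet that arrives on outside and leaves on ds3. The following Python script is an added illustration, not code from this thread or from Cisco. It is a simplified model of pre-8.3 ASA NAT exemption (identity NAT matched on the applied interface, with the reverse flow also exempt), not the ASA's actual implementation. It assumes the original "nonat" list was applied only to the inside interface, which the question does not show, and it reuses the ACL lines and the 305005 log message quoted in the thread as its sample input.

```python
import re
from ipaddress import ip_address, ip_network

# Assumption (not stated in the thread): the asker's nonat list was applied to inside only.
NONAT_INSIDE_ONLY = """
access-list nonat extended permit ip 10.1.0.0 255.255.0.0 10.0.0.0 255.255.0.0
access-list nonat extended permit ip 10.1.0.0 255.255.0.0 10.3.0.0 255.255.255.0
access-list nonat extended permit ip 10.3.0.0 255.255.255.0 10.0.0.0 255.255.0.0
nat (inside) 0 access-list nonat
"""

# The fix from the answer: exemption written from ds3's point of view, applied to ds3.
FIX_FROM_THREAD = NONAT_INSIDE_ONLY + """
access-list test extended permit ip 10.0.0.0 255.255.0.0 10.3.0.0 255.255.255.0
nat (ds3) 0 access-list test
"""

# The line the answer removes: same networks, but written in the wrong direction for ds3.
REVERSED_ON_DS3 = NONAT_INSIDE_ONLY + """
access-list test extended permit ip 10.3.0.0 255.255.255.0 10.0.0.0 255.255.0.0
nat (ds3) 0 access-list test
"""

# Log message quoted in the question (constructed sample input for this script).
LOG = ("%ASA-3-305005: No translation group found for tcp "
       "src outside:10.3.0.1/60851 dst ds3:10.0.1.42/22")

# Accepts both plain config lines and "show access-list" output ("line N", hitcnt).
ACL_LINE = re.compile(
    r"access-list (\S+)(?: line \d+)? extended permit ip (\S+) (\S+) (\S+) (\S+)")
NAT0_LINE = re.compile(r"nat \((\S+)\) 0 access-list (\S+)")
LOG_305005 = re.compile(
    r"%ASA-3-305005: No translation group found for \w+ "
    r"src (\w+):([\d.]+)/\d+ dst (\w+):([\d.]+)/\d+")


def parse_acl_lines(config_text):
    """Return {acl_name: [(src_net, dst_net), ...]} from 'permit ip' lines."""
    acls = {}
    for line in config_text.splitlines():
        m = ACL_LINE.search(line)
        if not m:
            continue
        name, src, src_mask, dst, dst_mask = m.groups()
        acls.setdefault(name, []).append(
            (ip_network(f"{src}/{src_mask}", strict=False),
             ip_network(f"{dst}/{dst_mask}", strict=False)))
    return acls


def parse_nat0(config_text):
    """Return [(interface, acl_name), ...] for each 'nat (ifname) 0 access-list'."""
    return [(m.group(1), m.group(2)) for m in NAT0_LINE.finditer(config_text)]


def parse_305005(log_line):
    """Extract (src_if, src_ip, dst_if, dst_ip) from a 305005 message."""
    m = LOG_305005.search(log_line)
    if not m:
        raise ValueError("not an ASA-3-305005 message")
    src_if, src_ip, dst_if, dst_ip = m.groups()
    return src_if, ip_address(src_ip), dst_if, ip_address(dst_ip)


def exempting_rule(config_text, log_line):
    """Return the (interface, acl) exemption that covers the logged flow, or None.

    Model: an ACL applied to interface X matches flows entering on X whose
    src/dst match an ACL line (forward), and, because identity NAT is
    bidirectional, flows leaving on X whose dst/src match the line (reverse).
    """
    acls = parse_acl_lines(config_text)
    src_if, src_ip, dst_if, dst_ip = parse_305005(log_line)
    for ifname, acl in parse_nat0(config_text):
        for src_net, dst_net in acls.get(acl, []):
            if ifname == src_if and src_ip in src_net and dst_ip in dst_net:
                return (ifname, acl)          # forward match on the ingress interface
            if ifname == dst_if and dst_ip in src_net and src_ip in dst_net:
                return (ifname, acl)          # reverse match on the egress interface
    return None


if __name__ == "__main__":
    for label, cfg in [("inside only", NONAT_INSIDE_ONLY),
                       ("fix from thread", FIX_FROM_THREAD),
                       ("reversed line on ds3", REVERSED_ON_DS3)]:
        print(f"{label:22s} -> {exempting_rule(cfg, LOG)}")
```

Running it shows why the three-line nonat list produced 305005 even though line 3 names the right networks: nothing is applied to the interface the packet arrives on or leaves from. The ds3 exemption from the answer covers the flow via the reverse match, while the same networks written RA-pool -> far-end and applied to ds3 (the line the answer removes) still match nothing. Applying the original nonat list to outside as well, as the follow-up reply suggests, also covers it via a forward match on line 3.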



JORGE RODRIGUEZ Wed, 06/10/2009 - 20:39

Matthew, follow the example links within the post below. Look carefully at your RA VPN pool network and where you apply your nat exempt rules; usually they would be applied not only in (inside) but (outside) as well. The thread below should get you on the right track. If you still have issues, then provide us with a sanitized config for the hub ASA where the RA VPN and L2L terminate.



http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=Firewalling&topicID=.ee6e1fa&fromOutline=true&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc2e0f6/4


mahoran Thu, 06/11/2009 - 06:01

Thanks, Jorge.


I took a look at the link and associated references, and am still having issues.


I've attached the config from site A, where the remote access VPN terminates.


Note that my topology is a bit different in that we have a dedicated link between the sites.



Attachment: 

JORGE RODRIGUEZ Thu, 06/11/2009 - 10:36

Glad it's resolved, and thanks for the rating. It was a pleasure to assist someone over at Berklee; I used to have lots of friends at Berklee College of Music. I graduated from Boston Conservatory of Music years ago, which is down the road from you.


regards
