Remote access to site-to-site VPN

mahoran (Level 1)

We currently have a site-to-site VPN set up over a private line between our two datacenters. Hosts at site A can talk to hosts at site B, and hosts at site B can talk to hosts at site A.

I recently set up a remote access VPN at site A. VPN clients can access all of the resources behind the ASA at site A without an issue. However, strange things happen when they try to contact site B.

I've set up matching NAT exemptions on each side of the connection. The remote site is not reporting any anomalies. When attempting to connect to a remote VPN client from site B, the only errors that show up are on the ASA at site A. When a remote client tries to connect to a host at site B, the following errors show up in the log:

%ASA-3-305005: No translation group found for tcp src outside:10.3.0.1/60851 dst ds3:10.0.1.42/22

I have the following NAT exemption set up at site A:

access-list nonat; 3 elements

access-list nonat line 1 extended permit ip 10.1.0.0 255.255.0.0 10.0.0.0 255.255.0.0 (hitcnt=0)

access-list nonat line 2 extended permit ip 10.1.0.0 255.255.0.0 10.3.0.0 255.255.255.0 (hitcnt=0)

access-list nonat line 3 extended permit ip 10.3.0.0 255.255.255.0 10.0.0.0 255.255.0.0 (hitcnt=0)

I've been working on this for a few days now, and am hesitant to open up a TAC ticket. I've seen a few similar issues on the forums, but have found none with a working solution. I attempted to follow the tech notes on the Cisco Web site for a similar configuration, but had no luck.

By the way, I have enabled same-security-traffic on both intra-interface and inter-interface.

Any help would be much appreciated.

Accepted Solution

ASA hub, is this your topology? If so, try the suggestions below.

Inside Net 10.1.1.0/16

ds3 net 172.16.0.0/28 - far end net through L2L Tunnel 10.0.0.0/16

VPN RA Net 10.3.0.0/24

For RA clients to gain access to the far-end hosts of the L2L tunnel, you will need a NAT exemption rule applied to the ds3 interface.

Based on the log:

%ASA-3-305005: No translation group found for tcp src outside:10.3.0.1/60851 dst ds3:10.0.1.42/22

Try this:

no access-list test extended permit ip 10.3.0.0 255.255.255.0 10.0.0.0 255.255.0.0

access-list test extended permit ip 10.0.0.0 255.255.0.0 10.3.0.0 255.255.255.0

nat (ds3) 0 access-list test

On the far end of the tunnel (spoke), you have to permit the RA network coming from the ASA hub in the interesting traffic.

Let us know how it works out

Regards

Jorge Rodriguez

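The reason the asker's third nonat line never gets a hit, and why binding a reversed list to ds3 fixes it, comes down to which interface the ASA consults for an exemption. The following Python model is an added example, not code from the thread or from Cisco: it parses the ACL and nat 0 lines as posted, parses the %ASA-3-305005 message, and answers whether a nat 0 rule covers the flow. It assumes the original "nonat" list was bound with nat (inside) 0 (the post does not show the binding) and uses a simplified rule: an exemption is checked on the ingress interface for (src, dst) and, because NAT exemption is bidirectional, on the egress interface for the reversed pair (dst, src). Real ASA NAT lookup ordering is richer; only exemption is modelled.

```python
import ipaddress
import re

# Simplified model of pre-8.3 ASA "nat (iface) 0 access-list NAME" exemption
# lookup (assumption, see lead-in): ingress interface checked for (src, dst),
# egress interface checked for the reversed pair (dst, src).

ACE_RE = re.compile(
    r"^(?P<neg>no )?access-list (?P<name>\S+)(?: line \d+)? extended permit ip "
    r"(?P<src>[\d.]+) (?P<smask>[\d.]+) (?P<dst>[\d.]+) (?P<dmask>[\d.]+)"
)
NAT0_RE = re.compile(r"^nat \((?P<iface>[\w-]+)\) 0 access-list (?P<name>\S+)")
LOG_RE = re.compile(
    r"%ASA-3-305005: No translation group found for \w+ src "
    r"(?P<in_if>[\w-]+):(?P<src>[\d.]+)/\d+ dst (?P<out_if>[\w-]+):(?P<dst>[\d.]+)/\d+"
)

# Copied from the thread: the site-A exemption list as shown by the asker.
NONAT_ACL = [
    "access-list nonat line 1 extended permit ip 10.1.0.0 255.255.0.0 10.0.0.0 255.255.0.0 (hitcnt=0)",
    "access-list nonat line 2 extended permit ip 10.1.0.0 255.255.0.0 10.3.0.0 255.255.255.0 (hitcnt=0)",
    "access-list nonat line 3 extended permit ip 10.3.0.0 255.255.255.0 10.0.0.0 255.255.0.0 (hitcnt=0)",
]
# Assumed binding: the post never shows the nat 0 line, only that "nonat" is
# the site-A exemption list; inside is the usual place for it.
ORIGINAL_NAT = ["nat (inside) 0 access-list nonat"]
# The accepted answer's fix, verbatim.
FIX_LINES = [
    "no access-list test extended permit ip 10.3.0.0 255.255.255.0 10.0.0.0 255.255.0.0",
    "access-list test extended permit ip 10.0.0.0 255.255.0.0 10.3.0.0 255.255.255.0",
    "nat (ds3) 0 access-list test",
]
# The log line from the question.
LOG_LINE = "%ASA-3-305005: No translation group found for tcp src outside:10.3.0.1/60851 dst ds3:10.0.1.42/22"


def parse_config(lines):
    """Return ({acl_name: [(src_net, dst_net), ...]}, {interface: acl_name})."""
    acls, bindings = {}, {}
    for line in lines:
        line = line.strip()
        m = ACE_RE.match(line)
        if m:
            entry = (
                ipaddress.ip_network(f"{m['src']}/{m['smask']}", strict=False),
                ipaddress.ip_network(f"{m['dst']}/{m['dmask']}", strict=False),
            )
            entries = acls.setdefault(m["name"], [])
            if m["neg"]:
                # "no access-list ..." removes the ACE if it is present
                if entry in entries:
                    entries.remove(entry)
            else:
                entries.append(entry)
            continue
        m = NAT0_RE.match(line)
        if m:
            bindings[m["iface"]] = m["name"]
    return acls, bindings


def parse_log(line):
    """Pull ingress/egress interfaces and addresses out of a 305005 message."""
    m = LOG_RE.search(line)
    if not m:
        raise ValueError("not a %ASA-3-305005 message")
    return (m["in_if"], ipaddress.ip_address(m["src"]),
            m["out_if"], ipaddress.ip_address(m["dst"]))


def _matches(entries, src, dst):
    return any(src in s and dst in d for s, d in entries)


def exempted(config_lines, in_if, src, out_if, dst):
    """True if some nat 0 rule covers the flow; False is the 305005 case."""
    acls, bindings = parse_config(config_lines)
    if in_if in bindings and _matches(acls.get(bindings[in_if], []), src, dst):
        return True   # exemption on the ingress interface, forward direction
    if out_if in bindings and _matches(acls.get(bindings[out_if], []), dst, src):
        return True   # bidirectional exemption seen from the egress interface
    return False


def flow_exempt_before_fix():
    """RA client -> far end with only the inside-bound nonat list."""
    return exempted(NONAT_ACL + ORIGINAL_NAT, *parse_log(LOG_LINE))


def flow_exempt_after_fix():
    """Same flow once the ds3-bound reversed list from the answer is added."""
    return exempted(NONAT_ACL + ORIGINAL_NAT + FIX_LINES, *parse_log(LOG_LINE))


def inside_to_far_end_exempt():
    """Sanity check: the L2L traffic that already worked stays covered."""
    return exempted(NONAT_ACL + ORIGINAL_NAT, "inside",
                    ipaddress.ip_address("10.1.5.5"), "ds3",
                    ipaddress.ip_address("10.0.1.42"))
```

Calling flow_exempt_before_fix() returns False: the flow enters on outside and leaves on ds3, and neither interface has a nat 0 list bound, so nonat line 3 is never consulted (hence its hitcnt=0) and the ASA logs 305005. After the fix, flow_exempt_after_fix() returns True because the ds3-bound list matches the reversed pair. When checking a real box, compare the interface names in the log message against the interfaces named in your nat 0 statements before touching the ACLs.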

5 Replies

JORGE RODRIGUEZ (Level 10)

Matthew, follow the example links within the post below. Look carefully at your RA VPN pool network and where you apply your NAT exempt rules; usually they would be applied not only on (inside) but on (outside) as well. The thread below should get you on the right track. If you still have issues, then provide us with a sanitized config for the hub ASA where the RA VPN and L2L terminate.

http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=Firewalling&topicID=.ee6e1fa&fromOutline=true&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc2e0f6/4

Jorge Rodriguez

Thanks, Jorge.

I took a look at the link and associated references, and am still having issues.

I've attached the config from site A, where the remote access VPN terminates.

Note that my topology is a bit different in that we have a dedicated link between the sites.


That did it! Thanks a lot.

Glad it's resolved, and thanks for the rating. It was a pleasure to assist someone over in Berklee; I used to have lots of friends at Berklee College of Music. I graduated from Boston Conservatory of Music years ago, which is down the road from you.

Regards

Jorge Rodriguez