Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
410
Views
0
Helpful
3
Replies

Problem with Dynamic VPN

Vinh Phan Le Tien
Level 1
Level 1

‎10-09-2013 11:51 PM

Hi all.

I want to create Dynamic VPN to connect Head Office and Branch Office.

After configuring, I can ping between two site. But it has problem when I try to access web, copy file, remote desktop, . . .

I can only ping and can't do anything.

This is my configuration, please help me to check it

Thanks so muc

Labels:
15368919-ASA-HO.txt.zip
15368920-ASA-Brach.txt.zip
0 Helpful
3 Replies 3

rizwanr74
Level 7
Level 7

‎10-10-2013 07:31 AM

Hi Vinh,

You are missing a static route on branch ASA, so please add it as shown below.

on branch ASA

route Outside 192.168.25.0 255.255.255.0 172.16.3.1

On HO ASA you are missing no-nat between two remote LANs, so please add no-nat as shown below.

HO ASA

nat (DMZ,Outside) source static DMZ DMZ destination static Vlan225 Vlan225 no-proxy-arp route-lookup

last but not least, please add a static route on HO ASA as well.

route Outside 192.168.225.0 255.255.255.0 xxx.xxx.xxx

xxx.xxx.xxx = your gateway address of your Outside interface.

Let me know, please if this helps.

thanks

Rizwan Rafeek.

0 Helpful

Vinh Phan Le Tien
Level 1
Level 1
In response to rizwanr74

‎10-10-2013 06:27 PM

Hi Rizwan.

Branch ASA is running ver 8.0 (2), not 8.4

I don't use static route as you wrote because I have default route on 2 ASA.

We run route mode in ASA HO.

DMZ ---- ASA HO ------ Draytek 3300----------Internet-------------Vigor 2920------------ASA Branch -----------------------192.168.225.0

Thanks.

0 Helpful

rizwanr74
Level 7
Level 7
In response to Vinh Phan Le Tien

‎10-12-2013 08:28 PM

Hi Vinh,

"I don't use static route as you wrote because I have default route on 2 ASA."

Your default-route on ASA is internet bound traffic however for the vpn bound traffic you must have a static route push the vpn bound traffic toward to outside's gateway, otherwise ASA will push towards the inside interface.

"Branch ASA is running ver 8.0 (2), not 8.4"

the missing no-nat is on HO ASA.

nat (DMZ,Outside) source static DMZ DMZ destination static Vlan225 Vlan225 no-proxy-arp route-lookup

route Outside 192.168.225.0 255.255.255.0 xxx.xxx.xxx

xxx.xxx.xxx = your gateway address of your Outside interface.

and

You still need a static route on branch ASA as shown below.

route Outside 192.168.25.0 255.255.255.0 172.16.3.1

Thanks

Rizwan Rafeek.



0 Helpful
Customers Also Viewed These Support Documents