Cisco Support Community
New Member

VPN clients cannot access remote site through site-to-site VPN

Hello,

I have 2 sites:

site A:

ASA 5510

VPN gateway for remote users

LAN 192.168.192.0/22

site B:

ASA 5505

LAN 192.168.208.0/22

Both sites are connected through a site-to-site VPN.

Remote clients (AnyConnect/VPN client) can connect to Site A LAN and see machines on LAN A but cannot see Site B LAN.

What am I missing (maybe on both sides)?

Any help appreciated.

Here is a part of my configuration:

On Site A (ASA 5510)

--------------------------------

name 192.168.192.0 SiteA_Internal_Network

name 192.168.208.0 SiteB_Internal_Network

name 192.168.133.0 VPNPool_AnyConnect

name 192.168.133.32 VPNPool_VpnClient

object-group network DM_INLINE_NETWORK_3

network-object VPNPool_AnyConnect 255.255.255.224

network-object VPNPool_VpnClient 255.255.255.224

network-object SiteA_Internal_Network 255.255.252.0

access-list External_cryptomap_1 extended permit ip object-group DM_INLINE_NETWORK_3 SiteB_Internal_Network 255.255.252.0

nat (Internal) 0 access-list Internal_nat0_outbound

nat (Internal) 1 SiteA_Internal_Network 255.255.252.0

nat (External-DMZ) 0 access-list External-DMZ_nat0_outbound

static (Internal,External-DMZ) SiteA_Internal_Network SiteA_Internal_Network netmask 255.255.252.0

static (Internal,Internal-DMZ) SiteA_Internal_Network SiteA_Internal_Network netmask 255.255.252.0

static (External-DMZ,External) SiteA_ExternalDMZ_Network SiteA_ExternalDMZ_Network netmask 255.255.255.240

no vpn-addr-assign aaa

no vpn-addr-assign dhcp

vpn-addr-assign local reuse-delay 5

webvpn

enable External

svc image disk0:/anyconnect-win-2.3.0254-k9.pkg 1 regex "Windows NT"

svc image disk0:/anyconnect-wince-ARMv4I-2.3.0254-k9.pkg 2 regex "Windows CE"

svc image disk0:/anyconnect-macosx-i386-2.3.0254-k9.pkg 3 regex "Intel Mac OS X"

svc image disk0:/anyconnect-macosx-powerpc-2.3.0254-k9.pkg 4 regex "PPC Mac OS X"

svc image disk0:/anyconnect-linux-2.3.0254-k9.pkg 5 regex "Linux"

svc enable

tunnel-group-list enable

group-policy DfltGrpPolicy attributes

dns-server value XXXXXXXXXXXXX

vpn-tunnel-protocol IPSec svc webvpn

ip-comp enable

split-tunnel-policy tunnelspecified

split-tunnel-network-list value split-lan

default-domain value XXXXX

webvpn

  svc keepalive 30

  svc compression none

group-policy TG-ADM internal

group-policy TG-ADM attributes

vpn-tunnel-protocol IPSec

ip-comp disable

group-policy JSIgroup internal

group-policy JSIgroup attributes

vpn-tunnel-protocol IPSec svc webvpn

webvpn

  url-list none

  svc ask enable

tunnel-group DefaultRAGroup general-attributes

authentication-server-group RADIUS LOCAL

tunnel-group DefaultWEBVPNGroup general-attributes

address-pool POOL-ANYCONNECT

authentication-server-group RADIUS LOCAL

dhcp-server XXXXXXXXXX

tunnel-group DefaultWEBVPNGroup webvpn-attributes

group-alias VPN-ACCESS enable

tunnel-group XXXXXXXXXXXX type ipsec-l2l

tunnel-group XXXXXXXXXXXXX ipsec-attributes

pre-shared-key XXXXXXXXXXXXXXXXXXXXXXXXXXX

tunnel-group TG-ADM type remote-access

tunnel-group TG-ADM general-attributes

address-pool POOL-ADM

authentication-server-group RADIUS LOCAL

default-group-policy TG-ADM

tunnel-group TG-ADM ipsec-attributes

pre-shared-key XXXXXXXXXXXXXXXXXXXXXX

On Site B (ASA 5505)

-------------------------------

name 192.168.192.0 SiteA_Internal_Network

name 192.168.133.32 AnyConnect

name 192.168.133.0 VPN_Client

object-group network DM_INLINE_NETWORK_2

network-object 192.168.133.0 255.255.255.224

network-object 192.168.133.32 255.255.255.224

network-object 192.168.192.0 255.255.252.0

object-group network DM_INLINE_NETWORK_1

network-object 192.168.133.0 255.255.255.224

network-object 192.168.133.32 255.255.255.224

network-object 192.168.192.0 255.255.252.0

access-list inside_nat0_outbound extended permit ip 192.168.208.0 255.255.252.0 object-group DM_INLINE_NETWORK_1

access-list inside_access_in extended permit ip 192.168.208.0 255.255.252.0 192.168.192.0 255.255.252.0

access-list inside_access_in extended permit object-group Traffic-Good 192.168.208.0 255.255.252.0 any

access-list outside_cryptomap_1 extended permit ip 192.168.208.0 255.255.252.0 object-group DM_INLINE_NETWORK_2

access-list outside_access_in extended deny ip any 192.168.208.0 255.255.252.0

access-list outside_access_in extended deny ip any 192.168.192.0 255.255.252.0

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

27 REPLIES
Green

VPN clients cannot access remote site through site-to-site VPN

It looks like you have the traffic defined in the crypto acl's and the nat0 acl on the site B asa. Do you have this on the site A asa?

same-security-traffic permit intra-interface

New Member

This was the solution for me. I had to allow hairpinning. With a continuous ping going, as soon as I entered this command, pings started returning.

New Member

Do you remember what you did to fix it?

I have the same issues for the VPN. Thank you.

New Member

Thank you. I had everything right and couldn't think why this was not working. I had forgotten to add this line. In hindsight I guess everything was not right :).

New Member

VPN clients cannot access remote site through site-to-site VPN

Yes I forgot it, here is what I have on the Site A router:

The site-to-site tunnel is working fine, except for VPN remote users.

access-list Internal_nat0_outbound extended permit ip SiteA_Internal_Network 255.255.252.0 SiteB_Internal_Network 255.255.252.0

access-list Internal_nat0_outbound extended permit ip SiteA_Internal_Network 255.255.252.0 VPNPool_AnyConnect 255.255.255.224

access-list Internal_nat0_outbound extended permit ip SiteA_Internal_Network 255.255.252.0 VPNPool_VpnClient 255.255.255.224

access-list Internal_nat0_outbound extended permit ip VPNPool_AnyConnect 255.255.255.224 SiteB_Internal_Network 255.255.252.0

access-list Internal_nat0_outbound extended permit ip VPNPool_VpnClient 255.255.255.224 SiteB_Internal_Network 255.255.252.0

Green

VPN clients cannot access remote site through site-to-site VPN

You shouldn't need those last 2 lines there as the nat0 is applied to the inside interface, while the vpn client traffic is coming from the outside interface. It would never be natted there anyway.

What do your logs say on site A asa when you try to connect from a vpn client to site b? I usually bring up the ASDM log viewer, filter on the ip address of the vpn client and test.

New Member

VPN clients cannot access remote site through site-to-site VPN

Thanks for your feedback.

I removed both lines. No change.

Should I also remove the VPN client networks in DM_INLINE_NETWORK_1 of site B?

I watched the logs, but I can only see that I connect to SiteA gateway but when I ping a machine of SiteB there is nothing in the logs.

Green

VPN clients cannot access remote site through site-to-site VPN

No, don't remove on the other end. That is needed.

What does your split tunnel acl look like on site A asa? Make sure you are tunneling the site B inside network.
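The replies above name the Site A settings to verify (the hairpin keyword, a crypto ACL that covers the VPN pools, a split-tunnel list that includes the Site B network) and say the NAT-exemption and crypto ACL entries on Site B are needed. The script below is an added example written for this page, not Cisco or ASA code: a small hypothetical parser for the `name`, `object-group network`, `access-list` and `same-security-traffic` forms used in the thread, which runs those checks over lines copied from the posted configs (embedded as constructed samples; Site B's two identical object-groups are collapsed into one). The ACL names come from the posted config; `diagnose`, `acl_action` and the check keys are the example's own.

```python
import ipaddress

# Constructed sample: the Site A lines from this thread that decide whether a
# VPN client can reach Site B (names, the crypto ACL and its object-group, the
# split-tunnel ACL and the hairpin keyword), copied as posted.
SITE_A_CONFIG = """\
name 192.168.192.0 SiteA_Internal_Network
name 192.168.208.0 SiteB_Internal_Network
name 192.168.133.0 VPNPool_AnyConnect
name 192.168.133.32 VPNPool_VpnClient
same-security-traffic permit intra-interface
object-group network DM_INLINE_NETWORK_3
 network-object VPNPool_AnyConnect 255.255.255.224
 network-object VPNPool_VpnClient 255.255.255.224
 network-object SiteA_Internal_Network 255.255.252.0
access-list split-lan standard permit SiteA_Internal_Network 255.255.252.0
access-list External_cryptomap_1 extended permit ip object-group DM_INLINE_NETWORK_3 SiteB_Internal_Network 255.255.252.0
"""

# Constructed sample: Site B's NAT-exemption and crypto ACLs as posted; the two
# identical object-groups in the thread are collapsed into one here.
SITE_B_CONFIG = """\
object-group network DM_INLINE_NETWORK_1
 network-object 192.168.133.0 255.255.255.224
 network-object 192.168.133.32 255.255.255.224
 network-object 192.168.192.0 255.255.252.0
access-list inside_nat0_outbound extended permit ip 192.168.208.0 255.255.252.0 object-group DM_INLINE_NETWORK_1
access-list outside_cryptomap_1 extended permit ip 192.168.208.0 255.255.252.0 object-group DM_INLINE_NETWORK_1
"""

ANY = ipaddress.ip_network("0.0.0.0/0")

def _operand(cfg, t, i):
    """Read one address operand starting at t[i]; return (networks, next index)."""
    if t[i] == "any":
        return [ANY], i + 1
    if t[i] == "host":
        return [ipaddress.ip_network(cfg["names"].get(t[i + 1], t[i + 1]) + "/32")], i + 2
    if t[i] == "object-group":
        return list(cfg["groups"][t[i + 1]]), i + 2
    ip = cfg["names"].get(t[i], t[i])  # 'name' aliases resolve to their address
    return [ipaddress.ip_network(f"{ip}/{t[i + 1]}", strict=False)], i + 2

def parse_config(text):
    """Minimal parser for the ASA 8.x config forms that appear in the thread."""
    cfg = {"names": {}, "groups": {}, "acls": {}, "hairpin": False}
    group = None
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "name":
            cfg["names"][t[2]] = t[1]
        elif t[0] == "object-group":
            group = cfg["groups"].setdefault(t[2], []) if t[1] == "network" else None
        elif t[0] == "network-object" and group is not None:
            group.extend(_operand(cfg, t, 1)[0])
        elif t[:3] == ["same-security-traffic", "permit", "intra-interface"]:
            cfg["hairpin"] = True
        elif t[0] == "access-list" and t[2] == "standard":
            # split-tunnel lists are standard ACLs and match the destination only
            cfg["acls"].setdefault(t[1], []).append((t[3], [ANY], _operand(cfg, t, 4)[0]))
        elif t[0] == "access-list" and t[2] == "extended":
            # action, protocol (or 'object-group <service group>'), source, destination, [ports ...]
            srcs, i = _operand(cfg, t, 6 if t[4] == "object-group" else 5)
            dsts, _ = _operand(cfg, t, i)
            cfg["acls"].setdefault(t[1], []).append((t[3], srcs, dsts))
    return cfg

def acl_action(cfg, acl_name, src, dst):
    """First-match lookup like the ASA: 'permit', 'deny', or None (implicit deny)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, srcs, dsts in cfg["acls"].get(acl_name, []):
        if any(src in n for n in srcs) and any(dst in n for n in dsts):
            return action
    return None

def diagnose(config_text, client_ip, remote_ip,
             crypto_acl="External_cryptomap_1", split_acl="split-lan"):
    """The three Site A checks raised in the replies, for one client -> remote host pair."""
    cfg = parse_config(config_text)
    return {
        "hairpin_enabled": cfg["hairpin"],
        "crypto_acl_covers_client": acl_action(cfg, crypto_acl, client_ip, remote_ip) == "permit",
        "split_tunnel_covers_remote": acl_action(cfg, split_acl, client_ip, remote_ip) == "permit",
    }

if __name__ == "__main__":
    print(diagnose(SITE_A_CONFIG, "192.168.133.5", "192.168.208.10"))
    site_b = parse_config(SITE_B_CONFIG)  # return traffic must be NAT-exempt and crypto-matched at B
    print(acl_action(site_b, "inside_nat0_outbound", "192.168.208.10", "192.168.133.5"),
          acl_action(site_b, "outside_cryptomap_1", "192.168.208.10", "192.168.133.5"))
```

Run over the posted Site A lines, the checks report the hairpin keyword present and the crypto ACL matching both pools, while `split-lan` does not cover 192.168.208.0/22; with `split-tunnel-policy tunnelspecified` a client only sends traffic for the listed networks into the tunnel, which fits a ping to Site B producing no log entries on the Site A ASA. Appending a `standard permit` entry for the Site B network to `split-lan` makes that check pass, and the Site B lookups return `permit` for both ACLs, matching the advice not to remove the pool entries on that end.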

New Member

VPN clients cannot access remote site through site-to-site VPN

Thanks,

Well, removing the 2 nat lines caused an issue: VPN clients couldn't access the LAN of site A anymore... I put them back.

Here are the full configurations of both ASAs:

SITE A

: Saved

:

ASA Version 8.0(4)

!

hostname XXXXX

domain-name XXXXXX

enable password XXXXXXXX encrypted

passwd XXXXXXXX encrypted

names

name 192.168.33.0 SiteA_InternalDMZ_Network description SiteA DMZ

name 192.168.192.0 SiteA_Internal_Network description SiteA

name 192.168.208.0 SiteB_Internal_Network description SiteB

name 192.168.133.0 VPNPool_AnyConnect

name 192.168.133.32 VPNPool_VpnClient

name XXXXXX  SiteA_ExternalDMZ_Network description SiteA

name XXXXXXXXX  SiteA_External_Network description SiteA

name 192.168.33.17 AAA-InternalDMZ description Server SOUTH

name XXXXXXXXX AAA-ExternalDMZ description Server NORTH

dns-guard

!

interface Ethernet0/0

nameif External

security-level 0

ip address XXXXXXXXXXXXXX

ospf cost 10

!

interface Ethernet0/1

nameif Internal

security-level 100

ip address 192.168.192.1 255.255.252.0

ospf cost 10

!

interface Ethernet0/2

nameif External-DMZ

security-level 50

ip address XXXXXXXXXXXXXXXXXXXXXX

ospf cost 10

!

interface Ethernet0/3

nameif Internal-DMZ

security-level 75

ip address XXXXXXXXXXXXXXXXXXXXXXXXX

ospf cost 10

!

regex worldofwarcraft ".*worldofwarcraft\.com.*"

regex facebook ".*facebook\.com.*"

boot system disk0:/asaXXXXX.bin

ftp mode passive

clock timezone CEST 1

clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00

dns domain-lookup External

dns domain-lookup Internal

dns domain-lookup External-DMZ

dns server-group DefaultDNS

name-server XXXXXXXXXXX

name-server XXXXXXXXXXXXXX

domain-name XXXXXXXXXXXXXXXXXXXX

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object-group network Net-SiteA

description SiteA Nets

network-object SiteA_Internal_Network 255.255.252.0

network-object SiteA_ExternalDMZ_Network 255.255.255.240

object-group network Blocked-destinations

network-object host Blacklist_crackz.ws

network-object host Blacklist_bad-ads

network-object host Blacklist_roxy69.gtrx.net

network-object host Blacklist_beehappyy.biz

network-object host Blacklist_Warhammer

network-object host Blacklist_Infected-site

network-object host Blacklist_tfcco.biz

network-object host Blacklist_iframecash.biz

network-object host Blacklist_Infected-sm0king

object-group service Traffic-Good

service-object icmp

service-object esp

service-object tcp-udp eq domain

service-object tcp-udp eq echo

service-object tcp-udp eq www

service-object tcp-udp eq sunrpc

service-object tcp-udp eq tacacs

service-object tcp eq 3389

service-object tcp eq 445

service-object tcp eq aol

service-object tcp eq ftp

service-object tcp eq ftp-data

service-object tcp eq https

service-object tcp eq ldap

service-object tcp eq ldaps

service-object tcp eq netbios-ssn

service-object tcp eq pop3

service-object tcp eq sip

service-object tcp eq ssh

service-object tcp eq telnet

service-object tcp eq whois

service-object icmp traceroute

service-object udp eq 10000

service-object udp eq 4500

service-object udp eq isakmp

service-object udp eq nameserver

service-object udp eq netbios-dgm

service-object udp eq netbios-ns

service-object udp eq nfs

service-object udp eq ntp

service-object udp eq sip

service-object udp eq snmp

service-object udp eq sunrpc

service-object udp eq syslog

service-object udp eq tftp

service-object icmp echo

service-object icmp echo-reply

service-object tcp-udp eq 9418

service-object tcp eq 10000

object-group service EEEEEEEEEE-ports

service-object tcp eq smtp

service-object icmp

service-object tcp eq www

service-object tcp eq https

object-group service revEEEEEEEEEE-ports

service-object tcp eq smtp

service-object icmp

service-object tcp eq 3389

object-group service revFFFFFF-ports

service-object ip

service-object icmp

object-group service FFFFFF-ports

service-object ip

service-object icmp

service-object tcp eq 3268

object-group service GGGGGGG

service-object tcp eq www

service-object tcp eq https

service-object tcp eq smtp

object-group network Internal-DC

network-object host XXXXXXXXXXXXX

network-object host XXXXXXXXXXXXXXXXX

object-group network Internal-email

network-object host XXXXXXXXXXXXXXXXXXXX

object-group network DM_INLINE_NETWORK_2

network-object SiteA_Internal_Network 255.255.252.0

network-object SiteA_ExternalDMZ_Network 255.255.255.240

object-group service GRP-SVC-FFFFFF-TCP tcp

port-object eq 3268

object-group service GRP-SVC-FFFFFF-UDP udp

port-object eq 88

port-object eq domain

port-object eq ntp

object-group service GRP-SVC-HHHHHHH-TCP tcp

port-object eq smtp

port-object eq https

object-group network GRP-ADMIN-WS

network-object SiteA_Internal_Network 255.255.252.0

object-group network GRP-DMZ-NODES

network-object SiteA_InternalDMZ_Network 255.255.255.0

network-object SiteA_ExternalDMZ_Network 255.255.255.240

object-group network GRP-PUB-DNS-SRV

network-object host DNS_1

network-object host DNS_2

object-group service GRP-SVC-BROWSING-TCP tcp

port-object eq ftp

port-object eq www

port-object eq https

object-group service GRP-SVC-PMAD-TCP tcp

port-object eq 3389

port-object eq ssh

object-group icmp-type GRP-SVC-USEFUL-ICMP

icmp-object echo-reply

icmp-object time-exceeded

icmp-object unreachable

object-group network DM_INLINE_NETWORK_3

network-object VPNPool_AnyConnect 255.255.255.224

network-object VPNPool_VpnClient 255.255.255.224

network-object SiteA_Internal_Network 255.255.252.0

object-group service DM_INLINE_TCP_1 tcp

port-object eq www

port-object eq https

port-object eq 8443

port-object eq 8880

object-group service Torrent

service-object tcp range 6881 6889

service-object tcp eq 6969

service-object tcp eq 7000

object-group network DM_INLINE_NETWORK_1

network-object VPNPool_AnyConnect 255.255.255.224

network-object VPNPool_VpnClient 255.255.255.224

object-group network DM_INLINE_NETWORK_4

network-object SiteA_InternalDMZ_Network 255.255.255.0

network-object SiteA_ExternalDMZ_Network 255.255.255.240

object-group service DM_INLINE_SERVICE_1

service-object tcp

object-group network DM_INLINE_NETWORK_5

network-object VPNPool_AnyConnect 255.255.255.224

network-object VPNPool_VpnClient 255.255.255.224

access-list External_access_in extended deny ip any SiteA_Internal_Network 255.255.252.0

access-list External_access_in extended deny ip any SiteA_InternalDMZ_Network 255.255.255.0

access-list External_access_in extended permit tcp any host AAA-ExternalDMZ eq smtp

access-list External_access_in extended permit tcp any host AAA-ExternalDMZ object-group DM_INLINE_TCP_1

access-list External_access_in extended permit icmp any SiteA_External_Network 255.255.255.240 object-group GRP-SVC-USEFUL-ICMP

access-list External_access_in extended permit icmp any SiteA_ExternalDMZ_Network 255.255.255.240 object-group GRP-SVC-USEFUL-ICMP

access-list External-DMZ_access_in extended deny ip any SiteA_Internal_Network 255.255.252.0

access-list External-DMZ_access_in extended deny ip any SiteA_InternalDMZ_Network 255.255.255.0

access-list External-DMZ_access_in extended permit tcp host AAA-ExternalDMZ any eq smtp

access-list External-DMZ_access_in extended permit ip SiteA_ExternalDMZ_Network 255.255.255.240 any

access-list Internal_access_in extended deny ip any object-group Blocked-destinations

access-list Internal_access_in extended permit udp object-group Internal-DC object-group GRP-PUB-DNS-SRV eq domain

access-list Internal_access_in extended permit tcp object-group Internal-DC object-group GRP-PUB-DNS-SRV eq domain

access-list Internal_access_in extended permit object-group Traffic-Good SiteA_Internal_Network 255.255.252.0 any

access-list Internal_access_in extended permit ip object-group DM_INLINE_NETWORK_1 SiteB_Internal_Network 255.255.252.0

access-list Internal_access_in extended permit object-group Torrent SiteA_Internal_Network 255.255.252.0 any inactive

access-list Internal_access_in extended permit ip SiteA_Internal_Network 255.255.252.0 SiteB_Internal_Network 255.255.252.0

access-list Internal_access_in extended permit tcp host XXXXXXXXX host AAA-InternalDMZ eq smtp

access-list Internal_access_in extended permit tcp object-group GRP-ADMIN-WS object-group GRP-DMZ-NODES object-group GRP-SVC-PMAD-TCP

access-list Internal_nat0_outbound extended permit ip SiteA_Internal_Network 255.255.252.0 SiteB_Internal_Network 255.255.252.0

access-list Internal_nat0_outbound extended permit ip SiteA_Internal_Network 255.255.252.0 object-group DM_INLINE_NETWORK_5

access-list Internal-DMZ_access_in extended deny ip any SiteA_ExternalDMZ_Network 255.255.255.240

access-list Internal-DMZ_access_in extended permit tcp host AAA-InternalDMZ object-group Internal-DC object-group GRP-SVC-FFFFFF-TCP

access-list Internal-DMZ_access_in extended permit udp host AAA-InternalDMZ object-group Internal-DC object-group GRP-SVC-FFFFFF-UDP

access-list Internal-DMZ_access_in extended permit tcp host AAA-InternalDMZ object-group Internal-email object-group GRP-SVC-HHHHHHH-TCP

access-list Internal-DMZ_access_in extended permit tcp host AAA-InternalDMZ host XXXXXXX eq www

access-list Internal-DMZ_access_in extended deny ip any SiteA_Internal_Network 255.255.252.0

access-list External-DMZ_nat0_outbound extended permit ip SiteA_ExternalDMZ_Network 255.255.255.240 SiteB_Internal_Network 255.255.252.0

access-list CSC-Internal extended deny ip any SiteB_Internal_Network 255.255.252.0 inactive

access-list CSC-Internal extended deny ip any SiteA_ExternalDMZ_Network 255.255.255.240

access-list CSC-Internal extended deny ip any SiteA_InternalDMZ_Network 255.255.255.0

access-list CSC-Internal extended permit tcp any any eq www

access-list CSC-Internal extended permit tcp any any eq smtp

access-list CSC-Internal extended permit tcp any any eq pop3

access-list CSC-Internal extended permit tcp any any eq ftp

access-list CSC-Internal extended permit tcp any any eq imap4

access-list CSC-External extended deny ip SiteB_Internal_Network 255.255.252.0 any inactive

access-list CSC-External extended permit tcp any any eq smtp

access-list CSC-External extended permit tcp any any eq www

access-list CSC-External extended permit tcp any any eq pop3

access-list CSC-External extended permit tcp any any eq imap4

access-list CSC-External extended permit tcp any any eq ftp

access-list CSC-External-DMZ extended deny ip any SiteB_Internal_Network 255.255.252.0 inactive

access-list CSC-External-DMZ extended deny ip any SiteA_Internal_Network 255.255.252.0

access-list CSC-External-DMZ extended deny ip any SiteA_InternalDMZ_Network 255.255.255.0

access-list CSC-External-DMZ extended permit tcp any any eq www

access-list CSC-External-DMZ extended permit tcp any any eq smtp

access-list CSC-External-DMZ extended permit tcp any any eq pop3

access-list CSC-External-DMZ extended permit tcp any any eq ftp

access-list CSC-External-DMZ extended permit tcp any any eq imap4

access-list CSC-Internal-DMZ extended deny ip any SiteB_Internal_Network 255.255.252.0 inactive

access-list CSC-Internal-DMZ extended deny ip any SiteA_Internal_Network 255.255.252.0

access-list CSC-Internal-DMZ extended deny ip any SiteA_ExternalDMZ_Network 255.255.255.240

access-list CSC-Internal-DMZ extended permit tcp any any eq www

access-list CSC-Internal-DMZ extended permit tcp any any eq smtp

access-list CSC-Internal-DMZ extended permit tcp any any eq pop3

access-list CSC-Internal-DMZ extended permit tcp any any eq ftp

access-list CSC-Internal-DMZ extended permit tcp any any eq imap4

access-list split-lan standard permit SiteA_Internal_Network 255.255.252.0

access-list External_cryptomap_1 extended permit ip object-group DM_INLINE_NETWORK_3 SiteB_Internal_Network 255.255.252.0

pager lines 24

logging enable

logging trap warnings

logging asdm warnings

logging host Internal 192.168.192.XXX

mtu External 1500

mtu Internal 1500

mtu External-DMZ 1500

mtu Internal-DMZ 1500

ip local pool POOL-ANYCONNECT 192.168.133.1-192.168.133.30 mask 255.255.255.224

ip local pool POOL-ADM 192.168.133.33-192.168.133.62 mask 255.255.255.224

ip verify reverse-path interface External

ip verify reverse-path interface Internal

ip verify reverse-path interface External-DMZ

ip verify reverse-path interface Internal-DMZ

icmp unreachable rate-limit 1 burst-size 1

icmp permit any echo-reply External

icmp permit any time-exceeded External

icmp permit any unreachable External

icmp permit SiteA_Internal_Network 255.255.252.0 echo Internal

icmp permit SiteA_Internal_Network 255.255.252.0 echo-reply Internal

icmp permit SiteA_Internal_Network 255.255.252.0 traceroute Internal

icmp permit SiteA_Internal_Network 255.255.252.0 unreachable Internal

icmp permit SiteA_Internal_Network 255.255.252.0 time-exceeded Internal

icmp permit XXXXXXXXX 255.255.252.0 echo Internal

icmp permit SiteA_ExternalDMZ_Network 255.255.255.240 echo Internal

icmp permit SiteA_ExternalDMZ_Network 255.255.255.240 echo-reply Internal

icmp permit SiteA_ExternalDMZ_Network 255.255.255.240 traceroute Internal

icmp permit SiteA_ExternalDMZ_Network 255.255.255.240 unreachable Internal

icmp permit SiteA_ExternalDMZ_Network 255.255.255.240 time-exceeded Internal

icmp permit VPNPool_AnyConnect 255.255.255.0 echo External-DMZ

icmp permit VPNPool_AnyConnect 255.255.255.0 echo-reply External-DMZ

icmp permit VPNPool_AnyConnect 255.255.255.0 time-exceeded External-DMZ

icmp permit VPNPool_AnyConnect 255.255.255.0 traceroute External-DMZ

icmp permit VPNPool_AnyConnect 255.255.255.0 unreachable External-DMZ

asdm image disk0:/asdm-XXXXXX.bin

no asdm history enable

arp timeout 14400

global (External) 1 XXXXXXXXXX netmask 255.0.0.0

nat (Internal) 0 access-list Internal_nat0_outbound

nat (Internal) 1 SiteA_Internal_Network 255.255.252.0

nat (External-DMZ) 0 access-list External-DMZ_nat0_outbound

static (External-DMZ,External) SiteA_ExternalDMZ_Network SiteA_ExternalDMZ_Network netmask 255.255.255.240

static (Internal,External-DMZ) SiteA_Internal_Network SiteA_Internal_Network netmask 255.255.252.0

static (Internal,Internal-DMZ) SiteA_Internal_Network SiteA_Internal_Network netmask 255.255.252.0

access-group External_access_in in interface External

access-group Internal_access_in in interface Internal

access-group External-DMZ_access_in in interface External-DMZ

access-group Internal-DMZ_access_in in interface Internal-DMZ

route External 0.0.0.0 0.0.0.0 XXXXXXXXXXXXX 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

aaa-server RADIUS protocol radius

aaa-server RADIUS (Internal) host XXXXXXXXXX

key XXXXXXXXX

aaa-server RADIUS (Internal) host XXXXXXXXXX

key XXXXXXXXXXXX

aaa authentication http console LOCAL

aaa authentication ssh console LOCAL

aaa authentication telnet console LOCAL

aaa authentication serial console LOCAL

http server enable

http 0.0.0.0 0.0.0.0 External

http 0.0.0.0 0.0.0.0 Internal

http redirect External 80

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-192-SHA ESP-AES-256-SHA ESP-3DES-SHA

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000

crypto map External_map3 1 match address External_cryptomap_1

crypto map External_map3 1 set pfs group5

crypto map External_map3 1 set peer XXXXXXXX

crypto map External_map3 1 set transform-set ESP-AES-256-SHA

crypto map External_map3 1 set security-association lifetime seconds 28800

crypto map External_map3 1 set security-association lifetime kilobytes 4608000

crypto map External_map3 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map External_map3 interface External

crypto ca server

shutdown

crypto isakmp enable External

crypto isakmp policy 5

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

crypto isakmp policy 30

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

crypto isakmp policy 50

authentication pre-share

encryption aes-192

hash sha

group 5

lifetime 86400

crypto isakmp policy 60

authentication pre-share

encryption aes-256

hash sha

group 5

lifetime 86400

no vpn-addr-assign aaa

no vpn-addr-assign dhcp

vpn-addr-assign local reuse-delay 5

telnet 0.0.0.0 0.0.0.0 Internal

telnet timeout 1440

ssh scopy enable

ssh 0.0.0.0 0.0.0.0 External

ssh 0.0.0.0 0.0.0.0 Internal

ssh timeout 60

ssh version 2

console timeout 0

management-access Internal

threat-detection basic-threat

threat-detection statistics

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

ntp server XXXXXXX source External

ntp server XXXXXXXXX source External prefer

ntp server XXXXXXX source External

ntp server XXXXXX source External

tftp-server Internal XXXXXXXXXXXXX.cfg

webvpn

enable External

svc image disk0:/anyconnect-win-2.3.0254-k9.pkg 1 regex "Windows NT"

svc image disk0:/anyconnect-wince-ARMv4I-2.3.0254-k9.pkg 2 regex "Windows CE"

svc image disk0:/anyconnect-macosx-i386-2.3.0254-k9.pkg 3 regex "Intel Mac OS X"

svc image disk0:/anyconnect-macosx-powerpc-2.3.0254-k9.pkg 4 regex "PPC Mac OS X"

svc image disk0:/anyconnect-linux-2.3.0254-k9.pkg 5 regex "Linux"

svc enable

tunnel-group-list enable

group-policy DfltGrpPolicy attributes

dns-server value 192.168.192.80 192.168.192.81

vpn-tunnel-protocol IPSec svc webvpn

ip-comp enable

split-tunnel-policy tunnelspecified

split-tunnel-network-list value split-lan

default-domain value XXXXXXXXXXXX

webvpn

svc keepalive 30

svc compression none

group-policy TG-ADM internal

group-policy TG-ADM attributes

vpn-tunnel-protocol IPSec

ip-comp disable

group-policy Profile2 internal

group-policy Profile2 attributes

vpn-tunnel-protocol IPSec svc webvpn

webvpn

url-list none

svc ask enable

username admin password XXXXXXXXXXXXXXXXXX encrypted privilege 15

username Profile2Access password XXXXXXXXXXXXXXXXX encrypted privilege 0

username Profile2Access attributes

vpn-group-policy Profile2

tunnel-group DefaultRAGroup general-attributes

authentication-server-group RADIUS LOCAL

tunnel-group DefaultWEBVPNGroup general-attributes

address-pool POOL-ANYCONNECT

authentication-server-group RADIUS LOCAL

dhcp-server XXXXXXXXXXXX

tunnel-group DefaultWEBVPNGroup webvpn-attributes

group-alias PROFILE1-ACCESS enable

tunnel-group XXXXXXXXXXXXXX type ipsec-l2l

tunnel-group XXXXXXXXXXXXXX ipsec-attributes

pre-shared-key *

tunnel-group TG-ADM type remote-access

tunnel-group TG-ADM general-attributes

address-pool POOL-ADM

authentication-server-group RADIUS LOCAL

default-group-policy TG-ADM

tunnel-group TG-ADM ipsec-attributes

pre-shared-key *

tunnel-group PROFILE2ACCESS type remote-access

tunnel-group PROFILE2ACCESS general-attributes

address-pool POOL-ANYCONNECT

default-group-policy Profile2

tunnel-group PROFILE2ACCESS webvpn-attributes

group-alias PROFILE2-ACCESS enable

!

class-map External-DMZ-class

match access-list CSC-External-DMZ

class-map Internal-DMZ-class

match access-list CSC-Internal-DMZ

class-map Internal-class

match access-list CSC-Internal

class-map inspection_default

match default-inspection-traffic

class-map External-class

match access-list CSC-External

!

!

policy-map Internal-policy

class Internal-class

csc fail-open

policy-map External-policy

class External-class

csc fail-open

policy-map type inspect dns migrated_dns_map_1

parameters

message-length maximum 1024

policy-map global_policy

class inspection_default

inspect dns migrated_dns_map_1

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect icmp

policy-map External-DMZ-policy

class External-DMZ-class

csc fail-open

policy-map Internal-DMZ-policy

class Internal-DMZ-class

csc fail-open

policy-map type inspect http blocked-sites

parameters

protocol-violation action drop-connection

match request uri regex facebook

drop-connection log

match request uri regex worldofwarcraft

drop-connection log

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

: end

SITE B

: Saved

:

ASA Version 8.2(2)

!

hostname XXXXXXXXXX

domain-name XXXXXXXXXXXX

enable password XXXXXXXXXXXXXXXXXXX encrypted

passwd XXXXXXXXXXXXX encrypted

no names

name 192.168.192.0 SITEA

name 192.168.133.32 AnyConnect

name 192.168.133.0 VPN_Client

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.208.1 255.255.252.0

!

interface Vlan2

description Old Internet Access

shutdown

no forward interface Vlan1

nameif UNUSED

security-level 0

ip address XXXXXXXXXXXXXX 255.255.255.240

!

interface Vlan12

description: To Internet

nameif outsideNew

security-level 0

ip address XXXXXXXXXX 255.255.255.248

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

switchport access vlan 12

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

boot system disk0:/asaXXXXXX.bin

ftp mode passive

clock timezone CST -6

clock summer-time CDT recurring

dns server-group DefaultDNS

domain-name XXXXXXXXXX

object-group service Traffic-Good

service-object icmp

service-object esp

service-object icmp echo

service-object icmp echo-reply
service-object icmp traceroute
service-object tcp-udp eq domain
service-object tcp-udp eq echo
service-object tcp-udp eq www
service-object tcp-udp eq sunrpc
service-object tcp-udp eq tacacs
service-object tcp eq ftp
service-object tcp eq ftp-data
service-object tcp eq https
service-object tcp eq ldap
service-object tcp eq ldaps
service-object tcp eq sip
service-object tcp eq ssh
service-object udp eq ntp
service-object udp eq sip
service-object udp eq sunrpc
service-object udp eq syslog
service-object udp eq tftp
service-object tcp eq 3389
service-object tcp-udp eq sip
service-object tcp eq h323
object-group network DM_INLINE_NETWORK_2
network-object 192.168.133.0 255.255.255.224
network-object 192.168.133.32 255.255.255.224
network-object 192.168.192.0 255.255.252.0
object-group network DM_INLINE_NETWORK_1
network-object 192.168.133.0 255.255.255.224
network-object 192.168.133.32 255.255.255.224
network-object 192.168.192.0 255.255.252.0
access-list inside_nat0_outbound extended permit ip 192.168.208.0 255.255.252.0 object-group DM_INLINE_NETWORK_1
access-list inside_access_in remark Full IP to SiteA Network
access-list inside_access_in extended permit ip 192.168.208.0 255.255.252.0 192.168.192.0 255.255.252.0
access-list inside_access_in remark Browsing to the Internet
access-list inside_access_in extended permit object-group Traffic-Good 192.168.208.0 255.255.252.0 any
access-list outsideNew_cryptomap_1 extended permit ip 192.168.208.0 255.255.252.0 object-group DM_INLINE_NETWORK_2
access-list outsideNew_access_in extended deny ip any 192.168.208.0 255.255.252.0
access-list outsideNew_access_in extended deny ip any 192.168.192.0 255.255.252.0
pager lines 24
logging enable
logging trap warnings
logging asdm warnings
logging host inside 192.168.192.XXXXXXX
mtu inside 1500
mtu UNUSED 1500
mtu outsideNew 1500
ip verify reverse-path interface inside
ip verify reverse-path interface UNUSED
ip verify reverse-path interface outsideNew
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo-reply UNUSED
icmp permit any time-exceeded UNUSED
icmp permit any unreachable UNUSED
icmp permit any echo-reply outsideNew
icmp permit any time-exceeded outsideNew
icmp permit any unreachable outsideNew
asdm image disk0:/asdm-XXXXX.bin
asdm history enable
arp timeout 14400
global (UNUSED) 1 interface
global (outsideNew) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group outsideNew_access_in in interface outsideNew
route outsideNew 0.0.0.0 0.0.0.0 XXXXXXXXXXXXX 1
route UNUSED 0.0.0.0 0.0.0.0 XXXXXXXXXXX 2
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.192.0 255.255.252.0 inside
http 192.168.208.90 255.255.255.255 inside
http XXXXXXX 255.255.255.240 outsideNew
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outsideNew_map1 2 match address outsideNew_cryptomap_1
crypto map outsideNew_map1 2 set pfs group5
crypto map outsideNew_map1 2 set peer 93.20.180.195
crypto map outsideNew_map1 2 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outsideNew_map1 interface outsideNew
crypto isakmp enable outsideNew
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
telnet timeout 5
ssh scopy enable
ssh 192.168.192.0 255.255.252.0 inside
ssh 192.168.208.90 255.255.255.255 inside
ssh timeout 15
ssh version 2
console timeout 0
management-access inside
dhcpd auto_config outsideNew
!
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server XXXXXXXX source outsideNew
ntp server XXXXXXXXXXX source outsideNew
ntp server XXXXXXXXXXXXXX source outsideNew
tftp-server inside 192.168.192.XXXX XXXXXXXXXXXXXX.cfg
webvpn
username admin password XXXXXXXXXXXXXXXX encrypted privilege 15
tunnel-group XXXXXXXXXX type ipsec-l2l
tunnel-group XXXXXXXXXXXXXX ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect http
inspect icmp
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
: end

New Member

VPN clients cannot access remote site through site-to-site VPN

I appreciate that this was nearly a year ago, but I'm having similar issues and this is one of few posts where anyone else was having issues with a client VPN accessing a remote VLAN on a different site.

Do you remember what you did to fix it?

VPN clients cannot access remote site through site-to-site VPN

Hi,

Here you need to have hairpinning enabled to make this work.

http://www.petenetlive.com/KB/Article/0000040.htm

By

Karthik

New Member

Dear nkarthikeyan

I have configured the VPN as you recommended, but it fails. I don't know why. Can you give me some suggestions? Thank you!

New Member

run: packet-tracer input inside icmp SourceIP 8 0 RemoteIP

Post the results as well as your VPN config and some info on which host you are trying to access and from which network.

New Member

Thanks! Below is the configuration:

SiteA:

ASA 5525:

VPN gateway for remote users

LAN1:10.24.10.0/24

LAN2:10.24.15.0/24

LAN3:10.24.24.0/24

Remote VPN pool:10.1.84.0/24

site B :

ASA 5520

LAN1:10.1.0.0/24

LAN2:10.1.1.0/24

Both sites are connected through a site-to-site VPN, and the VPN works normally.

Remote clients (VPN clients) can connect to Site A LAN and see machines on LAN A but cannot see Site B LAN.

I want remote VPN clients to also be able to reach Site B, but I have tried many times and it does not succeed.

What do I miss?

SiteA:

ip local pool Remote_admin 10.1.84.100-10.1.84.200 mask 255.255.255.0

same-security-traffic permit intra-interface

object network Subnet1
subnet 10.1.0.0 255.255.255.0
object network Subnet2
subnet 10.1.1.0 255.255.255.0

object network Corp
subnet 10.24.15.0 255.255.255.0
object network Servers
subnet 10.24.10.0 255.255.255.0

object network Remote_admin
subnet 10.1.84.0 255.255.255.0

object-group network Subnets

network-object object Subnet1
network-object object Subnet2

object-group network SF_Network
network-object 10.24.24.0 255.255.255.0
network-object object Corp
network-object object Servers

access-list split standard permit 10.24.15.0 255.255.255.0 

access-list split standard permit 10.24.10.0 255.255.255.0 

access-list split standard permit 10.24.24.0 255.255.255.0 

access-list split standard permit 10.1.0.0 255.255.255.0

access-list split standard permit 10.1.1.0 255.255.255.0

access-list Outside1_cryptomap extended permit ip object-group SF_Network object-group Subnets
access-list Outside1_cryptomap extended permit ip object Remote_admin object-group Subnets

nat (Inside,Outside1) source static any any destination static Remote_admin Remote_admin
nat (Outside1,Outside1) source static Remote_admin Remote_admin destination static Subnets Subnets no-proxy-arp route-lookup
nat (Inside,Outside1) source static SF_Network SF_Network destination static Subnets Subnets no-proxy-arp route-lookup
nat (Inside,Outside1) after-auto source dynamic any interface
access-group Inside_access_in in interface Inside
access-group global_access global

crypto ipsec ikev1 transform-set Trans esp-aes-256 esp-sha-hmac 

crypto dynamic-map dyn1 65534 set security-association lifetime seconds 28800
crypto dynamic-map dyn1 65534 set security-association lifetime kilobytes 4608000
crypto dynamic-map dyn1 65534 set reverse-route

crypto map Outside1_map 1 match address Outside1_cryptomap
crypto map Outside1_map 1 set peer X.X.X.X 
crypto map Outside1_map 1 set ikev1 transform-set Trans
crypto map Outside1_map 1 set security-association lifetime seconds 28800
crypto map Outside1_map 1 set security-association lifetime kilobytes 4608000
crypto map Outside1_map 65534 ipsec-isakmp dynamic dyn1

crypto map Outside1_map interface Outside1

crypto isakmp nat-traversal 3600
crypto ikev1 enable Outside1
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400

group-policy GroupPolicy_X.X.X.X internal
group-policy GroupPolicy_X.X.X.X attributes
vpn-tunnel-protocol ikev1

group-policy Remote_Admin internal
group-policy Remote_Admin attributes
vpn-session-timeout none
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split
address-pools value Remote_admin

tunnel-group X.X.X.X type ipsec-l2l
tunnel-group X.X.X.X general-attributes
default-group-policy GroupPolicy_X.X.X.X
tunnel-group X.X.X.X ipsec-attributes
ikev1 pre-shared-key *****

tunnel-group Remote_admin type remote-access
tunnel-group Remote_admin general-attributes
address-pool Remote_admin
default-group-policy Remote_Admin
tunnel-group Remote_admin ipsec-attributes
ikev1 pre-shared-key *****

SiteB:

access-list no_nat extended permit ip 10.1.1.0 255.255.255.0 10.1.84.0 255.255.255.0
access-list no_nat extended permit ip 10.1.0.0 255.255.255.0 10.1.84.0 255.255.255.0
access-list no_nat extended permit ip 10.1.0.0 255.255.255.0 10.24.24.0 255.255.255.0
access-list no_nat extended permit ip 10.1.0.0 255.255.255.0 10.24.10.0 255.255.255.0
access-list no_nat extended permit ip 10.1.0.0 255.255.255.0 10.24.15.0 255.255.255.0
access-list no_nat extended permit ip 10.1.1.0 255.255.255.0 10.24.24.0 255.255.255.0
access-list no_nat extended permit ip 10.1.1.0 255.255.255.0 10.24.10.0 255.255.255.0
access-list no_nat extended permit ip 10.1.1.0 255.255.255.0 10.24.15.0 255.255.255.0

access-list Office extended permit ip 10.1.0.0 255.255.255.0 10.24.24.0 255.255.255.0
access-list Office extended permit ip 10.1.1.0 255.255.255.0 10.1.84.0 255.255.255.0
access-list Office extended permit ip 10.1.0.0 255.255.255.0 10.1.84.0 255.255.255.0
access-list Office extended permit ip 10.1.0.0 255.255.255.0 10.24.10.0 255.255.255.0
access-list Office extended permit ip 10.1.0.0 255.255.255.0 10.24.15.0 255.255.255.0
access-list Office extended permit ip 10.1.1.0 255.255.255.0 10.24.24.0 255.255.255.0
access-list Office extended permit ip 10.1.1.0 255.255.255.0 10.24.10.0 255.255.255.0
access-list Office extended permit ip 10.1.1.0 255.255.255.0 10.24.15.0 255.255.255.0

nat (Inside) 0 access-list no_nat
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto ipsec transform-set Office esp-aes-256 esp-sha-hmac
crypto map mymap 90 match address Office
crypto map mymap 90 set peer X.X.X.X 
crypto map mymap 90 set transform-set Office
crypto map mymap 90 set security-association lifetime seconds 28800
crypto map mymap 90 set security-association lifetime kilobytes 4608000

crypto map mymap interface Outside

tunnel-group X.X.X.X type ipsec-l2l
tunnel-group X.X.X.X ipsec-attributes
pre-shared-key *

I ran this command at SiteB:

packet-tracer input inside icmp 10.1.0.195 8 0 10.1.84.102

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.1.84.0 255.255.255.0 Outside

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
nat-control
match ip Inside 10.1.0.0 255.255.255.0 Outside 10.1.84.0 255.255.255.0
NAT exempt
translate_hits = 4, untranslate_hits = 170
Additional Information:

Phase: 7
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (Inside) 1 10.1.0.0 255.255.255.0
nat-control
match ip Inside 10.1.0.0 255.255.255.0 Outside any
dynamic translation to pool 1 (116.246.25.164 [Interface PAT])
translate_hits = 15542307, untranslate_hits = 1167241
Additional Information:

Phase: 8
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (Inside) 1 10.1.0.0 255.255.255.0
nat-control
match ip Inside 10.1.0.0 255.255.255.0 Outside any
dynamic translation to pool 1 (116.246.25.164 [Interface PAT])
translate_hits = 15542307, untranslate_hits = 1167241
Additional Information:

Phase: 9
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
input-interface: Inside
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

I also ran the command at SiteA:

packet-tracer input outside1 icmp 10.1.84.102 8 0 10.1.0.195

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 Outside1

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group global_access global
access-list global_access extended permit icmp any4 any4
Additional Information:

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (Outside1,Outside1) source static Remote_admin Remote_admin destination static ChinaSubnets ChinaSubnets no-proxy-arp route-lookup
Additional Information:
Static translate 10.1.84.102/0 to 10.1.84.102/0

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
input-interface: Outside1
input-status: up
input-line-status: up
output-interface: Outside1
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

If you want any other information, please tell me. Thank you!
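An added example, not part of this thread, that parses packet-tracer output like the two traces above and reports the phase where the flow died (here VPN/encrypt) together with which NAT phases it passed through, which is the distinction the replies below turn on. The sample trace is constructed and abbreviated, and the public address in it is a documentation-range placeholder.

```python
import re
from typing import Dict, List

# Constructed sample shaped like the Site B trace posted above, trimmed to the phases
# that matter (NAT exempt, dynamic PAT, the VPN encrypt drop and the final verdict);
# the public address is a documentation-range placeholder.
SAMPLE_TRACE = """\
Phase: 6
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
match ip Inside 10.1.0.0 255.255.255.0 Outside 10.1.84.0 255.255.255.0
NAT exempt
Additional Information:

Phase: 7
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (Inside) 1 10.1.0.0 255.255.255.0
match ip Inside 10.1.0.0 255.255.255.0 Outside any
dynamic translation to pool 1 (203.0.113.10 [Interface PAT])
Additional Information:

Phase: 9
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
input-interface: Inside
output-interface: Outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


def parse_trace(text: str) -> Dict[str, object]:
    """Split packet-tracer output into one dict per phase plus the final verdict block."""
    phases: List[dict] = []
    verdict: Dict[str, str] = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        if lines[0].startswith("Phase:"):
            phase: dict = {"config": [], "info": []}
            section = None  # None until "Config:", then "config" / "info"
            for line in lines[1:]:
                if line.startswith("Config:"):
                    section = "config"
                elif line.startswith("Additional Information:"):
                    section = "info"
                elif section:
                    phase[section].append(line.strip())
                else:  # header fields: Type, Subtype, Result
                    key, _, val = line.partition(":")
                    phase[key.strip().lower()] = val.strip()
            phases.append(phase)
        elif lines[0].startswith("Result:"):
            for line in lines[1:]:
                key, _, val = line.partition(":")
                verdict[key.strip().lower()] = val.strip()
    return {"phases": phases, "verdict": verdict}


def triage(text: str) -> Dict[str, object]:
    """Report where the flow died and which NAT phases it passed through on the way."""
    trace = parse_trace(text)
    phases = trace["phases"]
    drop = next((p for p in phases if p.get("result") == "DROP"), None)
    nat_phases = [p for p in phases if p.get("type", "").startswith("NAT")]
    return {
        "dropped_at": f'{drop["type"]}/{drop["subtype"] or "-"}' if drop else None,
        "drop_reason": trace["verdict"].get("drop-reason", ""),
        "nat_exempt_hit": any(p["type"] == "NAT-EXEMPT" for p in nat_phases),
        "interface_pat_hit": any("Interface PAT" in line
                                 for p in nat_phases for line in p["config"]),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_TRACE).items():
        print(f"{key}: {value}")
```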

New Member

At Site B it looks like it's actually being NAT/PAT'd out to the internet and not exempt from NAT. Make sure you have a no-nat statement at site B so the traffic is not PAT'd to the Internet. On the new 9.x ASA code this is done by the static NATs and no longer done via the NONAT ACLs. Basically, at site B match what you have working for the site-to-site VPN (ACL and static NATs) for the RA VPN subnet and that should push that traffic over the tunnel. I did this recently for a client and this is what I ended up having to do on their ASA.

Remote Site B (8.2 code)

access-list VPN extended permit ip 10.46.1.0 255.255.255.0 10.41.9.0 255.255.0.0
access-list NONAT extended permit ip 10.46.1.0 255.255.255.0 10.41.9.0 255.255.255.0

Main Site A (9.x Code)

access-list outside_cryptomap extended permit ip 10.41.9.0 255.255.255.0 10.46.1.0 255.255.255.0

New Member

I have configured the exemption from NAT, see below:

Site B:

access-list no_nat extended permit ip 10.1.1.0 255.255.255.0 10.1.84.0 255.255.255.0
access-list no_nat extended permit ip 10.1.0.0 255.255.255.0 10.1.84.0 255.255.255.0

access-list Office extended permit ip 10.1.1.0 255.255.255.0 10.1.84.0 255.255.255.0
access-list Office extended permit ip 10.1.0.0 255.255.255.0 10.1.84.0 255.255.255.0

Site A:

access-list Outside1_cryptomap extended permit ip object Remote_admin object-group Subnets

Is there any other problem?

New Member

That looks good. What version of ASA code are you running? If you are running 8.3 and above you will need static NATs.

8.3+ code NAT should look something like this.

Site A (interface name may vary for you)

nat (inside,outside) source static Remote_admin Remote_admin destination static SiteBSubnetObject SiteBSubnetObject no-proxy-arp route-lookup

Site B

nat (inside,outside) source static SiteBSubnetObject SiteBSubnetObject destination static Remote_admin Remote_admin no-proxy-arp route-lookup

New Member

Thanks for your help,

At SiteA, the version of the ASA is 9.0(1). I think the "remote client" belongs to the outside flow, what do you think? So I think I should configure the NAT as what I have copied to the discussion: nat (Outside1,Outside1) source static Remote_admin Remote_admin destination static Subnets Subnets no-proxy-arp route-lookup

At SiteB, the version is 8.0(5), so it does not need NAT configuration.

Do you think there is some other possibility?

New Member

Dear Raul

Do you have any idea?

New Member

Hi, sorry for dropping off. Been traveling etc. So, looking at the ICMP traces you ran, it fails at the VPN encrypt phase. Site B looks good as far as I can tell. However, in your site A trace your NAT is matching a ChinaSubnet, which I did not see in your config. I noticed you had a Subnets group with subnet 1 and 2 in the posted config, but it seems it's not matching that. Your static NAT entry for this may need to be placed before this China one. I would also add the following command: "same-security-traffic permit inter-interface". Sorry for the formatting as I am on my phone.

New Member

Dear Raul

Many thanks for your help

I have added the following command, "same-security-traffic permit inter-interface", but it still fails.

In fact, "ChinaSubnet" means "Subnet"; I just replaced it with "Subnet" when I copied the configuration to the discussion.

New Member

Try changing your NAT at site A from (outside1,outside1) to (inside,outside1).

Also, can you post the show run crypto from both sides along with the NAT, nonat, split-tunnel ACL and crypto ACL. Try not to change anything that's not specifically identifiable to your company. I am getting on a plane soon and won't be able to reply. I should have some PC access tomorrow and can look over the full outputs and piece them together better.

New Member

Dear Raul

Thanks for your help! Please see the configuration below:

SiteA:

ASA Version 9.0(1)

ip local pool Remote_admin 10.1.84.100-10.1.84.200 mask 255.255.255.0
!
interface GigabitEthernet0/0
nameif Outside1
security-level 0
ip address A.A.A.A 255.255.255.248
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network ChinaSubnet1
subnet 10.1.0.0 255.255.255.0
object network ChinaSubnet2
subnet 10.1.1.0 255.255.255.0
object network Corp
subnet 10.24.15.0 255.255.255.0
object network Servers
subnet 10.24.10.0 255.255.255.0
object network MGT
subnet 10.24.5.0 255.255.255.0
object network R&D
subnet 10.24.20.0 255.255.255.0
object network Remote_admin
subnet 10.1.84.0 255.255.255.0

object-group network ChinaSubnets
network-object object ChinaSubnet1
network-object object ChinaSubnet2

object-group network SF_Network
network-object 10.24.24.0 255.255.255.0
network-object object Corp
network-object object Servers
access-list global_access extended permit icmp any4 any4
access-list Inside_access_in extended permit ip any any
access-list Outside1_cryptomap extended permit ip object-group SF_Network object-group ChinaSubnets
access-list Outside1_cryptomap extended permit ip object Remote_admin object-group ChinaSubnets
access-list split standard permit 10.24.5.0 255.255.255.0
access-list split standard permit 10.1.1.0 255.255.255.0
access-list split standard permit 10.1.0.0 255.255.255.0
access-list split standard permit 10.24.10.0 255.255.255.0
access-list split standard permit 10.24.20.0 255.255.255.0
access-list split standard permit 10.24.24.0 255.255.255.0
access-list split standard permit 10.24.15.0 255.255.255.0
!
nat (Inside,Outside1) source static any any destination static Remote_admin Remote_admin
nat (Inside,Outside1) source static SF_Network SF_Network destination static ChinaSubnets ChinaSubnets no-proxy-arp route-lookup
nat (Inside,Outside1) source static Remote_admin Remote_admin destination static ChinaSubnets ChinaSubnets no-proxy-arp route-lookup
!
nat (Inside,Outside1) after-auto source dynamic any interface
access-group Inside_access_in in interface Inside
access-group global_access global

crypto ipsec ikev1 transform-set China_Trans esp-aes-256 esp-sha-hmac

crypto dynamic-map dyn1 65534 set security-association lifetime seconds 28800
crypto dynamic-map dyn1 65534 set security-association lifetime kilobytes 4608000
crypto dynamic-map dyn1 65534 set reverse-route
crypto map Outside1_map 1 match address Outside1_cryptomap
crypto map Outside1_map 1 set peer B.B.B.B
crypto map Outside1_map 1 set ikev1 transform-set China_Trans
crypto map Outside1_map 1 set security-association lifetime seconds 28800
crypto map Outside1_map 1 set security-association lifetime kilobytes 4608000
crypto map Outside1_map 65534 ipsec-isakmp dynamic dyn1


crypto map Outside1_map interface Outside1
crypto ca trustpool policy
crypto isakmp nat-traversal 3600
crypto ikev1 enable Outside1
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400


group-policy GroupPolicy_B.B.B.B internal
group-policy GroupPolicy_B.B.B.B attributes
vpn-tunnel-protocol ikev1

group-policy Remote_Admin internal
group-policy Remote_Admin attributes
vpn-session-timeout none
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split
address-pools value Remote_admin

tunnel-group B.B.B.B type ipsec-l2l
tunnel-group B.B.B.B general-attributes
default-group-policy GroupPolicy_B.B.B.B
tunnel-group B.B.B.B ipsec-attributes
ikev1 pre-shared-key *****
isakmp keepalive threshold infinite

tunnel-group Remote_admin type remote-access
tunnel-group Remote_admin general-attributes
address-pool Remote_admin
default-group-policy Remote_Admin
tunnel-group Remote_admin ipsec-attributes
ikev1 pre-shared-key *****

SiteB:

ASA Version 8.0(5)
!

interface GigabitEthernet0/0
nameif Outside
security-level 0
ip address B.B.B.B 255.255.255.240


access-list no_nat extended permit ip 10.1.1.0 255.255.255.0 10.1.84.0 255.255.255.0
access-list no_nat extended permit ip 10.1.0.0 255.255.255.0 10.1.84.0 255.255.255.0
access-list no_nat extended permit ip 10.1.0.0 255.255.255.0 10.24.24.0 255.255.255.0
access-list no_nat extended permit ip 10.1.0.0 255.255.255.0 10.24.10.0 255.255.255.0
access-list no_nat extended permit ip 10.1.0.0 255.255.255.0 10.24.15.0 255.255.255.0
access-list no_nat extended permit ip 10.1.1.0 255.255.255.0 10.24.24.0 255.255.255.0
access-list no_nat extended permit ip 10.1.1.0 255.255.255.0 10.24.10.0 255.255.255.0
access-list no_nat extended permit ip 10.1.1.0 255.255.255.0 10.24.15.0 255.255.255.0

access-list AmericanOffice extended permit ip 10.1.0.0 255.255.255.0 10.24.24.0 255.255.255.0
access-list AmericanOffice extended permit ip 10.1.1.0 255.255.255.0 10.1.84.0 255.255.255.0
access-list AmericanOffice extended permit ip 10.1.0.0 255.255.255.0 10.1.84.0 255.255.255.0
access-list AmericanOffice extended permit ip 10.1.0.0 255.255.255.0 10.24.10.0 255.255.255.0
access-list AmericanOffice extended permit ip 10.1.0.0 255.255.255.0 10.24.15.0 255.255.255.0
access-list AmericanOffice extended permit ip 10.1.1.0 255.255.255.0 10.24.24.0 255.255.255.0
access-list AmericanOffice extended permit ip 10.1.1.0 255.255.255.0 10.24.10.0 255.255.255.0
access-list AmericanOffice extended permit ip 10.1.1.0 255.255.255.0 10.24.15.0 255.255.255.0


nat (Inside) 0 access-list no_nat
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto ipsec transform-set AmericanOffice esp-aes-256 esp-sha-hmac
crypto map mymap 90 match address AmericanOffice
crypto map mymap 90 set peer A.A.A.A
crypto map mymap 90 set transform-set AmericanOffice
crypto map mymap 90 set security-association lifetime seconds 28800
crypto map mymap 90 set security-association lifetime kilobytes 4608000

crypto map mymap interface Outside

tunnel-group A.A.A.A type ipsec-l2l
tunnel-group A.A.A.A ipsec-attributes
pre-shared-key *

New Member

Dear Raul, what do you think about this? I have copied the configuration for SiteA & SiteB.

New Member

VPN clients cannot access remote site through site-to-site VPN

Hi Chris,

Adding these 2 commands on site A should most probably fix your issue:

access-list External-DMZ_nat0_outbound extended permit ip VPNPool_AnyConnect 255.255.255.224 SiteB_Internal_Network 255.255.252.0

access-list split-lan standard permit SiteB_Internal_Network 255.255.252.0

Shikhar Sharma

CCIE Security # 29741

Cisco TAC - VPN Team
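The replies above boil down to one checklist for remote-access clients reaching the far side of a site-to-site tunnel: both crypto ACLs must carry the VPN pool, the far side must exempt pool traffic from NAT (nat 0 on 8.x, identity twice-NAT on 8.3+, as in the "That looks good" reply), and the split-tunnel list must include the remote subnets (as in the answer just above). The following is an added example, not code from the thread or from Cisco: it parses the ASA fragments both sites posted (here as constructed samples using this thread's addressing and ACL names) and lists whichever of those checks fail.

```python
import re
from ipaddress import IPv4Network as Net
from typing import Dict, List, Tuple

# Constructed Site A (9.x, object-based) and Site B (8.0, flat ACL) fragments using the
# addressing from this thread; Site A's split-tunnel list deliberately omits 10.1.1.0/24.
SITE_A = """\
object network Remote_admin
 subnet 10.1.84.0 255.255.255.0
object-group network ChinaSubnets
 network-object 10.1.0.0 255.255.255.0
 network-object 10.1.1.0 255.255.255.0
access-list Outside1_cryptomap extended permit ip object Remote_admin object-group ChinaSubnets
access-list split standard permit 10.1.0.0 255.255.255.0
nat (Inside,Outside1) source static Remote_admin Remote_admin destination static ChinaSubnets ChinaSubnets no-proxy-arp route-lookup
"""
SITE_B = """\
access-list no_nat extended permit ip 10.1.0.0 255.255.255.0 10.1.84.0 255.255.255.0
access-list no_nat extended permit ip 10.1.1.0 255.255.255.0 10.1.84.0 255.255.255.0
access-list AmericanOffice extended permit ip 10.1.0.0 255.255.255.0 10.1.84.0 255.255.255.0
access-list AmericanOffice extended permit ip 10.1.1.0 255.255.255.0 10.1.84.0 255.255.255.0
"""
# Identity twice-NAT, the 8.3+ replacement for "nat 0 access-list" exemption.
NAT_RE = re.compile(r"^nat \(\S+\) source static (\S+) \1 destination static (\S+) \2", re.M)
Pair = Tuple[List[Net], List[Net]]  # (source networks, destination networks)


class Asa:
    """Network objects/groups, 'permit ip' extended ACLs, standard ACLs and identity NAT."""

    def __init__(self, cfg: str) -> None:
        self.objects: Dict[str, List[Net]] = {}
        self.ext: Dict[str, List[Pair]] = {}
        self.std: Dict[str, List[Net]] = {}
        cur: List[Net] = []  # members of the object/group currently being defined
        for t in filter(None, (line.split() for line in cfg.splitlines())):
            if t[0] in ("object", "object-group") and t[1] == "network":
                cur = self.objects.setdefault(t[2], [])
            elif t[0] == "subnet":
                cur.append(Net(f"{t[1]}/{t[2]}"))
            elif t[0] == "network-object":
                cur.extend(self.operand(t, 1)[0])
            elif t[0] == "access-list" and t[2:4] == ["standard", "permit"]:
                self.std.setdefault(t[1], []).append(Net(f"{t[4]}/{t[5]}"))
            elif t[0] == "access-list" and t[2:5] == ["extended", "permit", "ip"]:
                src, i = self.operand(t, 5)
                dst, _ = self.operand(t, i)
                self.ext.setdefault(t[1], []).append((src, dst))
        # Names that are not objects (e.g. "any") resolve to nothing, so they never count as coverage.
        self.nat: List[Pair] = [(self.objects.get(m.group(1), []), self.objects.get(m.group(2), []))
                                for m in NAT_RE.finditer(cfg)]

    def operand(self, t: List[str], i: int) -> Tuple[List[Net], int]:
        """Resolve one ACL operand ('object X', 'object-group X', 'any', 'addr mask')."""
        if t[i] in ("object", "object-group"):
            return self.objects[t[i + 1]], i + 2
        if t[i] in ("any", "any4"):
            return [Net("0.0.0.0/0")], i + 1
        return [Net(f"{t[i]}/{t[i + 1]}")], i + 2


def covers(pairs: List[Pair], src: Net, dst: Net) -> bool:
    """True if some entry's sources contain src and its destinations contain dst."""
    return any(any(src.subnet_of(s) for s in ss) and any(dst.subnet_of(d) for d in ds)
               for ss, ds in pairs)


def hairpin_gaps(site_a: str, site_b: str, pool: str, remote: List[str]) -> List[str]:
    """Walk the thread's checklist for pool <-> remote-subnet traffic; ACL names are the thread's."""
    a, b, p = Asa(site_a), Asa(site_b), Net(pool)
    gaps: List[str] = []
    for net in map(Net, remote):
        if not covers(a.ext.get("Outside1_cryptomap", []), p, net):
            gaps.append(f"Site A crypto ACL lacks {p} -> {net}")
        if not covers(a.nat, p, net):
            gaps.append(f"Site A has no identity NAT for {p} -> {net}")
        if not any(net.subnet_of(n) for n in a.std.get("split", [])):
            gaps.append(f"Site A split-tunnel list lacks {net}")
        if not covers(b.ext.get("AmericanOffice", []), net, p):
            gaps.append(f"Site B crypto ACL lacks {net} -> {p}")
        if not covers(b.ext.get("no_nat", []), net, p):
            gaps.append(f"Site B nat 0 ACL lacks {net} -> {p}")
    return gaps
```

Run it as `hairpin_gaps(SITE_A, SITE_B, "10.1.84.0/24", ["10.1.0.0/24", "10.1.1.0/24"])`; the constructed samples produce exactly one finding, the missing split-tunnel entry for 10.1.1.0/24.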

New Member

Dear Chris

Have you resolved the issue? I have the same issue as you.
