
We have two ASA 5510s, one on 8.4(4) and one on 8.2(5), in a site-to-site VPN setup. All internal traffic is working smoothly.

Site/Subnet A: 192.100.0.0 - local (8.4(4))
Site/Subnet B: 192.200.0.0 - remote (8.2(5))
VPN Users: 192.100.40.0 - assigned by ASA

When you VPN into the network, all traffic hits Site A, and everything on subnet A is accessible.

Site B, however, is completely inaccessible to VPN users. None of the machines on subnet B, the firewall itself, etc. are reachable by ping or otherwise.

I downgraded to 8.2 and then went back up to 8.4 on the Site A ASA. Site B is now running 8.2(5).

Thank you very much in advance, and I hope I have been thorough enough.

Siriss
  • Sounds to me like you're maybe missing a route between your VPN network of 192.100.40.0/24 and your Site B 192.200.0.0 network. Does that route exist? – DKNUCKLES Jul 10 '12 at 19:35
  • He must have a route to 192.200.0.0, as he's able to pass traffic over the vpn tunnel. – sjw Jul 10 '12 at 21:05

2 Answers

1

It's possible you're missing a NAT, but first make sure you've got this line added to your config: same-security-traffic permit intra-interface.

Cisco's command reference for it is here: ver8.4 Command Ref. It will allow "hairpinning", which is disabled by default. In ASDM, it is located under Configuration -> Device Setup -> Interfaces, at the bottom of the page.

Before you create NATs, you should create objects to reference in the NATs:

    object network obj-192.100.0.0
     subnet 192.100.0.0 255.255.255.0
     description Subnet A

    object network obj-192.200.0.0
     subnet 192.200.0.0 255.255.255.0
     description Subnet B

    object network obj-192.100.40.0
     subnet 192.100.40.0 255.255.255.0
     description Remote Access VPN Users

The NATs from your remote access subnet to your subnet B would be:

    nat (outside,outside) source static obj-192.100.40.0 obj-192.100.40.0 destination static obj-192.200.0.0 obj-192.200.0.0

sjw
  • Thanks, I checked that and it is there (and the checkbox is checked). I am stumped. – Siriss Jul 10 '12 at 22:58
  • I tried this, and it still does not seem to allow traffic. What outputs do you need? – Siriss Jul 11 '12 at 22:41
  • Any ideas? I have tried all variations on this I could think of. Thanks again for the help! – Siriss Jul 12 '12 at 21:57
  • Anyone? Sort of bumping this. I am really stuck here still. Cisco is taking forever to get back to me on their support. – Siriss Jul 13 '12 at 17:49
1

It turns out it was a combination of the NAT rule and the site-to-site ACL. For some reason, the ACL settings were not sticking because of a conflict in the configuration due to the 8.2 to 8.4 upgrade. It is complicated for me to explain, but after 1.5 hours on the phone with Cisco, they rebuilt the site-to-site tunnel in 8.4(4) and it set the ACL correctly. If you ever run into this again and you just updated from 8.2 to 8.4, the solution seems to be to rebuild the site-to-site from scratch. Thanks for the help everyone!

Siriss
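As an added illustration of the two pieces the accepted answer names (the identity NAT and the site-to-site crypto ACL), and not configuration from the original post or from Cisco, here is what both ends look like once the remote-access pool is carried inside the tunnel; the interface names `inside`/`outside`, the ACL and crypto map names, and the test hosts are assumptions.

```text
! Site A, ASA 8.4(4): VPN clients enter and leave on "outside" (hairpin)
same-security-traffic permit intra-interface

object network obj-192.200.0.0
 subnet 192.200.0.0 255.255.255.0
object network obj-192.100.40.0
 subnet 192.100.40.0 255.255.255.0

! Identity NAT pool -> Site B. no-proxy-arp stops the ASA answering ARP
! for the pool; route-lookup makes egress follow the routing table.
nat (outside,outside) source static obj-192.100.40.0 obj-192.100.40.0 destination static obj-192.200.0.0 obj-192.200.0.0 no-proxy-arp route-lookup

! Crypto ACL (name assumed). Without the second line the pool's traffic
! never matches the tunnel, whatever the NAT says.
access-list L2L-SITEB extended permit ip 192.100.0.0 255.255.255.0 192.200.0.0 255.255.255.0
access-list L2L-SITEB extended permit ip 192.100.40.0 255.255.255.0 192.200.0.0 255.255.255.0

! Site B, ASA 8.2(5): mirror image in pre-8.3 syntax
access-list L2L-SITEA extended permit ip 192.200.0.0 255.255.255.0 192.100.0.0 255.255.255.0
access-list L2L-SITEA extended permit ip 192.200.0.0 255.255.255.0 192.100.40.0 255.255.255.0

! NAT exemption so replies to the pool are not translated on the way out
access-list NONAT extended permit ip 192.200.0.0 255.255.255.0 192.100.0.0 255.255.255.0
access-list NONAT extended permit ip 192.200.0.0 255.255.255.0 192.100.40.0 255.255.255.0
nat (inside) 0 access-list NONAT

! Checks on Site A (client and server addresses are constructed):
! the pool pair should appear as its own SA, and the trace should end
! with "Action: allow" leaving via the VPN rather than being dropped at NAT
! show crypto ipsec sa | include local ident|remote ident|#pkts
! packet-tracer input outside icmp 192.100.40.10 8 0 192.200.0.10
```

If packet-tracer drops the packet at the NAT phase, the identity rule is wrong or misordered; if it drops at the VPN phase, the crypto ACL on one side is still missing the pool entry.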