[c-nsp] VPN issues

Joel M Snyder Joel.Snyder at Opus1.COM
Tue Jan 15 02:02:05 EST 2008


You probably don't have a matching SPD on the remote site.  That's my guess.

If the user is coming in and having an IP address assigned, then that IP address 
has to be in the protected network on both ends.  Did you remember to put the 
set of assigned IP addresses in the SPD on the remote site that the user is 
trying to get to?

Look at the IPsec selectors on the tunnel at the remote site and make sure that 
the source & destinations you're using (the assigned IP and the remote network) 
are covered.

In addition, the ASA has to be smart enough to decrypt/encrypt on the same 
packet.  That used to be a strange feature, but I can't imagine that the ASA 
won't do it (the PIX used to, anyway).  However, it's possible that you need to 
kick on some feature to allow that in the 'anything we didn't use to do, you 
now have to explicitly ask for like cef even though everyone wants it' theory.

jms

Aaron R wrote:
> Hey guys, 
> 
> This is a quick one. Has anyone had problems with VPN remote access clients
> accessing resources over a LAN to LAN or site to site VPN before? Can anyone
> illustrate what considerations need to be made typically for this kind of
> setup? Below is my situation.
> 
> 1. Client connects to our network via Cisco VPN Client to ASA.
> 2. Client attempts to access resources at a remote site via a Site-to-Site
> Tunnel configured on the same ASA.
> 3. I can see the outbound connection is made but I see nothing after this point
> (I am using syslogs here)
> 4. I see no deny or drops after this point but the connection is not made
> back to the existing VPN client.
> 
> 
> Cheers,
> 
> Aaron.
> 

-- 
Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
Senior Partner, Opus One       Phone: +1 520 324 0494
jms at Opus1.COM                http://www.opus1.com/jms
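The selector check described in the reply above, as an added example that is not part of the original thread: a small Python script that models the IPsec selectors (crypto ACL entries) on both ends of the site-to-site tunnel and reports which end fails to select the VPN-client-to-remote-LAN flow. All networks and addresses are constructed for illustration; the same-interface decrypt/encrypt setting is a separate ASA feature not modelled here.

```python
from ipaddress import ip_address, ip_network

# Constructed scenario: a remote-access client gets an address from a pool on the
# hub ASA, then tries to reach a LAN behind a site-to-site tunnel that terminates
# on the same ASA. Networks are assumptions, not values from the original post.
HUB_LAN = ip_network("10.1.0.0/16")
RA_POOL = ip_network("192.168.50.0/24")   # addresses handed to VPN clients
SPOKE_LAN = ip_network("10.2.0.0/16")     # network behind the site-to-site peer


def mirrored(entries):
    """Selector set the peer must carry: every (src, dst) pair swapped."""
    return {(dst, src) for src, dst in entries}


def covers(entries, src, dst):
    """True if some selector (src_net, dst_net) contains both addresses."""
    return any(src in s and dst in d for s, d in entries)


def check_flow(local_spd, remote_spd, src, dst):
    """Report which end does not select the flow src -> dst.

    local_spd / remote_spd are sets of (source_net, dest_net) as each side
    writes its own outbound selectors. The remote end is checked against the
    return direction (dst -> src), which is what its selectors must match.
    """
    src, dst = ip_address(src), ip_address(dst)
    problems = []
    if not covers(local_spd, src, dst):
        problems.append("local SPD does not select %s -> %s" % (src, dst))
    if not covers(remote_spd, dst, src):
        problems.append("remote SPD does not select %s -> %s" % (dst, src))
    return problems


# Crypto ACL as typically written: only the two LANs, no client pool.
hub_spd_before = {(HUB_LAN, SPOKE_LAN)}
spoke_spd_before = mirrored(hub_spd_before)

# Fix: the assigned pool has to be in the SPD on BOTH ends, not just the hub.
hub_spd_after = hub_spd_before | {(RA_POOL, SPOKE_LAN)}
spoke_spd_after = mirrored(hub_spd_after)

CLIENT_IP = "192.168.50.10"   # assumed pool address assigned to the client
SERVER_IP = "10.2.3.4"        # assumed host behind the spoke

if __name__ == "__main__":
    for label, hub, spoke in (("both old", hub_spd_before, spoke_spd_before),
                              ("hub fixed only", hub_spd_after, spoke_spd_before),
                              ("both fixed", hub_spd_after, spoke_spd_after)):
        print(label, check_flow(hub, spoke, CLIENT_IP, SERVER_IP) or ["covered"])
```

The "hub fixed only" case is the one the reply guesses at: the flow is selected locally, yet the remote end still has no selector for the pool and silently never builds the return path.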