Velocity Reviews - Computer Hardware Reviews

Site to Site VPN Problem

Peter Simons
06-27-2007
X-No-Archive: yes

Chad Mahoney wrote:
> Peter Simons wrote:
>>
>
> 2 things
>
> 1. If you can connect to resources across the tunnel via the IP address
> but not host name, then you have DNS problems. DNS is not TCP, it is UDP.

It's not a DNS problem, as the server name was resolving correctly.

> 2. Are you using RPC over HTTP? Cache Mode?

Neither, as we use Outlook 2000.

> I see you are using this ACL on the ASA for communication between the
> sites:
>
> access-list inside_nat0_outbound extended permit ip 10.0.50.0
> 255.255.255.0 10.0.20.0 255.255.255.0
>
> So you are allowing 10.0.50.0/24 to 10.0.200/24 but I do not see where
> you are allowing 10.0.20.0/24 into the 10.0.50.0/24 network. Are you
> syslogging the ASA, can you capture some traffic and post it?

If you look at the config:

access-list outside_access_in extended permit ip 10.0.20.0
255.255.255.0 10.0.50.0 255.255.255.0

and

access-list inside_access_in extended permit ip 10.0.50.0 255.255.255.0
10.0.20.0 255.255.255.0

Packet trace is all OK.

I think I will need to do some weekend working to get recorded syslog
info. I just used debug mode instead of sending to a syslogger.

I also think that the problem may be that the local domain controller
and global catalog server was out of phase with the domain controller at
the main site, due to the other symptoms such as not being able to log
into an SQL database.

Thanks for your help

Peter
Chad Mahoney
06-27-2007
Peter Simons wrote:
> X-No-Archive: yes
>
> Chad Mahoney wrote:
>> Peter Simons wrote:
>>>
>>
>> 2 things
>>
>> 1. If you can connect to resources across the tunnel via the IP
>> address but not host name, then you have DNS problems. DNS is not TCP,
>> it is UDP.
>
> It's not a DNS problem, as the server name was resolving correctly.
>
>> I see you are using this ACL on the ASA for communication between the
>> sites:
>>
>> access-list inside_nat0_outbound extended permit ip 10.0.50.0
>> 255.255.255.0 10.0.20.0 255.255.255.0
>>
>> So you are allowing 10.0.50.0/24 to 10.0.200/24 but I do not see where
>> you are allowing 10.0.20.0/24 into the 10.0.50.0/24 network. Are you
>> syslogging the ASA, can you capture some traffic and post it?
>
> If you look at the config:
>
> access-list outside_access_in extended permit ip 10.0.20.0
> 255.255.255.0 10.0.50.0 255.255.255.0
>
> and
>
> access-list inside_access_in extended permit ip 10.0.50.0 255.255.255.0
> 10.0.20.0 255.255.255.0

While that may be the case, you are not applying that ACL to your no-NAT
statement:

nat (inside) 0 access-list inside_nat0_outbound

so the only traffic being excluded from NAT is that which matches
inside_nat0_outbound.

access-group inside_access_in in interface inside

is being applied to traffic from the internal network to the external; it
says nothing about traffic arriving at your external interface trying to
come inbound, such as your VPN traffic.
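As an added illustration (not part of the thread), a small Python checker that parses the access-list and nat 0 lines quoted above and reports, for a given source and destination, which ACLs permit the flow and whether the NAT-exemption ACL lists it as written or only with the endpoints swapped. The config text is a constructed sample built from the lines posted in the thread; only the "extended permit/deny ip" ACE form and first-match-with-implicit-deny semantics are modelled, nothing else about ASA behaviour is assumed.

```python
"""Check which ASA ACLs match a flow and whether the nat 0 (NAT-exemption) ACL covers it."""
import ipaddress
import re

# Constructed sample built from the access-list and nat lines quoted in the thread;
# nothing else about the firewall is assumed.
SAMPLE_CONFIG = """
access-list inside_nat0_outbound extended permit ip 10.0.50.0 255.255.255.0 10.0.20.0 255.255.255.0
access-list outside_access_in extended permit ip 10.0.20.0 255.255.255.0 10.0.50.0 255.255.255.0
access-list inside_access_in extended permit ip 10.0.50.0 255.255.255.0 10.0.20.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
"""

# Only the "extended permit|deny ip <src> <mask> <dst> <mask>" form is parsed here.
ACE_RE = re.compile(r"^access-list (\S+) extended (permit|deny) ip (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")


def parse_config(text):
    """Return ({acl_name: [(action, src_net, dst_net), ...]}, {interface: nat0_acl_name})."""
    acls, nat0 = {}, {}
    for raw in text.strip().splitlines():
        line = raw.strip()
        if m := ACE_RE.match(line):
            name, action, s, sm, d, dm = m.groups()
            entry = (action, ipaddress.ip_network(f"{s}/{sm}"), ipaddress.ip_network(f"{d}/{dm}"))
            acls.setdefault(name, []).append(entry)
        elif m := NAT0_RE.match(line):
            nat0[m.group(1)] = m.group(2)
    return acls, nat0


def acl_verdict(aces, src, dst):
    """First matching entry wins; an ACL ends with an implicit deny, as on the ASA."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, s_net, d_net in aces:
        if src in s_net and dst in d_net:
            return action
    return "deny"


def check_flow(config_text, src, dst, nat_interface="inside"):
    """Per-ACL verdict for src->dst, plus whether the nat 0 ACL bound to nat_interface
    lists this flow as written (src->dst) or only with the endpoints swapped (dst->src)."""
    acls, nat0 = parse_config(config_text)
    nat0_name = nat0.get(nat_interface)
    nat0_aces = acls.get(nat0_name, [])
    return {
        "acl": {name: acl_verdict(aces, src, dst) for name, aces in acls.items()},
        "nat0_acl": nat0_name,
        "nat0_matches_forward": acl_verdict(nat0_aces, src, dst) == "permit",
        "nat0_matches_reverse": acl_verdict(nat0_aces, dst, src) == "permit",
    }
```

Running `check_flow(SAMPLE_CONFIG, "10.0.20.5", "10.0.50.10")` shows the inbound direction is permitted by outside_access_in but appears in the nat 0 ACL only with the endpoints swapped, which is the asymmetry the reply above is pointing at.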