Velocity Reviews - Computer Hardware Reviews

Site to Site VPN . Cant Connect To Inside Router Interfaces

GNY
08-05-2007
Hello..

I have a LAN-to-LAN tunnel between 2 sites. Let's say the internal
networks are 10.10.70.0/24 and 10.10.80.0/24. All hosts on each side
can talk, ping, connect and everything with one another. However I
can't get to the router inside interfaces where each LAN lives.

So from a host on 10.10.70.0/24 I can't get to 10.10.80.1 .. and vice
versa (10.10.80.0/24 --> 10.10.70.1).. These are both ASA devices. I'm
thinking this has to do directly with the ASA interface security, but
I can't figure it out.

All NAT rules and IP traffic are allowed between these LANs. There
shouldn't be any reason, but again I think it has to do with security.
Any help is appreciated!

GNY


Chris
08-05-2007
On Sun, 05 Aug 2007 15:24:02 -0000, GNY wrote:

This is quite normal with PIX/ASA. Traffic that enters on one interface must
exit another, and so you won't be able to access the LAN interface on the
remote device, as that would require hairpinning the traffic, which the ASA
will not do. It's the same reason that with a PIX/ASA on the LAN you can
ping the LAN interface (nearest to you) but not the WAN interface.

Chris.

Merv
08-05-2007
Have a peek at:

PIX/ASA 7.x: SSH/Telnet on the Inside and Outside Interface
Configuration Example

http://www.cisco.com/en/US/products/...8069bf1b.shtml


GNY
08-05-2007
On Aug 5, 2:56 pm, Chris <mandrake...@hotmail.com> wrote:

Chris,

Good to see you again

Thanks for the info.. I guess I'm out of luck then. I was hoping to
store some configs using TFTP on a server on the other side of the
tunnel from the client box. So I guess I'll have to store them locally
on a server, or allow the TFTP traffic from the client to the outside
interface and dump it over the outside interface on the remote side
also (static NAT)... Yuck!

See any other solutions?

Thanks again Chris!

GNY


GNY
08-05-2007
On Aug 5, 3:31 pm, Merv <merv.hr...@rogers.com> wrote:

Merv,

I have all of this configured and worked up already. The problem is
what Chris pointed out.


nakhmanson@gmail.com
08-06-2007
On Aug 5, 3:43 pm, GNY <geekfro...@gmail.com> wrote:

GNY

take a look at this
http://www.cisco.com/en/US/products/...80734db7.shtml

Roman Nakhmanson


GNY
08-07-2007
On Aug 6, 10:23 am, nakhman...@gmail.com wrote:

Roman,

I had a look at that and I have intra-interface enabled.

Thanks again though!

GNY


GNY
08-19-2007
On Aug 7, 6:15 am, GNY <geekfro...@gmail.com> wrote:

I have solved this issue.

It was a combination of ACLs and the management-access INTERFACE
command.

I can now successfully get to the inside interface for my needs.

Thanks everyone.

GNY
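The poster names the fix (`management-access` plus ACLs) but does not show the configuration. The fragment below is an added example, not the poster's config, showing the pieces on the remote ASA (the one whose inside interface is 10.10.80.1) that let hosts on 10.10.70.0/24 reach that interface through the LAN-to-LAN tunnel. The interface name, ACL names, TFTP server address and the pre-8.3 NAT syntax are assumptions; the two site subnets and interface addresses are the thread's own.

```cisco
! Added example (assumed names). Remote ASA, pre-8.3 NAT syntax.
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.10.80.1 255.255.255.0
!
! 1. Interesting-traffic ACL for the tunnel. A /24-to-/24 entry already
!    includes the interface address 10.10.80.1, so no extra host entry
!    is needed; the same must hold for the crypto ACL on the 10.10.70.1 peer.
access-list L2L-80-TO-70 extended permit ip 10.10.80.0 255.255.255.0 10.10.70.0 255.255.255.0
!
! 2. NAT exemption so tunnel traffic, including traffic to the box itself,
!    is not translated.
access-list NONAT extended permit ip 10.10.80.0 255.255.255.0 10.10.70.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
! 3. The piece the thread was missing: to-the-box traffic for the inside
!    interface may arrive through the VPN on the outside interface.
!    Only one interface can be named here.
management-access inside
!
! 4. Scope what the far side may do to that interface. These are per-interface
!    source filters; keep them to a management subnet or jump host rather
!    than the whole remote LAN, and prefer SSH/HTTPS over telnet.
ssh 10.10.70.0 255.255.255.0 inside
http 10.10.70.0 255.255.255.0 inside
icmp permit 10.10.70.0 255.255.255.0 inside
!
! 5. For the poster's TFTP use case (assumed server 10.10.70.50): with
!    management-access set, from-the-box copies sourced from the inside
!    interface also ride the tunnel.
tftp-server inside 10.10.70.50 asa-remote.cfg
! exec:  copy running-config tftp:
```

Two caveats a practitioner will want. First, `management-access` opens the management plane of the far ASA to every host the `ssh`/`http`/`icmp` statements admit, over a tunnel whose peer you may not fully control; the source filters above, plus `aaa authentication ssh console` tied to a real credential store, are what keep that from becoming a broad remote-admin path. Second, on ASA 8.3 and later the `nat (inside) 0 access-list` exemption is written instead as a twice-NAT `nat (inside,outside) source static ... destination static ...` rule; everything else in the fragment is unchanged.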
