Site to Site VPN: Can't Connect To Inside Router Interfaces

Discussion in 'Cisco' started by GNY, Aug 5, 2007.

  1. GNY

    GNY Guest

    Hello..

    I have a LAN-to-LAN tunnel between two sites. Let's say the internal
    networks are 10.10.70.0/24 and 10.10.80.0/24. All hosts on each side
    can talk, ping, connect and everything with one another. However, I
    can't get to the router inside interfaces where each LAN lives.

    So from a host on 10.10.70.0/24 I can't get to 10.10.80.1, and vice
    versa (10.10.80.0/24 --> 10.10.70.1). These are both ASA devices. I'm
    thinking this has to do directly with the ASA interface security, but
    I can't figure it out.

    All NAT rules and IP traffic are allowed between these LANs. There
    shouldn't be any reason, but again I think it has to do with security.
    Any help is appreciated!

    GNY
    GNY, Aug 5, 2007
    #1

  2. Chris

    Chris Guest

    On Sun, 05 Aug 2007 15:24:02 -0000, GNY wrote:

    > Hello..
    >
    > I have a LAN-to-LAN tunnel between two sites. Let's say the internal
    > networks are 10.10.70.0/24 and 10.10.80.0/24. All hosts on each side
    > can talk, ping, connect and everything with one another. However, I
    > can't get to the router inside interfaces where each LAN lives.
    >
    > So from a host on 10.10.70.0/24 I can't get to 10.10.80.1, and vice
    > versa (10.10.80.0/24 --> 10.10.70.1). These are both ASA devices. I'm
    > thinking this has to do directly with the ASA interface security, but
    > I can't figure it out.
    >
    > All NAT rules and IP traffic are allowed between these LANs. There
    > shouldn't be any reason, but again I think it has to do with security.
    > Any help is appreciated!
    >
    > GNY


    This is quite normal with PIX/ASA. Traffic that enters on one interface must
    exit another, and so you won't be able to access the LAN interface on the
    remote device, as that would require hairpinning the traffic, which the ASA
    will not do. It's the same reason that with a PIX/ASA on the LAN, you can
    ping the LAN interface (nearest to you) but not the WAN interface.

    Chris.
    Chris, Aug 5, 2007
    #2

  3. Merv

    Merv Guest

    Merv, Aug 5, 2007
    #3
  4. GNY

    GNY Guest

    On Aug 5, 2:56 pm, Chris <> wrote:
    > On Sun, 05 Aug 2007 15:24:02 -0000, GNY wrote:
    > > Hello..
    > >
    > > I have a LAN-to-LAN tunnel between two sites. Let's say the internal
    > > networks are 10.10.70.0/24 and 10.10.80.0/24. All hosts on each side
    > > can talk, ping, connect and everything with one another. However, I
    > > can't get to the router inside interfaces where each LAN lives.
    > >
    > > So from a host on 10.10.70.0/24 I can't get to 10.10.80.1, and vice
    > > versa (10.10.80.0/24 --> 10.10.70.1). These are both ASA devices. I'm
    > > thinking this has to do directly with the ASA interface security, but
    > > I can't figure it out.
    > >
    > > All NAT rules and IP traffic are allowed between these LANs. There
    > > shouldn't be any reason, but again I think it has to do with security.
    > > Any help is appreciated!
    > >
    > > GNY
    >
    > This is quite normal with PIX/ASA. Traffic that enters on one interface must
    > exit another, and so you won't be able to access the LAN interface on the
    > remote device, as that would require hairpinning the traffic, which the ASA
    > will not do. It's the same reason that with a PIX/ASA on the LAN, you can
    > ping the LAN interface (nearest to you) but not the WAN interface.
    >
    > Chris.


    Chris,

    Good to see you again :)

    Thanks for the info. I guess I'm out of luck then. I was hoping to
    store some configs using TFTP on a server on the other side of the
    tunnel from the client box. So I guess I'll have to store them locally
    on a server, or allow the TFTP traffic from the client to the outside
    interface and dump it over the outside interface on the remote side
    also (static NAT)... Yuck!

    See any other solutions?

    Thanks again Chris!

    GNY
    GNY, Aug 5, 2007
    #4
  5. GNY

    GNY Guest

    GNY, Aug 5, 2007
    #5
  6. Roman Nakhmanson

    Guest

    On Aug 5, 3:43 pm, GNY <> wrote:
    > On Aug 5, 2:56 pm, Chris <> wrote:
    > > On Sun, 05 Aug 2007 15:24:02 -0000, GNY wrote:
    > > > Hello..
    > > >
    > > > I have a LAN-to-LAN tunnel between two sites. Let's say the internal
    > > > networks are 10.10.70.0/24 and 10.10.80.0/24. All hosts on each side
    > > > can talk, ping, connect and everything with one another. However, I
    > > > can't get to the router inside interfaces where each LAN lives.
    > > >
    > > > So from a host on 10.10.70.0/24 I can't get to 10.10.80.1, and vice
    > > > versa (10.10.80.0/24 --> 10.10.70.1). These are both ASA devices. I'm
    > > > thinking this has to do directly with the ASA interface security, but
    > > > I can't figure it out.
    > > >
    > > > All NAT rules and IP traffic are allowed between these LANs. There
    > > > shouldn't be any reason, but again I think it has to do with security.
    > > > Any help is appreciated!
    > > >
    > > > GNY
    > >
    > > This is quite normal with PIX/ASA. Traffic that enters on one interface must
    > > exit another, and so you won't be able to access the LAN interface on the
    > > remote device, as that would require hairpinning the traffic, which the ASA
    > > will not do. It's the same reason that with a PIX/ASA on the LAN, you can
    > > ping the LAN interface (nearest to you) but not the WAN interface.
    > >
    > > Chris.
    >
    > Chris,
    >
    > Good to see you again :)
    >
    > Thanks for the info. I guess I'm out of luck then. I was hoping to
    > store some configs using TFTP on a server on the other side of the
    > tunnel from the client box. So I guess I'll have to store them locally
    > on a server, or allow the TFTP traffic from the client to the outside
    > interface and dump it over the outside interface on the remote side
    > also (static NAT)... Yuck!
    >
    > See any other solutions?
    >
    > Thanks again Chris!
    >
    > GNY


    GNY,

    Take a look at this:
    http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080734db7.shtml

    Roman Nakhmanson
    Roman Nakhmanson, Aug 6, 2007
    #6
  7. GNY

    GNY Guest

    On Aug 6, 10:23 am, Roman Nakhmanson wrote:
    > On Aug 5, 3:43 pm, GNY <> wrote:
    > > On Aug 5, 2:56 pm, Chris <> wrote:
    > > > On Sun, 05 Aug 2007 15:24:02 -0000, GNY wrote:
    > > > > Hello..
    > > > >
    > > > > I have a LAN-to-LAN tunnel between two sites. Let's say the internal
    > > > > networks are 10.10.70.0/24 and 10.10.80.0/24. All hosts on each side
    > > > > can talk, ping, connect and everything with one another. However, I
    > > > > can't get to the router inside interfaces where each LAN lives.
    > > > >
    > > > > So from a host on 10.10.70.0/24 I can't get to 10.10.80.1, and vice
    > > > > versa (10.10.80.0/24 --> 10.10.70.1). These are both ASA devices. I'm
    > > > > thinking this has to do directly with the ASA interface security, but
    > > > > I can't figure it out.
    > > > >
    > > > > All NAT rules and IP traffic are allowed between these LANs. There
    > > > > shouldn't be any reason, but again I think it has to do with security.
    > > > > Any help is appreciated!
    > > > >
    > > > > GNY
    > > >
    > > > This is quite normal with PIX/ASA. Traffic that enters on one interface must
    > > > exit another, and so you won't be able to access the LAN interface on the
    > > > remote device, as that would require hairpinning the traffic, which the ASA
    > > > will not do. It's the same reason that with a PIX/ASA on the LAN, you can
    > > > ping the LAN interface (nearest to you) but not the WAN interface.
    > > >
    > > > Chris.
    > >
    > > Chris,
    > >
    > > Good to see you again :)
    > >
    > > Thanks for the info. I guess I'm out of luck then. I was hoping to
    > > store some configs using TFTP on a server on the other side of the
    > > tunnel from the client box. So I guess I'll have to store them locally
    > > on a server, or allow the TFTP traffic from the client to the outside
    > > interface and dump it over the outside interface on the remote side
    > > also (static NAT)... Yuck!
    > >
    > > See any other solutions?
    > >
    > > Thanks again Chris!
    > >
    > > GNY
    >
    > GNY,
    >
    > Take a look at this:
    > http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00...
    >
    > Roman Nakhmanson


    Roman,

    I had a look at that and I have intra-interface enabled.

    Thanks again though!

    GNY
    GNY, Aug 7, 2007
    #7
  8. GNY

    GNY Guest

    On Aug 7, 6:15 am, GNY <> wrote:
    > On Aug 6, 10:23 am, Roman Nakhmanson wrote:
    > > On Aug 5, 3:43 pm, GNY <> wrote:
    > > > On Aug 5, 2:56 pm, Chris <> wrote:
    > > > > On Sun, 05 Aug 2007 15:24:02 -0000, GNY wrote:
    > > > > > Hello..
    > > > > >
    > > > > > I have a LAN-to-LAN tunnel between two sites. Let's say the internal
    > > > > > networks are 10.10.70.0/24 and 10.10.80.0/24. All hosts on each side
    > > > > > can talk, ping, connect and everything with one another. However, I
    > > > > > can't get to the router inside interfaces where each LAN lives.
    > > > > >
    > > > > > So from a host on 10.10.70.0/24 I can't get to 10.10.80.1, and vice
    > > > > > versa (10.10.80.0/24 --> 10.10.70.1). These are both ASA devices. I'm
    > > > > > thinking this has to do directly with the ASA interface security, but
    > > > > > I can't figure it out.
    > > > > >
    > > > > > All NAT rules and IP traffic are allowed between these LANs. There
    > > > > > shouldn't be any reason, but again I think it has to do with security.
    > > > > > Any help is appreciated!
    > > > > >
    > > > > > GNY
    > > > >
    > > > > This is quite normal with PIX/ASA. Traffic that enters on one interface must
    > > > > exit another, and so you won't be able to access the LAN interface on the
    > > > > remote device, as that would require hairpinning the traffic, which the ASA
    > > > > will not do. It's the same reason that with a PIX/ASA on the LAN, you can
    > > > > ping the LAN interface (nearest to you) but not the WAN interface.
    > > > >
    > > > > Chris.
    > > >
    > > > Chris,
    > > >
    > > > Good to see you again :)
    > > >
    > > > Thanks for the info. I guess I'm out of luck then. I was hoping to
    > > > store some configs using TFTP on a server on the other side of the
    > > > tunnel from the client box. So I guess I'll have to store them locally
    > > > on a server, or allow the TFTP traffic from the client to the outside
    > > > interface and dump it over the outside interface on the remote side
    > > > also (static NAT)... Yuck!
    > > >
    > > > See any other solutions?
    > > >
    > > > Thanks again Chris!
    > > >
    > > > GNY
    > >
    > > GNY,
    > >
    > > Take a look at this:
    > > http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00...
    > >
    > > Roman Nakhmanson
    >
    > Roman,
    >
    > I had a look at that and I have intra-interface enabled.
    >
    > Thanks again though!
    >
    > GNY


    I have solved this issue.

    It was a combination of ACLs and the management-access INTERFACE
    command.

    I can now successfully get to the inside interface for my needs.

    Thanks everyone..

    GNY
    GNY, Aug 19, 2007
    #8
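The fix GNY describes, written out as an added example configuration that is not the poster's own. It shows the site A ASA in 8.0-era (pre-8.3 NAT) syntax; site B is the mirror image with the 10.10.70.x / 10.10.80.x roles and peer addresses swapped. The public addresses 203.0.113.1 and 198.51.100.1, the remote TFTP server 10.10.80.20, and the names L2L_SITEB, NONAT, OUTSIDE_MAP and AES256-SHA are assumptions made for the example:

```cisco
! Site A ASA. Assumed addressing: inside 10.10.70.1/24, outside 203.0.113.1,
! remote peer 198.51.100.1, remote LAN 10.10.80.0/24 behind 10.10.80.1.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.10.70.1 255.255.255.0
!
! Interesting traffic for the tunnel. The crypto ACL covers the whole /24 on
! each side, so packets to or from the ASA's own inside address (10.10.70.1)
! are encrypted rather than routed in the clear.
access-list L2L_SITEB extended permit ip 10.10.70.0 255.255.255.0 10.10.80.0 255.255.255.0
!
! NAT exemption for the same pair, so the flow keeps its real addresses
! (pre-8.3 "nat 0" syntax).
access-list NONAT extended permit ip 10.10.70.0 255.255.255.0 10.10.80.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
! IKE phase 1 and IPsec phase 2.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 pre-shared-key <shared-secret>
crypto ipsec transform-set AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address L2L_SITEB
crypto map OUTSIDE_MAP 10 set peer 198.51.100.1
crypto map OUTSIDE_MAP 10 set transform-set AES256-SHA
crypto map OUTSIDE_MAP interface outside
!
! The command from GNY's solution. Without it, traffic that is decrypted on
! "outside" and addressed to the local "inside" interface IP is dropped,
! which is the symptom in the original post. With it, the inside address
! answers to-the-box traffic arriving through the tunnel.
management-access inside
!
! Limit what may talk to the inside interface address from the remote LAN:
! ping from the whole /24, SSH only. These govern traffic to the ASA itself,
! not transit traffic, which the interface ACLs and crypto ACL still control.
icmp permit 10.10.80.0 255.255.255.0 inside
ssh 10.10.80.0 255.255.255.0 inside
ssh version 2
!
! Decrypted tunnel traffic bypasses the outside interface ACL by default.
! If this has been turned off ("no sysopt connection permit-vpn"), the outside
! ACL must also permit 10.10.80.0/24 to 10.10.70.1.
sysopt connection permit-vpn
!
! Config backups over the tunnel (GNY's use case). With management-access set,
! the ASA sources its own TFTP session from the inside address, so the
! far-side crypto ACL matches and the copy goes through the tunnel.
! 10.10.80.20 is an assumed TFTP server on the remote LAN.
tftp-server inside 10.10.80.20 asa-siteA.cfg
!
! From enable mode (not part of the saved config):
!   copy running-config tftp:
!   packet-tracer input inside icmp 10.10.70.5 8 0 10.10.80.1
!   show crypto ipsec sa peer 198.51.100.1
```

The two pieces that matter for the symptom are `management-access inside` and crypto/NAT-exemption ACLs that include the interface addresses themselves. `same-security-traffic permit intra-interface` (the setting in Roman's link, which GNY already had) lets traffic enter and leave the same interface, for example spoke-to-spoke through a hub; it does not by itself make an interface address reachable through the tunnel. The `icmp permit` and `ssh` lines are the least-privilege part: once the inside address is reachable from the far side, restrict it to the management protocols and sources you actually need.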