Site to Site VPN Problem

Discussion in 'Cisco' started by Peter Simons, Jun 27, 2007.

  1. Peter Simons

    Peter Simons Guest

    X-No-Archive: yes
    Hi

    Have a site-to-site VPN problem.
    The network servers are Microsoft Windows Server, both 2000 and 2003.

    At the remote site, using an ASA-to-ASA VPN, clients could pick up email
    from an Exchange server but not send email.

    The site with the Exchange server could VNC to the machine that could
    not send email.

    When one browsed the network one could see only local machines. The
    domain controller at the remote site had lots of event ID 1311 entries in the
    directory log.

    Machines could not connect to an SQL server using Active Directory
    credentials but could get to a web site on the same machine.

    Changing the remote site to a PIX 501 solved the problem.


    Munged config of remote site:


    Thanks in advance for any help

    : Saved
    :
    ASA Version 7.2(2)
    !
    hostname
    domain-name l
    enable password
    no names
    name 10.0.20.0 mainsite
    name 10.0.50.0 site a
    name 10.0.50.2 caffreys
    !
    interface Vlan1
    nameif inside
    security-level 100
    ip address 10.0.50.1 255.255.255.0
    !
    interface Vlan2
    nameif outside
    security-level 0
    ip address aa.bb.nn.mm 255.255.255.248
    !
    interface Ethernet0/0
    switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    passwd
    ftp mode passive
    dns server-group DefaultDNS
    domain-name
    object-group service std tcp
    port-object eq domain
    port-object eq ftp
    port-object eq ftp-data
    port-object eq www
    port-object eq https
    object-group service Domain tcp-udp
    port-object eq domain
    access-list inside_access_in extended permit tcp any any object-group std
    access-list inside_access_in extended permit udp host 10.0.50.2 any eq domain
    access-list inside_access_in extended permit tcp host 10.0.50.2 any eq domain
    access-list inside_access_in extended permit ip 10.0.50.0 255.255.255.0 10.0.20.0 255.255.255.0
    access-list outside_20_cryptomap extended permit ip 10.0.50.0 255.255.255.0 10.0.20.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 10.0.50.0 255.255.255.0 10.0.20.0 255.255.255.0
    access-list outside_access_in extended permit ip 10.0.20.0 255.255.255.0 10.0.50.0 255.255.255.0
    access-list outside_20_cryptomap_1 extended permit ip 10.0.50.0 255.255.255.0 10.0.20.0 255.255.255.0
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-522.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    access-group inside_access_in in interface inside
    access-group outside_access_in in interface outside
    route inside 10.0.20.0 255.255.255.0 10.0.50.33 1
    route outside 0.0.0.0 0.0.0.0 aa.bb.nn.pp 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    group-policy DfltGrpPolicy attributes
    banner none
    wins-server none
    dns-server none
    dhcp-network-scope none
    vpn-access-hours none
    vpn-simultaneous-logins 3
    vpn-idle-timeout 30
    vpn-session-timeout none
    vpn-filter none
    vpn-tunnel-protocol IPSec
    password-storage disable
    ip-comp disable
    re-xauth disable
    group-lock none
    pfs disable
    ipsec-udp disable
    ipsec-udp-port 10000
    split-tunnel-policy tunnelall
    split-tunnel-network-list none
    default-domain none
    split-dns none
    intercept-dhcp 255.255.255.255 disable
    secure-unit-authentication disable
    user-authentication disable
    user-authentication-idle-timeout 30
    ip-phone-bypass disable
    leap-bypass disable
    nem disable
    backup-servers keep-client-config
    msie-proxy server none
    msie-proxy method no-modify
    msie-proxy except-list none
    msie-proxy local-bypass disable
    nac disable
    nac-sq-period 300
    nac-reval-period 36000
    nac-default-acl none
    address-pools none
    client-firewall none
    client-access-rule none
    webvpn
    functions url-entry
    html-content-filter none
    homepage none
    keep-alive-ignore 4
    http-comp gzip
    filter none
    url-list none
    customization value DfltCustomization
    port-forward none
    port-forward-name value Application Access
    sso-server none
    deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
    svc none
    svc keep-installer installed
    svc keepalive none
    svc rekey time none
    svc rekey method none
    svc dpd-interval client none
    svc dpd-interval gateway none
    svc compression deflate
    url-server (inside) vendor websense host 10.0.20.8 timeout 30 protocol UDP version 4
    filter url 443 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
    filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
    http server enable

    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto map outside_map 20 match address outside_20_cryptomap_1
    crypto map outside_map 20 set peer xx.yy.bb.cc
    crypto map outside_map 20 set transform-set ESP-3DES-MD5
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash md5
    group 2
    lifetime 86400
    crypto isakmp policy 40
    authentication pre-share
    encryption 3des
    hash md5
    group 1
    lifetime 86400
    crypto isakmp nat-traversal 20
    crypto isakmp ipsec-over-tcp port 10000
    tunnel-group xx.yy.bb.cc type ipsec-l2l
    tunnel-group xx.yy.bb.cc ipsec-attributes
    pre-shared-key *
    peer-id-validate nocheck
    pre-shared-key *
    telnet 0.0.0.0 0.0.0.0 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    management-access inside
    dhcpd auto_config outside
    !
    dhcpd address 10.0.50.2-10.0.50.33 inside
    dhcpd dns 10.0.20.12 10.0.20.16 interface inside
    dhcpd lease 360000 interface inside
    dhcpd domain lowery interface inside
    dhcpd option 3 ip 10.0.50.1 interface inside
    !

    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    !
    service-policy global_policy global
    prompt hostname context
     
    Peter Simons, Jun 27, 2007
    #1

  2. Mike W.

    Mike W. Guest

    Peter Simons wrote:
    > X-No-Archive: yes
    > Hi
    >
    > Have a site to site VPN problem
    > The network servers are Microsoft windows server both 2000 and 2003.
    >
    > At the remote site using an ASA to ASA VPN clients could pick up email
    > from an Exchange server but not send email.




    Perhaps you need the command:

    same-security-traffic permit intra-interface
     
    Mike W., Jun 27, 2007
    #2

  3. Peter Simons

    Peter Simons Guest

    X-No-Archive: yes

    Mike W. wrote:
    > Peter Simons wrote:
    >> X-No-Archive: yes
    >> Hi
    >>
    >> Have a site to site VPN problem
    >> The network servers are Microsoft windows server both 2000 and 2003.
    >>
    >> At the remote site using an ASA to ASA VPN clients could pick up
    >> email from an Exchange server but not send email.

    >
    >
    >
    > Perhaps you need the command:
    >
    > same-security-traffic permit intra-interface


    Unless I misunderstand the command, I do not think it would help. Our set
    up is


    Email------ASA-------Internet-------ASA------Client
    Server

    I believe that command would make all sites communicate in the following
    set up:

    Email------ASA------Internet-------ASA-------Client
    Server      |
                |
                |----------ASA-------Client
     
    Peter Simons, Jun 27, 2007
    #3
  4. Peter Simons

    Peter Simons Guest

    X-No-Archive: yes
    Peter Simons wrote:
    > X-No-Archive: yes
    > Hi
    >
    > Have a site to site VPN problem
    > The network servers are Microsoft windows server both 2000 and 2003.
    >
    > At the remote site using an ASA to ASA VPN clients could pick up email
    > from an Exchange server but not send email.
    >


    To clarify:
    At the remote site using an ASA-to-ASA VPN, clients on the remote
    network could pick up email from an Exchange server but not send email.

    Peter
     
    Peter Simons, Jun 27, 2007
    #4
  5. Chad Mahoney

    Chad Mahoney Guest

    Peter Simons wrote:
    >
    > X-No-Archive: yes
    > Peter Simons wrote:
    >> X-No-Archive: yes
    >> Hi
    >>
    >> Have a site to site VPN problem
    >> The network servers are Microsoft windows server both 2000 and 2003.
    >>
    >> At the remote site using an ASA to ASA VPN clients could pick up
    >> email from an Exchange server but not send email.
    >>

    >
    > To clarify
    > At the remote site using an ASA to ASA VPN, clients on the remote
    > network could pick up email from an exchange server but not send email
    >
    > Peter



    How do the clients connect to the Exchange server? Are they using POP3
    or an Exchange profile?

    One thing to also try is from a client on the remote end, open a DOS
    prompt and try to telnet to the server:

    telnet 1.1.1.1 25

    Where 1.1.1.1 is the IP of the exchange server, do you get the SMTP banner?
     
    Chad Mahoney, Jun 27, 2007
    #5
  6. Peter Simons

    Peter Simons Guest

    Chad Mahoney wrote:
    > Peter Simons wrote:
    >>
    >> X-No-Archive: yes
    >> Peter Simons wrote:
    >>> X-No-Archive: yes
    >>> Hi
    >>>
    >>> Have a site to site VPN problem
    >>> The network servers are Microsoft windows server both 2000 and 2003.
    >>>
    >>> At the remote site using an ASA to ASA VPN clients could pick up
    >>> email from an Exchange server but not send email.
    >>>

    >>
    >> To clarify
    >> At the remote site using an ASA to ASA VPN, clients on the remote
    >> network could pick up email from an exchange server but not send email
    >>
    >> Peter

    >
    >
    > How do the clients connect to the exchange server? Are they using POP3
    > or exchange profile?


    Exchange profile

    >
    > One thing to also try is from a client on the remote end, open a DOS
    > prompt and try to telnet to the server:
    >
    > telnet 1.1.1.1 25
    >
    > Where 1.1.1.1 is the IP of the exchange server, do you get the SMTP banner?


    Unfortunately I did not try that. But ping worked fine.

    Another problem was that if I tried to synchronize with the time server
    at the main site I got various network errors, such as network error
    121. These cleared once a PIX was used.

    Also, two laptops that had been used at other sites could collect mail.
    It was not IP dependent, as if I took one laptop off the network and gave
    another machine its IP address that machine still could not send mail.
    If I gave the laptop another IP it still could send mail. I do wonder
    if it was a problem with NetBIOS encapsulated in TCP/IP.

    Currently left the PIX in place so people can work. I would like to sort the
    problem before I try the ASA again.

    Thanks

    Peter
     
    Peter Simons, Jun 27, 2007
    #6
  7. Chad Mahoney

    Chad Mahoney Guest

    Peter Simons wrote:
    >


    > Unfortunately I did not try that. But ping worked fine.
    >



    Ping could work all day. ICMP is not TCP, please test the telnet and
    post the results.
     
    Chad Mahoney, Jun 27, 2007
    #7
  8. Peter Simons

    Peter Simons Guest

    X-No-Archive: yes

    Chad Mahoney wrote:
    > Peter Simons wrote:
    >>

    >
    >> Unfortunately I did not try that. But ping worked fine.
    >>

    >
    >
    > Ping could work all day. ICMP is not TCP, please test the telnet and
    > post the results.


    Unfortunately I cannot do that test as I need to get the site up and working.

    The main site could establish a VNC connection on port 5900. So there
    seemed to be TCP connectivity. Just remembered Outlook webmail worked if
    you typed in the IP address of the mail server but not the server name in
    a browser.


    Peter
     
    Peter Simons, Jun 27, 2007
    #8
  9. Peter Simons

    Peter Simons Guest

    X-No-Archive: yes

    Chad Mahoney wrote:
    > Peter Simons wrote:
    >>

    >
    >> Unfortunately I did not try that. But ping worked fine.
    >>

    >
    >
    > Ping could work all day. ICMP is not TCP, please test the telnet and
    > post the results.

    Unfortunately I cannot do that test as I need to get the site up and working.

    The main site could establish a VNC connection on port 5900. So there
    seemed to be TCP connectivity. Just remembered Outlook webmail worked if
    you typed in the IP address of the mail server but not the server name
    in a browser.


    Peter
     
    Peter Simons, Jun 27, 2007
    #9
  10. Chad Mahoney

    Chad Mahoney Guest

    Peter Simons wrote:
    > X-No-Archive: yes
    >
    > Chad Mahoney wrote:
    >> Peter Simons wrote:
    >>>

    >>
    >>> Unfortunately I did not try that. But ping worked fine.
    >>>

    >>
    >>
    >> Ping could work all day. ICMP is not TCP, please test the telnet and
    >> post the results.

    >
    > Unfortunately I cannot do that test as I need to get the site up and working.
    >
    > The main site could establish a VNC connection on port 5900. So there
    > seemed to be TCP connectivity. Just remembered Outlook webmail worked if
    > you typed in the IP address of the mail server but not the server name in
    > a browser.
    >
    >
    > Peter



    Two things:

    1. If you can connect to resources across the tunnel via the IP address
    but not host name, then you have DNS problems. DNS is not TCP, it is UDP.

    2. Are you using RPC over HTTP? Cache Mode?

    I see you are using this ACL on the ASA for communication between the sites:

    access-list inside_nat0_outbound extended permit ip 10.0.50.0
    255.255.255.0 10.0.20.0 255.255.255.0

    So you are allowing 10.0.50.0/24 to 10.0.20.0/24 but I do not see where
    you are allowing 10.0.20.0/24 into the 10.0.50.0/24 network. Are you
    syslogging the ASA, can you capture some traffic and post it?
     
    Chad Mahoney, Jun 27, 2007
    #10
  11. Peter Simons

    Peter Simons Guest

    X-No-Archive: yes

    Chad Mahoney wrote:
    > Peter Simons wrote:
    >>

    >
    > 2 things
    >
    > 1. If you can connect to resources across the tunnel via the IP address
    > but not host name, then you have DNS problems. DNS is not TCP it is UDP.


    It's not a DNS problem as the server name was resolving correctly.

    >
    > 2. Are you using RPC over HTTP? Cache Mode?


    Neither, as we use Outlook 2000.

    >
    > I see you are using this ACL on the ASA for communication between the
    > sites:
    >
    > access-list inside_nat0_outbound extended permit ip 10.0.50.0
    > 255.255.255.0 10.0.20.0 255.255.255.0
    >
    > So you are allowing 10.0.50.0/24 to 10.0.20.0/24 but I do not see where
    > you are allowing 10.0.20.0/24 into the 10.0.50.0/24 network. Are you
    > syslogging the ASA, can you capture some traffic and post it?


    If you look at the config:
    access-list outside_access_in extended permit ip 10.0.20.0
    255.255.255.0 10.0.50.0 255.255.255.0

    and
    access-list inside_access_in extended permit ip 10.0.50.0 255.255.255.0
    10.0.20.0 255.255.255.0

    Packet trace is all OK.

    I think I will need to do some weekend working to get recorded syslog
    info. I just used debug mode instead of sending to a syslogger.

    I also think that the problem may be that the local domain controller
    and global catalog server was out of phase with the domain controller at
    the main site, due to the other symptoms such as not being able to log
    into an SQL database.

    Thanks for your help

    Peter
     
    Peter Simons, Jun 27, 2007
    #11
  12. Chad Mahoney

    Chad Mahoney Guest

    Peter Simons wrote:
    > X-No-Archive: yes
    >
    > Chad Mahoney wrote:
    >> Peter Simons wrote:
    >>>

    >>
    >> 2 things
    >>
    >> 1. If you can connect to resources across the tunnel via the IP
    >> address but not host name, then you have DNS problems. DNS is not TCP
    >> it is UDP.

    >
    > its not a DNS problem as the server name was resolving correctly
    >


    >>
    >> I see you are using this ACL on the ASA for communication between the
    >> sites:
    >>
    >> access-list inside_nat0_outbound extended permit ip 10.0.50.0
    >> 255.255.255.0 10.0.20.0 255.255.255.0
    >>
    >> So you are allowing 10.0.50.0/24 to 10.0.20.0/24 but I do not see where
    >> you are allowing 10.0.20.0/24 into the 10.0.50.0/24 network. Are you
    >> syslogging the ASA, can you capture some traffic and post it?

    >
    > if you look at Config
    > access-list outside_access_in extended permit ip 10.0.20.0
    > 255.255.255.0 10.0.50.0 255.255.255.0
    >
    > and
    > access-list inside_access_in extended permit ip 10.0.50.0 255.255.255.0
    > 10.0.20.0 255.255.255.0
    >


    While that may be the case, you are not applying that ACL to your no-NAT
    statement:

    nat (inside) 0 access-list inside_nat0_outbound

    so the only traffic being excluded from NAT is that matched by
    inside_nat0_outbound.


    access-group inside_access_in in interface inside is being applied to
    traffic from the internal network to the external, it says nothing about
    traffic arriving at your external interface trying to come inbound, such
    as your VPN traffic.
     
    Chad Mahoney, Jun 27, 2007
    #12
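Chad's last two replies turn on whether the nat 0 exemption, the crypto map ACL and the inbound ACL on the outside interface all describe the same pair of subnets. The script below is an added example, not from the thread or from Cisco: it parses a constructed excerpt of the config posted in #1 and checks those three relationships, and, going beyond what the thread discusses, also checks that the remote subnet is routed out the crypto map interface, since packets only get encrypted if they leave through the interface the crypto map is bound to. On the posted excerpt the three ACL checks pass and only the `route inside 10.0.20.0 255.255.255.0 10.0.50.33 1` line is reported; 203.0.113.1 is a placeholder for the munged default-route next hop.

```python
import re
import ipaddress

# Constructed excerpt of the remote-site ASA config posted above (addresses are
# the thread's own; 203.0.113.1 stands in for the munged default-route next hop).
ASA_CONFIG = """\
access-list outside_20_cryptomap_1 extended permit ip 10.0.50.0 255.255.255.0 10.0.20.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.0.50.0 255.255.255.0 10.0.20.0 255.255.255.0
access-list outside_access_in extended permit ip 10.0.20.0 255.255.255.0 10.0.50.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route inside 10.0.20.0 255.255.255.0 10.0.50.33 1
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
crypto map outside_map 20 match address outside_20_cryptomap_1
crypto map outside_map interface outside
"""

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")

def net(addr, mask):
    # ASA writes "address netmask"; ipaddress accepts "address/netmask".
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse(config):
    # Collect permit-ip ACL pairs plus the NAT, access-group, crypto and route facts.
    acls, facts = {}, {"routes": []}
    for line in config.splitlines():
        if m := ACL_RE.match(line):
            acls.setdefault(m[1], []).append((net(m[2], m[3]), net(m[4], m[5])))
        elif m := re.match(r"^nat \(inside\) 0 access-list (\S+)$", line):
            facts["nat0"] = m[1]
        elif m := re.match(r"^access-group (\S+) in interface (\S+)$", line):
            facts["acl_" + m[2]] = m[1]
        elif m := re.match(r"^crypto map \S+ \d+ match address (\S+)$", line):
            facts["crypto_acl"] = m[1]
        elif m := re.match(r"^crypto map \S+ interface (\S+)$", line):
            facts["crypto_if"] = m[1]
        elif m := re.match(r"^route (\S+) (\S+) (\S+) \S+", line):
            facts["routes"].append((m[1], net(m[2], m[3])))
    return acls, facts

def check_tunnel(config):
    acls, f = parse(config)
    crypto = set(acls.get(f.get("crypto_acl"), []))
    findings = []
    # 1. nat 0 must exempt every local/remote pair the crypto ACL encrypts.
    if crypto - set(acls.get(f.get("nat0"), [])):
        findings.append("nat 0 ACL does not cover every crypto ACL pair")
    inbound = set(acls.get(f.get("acl_outside"), []))
    for local, remote in crypto:
        # 2. Outside ACL must permit remote -> local (needed if sysopt connection permit-vpn is off).
        if (remote, local) not in inbound:
            findings.append(f"outside ACL lacks permit {remote} -> {local}")
        # 3. Remote subnet must be routed out the crypto map interface to get encrypted.
        for iface, dest in f["routes"]:
            if remote.subnet_of(dest) and iface != f.get("crypto_if"):
                findings.append(f"route to {remote} via {iface}, not {f.get('crypto_if')}")
    return findings
```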
