Captain Colonoscopy
2[H]4U
Joined: Feb 19, 2004
Messages: 3,861
Okay, so I am having a huge brain fart this evening and know I am missing something simple because it's late or I'm an idiot, one of the two.
I have a client with two sites that are connected via a P2P T1 that is terminated by two matching 1841 routers. Each site has its own DSL connection for internet that is protected by an ASA5505 and Untangle UTM in bridge mode. Everything is working fine except for the Remote Access VPN. Client wants to be able to connect to both sites for RDP/VNC access to desktops from one VPN connection. He only wants to VPN into the primary site to connect to machines at both sites. Not a huge deal, done this before but I'm missing something. I can't ping across the T1 from the VPN connection to SiteB; it times out, and I get some alerts on the ASA when I watch the log viewer. SiteA and SiteB can talk to each other just fine over their T1s so routing is working there, just not from the VPN connection.
Network Overview:
SiteA:
ASA5505 Inside: 172.20.20.254/24
Router Inside: 172.20.20.1/24
Router s0/0/0: 10.169.254.1/30
SiteB:
ASA5505 Inside: 172.20.40.254/24
Router Inside: 172.20.40.1/24
Router s0/0/0: 10.169.254.3/30
Sample of the primary ASA5505 config:
access-list RemoteAccess_splitTunnelAcl standard permit 172.20.20.0 255.255.255.0
access-list RemoteAccess_splitTunnelAcl standard permit 172.20.40.0 255.255.255.0
access-list INSIDE_nat0_outbound extended permit ip 172.20.20.0 255.255.255.0 10.169.254.32 255.255.255.224
access-list INSIDE_nat0_outbound extended permit ip 172.20.40.0 255.255.255.0 10.169.254.32 255.255.255.224
access-list INSIDE_nat0_outbound extended permit ip 172.20.20.0 255.255.255.0 172.20.40.0 255.255.255.0
ip local pool VPN_POOL 10.169.254.33-10.169.254.62 mask 255.255.255.224
global (OUTSIDE) 101 interface
nat (INSIDE) 0 access-list INSIDE_nat0_outbound
nat (INSIDE) 101 0.0.0.0 0.0.0.0
route INSIDE 10.169.254.0 255.255.255.252 172.20.20.1 1
route INSIDE 172.20.40.0 255.255.255.0 172.20.20.1 1
Here is one of the errors I was getting on the ASA:
5 Mar 31 2010 23:16:40 305013 172.20.40.24 Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src OUTSIDE:10.169.254.33 dst INSIDE:172.20.40.24 (type 8, code 0) denied due to NAT reverse path failure
I added the 172.20.40.0/24 network to the nat0 ACL and that went away but now I just keep getting this:
6 Mar 31 2010 23:40:41 302021 10.169.254.33 1 172.20.40.24 0 Teardown ICMP connection for faddr 10.169.254.33/1 gaddr 172.20.40.24/0 laddr 172.20.40.24/0 (manager)
6 Mar 31 2010 23:40:39 302020 10.169.254.33 1 172.20.40.24 0 Built inbound ICMP connection for faddr 10.169.254.33/1 gaddr 172.20.40.24/0 laddr 172.20.40.24/0 (manager)
Anyone have an idea? I'm wondering if there is a route set up wrong on the SiteB router but it's not letting me, so I might have to go onsite and console into the stupid thing tomorrow afternoon.
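As an added example (not the poster's code), a small Python triage script over the two kinds of ASA log line quoted in the post: it flags 305013 as a NAT reverse-path denial and pairs each 302020 Built with its 302021 Teardown, treating an ICMP connection that lived the full idle timeout (assumed here to be the ASA default `timeout icmp 0:00:02`) as an echo request whose reply never came back through the firewall, which is the symptom of a missing or wrong return route at the far site. The sample log is constructed from the lines in the post; the message-id meanings are Cisco's, the finding names are made up here.

```python
import re
from datetime import datetime, timedelta

# Assumed ASA default "timeout icmp 0:00:02": an ICMP connection that lives
# this long was torn down by the idle timer, not by an echo reply arriving.
ICMP_IDLE_TIMEOUT = timedelta(seconds=2)

# Constructed sample in the ASDM log-viewer layout quoted in the post:
# severity, date, time, message id, then the per-message columns and text.
SAMPLE_LOG = """\
5 Mar 31 2010 23:16:40 305013 172.20.40.24 Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src OUTSIDE:10.169.254.33 dst INSIDE:172.20.40.24 (type 8, code 0) denied due to NAT reverse path failure
6 Mar 31 2010 23:40:39 302020 10.169.254.33 1 172.20.40.24 0 Built inbound ICMP connection for faddr 10.169.254.33/1 gaddr 172.20.40.24/0 laddr 172.20.40.24/0 (manager)
6 Mar 31 2010 23:40:41 302021 10.169.254.33 1 172.20.40.24 0 Teardown ICMP connection for faddr 10.169.254.33/1 gaddr 172.20.40.24/0 laddr 172.20.40.24/0 (manager)
"""

LINE_RE = re.compile(r"^(\d) (\w{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}) (\d{6}) (.*)$")
CONN_RE = re.compile(r"faddr (\S+) gaddr (\S+) laddr (\S+)")
NATFAIL_RE = re.compile(r"src \w+:(\S+) dst \w+:(\S+)")

def parse_line(line):
    """Split one ASDM-style line into (timestamp, message id, remainder)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(2), "%b %d %Y %H:%M:%S")
    return ts, m.group(3), m.group(4)

def analyze(log_text):
    """Return findings: NAT reverse-path denials and ICMP flows that got no reply."""
    findings = []
    open_icmp = {}  # (faddr, gaddr, laddr) -> time the connection was built
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, msgid, rest = parsed
        if msgid == "305013":  # nat0 exemption matched one direction only
            src, dst = NATFAIL_RE.search(rest).groups()
            findings.append(("nat_reverse_path_failure", src, dst))
        elif msgid in ("302020", "302021"):
            key = CONN_RE.search(rest).groups()
            if msgid == "302020":
                open_icmp[key] = ts
            else:
                built = open_icmp.pop(key, None)
                if built is not None and ts - built >= ICMP_IDLE_TIMEOUT:
                    # laddr is the real inside host; strip the ICMP id / port suffix
                    src, dst = key[0].split("/")[0], key[2].split("/")[0]
                    findings.append(("icmp_no_reply", src, dst, (ts - built).total_seconds()))
    return findings
```

Feed `analyze()` the ASDM log viewer export for the VPN pool address; a Built/Teardown pair two seconds apart on every ping, with no 305013, points past the ASA to the routers or the SiteB default gateway rather than to NAT.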