Cisco ASA Brain Fart

Okay, so I am having a huge brain fart this evening and know I am missing something simple, because it's late or I'm an idiot, one of the two.

I have a client with two sites that are connected via a P2P T1 that is terminated by two matching 1841 routers. Each site has its own DSL connection for internet that is protected by an ASA5505 and an Untangle UTM in bridge mode. Everything is working fine except for the Remote Access VPN. The client wants to be able to connect to both sites for RDP/VNC access to desktops from one VPN connection. He only wants to VPN into the primary site to connect to machines at both sites. Not a huge deal, I've done this before, but I'm missing something. I can't ping across the T1 from the VPN connection to SiteB; it times out and I get some alerts on the ASA when I watch the log viewer. SiteA and SiteB can talk to each other just fine over the T1, so routing is working there, just not from the VPN connection.

Network Overview:

SiteA:
ASA5505 Inside: 172.20.20.254/24
Router Inside: 172.20.20.1/24
Router s0/0/0: 10.169.254.1/30

SiteB:
ASA5505 Inside: 172.20.40.254/24
Router Inside: 172.20.40.1/24
Router s0/0/0: 10.169.254.3/30


Sample of the primary ASA5505 config:
access-list RemoteAccess_splitTunnelAcl standard permit 172.20.20.0 255.255.255.0
access-list RemoteAccess_splitTunnelAcl standard permit 172.20.40.0 255.255.255.0
access-list INSIDE_nat0_outbound extended permit ip 172.20.20.0 255.255.255.0 10.169.254.32 255.255.255.224
access-list INSIDE_nat0_outbound extended permit ip 172.20.40.0 255.255.255.0 10.169.254.32 255.255.255.224
access-list INSIDE_nat0_outbound extended permit ip 172.20.20.0 255.255.255.0 172.20.40.0 255.255.255.0

ip local pool VPN_POOL 10.169.254.33-10.169.254.62 mask 255.255.255.224

global (OUTSIDE) 101 interface
nat (INSIDE) 0 access-list INSIDE_nat0_outbound
nat (INSIDE) 101 0.0.0.0 0.0.0.0

route INSIDE 10.169.254.0 255.255.255.252 172.20.20.1 1
route INSIDE 172.20.40.0 255.255.255.0 172.20.20.1 1

Here is one of the errors I was getting on the ASA:
5 Mar 31 2010 23:16:40 305013 172.20.40.24 Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src OUTSIDE:10.169.254.33 dst INSIDE:172.20.40.24 (type 8, code 0) denied due to NAT reverse path failure

I added the 172.20.40.0/24 network to the nat0 ACL and that went away but now I just keep getting this:
6 Mar 31 2010 23:40:41 302021 10.169.254.33 1 172.20.40.24 0 Teardown ICMP connection for faddr 10.169.254.33/1 gaddr 172.20.40.24/0 laddr 172.20.40.24/0 (manager)

6 Mar 31 2010 23:40:39 302020 10.169.254.33 1 172.20.40.24 0 Built inbound ICMP connection for faddr 10.169.254.33/1 gaddr 172.20.40.24/0 laddr 172.20.40.24/0 (manager)


Anyone have an idea? I'm wondering if there is a route set up wrong on the SiteB router, but it's not letting me in, so I might have to go onsite and console into the stupid thing tomorrow afternoon.
 
Do you have a return route to the ASA for the VPN address block on both of your 1841's?
 
Yeah, I double-checked that last night and it's there.

ip route 10.169.254.32 255.255.255.224 172.20.20.254 on RouterA

ip route 10.169.254.32 255.255.255.224 s0/0/0 on RouterB
 
I don't think I need to hairpin this guy, though, since there is no site-to-site VPN. They are connected via a P2P T1 line.

Here's a diagram I drew up quick:

[diagram: vpnissues01.jpg, posted by captcolonoscopy on 2010-04-01]
 
Well, the mighty maggot helped me get this fixed finally tonight. I had the subnet mask for the router at SiteB wrong for the 10.169.254.32 network route. Oops.
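Added example, not from the thread or from either poster: a small Python model of the static routing and NAT-exemption state described in the first post, built so you can check the return path for every address in the VPN pool rather than only the one that shows up in the log. The ASA routes, the nat0 ACL, the pool and the two 1841 pool routes are taken from the posts. Everything else is an assumption made to complete the model: the inter-site routes on the 1841s (the post only says the sites reach each other over the T1), RouterB's interface-only route modelled as next hop 10.169.254.1, the SiteB desktop's gateway being RouterB, and the specific wrong mask on RouterB (the thread only says it was wrong).

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

IPv4 = ipaddress.IPv4Address
Route = Tuple[str, Optional[str]]   # (prefix, next hop); next hop None = directly connected

VPN_POOL = ipaddress.ip_network("10.169.254.32/27")   # ip local pool VPN_POOL .33-.62 mask .224

# nat (INSIDE) 0 access-list INSIDE_nat0_outbound from the post, as (source, destination) pairs.
NAT0_ACL: List[Tuple[str, str]] = [
    ("172.20.20.0/24", "10.169.254.32/27"),
    ("172.20.40.0/24", "10.169.254.32/27"),   # the line the poster added to clear the 305013 messages
    ("172.20.20.0/24", "172.20.40.0/24"),
]


def build_devices(routerb_pool_route: str) -> Dict[str, dict]:
    """Static tables for the three hops between the VPN pool and SiteB.
    Entries marked 'assumed' are not shown in the thread."""
    return {
        "ASA-A": {
            "addrs": ["172.20.20.254"],
            "routes": [
                ("172.20.20.0/24", None),               # INSIDE, connected
                ("10.169.254.32/27", None),             # VPN clients, reached through the tunnel
                ("10.169.254.0/30", "172.20.20.1"),     # route INSIDE 10.169.254.0 ... (post)
                ("172.20.40.0/24", "172.20.20.1"),      # route INSIDE 172.20.40.0 ... (post)
            ],
        },
        "RouterA": {
            "addrs": ["172.20.20.1", "10.169.254.1"],
            "routes": [
                ("172.20.20.0/24", None),
                ("10.169.254.0/30", None),
                ("172.20.40.0/24", "10.169.254.3"),     # assumed: SiteB over the T1
                ("10.169.254.32/27", "172.20.20.254"),  # ip route ... 172.20.20.254 (post)
            ],
        },
        "RouterB": {
            "addrs": ["172.20.40.1", "10.169.254.3"],
            "routes": [
                ("172.20.40.0/24", None),
                ("10.169.254.0/30", None),
                ("172.20.20.0/24", "10.169.254.1"),     # assumed: SiteA over the T1
                (routerb_pool_route, "10.169.254.1"),   # pool route; 's0/0/0' modelled as next hop .1 (assumed)
            ],
        },
    }


def lookup(routes: List[Route], dst: IPv4) -> Optional[Tuple[ipaddress.IPv4Network, Optional[str]]]:
    """Longest-prefix match over one static table."""
    best = None
    for prefix, nh in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best


def owner_of(devices: Dict[str, dict], addr: IPv4) -> Optional[str]:
    """Which modelled device holds this interface address, if any."""
    for name, dev in devices.items():
        if any(ipaddress.ip_address(a) == addr for a in dev["addrs"]):
            return name
    return None


def trace(devices: Dict[str, dict], first_hop: str, dst, max_hops: int = 8) -> List[str]:
    """Walk the static tables hop by hop; the last element is DELIVERED, NO ROUTE or LOOP."""
    dst = ipaddress.ip_address(dst)
    path, dev = [], first_hop
    for _ in range(max_hops):
        path.append(dev)
        hit = lookup(devices[dev]["routes"], dst)
        if hit is None:
            return path + ["NO ROUTE"]
        if hit[1] is None:                          # connected network: delivered
            return path + ["DELIVERED"]
        nxt = owner_of(devices, ipaddress.ip_address(hit[1]))
        if nxt is None:
            return path + ["NO ROUTE"]              # next hop is not a device we model
        dev = nxt
    return path + ["LOOP"]


def undeliverable_pool_addresses(devices: Dict[str, dict], pool=VPN_POOL) -> List[str]:
    """Pool addresses a SiteB host (gateway RouterB, assumed) cannot reply to.
    Checking the whole pool, not just the one client in the log, is what exposes a wrong mask."""
    return [str(a) for a in pool.hosts() if trace(devices, "RouterB", a)[-1] != "DELIVERED"]


def nat0_covers(acl: List[Tuple[str, str]], src: str, dst: str) -> bool:
    """True if the nat0 exemption matches this (src, dst) pair. The ASA evaluates the reply
    direction as well, which is why both INSIDE subnets need a line towards the pool."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in ipaddress.ip_network(a) and d in ipaddress.ip_network(b) for a, b in acl)


if __name__ == "__main__":
    good = build_devices("10.169.254.32/27")   # 255.255.255.224, as posted
    bad = build_devices("10.169.254.32/30")    # assumed typo: covers only .32-.35
    print("forward, .33 -> 172.20.40.24:", trace(good, "ASA-A", "172.20.40.24"))
    print("reverse, correct mask, unreachable:", undeliverable_pool_addresses(good))
    print("reverse, wrong mask, unreachable:", undeliverable_pool_addresses(bad))
    print("nat0 covers reply 172.20.40.24 -> .33:", nat0_covers(NAT0_ACL, "172.20.40.24", "10.169.254.33"))
```

The forward trace succeeds with either RouterB route, which is exactly why the ASA shows a connection being built and then torn down: the echo request reaches SiteB, and only the reply has nowhere to go. Dropping the second nat0 line reproduces the earlier failure mode, where the reply flow is not exempted and the ASA refuses the connection before routing is even consulted.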
 
Nice to know you work slowly... 2 months to fix the ASA problem ;) Come on man!
 
Hey, it was for a non-profit and not getting paid for the job. I honestly forgot about it until last night and started bugging xphile about taking a look. Turned out I was missing something stupid and I just needed someone else to look at it and then I fingered it out.
 