
Out of the blue - I'm starting to have an odd VPN issue. Our main location has several branches - and we have users that connect from home. We have an ASA 5510 and the branches have ASA 5505's. Users typically use the Cisco IPSEC client. My users suddenly cannot see the branch locations when connecting to the VPN from home. They can only see the main location. I've been pulling my hair out and I can't seem to figure out why. Any ideas where I can start looking? My ACL's haven't changed and I've even rebuilt a branch VPN to ensure that all of my tunneling is OK. Thanks so much.

asked 12/09/2011 09:25


prlit ♦♦


5 Answers:
Have you done any changes in policy for branch locations or remote users?

If not, then do one thing: please check whether the following ports are opened or not; if not, please open them.

isakmp-4500    source port 4500    destination port 4500    udp (protocol)
isakmp-500     source port 500     destination port 500     udp (protocol)
vpn-esp                                                     esp (protocol)

You can open the NetBIOS ports (137, 138, 445) and netbios-ssn TCP and netbios-ssn UDP (139).

If you have an antivirus server in all the remote locations, please disable them while testing; if this is not possible, at least disable the firewall in the antivirus server.

Is ICMP allowed in the VPN?
If not, please allow the same.

If your branches are using the Windows operating system, if possible please run the network setup wizard once again.

answered


diprajbasu

ICMP is allowed, ports are opened. Let me try to explain it some more with some examples

VPN pool - 192.168.253.x
Corporate pool - 192.168.1.x
branch pool - 192.168.31.x

Corporate and Branch are connected via site to site VPN, no traffic issues there. VPN can access the corporate network without issue (1.x), however I can't see the branch pool (31.x).

I've double checked to make sure VPN ACLs matched, nat exempts, etc. I haven't made a single change to the corporate router at all, nor have I with any branch router. (We have 50+ branches, luckily only 3 need to be accessed in the above sense).

answered 2011-12-09 at 23:09:55


prlit

I should also state, when I run the Packet Tracer in the ASDM, it says the packet is allowed.

answered 2011-12-12 at 07:32:32


prlit

Figured this out. Somehow, same-security-traffic permit intra-interface was missing from my config. It was there previously, so not sure how it was removed. Thanks. Cheers.

answered 2011-12-12 at 07:35:49


prlit

same-security-traffic permit intra-interface


answered 2011-12-12 at 08:40:22


prlit
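The pieces that have to line up for remote-access clients to reach a branch through the corporate ASA, as an added configuration example (not the poster's config). It assumes ASA 8.3+ object NAT syntax, interface names "outside"/"inside", and the object, ACL and group-policy names shown; the address ranges are the ones given in the thread.

```cisco
! Added example, not from the original thread. Assumed ASA 8.3+ syntax.
! Assumed ranges from the thread: VPN pool 192.168.253.0/24,
! corporate LAN 192.168.1.0/24, branch LAN 192.168.31.0/24.
! Object, ACL and group-policy names below are assumptions.

! 1. Hairpinning: remote-access traffic arrives on "outside" and must leave
!    "outside" again into the site-to-site tunnel. Without this line the ASA
!    drops it even though every ACL permits it, matching the symptom above.
same-security-traffic permit intra-interface

object network VPN_POOL
 subnet 192.168.253.0 255.255.255.0
object network BRANCH_LAN
 subnet 192.168.31.0 255.255.255.0

! 2. NAT exemption for the outside-to-outside (VPN pool -> branch) flow.
!    Pre-8.3 code uses "nat (outside) 0 access-list ..." instead.
nat (outside,outside) source static VPN_POOL VPN_POOL destination static BRANCH_LAN BRANCH_LAN

! 3. The site-to-site crypto ACL on the corporate ASA must include the VPN
!    pool; the branch ASA's crypto ACL must mirror it (31.x -> 253.x).
access-list L2L_BRANCH extended permit ip 192.168.1.0 255.255.255.0 192.168.31.0 255.255.255.0
access-list L2L_BRANCH extended permit ip 192.168.253.0 255.255.255.0 192.168.31.0 255.255.255.0

! 4. Split-tunnel list pushed to the IPsec clients so 31.x enters the tunnel.
access-list SPLIT_TUNNEL standard permit 192.168.1.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 192.168.31.0 255.255.255.0
group-policy RA_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL

! Verification (hypothetical host addresses): confirm the hairpin setting is
! present, trace a client-to-branch packet, and watch the branch SA counters.
show running-config same-security-traffic
packet-tracer input outside tcp 192.168.253.10 1024 192.168.31.10 445
show crypto ipsec sa peer <branch-peer-ip>
```

Note that packet-tracer can report "allow" for the ACL phases while the hairpin is still rejected; checking the same-security-traffic line directly is the quicker test for the failure described in this thread.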

Last updated: 12/16/2011 05:19