Site to Site VPN Problem

X-No-Archive: yes Hi

Have a site to site VPN problem The network servers are Microsoft windows server both 2000 and 2003.

At the remote site using an ASA to ASA VPN clients could pick up email from an exchange server buy not send email.

The site with the exchange server could VNC to the machine that could not send email

When one browsed the network one could see only local machines. The domain controller at the remote site had lots of id event 1311 in the directory log.

Machines could not connect to an SQL server using active directory credentials but could get to a web site on the same machine.

Change the remote site to A PIX 501 solved the problem

Mugged config of remote site

Thanks in advance for any help

: Saved : ASA Version 7.2(2) ! hostname domain-name l enable password no names name 10.0.20.0 mainsite name 10.0.50.0 site a name 10.0.50.2 caffreys ! interface Vlan1 nameif inside security-level 100 ip address 10.0.50.1 255.255.255.0 ! interface Vlan2 nameif outside security-level 0 ip address aa.bb.nn.mm 255.255.255.248 ! interface Ethernet0/0 switchport access vlan 2 ! interface Ethernet0/1 ! interface Ethernet0/2 ! interface Ethernet0/3 ! interface Ethernet0/4 ! interface Ethernet0/5 ! interface Ethernet0/6 ! interface Ethernet0/7 ! passwd ftp mode passive dns server-group DefaultDNS domain-name object-group service std tcp port-object eq domain port-object eq ftp port-object eq ftp-data port-object eq www port-object eq https object-group service Domain tcp-udp port-object eq domain access-list inside_access_in extended permit tcp any any object-group std access-list inside_access_in extended permit udp host 10.0.50.2 any eq domain access-list inside_access_in extended permit tcp host 10.0.50.2 any eq domain access-list inside_access_in extended permit ip 10.0.50.0 255.255.255.0

10.0.20.0 255.255.255.0 access-list outside_20_cryptomap extended permit ip 10.0.50.0 255.255.255.0 10.0.20.0 255.255.255.0 access-list inside_nat0_outbound extended permit ip 10.0.50.0 255.255.255.0 10.0.20.0 255.255.255.0 access-list outside_access_in extended permit ip 10.0.20.0 255.255.255.0 10.0.50.0 255.255.255.0 access-list outside_20_cryptomap_1 extended permit ip 10.0.50.0 255.255.255.0 10.0.20.0 255.255.255.0 pager lines 24 logging enable logging asdm informational mtu inside 1500 mtu outside 1500 icmp unreachable rate-limit 1 burst-size 1 asdm image disk0:/asdm-522.bin no asdm history enable arp timeout 14400 global (outside) 1 interface nat (inside) 0 access-list inside_nat0_outbound nat (inside) 1 0.0.0.0 0.0.0.0 access-group inside_access_in in interface inside access-group outside_access_in in interface outside route inside 10.0.20.0 255.255.255.0 10.0.50.33 1 route outside 0.0.0.0 0.0.0.0 aa.bb.nn.pp 1 timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout uauth 0:05:00 absolute group-policy DfltGrpPolicy attributes banner none wins-server none dns-server none dhcp-network-scope none vpn-access-hours none vpn-simultaneous-logins 3 vpn-idle-timeout 30 vpn-session-timeout none vpn-filter none vpn-tunnel-protocol IPSec password-storage disable ip-comp disable re-xauth disable group-lock none pfs disable ipsec-udp disable ipsec-udp-port 10000 split-tunnel-policy tunnelall split-tunnel-network-list none default-domain none split-dns none intercept-dhcp 255.255.255.255 disable secure-unit-authentication disable user-authentication disable user-authentication-idle-timeout 30 ip-phone-bypass disable leap-bypass disable nem disable backup-servers keep-client-config msie-proxy server none msie-proxy method no-modify msie-proxy except-list none msie-proxy local-bypass disable nac disable nac-sq-period 300 nac-reval-period 36000 nac-default-acl none address-pools none client-firewall none client-access-rule none webvpn functions url-entry html-content-filter none homepage none keep-alive-ignore 4 http-comp gzip filter none url-list none customization value DfltCustomization port-forward none port-forward-name value Application Access sso-server none deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information svc none svc keep-installer installed svc keepalive none svc rekey time none svc rekey method none svc dpd-interval client none svc dpd-interval gateway none svc compression deflate url-server (inside) vendor websense host 10.0.20.8 timeout 30 protocol UDP version 4 filter url 443 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow http server enable

no snmp-server location no snmp-server contact snmp-server enable traps snmp authentication linkup linkdown coldstart crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac crypto map outside_map 20 match address outside_20_cryptomap_1 crypto map outside_map 20 set peer xx.yy.bb.cc crypto map outside_map 20 set transform-set ESP-3DES-MD5 crypto map outside_map interface outside crypto isakmp enable outside crypto isakmp policy 10 authentication pre-share encryption 3des hash md5 group 2 lifetime 86400 crypto isakmp policy 40 authentication pre-share encryption 3des hash md5 group 1 lifetime 86400 crypto isakmp nat-traversal 20 crypto isakmp ipsec-over-tcp port 10000 tunnel-group xx.yy.bb.cc type ipsec-l2l tunnel-group xx.yy.bb.cc ipsec-attributes pre-shared-key * peer-id-validate nocheck pre-shared-key * telnet 0.0.0.0 0.0.0.0 inside telnet timeout 5 ssh timeout 5 console timeout 0 management-access inside dhcpd auto_config outside ! dhcpd address 10.0.50.2-10.0.50.33 inside dhcpd dns 10.0.20.12 10.0.20.16 interface inside dhcpd lease 360000 interface inside dhcpd domain lowery interface inside dhcpd option 3 ip 10.0.50.1 interface inside !

! class-map inspection_default match default-inspection-traffic ! ! policy-map type inspect dns preset_dns_map parameters message-length maximum 512 policy-map global_policy class inspection_default inspect dns preset_dns_map inspect ftp inspect h323 h225 inspect h323 ras inspect rsh inspect rtsp inspect esmtp inspect sqlnet inspect skinny inspect sunrpc inspect xdmcp inspect sip inspect netbios inspect tftp ! service-policy global_policy global prompt hostname context

Perhaps you need the command:

same-security-traffic permit intra-interface

Unless miss understand the command I do not think it would help our set up is

Email------ASA-------Internet-------ASA------Client Server

I believe that command would make all sites communicate in the following set up

Email------ASA------Internet-------ASA-------Client Server | | |----------ASA-------Client

To clarify At the remote site using an ASA to ASA VPN, clients on the remote network could pick up email from an exchange server but not send email

Peter

How do the clients connect to the exchange server? Are they using POP3 or exchange profile?

One thing to also try is from a client on the remote end, open a DOS prompt and try to telnet to the server:

telnet 1.1.1.1 25

Where 1.1.1.1 is the IP of the exchange server, do you get the SMTP banner?

Exchange profile

Unfortunately I did not try that. Put ping worked fine.

An other problem was that if I tried to synchronize with the time server at the main Site I got various net work errors. such as network error

121. These cleared once a pix was used.

Also two laptops that had been used at other sites could collect mail. It was not IP dependent as if I took one laptop off the network and gave another machine its IP address that machine still could not send mail. If I gave the laptop another IP it still could send mail. I do wonder if it was a problem with netbios encapsulated as TCIP.

Currently Left Pix in place so people can work. Like to sort problem before I try the ASA again

Thanks

Peter

Ping could work all day. ICMP is not TCP, please test the telnet and post the results.

Unfortunaly I cannot do that test as I need to get the site up and working.

The main site cold establish a VNC connection on port 5900. So there seamed to be TCP connectivity. Just remembered Outlook webmail worked is you typed in the IP address of the mail server but no the server Main in a browser.

Peter

X-No-Archive: yes

Chad Mahoney wrote: > Peter Simons wrote: >>

Unfortunaly I cannot do that test as I need to get the site up and working.

The main site cold establish a VNC connection on port 5900. So there seamed to be TCP connectivity. Just remembered Outlook webmail worked is you typed in the IP address of the mail server but not the server name in a browser.

Peter

2 things

1. If you can connect to resources across the tunnel via the IP address but not host name, then you have DNS problems. DNS is not TCP it is UDP.

2. Are you using RPC over HTTP? Cache Mode?

I see you are using this ACL on the ASA for communication between the sites:

access-list inside_nat0_outbound extended permit ip 10.0.50.0

255.255.255.0 10.0.20.0 255.255.255.0

So you are allowing 10.0.50.0/24 to 10.0.200/24 but I do not see where you are allowing 10.0.20.0/24 into the 10.0.50.0/24 network. Are you syslogging the ASA, can you capture some traffic and post it?

its not a DNS problem as the server name was resolving correctly

neither as we use outlook 2000

if you look at Config access-list outside_access_in extended permit ip 10.0.20.0

255.255.255.0 10.0.50.0 255.255.255.0

and access-list inside_access_in extended permit ip 10.0.50.0 255.255.255.0

10.0.20.0 255.255.255.0

Packet trace is all OK.

I think I will need to do some weekend working to get recored sys log info. Just used debug mode instead of to a sysloger

I also think that the problem may be that the Local Domain controller and global catalog server was out of phase with the domain controller at the main site. Due to the other sytptoms such as not being able to log into an SQL databse.

Thanks for your

Help

Peter

While that may be the case you are not applying that ACL to your no nat statement:

nat (inside) 0 access-list inside_nat0_outbound

so the only ACL being excluded from NAT is those that are labeled with inside_nat0_outbound

access-group inside_access_in in interface inside is being applied to traffic from the internal network to the external, it says nothing about traffic arriving at your external interface trying to come inbound, such as your VPN traffic.