Cisco – Unable to connect via VPN to remote network

cisco · cisco-asa · vpn

PROBLEM: I'm unable to connect via VPN to our production network while connected to my home wireless network.

SETUP:

Internet
|
ISP router at home
|
Cisco ASA 5505 firewall
|
Buffalo wireless router/firewall
|
Wirelessly connected devices (iPhone and laptop)

  • Guest wireless on ASA 5505.
  • Guest wireless network on ASA 5505 is 172.16.1.0/24.
  • LAN network on ASA 5505 is 172.16.2.0/24.
  • Home wireless on Buffalo router.
  • Home wireless network on Buffalo is 172.16.3.0/24.

SYMPTOMS:

  • My PC connected to a switch port on the ASA 5505 can connect via VPN to our production network.
  • Devices connecting to the guest wireless on the ASA 5505 can connect via VPN.
  • Devices connecting to the home wireless on the Buffalo router can't connect via VPN.
  • All devices can connect to various Internet sites, i.e. Yahoo, Google, etc.

THOUGHTS?

  • Can you connect to a remote VPN endpoint with several NATs in between?
  • Is this a NAT issue of some kind? How would I validate that?
  • Am I violating a design best practice?
  • What should be my next steps to troubleshoot/resolve this?

CLARIFICATION:
– IPSec connectivity works throughout the network.
– PPTP connectivity works through all but the Buffalo wireless.

Best Answer

If both the Buffalo and the 5505 are doing NAT then yes you are bypassing best practices.

Unless you need the further level of security, I would look to disable the routing abilities of the Buffalo and use it just as a wireless AP (as that is why I'm guessing you have it).

This may be as simple as turning off the DHCP server on the Buffalo and plugging the ASA into a LAN port on the Buffalo rather than the WAN port.

In terms of why your VPN doesn't work behind the Buffalo, I am guessing it is blocking the VPN traffic; make sure that the Buffalo has something like 'VPN passthrough' enabled.
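One practical way to answer the "Is this a NAT issue? How would I validate that?" question from the post, and to confirm that the answer's "use the Buffalo as a plain AP" change actually removed a NAT layer, is to count how many private-address router hops a client crosses before its traffic reaches a public address. The script below is an added example, not code from the original question or answer. It assumes `traceroute -n` style output (numeric hops, one line per hop), and every hop address in the two samples is constructed: the "before" path mimics a laptop on the Buffalo wireless (172.16.3.0/24) passing the Buffalo, the ASA and the ISP router, while the "after" path mimics the same laptop once the Buffalo is only bridging. A private gateway hop is a strong hint of a NAT layer on a home network, but it is only a hint: a router can forward private ranges without translating them, so the count is reported as "suspected" NAT layers, not proven ones.

```python
import ipaddress
import re
import subprocess
from typing import Dict, List, Optional

# Address ranges a home client should never see on the public Internet.
# CGNAT (100.64.0.0/10) is listed explicitly because some ISPs place the
# home router behind their own translation, which adds yet another layer.
PRIVATE_GATEWAY_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("100.64.0.0/10"),
]

# Constructed sample: laptop on the Buffalo wireless before any change.
# Hops: Buffalo (172.16.3.1) -> ASA (172.16.2.1) -> ISP router (192.168.1.1)
# -> a timed-out hop -> first public address (documentation range, constructed).
SAMPLE_BEFORE = """\
traceroute to 192.0.2.10 (192.0.2.10), 30 hops max, 60 byte packets
 1  172.16.3.1  1.2 ms  1.1 ms  1.0 ms
 2  172.16.2.1  2.3 ms  2.1 ms  2.0 ms
 3  192.168.1.1  3.4 ms  3.2 ms  3.1 ms
 4  * * *
 5  203.0.113.1  12.5 ms  12.1 ms  11.9 ms
"""

# Constructed sample: same laptop after the Buffalo is used as an AP only
# (DHCP off, ASA plugged into a LAN port), so the ASA is now the first hop.
SAMPLE_AFTER = """\
traceroute to 192.0.2.10 (192.0.2.10), 30 hops max, 60 byte packets
 1  172.16.2.1  1.9 ms  1.8 ms  1.8 ms
 2  192.168.1.1  3.0 ms  2.9 ms  2.8 ms
 3  203.0.113.1  11.7 ms  11.4 ms  11.2 ms
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)")


def hop_addresses(traceroute_text: str) -> List[Optional[ipaddress.IPv4Address]]:
    """Parse traceroute -n output into one entry per hop (None for '*' timeouts)."""
    hops: List[Optional[ipaddress.IPv4Address]] = []
    for line in traceroute_text.splitlines():
        match = HOP_RE.match(line)
        if not match:
            continue  # header line such as "traceroute to ..."
        token = match.group(2)
        try:
            addr = ipaddress.ip_address(token)
        except ValueError:
            hops.append(None)  # '*' or a hostname when -n was not used
            continue
        hops.append(addr if addr.version == 4 else None)
    return hops


def is_private_gateway(addr: ipaddress.IPv4Address) -> bool:
    """True if the hop sits in an RFC1918 or CGNAT range."""
    return any(addr in net for net in PRIVATE_GATEWAY_RANGES)


def leading_private_hops(hops: List[Optional[ipaddress.IPv4Address]]) -> int:
    """Count private router hops before the first public address.

    Timed-out hops are skipped rather than treated as a boundary, because a
    router that drops ICMP TTL-exceeded replies still forwards the traffic.
    """
    count = 0
    for hop in hops:
        if hop is None:
            continue
        if not is_private_gateway(hop):
            break
        count += 1
    return count


def diagnose(traceroute_text: str) -> Dict[str, object]:
    """Summarise a traceroute: how many private hops, and whether stacked NAT is likely."""
    private_hops = leading_private_hops(hop_addresses(traceroute_text))
    return {
        "private_hops": private_hops,
        # Heuristic only: each private gateway on a home path is usually a NAT,
        # but a routed (non-translating) hop would inflate this number.
        "multiple_nat_suspected": private_hops > 1,
    }


def run_traceroute(target: str) -> str:
    """Run a live traceroute (Linux/BSD 'traceroute -n'); the caller parses the text."""
    result = subprocess.run(["traceroute", "-n", "-q", "1", target],
                            capture_output=True, text=True, check=False)
    return result.stdout


if __name__ == "__main__":
    for label, sample in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label, diagnose(sample))
```

Run it against the constructed samples first; the "before" path reports three suspected NAT layers and the "after" path two. On a real network, replace the samples with `run_traceroute("<vpn-endpoint>")` and compare the count from a client on the Buffalo wireless with the count from a PC on an ASA switch port: if the Buffalo client shows one more private hop, the Buffalo is adding a translation (or routing) layer that the ASA-connected PC does not cross, which is exactly the difference the symptoms describe.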