<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Remote connect through VPN, through backup interface? in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/remote-connect-through-vpn-through-backup-interface/m-p/3310942#M998703</link>
    <description>Hi &lt;BR /&gt;&lt;BR /&gt;What you want is to access devices behind the backup interface from the VPN, right?&lt;BR /&gt;In the NAT you inverted, why are you using inside instead of outside?&lt;BR /&gt;</description>
    <pubDate>Sun, 14 Jan 2018 02:28:34 GMT</pubDate>
    <dc:creator>Francesco Molino</dc:creator>
    <dc:date>2018-01-14T02:28:34Z</dc:date>
    <item>
      <title>Remote connect through VPN, through backup interface?</title>
      <link>https://community.cisco.com/t5/network-security/remote-connect-through-vpn-through-backup-interface/m-p/3310907#M998697</link>
      <description>&lt;P&gt;I have a 5506-X to be used with a cellular modem attached to a 2nd interface for redundancy. The ASA is using IKEv1 for redundant tunnels as well. Through the VPN I can connect to the inside interface of the ASA as well as devices behind it.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;What I would like to do is connect to the cell modem as well that is directly connected to the 'backup' interface.&amp;nbsp; I sorted out asymmetric NAT errors, but now I am stuck. I don't know if what I am trying to accomplish is beyond the scope of what the ASA will allow.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Essentially I will be connecting through a tunnel to its "outside" interface to egress out the "backup" interface to collect data (SNMP) and return from backup to outside to the tunnel. Feels like I am missing something minor that I overlooked.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;PRE&gt;interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 8.x.xx.xx 255.255.255.248 
!
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 10.190.3.1 255.255.255.0 
!
interface GigabitEthernet1/8
 nameif backup
 security-level 0
 ip address 10.12.3.2 255.255.255.248 
!
access-list RVW extended permit ip host 10.190.3.1 host 10.50.6.20 
access-list RVW extended permit ip host 10.12.3.1 host 10.50.6.20  
access-list RVW extended permit ip host 10.12.3.2 host 10.50.6.20  
!
nat (inside,outside) source static obj-10.190.3.1 obj-10.190.3.1 destination static obj-10.10.6.150 obj-10.50.6.20 no-proxy-arp route-lookup
nat (backup,outside) source static obj-10.12.3.1 obj-10.12.3.1 destination static obj-10.50.6.20 obj-10.50.6.20 no-proxy-arp route-lookup
nat (backup,outside) source static obj-10.12.3.2 obj-10.12.3.2 destination static obj-10.50.6.20 obj-10.50.6.20 no-proxy-arp route-lookup
&lt;/PRE&gt;
&lt;P&gt;I reversed the NAT to:&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;PRE&gt;nat (inside,backup) source static obj-10.50.6.20 obj-10.50.6.20 destination static obj-10.12.3.1 obj-10.12.3.1 no-proxy-arp route-lookup
nat (inside,backup) source static obj-10.50.6.20 obj-10.50.6.20 destination static obj-10.12.3.2 obj-10.12.3.2 no-proxy-arp route-lookup&lt;/PRE&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;And the best I get so far is: "Failed to locate egress interface for ICMP from outside:10.50.6.20/29733 to 10.12.3.2/0"&lt;/P&gt;</description>
      <pubDate>Fri, 21 Feb 2020 15:08:10 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/remote-connect-through-vpn-through-backup-interface/m-p/3310907#M998697</guid>
      <dc:creator>seanwaite</dc:creator>
      <dc:date>2020-02-21T15:08:10Z</dc:date>
    </item>
    <item>
      <title>Re: Remote connect through VPN, through backup interface?</title>
      <link>https://community.cisco.com/t5/network-security/remote-connect-through-vpn-through-backup-interface/m-p/3310942#M998703</link>
      <description>Hi &lt;BR /&gt;&lt;BR /&gt;What you want is to access devices behind the backup interface from the VPN, right?&lt;BR /&gt;In the NAT you inverted, why are you using inside instead of outside?&lt;BR /&gt;</description>
      <pubDate>Sun, 14 Jan 2018 02:28:34 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/remote-connect-through-vpn-through-backup-interface/m-p/3310942#M998703</guid>
      <dc:creator>Francesco Molino</dc:creator>
      <dc:date>2018-01-14T02:28:34Z</dc:date>
    </item>
  </channel>
</rss>

