07-28-2009 08:22 PM - edited 03-11-2019 09:00 AM
Hi Team,
Can you please assist me with the following.
I have an ASA5510 with the configuration below:
Inside:10.30.0.x/24
VPN:10.1.48.218
Outside:a.a.a.a
Internet connectivity is working perfectly fine with NAT translation.
The VPN interface connects to a VPN link and the destination network is 10.10.10.x/24. I have configured the interface and routing in the ASA but have no luck reaching the destination network 10.10.10.x/24. I do not want traffic to be NATed when it goes out the VPN link through the VPN interface.
Running config below:
----------------------
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address a.a.a.a 255.255.255.252
!
interface Ethernet0/1
description Inside Network
nameif inside
security-level 100
ip address 10.30.0.1 255.255.255.0
!
interface Ethernet0/2
description VPN
nameif VPN
security-level 0
ip address 10.1.48.218 255.255.255.252
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
name-server m.m.m.m
domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object gre
access-list out extended permit tcp any host a.a.a.a eq 3389 log disable
access-list out extended permit icmp any any
access-list out extended permit gre any 10.30.0.0 255.255.255.0
access-list out extended permit ip any 10.30.0.0 255.255.255.0
access-list inside extended permit icmp any any
access-list inside_access_in extended permit icmp 10.30.0.0 255.255.255.0 any
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 10.30.0.0 255.255.255.0 any
access-list VPN_access_in extended permit ip any 10.30.0.0 255.255.255.0 log disable
pager lines 24
logging enable
logging asdm critical
mtu outside 1500
mtu inside 1500
mtu management 1500
mtu VPN 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 x.x.x.x 3389 netmask 255.255.255.255
access-group out in interface outside
access-group inside_access_in in interface inside
access-group VPN_access_in in interface VPN
route outside 0.0.0.0 0.0.0.0 b.b.b.b 1
route inside 10.10.10.0 255.255.255.0 10.1.48.217 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
----------------------
Thanks
07-28-2009 09:50 PM
Looks like a NAT issue, but you will get a clearer picture by looking at the logs.
You should also try NAT exemption:
hostname(config)# access-list EXEMPT extended permit ip 10.30.0.0 255.255.255.0 10.10.10.0 255.255.255.0
hostname(config)# nat (inside) 0 access-list EXEMPT
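As an added illustration (not from the thread, and not a Cisco tool), a hypothetical Python checker that parses a constructed excerpt of the posted config and flags both problems the replies point at: a static route bound to an interface that does not own the next hop, and dynamic NAT with no nat 0 exemption covering the remote network.

```python
import ipaddress

# Constructed excerpt of the running config posted above (placeholder
# addresses and unrelated lines dropped).  The checker is a hypothetical
# helper written for this thread, not ASA or ASDM functionality.
CONFIG = """
interface Ethernet0/1
 nameif inside
 ip address 10.30.0.1 255.255.255.0
interface Ethernet0/2
 nameif VPN
 ip address 10.1.48.218 255.255.255.252
nat (inside) 1 0.0.0.0 0.0.0.0
route inside 10.10.10.0 255.255.255.0 10.1.48.217 1
"""

def _acl_net(t, k):
    """Decode the ACL operand at t[k]: 'any', 'host A', or 'NET MASK'."""
    if t[k] == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t[k] == "host":
        return ipaddress.ip_network(t[k + 1])
    return ipaddress.ip_network(f"{t[k]}/{t[k + 1]}", strict=False)

def parse(cfg):
    """Return (interface subnets, static routes, nat-0 ACL names, ACL dest nets)."""
    ifaces, routes, exempt, acl_dst, name = {}, [], [], {}, None
    for line in cfg.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "nameif":
            name = t[1]
        elif t[:2] == ["ip", "address"] and name:
            ifaces[name] = ipaddress.ip_interface(f"{t[2]}/{t[3]}").network
        elif t[0] == "route":
            routes.append((t[1], ipaddress.ip_network(f"{t[2]}/{t[3]}"),
                           ipaddress.ip_address(t[4])))
        elif t[0] == "nat" and t[2] == "0" and t[3] == "access-list":
            exempt.append(t[4])                      # nat (inside) 0 access-list X
        elif t[0] == "access-list" and "permit" in t and t[t.index("permit") + 1] == "ip":
            i = t.index("permit") + 2                # source operand starts here
            i += 1 if t[i] == "any" else 2           # skip 'any' or 'host A' / 'NET MASK'
            acl_dst.setdefault(t[1], []).append(_acl_net(t, i))
    return ifaces, routes, exempt, acl_dst

def findings(cfg, dest):
    """List the misconfigurations discussed in the thread for remote network `dest`."""
    dest = ipaddress.ip_network(dest)
    ifaces, routes, exempt, acl_dst = parse(cfg)
    out = []
    for ifname, net, gw in routes:
        if net == dest and (ifname not in ifaces or gw not in ifaces[ifname]):
            on = [n for n, s in ifaces.items() if gw in s]
            out.append(f"route {net} bound to '{ifname}' but gateway {gw} is on {on}")
    if not any(dest.subnet_of(n) for a in exempt for n in acl_dst.get(a, [])):
        out.append(f"no nat 0 exemption covers {dest}; inside traffic will be PATed")
    return out
```

Run `findings(CONFIG, "10.10.10.0/24")` to see both findings; after changing the route to the VPN interface and adding the EXEMPT access-list with `nat (inside) 0`, the list comes back empty.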
07-28-2009 08:48 PM
Is this route statement correct: "route inside 10.10.10.0 255.255.255.0 10.1.48.217 1"?
Shouldn't it be "route VPN 10.10.10.0 255.255.255.0 10.1.48.217 1" instead?
07-28-2009 09:11 PM
Sorry about that. Yes, the route is
route VPN 10.10.10.0 255.255.255.0 10.1.48.217 1
I tried changing it to check whether it works.
It is back on
route VPN 10.10.10.0 255.255.255.0 10.1.48.217 1
now.
Do you think it would be a NAT-related issue, as packets get NATed first?
Thanks,