09-13-2013 07:52 AM - edited 03-11-2019 07:38 PM
So, we have put in a branch with only an ASA. We want to be able to reach the inside interface of the ASA, so that we can use tools for network monitoring, etc. on it.
The inside interface is unreachable from remote VPN locations, though can be reached from inside, and all inside hosts are reachable from the VPN... I have the same-security interface commands in place, but still no go...
I'm missing something, but the nat commands I'm finding are for older versions, and I'm not sure where the problem occurs. Any help/suggestions are appreciated...
Relevant parts of the config (I think I have them all) listed below:
: Saved
:
ASA Version 8.4(5)
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
speed 100
duplex full
!
interface Vlan1
description LAN_NETWORK
!
interface Vlan2
nameif outside
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object-group network REMOTE_NETWORKS
description REMOTE LOCAL NETWORKS
network-object 10.15.6.0 255.255.254.0
object-group network LAN_NETWORKS
network-object 10.1.3.0 255.255.255.0
access-list CORPORATE_VPN_ACL extended permit ip object-group REMOTE_NETWORKS object-group LAN_NETWORKS
access-list INSIDE_NONAT extended permit ip object-group REMOTE_NETWORKS object-group LAN_NETWORKS
ip verify reverse-path interface inside
ip verify reverse-path interface outside
nat (inside,outside) source static REMOTE_NETWORKS REMOTE_NETWORKS destination static LAN_NETWORKS LAN_NETWORKS
nat (inside,outside) source static REMOTE_NETWORKS REMOTE_NETWORKS destination static NETWORK_MGMT NETWORK_MGMT route-lookup
nat (inside,outside) source dynamic any interface
!
object network obj_any
nat (inside,outside) dynamic interface
09-13-2013 08:00 AM
Hi,
The general form of NAT you should use for the L2L VPN connections is
object network LAN
subnet
object network REMOTE-LAN
subnet
nat (inside,outside) source static LAN LAN destination static REMOTE-LAN REMOTE-LAN route-lookup
I can't be sure if your NAT configuration is correct as you have removed the "inside" interface IP address and have not shared the VPN configuration or routing configuration.
- Jouni
09-13-2013 07:55 AM
Hi,
To reach the "inside" interface through a L2L VPN or Client VPN you will have to add the following global configuration
management-access inside
This will enable you to ICMP the "inside" interface from a site that's behind the VPN connection. Otherwise it's not possible.
This will also give you the ability to manage the ASA using the IP address of the "inside" interface through the VPN connection.
Hope this helps
- Jouni
09-13-2013 07:58 AM
Also,
I would like to confirm the NAT configuration you have above.
It states the source interface as "inside" and destination as "outside". Yet it has a source "object" called REMOTE_NETWORKS, which kind of seems strange. But as you say that the connections work through the VPN connection, I guess this "object" name rather means that the network behind "inside" is the network of a remote location?
- Jouni
09-13-2013 08:03 AM
The nat statement is as above right now. Whether it is perfect or not, unknown. Potentially it might need to be inside, inside, but since the VPN connection is to the remote end of the network, not sure what that will affect. Might need some more insight into that ...
09-13-2013 08:06 AM
Hi,
I am not sure what part of this situation is Hairpinning
I understood that you were trying to reach the "inside" interface through the L2L VPN or VPN Client connection.
I would really need to see more configurations to determine if there is any problem with the configurations.
- Jouni
09-13-2013 07:58 AM
management-access inside is already enabled. Not the answer. Thanks for the suggestion though!
09-13-2013 08:06 AM
I think you're getting hung up on the terminology.
Change the word Remote to branch and it makes more sense. Let me try to explain:
: Saved
:
ASA Version 8.4(5) <--- Version on ASA for reference
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
speed 100
duplex full
!
interface Vlan1
description LAN_NETWORK
!
interface Vlan2
nameif outside
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object-group network BRANCHOFFICE_NETWORKS <--- This is the ASA at the Branch Office, so this is its internal network
description BRANCHOFFICE LOCAL NETWORKS
network-object 10.15.6.0 255.255.254.0
object-group network LAN_NETWORKS <--- These are the networks (there are more than this) at the corporate office
network-object 10.1.3.0 255.255.255.0
access-list CORPORATE_VPN_ACL extended permit ip object-group BRANCHOFFICE_NETWORKS object-group LAN_NETWORKS
access-list INSIDE_NONAT extended permit ip object-group BRANCHOFFICE_NETWORKS object-group LAN_NETWORKS
ip verify reverse-path interface inside
ip verify reverse-path interface outside
nat (inside,outside) source static BRANCHOFFICE_NETWORKS BRANCHOFFICE_NETWORKS destination static LAN_NETWORKS LAN_NETWORKS
nat (inside,outside) source static BRANCHOFFICE_NETWORKS BRANCHOFFICE_NETWORKS destination static NETWORK_MGMT NETWORK_MGMT route-lookup
nat (inside,outside) source dynamic any interface
!
object network obj_any
nat (inside,outside) dynamic interface
Thus, I believe the nat statement already covers what you stated.
09-13-2013 08:09 AM
Hi,
What is the source network for the connections that are trying to reach the ASA "inside" interface?
- Jouni
09-13-2013 08:11 AM
Answer is the route-lookup is missing on the end of the nat command.
Fixed nat command is this:
nat (inside,outside) source static BRANCHOFFICE_NETWORKS BRANCHOFFICE_NETWORKS destination static LAN_NETWORKS LAN_NETWORKS route-lookup
Thanks for the help.
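The resolution above comes down to one keyword: on ASA 8.3+ an identity twice-NAT rule without route-lookup makes the ASA pick the egress interface from the rule's mapped interface, so traffic from the VPN aimed at the ASA's own inside address never consults the routing table; route-lookup restores the route-based decision, and (as Jouni noted) management-access inside must also be present. The following script is an added example, not code from the thread or from Cisco: a small config lint that parses identity twice-NAT lines, flags those missing route-lookup, checks for management-access on the named interface, and can emit the corrected rule. SAMPLE_CONFIG is constructed from the thread's own NAT lines; the function names and the regex are assumptions of this example.

```python
import re
from typing import Dict, List

# Constructed sample built from the NAT lines posted in the thread: one identity
# rule without route-lookup (the original problem), one with it, plus the
# management-access line that Jouni pointed out is required.
SAMPLE_CONFIG = """\
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
management-access inside
nat (inside,outside) source static BRANCHOFFICE_NETWORKS BRANCHOFFICE_NETWORKS destination static LAN_NETWORKS LAN_NETWORKS
nat (inside,outside) source static BRANCHOFFICE_NETWORKS BRANCHOFFICE_NETWORKS destination static NETWORK_MGMT NETWORK_MGMT route-lookup
nat (inside,outside) source dynamic any interface
"""

# Matches the 8.3+ twice-NAT form "nat (real,mapped) source static A B destination static C D [options]".
# Dynamic NAT lines ("source dynamic ...") deliberately do not match.
NAT_RE = re.compile(
    r"^nat \((?P<real>[\w-]+),(?P<mapped>[\w-]+)\) source static "
    r"(?P<src_real>\S+) (?P<src_mapped>\S+) destination static "
    r"(?P<dst_real>\S+) (?P<dst_mapped>\S+)(?P<opts>(?: \S+)*)$"
)


def parse_twice_nat(config: str) -> List[Dict[str, object]]:
    """Return one record per static twice-NAT rule found in the config text."""
    rules: List[Dict[str, object]] = []
    for raw in config.splitlines():
        line = raw.strip()
        m = NAT_RE.match(line)
        if not m:
            continue
        opts = m.group("opts").split()
        rules.append({
            "line": line,
            "real_if": m.group("real"),
            "mapped_if": m.group("mapped"),
            # Identity NAT: real and mapped objects are the same on both sides.
            "identity": (m.group("src_real") == m.group("src_mapped")
                         and m.group("dst_real") == m.group("dst_mapped")),
            "route_lookup": "route-lookup" in opts,
        })
    return rules


def add_route_lookup(line: str) -> str:
    """Append route-lookup to a static twice-NAT rule that lacks it; other lines are returned unchanged."""
    line = line.strip()
    m = NAT_RE.match(line)
    if not m or "route-lookup" in m.group("opts").split():
        return line
    return line + " route-lookup"


def lint_vpn_nat(config: str, mgmt_if: str = "inside") -> List[str]:
    """Report the two conditions from the thread that block reaching the ASA's own interface over the VPN."""
    findings: List[str] = []
    lines = {raw.strip() for raw in config.splitlines()}
    if f"management-access {mgmt_if}" not in lines:
        findings.append(f"missing 'management-access {mgmt_if}'")
    for rule in parse_twice_nat(config):
        if rule["identity"] and not rule["route_lookup"]:
            findings.append(f"identity NAT without route-lookup: {rule['line']}")
    return findings


if __name__ == "__main__":
    for finding in lint_vpn_nat(SAMPLE_CONFIG):
        print(finding)
        if finding.startswith("identity NAT"):
            print("  suggested:", add_route_lookup(finding.split(": ", 1)[1]))
```

Run against the constructed sample, the lint reports exactly the LAN_NETWORKS rule and suggests the same line the original poster ended up with; a config lacking management-access on the management interface gets a second finding. The check is intentionally narrow (static twice-NAT only) because that is the rule family where the egress-interface behaviour described in the thread applies.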