01-08-2009 04:46 AM - edited 03-11-2019 07:34 AM
We have established MPLS connectivity to the remote client end. All users in the LAN are able to access the remote-end servers through PAT over the MPLS circuit:
nat (inside) 10 access-list mpls_traffic
global (MPLS) 10 interface
The problem is that users who dial in through the internet cannot access the remote-end servers through the MPLS interface PAT.
So the access path for C2S users is:
Dial-in VPN -> ASA -> MPLS interface (PAT) -> remote-end servers.
--------------------------------------
Configuration
ASA Version 7.2(4)
hostname ciscoasa
enable password xxx
passwd xxx
names
interface Ethernet0/0
nameif outside
security-level 0
ip address 125.x.x.x.255.255.240
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
interface Ethernet0/2
nameif dmz
security-level 50
ip address 10.25.25.25 255.255.255.0
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
shutdown
no nameif
no security-level
no ip address
ftp mode passive
access-list 101 extended permit ip 192.168.0.0 255.255.255.0 10.50.50.0 255.255.255.0
access-list 101 extended permit ip 192.168.100.0 255.255.255.0 10.50.50.0 255.255.255.0
access-list allowlan extended permit ip 192.168.100.0 255.255.255.0 10.50.50.0 255.255.255.0
access-list allowlan extended permit ip 10.50.50.0 255.255.255.0 192.168.100.0 255.255.255.0
pager lines 24
logging console debugging
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip local pool mypool 192.168.100.30-192.168.100.40 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (dmz) 5 interface
nat (inside) 5 access-list 101
route outside 20.20.20.0 255.255.255.0 125.17.97.98 1
route dmz 10.50.50.0 255.255.255.0 10.25.25.26 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set test esp-3des esp-md5-hmac
crypto dynamic-map dyn1 20 set transform-set test
crypto map mymap 30 ipsec-isakmp dynamic dyn1
crypto map mymap interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 5
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
username xx password xxx encrypted
username xx password xxx encrypted privilege 15
tunnel-group mytunnel type ipsec-ra
tunnel-group mytunnel general-attributes
address-pool mypool
tunnel-group mytunnel ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
prompt hostname context
Cryptochecksum:xxx
: end
01-08-2009 05:49 AM
Hello Girish,
Are they getting an IP address from the ASA after dialing in? I see an IP pool 192.168.100.30-40 on the ASA. Are these for the remote access users? This could be a problem with the routing somewhere, especially with reverse routing. Check on the MPLS router whether you have routed the IP pool.
Uff, before that: is the VPN terminating on the inside interface? I see a PAT for the 100.0 IP pool towards the outside interface? But I thought you said you are doing a remote dial-in from the internet? The internet zone would be outside, right?
Regards
Raj
02-04-2009 12:20 PM
You want to add an access-list for the networks you do not want 'nat' applied to, such as the VPN RA network your config is set up for.
Try adding:
access-list NONAT_NETWORK extended permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0
! The 0 in the next line exempts traffic matched by access-list NONAT_NETWORK from being NATed
nat (inside) 0 access-list NONAT_NETWORK
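To make the NAT lookup this reply relies on visible, here is a small checker added to this thread (it is not code from any poster, nor a Cisco tool). It parses the nat/global, access-list, interface and route lines from the configuration posted above, with the NONAT_NETWORK lines from this reply applied, and reports which rule a given flow hits. It models the ASA 7.x order in simplified form: a nat 0 access-list exemption on the ingress interface wins first, then a nat <id> access-list rule on the ingress interface paired with a global <id> on the egress interface. Assumptions: the outside address is a placeholder (the real one is redacted), routes the ASA learns dynamically (including VPN client reverse routes) are not modelled, and static/identity NAT are left out because the posted config has none.

```python
import ipaddress
import re

# Constructed sample, not the running config as posted: the NAT, ACL, interface
# and route lines from the original post plus the NONAT_NETWORK lines suggested
# in this reply. The outside address is a placeholder (redacted in the thread).
SAMPLE_CONFIG = """
interface Ethernet0/0
 nameif outside
 ip address 203.0.113.1 255.255.255.240
interface Ethernet0/1
 nameif inside
 ip address 192.168.0.1 255.255.255.0
interface Ethernet0/2
 nameif dmz
 ip address 10.25.25.25 255.255.255.0
access-list 101 extended permit ip 192.168.0.0 255.255.255.0 10.50.50.0 255.255.255.0
access-list 101 extended permit ip 192.168.100.0 255.255.255.0 10.50.50.0 255.255.255.0
access-list NONAT_NETWORK extended permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list NONAT_NETWORK
nat (inside) 5 access-list 101
global (dmz) 5 interface
route dmz 10.50.50.0 255.255.255.0 10.25.25.26 1
"""


def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_config(text):
    """Pull interfaces, extended IP ACLs, nat/global pairs and static routes
    out of an ASA 7.x-style config. Every other line is ignored."""
    cfg = {"ifaces": {}, "acls": {}, "nat": [], "global": {}, "routes": []}
    iface = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            iface = {"net": None}
        elif iface is not None and line.startswith("nameif "):
            cfg["ifaces"][line.split()[1]] = iface
        elif iface is not None and (m := re.match(r"ip address (\S+) (\S+)$", line)):
            iface["net"] = _net(m[1], m[2])
        elif m := re.match(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$", line):
            cfg["acls"].setdefault(m[1], []).append((_net(m[2], m[3]), _net(m[4], m[5])))
        elif m := re.match(r"nat \((\S+)\) (\d+) access-list (\S+)$", line):
            cfg["nat"].append({"iface": m[1], "id": int(m[2]), "acl": m[3]})
        elif m := re.match(r"global \((\S+)\) (\d+) (\S+)$", line):
            cfg["global"].setdefault(int(m[2]), {})[m[1]] = m[3]
        elif m := re.match(r"route (\S+) (\S+) (\S+) \S+", line):
            cfg["routes"].append((m[1], _net(m[2], m[3])))
    return cfg


def egress_interface(cfg, dst):
    """Longest-prefix match over connected networks and static routes.
    Assumption: dynamically learned routes (e.g. VPN client reverse routes)
    are not modelled, so an unrouted destination yields None."""
    dst = ipaddress.ip_address(dst)
    candidates = [(i["net"].prefixlen, name) for name, i in cfg["ifaces"].items()
                  if i["net"] and dst in i["net"]]
    candidates += [(n.prefixlen, name) for name, n in cfg["routes"] if dst in n]
    return max(candidates)[1] if candidates else None


def acl_matches(cfg, name, src, dst):
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(src in s and dst in d for s, d in cfg["acls"].get(name, []))


def nat_decision(cfg, ingress, src, dst):
    """Simplified ASA 7.x NAT lookup for a flow entering on `ingress`:
      1. nat (ingress) 0 access-list ...  -> exemption, addresses untouched
      2. nat (ingress) <id> access-list ... paired with global (egress) <id>
    Only nat statements whose interface equals the ingress interface are
    consulted; that is the rule this checker is meant to make visible.
    Returns (verdict, acl, egress)."""
    egress = egress_interface(cfg, dst)
    rules = [r for r in cfg["nat"] if r["iface"] == ingress]
    for rule in sorted(rules, key=lambda r: r["id"] != 0):  # exemptions first
        if not acl_matches(cfg, rule["acl"], src, dst):
            continue
        if rule["id"] == 0:
            return ("exempt", rule["acl"], egress)
        pool = cfg["global"].get(rule["id"], {}).get(egress)
        if pool is None:
            return ("no-global", rule["acl"], egress)
        return ("pat" if pool == "interface" else "nat", rule["acl"], egress)
    # No matching rule: with the 7.x default "no nat-control" the packet is
    # forwarded untranslated; with nat-control enabled it would be dropped.
    return ("untranslated", None, egress)


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for ingress, src, dst in [("inside", "192.168.0.10", "10.50.50.5"),
                              ("inside", "192.168.0.10", "192.168.100.35"),
                              ("outside", "192.168.100.35", "10.50.50.5")]:
        print(f"{ingress}: {src} -> {dst}", nat_decision(cfg, ingress, src, dst))
```

Run as-is, the three sample flows show a LAN host reaching the remote servers via PAT on dmz, a LAN host reaching a VPN client address exempted by NONAT_NETWORK, and a VPN client's flow, which enters on outside, matching no nat statement at all because every nat line in the posted config is bound to inside. The checker does not decide what the right fix is; it only shows which rules a flow is ever compared against.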
02-04-2009 01:18 PM
girishkumar123
From your config, did you try using same-security-traffic permit intra-interface?