cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

209
Views
0
Helpful
1
Replies
Highlighted
Beginner

Remote connect through VPN, through backup interface?

I have a 5506-X to be used with a cellular modem attached to a 2nd interface for redundancy. The ASA is using IKEv1 for redundant tunnels as well. Through the VPN I can connect to the inside interface of the ASA as well as devices behind it.

 

What I would like to do is connect to the cell modem as well that is directly connected to the 'backup' interface.  I sorted out asymetric NAT errors, but now I am stuck. I don't know if what I am trying accomplish is beyond the scope of what the ASA will allow. 

 

Essentially I will be connecting through a tunnel to it's "outside" interface to egress out the "backup" interface to collect data (SNMP) and return from backup to outside to the tunnel. Feels like I am missing something minor that I overlooked.

 

interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 8.x.xx.xx 255.255.255.248 
!
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 10.190.3.1 255.255.255.0 
!
interface GigabitEthernet1/8
 nameif backup
 security-level 0
 ip address 10.12.3.2 255.255.255.248 
!
access-list RVW extended permit ip host 10.190.3.1 host 10.50.6.20 
access-list RVW extended permit ip host 10.12.3.1 host 10.50.6.20  
access-list RVW extended permit ip host 10.12.3.2 host 10.50.6.20  
!
nat (inside,outside) source static obj-10.190.3.1 obj-10.190.3.1 destination static obj-10.10.6.150 obj-10.50.6.20 no-proxy-arp route-lookup
nat (backup,outside) source static obj-10.12.3.1 obj-10.12.3.1 destination static obj-10.50.6.20 obj-10.50.6.20 no-proxy-arp route-lookup
nat (backup,outside) source static obj-10.12.3.2 obj-10.12.3.2 destination static obj-10.50.6.20 obj-10.50.6.20 no-proxy-arp route-lookup

I reversed the NAT to:

 

nat (inside,backup) source static obj-10.50.6.20 obj-10.50.6.20 destination static obj-10.12.3.1 obj-10.12.3.1 no-proxy-arp route-lookup
nat (inside,backup) source static obj-10.50.6.20 obj-10.50.6.20 destination static obj-10.12.3.2 obj-10.12.3.2 no-proxy-arp route-lookup

 

And best I get so far is: "Failed to locate egress interface for ICMP from outside:10.50.6.20/29733 to 10.12.3.2/0"

1 REPLY 1
Highlighted
VIP Advisor

Re: Remote connect through VPN, through backup interface?

Hi

What you want is access devices behind backup interface from vpn, right?
On your nat you inverted, why using inside instead of outside?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question