Remote connect through VPN, through backup interface?

seanwaite
Level 1

I have a 5506-X to be used with a cellular modem attached to a 2nd interface for redundancy. The ASA is using IKEv1 for redundant tunnels as well. Through the VPN I can connect to the inside interface of the ASA as well as devices behind it.


What I would like to do is connect to the cell modem as well, which is directly connected to the 'backup' interface. I sorted out asymmetric NAT errors, but now I am stuck. I don't know if what I am trying to accomplish is beyond the scope of what the ASA will allow.


Essentially I will be connecting through a tunnel to its "outside" interface to egress out the "backup" interface to collect data (SNMP) and return from backup to outside to the tunnel. Feels like I am missing something minor that I overlooked.


interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 8.x.xx.xx 255.255.255.248 
!
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 10.190.3.1 255.255.255.0 
!
interface GigabitEthernet1/8
 nameif backup
 security-level 0
 ip address 10.12.3.2 255.255.255.248 
!
access-list RVW extended permit ip host 10.190.3.1 host 10.50.6.20 
access-list RVW extended permit ip host 10.12.3.1 host 10.50.6.20  
access-list RVW extended permit ip host 10.12.3.2 host 10.50.6.20  
!
nat (inside,outside) source static obj-10.190.3.1 obj-10.190.3.1 destination static obj-10.10.6.150 obj-10.50.6.20 no-proxy-arp route-lookup
nat (backup,outside) source static obj-10.12.3.1 obj-10.12.3.1 destination static obj-10.50.6.20 obj-10.50.6.20 no-proxy-arp route-lookup
nat (backup,outside) source static obj-10.12.3.2 obj-10.12.3.2 destination static obj-10.50.6.20 obj-10.50.6.20 no-proxy-arp route-lookup

I reversed the NAT to:


nat (inside,backup) source static obj-10.50.6.20 obj-10.50.6.20 destination static obj-10.12.3.1 obj-10.12.3.1 no-proxy-arp route-lookup
nat (inside,backup) source static obj-10.50.6.20 obj-10.50.6.20 destination static obj-10.12.3.2 obj-10.12.3.2 no-proxy-arp route-lookup


And best I get so far is: "Failed to locate egress interface for ICMP from outside:10.50.6.20/29733 to 10.12.3.2/0"

1 Reply

Francesco Molino
VIP Alumni
Hi

What you want is to access devices behind the backup interface from the VPN, right?
On your NAT you inverted it, why use inside instead of outside?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
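As an added example (not configuration from either post), this is the NAT direction the reply points at: the VPN client 10.50.6.20 arrives on "outside", so the identity NAT for the modem must be written between "outside" and "backup", not "inside" and "backup". The object names are the ones the post references; their definitions and the same-security-traffic line are assumptions, since the post does not show them.

```cisco
! Objects referenced by the NAT rules in the post (definitions assumed, not shown there)
object network obj-10.50.6.20
 host 10.50.6.20
object network obj-10.12.3.1
 host 10.12.3.1
!
! "outside" and "backup" are both security-level 0, so traffic between them is
! dropped unless same-security inter-interface traffic is explicitly permitted.
same-security-traffic permit inter-interface
!
! Identity (no-translation) twice NAT in the direction the flow actually takes:
! ingress on outside (VPN client 10.50.6.20), egress on backup (modem 10.12.3.1).
! route-lookup lets the routing table, not the NAT rule, choose the egress interface.
nat (outside,backup) source static obj-10.50.6.20 obj-10.50.6.20 destination static obj-10.12.3.1 obj-10.12.3.1 no-proxy-arp route-lookup
```

This covers the modem at 10.12.3.1 behind the backup interface; the ASA's own backup interface address (10.12.3.2) is a separate case, because to-the-box traffic arriving over the VPN on another interface is only answered for the single interface named by the management-access command.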