08-17-2019 12:11 PM
Dear Readers, I have a question which I cannot solve after reading multiple Cisco ASA 5508-X docs. The issue is the following:
We have one Cisco ASA 5508 in our firm which handles multiple IPsec tunnels to our customers, including SNAT and DNAT configurations.
We use L2TP client VPN connections for our employees to connect to our local LAN, which is behind the inside interface.
Now a new question pops up: our employees also need to be able to connect to the networks which are protected by the IPsec tunnels.
If someone has any clue how to configure the ASA to get this to work, that would be very helpful.
Thanks in advance,
Jos Walters
08-17-2019 04:37 PM
You need to follow the approach below:
1. What is the IP address range the L2TP clients get from your remote VPN?
2. If your L2TP client requires access to the protected remote site behind the IPsec tunnel.
3. Make sure you allow the VPN IP range in the interesting traffic on both sides.
4. I am assuming your underlay routing can reach the network; if not, you require some static or dynamic routing to go out for that IPsec range IP address.
Example: remote VPN users get 10.10.10.x/24; this needs to be allowed in the IPsec tunnel to access the resources.
Make sense?
08-18-2019 08:49 PM
Good Morning,
This is the message I receive:
Aug 19 2019 05:40:59 172.25.1.3 LOCAL 10.24.205.144 Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:172.25.1.3(LOCAL\jwal) dst outside:10.24.205.144 (type 8, code 0) denied due to NAT reverse path failure
The 172.25.1.* is the ASA DHCP pool and 10.24.25.144 is the final destination, which is already SNAT-ed.
If I use a second ASA (5505) as the L2TP entry device and connect both inside interfaces to each other (also added routing info), then it works without any issues, but if you use IPsec tunnels and L2TP connections on one and the same ASA it seems to have some issues.
And of course a jumphost could also be an option, but I cannot sell this after investing in a new security appliance.
Jos
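As an added example (not from this thread or from Cisco), this is the configuration shape that steps 1 to 4 in the answer above describe, and that targets the "Asymmetric NAT rules matched ... NAT reverse path failure" message Jos reports, on ASA 9.x twice-NAT syntax. 172.25.1.0/24 is the L2TP pool from the thread; REMOTE_NET, VPN_TO_CUSTOMER, SNAT_ADDR and the 10.24.205.0/24 subnet are assumed placeholders.

```cisco
! 1. L2TP clients arrive on "outside" and the site-to-site tunnel also leaves
!    via "outside". The ASA drops such hairpinned flows unless this is set.
same-security-traffic permit intra-interface

! 2. Objects for the L2TP pool (from the thread) and the customer network
!    (placeholder subnet, replace with the real protected range).
object network L2TP_POOL
 subnet 172.25.1.0 255.255.255.0
object network REMOTE_NET
 subnet 10.24.205.0 255.255.255.0

! 3. Identity (exempt) NAT for pool -> remote, pinned at line 1 of section 1 so
!    it is evaluated before the SNAT rule that already covers the inside LAN.
!    "route-lookup" makes the ASA pick the egress interface from the routing
!    table for the reverse flow instead of the rule's interface pair; a forward
!    and reverse flow hitting different rules is exactly what the
!    "Asymmetric NAT rules matched" message reports.
nat (outside,outside) 1 source static L2TP_POOL L2TP_POOL destination static REMOTE_NET REMOTE_NET no-proxy-arp route-lookup

!    Alternative if the customer only accepts the existing SNAT address:
!    PAT the pool to that same address so the far end needs no ACL change.
!    (SNAT_ADDR is a placeholder host object holding the translated address.)
! nat (outside,outside) 1 source dynamic L2TP_POOL SNAT_ADDR destination static REMOTE_NET REMOTE_NET

! 4. The pool (or, with the alternative, SNAT_ADDR) must be interesting traffic
!    in the crypto ACL on both ends, otherwise the tunnel never carries it.
access-list VPN_TO_CUSTOMER extended permit ip object L2TP_POOL object REMOTE_NET

! Verification: replay the denied ICMP from the log and read the NAT phase.
! packet-tracer input outside icmp 172.25.1.3 8 0 10.24.205.144
```

Run the packet-tracer line before and after the change; the NAT phase shows which rule the forward flow matches, and "show nat detail" shows hit counts on the new rule once clients start using it.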
08-17-2019 09:51 PM
Personally, I would use a jumpbox to achieve this.