hdashnau, Cisco Employee

Reference document for handling the NAT aspect of U-turning (hairpinning) RA VPN client traffic on ASA 8.3 and later. In both examples the decrypted client traffic enters and leaves the same outside interface, so the ASA must also be configured to permit intra-interface traffic (the same-security-traffic command, covered in the comments below); without it the hairpinned traffic is dropped even though the NAT rules are correct.

Example of U-turning Internet traffic (i.e. the VPN client connects with a tunnel-all policy but still needs Internet access)

Topology

192.168.1.0/24  inside(ASA1)outside------------Internet
                               |
                               ===VPN===VPN Client (vpnclient pool 192.168.3.0/24)

object network obj-vpnpool

     subnet 192.168.3.0 255.255.255.0

     nat (outside,outside) dynamic interface
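A complete working configuration for this first scenario, added here as an example and not part of the original post: the hairpin permit, a tunnel-all group policy, the object NAT rule above, and the show commands used to confirm the PAT is actually being hit. The pool 192.168.3.0/24 is from the post; the pool name VPNPOOL, the group-policy name RA-TunnelAll and the DNS server 192.168.1.10 are assumed for illustration.

```cisco
! Added example (not from the original post): ASA 8.3+ hairpin for
! tunnel-all RA VPN clients that still need Internet access.
! Assumed names: VPNPOOL, RA-TunnelAll, DNS server 192.168.1.10.

! 1. Hairpin permit. Decrypted client traffic arrives on "outside" and must
!    leave on "outside" again; without this line the ASA drops it and the
!    NAT rule below never gets a hit (the failure mode seen in the comments).
same-security-traffic permit intra-interface

! 2. Client addressing and a tunnel-all policy (no split tunnelling), so
!    Internet-bound traffic from the client is forced through the ASA.
ip local pool VPNPOOL 192.168.3.1-192.168.3.254 mask 255.255.255.0
group-policy RA-TunnelAll internal
group-policy RA-TunnelAll attributes
 split-tunnel-policy tunnelall
 dns-server value 192.168.1.10

! 3. Auto (object) NAT: PAT the pool behind the outside interface address
!    only when traffic both enters and exits "outside". Traffic from the
!    pool to the inside network is not matched by this rule.
object network obj-vpnpool
 subnet 192.168.3.0 255.255.255.0
 nat (outside,outside) dynamic interface

! 4. Verification once a client is connected and browsing:
!    show nat detail
!      -> translate_hits on the (outside,outside) dynamic interface rule increase
!    show xlate
!      -> dynamic PAT entries from 192.168.3.x to the outside interface IP
!    show conn address 192.168.3.0 netmask 255.255.255.0
!      -> client connections with outside as both ingress and egress interface
```

If show nat detail shows zero translate_hits while the client can reach inside hosts but not the Internet, check the hairpin permit and the tunnel-all policy before touching the NAT rule.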

Example of U-turning RA VPN traffic across another L2L tunnel (i.e. the VPN client connects to one ASA but needs to reach remote subnets behind another ASA across a L2L tunnel)

Topology

192.168.1.0/24 inside(ASA1)outside===VPN==outside(ASA2)inside 192.168.2.0/24
                              |
                              ===VPN===VPN Client (vpnclient pool 192.168.3.0/24)

object network obj-vpnpool

     subnet 192.168.3.0 255.255.255.0

object network obj-remote

     subnet 192.168.2.0 255.255.255.0

nat (outside,outside) 1 source static obj-vpnpool obj-vpnpool destination static obj-remote obj-remote

You may also need the reverse rule (the syslog will report an asymmetric NAT entry, message 305013 "Asymmetric NAT rules matched for forward and reverse flows") if you are running code without the fix for CSCth72642:

nat (outside,outside) 2 source static obj-remote obj-remote destination static obj-vpnpool obj-vpnpool

Note: because of bug CSCtf89372, the line number 1 in the command above is used to place the VPN NAT rule at the top of section 1 (manual NAT), ahead of all other NAT statements.
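The second scenario as a complete ASA1 configuration, with the matching pieces on ASA2, added here as an example and not part of the original post. Object names, the pool and remote subnets, and the section-1 line numbers are taken from the post; the interface names, the crypto ACL name L2L-ASA2 and the ASA2 object name obj-local are assumed. The crypto ACL and ASA2 lines are included because identity NAT alone does not get the traffic into the L2L tunnel; they are the usual L2L pattern, not something the post states.

```cisco
! Added example (not from the original post): ASA1 U-turns RA VPN clients
! (pool 192.168.3.0/24) to 192.168.2.0/24 behind ASA2 over the L2L tunnel.
! Assumed names: L2L-ASA2 (crypto ACL), obj-local (on ASA2).

! ---- ASA1 ----
same-security-traffic permit intra-interface

object network obj-vpnpool
 subnet 192.168.3.0 255.255.255.0
object network obj-remote
 subnet 192.168.2.0 255.255.255.0

! Manual (twice) NAT, section 1, line 1: identity NAT so the client's real
! pool address is preserved when it re-enters "outside" toward ASA2. If an
! (outside,outside) dynamic PAT rule for the pool also exists (the Internet
! hairpin of the first example), it would otherwise catch this traffic,
! PAT it to the outside address and the L2L crypto ACL would not match.
nat (outside,outside) 1 source static obj-vpnpool obj-vpnpool destination static obj-remote obj-remote
! Reverse rule: only needed on code without the CSCth72642 fix
! (symptom: syslog 305013, asymmetric NAT rules matched)
nat (outside,outside) 2 source static obj-remote obj-remote destination static obj-vpnpool obj-vpnpool

! The L2L crypto map ACL must cover the pool as well as the local LAN,
! otherwise the hairpinned traffic is routed out "outside" in the clear.
access-list L2L-ASA2 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list L2L-ASA2 extended permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0

! ---- ASA2 (assumed) ----
! Mirror-image crypto ACL entries (not shown) plus NAT exemption, so replies
! to the pool are not PATed to ASA2's outside address by its Internet rule.
object network obj-vpnpool
 subnet 192.168.3.0 255.255.255.0
object network obj-local
 subnet 192.168.2.0 255.255.255.0
nat (inside,outside) source static obj-local obj-local destination static obj-vpnpool obj-vpnpool

! Verification on ASA1 while a client pings a 192.168.2.x host:
!    show nat detail          -> translate_hits on section 1 line 1 increase
!    show crypto ipsec sa     -> encaps/decaps counters on the ASA2 peer SA
!                                for the 192.168.3.0/24 <-> 192.168.2.0/24 proxy
```

The order matters: the identity rule must sit in section 1 (manual NAT) so it is evaluated before any section 2 object NAT, which is exactly what the line number 1 in the post achieves.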


Comments
CT_Dude, Level 1

This helped me out with getting my config working!! Thanks a lot.

The fix for CSCth72642 is for the asymmetric error?

how do I apply this fix?

Thanks again.

Hi hdashnau,

This helped me get a little bit closer to giving my VPN L2TP/IPsec users Internet access through the tunnel, but it seems that I get the response from the DNS server and nothing more. This is my config, omitting unnecessary information:

group-policy my-policy attributes

 split-tunnel-policy tunnelall

object network vpn_client

 nat (outside,outside) dynamic interface

I also tried this other nat rule and got the same result:

nat (outside,outside) source dynamic vpn_client interface

I would really appreciate the help. Thanks in advance.

razvan1979, Level 1

Hi,

You need this command: "same-security-traffic permit intra-interface"

 

reference:

same-security-traffic

To permit communication between interfaces with equal security levels, or to allow traffic to enter and exit the same interface, use the same-security-traffic command in global configuration mode. To disable the same-security traffic, use the no form of this command.

same-security-traffic permit {inter-interface | intra-interface}

no same-security-traffic permit {inter-interface | intra-interface}

Syntax Description

  inter-interface   Permits communication between different interfaces that have the same security level.

  intra-interface   Permits communication in and out of the same interface.

Thanks for the tip, I was missing exactly that. Everything is working flawlessly now.
