IPSEC VPN Hairpinning/Uturn Problems with internal net connections

jon.mcknight
Level 1

I have an ASA 5505 that I connect to remotely.  I use this as a remote IPSEC VPN with hairpinning/uturn to allow me to surf the Internet with my home IP address.

I am unable to access any of the internal computers on my home network.  I have been able to successfully do this in the past on an older ASA IOS, but I am now on a new ASA running 8.2(1) and I am unable to connect internally.

I would like to connect to my Slingbox and Tivo, which are at my home.  I have tried pinging both boxes and no luck.  In the past, when this worked, I was able to ping the devices.

I am attaching my config.

Thanks in advance.

Jon


Jon,

Try this:

access-list LOCAL permit ip 192.168.1.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (outside) 0 access-list LOCAL

Federico.

Federico,

Thanks for the advice.  I applied what you recommended and I still have the same problem.  Here is the logging information.  192.168.1.6 is my slingbox and I am remotely connecting via 192.168.1.103.

3|Jan 31 2011|10:51:28|305005|192.168.1.6|5001|||No translation group found for tcp src outside:192.168.1.103/53501 dst inside:192.168.1.6/5001

The problem is definitely NAT. 
If you can do a test by removing the lines I gave you:
no access-list LOCAL permit ip 192.168.1.0 255.255.255.0 192.168.1.0 255.255.255.0
no nat (outside) 0 access-list LOCAL

And adding:
global (inside) 1 interface
nat (outside) 1 uturn 255.255.255.240 outside

Another thing I would like to mention is that you might want to have a separate non-overlapping range defined for the VPN clients (not 192.168.1.x)

Federico.

I was able to enter the no access list command.  But when I entered the second command (no nat (outside) 0 access-list LOCAL) I get the following error.

Result of the command: "no nat (outside) 0 access-list LOCAL"

ERROR: access-list LOCAL not bound nat 0

The remaining commands seem to work, however here is my new error when trying to ping the Slingbox.

3|Jan 31 2011|11:18:02|305005|192.168.1.6|5001|||No translation group found for tcp src outside:192.168.1.103/54067 dst inside:192.168.1.6/5001

As for changing the IP range for the VPN clients: since my internal network at home uses 192.168.1.0, if I assign 192.168.2.0 will this cause problems? Would I have to set up any special type of routing/NATing?

I am attaching the current config.


Thanks,

Jon

Assuming the VPN client range will now be 192.168.2.0/24

You need to make these changes:

no ip local pool VPN-Addys 192.168.1.25-192.168.1.35 mask 255.255.255.0
ip local pool VPN-Addys 192.168.2.1-192.168.2.254 mask 255.255.255.0

The NAT configuration should look like this:

access-list NAT0OUT permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (outside) 0 access-list NAT0OUT

access-list NAT0IN permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list NAT0IN

nat (inside) 1 192.168.1.0 255.255.255.0
nat (outside) 1 192.168.2.0 255.255.255.0
global (outside) 1 interface

Make sure that (show run nat) does not show any other NAT statements and test both Internet and local access from the remote VPN client.

Federico.

Federico,

Thank you for your help.  Still no luck.

Here is the output from show run nat

Result of the command: "show run nat"

nat (inside) 0 access-list NAT0IN
nat (inside) 1 highVPN 255.255.255.240
nat (inside) 1 192.168.1.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 0 access-list NAT0OUT
nat (outside) 1 highVPN 255.255.255.240
nat (outside) 1 192.168.1.0 255.255.255.0
nat (outside) 1 192.168.2.0 255.255.255.0
nat (outside) 1 uturn 255.255.255.240 outside

I attached the latest config.

Here is the output from the firewall log when trying to connect to the Slingbox and sending a ping to the Slingbox.

6|Jan 31 2011|12:32:06|302013|192.168.2.25|55091|192.168.1.6|5001|Built inbound TCP connection 59469 for outside:192.168.2.25/55091 (192.168.2.25/55091) to inside:192.168.1.6/5001 (192.168.1.6/5001) (jojo)

6|Jan 31 2011|12:32:02|302021|192.168.2.25|15368|192.168.1.6|0|Teardown ICMP connection for faddr 192.168.2.25/15368 gaddr 192.168.1.6/0 laddr 192.168.1.6/0 (jojo)

6|Jan 31 2011|12:32:01|302014|192.168.2.25|55091|192.168.1.6|5001|Teardown TCP connection 59405 for outside:192.168.2.25/55091 to inside:192.168.1.6/5001 duration 0:00:30 bytes 0 SYN Timeout (jojo)

6|Jan 31 2011|12:31:56|302020|192.168.2.25|15368|192.168.1.6|0|Built inbound ICMP connection for faddr 192.168.2.25/15368 gaddr 192.168.1.6/0 laddr 192.168.1.6/0 (jojo)

6|Jan 31 2011|12:31:31|302013|192.168.2.25|55091|192.168.1.6|5001|Built inbound TCP connection 59405 for outside:192.168.2.25/55091 (192.168.2.25/55091) to inside:192.168.1.6/5001 (192.168.1.6/5001) (jojo)

I would only leave these ones:

nat (inside) 0 access-list NAT0IN
nat (inside) 1 192.168.1.0 255.255.255.0
nat (outside) 0 access-list NAT0OUT
nat (outside) 1 192.168.2.0 255.255.255.0

Also, please confirm that when connected via VPN, the VPN client can PING 192.168.1.1 (inside IP of the ASA).

Please confirm that the VPN client is able to get to the Internet with the current config... and that it is able to PING the above IP.

Federico.

Attached the latest config.  Still no luck. 

I am able to ping 192.168.1.1 but not 192.168.1.6 (which I know is up and running).

Here are the current firewall logs when I try to ping .6

3|Jan 31 2011|13:25:24|305005|192.168.1.6||||No translation group found for icmp src outside:192.168.2.25 dst inside:192.168.1.6 (type 8, code 0)

3|Jan 31 2011|13:25:23|305005|192.168.1.6||||No translation group found for icmp src outside:192.168.2.25 dst inside:192.168.1.6 (type 8, code 0)

3|Jan 31 2011|13:25:22|305005|192.168.1.6||||No translation group found for icmp src outside:192.168.2.25 dst inside:192.168.1.6 (type 8, code 0)

3|Jan 31 2011|13:25:21|305005|192.168.1.6||||No translation group found for icmp src outside:192.168.2.25 dst inside:192.168.1.6 (type 8, code 0)

Jon,

If you're able to PING 192.168.1.1 from the VPN client, it means traffic is reaching the ASA's inside interface correctly.

Now, the ASA should forward the packets to 192.168.1.6 when received.

Do this:

Just add the keyword outside

to this statement:

nat (outside) 1 192.168.2.0 255.255.255.0 outside

Try again. If it does not work make sure the only NAT statements that you have are the following (you can copy/paste):

access-list NAT0OUT permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list NAT0IN permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

no global (inside) 1 interface

nat (inside) 0 access-list NAT0IN
nat (inside) 1 192.168.1.0 255.255.255.0
nat (outside) 0 access-list NAT0OUT
nat (outside) 1 192.168.2.0 255.255.255.0

Federico.
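The thread is essentially a read-the-logs exercise: every %ASA-3-305005 / 305006 line names the ingress interface and the source/destination pair that the ASA refused to translate, and the accepted answer hinges on whether that pair falls inside the nat 0 (NAT exemption) ACL. The following Python script is an added example written for this page, not code from Cisco or from the thread's participants. It parses the pipe-delimited syslog lines in the shape shown above, takes the flow endpoints from the message text (the fixed header columns are filled inconsistently between message IDs), and checks each NAT-failure event against the NAT0OUT exemption ACL. The sample log lines and the interface-to-ACL mapping are constructed for the demonstration; the function and variable names are my own.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample of ASA syslog lines in the pipe-delimited form seen in the thread
# (severity|date|time|message-id|src|sport|dst|dport|text). Note that 305005 puts the
# destination host in the "src" column, so endpoints are recovered from the text instead.
SAMPLE_LOG = """\
3|Jan 31 2011|10:51:28|305005|192.168.1.6|5001|||No translation group found for tcp src outside:192.168.1.103/53501 dst inside:192.168.1.6/5001
3|Jan 31 2011|13:25:24|305005|192.168.1.6||||No translation group found for icmp src outside:192.168.2.25 dst inside:192.168.1.6 (type 8, code 0)
3|Jan 31 2011|21:34:02|305006|192.168.1.6||||portmap translation creation failed for icmp src outside:192.168.2.25 dst inside:192.168.1.6 (type 8, code 0)
6|Jan 31 2011|12:32:06|302013|192.168.2.25|55091|192.168.1.6|5001|Built inbound TCP connection 59469 for outside:192.168.2.25/55091 (192.168.2.25/55091) to inside:192.168.1.6/5001 (192.168.1.6/5001) (jojo)
"""

# The exemption ACL from the accepted answer, bound with "nat (outside) 0 access-list NAT0OUT".
NAT0OUT_ACL = [
    "access-list NAT0OUT permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0",
]

# Message IDs that mean the ASA could not build an xlate for the flow.
NAT_FAILURE_IDS = {"305005", "305006"}

ACL_RE = re.compile(r"access-list\s+(\S+)\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")
# "<interface>:<ipv4>" pairs as they appear in the message text, e.g. "outside:192.168.2.25".
ENDPOINT_RE = re.compile(r"(\w+):(\d{1,3}(?:\.\d{1,3}){3})")

Rule = Tuple[str, ipaddress.IPv4Network, ipaddress.IPv4Network]


@dataclass
class Flow:
    msg_id: str
    src_if: str
    src: ipaddress.IPv4Address
    dst_if: str
    dst: ipaddress.IPv4Address
    nat_failure: bool
    exempt: Optional[bool]  # None when no nat 0 ACL is bound on the ingress interface


def parse_exemption_acl(lines: List[str]) -> List[Rule]:
    """Parse 'permit ip <net> <mask> <net> <mask>' entries; ASA ACLs use netmasks, not wildcards."""
    rules: List[Rule] = []
    for line in lines:
        m = ACL_RE.match(line.strip())
        if m:
            name, s, sm, d, dm = m.groups()
            rules.append((name, ipaddress.ip_network(f"{s}/{sm}"), ipaddress.ip_network(f"{d}/{dm}")))
    return rules


def is_exempt(rules: List[Rule], src: ipaddress.IPv4Address, dst: ipaddress.IPv4Address) -> bool:
    return any(src in s_net and dst in d_net for _, s_net, d_net in rules)


def triage(log_text: str, exemptions: Dict[str, List[Rule]]) -> List[Flow]:
    """exemptions maps an ingress interface name to the rules of its 'nat (ifc) 0 access-list'."""
    flows: List[Flow] = []
    for line in log_text.splitlines():
        fields = line.split("|", 8)
        if len(fields) < 9:
            continue  # not a pipe-delimited ASA line
        msg_id, body = fields[3], fields[8]
        ends = ENDPOINT_RE.findall(body)
        if len(ends) < 2:
            continue  # e.g. 302020/302021 report faddr/gaddr/laddr without interface names
        (src_if, src), (dst_if, dst) = ends[0], ends[1]
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        rules = exemptions.get(src_if)
        flows.append(Flow(msg_id, src_if, src_ip, dst_if, dst_ip,
                          msg_id in NAT_FAILURE_IDS,
                          None if rules is None else is_exempt(rules, src_ip, dst_ip)))
    return flows


def report(flows: List[Flow]) -> List[str]:
    """One diagnostic line per NAT-failure event, pointing at where to look next."""
    out: List[str] = []
    for f in flows:
        if not f.nat_failure:
            continue
        pair = f"{f.src_if}:{f.src} -> {f.dst_if}:{f.dst}"
        if f.exempt is False:
            out.append(f"{f.msg_id}: {pair} is not matched by the nat 0 ACL on {f.src_if}; "
                       "check that the VPN pool is the ACL's source network")
        else:
            out.append(f"{f.msg_id}: {pair} is exempt, so inspect the remaining nat/global statements (show run nat)")
    return out


if __name__ == "__main__":
    flows = triage(SAMPLE_LOG, {"outside": parse_exemption_acl(NAT0OUT_ACL)})
    for line in report(flows):
        print(line)
```

Run against the constructed lines, the first 305005 (source 192.168.1.103, from the period when the VPN pool overlapped the inside network) is reported as not matched by NAT0OUT, while the later 305005/305006 events from 192.168.2.25 are exempt and point at the leftover nat 1 statements, which is the same conclusion the thread reaches. The 302013 "Built inbound TCP connection" line is parsed but produces no diagnostic, since it is not a NAT failure.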

Still no luck.

3|Jan 31 2011|21:34:02|305006|192.168.1.6||||portmap translation creation failed for icmp src outside:192.168.2.25 dst inside:192.168.1.6 (type 8, code 0)

3|Jan 31 2011|21:34:01|305006|192.168.1.6||||portmap translation creation failed for icmp src outside:192.168.2.25 dst inside:192.168.1.6 (type 8, code 0)

3|Jan 31 2011|21:34:00|305006|192.168.1.6||||portmap translation creation failed for icmp src outside:192.168.2.25 dst inside:192.168.1.6 (type 8, code 0)

Does the 'global (outside) 1 interface' need to be in there?

I attached the latest running config.


Thanks again.

Jon

Success!

My apologies, reading your last post I disabled my ICMP access list, which resulted in blocked pings.  Additionally, my Slingbox went offline so I was pinging a non-existent IP.

I cleaned out the NAT rules like you said and it works.

Thanks again for your patience.

Jon
