03-14-2012 08:26 AM
Hi,
I have a problem with ASA 8.4.2 and a U-turn for remote VPN traffic that needs to exit the remote-access VPN and then make a U-turn on the outside interface to enter another site-to-site VPN.
The interesting-traffic access list is modified as needed and routing is OK, but debug icmp trace 20 shows that the ICMP packet from the remote VPN client address to the host on the other side of the established site-to-site tunnel is going to the inside, not to the outside as it should.
Route
S 172.17.1.2 255.255.255.255 [1/0] via Internet Provider, outside
ASA# ICMP echo request from outside:172.16.10.149 to inside:172.17.1.2 ID=1 seq=159 len=32
ICMP echo request from outside:172.16.10.149 to inside:172.17.1.2 ID=1 seq=160 len=32
ICMP echo request from outside:172.16.10.149 to inside:172.17.1.2 ID=1 seq=161 len=32
The same-security-traffic intra-interface command is entered.
Any idea?
Thank You in advance
Vladimir
03-14-2012 03:46 PM
So, I guess you have remote-VPN clients coming in on "172.16.10.0/24" and you also have an L2L tunnel terminated on the same ASA. Your remote-VPN clients need to access resources located at the remote end of the L2L tunnel terminated on the same FW, right? If the answer is yes, then you need to add a "no-nat" on the outside interface of the ASA, so follow the example shown below; the ACL must cover both directions.
same-security-traffic permit intra-interface
access-list outside_nat0 extended permit ip 172.16.10.0 255.255.255.0 host 172.17.1.2
access-list outside_nat0 extended permit ip host 172.17.1.2 172.16.10.0 255.255.255.0
nat (outside) 0 access-list outside_nat0
Hope that helps.
thanks
Rizwan Rafeek
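The `nat (outside) 0 access-list` form shown above is pre-8.3 NAT-exemption syntax; ASA 8.3 and later (including the 8.4.2 in the question) express the same exemption as a twice NAT (manual NAT) identity rule, and the interfaces named in that rule also decide the egress interface, which is why a pre-existing `(outside,inside)` rule matching the VPN pool can push the hairpinned packet toward inside. The following is an added example, not part of the original answer, written for the 8.3+ syntax with the addresses from this thread; the object names `RA-VPN-POOL` and `L2L-SERVER` and the interface name `outside` are assumptions.

```cisco
! Added example (8.3+ twice NAT), not the original poster's configuration.
! Objects for the remote-access pool and the host behind the L2L tunnel.
object network RA-VPN-POOL
 subnet 172.16.10.0 255.255.255.0
object network L2L-SERVER
 host 172.17.1.2

! Allow traffic to enter and leave the same interface (hairpin / U-turn).
same-security-traffic permit intra-interface

! Identity NAT in both directions on (outside,outside). Placing it at line 1
! makes it match before any broader (outside,inside) rule for the VPN pool,
! so the packet is not steered to the inside interface. route-lookup makes
! the egress decision follow the routing table (static route via outside).
nat (outside,outside) 1 source static RA-VPN-POOL RA-VPN-POOL destination static L2L-SERVER L2L-SERVER no-proxy-arp route-lookup

! Verification: the trace should show the NAT rule above being hit and the
! output interface as outside, then the crypto map / L2L tunnel being matched.
packet-tracer input outside icmp 172.16.10.149 8 0 172.17.1.2 detailed
show nat detail
```

Run the packet-tracer once in each direction (swap source and destination and use ICMP type 0 for the reply) to confirm that both the client-to-server and server-to-client paths pick the outside interface; a rule that covers only one direction reproduces the symptom in this thread, where the reply is translated or routed differently from the request.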
03-14-2012 09:17 AM
Your description of the problem is not clear.
03-14-2012 01:26 PM
OK, I will try again.
Remote users from the IP local pool 172.16.10.0/24 on the outside interface are trying to access a server at another remote location that has a site-to-site VPN with the same ASA, so the remote client needs to make a U-turn on the same interface, outside. The server at the remote location has IP address 172.17.1.2.
The interesting-traffic ACL is configured, routing also, and the same-security intra-interface command is entered.
Debug on the ASA (debug icmp trace 20) shows that the packet from the remote client is going to the inside interface, NOT the outside as it should because of the routing:
S 172.17.1.2 255.255.255.255 [1/0] via Internet Provider ip address, outside
Any idea?
Thank You
Vladimir
03-15-2012 04:41 AM
Hi,
The problem was in the opposite-direction NAT, from the remote host to the remote client. In the NAT I created I had put only one direction.
Thank You
Vladimir