ASA 8.4.2 U-turn problem

binelipetrov
Level 1

Hi,

I have a problem with ASA 8.4.2 and a U-turn for remote VPN traffic that needs to exit from the remote-access VPN and then make a U-turn on the outside interface to enter another site-to-site VPN.

The interesting-traffic access list is modified as needed and routing is OK, but `debug icmp trace 20` shows that the ICMP packet from the remote VPN client address to the host on the other side of the established site-to-site tunnel is going to the inside, not to the outside as it should.

Route

S    172.17.1.2 255.255.255.255 [1/0] via Internet Provider, outside

ASA# ICMP echo request from outside:172.16.10.149 to inside:172.17.1.2 ID=1 seq=159 len=32

ICMP echo request from outside:172.16.10.149 to inside:172.17.1.2 ID=1 seq=160 len=32

ICMP echo request from outside:172.16.10.149 to inside:172.17.1.2 ID=1 seq=161 len=32

The same-security-traffic intra-interface command is entered.

Any idea?

Thank You in advance

Vladimir


rizwanr74
Level 7

Your description of the problem is not clear.

Ok, i will try again.

Remote users from the IP local pool 172.16.10.0/24 on the outside interface are trying to access a server at another remote location that has a site-to-site VPN with the same ASA, so the remote client needs to make a U-turn on the same interface, outside. The server at the remote location has IP address 172.17.1.2.

The interesting-traffic ACL is configured, routing also, and the same-security-traffic command is entered.

Debug on the ASA (`debug icmp trace 20`) shows that the packet from the remote client is going to the inside interface, NOT the outside as it should because of the routing:

S    172.17.1.2 255.255.255.255 [1/0] via Internet Provider ip address, outside

Any idea?

Thank You

Vladimir

So, I guess you have remote-VPN clients coming in on "172.16.10.0/24" and you also have an L2L tunnel terminated on the same ASA. Your remote-VPN clients need to access resources located at the remote end of the L2L tunnel terminated on the same FW, right? If the answer is yes, then you need a "no-NAT" on the outside interface of the ASA, so follow the example shown below; the ACL must go in both directions.

same-security-traffic permit intra-interface

access-list outside_nat0 extended permit ip 172.16.10.0 255.255.255.0 host 172.17.1.2

access-list outside_nat0 extended permit ip host 172.17.1.2 172.16.10.0 255.255.255.0

nat (outside) 0 access-list outside_nat0

Hope that helps.

thanks

Rizwan Rafeek
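The reply above writes the NAT exemption in the pre-8.3 `nat (outside) 0 access-list` form. ASA 8.3 and later (including the 8.4.2 in the question) no longer accept that syntax; the same hairpin exemption is expressed as an identity twice-NAT rule between `outside` and `outside`. The following is an added example, not configuration from the original post or from Cisco; the object names `VPN_POOL`, `L2L_REMOTE_HOST` and the ACL name `L2L_CRYPTO` are assumed, and only the addresses from the thread are used.

```cisco
! Added example (not from the reply above): the no-NAT hairpin for 8.3+/8.4.x code.
! Object and ACL names are assumed; addresses are the ones quoted in the thread.

! Required for any traffic that enters and leaves on the same interface.
same-security-traffic permit intra-interface

object network VPN_POOL
 subnet 172.16.10.0 255.255.255.0
object network L2L_REMOTE_HOST
 host 172.17.1.2

! Identity (no-NAT) rule for pool <-> remote host, both interfaces "outside".
! A static twice-NAT rule is bidirectional, so one line covers both directions
! (the pre-8.3 ACL needed two entries for that).
! route-lookup (8.4(2) and later) tells the ASA to choose the egress interface from
! the routing table rather than from the interface named in the NAT rule; use it if
! packet-tracer or debug shows the packet leaving on the wrong interface.
nat (outside,outside) source static VPN_POOL VPN_POOL destination static L2L_REMOTE_HOST L2L_REMOTE_HOST no-proxy-arp route-lookup

! The L2L crypto (interesting-traffic) ACL must also include the VPN pool,
! and the peer firewall must mirror the entry.
access-list L2L_CRYPTO extended permit ip 172.16.10.0 255.255.255.0 host 172.17.1.2

! Dry-run the path before sending real traffic: ICMP echo (type 8, code 0)
! from a pool address to the remote host, entering on outside.
packet-tracer input outside icmp 172.16.10.149 8 0 172.17.1.2 detailed
```

Manual (twice) NAT rules are evaluated in order, so if the box already has a broader rule that mentions the pool or uses `any` (for example one written for the inside network), give this rule a lower line number so it is matched first; `show nat detail` shows the order and the hit counts, and the `packet-tracer` output names the NAT rule that was applied and the egress interface it chose.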

Hi,

The problem was in the opposite-direction NAT, from the remote host to the remote client. In the NAT I created I had only put one direction.

Thank You

Vladimir
