cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
1019
Views
0
Helpful
4
Replies
Highlighted
Beginner

ASA 8.4.2 U-turn problem

Hi,

I have a problem with ASA 8.4.2 and U turn for remote vpn traffic that needs to exit from Remote VPN and then to make a u turn on outside interface to enter another site to site VPN.

Interesting traffic access list is modified as needed, routing is ok, but  debug icmp trace 20 is showing that icmp packet from remote vpn client address to the host on the other side of maintained site to site tunnel is going to the inside - not  to the outside as it should go.

Route

S    172.17.1.2 255.255.255.255 [1/0] via Internet Provider, outside

ASA# ICMP echo request from outside:172.16.10.149 to inside:172.17.1.2 ID=1 seq=159 len=32

ICMP echo request from outside:172.16.10.149 to inside:172.17.1.2 ID=1 seq=160 len=32

ICMP echo request from outside:172.16.10.149 to inside:172.17.1.2 ID=1 seq=161 len=32

Same security intra interface command is entered

Any idea?

Thank You in advance

Vladimir

1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted

So, I guess you have remote-vpn client coming on "172.16.10.0/24" and you also have a L2L tunnel is terminated on the same ASA.  Your remote-vpn clients need to access resources located at remote-end of L2L tunnel terminated on the same FW, right? If answer is yes, then you need to a "no-nat" on the outside interface of the ASA, so follow the example shown below and ACL must go both directoins.

same-security-traffic permit intra-interface

access-list outside_nat0 extended permit ip 172.16.10.0 255.255.255.0 host 172.17.1.2

access-list outside_nat0 extended permit ip host 172.17.1.2 172.16.10.0 255.255.255.0

nat (outside) 0 access-list outside_nat0

Hope that helps.

thanks

Rizwan Rafeek

View solution in original post

4 REPLIES 4
Highlighted
Rising star

Your description of the problem is not clear.

Highlighted

Ok, i will try again.

Remote user from IP local pool 172.16.10.0/24 on the outside interface are trying to access the server on the other remote location that has site to site VPN with the same ASA, so remote client needs to make a uturn on the same interface, outside. Server on the remote location has IP address 172.17.1.2.

Interesting traffic acl is configured, routing also, same security interface command is entered

debug on asa, debug ICMP trace 20 is showing that the packet from the remote client is going to the inside interface, NOT the outside as it should go beacuse of the routing

S    172.17.1.2 255.255.255.255 [1/0] via Internet Provider ip address, outside

Any idea?

Thank You

Vladimir

Highlighted

So, I guess you have remote-vpn client coming on "172.16.10.0/24" and you also have a L2L tunnel is terminated on the same ASA.  Your remote-vpn clients need to access resources located at remote-end of L2L tunnel terminated on the same FW, right? If answer is yes, then you need to a "no-nat" on the outside interface of the ASA, so follow the example shown below and ACL must go both directoins.

same-security-traffic permit intra-interface

access-list outside_nat0 extended permit ip 172.16.10.0 255.255.255.0 host 172.17.1.2

access-list outside_nat0 extended permit ip host 172.17.1.2 172.16.10.0 255.255.255.0

nat (outside) 0 access-list outside_nat0

Hope that helps.

thanks

Rizwan Rafeek

View solution in original post

Highlighted

Hi,

the problem were in the oposit direction nat from the remote host to the remote client. In created nat i just put one direction.

Thank You

Vladimir

Content for Community-Ad