ASA asymmetric routing

agumeniuc
Level 1

Hello Everyone,

I have an ASA running AnyConnect and s2s tunnels.

Aim: enable anyconnect users to access resources over ipsec tunnel.

Problem: anyconnect users and s2s tunnels are using the same outside interface.

Applied configuration:

1. enabled same-security-traffic permit intra-interface

2. configured policy map to bypass tcp connections on the outside interface

But these steps did not help. RA users are not able to reach s2s subnet.

Please advise how to achieve this aim.

Thank you in advance

Alex


5 Replies

Marvin Rhoads
Hall of Fame

You should not need the bypass policy map.

You will need a NAT exemption for the VPN pool to the remote subnet(s). Ethan Banks has a nice article on exactly this configuration here: 

http://packetpushers.net/cisco-asa-8-38-4-hairpinning-nat-configuration/

Hi Marvin,

Thanks for the link.

I removed policy map and added nat rule, but AC client still cannot reach a server behind the ipsec tunnel.

Additional information:

- According to the Wireshark dump on the server, it is sending ICMP replies back to the AC client.

- Captured ESP traffic on ASA outside interface. Was able to see other site sending ESP replies.

- The funniest part: I am able to ping the AC client from a server behind the ipsec tunnel, but when trying from AC to a server I get the following error:

313004

Error Message: %ASA-4-313004:Denied ICMP type= icmp_type, from source_address on interface interface_name to dest_address :no matching session

Explanation: ICMP packets were dropped by the ASA because of security checks added by the stateful ICMP feature that are usually either ICMP echo replies without a valid echo request already passed across the ASA or ICMP error messages not related to any TCP, UDP, or ICMP session already established in the ASA.

Please advise what I am missing. I am out of thoughts.

Thank you

Alex

Have you exempted traffic sourced from the remote (server) subnet from NAT when destination is the address pool used by the remote access VPN clients?

Also, you should have icmp inspection enabled at both ends.

Hello Marvin,

Thanks for your help! Got it working somehow.

The bottom line is that:

1. intra-interface is needed

2. tcp bypass not needed

3. double-check NAT settings.
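The following is an added, constructed ASA configuration sketch that puts the thread's three points together (intra-interface hairpinning, no TCP state bypass, NAT exemption plus ICMP inspection); it is not Alex's config, not Marvin's, and not taken from the linked article. The object and ACL names, the 10.10.10.0/24 AnyConnect pool, the 192.168.100.0/24 remote subnet and the host addresses are assumed placeholders, and the NAT syntax is ASA 8.3+ twice NAT:

```cisco
! Let traffic enter and leave the same interface: AnyConnect users and
! the site-to-site tunnel both terminate on "outside".
same-security-traffic permit intra-interface

! Assumed placeholder networks: the AnyConnect pool and the subnet behind the s2s tunnel
object network AC_POOL
 subnet 10.10.10.0 255.255.255.0
object network S2S_REMOTE
 subnet 192.168.100.0 255.255.255.0

! NAT exemption (identity twice NAT) for pool <-> remote subnet. Both interfaces are
! "outside" because the packet hairpins. Without this the pool source is translated
! on the way out and the returning packet no longer matches the session the request built.
nat (outside,outside) source static AC_POOL AC_POOL destination static S2S_REMOTE S2S_REMOTE no-proxy-arp route-lookup

! The s2s crypto ACL must also cover pool -> remote subnet, or the traffic is never
! encrypted into the tunnel. The remote peer needs the mirror image: its crypto ACL
! and its own NAT exemption for S2S_REMOTE -> AC_POOL (Marvin's "both ends" point).
access-list S2S_CRYPTO extended permit ip object AC_POOL object S2S_REMOTE

! If the AnyConnect group split-tunnels, the remote subnet has to be in the split list,
! otherwise the client never sends that traffic into its VPN adapter.
access-list AC_SPLIT standard permit 192.168.100.0 255.255.255.0

! Stateful ICMP inspection, so an echo reply is matched to the echo request that caused it.
! The %ASA-4-313004 "no matching session" drop quoted above is this check firing.
policy-map global_policy
 class inspection_default
  inspect icmp

! No tcp-state-bypass class for this traffic: remove it if one was added while troubleshooting.

! Verification: simulate an echo request from a pool client to the remote server, confirm
! the identity NAT rule is hit, then confirm the IPsec SA carries the pool/remote selector.
packet-tracer input outside icmp 10.10.10.5 8 0 192.168.100.10 detailed
show nat detail
show crypto ipsec sa peer <remote-peer-ip>
```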

You're welcome. Thanks for letting us know the solution worked for you.