ASA Remote VPN - Routing traffic destined for 2 IPs

rjkaragrm (Level 1)

I'm struggling with an issue on our ASA and I'm not sure how to correct it. We have two SFTP sites that our users need to be able to access when connected to the VPN. They are able to access these sites when located physically on site as both SFTP sites allow traffic from our IP. However currently we are set up so that once our users are connected to the VPN, their internet traffic is routed through their home router (home/personal ISP) which is not allowed by the SFTP sites. 

 

Essentially we need to do the following (all fake IPs for the post):

 

Take any traffic in the 192.168.0.0 network (internal network space our VPN users are in) that is destined for either 20.1.1.1 (public SFTP 1) and/or 30.1.1.1 (public SFTP 2) and route it so that it is coming from our internal IP 40.1.1.1.

 

Is that something that can be done?

14 Replies

@rjkaragrm sounds like you've got split tunnel configured. You will need to add the 2 public ip addresses of the site servers to the split acl, therefore those ip addresses will be routed back to the ASA. You will then need a nat rule to nat the ravpn traffic to the internet.

 

Configure the command "same-security-traffic permit intra-interface" to allow the traffic to hairpin back out the outside interface.

rjkaragrm (Level 1)

Yeah, we do have a split tunnel set up. I did check and we have the command "same-security-traffic permit intra-interface" enabled. It also looks like we have the site servers added to the split ACL. Where I think we are running into the problem is with the nat side of things, not entirely sure how we would want to set up the nat. 

@rjkaragrm example NAT rule, the source and destination interface is the name of your outside interface.

 

object network RAVPN_USERS
 subnet 10.4.4.0 255.255.255.0
 nat (outside,outside) dynamic interface

rjkaragrm (Level 1)

So with the NAT rule, would we be sourcing it from the split tunnel internal VPN addresses? Then sending it out our ISP? Sorry, not very good with NAT stuff yet.

@rjkaragrm no the source of the traffic would be from the VPN IP address pool range of the connected VPN clients.

So source it from the VPN address pool range. This is what I have so far:

Source interface: any
Source Addr: VPN Addr Pool
Dest Interface: Any
Dest Addr: FTP/SFTP public IP?

Translated
Type: Dynamic
Source Addr:
Dest Addr:

@rjkaragrm use the example provided, just change the subnet to reflect your VPN IP pool network and the nameif of the outside interface. Don't use "any" as the interface in the NAT rule.

Gotcha, so something like

 

object network OUR_VPN_POOL
subnet VPN_POOL_SUBNET 255.255.251.0
nat (outside,outside) dynamic interface

@rjkaragrm yes, except your subnet mask is not valid.

Right, sorry, that was supposed to be a "4" not a "1" at the end there. I will give this a try tomorrow, thank you!

rjkaragrm (Level 1)

Tried adding the NAT rule this morning:

nat (outside,outside) dynamic interface

But it didn't work; I was still not able to access the FTP site.

Wait, I think it did work, sorry, that looks to have done it! Thank you!

So while that command allowed us to ping the servers, we were not able to access the SFTP/FTP site still. Additionally I had to revert it back as it broke VPN traffic that was trying to access internal servers. 

@rjkaragrm

Provide full configuration including the NAT rule you added.

Provide the output of "show nat detail".

Ideally run packet-tracer from the CLI with the NAT rule in place and provide the output.
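A consolidated ASA configuration for the hairpin NAT discussed in this thread, as an added example that is not from any of the posts above or from Cisco documentation. It uses the thread's placeholder SFTP addresses and the 10.4.4.0/24 pool from the earlier reply; the outside nameif, the group-policy name RAVPN_GP and the object names are assumptions. Unlike the object NAT posted above, the manual NAT form here only matches when the destination is one of the two SFTP hosts, so VPN-to-internal flows are outside its scope, and the last two commands are the checks requested in the final reply.

```cisco
! Hairpin NAT for remote-access VPN users reaching two public SFTP hosts.
! Constructed example with the thread's fake addresses (20.1.1.1, 30.1.1.1).
! Assumed: VPN pool 10.4.4.0/24, outside nameif "outside", group-policy "RAVPN_GP".

! 1. Split-tunnel ACL: the two SFTP hosts are tunnelled to the ASA instead of
!    leaving via the user's home ISP (existing internal network entries stay as they are)
access-list SPLIT_TUNNEL standard permit host 20.1.1.1
access-list SPLIT_TUNNEL standard permit host 30.1.1.1

group-policy RAVPN_GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL

! 2. Allow a flow to enter and leave the same interface (outside -> outside)
same-security-traffic permit intra-interface

! 3. Objects for the VPN pool and the two SFTP destinations
object network RAVPN_POOL
 subnet 10.4.4.0 255.255.255.0

object-group network SFTP_SERVERS
 network-object host 20.1.1.1
 network-object host 30.1.1.1

! 4. Manual (twice) NAT: VPN pool -> outside interface IP, but only for packets
!    whose destination is an SFTP host; the destination itself stays unchanged.
!    Manual NAT is evaluated top-down, so place this after any existing
!    NAT-exemption rules that cover inside <-> VPN pool traffic.
nat (outside,outside) source dynamic RAVPN_POOL interface destination static SFTP_SERVERS SFTP_SERVERS

! 5. Verification: confirm the rule is present and that a simulated VPN client
!    packet to an SFTP host is translated to the outside interface address
show nat detail
packet-tracer input outside tcp 10.4.4.10 50000 20.1.1.1 22 detailed
```

The packet-tracer output should show a NAT phase translating 10.4.4.10 to the outside interface address and an ALLOW result; a DROP in an earlier phase points at the split-tunnel ACL, the intra-interface setting or an ACL on the outside interface rather than the NAT rule.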