Cisco VPN Client access - u-turn

jayceep14
Beginner

We have remote users who connect to our office network using the Cisco VPN client through our Cisco ASA5520 firewall.

The DHCP ranges assigned to the office and to remote users are in the same network (192.168.88.0/24).

Remote users can connect to the office LAN network with no issue.

We have a new requirement, if possible: the remote users should be able to access two routers which are in the same network as the ASA outside interface.

For a particular reason, we would like to route through the VPN tunnel to the ASA first and then on to the other public IP destinations, R1 and R2.

Example: only the ASA public IP is allowed to telnet/ssh to R1/R2.

We have put the specific IPs of R1 and R2 in the split tunnel list, but we are not able to ping R1/R2.

The routes are learned by the Cisco VPN client, but we are not able to connect.

1 Reply

Hi,

 

In this case you may not be able to reach the IP addresses of R1 and R2, because the remote users' traffic arrives on the outside interface: if U-turn is not permitted the packet will be dropped, and if it is permitted the traffic will be NATed dynamically.

 

You will need to place the following configuration:

 

- Permit U-turn (a packet that arrives on an interface and is routed back out through the same interface):

same-security-traffic permit intra-interface

 

- NAT exemption on the outside interface, to avoid the traffic being dynamically NATed.

 

If your ASA is pre 8.3:

 

object network IP_POOL
  range 192.168.88.200 192.168.88.250

object-group network OUTSIDE_ROUTERS
  ! XXXXXXX = public IP of Router 1
  network-object host XXXXXXX
  ! YYYYYYY = public IP of Router 2
  network-object host YYYYYYY

access-list NAT_EXEMPT permit ip object IP_POOL object-group OUTSIDE_ROUTERS
nat (outside) 0 access-list NAT_EXEMPT

 

If your ASA is post 8.3:

 

object network IP_POOL
  range 192.168.88.200 192.168.88.250

object-group network OUTSIDE_ROUTERS
  ! XXXXXXX = public IP of Router 1
  network-object host XXXXXXX
  ! YYYYYYY = public IP of Router 2
  network-object host YYYYYYY

nat (outside,outside) 1 source static IP_POOL IP_POOL destination static OUTSIDE_ROUTERS OUTSIDE_ROUTERS no-proxy-arp route-lookup

 

Now you should be able to access those routers.

 

Please rate this post and mark it as correct!

 

Regards,

David Castro
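As an added example (not part of David Castro's reply or the original question), the post-8.3 pieces above assembled into one configuration, together with the split-tunnel list the question mentions and the exec commands used to verify the hairpin. R1_IP, R2_IP, VPN_POOL and VPN_GP are placeholder names, and tying the NAT object to an `ip local pool` with the same range is an assumption about how the client addresses are assigned.

```cisco
! Added example, not the reply's own config. R1_IP / R2_IP / VPN_POOL / VPN_GP
! are placeholders; replace them with the real addresses and names.
!
! 1. Let a packet that arrived on "outside" be routed back out "outside".
same-security-traffic permit intra-interface
!
! 2. Client address pool (assumed to match the IP_POOL object below).
ip local pool VPN_POOL 192.168.88.200-192.168.88.250 mask 255.255.255.0
object network IP_POOL
  range 192.168.88.200 192.168.88.250
!
! 3. The two routers that only accept telnet/ssh from the ASA public IP.
object-group network OUTSIDE_ROUTERS
  network-object host R1_IP
  network-object host R2_IP
!
! 4. Identity (exempt) twice NAT for pool <-> routers, so the hairpinned
!    flow keeps the client's pool address instead of being dynamically PATed;
!    route-lookup makes the ASA pick the egress interface from the routing table.
nat (outside,outside) 1 source static IP_POOL IP_POOL destination static OUTSIDE_ROUTERS OUTSIDE_ROUTERS no-proxy-arp route-lookup
!
! 5. Split tunnel: only the office LAN and R1/R2 are sent through the tunnel.
access-list SPLIT_TUNNEL standard permit 192.168.88.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit host R1_IP
access-list SPLIT_TUNNEL standard permit host R2_IP
group-policy VPN_GP attributes
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value SPLIT_TUNNEL
!
! Verification (exec mode).
! Simulate the decrypted client packet arriving on outside and bound for R1:
! the output should end with "Action: allow" and show the NAT phase matching
! the (outside,outside) rule above rather than a dynamic PAT rule.
packet-tracer input outside tcp 192.168.88.200 1025 R1_IP 22
!
! Confirm the intra-interface permit is present and the NAT rule accrues hits.
show running-config same-security-traffic
show nat detail
```

If `packet-tracer` reports a drop in the NAT phase, the pool range and the router addresses in the objects are the first things to compare against what the client actually received and what the routers actually use; a dynamic PAT rule listed before rule 1 in `show nat` would also override the exemption, since the first matching NAT rule wins.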
