client to client connectivity on ASA5520 RAS VPN

weichenberger1
Level 1

All,

We have an ASA5520-K8 firewall through which internal customers connect and are given 10.26.206.0/23 IP addresses. They are, however, unable to ping or RDC to each other. A co-worker and I both connected to the firewall and VPN, and I tried to do a packet-tracer from my assigned internal IP to his assigned internal IP. The packet is dropped at Phase 10. As a newbie to ASAs, I need some assistance.

Phase: 10
Type: NAT
Subtype:
Result: DROP
Config:
nat (Outside) 10 access-list VPN_CLIENTS
  match ip Outside 10.26.206.0 255.255.254.0 Outside any
    dynamic translation to pool 10 (199.x.x.x [Interface PAT])
    translate_hits = 5268139, untranslate_hits = 397840
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xc89cc760, priority=2, domain=nat, deny=false
        hits=5364150, user_data=0xc89cc6c0, cs_id=0x0, flags=0x0, protocol=0
        src ip=10.26.206.0, mask=255.255.254.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
============================
Username     : weichenberger          Index        : 3455
Assigned IP  : 10.26.206.174          Public IP    : 70.x.x.x
Protocol     : IKE IPsecOverNatT
License      : IPsec
Encryption   : AES128 AES256          Hashing      : SHA1
Bytes Tx     : 7573810                Bytes Rx     : 2810147
Group Policy : JDL_VPN_Users          Tunnel Group : SecureAuth-access
Login Time   : 08:25:57 EST Wed Jan 14 2015
Duration     : 0h:46m:42s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none

3 Replies

weichenberger1
Level 1

There is also this bit of information that may help.

ASA-RAS# sh run | in 10.26.206.
access-list inside_nat0_outbound extended permit ip 10.26.0.0 255.255.0.0 10.26.206.0 255.255.254.0
access-list VPN_CLIENTS extended permit ip 10.26.206.0 255.255.254.0 any
ip local pool VPN_Pool 10.26.206.3-10.26.207.254 mask 255.255.254.0
route inside 10.26.206.0 255.255.254.0 10.26.208.1 1

There are two configs that are needed:

1) NAT exemption for the outside interface. That is similar to what you have on the inside.

access-list outside_nat0 permit ip 10.26.206.0 255.255.254.0 10.26.206.0 255.255.254.0
nat (outside) 0 access-list outside_nat0

2) allow the ASA to send traffic back on the same interface where it was received:

same-security-traffic permit intra-interface
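
Pulling the thread together, as an added configuration example that is not from any of the original posts: the pre-8.3 NAT rules that the poster's packet-tracer output implies, the two lines suggested in the answer above, and the packet-tracer command used to verify the result. The interface name "Outside" and the ACL and pool names are taken from the poster's output; the `global (Outside) 10 interface` line is reconstructed from the "Interface PAT" shown in the trace, and 10.26.206.175 is an assumed address for a second VPN client.

```cisco
! Added example reconstructed from this thread, not copied from the poster's device.
! "Outside" is the poster's interface name; 10.26.206.175 is an assumed peer client.

! --- Before: the dynamic rule catches every packet from the client pool, including ---
! --- traffic whose destination is another VPN client, so the hairpinned flow is    ---
! --- pushed through interface PAT and dropped in the NAT phase of packet-tracer.   ---
ip local pool VPN_Pool 10.26.206.3-10.26.207.254 mask 255.255.254.0
access-list VPN_CLIENTS extended permit ip 10.26.206.0 255.255.254.0 any
nat (Outside) 10 access-list VPN_CLIENTS
global (Outside) 10 interface

! --- After: exempt client-to-client traffic from translation and allow the ASA ---
! --- to send a flow back out the interface it arrived on. NAT exemption        ---
! --- (nat 0 access-list) is evaluated before the dynamic rule above.           ---
access-list outside_nat0 extended permit ip 10.26.206.0 255.255.254.0 10.26.206.0 255.255.254.0
nat (Outside) 0 access-list outside_nat0
same-security-traffic permit intra-interface

! --- Verify: simulate a ping between two assigned addresses, as the poster did. ---
! Before the change the NAT phase reports DROP; afterwards every phase should
! report ALLOW and the final action should be "allow".
packet-tracer input Outside icmp 10.26.206.174 8 0 10.26.206.175 detailed
show running-config nat
show running-config same-security-traffic
```

Two further checks a practitioner would make before blaming the firewall: if the group policy uses split tunnelling, the tunnelled network list must also include 10.26.206.0/23, otherwise the clients never send peer traffic into the tunnel at all; and decrypted VPN traffic bypasses the Outside interface ACL only while `sysopt connection permit-vpn` is left at its default, so if that has been disabled the Outside ACL must permit the client-to-client flow as well.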

Thank You, Karsten! Your suggestion was perfect!