Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1144
Views
0
Helpful
5
Replies

Client vpn hairpining/U-turn issue.

Mohammed Ashraf Ali
Level 1
Level 1

‎12-12-2011 09:33 PM

Hi all,

I have two isp's connected on my ASA (outside and outside2), and SLA ISP backup is configured, now the default gateway for internet access is outside interface.

Recently i have configured SSL Vpn on my other interface (outside2) , and it is working fine, after few days,  i got a requirement from my boss, that he need to connect to exchange server, which is over the internet, after successfully connected to SSL vpn, i know there is a concept called client u-turn in cisco, so with that i have configured, the following

access-list 101 extended permit ip 10.10.10.0 255.255.255.0  host 148.45.87.65     **(10.10.10.0/24 is the ssl vpn client pool, 148.45.87.65 is the ip of exchange server).

nat (ouside2) 3  access-list 101

global (outside2) 3  121.25.6.8                                                  ** ( 121.25.6.8 is one of the ip of my outside2 wan pool)

same-security-traffic permit intra-interface

But the above configuration does not works for my requirement.

Kindly help , for the same.

Ashraf


Labels:
0 Helpful
5 Replies 5

ajay chauhan
Level 7
Level 7

‎12-12-2011 09:46 PM

Configuration looks ok . Do you have split tunnel enabled ? also if you can attach output of packet tracer.

Thanks

Ajay

0 Helpful

Mohammed Ashraf Ali
Level 1
Level 1
In response to ajay chauhan

‎12-13-2011 12:52 AM

Hi Ajay,

There is no split tunnel configured for SSL vpn , all the client's traffic is comming to my ASA,

Few thing i missed

1. the default gateway is outside interface not the outside2 for ASA

2. do we need to allow the ssl traffic to exit from outside interface to reach exchange server, which is over the internet.

3.  if the traffic is exiting from outside interface, do we need to configure the following.

An Acl allowing all the traffic, and is applied on outside2 interface in IN direction, and global (outside) 3  119.118.12.8

(ip 119.118.12.8 is once of the ip of wan pool for outside interface.

Even i have attached Screenshot of packet tracer.

hope this give u more clarity ...

Ashraf

0 Helpful

ajay chauhan
Level 7
Level 7
In response to Mohammed Ashraf Ali

‎12-13-2011 01:07 AM

Looks like default gateway is pointing to outside interface. As per your last config that should point outside2.

yes you can change the nat config global (outside) 3  119.118.12.8 this will solve the issue.

Change it and post the packet tracer once more.

thanks

0 Helpful

Mohammed Ashraf Ali
Level 1
Level 1
In response to ajay chauhan

‎12-13-2011 09:58 PM

Hi Ajay,

I have applied an ACL on outside2 interface in IN direction with permit any any statement, and added

global (outside) 3  119.118.12.8

still no luck, no change in the  packet tracer it is still the same.

Ashraf

0 Helpful

ajay chauhan
Level 7
Level 7
In response to Mohammed Ashraf Ali

‎12-13-2011 10:10 PM

Please post full cnfiguration.

0 Helpful
Customers Also Viewed These Support Documents