709 Views
0 Helpful
2 Replies

Hairpinning VPN inside host not able to access

searskarthik
Level 1

Hi

Cisco ASA 5540 -

Cisco Adaptive Security Appliance Software Version 8.2(3)5

  • When using the Cisco AnyConnect VPN client (SSL-DTLS), we are able to ping inside hosts.
  • When using the Cisco AnyConnect VPN client, from the ASA inside interface we are able to ping the remote VPN subnet.
  • When connecting with the IPsec remote-access VPN client, from the ASA outside interface we are able to ping the remote-access VPN subnet, but not from the inside interface.

If this were a routing or NONAT issue, it should not be accessible from the AnyConnect client either. The issue is only with the remote-access VPN client.

Please help.

thanks

Karthik

2 Replies

Michal Garcarz
Cisco Employee

Hi Karthikeyan,

1. Does the IPsec remote-access configuration use the same POOL as the SSL users? If not, what is the difference in the NAT config?

2. What is the difference in the packet-tracer results (SSL compared to IPsec users)?

---

Michal

Michal,

1) Yes, the same VPN POOL is used for the IPsec remote-access VPN and SSL.

2) How do you want the packet trace? For example from inside, with the remote-access VPN pool as source and the inside network as destination, or from the outside interface?

Please let me know how you want to proceed with the packet trace. (Remote VPN pool: 172.29.65.1-254)


ASA5540# packet-tracer input outside icmp 172.29.65.14 10 100 172.29.64.104

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   172.29.64.0     255.255.255.0   inside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group from_outside in interface outside
access-list from_outside extended deny ip any any
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

ASA5540# ping 172.29.65.14
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.29.65.14, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 130/222/360 ms
ASA5540# ping
Interface: outside
Target IP address: 172.29.65.14
Repeat count: [5]
Datagram size: [100]
Timeout in seconds: [2]
Extended commands [n]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.29.65.14, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 130/140/150 ms
ASA5540#

thanks

Karthik
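As an added example (not code from this thread or from Cisco), a small Python parser for the packet-tracer output format shown above: it picks out the phase that dropped the flow together with its Config lines, and compares the per-phase results of two traces, which is the SSL-versus-IPsec comparison Michal asked for. The trace embedded below is an abridged copy of the one posted above; the "allowed" variant used to exercise the comparison is constructed.

```python
import re
# Abridged copy of the packet-tracer output posted in the thread (ASA 8.2)
TRACE_FROM_THREAD = """\
Phase: 1
Type: ROUTE-LOOKUP
Result: ALLOW
Config:

Phase: 2
Type: ACCESS-LIST
Result: DROP
Config:
access-group from_outside in interface outside
access-list from_outside extended deny ip any any
Additional Information:

Result:
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def parse_phases(text):
    """Split packet-tracer output into per-phase dicts (lowercase keys) plus a 'config' list."""
    phases = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        if not lines[0].startswith("Phase:"):
            continue  # the final 'Result:' summary block is not a phase
        fields, mode = {"config": []}, "fields"
        for line in lines:
            if line.startswith("Config:"):
                mode = "config"
            elif line.startswith("Additional Information:"):
                mode = "info"  # free-form text; not needed here
            elif mode == "config":
                fields["config"].append(line.strip())
            elif mode == "fields":
                key, _, val = line.partition(":")
                fields[key.strip().lower()] = val.strip()
        phases.append(fields)
    return phases

def first_drop(phases):
    """The first phase whose Result is DROP, i.e. the rule that killed the flow, or None."""
    return next((p for p in phases if p.get("result") == "DROP"), None)

def diff_results(trace_a, trace_b):
    """Phase types whose Result differs between two traces, e.g. an SSL user vs an IPsec user."""
    ra = {p["type"]: p["result"] for p in parse_phases(trace_a)}
    rb = {p["type"]: p["result"] for p in parse_phases(trace_b)}
    return {t: (ra.get(t), rb.get(t)) for t in ra.keys() | rb.keys() if ra.get(t) != rb.get(t)}
```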