01-31-2011 09:13 AM - edited 02-21-2020 05:07 PM
I have an ASA 5505 that I connect to remotely. I use this as a remote IPSEC VPN with hairpinning/uturn to allow me to surf the Internet with my home IP address.
I am unable to access any of the internal computers on my home network. I have been able to successfully do this in the past on an older ASA IOS, but I am now on a new ASA running 8.2(1) and I am unable to connect internally.
I would like to connect to my Slingbox and Tivo, which are at my home. I have tried pinging both boxes and no luck. In the past, when this worked I was able to ping the devices.
I am attaching my config.
Thanks in advance.
Jon
01-31-2011 10:39 AM
Jon,
Try this:
access-list LOCAL permit ip 192.168.1.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (outside) 0 access-list LOCAL
Federico.
01-31-2011 11:03 AM
Federico,
Thanks for the advice. I applied what you recommended and I still have the same problem. Here is the logging information. 192.168.1.6 is my slingbox and I am remotely connecting via 192.168.1.103.
3|Jan 31 2011|10:51:28|305005|192.168.1.6|5001|||No translation group found for tcp src outside:192.168.1.103/53501 dst inside:192.168.1.6/5001
01-31-2011 11:14 AM
The problem is definitely NAT.
If you can do a test by removing the lines I gave you:
no access-list LOCAL permit ip 192.168.1.0 255.255.255.0 192.168.1.0 255.255.255.0
no nat (outside) 0 access-list LOCAL
And adding:
global (inside) 1 interface
nat (outside) 1 uturn 255.255.255.240 outside
Another thing I would like to mention is that you might want to have a separate non-overlapping range defined for the VPN clients (not 192.168.1.x)
Federico.
01-31-2011 11:30 AM
I was able to enter the no access list command. But when I entered the second command (no nat (outside) 0 access-list LOCAL) I get the following error.
Result of the command: "no nat (outside) 0 access-list LOCAL"
ERROR: access-list LOCAL not bound nat 0
The remaining commands seem to work, however here is my new error when trying to ping the Slingbox.
3|Jan 31 2011|11:18:02|305005|192.168.1.6|5001|||No translation group found for tcp src outside:192.168.1.103/54067 dst inside:192.168.1.6/5001
As for changing the IP range for the VPN clients: since my internal network at home uses 192.168.1.0, if I assign 192.168.2.0 will this cause problems? Would I have to set up any special type of routing/NAT'ing?
I am attaching the current config.
Thanks,
Jon
01-31-2011 12:18 PM
Assuming the VPN client range will now be 192.168.2.0/24
Need to make these changes:
no ip local pool VPN-Addys 192.168.1.25-192.168.1.35 mask 255.255.255.0
ip local pool VPN-Addys 192.168.2.1-192.168.2.254 mask 255.255.255.0
The NAT configuration (should look like this):
access-list NAT0OUT permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (outside) 0 access-list NAT0OUT
access-list NAT0IN permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list NAT0IN
nat (inside) 1 192.168.1.0 255.255.255.0
nat (outside) 1 192.168.2.0 255.255.255.0
global (outside) 1 interface
Make sure that (show run nat) does not show any other NAT statements and test both Internet and local access from the remote VPN client.
Federico.
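An added example, not from this thread and not Cisco's own tooling: a small Python lint for ASA 8.2-style access-list, nat and global lines that flags the mistakes the posts above keep circling around. It checks for a nat 0 that names an access-list which is not defined (the kind of name mismatch that shows up as "not bound nat 0" or as traffic with no translation group), a dynamic nat id with no global statement anywhere, and a nat on the outside interface without the trailing outside keyword. The checks are heuristics written for this example (the keyword check encodes the fix given later in the thread, not Cisco's validation), and both sample configs are constructed here.

```python
import re
from collections import defaultdict

# Statement shapes this lint understands (ASA 8.2, pre-8.3 NAT syntax).
ACL_RE = re.compile(r"^access-list\s+(\S+)\s+")
NAT_RE = re.compile(r"^nat\s+\((\S+)\)\s+(\d+)(?:\s+(.*))?$")
GLOBAL_RE = re.compile(r"^global\s+\((\S+)\)\s+(\d+)\b")


def parse_config(text):
    """Return (acl_names, nat_statements, globals_by_id) from a config excerpt."""
    acls = set()
    nats = []
    globals_ = defaultdict(set)  # nat_id -> interfaces carrying a global for it
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("no "):  # 'no ...' removes config; skip
            continue
        m = ACL_RE.match(line)
        if m:
            acls.add(m.group(1))
            continue
        m = NAT_RE.match(line)
        if m:
            iface, nat_id, rest = m.groups()
            nats.append({"iface": iface, "id": int(nat_id),
                         "args": (rest or "").split()})
            continue
        m = GLOBAL_RE.match(line)
        if m:
            globals_[int(m.group(2))].add(m.group(1))
    return acls, nats, globals_


def lint_nat(text, outside_iface="outside"):
    """Return human-readable findings; an empty list means nothing was flagged."""
    acls, nats, globals_ = parse_config(text)
    findings = []
    for n in nats:
        where = f"nat ({n['iface']}) {n['id']}"
        if n["id"] == 0:
            # nat 0 access-list (NAT exemption) must name an ACL that exists
            if n["args"][:1] == ["access-list"]:
                name = n["args"][1] if len(n["args"]) > 1 else "<missing>"
                if name not in acls:
                    findings.append(f"{where} references undefined access-list {name}")
            continue
        # A dynamic nat id needs a global on some interface to translate into
        if n["id"] not in globals_:
            findings.append(f"{where} has no matching 'global' statement")
        # Heuristic taken from this thread: outside NAT wants the trailing 'outside' keyword
        if n["iface"] == outside_iface and n["args"][-1:] != ["outside"]:
            findings.append(f"{where} is missing the trailing 'outside' keyword")
    return findings


# Constructed sample modelled on the mid-thread state: ACL name typo, no
# 'outside' keyword, and a stray nat id 2 with no global.
BROKEN_CONFIG = """\
access-list NAT0OUT permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list NAT0IN permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list NAT0IN
nat (inside) 1 192.168.1.0 255.255.255.0
nat (outside) 0 access-list NONAT0OUT
nat (outside) 1 192.168.2.0 255.255.255.0
nat (outside) 2 10.9.9.0 255.255.255.0
global (outside) 1 interface
"""

# Constructed sample of the cleaned-up set the thread converges on.
FIXED_CONFIG = """\
access-list NAT0OUT permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list NAT0IN permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list NAT0IN
nat (inside) 1 192.168.1.0 255.255.255.0
nat (outside) 0 access-list NAT0OUT
nat (outside) 1 192.168.2.0 255.255.255.0 outside
global (outside) 1 interface
"""

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"[{label}]", lint_nat(cfg) or "no findings")
```

Feed it the output of show run nat plus the access-list and global lines; it only reports on what it is given, so a nat 0 whose ACL lives elsewhere in the config needs that ACL pasted in too.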
01-31-2011 12:44 PM
Federico,
Thank you for your help. Still no luck.
Here is the output from show run nat
Result of the command: "show run nat"
nat (inside) 0 access-list NAT0IN
nat (inside) 1 highVPN 255.255.255.240
nat (inside) 1 192.168.1.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 0 access-list NAT0OUT
nat (outside) 1 highVPN 255.255.255.240
nat (outside) 1 192.168.1.0 255.255.255.0
nat (outside) 1 192.168.2.0 255.255.255.0
nat (outside) 1 uturn 255.255.255.240 outside
I attached the latest config.
Here is the output from the firewall log when trying to connect to the Slingbox and sending a ping to the Slingbox.
6|Jan 31 2011|12:32:06|302013|192.168.2.25|55091|192.168.1.6|5001|Built inbound TCP connection 59469 for outside:192.168.2.25/55091 (192.168.2.25/55091) to inside:192.168.1.6/5001 (192.168.1.6/5001) (jojo)
6|Jan 31 2011|12:32:02|302021|192.168.2.25|15368|192.168.1.6|0|Teardown ICMP connection for faddr 192.168.2.25/15368 gaddr 192.168.1.6/0 laddr 192.168.1.6/0 (jojo)
6|Jan 31 2011|12:32:01|302014|192.168.2.25|55091|192.168.1.6|5001|Teardown TCP connection 59405 for outside:192.168.2.25/55091 to inside:192.168.1.6/5001 duration 0:00:30 bytes 0 SYN Timeout (jojo)
6|Jan 31 2011|12:31:56|302020|192.168.2.25|15368|192.168.1.6|0|Built inbound ICMP connection for faddr 192.168.2.25/15368 gaddr 192.168.1.6/0 laddr 192.168.1.6/0 (jojo)
6|Jan 31 2011|12:31:31|302013|192.168.2.25|55091|192.168.1.6|5001|Built inbound TCP connection 59405 for outside:192.168.2.25/55091 (192.168.2.25/55091) to inside:192.168.1.6/5001 (192.168.1.6/5001) (jojo)
01-31-2011 12:49 PM
I would only leave these ones:
nat (inside) 0 access-list NAT0IN
nat (inside) 1 192.168.1.0 255.255.255.0
nat (outside) 0 access-list NAT0OUT
nat (outside) 1 192.168.2.0 255.255.255.0
Also, please confirm that when connected via VPN, the VPN client can PING 192.168.1.1 (inside IP of the ASA).
Please confirm that the VPN client is able to get to the Internet with the current config... and that it is able to PING the above IP.
Federico.
01-31-2011 01:37 PM
Attached the latest config. Still no luck.
I am able to ping 192.168.1.1 but not 192.168.1.6 (which I know is up and running).
Here are the current firewall logs when I try to ping .6
3|Jan 31 2011|13:25:24|305005|192.168.1.6||||No translation group found for icmp src outside:192.168.2.25 dst inside:192.168.1.6 (type 8, code 0)
3|Jan 31 2011|13:25:23|305005|192.168.1.6||||No translation group found for icmp src outside:192.168.2.25 dst inside:192.168.1.6 (type 8, code 0)
3|Jan 31 2011|13:25:22|305005|192.168.1.6||||No translation group found for icmp src outside:192.168.2.25 dst inside:192.168.1.6 (type 8, code 0)
3|Jan 31 2011|13:25:21|305005|192.168.1.6||||No translation group found for icmp src outside:192.168.2.25 dst inside:192.168.1.6 (type 8, code 0)
01-31-2011 01:45 PM
Jon,
If you're able to PING 192.168.1.1 from the VPN client, it means traffic is reaching the ASA's inside interface correctly.
Now, the ASA should forward the packets to 192.168.1.6 when received.
Do this:
Just add the keyword outside
to this statement:
nat (outside) 1 192.168.2.0 255.255.255.0 outside
Try again. If it does not work make sure the only NAT statements that you have are the following (you can copy/paste):
access-list NAT0OUT permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list NAT0IN permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
no global (inside) 1 interface
nat (inside) 0 access-list NAT0IN
nat (inside) 1 192.168.1.0 255.255.255.0
nat (outside) 0 access-list NAT0OUT
nat (outside) 1 192.168.2.0 255.255.255.0
Federico.
01-31-2011 09:47 PM
Still no luck.
3|Jan 31 2011|21:34:02|305006|192.168.1.6||||portmap translation creation failed for icmp src outside:192.168.2.25 dst inside:192.168.1.6 (type 8, code 0)
3|Jan 31 2011|21:34:01|305006|192.168.1.6||||portmap translation creation failed for icmp src outside:192.168.2.25 dst inside:192.168.1.6 (type 8, code 0)
3|Jan 31 2011|21:34:00|305006|192.168.1.6||||portmap translation creation failed for icmp src outside:192.168.2.25 dst inside:192.168.1.6 (type 8, code 0)
Does the 'global (outside) 1 interface' need to be in there?
I attached the latest running config.
Thanks again.
Jon
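An added example, not posted by anyone in this thread: a Python parser for the pipe-delimited ASDM log export format quoted in the posts above, which aggregates the 305005 ("No translation group found") and 305006 ("portmap translation creation failed") messages per flow so that a run of identical lines collapses into one row with a count. The diagnostic hints attached to each message id are heuristics written for this example, not Cisco's documented text, and the sample log is constructed from lines modelled on the ones quoted in the thread.

```python
import re
from collections import Counter

# Message IDs behind the NAT errors in this thread, with a heuristic hint
# written for this example (not Cisco's documented recommended action).
NAT_MSGIDS = {
    "305005": "no nat statement matched this flow: add a nat 0 exemption "
              "(or a nat/global pair) that covers it",
    "305006": "a nat statement matched but no translation could be built: "
              "check the global for that nat id, or exempt the flow with nat 0",
}

# 'src <if>:<ip>[/port] dst <if>:<ip>[/port]' as written in 3050xx message text
FLOW_RE = re.compile(
    r"src (\w+):(\d+\.\d+\.\d+\.\d+)(?:/\d+)? dst (\w+):(\d+\.\d+\.\d+\.\d+)(?:/\d+)?"
)


def parse_line(line):
    """Split one ASDM export line into a dict; None if it is not in that format."""
    fields = line.rstrip("\n").split("|", 8)
    if len(fields) != 9:
        return None
    sev, date, clock, msgid, src, _sport, dst, _dport, text = fields
    rec = {"severity": int(sev), "timestamp": f"{date} {clock}",
           "msgid": msgid, "text": text}
    m = FLOW_RE.search(text)
    if m:
        rec["src_if"], rec["src"], rec["dst_if"], rec["dst"] = m.groups()
    else:
        # Fall back to the fixed columns, which 3020xx connection messages fill in
        rec["src_if"], rec["src"] = None, src or None
        rec["dst_if"], rec["dst"] = None, dst or None
    return rec


def nat_failures(log_text):
    """Aggregate NAT-failure messages per flow and attach the hint for each id."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["msgid"] in NAT_MSGIDS:
            key = (rec["msgid"], rec["src_if"], rec["src"], rec["dst_if"], rec["dst"])
            counts[key] += 1
    return [
        {"msgid": msgid, "flow": f"{sif}:{src} -> {dif}:{dst}",
         "count": n, "hint": NAT_MSGIDS[msgid]}
        for (msgid, sif, src, dif, dst), n in counts.items()
    ]


# Constructed sample in the pipe-delimited format quoted in the thread
SAMPLE_LOG = """\
3|Jan 31 2011|13:25:24|305005|192.168.1.6||||No translation group found for icmp src outside:192.168.2.25 dst inside:192.168.1.6 (type 8, code 0)
3|Jan 31 2011|13:25:23|305005|192.168.1.6||||No translation group found for icmp src outside:192.168.2.25 dst inside:192.168.1.6 (type 8, code 0)
3|Jan 31 2011|13:25:22|305005|192.168.1.6||||No translation group found for icmp src outside:192.168.2.25 dst inside:192.168.1.6 (type 8, code 0)
3|Jan 31 2011|21:34:02|305006|192.168.1.6||||portmap translation creation failed for icmp src outside:192.168.2.25 dst inside:192.168.1.6 (type 8, code 0)
3|Jan 31 2011|21:34:01|305006|192.168.1.6||||portmap translation creation failed for icmp src outside:192.168.2.25 dst inside:192.168.1.6 (type 8, code 0)
6|Jan 31 2011|12:32:06|302013|192.168.2.25|55091|192.168.1.6|5001|Built inbound TCP connection 59469 for outside:192.168.2.25/55091 (192.168.2.25/55091) to inside:192.168.1.6/5001 (192.168.1.6/5001) (jojo)
"""

if __name__ == "__main__":
    for f in nat_failures(SAMPLE_LOG):
        print(f"{f['msgid']} x{f['count']} {f['flow']}: {f['hint']}")
```

The flow key includes the interface names, which is what makes the output useful here: a 305005 with src outside and dst inside for the VPN pool tells you straight away that it is the outside-side nat 0 exemption (not the inside one) that is missing or misnamed.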
01-31-2011 10:33 PM
Success!
My apologies, reading your last post I disabled my ICMP access list which resulted in blocked pings. Additionally, my Slingbox went offline so I was pinging a non-existent IP.
I cleaned out the NAT rules like you said and it works.
Thanks again for your patience.
Jon