Problem with ASA 5505 VPN config

Reedik Leitsar
Level 1

Hi to all,

I have a problem with ASA 5505 remote access VPN. I have a site-to-site VPN and I need my VPN clients to be able to access the IP subnets I have behind the site-to-site VPN. Everything I have tried gives me the error “Flow is a loopback” in my log.

So what I need: for example, I need the VPN client with IP 10.0.0.1 to be able to reach 192.168.1.2.

My config:

access-list Test_splitTunnelAcl standard permit host 10.0.2.3
access-list Test_splitTunnelAcl standard permit host 10.0.2.4
access-list Test_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list nonat_outside extended permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
ip local pool VPN_Client_Pool2 10.0.0.1-10.0.0.200 mask 255.255.255.0
nat (outside) 0 access-list nonat_outside
nat (outside) 1 10.0.0.0 255.255.255.0
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Test_splitTunnelAcl

Site-to-Site:

crypto map outside_map 3 set peer 195.233.x.x
access-list outside_3_cryptomap extended permit ip object-group DM_INLINE_NETWORK_2 object-group DM_INLINE_NETWORK_4
object-group network DM_INLINE_NETWORK_2
 network-object 10.0.2.0 255.255.255.0
 network-object 10.0.3.0 255.255.255.0
object-group network DM_INLINE_NETWORK_4
 network-object host 192.168.2.70
 network-object host 192.168.3.55
 network-object 192.168.1.0 255.255.255.0

I hope that someone can post an answer and solve my problem.

3 Replies

Jennifer Halim
Cisco Employee

A few things are required:

1) You don't need the following 2 lines, so they can be removed:

nat (outside) 0 access-list nonat_outside
nat (outside) 1 10.0.0.0 255.255.255.0

2) On the ASA, you need to configure:

same-security-traffic permit intra-interface

3) Object group: DM_INLINE_NETWORK_2 needs to include 10.0.0.0/24

4) On the remote lan-to-lan end, the crypto ACL also needs to include 10.0.0.0/24 as the destination subnet.

5) The NAT exemption (NONAT) on the remote lan-to-lan end also needs to include 10.0.0.0/24 as the destination subnet.

Hope that will resolve your problem.
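As an added example (not from the thread), a small Python check that applies the reply's steps 1 to 3 to the poster's configuration: it parses the network object groups, verifies that the crypto ACL's source group covers the VPN pool and its destination group covers the remote subnet, and flags the nat (outside) lines and the missing intra-interface permit. The config text is a constructed excerpt of the lines posted above; the function names are assumptions, not ASA or Cisco tooling.

```python
import ipaddress
import re

# Constructed sample: the relevant lines of the poster's config, not a full device config.
ORIGINAL_CFG = """
nat (outside) 0 access-list nonat_outside
nat (outside) 1 10.0.0.0 255.255.255.0
access-list outside_3_cryptomap extended permit ip object-group DM_INLINE_NETWORK_2 object-group DM_INLINE_NETWORK_4
object-group network DM_INLINE_NETWORK_2
 network-object 10.0.2.0 255.255.255.0
 network-object 10.0.3.0 255.255.255.0
object-group network DM_INLINE_NETWORK_4
 network-object host 192.168.2.70
 network-object 192.168.1.0 255.255.255.0
"""
# The same lines after the reply's steps 1-3: drop the nat (outside) lines, permit
# intra-interface traffic, and add the VPN pool to the crypto ACL's source group.
FIXED_CFG = ("same-security-traffic permit intra-interface\n" + "\n".join(
    l for l in ORIGINAL_CFG.splitlines() if not l.startswith("nat (outside)"))
).replace(" network-object 10.0.3.0 255.255.255.0",
          " network-object 10.0.3.0 255.255.255.0\n network-object 10.0.0.0 255.255.255.0")

def parse_object_groups(cfg):
    """Map object-group name -> list of networks ('host a.b.c.d' and 'net mask' forms)."""
    groups, current = {}, None
    for line in cfg.splitlines():
        m = re.match(r"object-group network (\S+)", line)
        if m:
            current = groups.setdefault(m.group(1), [])
        elif current is not None and (m := re.match(r"\s+network-object (?:host )?(\S+)(?: (\S+))?", line)):
            current.append(ipaddress.ip_network(m.group(1) if m.group(2) is None else f"{m.group(1)}/{m.group(2)}"))
        elif not line.startswith(" "):
            current = None  # any unindented line ends the current object-group
    return groups

def check_hairpin(cfg, crypto_acl, pool, remote_subnet):
    """List what would keep VPN-client traffic from being hairpinned into the L2L tunnel."""
    pool, remote_subnet = ipaddress.ip_network(pool), ipaddress.ip_network(remote_subnet)
    groups, findings = parse_object_groups(cfg), []
    if "same-security-traffic permit intra-interface" not in cfg:
        findings.append("missing: same-security-traffic permit intra-interface")
    if re.search(r"^nat \(outside\)", cfg, re.M):
        findings.append("remove: nat (outside) statements for the VPN pool")
    m = re.search(rf"^access-list {crypto_acl} extended permit ip object-group (\S+) object-group (\S+)", cfg, re.M)
    if not m:
        return findings + [f"crypto ACL {crypto_acl} not found"]
    for name, needed in ((m.group(1), pool), (m.group(2), remote_subnet)):
        if not any(needed.subnet_of(n) for n in groups.get(name, [])):
            findings.append(f"{name} does not include {needed}")
    return findings
```

Running `check_hairpin(ORIGINAL_CFG, "outside_3_cryptomap", "10.0.0.0/24", "192.168.1.0/24")` reports the three local-side gaps; the same call on `FIXED_CFG` returns an empty list, leaving only the remote-end steps 4 and 5 to verify with that site's administrator.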

Thank you for your response. But still no luck; the remote lan-to-lan administrator told me that he has already done this configuration. But right now there is no “Flow is a loopback” error.

Have you cleared the tunnel on both ends and tried again? Once you've created the additional subnet, the VPN tunnel needs to be cleared so it builds SAs for the new subnet as well.

Once you have cleared the tunnel, please kindly try again, and if it still doesn't work, please share the output of:

show cry isa sa
show cry ipsec sa