kajumblies15
Beginner

RA VPN to VTI remote network

Hello, 

I wanted to post a question to see if I could get some help in understanding/getting the below problem to work. 

I have a Remote Access VPN that terminates on an ASA, and from there, through NAT, I am able to get RA VPN users to access a network that sits behind a site-to-site VPN that runs on the same ASA. The question/problem I have is: how can I get RA VPN users to a remote network that sits behind an IPsec VTI that is configured on the same ASA?

 

Thank You!


12 REPLIES
Amine ZAKARIA
Beginner

Hi @kajumblies15 ,

 

I'm not sure if I misunderstand you, but that depends on the architecture. In the RA VPN you are using an RA VPN pool for the authenticated users; that pool should be routed on the ASA's IPsec VTI peer and on the network equipment behind that ASA.

 

Example: with an RA VPN pool of 10.99.0.0/24, the route on the ASA should look like "route VTI_S2S 10.99.0.0 255.255.255.0 Peer_Tunnel_interface_Address".

 

Make sure to do the same on the core/distribution ... switch, to route that RA VPN pool.

 

If there's a firewall in between, which is always the case, don't forget to open the flow. If you are applying an access-group on the ASA VTI interface, add an ACE for the RA pool flow.

 

Same if there's a NAT in the way, make sure to exclude the RA VPN Pool.

If you need anything else let me know.

 

--

 

Don't forget to rate helpful posts.

 

Yes, let me explain a bit better.

We have two geographical sites, A and B, and RA VPN users can go to either one of those. Both sites are connected to each other via a site-to-site VPN, and RA VPN users are able to get to resources on both sites when VPN'd. Both sites also have IPsec site-to-site tunnels to AWS, and RA VPN users are able to get to the remote AWS networks. We had a problem where Site A RA VPN users were able to get to AWS resources through the IPsec AWS tunnel and Site B RA VPN users were not. After investigating, one of the issues I saw was that the RA VPN pool on Site A was a chunk of IPs taken from the inside network. The Site B RA VPN pool was a completely different subnet altogether. To resolve Site B RA VPN users being allowed to get to the AWS resources through the IPsec AWS tunnel, I got assistance from this forum in creating a NAT statement that essentially NATed the RA VPN pool network to the inside network subnet and then NATed it to the specific remote network behind the IPsec AWS tunnel.

 

For this question it appears that I'm running into a similar issue, but this time dealing with VTI. There is already a route in place to get to the remote network through the VTI. Site A RA VPN users are able to get to that remote network; however, Site B is not. My thought was that I needed to create a NAT statement that would make that work, I'm just not sure how to do it.

I can provide a better breakdown with IPs and the current NAT statements if that helps.

Thank You

@kajumblies15 

So you want RAVPN users to access a Site-to-Site VPN configured on the same ASA, and the VPN is a static VTI?

 

Does the other end of the VPN have a route via the VTI for your RAVPN IP address range? If not it won't know how to return the traffic.

 

Is traffic even being sent over the VPN tunnel, check the counters "show crypto ipsec sa" and see if they increase.

 

Run packet-tracer to determine if permitted.

 

Is NAT causing a problem here (check the output of packet-tracer)? If so, with a VTI you cannot assign a nameif, so a NAT rule would have to use "any" instead of a nameif. If you do need to do that, then be as specific with the source and destination networks as possible.

Rob, 

Your first question is correct.

Let me give some IPs to help make it easier to understand. 

 

Site B

1. The remote network that sits through the VTI is 10.10.0.0/24

2. The RA VPN pool is 192.168.30.0/24

3. The ASA inside network is 192.168.105.0/24

4. Static route in place that point to the remote network and uses the VTI as the gateway

 

Site A

1. The remote network that sits through the VTI is 10.10.0.0/24

2. The RA VPN Pool is 192.168.100.50-100/24

3. The ASA inside network is 192.168.100.0/24

4. Static route in place that point to the remote network and uses the VTI as the gateway

 

Both Site A and Site B ASAs' inside networks are able to talk to 10.10.0.0/24. Site A RA VPN users are able to talk to 10.10.0.0/24 but Site B is not. There is a NAT statement on Site A that I believe is making this work, and it's written:

 

nat (Inside,Any) source static ASA INSIDE NETWORK destination static RAVPN POOL  no-proxy-arp route-lookup

Let me know if that is more helpful.

Thank You

 

Well, I assume your traffic is currently unintentionally being translated over the VPN? packet-tracer would confirm this.

 

Do you want a NAT exemption rule to avoid this problem?

 

To allow Site B's RAVPN to communicate over the VTI VPN, try this on Site B ASA:

 

object network SITEB-RAVPN
subnet 192.168.30.0 255.255.255.0
!
object network VTI-NET
subnet 10.10.0.0 255.255.255.0
!
nat (OUTSIDE,any) source static SITEB-RAVPN SITEB-RAVPN destination static VTI-NET VTI-NET

RAVPN traffic is always sourced from the outside interface, hence why the NAT rule above has source "outside"; the destination is "any" because there is no nameif for a VTI. The objects represent the source and destination networks; the original/translated source and the original/translated destination are the same object, to ensure the traffic is not translated.


@Rob Ingram 

Thank You I will test the above out.

Thank you

 

@Rob Ingram 

I tried the above NAT statement and it did not work. Do you have any other suggestions? Previously, when you helped me with the IPsec VPN to AWS, I had to do a translation of the RAVPN to the local network. From my local network I can get to the remote side of the VTI, if that helps. Any ideas?

 

Thank You

 

@kajumblies15 you'll need to provide more information.

Run packet-tracer from the CLI and provide the output for review, provide the output of "show nat detail", provide your configuration.

@Rob Ingram 

 
No problem. While I gather that info: when the rule above was applied and I was to ping the VTI remote network, would the source IP going to the VTI originate from the RA VPN pool subnet? If so, should I ensure that the remote VTI network knows about the RA VPN network?

Thank You

@kajumblies15 well, that would depend on your NAT rule. If you exempted the traffic and used the original source IP, and the remote end does not have a route back, then it won't work. So yes, as I previously stated, the other end of the VPN needs to have a route via the VTI for your RAVPN IP address range.
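The two things this thread turned on are (1) whether the RAVPN traffic is being translated before it enters the VTI, which the exemption rule in the accepted answer addresses, and (2) whether the far end of the VTI can route back to whatever source address actually leaves the tunnel, which is what finally fixed it. The script below is an added example, not code from the thread or from Cisco: it models the ASA's first-match manual (twice) NAT lookup and the peer's longest-prefix route lookup, using the addresses the original poster gave. The Site B outside IP 203.0.113.5, the catch-all interface PAT rule, the Site A exemption covering its inside network, and the remote routing table are all constructed assumptions for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Added example, not Cisco's code: a minimal model of ASA manual (twice) NAT
# matching plus the VTI peer's return-route lookup. RAVPN traffic is treated
# as arriving on the OUTSIDE nameif, as the ASA does. Rules are first-match,
# top down; "any" matches every interface. The mapped interface is recorded
# but not evaluated here (the ASA uses it for egress selection).


@dataclass
class NatRule:
    real_if: str               # first interface in "nat (real_ifc,mapped_ifc)"
    mapped_if: str             # second interface; "any" when the egress is a VTI
    orig_src: str              # original source network, CIDR
    mapped_src: str            # translated source; equal to orig_src for identity NAT
    orig_dst: str = "0.0.0.0/0"
    mapped_dst: str = "0.0.0.0/0"
    pat_to: str = ""           # non-empty: dynamic PAT to this address (assumed)

    def matches(self, ingress: str, src: str, dst: str) -> bool:
        return (self.real_if in ("any", ingress)
                and ip_address(src) in ip_network(self.orig_src)
                and ip_address(dst) in ip_network(self.orig_dst))


def _static_map(addr: str, orig: str, mapped: str) -> str:
    # Static network translation keeps the host offset inside the subnet;
    # with orig == mapped the address comes back unchanged (NAT exemption).
    o, m = ip_network(orig), ip_network(mapped)
    offset = int(ip_address(addr)) - int(o.network_address)
    return str(ip_address(int(m.network_address) + offset))


def translate(rules, ingress, src, dst):
    """Return (src_on_wire, dst_on_wire, index of the matched rule or None)."""
    for i, r in enumerate(rules):
        if r.matches(ingress, src, dst):
            if r.pat_to:
                return r.pat_to, dst, i
            return (_static_map(src, r.orig_src, r.mapped_src),
                    _static_map(dst, r.orig_dst, r.mapped_dst), i)
    return src, dst, None


def return_route(routes, addr):
    """Longest-prefix match on the far end's table; None if unroutable."""
    best = None
    for prefix, via in routes:
        net = ip_network(prefix)
        if ip_address(addr) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return best[1] if best else None


def ravpn_reaches_vti(rules, remote_routes, src, dst):
    """RAVPN flows enter the ASA on OUTSIDE, so the NAT match is done there."""
    wire_src, wire_dst, idx = translate(rules, "OUTSIDE", src, dst)
    via = return_route(remote_routes, wire_src)
    return {"wire_src": wire_src, "wire_dst": wire_dst, "rule": idx,
            "return_via": via, "ok": via is not None}


# Constructed topology using the thread's addresses (assumed values marked).
PAT_CATCHALL = NatRule("any", "any", "0.0.0.0/0", "0.0.0.0/0",
                       pat_to="203.0.113.5")        # assumed Site B outside IP / PAT
SITEB_EXEMPT = NatRule("OUTSIDE", "any", "192.168.30.0/24", "192.168.30.0/24",
                       "10.10.0.0/24", "10.10.0.0/24")   # the rule from the thread
SITEB_BEFORE = [PAT_CATCHALL]
SITEB_AFTER = [SITEB_EXEMPT, PAT_CATCHALL]
SITEA_RULES = [NatRule("OUTSIDE", "any", "192.168.100.0/24", "192.168.100.0/24",
                       "10.10.0.0/24", "10.10.0.0/24")]  # assumed; pool sits inside it
# Far end of the VTI (assumed): knows both sites' inside networks, not Site B's pool.
REMOTE_ROUTES = [("10.10.0.0/24", "local"),
                 ("192.168.105.0/24", "vti"),    # Site B inside
                 ("192.168.100.0/24", "vti")]    # Site A inside, which contains its pool
REMOTE_ROUTES_FIXED = REMOTE_ROUTES + [("192.168.30.0/24", "vti")]

if __name__ == "__main__":
    for label, rules, routes, src in [
        ("Site B, no exemption", SITEB_BEFORE, REMOTE_ROUTES, "192.168.30.10"),
        ("Site B, exemption only", SITEB_AFTER, REMOTE_ROUTES, "192.168.30.10"),
        ("Site B, exemption + remote route", SITEB_AFTER, REMOTE_ROUTES_FIXED, "192.168.30.10"),
        ("Site A, pool inside 192.168.100.0/24", SITEA_RULES, REMOTE_ROUTES, "192.168.100.50"),
    ]:
        print(label, ravpn_reaches_vti(rules, routes, src, "10.10.0.5"))
```

The four scenarios reproduce the thread in order: with only a catch-all PAT the pool is translated to the outside address and the peer cannot return it; with the exemption in place the pool address leaves untranslated but the peer still has no route for 192.168.30.0/24 (the "did not work" step); adding that route on the far end makes it work; and Site A worked all along because its pool is carved out of 192.168.100.0/24, which the peer already routed via the VTI. On a real ASA the equivalent checks are packet-tracer on the NAT phase and "show route" on the peer.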

@Rob Ingram 

Once we updated the remote end with the RA VPN network everything worked. 

Thank You so much!!!!!!!!

@kajumblies15 ,

"I can provide a better breakdown with IPs and the current NAT statements if that helps"

Yes please, including the architecture.