09-08-2021 02:33 PM
Hello,
I wanted to post a question to see if I could get some help in understanding/getting the below problem to work.
I have a Remote Access VPN that terminates on an ASA and from there, through NAT, I am able to get RA VPN users to access a network that sits behind a site-to-site VPN that runs on the same ASA. The question/problem I have is how can I get RA VPN users to a remote network that sits behind an IPsec VTI that is configured on the same ASA?
Thank You!
09-08-2021 05:24 PM
Hi @kajumblies15 ,
I'm not sure if I misunderstand you, but that depends on the architecture. In the RA VPN you are using an RA VPN pool for the authenticated users; that pool should be routed on the ASA IPsec VTI peer and on the network equipment behind that ASA.
Example: RA VPN pool 10.99.0.0/24. The route on the ASA should be like "route VTI_S2S 10.99.0.0 255.255.255.0 Peer_Tunnel_interface_Address".
Make sure to do the same on the core/distribution switch to route that RA VPN pool.
If there's a firewall in between, which is always the case, don't forget to open the flow. If you are applying an access-group on the ASA VTI interface, add an ACE for the RA pool flow.
Same if there's NAT in the way: make sure to exclude the RA VPN pool.
If you need anything else let me know.
--
Don't forget to rate helpful posts.
09-09-2021 05:06 AM
Yes let me explain a bit better,
We have two geographical sites, A and B, and RA VPN users can go to either one of them. Both sites are connected to each other via a site-to-site VPN, and RA VPN users are able to get to resources on both sites when VPN'd in. Both sites also have IPsec site-to-site tunnels to AWS, and RA VPN users are able to get to the remote AWS networks. We had a problem where Site A RA VPN users were able to get to AWS resources through the IPsec AWS tunnel and Site B RA VPN users were not. After investigating, one of the issues I saw was that the RA VPN pool on Site A was a chunk of IPs taken from the inside network. The Site B RA VPN pool was a completely different subnet altogether. To resolve Site B RA VPN users being allowed to get to the AWS resources through the IPsec AWS tunnel, I got assistance from this forum in creating a NAT statement that essentially NATed the RA VPN pool network to the inside network subnet and then NATed it to the specific remote network behind the IPsec AWS tunnel.
For this question it appears that I'm running into a similar issue, but this time dealing with a VTI. There is already a route in place to get to the remote network through the VTI. Site A RA VPN users are able to get to that remote network; however, Site B is not. My thought was that I needed to create a NAT statement that would make that work, I'm just not sure how to do it.
I can provide a better break down with IPs and the current Nat statements if that helps
Thank You
09-09-2021 05:28 AM
So you want RAVPN users to access a Site-to-Site VPN configured on the same ASA, and the VPN is a static VTI?
Does the other end of the VPN have a route via the VTI for your RAVPN IP address range? If not it won't know how to return the traffic.
Is traffic even being sent over the VPN tunnel, check the counters "show crypto ipsec sa" and see if they increase.
Run packet-tracer to determine if permitted.
Is NAT causing a problem here (check output of packet-tracer)? If so using a VTI you cannot assign a nameif, a nat rule would have to use "any" instead of a nameif. If you do need to do that, then be as specific with the source and destination networks as possible.
09-09-2021 05:54 AM
Rob,
Your first question is correct.
Let me give some IPs to help make it easier to understand.
Site B
1. The remote network that sits through the VTI is 10.10.0.0/24
2. The RA VPN pool is 192.168.30.0/24
3. The ASA inside network is 192.168.105.0/24
4. Static route in place that point to the remote network and uses the VTI as the gateway
Site A
1. The remote network that sits through the VTI is 10.10.0.0/24
2. The RA VPN Pool is 192.168.100.50-100/24
3. The ASA inside network is 192.168.100.0/24
4. Static route in place that point to the remote network and uses the VTI as the gateway
Both Site A and Site B ASA inside networks are able to talk to 10.10.0.0/24. Site A RA VPN users are able to talk to 10.10.0.0/24, but Site B users are not. There is a NAT statement on Site A that I believe is making this work, and it's written:
nat (Inside,Any) source static ASA INSIDE NETWORK destination static RAVPN POOL no-proxy-arp route-lookup
Let me know if that is more helpful.
Thank You
09-09-2021 06:39 AM - edited 09-15-2021 01:12 PM
Well, I assume your traffic is currently unintentionally being translated over the VPN? packet-tracer would confirm this.
Do you want a NAT exemption rule to avoid this problem?
To allow Site B's RAVPN to communicate over the VTI VPN, try this on Site B ASA:
object network SITEB-RAVPN
subnet 192.168.30.0 255.255.255.0
!
object network VTI-NET
subnet 10.10.0.0 255.255.255.0
!
nat (OUTSIDE,any) source static SITEB-RAVPN SITEB-RAVPN destination static VTI-NET VTI-NET
RAVPN traffic is always sourced from the outside interface, hence why the NAT rule above has source "OUTSIDE"; destination is "any" because there is no nameif for a VTI. The objects represent the source and destination networks; the original/translated source and original/translated destination are the same object, to ensure traffic is not translated.
09-15-2021 01:09 PM
I tried the above NAT statement and it did not work. Do you have any other suggestions. Previously when you helped me with the IPSec VPN to AWS I had to do a Translation of the RAVPN to the Local Network. From my local network I can get to the remote part of the VTI if that helps. Any ideas?
Thank You
09-15-2021 01:13 PM
@kajumblies15 you'll need to provide more information.
Run packet-tracer from the CLI and provide the output for review, provide the output of "show nat detail", provide your configuration.
09-15-2021 01:40 PM
No problem. while I gather that info, when the rule above was applied and I was to ping the vti remote network, would the source ip going to the vti originate from the RA VPN pool subnet? If so should I ensure that the remote vti network knows about the RA VPN network?
Thank You
09-15-2021 01:46 PM
@kajumblies15 well, that would depend on your NAT rule. If you exempted the traffic and used the original source IP and the remote end does not have a route back, then it won't work. So yes, like I previously stated, you need to ensure the other end of the VPN has a route via the VTI for your RAVPN IP address range.
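The two things the thread hinges on are (a) the identity twice-NAT rule keeping the Site B pool untranslated toward the VTI network while other traffic is still PAT'd, and (b) the VTI peer having a route back to that pool. The script below is an added example, not something posted in the thread or taken from an ASA; it is a small model of those two checks using the addresses given above. The catch-all PAT rule, the outside address 203.0.113.1 and the route/next-hop names are constructed for illustration, and the model ignores interface pairs and NAT sections beyond "first matching manual rule wins".

```python
"""Toy model of the two checks discussed in this thread:
1. ASA manual (twice) NAT: does an identity rule keep the RAVPN pool
   untranslated toward the VTI network while other traffic is still PAT'd?
2. Remote peer routing: does the far end have a route back to the pool?
Addresses are the ones posted in the thread; the rule and route tables
are constructed for this example, not dumped from a real ASA.
"""
from ipaddress import ip_address, ip_network

# --- 1. Simplified manual NAT evaluation (first matching rule wins) -----
# Manual NAT on an ASA is evaluated top-down, so the exemption must sit
# above any broader translation rule that would otherwise match.
NAT_RULES_WITH_EXEMPTION = [
    # Models: nat (OUTSIDE,any) source static SITEB-RAVPN SITEB-RAVPN
    #                           destination static VTI-NET VTI-NET
    # Identity rule: translated source is None, i.e. keep the original.
    {"name": "RAVPN-to-VTI exempt", "src": ip_network("192.168.30.0/24"),
     "dst": ip_network("10.10.0.0/24"), "xlate_src": None},
    # Hypothetical catch-all PAT to the outside interface address (constructed).
    {"name": "PAT-to-outside", "src": ip_network("0.0.0.0/0"),
     "dst": ip_network("0.0.0.0/0"), "xlate_src": ip_address("203.0.113.1")},
]
# Same table with the exemption missing: the PAT rule now catches VTI-bound traffic.
NAT_RULES_WITHOUT_EXEMPTION = NAT_RULES_WITH_EXEMPTION[1:]


def apply_nat(rules, src, dst):
    """Return (translated_source, rule_name) for the first matching rule."""
    src, dst = ip_address(src), ip_address(dst)
    for rule in rules:
        if src in rule["src"] and dst in rule["dst"]:
            xlated = src if rule["xlate_src"] is None else rule["xlate_src"]
            return str(xlated), rule["name"]
    return str(src), "no-match"


# --- 2. Longest-prefix-match routing on the VTI peer side ---------------
def next_hop(routes, dst):
    """routes: list of (prefix, next_hop); pick the most specific prefix."""
    dst = ip_address(dst)
    best = None
    for prefix, hop in routes:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, hop)
    return best[1] if best else None


# Constructed peer routing table: before the fix only Site B's inside network
# is reachable over the VTI; the fix adds the RAVPN pool.
REMOTE_ROUTES_BEFORE = [
    (ip_network("0.0.0.0/0"), "internet-gw"),
    (ip_network("192.168.105.0/24"), "vti-to-siteB"),
]
REMOTE_ROUTES_AFTER = REMOTE_ROUTES_BEFORE + [
    (ip_network("192.168.30.0/24"), "vti-to-siteB"),
]


def return_path_ok(routes, client_src):
    """Does the peer send replies to this source back over the VTI?"""
    return next_hop(routes, client_src) == "vti-to-siteB"


def check_client(rules, remote_routes, client="192.168.30.10", server="10.10.0.5"):
    """Run one RAVPN client -> VTI-NET flow through both checks."""
    xlated, rule = apply_nat(rules, client, server)
    return {"nat_rule": rule, "seen_by_peer_as": xlated,
            "return_via_vti": return_path_ok(remote_routes, xlated)}


if __name__ == "__main__":
    for label, rules, routes in [
        ("no exemption, no route", NAT_RULES_WITHOUT_EXEMPTION, REMOTE_ROUTES_BEFORE),
        ("exemption, no route", NAT_RULES_WITH_EXEMPTION, REMOTE_ROUTES_BEFORE),
        ("exemption + route", NAT_RULES_WITH_EXEMPTION, REMOTE_ROUTES_AFTER),
    ]:
        print(f"{label:24s} -> {check_client(rules, routes)}")
```

Only the last case reports a usable return path, which is the combination the thread ended on: the exemption makes the peer see the real pool address, and the peer's added route sends replies back over the VTI. On a real ASA the equivalent evidence is packet-tracer showing the identity rule as the NAT hit and "show crypto ipsec sa" counters moving in both directions.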
09-16-2021 05:35 AM
Once we updated the remote end with the RA VPN network everything worked.
Thank You so much!!!!!!!!
09-09-2021 05:36 AM
I can provide a better break down with IPs and the current Nat statements if that helps
Yes please, including the architecture.
12-25-2021 11:22 PM - edited 01-01-2022 11:34 PM
Do a debug ccsip message to peer what facts that is surpassed between the router and the smartphone to if feasible see if there's some thing with that IP this is covered in the registration for remote codes.