07-01-2009 08:59 AM
Hello,
We are trying to tunnel our Remote VPN Users' traffic through our ASA 5510 as well as allow the Remote VPN Users' traffic access to the other end of all our site-to-site VPNs connected to the same ASA. Basically we want whoever VPNs into the network to be able to access all of our company networks. We are trying to get away with this without using split tunneling.
I can currently get the Remote VPN Users' internal traffic to reach all the other site-to-site VPN tunnels, without the internet being tunneled. The problem is when I add the following NAT statement:
nat (outside) 1 10.10.19.0 255.255.255.0
(10.10.19.0 is the Remote VPN Client address pool.)
The internet traffic for the Remote VPN starts to get tunneled, but I lose the ability to reach any of the other site-to-site tunnels through the Remote VPN tunnel.
I also start receiving the following errors in the ASA log:
3 Jul 01 2009 12:34:18 305005 10.10.19.255 137 No translation group found for udp src outside:10.10.19.3/137 dst outside:10.10.19.255/137
Any help with how the NAT statements should be set to get this to work would be appreciated.
Thank you,
Will
07-01-2009 12:02 PM
Will,
Reference the link within this post for your hub-and-spoke VPN scenario; your problem may lie in the exempt NAT rules.
Have a second look at your nonat rules.
Make sure to eliminate split-tunnel rules pertaining to RA, if any, so they do not get in the way.
If there are still issues, describe the topology for the L2Ls and RA (logical info) and a sanitized config of the hub ASA, but I think if you look at the above thread you should be able to resolve it.
Regards
07-06-2009 05:48 AM
jorgemcse,
I really appreciate the help! This information assisted me in resolving the issue. I created an object-group (InsideVPN) containing all the internal networks I need the RA tunnels to access. I then created a separate access-list (outside_nat0_outbound) and NAT-exempted the access-list on the outside interface to get everything to work.
- InsideVPN is the object-group I used.
- 10.10.19.0/24 is our VPN pool.
access-list outside_nat0_outbound extended permit ip 10.10.19.0 255.255.255.0 object-group InsideVPN
access-list outside_nat0_outbound extended permit ip 10.10.19.0 255.255.255.0 10.10.19.0 255.255.255.0
nat (outside) 0 access-list outside_nat0_outbound
Thanks again,
Will
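The following is an added, fuller ASA 8.2-style configuration fragment illustrating the approach Will describes above and the "nonat" rules Jorge keeps pointing at; it is not taken from Will's or Jorge's configs. The member networks of InsideVPN, the site-to-site peer address and the crypto map names are constructed placeholders. The point it shows that the thread only implies: the `nat (outside) 0` exemption must match before the `nat (outside) 1` PAT rule, the same pool must appear in the hub's site-to-site crypto ACLs, and hairpinning must be permitted on the outside interface, otherwise full-tunnel clients lose the spoke networks exactly as described in the first post.

```cisco
! Internal networks the remote-access (RA) clients must reach.
! These subnets are constructed examples, not from the thread.
object-group network InsideVPN
 network-object 10.10.1.0 255.255.255.0
 network-object 10.10.2.0 255.255.255.0
 network-object 192.168.50.0 255.255.255.0

! RA clients enter and leave via the same (outside) interface, so
! intra-interface traffic has to be allowed (hairpinning).
same-security-traffic permit intra-interface

! NAT exemption for RA clients: pool -> internal/spoke networks, and
! pool -> pool (covers client-to-client traffic, including the
! 10.10.19.x -> 10.10.19.255 broadcast seen in the 305005 log message).
access-list outside_nat0_outbound extended permit ip 10.10.19.0 255.255.255.0 object-group InsideVPN
access-list outside_nat0_outbound extended permit ip 10.10.19.0 255.255.255.0 10.10.19.0 255.255.255.0
nat (outside) 0 access-list outside_nat0_outbound

! Everything else from the pool (i.e. Internet traffic, since split
! tunneling is off) is PATed to the outside interface address.
! nat 0 is evaluated first, so the exemption above still wins.
nat (outside) 1 10.10.19.0 255.255.255.0
global (outside) 1 interface

! The hub's site-to-site crypto ACL must also carry the RA pool, or the
! spoke side never sees the 10.10.19.0/24 traffic as "interesting".
! 10.10.1.0/24 here is the constructed spoke network behind peer 203.0.113.10.
access-list outside_cryptomap_spoke1 extended permit ip 10.10.19.0 255.255.255.0 10.10.1.0 255.255.255.0
crypto map outside_map 10 match address outside_cryptomap_spoke1
crypto map outside_map 10 set peer 203.0.113.10
```

The mirror of the last access-list (spoke network to 10.10.19.0/24) has to exist in the spoke's crypto ACL and NAT exemption as well; if it is missing, `show crypto ipsec sa` on the hub shows encaps but no decaps for that SA. Verifying with `packet-tracer input outside udp 10.10.19.3 137 10.10.1.5 137` shows whether the NAT exemption phase is hit before the PAT rule.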
07-06-2009 07:10 AM
Will, glad we could help.. thanks for rating.
Rgds
Jorge
07-13-2009 09:31 PM
Hi guys,
I have a similar setup, but I can't ping to my site-to-site network after connecting remotely via the VPN client.
Ping to the internal network is no issue.
Do I have to enable anything on the ASA?
Please advise. Thanks.
07-14-2009 12:28 PM
What does the ASDM log tell you? Have you properly configured the nonat rules?