
Unable to connect to remote LAN with SSLVPN established

chenbc
Level 1

Hello all,

Our network scenario is below:

                   ipsec
lan A & vpn pool <---------> lan B (remote)

                   ipsec
lan A & vpn pool <---------> lan C (remote)

where lan A is 192.168.3.0/24, vpn pool is 192.168.4.0/24, lan B is 10.255.1.0/24, lan C is 172.24.0.0/16.

lan A and lan B are connected with an ipsec VPN, and lan A and lan C are connected with an ipsec VPN.

Now there is a problem confusing me:

While using SSLVPN to connect, we cannot ping anything on lan B.

But on lan A, we can ping all of lan B.

lan A and lan C work perfectly with ipsec VPN, both lan and SSLVPN ping. (lan A can ping lan C, vpn pool can ping lan C)

We have added an access-list from lan A to lan B, but it does not work.

Is there any way to ping from vpn pool to lan B correctly?

Thanks a lot

5 Replies

Yudong Wu
Level 7

It would be more helpful if you could post a full configuration.

I guess the issue is on ACL no-nat-0. Currently, it only has the following entry.

access-list no-nat-0 extended permit ip 192.168.4.0 255.255.255.0 172.24.0.0 255.255.0.0

If it works for LAN C, you should add the following for LAN B:

access-list no-nat-0 extended permit ip 192.168.4.0 255.255.255.0 10.255.1.0 255.255.255.0

Hello Yudong,

It seems not, because I have added the config before, but it did not work.

In the attachment is the configuration file of our ASA.

Since nat-control is enabled, you have to add that entry in no-nat-0 so that the packet from the SSL VPN client to LAN B won't be NAT-ed when it makes a U-turn on the ASA.

Can you try the following:

- disconnect the ssl vpn client

- clear xlate

- connect the ssl vpn client again

- ping from the client to LAN B

- check the log on the ASA to see if there is any error message

- run a "packet-tracer" command, using the outside interface as the input interface, the vpn client's IP as the source IP and the IP in LAN B as the dest IP.
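The NAT-exemption entry discussed in the replies above can be checked offline against a saved configuration. The following Python script is an added example, not part of the original thread and not a Cisco tool: it parses `access-list ... extended permit ip` lines and reports which remote LANs have no exemption entry for the VPN pool. The function names and the sample config string are constructed for illustration; the ACL name and subnets are the ones quoted in the thread.

```python
import ipaddress

# Constructed sample: the single no-nat-0 entry quoted in the thread.
SAMPLE_CONFIG = """\
access-list no-nat-0 extended permit ip 192.168.4.0 255.255.255.0 172.24.0.0 255.255.0.0
"""

def _take_network(tokens):
    """Consume one ASA address spec (any | host A | A MASK) from tokens."""
    head = tokens.pop(0)
    if head == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if head == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{head}/{tokens.pop(0)}")

def parse_acl(config, name):
    """Return (src, dst) networks for each 'extended permit ip' line of ACL `name`."""
    entries = []
    for line in config.splitlines():
        tokens = line.split()
        if tokens[:5] != ["access-list", name, "extended", "permit", "ip"]:
            continue
        rest = tokens[5:]
        try:
            src = _take_network(rest)
            dst = _take_network(rest)
        except (IndexError, ValueError):
            continue  # object-groups and malformed lines are out of scope here
        entries.append((src, dst))
    return entries

def missing_exemptions(config, acl_name, pool, remote_lans):
    """List remote LANs not fully covered by one pool -> LAN entry in the ACL."""
    pool_net = ipaddress.ip_network(pool)
    entries = parse_acl(config, acl_name)
    missing = []
    for lan in remote_lans:
        lan_net = ipaddress.ip_network(lan)
        if not any(pool_net.subnet_of(s) and lan_net.subnet_of(d) for s, d in entries):
            missing.append(lan)
    return missing

if __name__ == "__main__":
    print(missing_exemptions(SAMPLE_CONFIG, "no-nat-0", "192.168.4.0/24",
                             ["10.255.1.0/24", "172.24.0.0/16"]))
```

A clean result only confirms the exemption ACL on this ASA; as the thread's resolution shows, the far end of the tunnel also has to be checked.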

Hello Yudong,

Here is the packet tracer result.

I don't know why in VPN phase 10 it drops...

On NAT Exemption I have added the ACL from 192.168.4.0 to 10.255.1.0, but it does not work.

Need some help with this.

Thanks a lot

Sorry for that.

I found the problem is on the LAN B side....

Now it works.

Sorry for bothering you too much.

Thanks a lot
