VPN access to remote networks via ASA

moises7777
Level 1

Hi,

I am trying to give access to a remote network via a vpn connection from our ASA.  Essentially, a user will vpn in to the main network, from the main network they need access to a remote network that connects to the main network via site to site vpn tunnel. For vpn access we use the ASA as well as a vpn concentrator. The remote network is reachable when a user logs in via the vpn concentrator, but they do not have access when they log in via the ASA.

To make it work on the concentrator a route was added to send the traffic to the router that has the vpn tunnel and the remote network was added to the route list. This worked for that. However, when I did the same on the ASA, it did not work.

This is how the traffic should flow:

Vpn access – connect to ASA – ASA routes the traffic  to the router that has the VPN tunnel to the remote network – at this point this router should route the traffic through, but it doesn’t.

I can ping the remote network from the ASA and trace to it, but the vpn user can not.

I would appreciate anyone’s help on this, thanks.

Moises Moreno

1 Accepted Solution: the reply from MS below.

5 Replies

mvsheik123
Level 7

Hi,

Do you have 'same-security-traffic permit intra-interface' enabled on ASA?

thx

MS

The command was not in the config, but after entering it, I still can't get to the remote site, thanks.

Hi,

Try adding same-security as well. Also, make sure your ASA configuration has the 'hairpin ACL' applied to the outside interface. The traffic from the remote site, when it returns to the ASA, needs to be sent back out via the same interface without doing any NAT.

If you still have issues, enable 'debug icmp trace' on the ASA and check where the traffic is being dropped.

hth

MS

I found this in the syslog:

04-15-2011    11:18:57    Local4.Error    50.80.10.3    Apr 15 2011 10:18:58: %ASA-3-305005: No translation group found for icmp src outside:50.50.70.9 dst inside:129.17.51.17 (type 8, code 0)

It seems a nat rule maybe needed, just not sure.

It was a static NAT rule that was needed, thank you for your help.
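The thread ends with "a static NAT rule was needed" but never shows the configuration, so here is an added example (not posted by anyone in the thread) that pulls the pieces together: the same-security command from the first reply, the route toward the router that holds the site-to-site tunnel, the identity NAT whose absence produced the %ASA-3-305005 message, the split-tunnel entry, and a packet-tracer check. The VPN pool 50.50.70.0/24 and remote LAN 129.17.51.0/24 are assumed from the addresses in the syslog line; the inside router address 10.1.1.2, the ACL names, the object names and the group-policy name RA-VPN are made up for illustration. Pre-8.3 syntax is shown first because the thread dates from 2011; the 8.3+ equivalent of the NAT step follows as comments.

```cisco
! Added example, not from the original thread. Assumed values:
!   VPN pool      50.50.70.0/24   (from the syslog source address)
!   remote LAN    129.17.51.0/24  (from the syslog destination address)
!   inside router 10.1.1.2        (made up; the router terminating the site-to-site tunnel)

! 1. Let traffic enter and leave the same interface. Required if the
!    site-to-site tunnel terminates on the ASA itself; harmless when the
!    tunnel terminates on an inside router as in this thread.
same-security-traffic permit intra-interface

! 2. Route the remote LAN toward the router that holds the site-to-site tunnel.
route inside 129.17.51.0 255.255.255.0 10.1.1.2

! 3. Identity (static) NAT so that VPN-pool traffic can reach the remote LAN
!    through the inside interface without being translated. Without this,
!    nat-control logs:
!    %ASA-3-305005: No translation group found for icmp src outside:50.50.70.9 dst inside:129.17.51.17
static (inside,outside) 129.17.51.0 129.17.51.0 netmask 255.255.255.0

!    Equivalent NAT-exemption form (use one or the other, not both):
! access-list NONAT extended permit ip 129.17.51.0 255.255.255.0 50.50.70.0 255.255.255.0
! nat (inside) 0 access-list NONAT

! 4. With split tunnelling, the client must also be told to send the
!    remote LAN into the tunnel, otherwise it never reaches the ASA.
access-list SPLIT-TUNNEL standard permit 129.17.51.0 255.255.255.0
group-policy RA-VPN attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL

! 5. Verify: replay the exact flow from the syslog and read the ROUTE-LOOKUP
!    and NAT phases of the output instead of guessing.
packet-tracer input outside icmp 50.50.70.9 8 0 129.17.51.17 detailed

! ASA 8.3+ equivalent of step 3 (twice NAT, identity in both directions):
! object network REMOTE-LAN
!  subnet 129.17.51.0 255.255.255.0
! object network VPN-POOL
!  subnet 50.50.70.0 255.255.255.0
! nat (inside,outside) source static REMOTE-LAN REMOTE-LAN destination static VPN-POOL VPN-POOL no-proxy-arp route-lookup
```

Two caveats a practitioner should check alongside this. First, the ASA side is only half the path: the crypto ACL on both ends of the site-to-site tunnel must include the VPN pool (50.50.70.0/24 here), and the remote site needs a route for that pool back through the tunnel, or the return traffic the accepted answer talks about never leaves the far end. Second, a static identity NAT makes the ASA proxy-ARP for 129.17.51.0/24 on the outside interface; if that is unwanted, prefer the NAT-exemption form on 8.2 or keep no-proxy-arp on 8.3+.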