Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
828
Views
0
Helpful
5
Replies

VPN access to remote networks via ASA

Go to solution
moises7777
Level 1
Level 1

‎04-15-2011 08:00 AM

Hi,

I am trying to give access to a remote network via a vpn connection from our ASA.  Essentially, a user will vpn in to the main network, from the main network they need access to a remote network that connects to the main network via site to site vpn tunnel. For vpn access we use the ASA as well as a vpn concentrator. The remote network is reachable when a user logs in via the vpn concentrator, but they do not have access when they log in via the ASA.

To make it work on the concentrator a route was added to send the traffic to the router that has the vpn tunnel and the remote network was added to the route list. This worked for that. However, when I did the same on the ASA, it did not work.

This is how the traffic should flow:

Vpn access – connect to ASA – ASA routes the traffic  to the router that has the VPN tunnel to the remote network – at this point this router should route the traffic through, but it doesn’t.

I can ping the remote network from the ASA and trace to it, but the vpn user can not.

I would appreciate anyone’s help on this, thanks.

Moises Moreno

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
mvsheik123
Level 7
Level 7
In response to moises7777

‎04-15-2011 09:09 AM

Hi,

Try adding same security  as well. Also, make sure your ASA configuration has 'hairpin ACL' applied to outside interface. The traffic from remote site when retun back the ASA need to send it via the same interface without doing any nat.

if you still have issues, enable 'debug icmp trace' on ASA and check where the traffic being dropped.

hth

MS

View solution in original post

0 Helpful
5 Replies 5

Go to solution
mvsheik123
Level 7
Level 7

‎04-15-2011 08:28 AM

Hi,

Do you have 'same-security-traffic permit intra-interface' enabled on ASA?

thx

MS

0 Helpful

Go to solution
moises7777
Level 1
Level 1
In response to mvsheik123

‎04-15-2011 09:01 AM

The command was not in the config, but after entering it, I still can't get to the remote site, thanks.

0 Helpful

Go to solution
mvsheik123
Level 7
Level 7
In response to moises7777

‎04-15-2011 09:09 AM

Hi,

Try adding same security  as well. Also, make sure your ASA configuration has 'hairpin ACL' applied to outside interface. The traffic from remote site when retun back the ASA need to send it via the same interface without doing any nat.

if you still have issues, enable 'debug icmp trace' on ASA and check where the traffic being dropped.

hth

MS

0 Helpful

Go to solution
moises7777
Level 1
Level 1
In response to mvsheik123

‎04-15-2011 10:22 AM

I found this in the syslog:

04-15-2011    11:18:57    Local4.Error    50.80.10.3    Apr 15 2011 10:18:58: %ASA-3-305005: No translation group found for icmp src outside:50.50.70.9 dst inside:129.17.51.17 (type 8, code 0)

It seems a nat rule maybe needed, just not sure.

0 Helpful

Go to solution
moises7777
Level 1
Level 1
In response to mvsheik123

‎04-15-2011 12:44 PM

It was a static nat rule that was needed, thank you for your  help.

0 Helpful
Customers Also Viewed These Support Documents