RA-VPN over NAT-T troubleshooting

Answered Question
Jul 8th, 2008

hi,


Currently, my VPN works fine from the outside to the router. The problem is that I'm not quite sure why the traffic on the inside is not finding its way to the outside (VPN client). I tried adding an interesting-traffic ACL on my dynamic map; the VPN client lock would not close, but there was a QM_IDLE ISAKMP session established and an IPsec tunnel. I've also tried adding a static route on all my local routers (for testing only) routing the 10.0.12.0 network to my VPN router 10.0.0.188; only my network device can communicate with my VPN client host when I do this, but the hosts that belong to the network cannot communicate.


I've attached config and debug outputs.


Any suggestions?


TIA,

-Fred




a.alekseev Tue, 07/08/2008 - 08:52

What is the default gateway for the internal hosts?

fredj1234 Tue, 07/08/2008 - 09:42

The GW for internal hosts is a different router, 10.0.0.10.


10.0.0.10's default GW is 10.0.0.52 (.52 is the PBR router); all traffic from 10.0.0.0/24 flows like this:


10.0.0.x/24 -> 10.0.0.10 (inside hosts' default GW) -> 10.0.0.52 (PBR router) -> 10.0.0.191 (ASAC1)


The ASA does the static NAT for the VPN router.


Also, I've tried making router 10.0.0.10's default GW .191 (ASAC1) to bypass the PBR, but the problem still existed.


On router 10.0.0.10 I've also tried adding the following statement: ip route 10.0.12.0 255.255.255.0 10.0.0.188 (RA VPN router)


The only thing that worked here was that my VPN client PC was able to successfully ping/telnet into the 10.0.0.10 router, but still no hosts on the 10.0.0.x/24 subnet were able to reach 10.0.12.x.

a.alekseev Tue, 07/08/2008 - 09:51

You should have a static route for the VPN pool on the router which is the default gateway for the internal users.

fredj1234 Tue, 07/08/2008 - 10:01

Sorry, I was adding to my post as you replied. Adding the static route to the VPN pool on the router which is my default GW for internal users only worked for my router, but not my network.


If I add that static route on my internal hosts' default GW, my VPN client can only access that router, but not the network itself.

Correct Answer
nomair_83 Tue, 07/08/2008 - 10:19

Hi,


Can you please add a no-NAT ACL, with the internal LAN as source and the VPN pool as destination.


Make sure that your GW router has a route towards the VPN pool.


r/g

fredj1234 Tue, 07/08/2008 - 10:37

In conclusion,


I didn't include a no-NAT ACL on the ASA for my router's VPN traffic.


Thanks for your help.


Regards,

-Fred
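The two-part fix nomair_83 gives (NAT exemption on the ASA for LAN-to-pool traffic, plus a route for the pool on the hosts' default gateway), which Fred confirms resolved it, written out as an added configuration example. This is not Fred's configuration and was not posted in the thread. The addresses are the ones the thread names (LAN 10.0.0.0/24, RA-VPN pool 10.0.12.0/24, RA-VPN router 10.0.0.188, gateway router 10.0.0.10, ASA 10.0.0.191); the interface names `inside`/`outside`, the ACL and object names, the ASA software generation and the public address 203.0.113.10 are assumptions.

```cisco
! Added example, not the original poster's configuration.
! Interface names, ACL/object names, ASA version and the public address are assumed.

! ---- ASA (10.0.0.191, "ASAC1"), pre-8.3 NAT syntax as used in 2008 ----
! NAT exemption: packets from the inside LAN to the RA-VPN pool must leave the
! ASA untranslated. Without it a LAN host's reply to 10.0.12.x matches the
! dynamic NAT on its way out and is sent toward the Internet instead of back
! to the VPN router on the inside.
access-list NONAT extended permit ip 10.0.0.0 255.255.255.0 10.0.12.0 255.255.255.0
nat (inside) 0 access-list NONAT
! The existing static NAT that exposes the VPN router's NAT-T peer address
! (shown for context; 203.0.113.10 is a documentation address, not the real one).
static (inside,outside) 203.0.113.10 10.0.0.188 netmask 255.255.255.255
! Only if LAN->pool traffic actually transits the ASA and must hairpin back out
! the inside interface toward 10.0.0.188 (assumed; not stated in the thread):
! same-security-traffic permit intra-interface
! route inside 10.0.12.0 255.255.255.0 10.0.0.188

! ---- Same exemption on ASA 8.3 and later (identity twice-NAT rule) ----
! object network INSIDE-LAN
!  subnet 10.0.0.0 255.255.255.0
! object network RA-VPN-POOL
!  subnet 10.0.12.0 255.255.255.0
! nat (inside,outside) source static INSIDE-LAN INSIDE-LAN destination static RA-VPN-POOL RA-VPN-POOL no-proxy-arp route-lookup

! ---- Default gateway of the inside hosts (10.0.0.10, IOS) ----
! Without this route the hosts' replies to 10.0.12.x follow the default route
! toward the PBR router / ASA; with it they go straight to the RA-VPN router.
ip route 10.0.12.0 255.255.255.0 10.0.0.188

! ---- Checks ----
! ASA: the exemption must accumulate hits, and a simulated LAN->pool packet
! must pass the NAT-EXEMPT phase untranslated (action: allow).
!   show access-list NONAT
!   packet-tracer input inside tcp 10.0.0.25 1025 10.0.12.5 23
! Router 10.0.0.10: the pool must resolve to the VPN router, not the default route.
!   show ip route 10.0.12.5
! RA-VPN router 10.0.0.188: one QM_IDLE SA, and both encaps and decaps counters
! increasing while a LAN host pings the client (decaps only = replies never
! reach the VPN router, which is the symptom described in this thread).
!   show crypto isakmp sa
!   show crypto ipsec sa | include pkts
```

The symptom in the thread (the VPN router itself, or the gateway router, can reach the client while LAN hosts cannot) is the usual signature of a return-path problem rather than a tunnel problem: the router-originated packets never cross the ASA, but the hosts' replies do, and get translated or sent out the wrong interface. The `packet-tracer` and `show crypto ipsec sa` counters above distinguish the two cases before any configuration is changed.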
