
RA-VPN over NAT-T troubleshooting

fredj1234
Level 1

Hi,

Currently, my VPN works fine from the outside to the router. The problem is that I'm not quite sure why the traffic on the inside is not finding its way to the outside (VPN client). I tried adding an interesting-traffic ACL on my dynamic map; the VPN client lock would not close, but there was a QM_IDLE ISAKMP session established and an IPsec tunnel. I've also tried adding a static route on all my local routers (for test only) routing the 10.0.12.0 network to my VPN router 10.0.0.188; only my network device can communicate with my VPN client host when I do this, but the hosts that belong to the network cannot communicate.

I've attached config and debug outputs.

Any suggestions?

TIA,

-Fred

1 Accepted Solution


Hi,

Can you please add a no-NAT ACL, with the internal LAN as source and the VPN pool as destination.

Make sure that your GW router has a route towards the VPN pool.

r/g


7 Replies

a.alekseev
Level 7

What is the default gateway for internal hosts?

The GW for internal hosts is a different router, 10.0.0.10.

10.0.0.10's default GW is 10.0.0.52 (.52 is the PBR router); all traffic from 10.0.0.0/24 flows like this:

10.0.0.x/24 -> 10.0.0.10 (inside hosts' default GW) -> 10.0.0.52 (PBR router) -> 10.0.0.191 (ASAC1)

The ASA does the static NAT for the VPN router.

Also,

I've tried making router 10.0.0.10's default GW .191 (ASAC1) to bypass the PBR, but the problem still existed.

On router 10.0.0.10 I've also tried adding the following statement: ip route 10.0.12.0 255.255.255.0 10.0.0.188 (RA VPN router)

The only thing that worked here was that my VPN client PC was able to successfully ping/telnet into the 10.0.0.10 router, but still no hosts on the 10.0.0.x/24 subnet were able to reach 10.0.12.x.

You should have a static route for the VPN pool on the router which is the default gateway for internal users.

Sorry, I was adding on to my post as you replied. Adding the static route to the VPN pool on the router which is my default GW for internal users only worked for my router, but not my network.

If I add that static route on my internal hosts' default GW, my VPN client can only access that router, but not the network itself.


In conclusion,

I didn't include a no-NAT ACL on the ASA for my router's VPN traffic.

Thanks for your help.

Regards,

-Fred

No worries:)
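The fix the accepted answer describes and the poster confirms, written out as an added example (the thread's own configs are attached to the original post and not reproduced here): a NAT exemption on the ASA for traffic from the inside LAN to the VPN pool, plus the route toward the pool on the gateway router. It assumes the addresses given in the thread (inside LAN 10.0.0.0/24, VPN pool 10.0.12.0/24, VPN router 10.0.0.188, gateway router 10.0.0.10), ASA interface names `inside` and `outside`, and pre-8.3 ASA NAT syntax; the 8.3+ form is shown as a commented alternative and is likewise an assumption.

```cisco
! --- ASA (pre-8.3 NAT syntax, assumed) ---
! Pool traffic arrives on 'inside' and must leave through 'inside' again
! (back to the VPN router), so intra-interface hairpinning has to be allowed.
same-security-traffic permit intra-interface
!
! NAT exemption: inside LAN -> VPN pool is never translated, so the
! return path to the VPN client keeps the real inside addresses.
access-list NONAT extended permit ip 10.0.0.0 255.255.255.0 10.0.12.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
! The ASA must know the pool sits behind the VPN router on the inside.
route inside 10.0.12.0 255.255.255.0 10.0.0.188
!
! 8.3+ equivalent of the two NAT lines above (identity twice-NAT, assumed):
! object network INSIDE_LAN
!  subnet 10.0.0.0 255.255.255.0
! object network VPN_POOL
!  subnet 10.0.12.0 255.255.255.0
! nat (inside,inside) source static INSIDE_LAN INSIDE_LAN destination static VPN_POOL VPN_POOL no-proxy-arp route-lookup
!
! --- Gateway router 10.0.0.10 (IOS) ---
! Send pool traffic straight to the VPN router instead of up the default route.
ip route 10.0.12.0 255.255.255.0 10.0.0.188
!
! --- Check on the ASA: a LAN host to a pool address must match NONAT,
! --- not the dynamic NAT rule (source host 10.0.0.50 and client 10.0.12.5 are constructed)
! packet-tracer input inside icmp 10.0.0.50 8 0 10.0.12.5
! show xlate | include 10.0.12
```

If `packet-tracer` still shows a translation for the pool destination, the exemption ACL or the route on the ASA is the first thing to recheck.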
