ASA 5510 and VPN access to remote site over Ext WAN

Unanswered Question
Sep 2nd, 2008

ASA 5510

int client IP 172.0.1.XXX /24

VPN Client IP 172.0.1.248 /29

Static routes in the ASA

1) 0.0.0.0 --- points to router1

2) 172.29.1.1 --- Points to router2

3) 172.29.1.2 --- Points to router2

Router1 Internet connection // VPN access in path

Router2 Dedicated line to offsite hosting // Dedicated routes in ASA

................../---- ROUTER 1

..Inside -- ASA --- outside (switch 2 rtrs)

..................\---- ROUTER 2

If a PC from inside the network wants to talk with 172.29.1.2 it will work fine. If I VPN into the router, I can connect to anything onsite. I cannot talk to 172.29.1.1 or .2

At first I thought it was the same-security-traffic issue and applied same-security-traffic permit inter-interface then i tried same-security-traffic permit intra-interface.

Both commands failed, Looking at the diagram I think its something with the fact I VPN into this ASA. Now router2 see's our ASA as its external. So it see's our 208.12.*.* as the outgouing address and dest is 172.29.1.1 or .2

I did a capture on the outside interface and I see the following. Now these caps are from the inside PC's accessing the website.

3000 packets captured

1: 15:03:38.176733 208.12.*.*.60404 > 172.29.1.2.443: P 2697372408:2697372444(36) ack 2813073572 win 64360

2: 15:03:38.179815 208.12.*.*.63637 > 172.29.1.2.443: P 3373326671:3373326705(34) ack 3255654279 win 64512

3: 15:03:38.179876 208.12.*.*.60404 > 172.29.1.2.443: P 2697372444:2697372480(36) ack 2813073572 win 64360

4: 15:03:38.180181 172.29.1.2.443 > 208.12.*.*.27133: . ack 838693750 win 65456

5: 15:03:38.180212 172.29.1.2.443 > 208.12.*.*.26920: P 1652457319:1652457373(54) ack 2226176804 win 65482

Can someone point me in the right direction on how I would get the VPN working so it too can connect to those websites?

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
dhananjoy chowdhury Tue, 09/02/2008 - 22:24

Hi,

Did you try to do NONAT for the traffic from 172.0.1.0 going to 172.29.1.0

Something like this:-

access-list NONAT permit ip 172.0.1.0 255.255.255.0 172.29.1.0 255.255.255.0

nat (Inside) 0 access-list NONAT

D0nprintup_2 Wed, 09/03/2008 - 04:24

I didnt think I needed too because it works from the local lan to 172.29. Its only an issue when you VPN into the ASA

D0nprintup_2 Wed, 09/03/2008 - 05:39

its encrypting everything

I did same-security ... intra already and it didnt work.

I shoul then add the no nat statement

Will that mess anything up with the internal connection?

Actions

This Discussion