ASA 5510 and VPN access to remote site over Ext WAN

Unanswered Question
Sep 2nd, 2008

ASA 5510

int client IP 172.0.1.XXX /24

VPN Client IP 172.0.1.248 /29


Static routes in the ASA

1) 0.0.0.0 --- points to router1

2) 172.29.1.1 --- Points to router2

3) 172.29.1.2 --- Points to router2




Router1 Internet connection // VPN access in path



Router2 Dedicated line to offsite hosting // Dedicated routes in ASA

................../---- ROUTER 1

..Inside -- ASA --- outside (switch 2 rtrs)

..................\---- ROUTER 2


If a PC from inside the network wants to talk with 172.29.1.2 it will work fine. If I VPN into the router, I can connect to anything onsite. I cannot talk to 172.29.1.1 or .2


At first I thought it was the same-security-traffic issue and applied same-security-traffic permit inter-interface, then I tried same-security-traffic permit intra-interface.


Both commands failed. Looking at the diagram, I think it's something to do with the fact that I VPN into this ASA. Now router2 sees our ASA as its external. So it sees our 208.12.*.* as the outgoing address and dest is 172.29.1.1 or .2


I did a capture on the outside interface and I see the following. Now these caps are from the inside PCs accessing the website.



3000 packets captured

1: 15:03:38.176733 208.12.*.*.60404 > 172.29.1.2.443: P 2697372408:2697372444(36) ack 2813073572 win 64360

2: 15:03:38.179815 208.12.*.*.63637 > 172.29.1.2.443: P 3373326671:3373326705(34) ack 3255654279 win 64512

3: 15:03:38.179876 208.12.*.*.60404 > 172.29.1.2.443: P 2697372444:2697372480(36) ack 2813073572 win 64360

4: 15:03:38.180181 172.29.1.2.443 > 208.12.*.*.27133: . ack 838693750 win 65456

5: 15:03:38.180212 172.29.1.2.443 > 208.12.*.*.26920: P 1652457319:1652457373(54) ack 2226176804 win 65482





Can someone point me in the right direction on how I would get the VPN working so it too can connect to those websites?


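As an added example (not from the thread), here is a small parser for the tcpdump-style lines the ASA capture above prints, used to check which source addresses actually leave the outside interface toward 172.29.1.0/24. Packets 1 to 5 are the ones from the post; packet 6 is a constructed line (an assumption) showing what a VPN-client flow would look like if it left untranslated, which is the thing to look for when the LAN works but the VPN pool does not. The address ranges are the ones given in the post.

```python
import ipaddress
import re
from collections import Counter

# Capture lines 1-5 are copied from the post; line 6 is a constructed packet
# (assumption) showing a VPN-client flow leaving the outside interface with its
# pool address rather than the ASA's public address. The public address is
# masked in the post, so it appears as 208.12.*.*.
SAMPLE_CAPTURE = """3000 packets captured

1: 15:03:38.176733 208.12.*.*.60404 > 172.29.1.2.443: P 2697372408:2697372444(36) ack 2813073572 win 64360
2: 15:03:38.179815 208.12.*.*.63637 > 172.29.1.2.443: P 3373326671:3373326705(34) ack 3255654279 win 64512
3: 15:03:38.179876 208.12.*.*.60404 > 172.29.1.2.443: P 2697372444:2697372480(36) ack 2813073572 win 64360
4: 15:03:38.180181 172.29.1.2.443 > 208.12.*.*.27133: . ack 838693750 win 65456
5: 15:03:38.180212 172.29.1.2.443 > 208.12.*.*.26920: P 1652457319:1652457373(54) ack 2226176804 win 65482
6: 15:04:01.000000 172.0.1.250.51000 > 172.29.1.2.443: S 1000:1000(0) win 65535
"""

INSIDE_NET = ipaddress.ip_network("172.0.1.0/24")
VPN_POOL = ipaddress.ip_network("172.0.1.248/29")   # sits inside INSIDE_NET, so test it first
REMOTE_NET = ipaddress.ip_network("172.29.1.0/24")  # hosted site reached via router2

# "<n>: <hh:mm:ss.usec> <src>.<sport> > <dst>.<dport>: <tcp flags/seq/ack ...>"
CAPTURE_LINE = re.compile(
    r"^(?P<num>\d+):\s+(?P<ts>\S+)\s+"
    r"(?P<src>[\d.*]+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>[\d.*]+)\.(?P<dport>\d+):\s*(?P<rest>.*)$"
)


def parse_capture(text):
    """Return one dict per packet line; the header and blank lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = CAPTURE_LINE.match(line.strip())
        if not m:
            continue
        pkt = m.groupdict()
        for key in ("num", "sport", "dport"):
            pkt[key] = int(pkt[key])
        packets.append(pkt)
    return packets


def address_role(host):
    """Classify an address as it appears on the outside interface."""
    if "*" in host:
        return "public"          # masked public address, i.e. the ASA's outside side
    ip = ipaddress.ip_address(host)
    if ip in VPN_POOL:
        return "vpn-client"
    if ip in INSIDE_NET:
        return "inside"
    if ip in REMOTE_NET:
        return "remote"
    return "other"


def flow_roles(packets):
    """Count packets by (source role, destination role)."""
    return Counter((address_role(p["src"]), address_role(p["dst"])) for p in packets)


def untranslated_sources(packets):
    """Private sources seen leaving toward REMOTE_NET, i.e. flows the outside NAT did not cover."""
    leaks = {}
    for p in packets:
        if address_role(p["dst"]) != "remote":
            continue
        role = address_role(p["src"])
        if role in ("vpn-client", "inside"):
            leaks[p["src"]] = role
    return leaks


if __name__ == "__main__":
    pkts = parse_capture(SAMPLE_CAPTURE)
    for roles, n in sorted(flow_roles(pkts).items()):
        print(f"{roles[0]:>10} -> {roles[1]:<8} {n} packet(s)")
    for src, role in untranslated_sources(pkts).items():
        print(f"untranslated {role} source toward remote site: {src}")
```

With the post's own five lines the only sources toward 172.29.1.2 are the masked public address, which is consistent with the LAN working. A VPN-pool address showing up as a source on the outside interface (the constructed packet 6) is the sign that the pool is not covered by the same translation, and the remote end would then need a return route for 172.0.1.248/29 that it has no reason to have.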
dhananjoy chowdhury Tue, 09/02/2008 - 22:24

Hi,

Did you try to do NONAT for the traffic from 172.0.1.0 going to 172.29.1.0?


Something like this:


access-list NONAT permit ip 172.0.1.0 255.255.255.0 172.29.1.0 255.255.255.0


nat (Inside) 0 access-list NONAT

D0nprintup_2 Wed, 09/03/2008 - 04:24

I didn't think I needed to because it works from the local LAN to 172.29. It's only an issue when you VPN into the ASA.

D0nprintup_2 Wed, 09/03/2008 - 05:39

It's encrypting everything.


I did same-security ... intra already and it didn't work.


I should then add the no nat statement.

Will that mess anything up with the internal connection?

