09-02-2008 11:14 AM - edited 02-21-2020 03:55 PM
ASA 5510
int client IP 172.0.1.XXX /24
VPN Client IP 172.0.1.248 /29
Static routes in the ASA
1) 0.0.0.0 --- points to router1
2) 172.29.1.1 --- Points to router2
3) 172.29.1.2 --- Points to router2
Router1 Internet connection // VPN access in path
Router2 Dedicated line to offsite hosting // Dedicated routes in ASA
................../---- ROUTER 1
..Inside -- ASA --- outside (switch 2 rtrs)
..................\---- ROUTER 2
If a PC from inside the network wants to talk with 172.29.1.2 it will work fine. If I VPN into the router, I can connect to anything onsite. I cannot talk to 172.29.1.1 or .2
At first I thought it was the same-security-traffic issue and applied same-security-traffic permit inter-interface then i tried same-security-traffic permit intra-interface.
Both commands failed, Looking at the diagram I think its something with the fact I VPN into this ASA. Now router2 see's our ASA as its external. So it see's our 208.12.*.* as the outgouing address and dest is 172.29.1.1 or .2
I did a capture on the outside interface and I see the following. Now these caps are from the inside PC's accessing the website.
3000 packets captured
1: 15:03:38.176733 208.12.*.*.60404 > 172.29.1.2.443: P 2697372408:2697372444(36) ack 2813073572 win 64360
2: 15:03:38.179815 208.12.*.*.63637 > 172.29.1.2.443: P 3373326671:3373326705(34) ack 3255654279 win 64512
3: 15:03:38.179876 208.12.*.*.60404 > 172.29.1.2.443: P 2697372444:2697372480(36) ack 2813073572 win 64360
4: 15:03:38.180181 172.29.1.2.443 > 208.12.*.*.27133: . ack 838693750 win 65456
5: 15:03:38.180212 172.29.1.2.443 > 208.12.*.*.26920: P 1652457319:1652457373(54) ack 2226176804 win 65482
Can someone point me in the right direction on how I would get the VPN working so it too can connect to those websites?
09-02-2008 10:24 PM
Hi,
Did you try to do NONAT for the traffic from 172.0.1.0 going to 172.29.1.0
Something like this:-
access-list NONAT permit ip 172.0.1.0 255.255.255.0 172.29.1.0 255.255.255.0
nat (Inside) 0 access-list NONAT
09-03-2008 04:24 AM
I didnt think I needed too because it works from the local lan to 172.29. Its only an issue when you VPN into the ASA
09-03-2008 05:34 AM
Are you encrypting everything or split-tunneling on the VPN client?
Either way you need to make sure the VPN client knows about the remote site IP subnet - and allow intra-interface communications.
HTH>
09-03-2008 05:39 AM
its encrypting everything
I did same-security ... intra already and it didnt work.
I shoul then add the no nat statement
Will that mess anything up with the internal connection?
09-03-2008 05:49 AM
No - it will be an addition to an existing access-list.
HTH>
09-03-2008 06:00 AM
thanks
I will try it after 5 PM EDT when they close. thanks in advance if this resolves it
ill post back
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: