ASA 5510 and VPN access to remote site over Ext WAN

D0nprintup_2
Level 1

ASA 5510

int client IP 172.0.1.XXX /24

VPN Client IP 172.0.1.248 /29

Static routes in the ASA

1) 0.0.0.0 --- points to router1

2) 172.29.1.1 --- Points to router2

3) 172.29.1.2 --- Points to router2

Router1 Internet connection // VPN access in path

Router2 Dedicated line to offsite hosting // Dedicated routes in ASA

                  /---- ROUTER 1
Inside -- ASA --- outside (switch, 2 rtrs)
                  \---- ROUTER 2

If a PC from inside the network wants to talk with 172.29.1.2, it will work fine. If I VPN into the router, I can connect to anything onsite. I cannot talk to 172.29.1.1 or .2.

At first I thought it was the same-security-traffic issue and applied same-security-traffic permit inter-interface, then I tried same-security-traffic permit intra-interface.

Both commands failed. Looking at the diagram, I think it's something to do with the fact that I VPN into this ASA. Now router2 sees our ASA as its external. So it sees our 208.12.*.* as the outgoing address and the dest is 172.29.1.1 or .2.

I did a capture on the outside interface and I see the following. Now these caps are from the inside PCs accessing the website.

3000 packets captured

1: 15:03:38.176733 208.12.*.*.60404 > 172.29.1.2.443: P 2697372408:2697372444(36) ack 2813073572 win 64360

2: 15:03:38.179815 208.12.*.*.63637 > 172.29.1.2.443: P 3373326671:3373326705(34) ack 3255654279 win 64512

3: 15:03:38.179876 208.12.*.*.60404 > 172.29.1.2.443: P 2697372444:2697372480(36) ack 2813073572 win 64360

4: 15:03:38.180181 172.29.1.2.443 > 208.12.*.*.27133: . ack 838693750 win 65456

5: 15:03:38.180212 172.29.1.2.443 > 208.12.*.*.26920: P 1652457319:1652457373(54) ack 2226176804 win 65482

Can someone point me in the right direction on how I would get the VPN working so it too can connect to those websites?

6 Replies

Hi,

Did you try to do NONAT for the traffic from 172.0.1.0 going to 172.29.1.0?

Something like this:

access-list NONAT permit ip 172.0.1.0 255.255.255.0 172.29.1.0 255.255.255.0

nat (Inside) 0 access-list NONAT

I didn't think I needed to because it works from the local LAN to 172.29. It's only an issue when you VPN into the ASA.

Are you encrypting everything or split-tunneling on the VPN client?

Either way you need to make sure the VPN client knows about the remote site IP subnet - and allow intra-interface communications.

HTH>
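As an added example (an editor's addition, not configuration posted by the original poster or by either reply above), here is how the two suggestions in this thread, intra-interface traffic and a NAT rule for the client pool, fit together on an ASA using pre-8.3 NAT syntax, which is the syntax the `nat (Inside) 0 access-list` suggestion already uses. The interface names `inside`/`outside`, the ACL name `VPN-NONAT`, the router gateway placeholders and the client address 172.0.1.249 are assumptions; the pool 172.0.1.248/29 and the hosted addresses are taken from the post. The point the example adds is that a full-tunnel VPN client's traffic enters and leaves the ASA on the same outside interface, so the NAT rule that governs it is the one bound to outside, and the return path from router2 has to be considered as well.

```cisco
! Assumed interface names: inside / outside (the post writes Inside / outside).
! Syntax is ASA 7.x/8.2 (pre-8.3 NAT), matching the nat (Inside) 0 suggestion.

! 1. Let decrypted VPN-client traffic leave the interface it arrived on.
!    Without this the ASA drops outside-to-outside (hairpinned) traffic.
same-security-traffic permit intra-interface

! 2. Routes from the post: default via router1, the two hosted servers via
!    router2. ROUTER1_IP / ROUTER2_IP are placeholders; the post gives no
!    gateway addresses.
route outside 0.0.0.0 0.0.0.0 ROUTER1_IP 1
route outside 172.29.1.1 255.255.255.255 ROUTER2_IP 1
route outside 172.29.1.2 255.255.255.255 ROUTER2_IP 1

! 3a. Option A: NAT exemption for the VPN pool toward the hosted site.
!     The clients arrive on outside, so the exemption must be bound to
!     outside; an exemption bound to inside is only consulted for traffic
!     entering inside. With this option router2 must have a return route
!     for 172.0.1.248/29 pointing at the ASA's outside address.
access-list VPN-NONAT extended permit ip 172.0.1.248 255.255.255.248 172.29.1.0 255.255.255.0
nat (outside) 0 access-list VPN-NONAT

! 3b. Option B (use instead of 3a): hairpin PAT to the outside address.
!     The capture in the post shows inside PCs reaching 172.29.1.2 from
!     the ASA's outside address (208.12.*.*), so router2 already routes
!     back to that address; translating the client pool the same way
!     needs no change on router2. If a "global (outside) 1 interface"
!     line already exists for the inside PAT, do not add a second one.
nat (outside) 1 172.0.1.248 255.255.255.248
global (outside) 1 interface

! 4. Check the ASA's decision path for one client flow before the
!    after-hours test. 172.0.1.249 is a hypothetical address inside the
!    stated client pool; the output shows the route lookup, the NAT rule
!    hit (or the absence of one) and the final allow/drop.
packet-tracer input outside tcp 172.0.1.249 40000 172.29.1.2 443
```

Option A keeps the client's pool address visible to the hosted site, which is useful for per-client logging there but only works if router2 can route 172.0.1.248/29 back to the ASA; option B hides the clients behind the same address the inside PCs already use, which is the least-surprise choice given the capture. After applying either, `show xlate` (for option B) and a second `packet-tracer` run confirm whether the flow is now translated and permitted.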

It's encrypting everything.

I did same-security ... intra already and it didn't work.

I should then add the no nat statement.

Will that mess anything up with the internal connection?

No - it will be an addition to an existing access-list.

HTH>

Thanks.

I will try it after 5 PM EDT when they close. Thanks in advance if this resolves it.

I'll post back.
