IPSEC tunnel address spoofing errors

Unanswered Question
Nov 3rd, 2008

I have an ASA 5520 configured for IPSEC

and I intend to tunnel all internet traffic through the tunnel (no split tunneling).

The ASA is sitting behind an external firewall and I had to do NAT translations for the outside interface.

My problem is this: the remote-access VPN connection is fine and I can access all the resources on my remote network as well as all internal websites,

but I cannot access other internet traffic.

I had to enable same-security traffic on the outside interface because the firewall on the ASA sees the traffic as a loop and drops it.

But on the other hand my external firewall sees the traffic as an IP spoof and drops it as well, because it sees the internet traffic request coming from its internal interfaces.

Any suggestions?

acomiskey Mon, 11/03/2008 - 11:57

You could try...

no ip verify reverse-path interface inside

sp9348505 Mon, 11/03/2008 - 19:09

Tried that; it didn't work for me.

I believe what needs to be achieved is a sort of translation of the internet source address so that it appears to come from the HQ end of the IPSEC tunnel. I'm trying to access the internet through the perimeter firewall at HQ, but this same firewall sees the real source address of the HTTP request as that of the remote user, despite all the traffic being tunneled through the IPSEC tunnel.

Your feedback would be appreciated.

sp9348505 Tue, 11/04/2008 - 05:59

You rock!!!!!!

after a little tweaking, it worked like a charm...

Thanks!

Farrukh Haroon Tue, 11/04/2008 - 06:03

No problem buddy, glad to know it's working :)

Please rate if helpful.
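The translation sp9348505 describes above (hairpin the tunnel-all client traffic back out the outside interface and PAT it to the ASA's outside address, so the perimeter firewall sees the HQ address rather than the remote user's) looks like this in ASA 8.0-era syntax. This is an added example, not the poster's working configuration, which the thread does not show; the pool, names and addresses are assumed.

```cisco
! Assumed values: VPN client pool 10.10.10.0/24, group/tunnel names RA_POLICY / RA_TUNNEL
! Let traffic enter and leave the same (outside) interface; without this the ASA
! drops the hairpinned flow as a loop, as the original post describes.
same-security-traffic permit intra-interface

! Tunnel-all policy: clients send internet traffic through the tunnel as well.
ip local pool VPNPOOL 10.10.10.1-10.10.10.254 mask 255.255.255.0
group-policy RA_POLICY internal
group-policy RA_POLICY attributes
 split-tunnel-policy tunnelall
tunnel-group RA_TUNNEL general-attributes
 address-pool VPNPOOL
 default-group-policy RA_POLICY

! PAT the pool to the outside interface address when the flow exits via outside.
! The perimeter firewall then sees the ASA's outside address as the source, not an
! address from the client pool, so its anti-spoofing check no longer rejects it.
nat (outside) 1 10.10.10.0 255.255.255.0
global (outside) 1 interface
! Existing translation for inside hosts stays as it was.
nat (inside) 1 0.0.0.0 0.0.0.0

! Because the ASA's outside interface is itself NATed by the external firewall,
! keep NAT traversal on so ESP can survive that translation.
crypto isakmp nat-traversal 20
```

Verify with `show xlate` while a client browses: the pool address should appear translated to the outside interface address.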
