
IPSEC tunnel address spoofing errors

sp9348505
Level 1

I have an ASA 5520 configured for IPSEC, and I intend to tunnel all internet traffic through the tunnel (no split tunneling).

The ASA is sitting behind an external firewall and I had to do NAT translations for the outside interface.

My problem is this: the remote access VPN connection is fine and I can access all the resources on my remote network as well as all internal websites, but I cannot access other internet traffic.

I had to enable same-security traffic on the outside interface because the firewall on the ASA sees the traffic as a loop and drops it.

But on the other hand my external firewall sees the traffic as an IP spoof and drops it as well, because it sees the internet traffic request coming from its internal interfaces.

Any suggestions?

5 Replies

acomiskey
Level 10

You could try...

no ip verify reverse-path interface inside

Tried that; it didn't work for me.

I believe what needs to be achieved is a sort of translation of the internet source address to appear as if coming from the HQ end of the IPSEC tunnel. I'm trying to access the internet through the perimeter firewall at HQ, but this same firewall sees the real source address of the HTTP request as that of the remote user despite tunneling all the traffic through the IPSEC tunnel.

Your feedback would be appreciated.

This is a working example of your scenario. If you still face problems, please post more details about your topology and the vendor of your perimeter firewall.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805734ae.shtml

Regards

Farrukh

You rock!!!!!!

After a little tweaking, it worked like a charm...

Thanks!

No problem buddy, glad to know it's working :)

Please rate if helpful.

Regards

Farrukh
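For readers of this thread, an added example (not posted by any participant, and not the configuration the original poster ended up with, which the thread does not show) of the translation described above: VPN client traffic that hairpins on the outside interface is PAT'd to the ASA's own outside address, so the perimeter firewall sees a source on its inside network instead of a remote user's address. The pool subnet 192.168.50.0/24 and the names RA-GP and RA-POOL-NET are constructed placeholders.

```cisco
! Added example. All names and addresses are constructed placeholders:
!   VPN client pool subnet : 192.168.50.0/24
!   group policy           : RA-GP
!   network object         : RA-POOL-NET

! Tunnel everything from the client (no split tunneling).
group-policy RA-GP internal
group-policy RA-GP attributes
 split-tunnel-policy tunnelall

! Allow decrypted traffic that arrived on "outside" to leave again on
! "outside" (the hairpin). Without this the ASA drops it.
same-security-traffic permit intra-interface

! Without a translation for the pool, the upstream firewall receives
! packets sourced from 192.168.50.x on its inside interface and drops
! them as spoofed. Translate the pool to the ASA outside interface address.
! Use ONE of the two forms below, depending on software version.

! --- ASA 7.x through 8.2 ---
nat (outside) 1 192.168.50.0 255.255.255.0
global (outside) 1 interface

! --- ASA 8.3 and later ---
object network RA-POOL-NET
 subnet 192.168.50.0 255.255.255.0
 nat (outside,outside) dynamic interface

! Verification after a client connects and browses:
! the pool addresses should appear translated to the outside interface.
show running-config same-security-traffic
show xlate
```

If the perimeter firewall in turn NATs the ASA's outside address to a public one, as in the topology described in the first post, no change is needed there: it now sees only the ASA's address as the source.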
