02-13-2009 04:19 AM - edited 02-21-2020 03:17 AM
I know this is possible with ASA and VPN3000, but I am having trouble getting it working with IOS SSL.
The user SSLs to the ISR router (2821, ver. 12.4.20T), authenticates and creates a tunneled connection. Connectivity to the internal LAN has been verified; however, I am unable to get that traffic over an IPsec LAN-to-LAN tunnel that terminates on the same ISR.
I have attempted to run "debug ip packet detail" against an access list that includes the IP I received via the IP pool and also the destination host, but the debug does not display anything.
I have tried this using both an IP pool address that is in the same subnet as the internal LAN, as well as an IP pool in a different subnet with a loopback interface.
Is this possible? Has anyone else got this to work?
Thanks,
Heath
02-19-2009 03:36 PM
You need to add the following to the configuration:
nat (outside) 1 ip-pool-of-client
same-security-traffic permit intra-interface
For example:
ip local pool vpnpool 192.168.10.1-192.168.10.254
global (outside) 1 55.66.77.88
nat (outside) 1 192.168.10.0 255.255.255.0
same-security-traffic permit intra-interface
Here is a configuration example.
PIX/ASA 7.x and VPN Client for Public Internet VPN on a Stick
Configuration Example
http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps2030/products_configuration_example09186a00805734ae.shtml#hw
02-20-2009 05:28 AM
This is NOT a PIX or ASA - it is IOS....
That being said, the solution was to disable CEF to allow the hairpin to work. This is a bug - CSCSR41631.
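The thread never shows what the IOS side of this hairpin has to look like, so the following is an added illustration written for this page, not configuration from either poster. It shows the two pieces that must line up for SSL VPN clients to reach the far end of a LAN-to-LAN tunnel on the same router: the client address pool, and a crypto ACL that explicitly includes that pool as a source (the remote peer must mirror it, or Phase 2 never negotiates for pool-sourced traffic). The `no ip cef` line is the workaround Heath reported; it is included as a labelled workaround, with the caveat that it disables fast switching for the whole router, so it is worth checking for a fixed release of the reported bug rather than leaving it in production. All names, addresses and the pre-shared key are assumptions for the example.

```text
! --- SSL VPN (WebVPN) side: client address pool and context ---
ip local pool SSLPOOL 192.168.10.1 192.168.10.254

webvpn gateway SSLGW
 ip address 203.0.113.1 port 443      ! assumed outside address of the ISR
 inservice
!
webvpn context SSLCTX
 gateway SSLGW
 inservice
 policy group DEFAULT
  functions svc-enabled
  svc address-pool "SSLPOOL"
  ! split-tunnel list must carry the remote LAN behind the L2L peer,
  ! otherwise the client never sends 10.2.2.0/24 into the tunnel
  svc split include 10.1.1.0 255.255.255.0
  svc split include 10.2.2.0 255.255.255.0
 default-group-policy DEFAULT

! --- IPsec LAN-to-LAN side ---
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key EXAMPLE-PSK address 198.51.100.1   ! assumed peer
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
ip access-list extended L2L-TRAFFIC
 ! local LAN to remote LAN
 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
 ! SSL VPN client pool to remote LAN: the line that is usually missing
 ! when hairpinned traffic "disappears"; the peer needs the mirror image
 permit ip 192.168.10.0 0.0.0.255 10.2.2.0 0.0.0.255
!
crypto map CM 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS
 match address L2L-TRAFFIC
!
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 crypto map CM

! --- Workaround reported in the thread (assumed to be the only change needed) ---
! Disables CEF globally so the SSL-VPN-to-IPsec hairpin is process switched.
! Costs throughput on the whole box; prefer a release that fixes the bug.
no ip cef
```

Two checks before reaching for the workaround: `show crypto ipsec sa peer 198.51.100.1` should list a separate SA pair for the 192.168.10.0/24 to 10.2.2.0/24 proxy identities once a client sends traffic; if none appears, the crypto ACL (on either side) is the problem, not switching. And `debug ip packet detail` only shows process-switched packets, so with CEF enabled an empty debug does not prove the router never saw the traffic.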