Tunnel Remote VPN Internet and Remote VPN to Site-to-Site VPN Traffic?

Answered Question
Jul 1st, 2009

Hello,


We are trying to tunnel our Remote VPN users' traffic through our ASA 5510 as well as allow the Remote VPN users' traffic access to the other end of all our site-to-site VPNs connected to the same ASA. Basically we want whoever VPNs into the network to be able to access all of our company networks. We are trying to get away with this without using split tunneling.


I can currently get the remote VPN users' internal traffic to reach all the other site-to-site VPN tunnels, without the internet being tunneled. The problem is when I add the following NAT statement:


nat (outside) 1 10.10.19.0 255.255.255.0

(10.10.19.0 is the Remote VPN client address pool.)


The internet traffic for the Remote VPN starts to get tunneled, but I lose the ability to reach any of the other site-to-site tunnels through the Remote VPN tunnel.


I also start receiving the following errors in the ASA log:


3 Jul 01 2009 12:34:18 305005 10.10.19.255 137 No translation group found for udp src outside:10.10.19.3/137 dst outside:10.10.19.255/137


Any help with how the NAT statements should be set to get this to work would be appreciated.


Thank you,


Will

Correct Answer by JORGE RODRIGUEZ, Wed, 07/01/2009 - 12:02

Will,


Reference the link within this post for your hub-and-spoke VPN scenario; your problem may lie in the NAT exempt rules.


Have a second look at your nonat rules.

Make sure to eliminate split tunnel rules pertaining to RA, if any, so they do not get in the way.


http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=Firewalling&topicID=.ee6e1fa&fromOutline=true&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc2e0f6/4




If there are still issues, describe the topology for the L2L and RA logical info and a sanitized config of the hub ASA, but I think if you look at the above thread you should be able to resolve it.


Regards


will.cada Mon, 07/06/2009 - 05:48

jorgemcse,


I really appreciate the help! This information assisted me in resolving the issue. I created an object-group (InsideVPN) containing all the internal networks I need the RA tunnels to access. I then created a separate access-list (outside_nat0_outbound) and NAT-exempted the access-list on the outside interface to get everything to work.


- InsideVPN is the object-group I used.

- 10.10.19.0/24 is our VPN pool.


access-list outside_nat0_outbound extended permit ip 10.10.19.0 255.255.255.0 object-group InsideVPN

access-list outside_nat0_outbound extended permit ip 10.10.19.0 255.255.255.0 10.10.19.0 255.255.255.0


nat (outside) 0 access-list outside_nat0_outbound


Thanks again,


Will
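The following is an added illustration, not configuration or code from the thread: a simplified Python model of the ASA 8.2 NAT order (the nat 0 exemption is consulted before the dynamic nat (outside) 1 rule), using Will's outside_nat0_outbound ACL. It shows why VPN-pool traffic to the site-to-site networks keeps its source address only when the exemption matches, and otherwise gets PATed and no longer matches the tunnel's crypto ACL. The InsideVPN contents, the outside interface address and the crypto ACL are assumed values, not taken from the thread.

```python
# Added example (not from the thread): simplified model of ASA 8.2 NAT ordering.
# Only 10.10.19.0/24 (the VPN pool) comes from the thread; everything else is constructed.
from ipaddress import ip_address, ip_network

VPN_POOL = ip_network("10.10.19.0/24")             # RA pool from the thread
INSIDE_VPN = [ip_network("192.168.1.0/24"),         # assumed members of
              ip_network("172.16.50.0/24")]         # object-group InsideVPN
OUTSIDE_IP = ip_address("203.0.113.1")              # assumed outside interface address (global (outside) 1 interface)

# Will's 'nat (outside) 0 access-list outside_nat0_outbound', modelled as (src, dst) pairs:
NAT0_ACL = [(VPN_POOL, net) for net in INSIDE_VPN] + [(VPN_POOL, VPN_POOL)]
# Assumed crypto ACL of one site-to-site tunnel: pool -> spoke LAN must be encrypted.
CRYPTO_ACL = [(VPN_POOL, ip_network("172.16.50.0/24"))]


def acl_match(acl, src, dst):
    """True if any ACE covers both the source and the destination address."""
    return any(src in s and dst in d for s, d in acl)


def translate(src, dst, nat0_acl):
    """Return the post-NAT source address.
    Exemption (nat 0 access-list) wins; then 'nat (outside) 1 10.10.19.0 255.255.255.0'
    applies dynamic PAT; a source covered by neither has no translation group."""
    if acl_match(nat0_acl, src, dst):
        return src                       # identity NAT: source preserved
    if src in VPN_POOL:
        return OUTSIDE_IP                # PAT to the outside interface address
    return None                          # the 'No translation group found' condition


def path(src, dst, nat0_acl=NAT0_ACL):
    """Classify a flow after NAT: 'tunnel' if it still matches the crypto ACL,
    'hairpin' for pool-to-pool traffic, 'internet' if it left the tunnel, 'drop' if untranslatable."""
    src, dst = ip_address(src), ip_address(dst)
    new_src = translate(src, dst, nat0_acl)
    if new_src is None:
        return "drop"
    if acl_match(CRYPTO_ACL, new_src, dst):
        return "tunnel"
    if dst in VPN_POOL:
        return "hairpin"
    return "internet"


if __name__ == "__main__":
    print("pool -> spoke LAN, with exemption   :", path("10.10.19.3", "172.16.50.10"))
    print("pool -> spoke LAN, without exemption:", path("10.10.19.3", "172.16.50.10", []))
    print("pool -> internet host               :", path("10.10.19.3", "198.51.100.20"))
```

The second call is the broken state from the first post: without the exempt ACL, the PATed packet no longer matches the site-to-site crypto ACL, so it is sent out the outside interface in the clear instead of into the tunnel.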


JORGE RODRIGUEZ Mon, 07/06/2009 - 07:10

Will, glad we could help. Thanks for rating.


Rgds

Jorge

robbie.teo Mon, 07/13/2009 - 21:31

Hi guys,


I have a similar setup, but I can't ping my site-to-site network after connecting remotely via the VPN client.

Ping to internal network no issue.

Do I have to enable anything on the ASA?

Please advise. Thanks.

JORGE RODRIGUEZ Tue, 07/14/2009 - 12:28

What does the ASDM log tell you? Have you properly configured the nonat rules?
