Tunnel Remote VPN Internet and Remote VPN to Site-to-Site VPN Traffic?

will.cada
Level 1

Hello,

We are trying to tunnel our Remote VPN users' traffic through our ASA 5510 as well as allow the Remote VPN users' traffic access to the other end of all our site-to-site VPNs connected to the same ASA. Basically we want whoever VPNs into the network to be able to access all of our company networks. We are trying to get away with this without using split tunneling.

I can currently get the remote VPN users' internal traffic to reach all the other site-to-site VPN tunnels, without the internet being tunneled. The problem is when I add the following NAT statement:

nat (outside) 1 10.10.19.0 255.255.255.0

(10.10.19.0 is the Remote VPN client address range)

The internet traffic for the Remote VPN starts to get tunneled, but I lose the ability to reach any of the other site-to-site tunnels through the Remote VPN tunnel.

I also start receiving the following errors in the ASA log:

3 Jul 01 2009 12:34:18 305005 10.10.19.255 137 No translation group found for udp src outside:10.10.19.3/137 dst outside:10.10.19.255/137

Any help with how the NAT statements should be set to get this to work would be appreciated.

Thank you,

Will

Accepted Solution

JORGE RODRIGUEZ
Level 10

Will,

Reference the link within this post for your hub-and-spoke VPN scenario; your problem may lie in the exempt NAT rules.

Have a second look at your nonat rules.

Make sure to eliminate split tunnel rules pertaining to RA, if any, so they do not get in the way.

http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=Firewalling&topicID=.ee6e1fa&fromOutline=true&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc2e0f6/4

If there are still issues, describe the topology for the L2Ls and RA (logical info) and a sanitized config of the hub ASA, but I think if you look at the above thread you should be able to resolve it.

Regards

Jorge Rodriguez



jorgemcse,

I really appreciate the help! This information assisted me in resolving the issue. I created an object-group (InsideVPN) containing all the internal networks I need the RA tunnels to access. I then created a separate access-list (outside_nat0_outbound) and NAT-exempted the access-list on the outside interface to get everything to work.

-InsideVPN is the object-group I used.

-10.10.19.0/24 our VPN pool.

access-list outside_nat0_outbound extended permit ip 10.10.19.0 255.255.255.0 object-group InsideVPN

access-list outside_nat0_outbound extended permit ip 10.10.19.0 255.255.255.0 10.10.19.0 255.255.255.0

nat (outside) 0 access-list outside_nat0_outbound

Thanks again,

Will
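To make the reasoning behind Will's fix explicit, here is a small model of the pre-8.3 ASA NAT order of operations for traffic arriving on the outside interface from the RA pool. This is an added illustration written for this thread, not ASA code and not from the original posts; the object-group members, the outside interface address and the crypto map ACLs are constructed assumptions, since the thread does not list them. It shows why "nat (outside) 1" alone PATs the pool to the outside address (so the L2L crypto ACL no longer matches and the packet never enters the site-to-site tunnel), and why the nat 0 access-list restores the original source for pool-to-InsideVPN and pool-to-pool traffic while still letting pool-to-internet traffic be translated. Hairpinning outside-to-outside also requires "same-security-traffic permit intra-interface", which the model notes but does not enforce.

```python
from ipaddress import ip_address, ip_network

# Addresses from the thread: the RA VPN pool.
VPN_POOL = ip_network("10.10.19.0/24")
# Constructed placeholder for the ASA outside interface (global (outside) 1 interface).
OUTSIDE_IF_ADDR = ip_address("203.0.113.1")

# object-group InsideVPN: the thread does not list its members; these are
# constructed sample networks standing in for the site-to-site remote LANs.
INSIDE_VPN = [ip_network("10.10.1.0/24"), ip_network("10.10.2.0/24")]

# Assumed crypto map match ACLs on the hub: "permit ip <pool> <remote LAN>" per L2L peer.
# Will's post implies these already include the pool, since the L2L reachability
# worked before the nat (outside) 1 line was added.
L2L_CRYPTO_ACLS = {net: (VPN_POOL, net) for net in INSIDE_VPN}


def nat0_match(src, dst):
    """The two permit lines of access-list outside_nat0_outbound from the thread:
    pool -> InsideVPN and pool -> pool are NAT-exempt."""
    if src not in VPN_POOL:
        return False
    return any(dst in net for net in INSIDE_VPN) or dst in VPN_POOL


def translate_source(src, dst, nat0_exempt_enabled, nat1_enabled, nat_control=False):
    """Pre-8.3 order of operations for a packet entering 'outside':
      1. nat 0 access-list (NAT exemption): source is kept as-is
      2. regular dynamic NAT/PAT (nat (outside) 1 + global (outside) 1 interface)
      3. no rule matched: passes untranslated, unless nat-control is on, in which
         case the ASA drops it and logs %ASA-3-305005 "No translation group found"
    Hairpin traffic (in and out of 'outside') additionally needs
    'same-security-traffic permit intra-interface'; not modelled here.
    Returns (post_nat_source, decision)."""
    if nat0_exempt_enabled and nat0_match(src, dst):
        return src, "exempt"
    if nat1_enabled and src in VPN_POOL:
        return OUTSIDE_IF_ADDR, "dynamic-pat"
    if nat_control:
        return None, "no-translation-group"
    return src, "passed-untranslated"


def reaches_l2l(src, dst, **nat_flags):
    """True if the post-NAT packet still matches the L2L crypto ACL for dst,
    which is what decides whether it is encrypted into the site-to-site tunnel."""
    new_src, _decision = translate_source(src, dst, **nat_flags)
    if new_src is None:
        return False
    for remote_net, (acl_src, acl_dst) in L2L_CRYPTO_ACLS.items():
        if dst in remote_net:
            return new_src in acl_src and dst in acl_dst
    return False


def walk_through():
    """Replays the three states from the thread for one RA client."""
    client = ip_address("10.10.19.3")          # constructed client from the pool
    remote_host = ip_address("10.10.1.10")     # constructed host behind an L2L peer
    internet = ip_address("198.51.100.7")      # constructed public host
    states = {
        "before nat1 (L2L ok, internet not tunneled)": dict(nat0_exempt_enabled=False, nat1_enabled=False),
        "nat1 only (broke L2L)": dict(nat0_exempt_enabled=False, nat1_enabled=True),
        "nat1 + nat0 exemption (fixed)": dict(nat0_exempt_enabled=True, nat1_enabled=True),
    }
    return {
        name: {
            "l2l_reachable": reaches_l2l(client, remote_host, **flags),
            "internet_decision": translate_source(client, internet, **flags)[1],
        }
        for name, flags in states.items()
    }


if __name__ == "__main__":
    for name, result in walk_through().items():
        print(f"{name}: {result}")
```

The model deliberately keeps "nat (outside) 1" in the fixed state: pool-to-internet traffic still gets PATed to the outside address, while the exemption ACL is consulted first and preserves the pool source for the destinations the crypto ACLs expect. Run the file to see all three states side by side.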

Will, glad we could help. Thanks for rating.

Rgds

Jorge

Jorge Rodriguez

Hi guys,

I have a similar setup but I can't ping to my site-to-site network after connecting remotely via the VPN client.

Ping to the internal network is no issue.

Do I have to enable anything on the ASA?

Please advise. Thanks.

What does the ASDM log tell you? Have you properly configured the nonat rules?

Jorge Rodriguez