VPN client cannot connect to NAT cluster IP

Jun 11th, 2010

I have two Cisco VPN 3060 concentrators configured with load balancing, sitting behind an ASA firewall.

Concentrator A: public interface IP address is 172.1.1.10 -> static NAT to 192.20.1.10

Concentrator B: public interface IP address is 172.1.1.20 -> static NAT to 192.20.1.20

Load balancing is configured between these two concentrators with cluster IP address 172.1.1.100 -> static NAT to 192.20.1.100

I'm able to connect to the cluster IP address 172.1.1.100 when the VPN client resides on the 172.1.1.x subnet.

(I adjusted the load balance settings to 0.0.0.0 since the client is behind the firewall.)

But when the VPN client connects from DSL, it fails to connect to the NAT address of the cluster, 192.20.1.100.

The VPN client is able to connect to the external/NAT addresses of Concentrator A and B.

The ASA firewall is set to allow 'all' IP inbound to the cluster IP 192.20.1.100.

Any ideas?

Marcin Latosiewicz Sat, 06/12/2010 - 00:45

By any chance, when you connect to the cluster IP, doesn't it respond with "connect to PRIVATE_IP_ADDRESS"?

Logging on the client will tell you more.

If you suspect the ASA, get a packet capture on inside and outside for this client.
