
vpn client cannot connect to NAT cluster IP

user_2010
Level 1

I have two Cisco VPN 3060 concentrators configured with load balancing, sitting behind an ASA firewall.

Concentrator A public interface IP address is 172.1.1.10 -> static NAT to 192.20.1.10

Concentrator B public interface IP address is 172.1.1.20 -> static NAT to 192.20.1.20

Load balancing is configured between these two concentrators with cluster IP address 172.1.1.100 -> static NAT to 192.20.1.100

I'm able to connect to the cluster IP address 172.1.1.100 when the VPN client resides on the 172.1.1.x subnet.

(I adjusted the load balance settings to 0.0.0.0 since the client is behind the firewall.)

But when the VPN client connects from DSL, it fails to connect to the NAT address of the cluster, 192.20.1.100.

The VPN client is able to connect to the external/NAT addresses of Concentrator A and B.

The ASA firewall is set to allow 'all' IP inbound to the cluster IP 192.20.1.100.

Any ideas?

1 Reply

Marcin Latosiewicz
Cisco Employee

By any chance, when you connect to the cluster IP, doesn't it respond with "connect to PRIVATE_IP_ADDRESS"?

Logging on the client will tell you more.

If you suspect the ASA, get a packet capture on inside and outside for this client.