08-20-2010 09:22 AM
We have multiple VPN profiles configured for multiple remote VPN users; their job function determines which profile they get.
One in question is giving me fits.
Remote user connects to co-lo and attempts to reach host at main office. We have a site-to-site tunnel from the co-lo to the main office. For regular employees this works fine and I can't for the life of me figure out why the xuser group is any different. It seems as though traffic destined for the main office from the xuser group never gets pushed through the tunnel.
xuser: 10.10.22.0/24
ruser: 10.10.23.0/24
host: 10.1.1.52/32
If I do a packet trace from xuser > host it gets rejected:
......
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Inside_access_in in interface inside
access-list Inside_access_in extended permit tcp object VPN_xuser object host eq www
......
Phase: 7
Type: ACCESS-LIST
Subtype: vpn-user
Result: DROP
Config:
Additional Information:
......
If I do a packet tracer from ruser > host it gets past that and continues on:
....
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Inside_access_in in interface inside <snipped>
........
Phase: 7
Type: ACCESS-LIST
Subtype: vpn-user
Result: ALLOW
Config:
Additional Information:...and so on.
Can someone help me out?
08-20-2010 09:38 AM
please check if you have identity nat for this specific traffic
08-20-2010 09:54 AM
xuser:
Additional Information:
Static translate 10.10.22.111/80 to 10.10.22.111/80
ruser:
Additional Information:
Static translate 10.10.23.108/80 to 10.10.23.108/80
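To show where the two traces in this thread diverge, here is an added example (not from the thread or from Cisco) that splits packet-tracer output into its phases and reports the first DROP. The sample traces are constructed from the quoted output, and the only assumption beyond it is that an ACCESS-LIST phase with Subtype vpn-user is the vpn-filter ACL applied through the user's group-policy.

```python
import re
from typing import Optional

# Constructed excerpts, modelled on the two packet-tracer dumps quoted in the thread.
XUSER_TRACE = """\
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Inside_access_in in interface inside

Phase: 7
Type: ACCESS-LIST
Subtype: vpn-user
Result: DROP
"""
# The ruser trace is identical except that phase 7 allows the packet.
RUSER_TRACE = XUSER_TRACE.replace("Result: DROP", "Result: ALLOW")

FIELD_RE = re.compile(r"^(Phase|Type|Subtype|Result):\s*(.*)$", re.M)

# Assumed mapping from (Type, Subtype) of a dropping phase to the ASA object to inspect.
HINTS = {
    ("ACCESS-LIST", "vpn-user"): "the vpn-filter ACL referenced by the user's group-policy",
    ("ACCESS-LIST", "log"): "the interface ACL named in that phase's Config: section",
}

def parse_phases(trace: str) -> list:
    """Split a packet-tracer dump into one dict per 'Phase:' block."""
    phases = []
    for block in re.split(r"^(?=Phase:)", trace, flags=re.M):
        fields = {k.lower(): v.strip() for k, v in FIELD_RE.findall(block)}
        if "phase" in fields:
            fields["phase"] = int(fields["phase"])
            phases.append(fields)
    return phases

def first_drop(trace: str) -> Optional[dict]:
    """Return the first phase whose Result is DROP, or None if the packet is allowed end to end."""
    return next((p for p in parse_phases(trace) if p.get("result") == "DROP"), None)

def drop_hint(trace: str) -> str:
    """Point at the config object behind the first DROP, or report that nothing dropped."""
    d = first_drop(trace)
    if d is None:
        return "no DROP phase: packet allowed"
    where = HINTS.get((d.get("type"), d.get("subtype")), "that phase's Config: section")
    return f"phase {d['phase']} {d['type']}/{d['subtype']}: check {where}"

if __name__ == "__main__":
    for name, trace in (("xuser", XUSER_TRACE), ("ruser", RUSER_TRACE)):
        print(name, "->", drop_hint(trace))
```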