access to inside from ASA vpn client with the same IP addressing

Unanswered Question
Sep 28th, 2010

I need to give the VPN client IP pool the network 10.70.253.0/24, and the inside network is 10.70.255.0/24. When I connect the VPN client from the internet I can reach every network in the LAN, but the segment 10.70.255.0 is impossible.


How can I work around this problem? I can't change the network of the VPN pool.

Federico Coto F... Tue, 09/28/2010 - 14:06

Hi,

I don't understand your problem.

The VPN pool and the internal segment are not overlapping.

Please clarify.

Federico.

jaime.gonzalez@... Tue, 09/28/2010 - 15:07

OK, but if I try to reach other networks it works. Please see the config below:

access-list Admin extended permit ip host 9.9.9.9 10.70.253.0 255.255.255.0
access-list Admin extended permit icmp 10.70.255.0 255.255.255.0 10.70.253.0 255.255.255.0
access-list Admin extended permit ip 10.70.255.0 255.255.255.0 10.70.253.0 255.255.255.0
access-list Admin extended permit ip 145.125.0.0 255.255.0.0 10.70.253.0 255.255.255.0
access-list Admin extended permit ip 129.0.0.0 255.0.0.0 10.70.253.0 255.255.255.0
access-list Admin extended permit icmp 145.125.0.0 255.255.0.0 10.70.253.0 255.255.255.0
access-list Admin extended permit icmp 129.0.0.0 255.0.0.0 10.70.253.0 255.255.255.0
ip local pool Admin 10.70.253.1-10.70.253.254 mask 255.255.255.0
group-policy Admin internal
group-policy Admin attributes
split-tunnel-network-list value Admin
address-pools value Admin
tunnel-group Admin type remote-access
tunnel-group Admin general-attributes
address-pool Admin
default-group-policy Admin
tunnel-group Admin ipsec-attributes

The "debug icmp trace" shows a correct response.

Federico Coto F... Tue, 09/28/2010 - 15:18

Do you also have the traffic between 10.70.255.0 255.255.255.0 10.70.253.0 255.255.255.0
included in the NONAT ACL?

In other words, do you have something like this?

access-list NAME permit ip 10.70.255.0 255.255.255.0 10.70.253.0 255.255.255.0
nat (inside) 0 access-list NAME

The debug icmp trace shows requests/responses fine?

Question.

Does the 10.70.255.0/24 have a default gateway which points to the ASA's internal IP?

If there's a router in between, you might want to check whether that device is blocking this traffic.

What is the result of the packet tracer from the VPN client when connected to the 10.70.255.0/24 network?

Do you see packets encrypted/decrypted for that security association?  sh cry ips sa

Federico.

jaime.gonzalez@... Tue, 09/28/2010 - 16:14

I made a mistake with the information: the inside network is 10.70.0.0/16 and the VPN IP pool is 10.70.253.0... sorry. I believe it is overlapping.

And this is the result of:

Result:      
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop 
Drop-reason: (rpf-violated) Reverse-path verify failed

I read about it and I fear the ASA sees an attempt at spoofing.

praprama Tue, 09/28/2010 - 17:06

Hi,

Can you paste the entire output of the packet-tracer? You might have to disable "ip verify reverse-path INTERFACE" on the interface you are getting that error.

Regards,

Prapanch
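An added example, not from any poster in this thread, that models the two things the discussion turns on: whether the VPN pool overlaps the inside network, and a simplified longest-prefix reverse-path check of the kind "ip verify reverse-path" performs. The routing table, and the per-client /32 host route via outside that it assumes the ASA installs, are assumptions for illustration and are not taken from the config above.

```python
"""Added example (not from the thread): why an address pool carved out of the
inside network makes reverse-path verification drop traffic. The routing model
below is a deliberate simplification of ASA behaviour, not its real code."""
import ipaddress

# Values from the thread: the VPN pool and the corrected inside network.
VPN_POOL = "10.70.253.0/24"
INSIDE_NETWORKS = ["10.70.0.0/16"]

# Assumed routing table once a client holding 10.70.253.5 has connected: a host
# route for the client points out the outside interface while the /16 stays inside.
ROUTES = [
    ("0.0.0.0/0", "outside"),
    ("10.70.0.0/16", "inside"),
    ("10.70.253.5/32", "outside"),
]


def pool_overlaps(pool, networks):
    """Return the inside networks (as strings) that overlap the VPN pool."""
    pool_net = ipaddress.ip_network(pool)
    return [n for n in networks if pool_net.overlaps(ipaddress.ip_network(n))]


def best_route(routes, address):
    """Longest-prefix match over (network, interface) pairs; None if no route."""
    addr = ipaddress.ip_address(address)
    matches = [(ipaddress.ip_network(n), iface) for n, iface in routes
               if addr in ipaddress.ip_network(n)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def rpf_check(routes, ingress_iface, src):
    """Simplified reverse-path verify: the packet passes only when the best
    route back to its source points out the interface it arrived on."""
    return best_route(routes, src) == ingress_iface


if __name__ == "__main__":
    print("pool overlaps:", pool_overlaps(VPN_POOL, INSIDE_NETWORKS))
    # An ordinary inside host still routes via inside, so it passes.
    print("10.70.255.10 on inside:", rpf_check(ROUTES, "inside", "10.70.255.10"))
    # A pool address arriving on inside fails: the client's /32 beats the /16.
    print("10.70.253.5 on inside:", rpf_check(ROUTES, "inside", "10.70.253.5"))
    # The same source on the VPN side is consistent with the routing table.
    print("10.70.253.5 on outside:", rpf_check(ROUTES, "outside", "10.70.253.5"))
```

The last two calls show the trade-off behind the advice above: disabling reverse-path verification on the interface removes the drop, but it also removes the check that would flag an inside host claiming a pool address.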
