access to inside from ASA vpn client with the same IP addressing

jaime.gonzalez
Level 1

I need to give the VPN client IP pool 10.70.253.0/24, and the inside network is 10.70.255.0/24. When I connect the VPN client from the internet I can reach every network in the LAN, but the 10.70.255.0 segment is impossible.


How can I work around this problem? I can't change the VPN pool network.

5 Replies

Hi,

I don't understand your problem.

The VPN pool and the internal segment are not overlapping.

Please clarify.

Federico.

OK, but if I try to reach another network it works. Please see the config below:

access-list Admin extended permit ip host 9.9.9.9 10.70.253.0 255.255.255.0
access-list Admin extended permit icmp 10.70.255.0 255.255.255.0 10.70.253.0 255.255.255.0
access-list Admin extended permit ip 10.70.255.0 255.255.255.0 10.70.253.0 255.255.255.0
access-list Admin extended permit ip 145.125.0.0 255.255.0.0 10.70.253.0 255.255.255.0
access-list Admin extended permit ip 129.0.0.0 255.0.0.0 10.70.253.0 255.255.255.0
access-list Admin extended permit icmp 145.125.0.0 255.255.0.0 10.70.253.0 255.255.255.0
access-list Admin extended permit icmp 129.0.0.0 255.0.0.0 10.70.253.0 255.255.255.0
ip local pool Admin 10.70.253.1-10.70.253.254 mask 255.255.255.0
group-policy Admin internal
group-policy Admin attributes
split-tunnel-network-list value Admin
address-pools value Admin
tunnel-group Admin type remote-access
tunnel-group Admin general-attributes
address-pool Admin
default-group-policy Admin
tunnel-group Admin ipsec-attributes

The "debug icmp trace" shows a correct response.

Do you also have the traffic between 10.70.255.0 255.255.255.0 10.70.253.0 255.255.255.0
included in the NONAT ACL?

In other words, do you have something like this?

access-list NAME permit ip 10.70.255.0 255.255.255.0 10.70.253.0 255.255.255.0
nat (inside) 0 access-list NAME

The debug icmp trace shows requests/responses fine?

Question.

Does the 10.70.255.0/24 network have a default gateway that points to the ASA's internal IP?

If there's a router in between, you might want to check whether that device is blocking this traffic.

What is the result of the packet tracer from the VPN client when connected to the 10.70.255.0/24 network?

Do you see packets encrypted/decrypted for that security association? sh cry ips sa

Federico.

I made a mistake with the information: the inside network is 10.70.0.0/16 and the VPN IP pool is 10.70.253.0... sorry. I believe it is overlapping.

And this is the result of:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (rpf-violated) Reverse-path verify failed

I read about it and I fear the ASA sees an attempt at spoofing.

Hi,

Can you paste the entire output of the packet-tracer? You might have to disable "ip verify reverse-path INTERFACE" on the interface where you are getting that error.

Regards,

Prapanch
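The thread's root cause (a VPN pool carved out of the inside /16, with the "rpf-violated" drop as the symptom) can be illustrated with a small model of the unicast reverse-path check that "ip verify reverse-path" performs. This is an added example for readers of the thread, not ASA code or anything posted above: it builds a constructed route table from the addresses the original poster gave (inside 10.70.0.0/16 connected on "inside", the pool 10.70.253.0/24 reached via "outside", a default route out "outside"), does a longest-prefix lookup of the packet's source, and reports a violation when the interface the packet arrived on is not the one the source would be routed back out of. The interface names, the route entries and the sample packets are assumptions made for the illustration.

```python
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[ipaddress.IPv4Network, str]

# Constructed route table modelled on the thread (assumption, not taken from an ASA):
# the inside LAN is a connected /16, the VPN pool is reached via "outside",
# and everything else goes to the default route on "outside".
ROUTES: List[Route] = [
    (ipaddress.ip_network("10.70.0.0/16"), "inside"),
    (ipaddress.ip_network("10.70.253.0/24"), "outside"),
    (ipaddress.ip_network("0.0.0.0/0"), "outside"),
]

# Same table without the pool-specific route, i.e. only the connected /16 and
# the default route exist (also constructed for the illustration).
LAN_ONLY_ROUTES: List[Route] = [
    (ipaddress.ip_network("10.70.0.0/16"), "inside"),
    (ipaddress.ip_network("0.0.0.0/0"), "outside"),
]


def lookup(addr: str, routes: List[Route] = ROUTES) -> Optional[str]:
    """Longest-prefix match: return the egress interface for addr, or None."""
    ip = ipaddress.ip_address(addr)
    best: Optional[Route] = None
    for net, iface in routes:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def rpf_check(src: str, ingress: str, routes: List[Route] = ROUTES) -> Tuple[bool, str]:
    """Unicast RPF: the packet passes only if its source would be routed
    back out of the interface it arrived on."""
    expected = lookup(src, routes)
    if expected == ingress:
        return True, f"src {src} arrived on {ingress}, route agrees"
    return False, f"rpf-violated: src {src} routes via {expected}, arrived on {ingress}"


def overlap(a: str, b: str) -> bool:
    """True when the two prefixes share any address (the pool/LAN clash)."""
    return ipaddress.ip_network(a).overlaps(ipaddress.ip_network(b))


if __name__ == "__main__":
    # The corrected numbers from the thread overlap; the original ones did not.
    print("pool vs inside /16 overlap:", overlap("10.70.253.0/24", "10.70.0.0/16"))
    print("pool vs 10.70.255.0/24 overlap:", overlap("10.70.253.0/24", "10.70.255.0/24"))
    # An inside host talking to the VPN client passes the check on "inside".
    print(rpf_check("10.70.255.10", "inside"))
    # A packet sourced from the pool but seen entering "inside" fails.
    print(rpf_check("10.70.253.5", "inside"))
    # With only the connected /16, a decrypted VPN-client packet on "outside"
    # fails too, because the /16 claims the pool addresses for "inside".
    print(rpf_check("10.70.253.5", "outside", LAN_ONLY_ROUTES))
```

The two failing cases show why a pool inside the LAN prefix is the problem rather than the check itself: whichever interface the ASA associates the pool with, some legitimate packet carrying a 10.70.253.x source will arrive on the "wrong" interface by the route table's reckoning. Turning off "ip verify reverse-path" on that interface (as suggested above) removes the anti-spoofing check for every packet there, so re-addressing the pool out of 10.70.0.0/16 is the cleaner fix when that becomes possible.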
