Client VPN hairpinning/U-turn issue.

Unanswered Question
Dec 12th, 2011

Hi all,

I have two ISPs connected on my ASA (outside and outside2), and SLA ISP backup is configured; currently the default gateway for internet access is the outside interface.

Recently I configured SSL VPN on my other interface (outside2), and it is working fine. After a few days, I got a requirement from my boss: he needs to connect to the Exchange server, which is over the internet, after successfully connecting to the SSL VPN. I know there is a concept called client U-turn in Cisco, so I have configured the following:

access-list 101 extended permit ip 10.10.10.0 255.255.255.0 host 148.45.87.65     ** (10.10.10.0/24 is the SSL VPN client pool, 148.45.87.65 is the IP of the Exchange server)

nat (outside2) 3 access-list 101

global (outside2) 3 121.25.6.8     ** (121.25.6.8 is one of the IPs of my outside2 WAN pool)

same-security-traffic permit intra-interface

But the above configuration does not work for my requirement.

Kindly help with the same.

Ashraf


ajay chauhan Mon, 12/12/2011 - 21:46

Configuration looks OK. Do you have split tunnel enabled? Also, can you attach the output of packet tracer?

Thanks

Ajay

ashraf_20012 Tue, 12/13/2011 - 00:52

Hi Ajay,

There is no split tunnel configured for the SSL VPN; all the clients' traffic is coming to my ASA.

A few things I missed:

1. The default gateway for the ASA is the outside interface, not outside2.

2. Do we need to allow the SSL traffic to exit from the outside interface to reach the Exchange server, which is over the internet?

3. If the traffic is exiting from the outside interface, do we need to configure the following?

An ACL allowing all the traffic, applied on the outside2 interface in the IN direction, and global (outside) 3 119.118.12.8

(IP 119.118.12.8 is one of the IPs of the WAN pool for the outside interface.)

I have also attached a screenshot of packet tracer.

Hope this gives you more clarity...

Ashraf

ajay chauhan Tue, 12/13/2011 - 01:07

Looks like the default gateway is pointing to the outside interface. As per your last config, that should point to outside2.

Yes, you can change the NAT config to global (outside) 3 119.118.12.8; this will solve the issue.

Change it and post the packet tracer once more.

Thanks

ashraf_20012 Tue, 12/13/2011 - 21:58

Hi Ajay,

I have applied an ACL on the outside2 interface in the IN direction with a permit any any statement, and added

global (outside) 3  119.118.12.8

Still no luck; there is no change in the packet tracer, it is still the same.

Ashraf

ajay chauhan Tue, 12/13/2011 - 22:10

Please post the full configuration.
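The thread ends without a posted resolution. As an added example, not from the original poster or from the replies, here is the general shape of a U-turn (hairpin) configuration for full-tunnel SSL VPN clients in the pre-8.3 ASA NAT syntax the thread uses, with the checks a practitioner would run. The pool, server and WAN pool addresses are the ones from the post; the two ISP gateway addresses (203.0.113.1 and 198.51.100.1) and the client address used in packet-tracer (10.10.10.5) are placeholders, assumed for illustration.

```cisco
! Added example (ASA 8.2-style syntax), not the thread's own configuration.
! Gateway addresses 203.0.113.1 / 198.51.100.1 are placeholders (assumptions).

! Routing: primary default route via outside, tracked by SLA; backup via outside2.
sla monitor 1
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
 frequency 10
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
route outside  0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route outside2 0.0.0.0 0.0.0.0 198.51.100.1 254

! Needed only when the decrypted packet leaves on the SAME interface it arrived on
! (outside2 in, outside2 out), i.e. after failover to the backup ISP. While the
! primary route is up, ingress is outside2 and egress is outside, so this line
! by itself does nothing for the VPN-to-internet flow.
same-security-traffic permit intra-interface

! Policy NAT keyed on the INGRESS interface of the decrypted client traffic.
access-list 101 extended permit ip 10.10.10.0 255.255.255.0 host 148.45.87.65
nat (outside2) 3 access-list 101

! A global with the same NAT ID must exist on whichever interface the packet
! actually EGRESSES. With the default route on outside, a global on outside2
! alone is never matched; keep one on each so the flow survives ISP failover.
global (outside)  3 119.118.12.8
global (outside2) 3 121.25.6.8

! With this (the default), decrypted VPN traffic bypasses interface ACLs, so a
! permit-any ACL on outside2 does not decide whether the U-turn works.
sysopt connection permit-vpn

! Verification: trace one client packet entering on outside2 and read the
! NAT and ROUTE-LOOKUP phases to see which interface and global it selected.
packet-tracer input outside2 tcp 10.10.10.5 1025 148.45.87.65 443 detailed
show nat
show xlate | include 10.10.10.
```

Two things to look for in the output. First, NAT exemption is evaluated before policy NAT, so any `nat (outside2) 0 access-list ...` whose ACL covers 10.10.10.0/24 silently wins over `nat (outside2) 3 ...`; `show nat` lists the order. Second, if packet-tracer chooses outside as the egress interface, the translation must come from the global on outside, not outside2; if it still reports a drop, the phase named in the trace is what to fix, and the `same-security-traffic` and interface ACL lines are not the cause. On ASA 8.3 and later the `nat (ifc) N` / `global` pair no longer exists and the same intent is expressed with object or twice NAT, so this block applies to 8.2 and earlier only.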
