Client vpn hairpining/U-turn issue.

Unanswered Question
Dec 12th, 2011

Hi all,

I have two isp's connected on my ASA (outside and outside2), and SLA ISP backup is configured, now the default gateway for internet access is outside interface.

Recently i have configured SSL Vpn on my other interface (outside2) , and it is working fine, after few days,  i got a requirement from my boss, that he need to connect to exchange server, which is over the internet, after successfully connected to SSL vpn, i know there is a concept called client u-turn in cisco, so with that i have configured, the following

access-list 101 extended permit ip 10.10.10.0 255.255.255.0  host 148.45.87.65     **(10.10.10.0/24 is the ssl vpn client pool, 148.45.87.65 is the ip of exchange server).

nat (ouside2) 3  access-list 101

global (outside2) 3  121.25.6.8                                                  ** ( 121.25.6.8 is one of the ip of my outside2 wan pool)

same-security-traffic permit intra-interface

But the above configuration does not works for my requirement.

Kindly help , for the same.

Ashraf


I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Average Rating: 0 (0 ratings)
ajay chauhan Mon, 12/12/2011 - 21:46

Configuration looks ok . Do you have split tunnel enabled ? also if you can attach output of packet tracer.

Thanks

Ajay

ashraf_20012 Tue, 12/13/2011 - 00:52

Hi Ajay,

There is no split tunnel configured for SSL vpn , all the client's traffic is comming to my ASA,

Few thing i missed

1. the default gateway is outside interface not the outside2 for ASA

2. do we need to allow the ssl traffic to exit from outside interface to reach exchange server, which is over the internet.

3.  if the traffic is exiting from outside interface, do we need to configure the following.

An Acl allowing all the traffic, and is applied on outside2 interface in IN direction, and global (outside) 3  119.118.12.8

(ip 119.118.12.8 is once of the ip of wan pool for outside interface.

Even i have attached Screenshot of packet tracer.

hope this give u more clarity ...

Ashraf

ajay chauhan Tue, 12/13/2011 - 01:07

Looks like default gateway is pointing to outside interface. As per your last config that should point outside2.

yes you can change the nat config global (outside) 3  119.118.12.8 this will solve the issue.

Change it and post the packet tracer once more.

thanks

ashraf_20012 Tue, 12/13/2011 - 21:58

Hi Ajay,

I have applied an ACL on outside2 interface in IN direction with permit any any statement, and added

global (outside) 3  119.118.12.8

still no luck, no change in the  packet tracer it is still the same.

Ashraf

Actions

Login or Register to take actions

This Discussion

Posted December 12, 2011 at 9:33 PM
Stats:
Replies:5 Avg. Rating:
Views:543 Votes:0
Shares:0
Tags: client, vpn, u-turn, issue.
+

Related Content

Discussions Leaderboard