Is this a hairpinning issue - ASA 5510, v8.4?

Unanswered Question
Mar 21st, 2012

Hello,

Having some major headaches with the configuration of an ASA5510.

Scenario

We have an inside interface, 192.168.10.0/23

We have an outside interface, public ip...

We have the ASA connected to 5 site-to-site tunnels. This is working fine, and from the internal interface we can access all remote sites and vice versa. These are 192.168.20.0/24, 192.168.30.0/24, 192.168.40.0/24, 192.168.50.0/24 and 192.168.60.0/24.

Problem

When a user connects via Cisco VPN Client they can see the inside network but can't talk to the remote networks connected, for instance 192.168.40.0/24, whereas an internal user can. I understand that the VPN client connection is seen as an outside connection, not an inside connection... but then I read http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/vpn_params.html#wp1042114 and I am confused even more!

Simply, I need the client VPN to be able to connect to all sites.

Please advise, and if possible in the context of v8.4. Please find attached a sanitized cfg.

tahequivoice Wed, 03/21/2012 - 07:12

You need a before-NAT statement to translate the client VPN IPs and the remote network IPs statically to themselves. In ASDM, set up outside / client VPN pool and outside / remote network, leave the rest the same, and be sure it is at or near the top of the list.

CLI Example

nat (outside,outside) source static EZVPN EZVPN destination static ClientVPN ClientVPN

dwhyte1985 Wed, 03/21/2012 - 07:48

Hi Tahequivoice,

I've tried this:

nat (outside,outside) source static objVPN objVPN destination static obj20 obj20

To put it in context

Where objVPN is the local VPN client pool/IPs = 192.168.70.0/24

&

where obj20 is the remote network 192.168.20.0/24.

Still no joy; not sure what else I should be doing!

tahequivoice Wed, 03/21/2012 - 07:56

Dang, hit the wrong button, now forgot what I had typed.

There are 3 places the client VPN pool needs to be in:

NAT exempt. All networks that the VPN pool needs to reach need to be set up as above for 8.4.

Split Tunnel, if used, all networks to be reached need to be in that list.

Encrypted traffic. All VPN ACLs will need the client VPN pool in them.

The remote locations also have to have the client VPN network in its encryption list.

If you meet the above, then it should work.

dwhyte1985 Wed, 03/21/2012 - 08:11

Hello tahequivoice,

I think I've done as asked; I've only done it for 1 network, 192.168.20.0/24.

It's attached. It's not so easy to read because of ASDM; if you have a moment, I would be super grateful if you could advise.

Cheers,

Julio Carvaja Wed, 03/21/2012 - 11:18

Hello,

Here are the parts of the configuration you have worked on:

Site to Site tunnel configuration:

access-list Outside_cryptomap extended permit ip 192.168.10.0 255.255.254.0 192.168.20.0 255.255.255.0

access-list Outside_cryptomap extended permit ip object objVPN 192.168.20.0 255.255.255.0

nat (Outside,Outside) source static objVPN objVPN destination static obj20 obj20

access-list TunnelList standard permit 192.168.20.0 255.255.255.0

access-list TunnelList standard permit 192.168.30.0 255.255.255.0

access-list TunnelList standard permit 192.168.40.0 255.255.255.0

access-list TunnelList standard permit 192.168.50.0 255.255.255.0

access-list TunnelList standard permit 192.168.60.0 255.255.255.0

access-list TunnelList standard permit 192.168.10.0 255.255.254.0

access-list TunnelList standard permit 192.168.70.0 255.255.255.0

Everything looks as it should. Now, if you want obj20 to start the communication, you would also need this NAT:

nat (Outside,Outside) source static obj20 obj20 destination static objVPN objVPN

Regards,

Julio
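
Pulling the three places tahequivoice listed (NAT exemption, split-tunnel list, crypto ACLs) and the identity NAT Julio discusses into one complete ASA 8.4 configuration, as an added reference example that is not the thread's attached config. Object names follow the thread; the pool range, the group-policy and tunnel-group names, the transform set and the peer address 203.0.113.20 are assumptions, and the site-to-site tunnel itself is assumed to already be defined and working, as the original post says. One line the thread never mentions but that the hairpin depends on is `same-security-traffic permit intra-interface`: by default the ASA drops a flow that enters and leaves the same interface, so a packet decrypted from the VPN client on Outside cannot be re-encrypted out Outside toward the remote site, whatever the NAT rules say. The `packet-tracer` line at the end is the check to run before touching anything else, because it reports which phase (NAT, crypto map, VPN) drops the packet.

```cisco
! Added reference configuration, not the thread's attachment.
! Pool range, group-policy/tunnel-group names, transform set and peer
! address are assumptions. Interface names follow the thread: inside, Outside.

! 1. Allow traffic to enter and leave the Outside interface (the hairpin).
!    Without this the decrypted client packet is dropped before NAT or crypto.
same-security-traffic permit intra-interface

! Network objects used below.
object network obj10
 subnet 192.168.10.0 255.255.254.0
object network obj20
 subnet 192.168.20.0 255.255.255.0
object network objVPN
 subnet 192.168.70.0 255.255.255.0

! Address pool handed to Cisco VPN Client users (assumed range).
ip local pool VPNPOOL 192.168.70.1-192.168.70.254 mask 255.255.255.0

! 2. NAT exemption for the hairpinned flow: identity twice NAT, Outside to Outside,
!    forced to line 1 so no earlier rule translates the client pool.
nat (Outside,Outside) 1 source static objVPN objVPN destination static obj20 obj20
! Inside hosts must also reach the pool untranslated.
nat (inside,Outside) source static obj10 obj10 destination static objVPN objVPN

! 3. Split tunnel: the client only sends traffic for these networks down the tunnel.
access-list TunnelList standard permit 192.168.10.0 255.255.254.0
access-list TunnelList standard permit 192.168.20.0 255.255.255.0
group-policy RAVPN_GP internal
group-policy RAVPN_GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value TunnelList
tunnel-group RAVPN type remote-access
tunnel-group RAVPN general-attributes
 address-pool VPNPOOL
 default-group-policy RAVPN_GP

! 4. Site-to-site crypto ACL: the client pool must be interesting traffic too.
!    The peer's mirror ACL must list 192.168.70.0/24 as its remote network,
!    otherwise the peer rejects the SA or drops the return traffic.
access-list Outside_cryptomap extended permit ip 192.168.10.0 255.255.254.0 192.168.20.0 255.255.255.0
access-list Outside_cryptomap extended permit ip object objVPN 192.168.20.0 255.255.255.0
crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map Outside_map 1 match address Outside_cryptomap
crypto map Outside_map 1 set peer 203.0.113.20
crypto map Outside_map 1 set ikev1 transform-set ESP-AES-SHA
crypto map Outside_map interface Outside

! Verification: trace an ICMP echo from a client pool address toward the remote
! site and confirm the NAT, CRYPTO and VPN phases all report ALLOW.
packet-tracer input Outside icmp 192.168.70.10 8 0 192.168.20.10 detailed
show nat
show crypto ipsec sa peer 203.0.113.20
```

If `packet-tracer` stops at the NAT phase, `show nat` will show which rule claimed the packet; the thread's rule at line 1 must be the one that matches, not a general `(inside,Outside)` or dynamic PAT rule above it. If it stops at the CRYPTO or VPN phase, the pool is missing from the crypto ACL on one side, and `show crypto ipsec sa` will show no SA whose local identity is 192.168.70.0/24.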

dwhyte1985 Wed, 03/21/2012 - 12:55

Hi Julio,

This is not working. I worked out the command was in the wrong order, whoops; it helps if I read the command...

These are my nat statements:

nat (Outside,Outside) source static objVPN objVPN destination static obj20 obj20

nat (inside,Outside) source static any any destination static obj10 obj10

nat (inside,Outside) source static any any destination static obj40 obj40

nat (inside,Outside) source static any any destination static obj50 obj50

nat (inside,Outside) source static any any destination static obj30 obj30

nat (inside,Outside) source static any any destination static obj20 obj20

nat (inside,Outside) source static any any destination static obj100 obj100

nat (inside,Outside) source static any any destination static obj60 obj60

nat (inside,Outside) source static any any destination static objVPN objVPN

nat (Outside,Outside) source static obj20 objVPN destination static obj20 objVPN

nat (Outside,Outside) source static obj20 obj20 destination static objVPN objVPN

Is there anything that sticks out? This still does not work.

Cheers,

Julio Carvaja Wed, 03/21/2012 - 13:47

Hello,

What is this doing here?

nat (Outside,Outside) source static obj20 objVPN destination static obj20 objVPN

Please do the following:

no nat (Outside,Outside) source static obj20 objVPN destination static obj20 objVPN

no nat (Outside,Outside) source static obj20 obj20 destination static objVPN objVPN

nat (Outside,Outside) 1 source static obj20 obj20 destination static objVPN objVPN

Regards,

dwhyte1985 Wed, 03/21/2012 - 13:58

Hello,

Have done as asked, 192.168.20.0/24 still not reachable, any other suggestions?

Many thanks for everyone's help so far.

This Discussion

Posted March 21, 2012 at 4:49 AM