914 Views | 0 Helpful | 8 Replies

Is this a hairpinning issue - ASA 5510, v8.4?

dwhyte1985
Level 1

Hello,

Having some major headaches with the configuration of an ASA5510.

Scenario

We have an inside interface, 192.168.10.0/23

We have an outside interface, public ip...

We have the ASA connected to 5 site-to-sites; this is working fine, and through the internal interface we can access all remote sites and vice versa. These are 192.168.20.0/24, 192.168.30.0/24, 192.168.40.0/24, 192.168.50.0/24 and 192.168.60.0/24.

Problem

When a user connects via Cisco VPN Client they can see the inside network but can't talk to the remote networks connected, for instance 192.168.40.0/24, whereas an internal user can. I understand that the VPN client connection is seen as an outside connection, not an inside connection, but then I read http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/vpn_params.html#wp1042114 and I am confused even more!

Simply, I need the client VPN to be able to connect to all sites.

Please advise, and if possible in the context of v8.4. Please find attached the sanitized cfg.

8 Replies

tahequivoice
Level 2

You need a before-NAT statement to translate the client VPN IPs to the remote network IPs, static to themselves. In ASDM set up the outside client VPN pool and the outside remote network, leave the rest the same, and be sure it is at or near the top of the list.

CLI Example

nat (outside,outside) source static EZVPN EZVPN destination static ClientVPN ClientVPN

Hi Tahequivoice,

I've tried this:

nat (outside,outside) source static objVPN objVPN destination static obj20 obj20

To put it in context:

objVPN is the local VPN client pool/IPs = 192.168.70.0/24

&

obj20 is the remote network 192.168.20.0/24.

Still no joy, not sure what else I should be doing!

tahequivoice
Level 2

Dang, hit the wrong button, now forgot what I had typed.

There are 3 places the ClientVPN pool needs to be in:

NAT exempt: all networks that the VPN pool needs to reach need to be set up as above for 8.4.

Split tunnel: if used, all networks to be reached need to be in that list.

Encrypted traffic: all VPN ACLs will need the client VPN pool in them.

The remote locations also have to have the client VPN network in their encryption list.

If you meet the above, then it should work.
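As an added illustration of this three-point checklist (this is not code from the thread or from Cisco; it is a constructed, simplified model of how an ASA 8.4 consults its ordered manual NAT list, the split-tunnel standard ACL and the crypto ACL), the Python below parses the kinds of lines posted later in this thread and reports which of the three places is missing for one client-VPN-to-remote-site packet arriving on the Outside interface. The objVPN (192.168.70.0/24) and obj20 (192.168.20.0/24) values are the ones given in the thread; obj40 = 192.168.40.0/24, the object name "any" standing for 0.0.0.0/0, and first-match evaluation of the manual NAT list (with an explicit line number inserting at that position) are assumptions of this model.

```python
import ipaddress
from dataclasses import dataclass

# Constructed object table using the object names from the thread. objVPN and obj20
# are given on the page; obj40 and the "any" entry are assumptions of this model.
OBJECTS = {
    "objVPN": ipaddress.ip_network("192.168.70.0/24"),   # Cisco VPN Client pool
    "obj20": ipaddress.ip_network("192.168.20.0/24"),    # remote site 20
    "obj40": ipaddress.ip_network("192.168.40.0/24"),    # remote site 40 (assumed)
    "any": ipaddress.ip_network("0.0.0.0/0"),
}


@dataclass(frozen=True)
class NatRule:
    """One ASA 8.4 manual (twice) NAT rule: nat (in,out) source static A B destination static C D."""
    ingress: str
    egress: str
    real_src: str
    mapped_src: str
    real_dst: str
    mapped_dst: str

    def is_identity(self):
        # "NAT exempt" in 8.4 is an identity rule: real and mapped objects are the same
        return self.real_src == self.mapped_src and self.real_dst == self.mapped_dst


def parse_nat(line):
    t = line.split()
    ingress, egress = t[1].strip("()").split(",")
    i = t.index("source")           # skips an optional line-number token before 'source'
    return NatRule(ingress.lower(), egress.lower(), t[i + 2], t[i + 3], t[i + 6], t[i + 7])


def _addr(t, i):
    """Read one address spec at t[i]: 'any', 'object NAME' or 'ADDR MASK'."""
    if t[i] == "any":
        return OBJECTS["any"], i + 1
    if t[i] == "object":
        return OBJECTS[t[i + 1]], i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}"), i + 2


def parse_acl(line):
    """Return (name, net, None) for a standard ACL line, (name, src, dst) for an extended one."""
    t = line.split()
    i = t.index("permit") + 1
    if t[2] == "standard":
        net, _ = _addr(t, i)
        return t[1], net, None
    src, i = _addr(t, i + 1)        # i + 1 skips the protocol keyword 'ip'
    dst, _ = _addr(t, i)
    return t[1], src, dst


def build_config(lines):
    """Ordered manual NAT list, split-tunnel networks, and crypto ACL (src, dst) pairs."""
    nat, split, crypto = [], [], []
    for line in lines:
        t = line.split()
        if t[0] == "nat":
            rule = parse_nat(line)
            if t[2].isdigit():          # explicit line number: insert at that position
                nat.insert(int(t[2]) - 1, rule)
            else:
                nat.append(rule)
        elif t[0] == "access-list":
            _, a, b = parse_acl(line)
            if b is None:
                split.append(a)
            else:
                crypto.append((a, b))
    return nat, split, crypto


def first_matching_nat(nat, ingress, src, dst):
    """First match wins on the manual NAT list (assumed model of ASA section 1)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in nat:
        if rule.ingress == ingress.lower() and src in OBJECTS[rule.real_src] and dst in OBJECTS[rule.real_dst]:
            return rule
    return None


def check_client_to_site(config, client_ip, site_ip):
    """Apply the three checks from the post to one pool -> remote-site packet on Outside.
    Returns the list of problems found; an empty list means all three places are covered."""
    nat, split, crypto = config
    src, dst = ipaddress.ip_address(client_ip), ipaddress.ip_address(site_ip)
    problems = []
    rule = first_matching_nat(nat, "Outside", client_ip, site_ip)
    if rule is None:
        problems.append("NAT exempt: no (Outside,Outside) identity rule matches this hairpin flow")
    elif not rule.is_identity() or rule.egress != "outside":
        problems.append(f"NAT exempt: first matching rule is not an Outside,Outside identity rule: {rule}")
    if not any(dst in net for net in split):
        problems.append("split tunnel: remote network is not in the split-tunnel list")
    if not any(src in s and dst in d for s, d in crypto):
        problems.append("encrypted traffic: crypto ACL has no line covering pool -> remote network")
    return problems


# Constructed sample: the site-20 lines shown in the thread plus the return-direction
# identity rule inserted at line 1, so the client pool is present in all three places.
WORKING = [
    "nat (Outside,Outside) source static objVPN objVPN destination static obj20 obj20",
    "nat (inside,Outside) source static any any destination static obj20 obj20",
    "nat (Outside,Outside) 1 source static obj20 obj20 destination static objVPN objVPN",
    "access-list Outside_cryptomap extended permit ip 192.168.10.0 255.255.254.0 192.168.20.0 255.255.255.0",
    "access-list Outside_cryptomap extended permit ip object objVPN 192.168.20.0 255.255.255.0",
    "access-list TunnelList standard permit 192.168.20.0 255.255.255.0",
    "access-list TunnelList standard permit 192.168.70.0 255.255.255.0",
]
# Site 40 only has the inside -> site NAT: the client pool is missing from all three places.
MISSING_SITE40 = WORKING + ["nat (inside,Outside) source static any any destination static obj40 obj40"]

if __name__ == "__main__":
    cfg = build_config(MISSING_SITE40)
    print("site 20:", check_client_to_site(cfg, "192.168.70.10", "192.168.20.5") or "ok")
    print("site 40:", check_client_to_site(cfg, "192.168.70.10", "192.168.40.5"))
```

Running it reports site 20 as ok and lists all three missing pieces for site 40; because the model evaluates the NAT list in order, it also shows why a non-identity rule placed above the exempt rule would be picked first, which is the point of keeping the exempt rule at or near the top.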

Hello tahequivoice,

I think I've done as asked; I've only done it for 1 network, 192.168.20.0/24.

It's attached. It's not so easy to read because of ASDM. If you have a moment, I would be super grateful if you could advise.

Cheers,

Hello,

Here are the parts of the configuration you have worked on:

Site to Site tunnel configuration:

access-list Outside_cryptomap extended permit ip 192.168.10.0 255.255.254.0 192.168.20.0 255.255.255.0

access-list Outside_cryptomap extended permit ip object objVPN 192.168.20.0 255.255.255.0

nat (Outside,Outside) source static objVPN objVPN destination static obj20 obj20

access-list TunnelList standard permit 192.168.20.0 255.255.255.0

access-list TunnelList standard permit 192.168.30.0 255.255.255.0

access-list TunnelList standard permit 192.168.40.0 255.255.255.0

access-list TunnelList standard permit 192.168.50.0 255.255.255.0

access-list TunnelList standard permit 192.168.60.0 255.255.255.0

access-list TunnelList standard permit 192.168.10.0 255.255.254.0

access-list TunnelList standard permit 192.168.70.0 255.255.255.0

Everything looks as it should. Now, if you want obj20 to start the communication, you would also need this NAT:

nat (Outside,Outside) source static obj20 obj20 destination static objVPN objVPN

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio,

This is not working. I worked out the command was in the wrong order, whoops; it helps if I read the command...

These are my nat statements:

nat (Outside,Outside) source static objVPN objVPN destination static obj20 obj20

nat (inside,Outside) source static any any destination static obj10 obj10

nat (inside,Outside) source static any any destination static obj40 obj40

nat (inside,Outside) source static any any destination static obj50 obj50

nat (inside,Outside) source static any any destination static obj30 obj30

nat (inside,Outside) source static any any destination static obj20 obj20

nat (inside,Outside) source static any any destination static obj100 obj100

nat (inside,Outside) source static any any destination static obj60 obj60

nat (inside,Outside) source static any any destination static objVPN objVPN

nat (Outside,Outside) source static obj20 objVPN destination static obj20 objVPN

nat (Outside,Outside) source static obj20 obj20 destination static objVPN objVPN

Is there anything that sticks out? This still does not work.

Cheers,

Hello,

What is this doing here?

nat (Outside,Outside) source static obj20 objVPN destination static obj20 objVPN

Please do the following:

no nat (Outside,Outside) source static obj20 objVPN destination static obj20 objVPN

no nat (Outside,Outside) source static obj20 obj20 destination static objVPN objVPN

nat (Outside,Outside) 1 source static obj20 obj20 destination static objVPN objVPN

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hello,

Have done as asked; 192.168.20.0/24 is still not reachable. Any other suggestions?

Many thanks for everyone's help so far.
