VPN Client To ASA 5505 then back out through tunnel to other ASA 5505

Arvo Bowen
Level 1

[Attachment: Remote Site Setup.png]

I'm having some issues trying to get the Site 3: VPN Client to be able to ping the Site 2: Server. I have just built the tunnel from Site 1 to Site 2 and now have traffic flowing great from Site 1 to Site 2. Site 3 clients can get to Site 1 clients with no issues at all. But Site 3 clients cannot get to Site 2 clients at all.

I'm guessing it has something to do with coming in on the outside (int 0) and then going back out the outside (int 0) interface.  I have enabled/used the following lines but I still can not get it to work.

1) same-security-traffic permit intra-interface (on the Site 1 ASA only)
2) I have my NAT exempt rules in place for both Site 1 and Site 2. Site 2 is using IOS 8.2(1) and Site 1 is using the newer IOS 8.4(2). So the Site 1 ASA is using the route-lookup switch to simulate the EXEMPT.

Any ideas why it would not be working for me?

10 Replies

Hi Arvo,

Shouldn't you do NAT exempt also for Site 3 - Site 2 on both ASAs, Site 1 and Site 2?

As I see it, in order for a packet from Site 3 to go on the IPsec tunnel between Site 1 and Site 2, the source Site 3 (which I suppose connects to Site 1) should not be NATed going to Site 2 and back.

Does this make sense - or you already made that on point 2 ?

Dan

Dan,

So I should have 2 NAT EXEMPT rules on Site 1's ASA and 1 NAT EXEMPT rule on Site 2's ASA?

Hi Arvo,

As I see it:

Site 1 should have 2 NAT exempts:
     source 10.71.1.0/24 destination 10.50.6.0/24
     source 10.71.2.0/24 destination 10.50.6.0/24

Site 2 should exempt the same traffic from NAT, but the other way around:
     source 10.50.6.0/24 destination 10.71.1.0/24
     source 10.50.6.0/24 destination 10.71.2.0/24

The IPsec traffic should also match this traffic.

Dan

Note:

Just to stay on a single issue, all I care about is getting from the Site 3: VPN Client to the Site 2: Server. In saying that, we can ignore all the 10.71.1.0/24 rules as they do not apply to the Site 2: 10.50.6.0/24 subnet or the Site 3: 10.71.2.0/24 subnet.

So just dealing with the 10.71.2.0/24 subnet (VPN Clients) and the 10.50.6.0/24 subnet (Site 2) I should only need 1 EXEMPT NAT for each ASA right?  Or am I wrong? 

Yes , you are right.

Dan

OK so this is what I currently have on Site 1's ASA...

object network LAN-INSIDE
 subnet 10.71.1.0 255.255.255.0
 description local area network
object network LAN-FULTON
 subnet 10.50.6.0 255.255.255.0
 description Fulton's Network

nat (inside,outside) source static LAN-INSIDE LAN-INSIDE destination static LAN-FULTON LAN-FULTON route-lookup description Exempt NAT rule for traffic from the inside network to the Fulton network

Then on Site 2's ASA...

access-list inside_nat0_outbound extended permit ip 10.50.6.0 255.255.255.0 10.71.2.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound

Does that look right?

That's right. Also please check the VPN access-list.

Dan

rizwanr74
Level 7

"But Site 3 clients can NOT get to Site 2 clients at all."

Can you please explain whether the Site 3 RA VPN clients are terminated on the Site 1 or the Site 2 ASA? If your answer is Site 1:

Then you need no-NAT for these segments, i.e. the Site 3 RA VPN clients and Site 2, on Site 1's outside interface, so your understanding is correct with regards to this issue.

Solution as follows, I assume you are using mask /24 on your networks.

access-list outside_nonat extended permit ip 10.71.2.0 255.255.255.0 10.50.6.0 255.255.255.0
access-list outside_nonat extended permit ip 10.50.6.0 255.255.255.0 10.71.2.0 255.255.255.0
nat (outside) 0 access-list outside_nonat


Now, incorporate "10.71.2.0 255.255.255.0" in the tunnel between site1 and site2, i.e. in the crypto ACL.

On Site 2, please make sure you have a static route as shown below.


route outside 10.71.2.0 255.255.255.0 xxx.xxx.xxx.xxx <-default-gateway on Site2 ASA.

Let me know, how this coming along.

Thanks

Rizwan Rafeek.


Thanks for the VERY informative response! Below are some config entries that I have made, still yielding no results...

To answer your first question: yes, the VPN clients connect to the Site 1: ASA and once connected should have access to the Site 2: ASA LAN. Second clarification: yes, everything uses /24 masks. Please keep in mind that below I'm using the ASDM for everything, so the names are auto-created.

Site 2: ASA Version 8.2(1)

nat (inside) 1 0.0.0.0 0.0.0.0 dns
nat (outside) 0 access-list outside_nat0_outbound

route outside 0.0.0.0 0.0.0.0 148.242.77.54 1
route outside 10.71.2.0 255.255.255.0 148.242.77.54 1

access-list outside_nat0_outbound extended permit ip 10.71.2.0 255.255.255.0 10.50.6.0 255.255.255.0
access-list outside_nat0_outbound extended permit ip 10.50.6.0 255.255.255.0 10.71.2.0 255.255.255.0

Does that look right?

"Does that look right?"

Yes for Site 1, and please make sure that a static route exists on Site 2 as shown below.

route outside 10.71.2.0 255.255.255.0 xxx.xxx.xxx.xxx <-default-gateway at Site2 ASA.

You also need the below config copied onto the Site 2 ASA as well.

nat (outside) 0 access-list outside_nat0_outbound
access-list outside_nat0_outbound extended permit ip 10.71.2.0 255.255.255.0 10.50.6.0 255.255.255.0
access-list outside_nat0_outbound extended permit ip 10.50.6.0 255.255.255.0 10.71.2.0 255.255.255.0

Please be sure to include the below network segments in the crypto ACL for the site-to-site VPN between Site 1 and Site 2.

ip 10.71.2.0 255.255.255.0 10.50.6.0 255.255.255.0
ip 10.50.6.0 255.255.255.0 10.71.2.0 255.255.255.0

I look forward to hearing from you.

Thanks

Rizwan Rafeek

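The pieces the thread converges on, assembled into one working set as an added example (this is not config from any of the posts above). Site 1 is written in 8.4(2) twice-NAT syntax, Site 2 in 8.2(1) nat 0 syntax, and the hairpin is handled where it actually happens: at Site 1 the client traffic enters and leaves the outside interface, so the identity NAT is (outside,outside), not (inside,outside). Object and ACL names (VPN-POOL, outside_cryptomap, SPLIT-TUNNEL, the group-policy name), the `global (outside) 1 interface` line, the host addresses used in the checks and the `<site2-public-ip>` placeholder are assumptions; the subnets and the 148.242.77.54 next hop are the ones the poster gave.

```cisco
! ===== Site 1 ASA, 8.4(2) syntax (added example) =====
! Remote-access clients terminate here. Their packets to Site 2 arrive on "outside"
! (decrypted) and must leave on "outside" (re-encrypted), so allow the U-turn.
same-security-traffic permit intra-interface

object network LAN-INSIDE
 subnet 10.71.1.0 255.255.255.0
object network VPN-POOL
 subnet 10.71.2.0 255.255.255.0
 description assumed name for the RA client address pool
object network LAN-FULTON
 subnet 10.50.6.0 255.255.255.0

! Identity NAT ("exempt") for client <-> Site 2. A twice-NAT rule is bidirectional,
! so one rule covers both directions. route-lookup tells the ASA to pick the egress
! interface from the routing table rather than from the rule's mapped interface.
nat (inside,outside) source static LAN-INSIDE LAN-INSIDE destination static LAN-FULTON LAN-FULTON route-lookup
nat (outside,outside) source static VPN-POOL VPN-POOL destination static LAN-FULTON LAN-FULTON route-lookup

! Crypto ACL for the Site 1 <-> Site 2 tunnel must also carry the client pool,
! otherwise the hairpinned packets never match an IPsec SA and are dropped.
access-list outside_cryptomap extended permit ip 10.71.1.0 255.255.255.0 10.50.6.0 255.255.255.0
access-list outside_cryptomap extended permit ip 10.71.2.0 255.255.255.0 10.50.6.0 255.255.255.0

! Check to make if the RA group-policy uses split tunneling: 10.50.6.0/24 must be in
! the split-tunnel list or the client never sends that traffic into the tunnel at all.
access-list SPLIT-TUNNEL standard permit 10.71.1.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit 10.50.6.0 255.255.255.0
group-policy RA-CLIENTS attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL

! ===== Site 2 ASA, 8.2(1) syntax (added example) =====
! nat 0 exemption is applied on the interface the protected hosts sit behind (inside),
! and is evaluated before the dynamic PAT rule below.
access-list inside_nat0_outbound extended permit ip 10.50.6.0 255.255.255.0 10.71.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.50.6.0 255.255.255.0 10.71.2.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0 dns
global (outside) 1 interface

! Crypto ACL: exact mirror image of Site 1's, including the client pool.
access-list outside_cryptomap extended permit ip 10.50.6.0 255.255.255.0 10.71.1.0 255.255.255.0
access-list outside_cryptomap extended permit ip 10.50.6.0 255.255.255.0 10.71.2.0 255.255.255.0

! Return route for the pool toward the upstream gateway (the poster's next hop). The
! default route already covers it, so this is belt-and-braces rather than required.
route outside 0.0.0.0 0.0.0.0 148.242.77.54 1
route outside 10.71.2.0 255.255.255.0 148.242.77.54 1

! ===== Verification, run on Site 1 =====
! Trace a client ping (assumed hosts .10 in each subnet) arriving on outside: the NAT
! phase must show the (outside,outside) identity rule and the result must be ALLOW.
packet-tracer input outside icmp 10.71.2.10 8 0 10.50.6.10 detailed
! Hit counters on both identity rules should rise while a client pings.
show nat detail
! The SA for this peer must list 10.71.2.0/24 <-> 10.50.6.0/24 as an ident with
! #pkts encaps/decaps both incrementing; encaps only means Site 2 is not returning.
show crypto ipsec sa peer <site2-public-ip>
```

On this release, packet-tracer models the NAT and route lookup of the post-decryption packet; treat the NAT phase and the final action as the meaningful parts and confirm actual encryption with a client ping plus `show crypto ipsec sa`. If the SA never appears, the first thing to recheck is that both crypto ACLs contain the 10.71.2.0/24 entry, because a mismatch there fails quietly at phase 2.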
