VPN Client To ASA 5505 then back out through tunnel to other ASA 5505

Unanswered Question
May 3rd, 2012

[Image: Remote Site Setup.png]

I'm having some issues trying to get the Site 3: VPN Client to be able to ping the Site 2: Server.  I have just built the tunnel from Site 1 to Site 2 and now have traffic flowing great from Site 1 to Site 2.  Site 3 clients can get to Site 1 clients with no issues at all.  But Site 3 clients can NOT get to Site 2 clients at all.

I'm guessing it has something to do with coming in on the outside (int 0) and then going back out the outside (int 0) interface.  I have enabled/used the following lines but I still can not get it to work.

1) same-security-traffic permit intra-interface (on the Site 1 ASA only)

2) I have my NAT exempt rules in place for both Site 1 and Site 2.  Site 2 is using IOS 8.2(1) and Site 1 is using the newer IOS 8.4(2).  So the Site 1 ASA is using the route-lookup switch to simulate the EXEMPT.

Any ideas why it would not be working for me?

dancicioiu Thu, 05/03/2012 - 11:08

Hi Arvo,

Shouldn't you do NAT exempt also for Site 3 - Site 2 on both ASAs, Site 1 and Site 2?

As I see it, in order for a packet from Site 3 to go over the IPsec tunnel between Site 1 and Site 2, the source (Site 3, which I suppose connects to Site 1) should not be NATed going to Site 2 and back.

Does this make sense, or did you already do that in point 2?

Dan

arvo.bowen Thu, 05/03/2012 - 11:33

Dan,

So I should have 2 NAT EXEMPT rules on Site 1's ASA and 1 NAT EXEMPT rule on Site 2's ASA?

dancicioiu Thu, 05/03/2012 - 11:37

Hi Arvo,

As I see it:

Site 1 should have 2 NAT exempts:

     source 10.71.1.0/24 destination 10.50.6.0/24
     source 10.71.2.0/24 destination 10.50.6.0/24

Site 2 should exempt the same traffic from NAT, but the other way around:

     source 10.50.6.0/24 destination 10.71.1.0/24
     source 10.50.6.0/24 destination 10.71.2.0/24

And the IPsec interesting traffic should also match this traffic.

Dan

arvo.bowen Thu, 05/03/2012 - 11:57

Note:

Just to stay on a single issue, all I care about is getting from the Site 3: VPN Client to the Site 2: Server.  That said, we can ignore all the 10.71.1.0/24 rules as they do not apply to the Site 2: 10.50.6.0/24 subnet or the Site 3: 10.71.2.0/24 subnet.

So, just dealing with the 10.71.2.0/24 subnet (VPN Clients) and the 10.50.6.0/24 subnet (Site 2), I should only need 1 EXEMPT NAT for each ASA, right?  Or am I wrong?

arvo.bowen Thu, 05/03/2012 - 13:02

OK so this is what I currently have on Site 1's ASA...

object network LAN-INSIDE
 subnet 10.71.1.0 255.255.255.0
 description local area network

object network LAN-FULTON
 subnet 10.50.6.0 255.255.255.0
 description Fulton's Network

nat (inside,outside) source static LAN-INSIDE LAN-INSIDE destination static LAN-FULTON LAN-FULTON route-lookup description Exempt NAT rule for traffic from the inside network to the Fulton network

Then on Site 2's ASA...

access-list inside_nat0_outbound extended permit ip 10.50.6.0 255.255.255.0 10.71.2.0 255.255.255.0

nat (inside) 0 access-list inside_nat0_outbound

Does that look right?

rizwanr74 Fri, 05/04/2012 - 11:44

"But Site 3 clients can NOT get to Site 2 clients at all."

Can you please explain whether the Site 3 RA VPN clients are terminated on the Site 1 or the Site 2 ASA?  If your answer is Site 1:

Then you need no-NAT for these segments, i.e. the Site 3 RA VPN clients and Site 2, on Site 1's outside interface, so your understanding is correct with regard to this issue.

Solution as follows, I assume you are using mask /24 on your networks.

access-list outside_nonat extended permit ip 10.71.2.0 255.255.255.0 10.50.6.0 255.255.255.0
access-list outside_nonat extended permit ip 10.50.6.0 255.255.255.0 10.71.2.0 255.255.255.0

nat (outside) 0 access-list outside_nonat


Now, incorporate "10.71.2.0 255.255.255.0" in the tunnel between site1 and site2, i.e. in the crypto ACL.

On Site 2, please make sure you have a static route as shown below.


route outside 10.71.2.0 255.255.255.0 xxx.xxx.xxx.xxx <-default-gateway on Site2 ASA.

Let me know how this is coming along.

Thanks

Rizwan Rafeek.

Message was edited by: Rizwan Mohamed

arvo.bowen Mon, 05/14/2012 - 12:58

Thanks for the VERY informative response!  Below are some config entries that I have made, still yielding no results...

To answer your first question: yes, the VPN clients connect to the Site 1: ASA and once connected should have access to the Site 2: ASA LAN.  Second clarification: YES, everything uses /24 masks.  Please keep in mind that below I'm using the ASDM for everything, so the names are auto-created.

Site 2: ASA Version 8.2(1)

nat (inside) 1 0.0.0.0 0.0.0.0 dns
nat (outside) 0 access-list outside_nat0_outbound

route outside 0.0.0.0 0.0.0.0 148.242.77.54 1
route outside 10.71.2.0 255.255.255.0 148.242.77.54 1

access-list outside_nat0_outbound extended permit ip 10.71.2.0 255.255.255.0 10.50.6.0 255.255.255.0
access-list outside_nat0_outbound extended permit ip 10.50.6.0 255.255.255.0 10.71.2.0 255.255.255.0

Does that look right?

rizwanr74 Tue, 05/15/2012 - 09:43

"Does that look right?"

Yes for Site 1, and please make sure that a static route exists on Site 2 as shown below.

route outside 10.71.2.0 255.255.255.0 xxx.xxx.xxx.xxx <-default-gateway at Site2 ASA.

You also need the below config copied on the Site2 ASA as well.

nat (outside) 0 access-list outside_nat0_outbound

access-list outside_nat0_outbound extended permit ip 10.71.2.0 255.255.255.0 10.50.6.0 255.255.255.0

access-list outside_nat0_outbound extended permit ip 10.50.6.0 255.255.255.0 10.71.2.0 255.255.255.0

Please be sure to include the network segments below in the crypto ACL for the site-to-site VPN between Site 1 and Site 2.

ip 10.71.2.0 255.255.255.0 10.50.6.0 255.255.255.0

ip 10.50.6.0 255.255.255.0 10.71.2.0 255.255.255.0

I look forward to hearing from you.

thanks

Rizwan Rafeek

Message was edited by: Rizwan Mohamed
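The checklist that Rizwan's two replies and the earlier exchange converge on (intra-interface hairpin permitted on Site 1, a nat 0 exemption on the outside interface in both directions on both ASAs, the VPN pool present in the crypto ACL on both sides, and a route on Site 2 pointing the pool back out the outside interface) can be verified mechanically against config fragments before touching the boxes. The Python script below is an added example written for this page; it is not from the thread or from Cisco. It parses only the 8.2-style syntax used in the replies (the OP's Site 1 runs 8.4 twice-NAT, which it does not understand), assumes the crypto ACL carries the same name on both ASAs, and the sample fragments, including the 203.0.113.1 next hop, are constructed for illustration.

```python
"""Validate the hairpin-over-tunnel flow from this thread: a remote-access VPN
pool terminated on Site 1 reaching Site 2's LAN over the Site 1 <-> Site 2
IPsec tunnel.  Only ASA 8.2-style syntax is parsed (assumption: no 8.4 twice-NAT)."""
import ipaddress
import re

# access-list NAME extended permit ip SRC SRCMASK DST DSTMASK  (only ACE form used here)
ACL_RE = re.compile(
    r"^access-list\s+(\S+)\s+extended\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
# nat (IFACE) 0 access-list NAME  -> 8.2 NAT exemption bound to an interface
NAT0_RE = re.compile(r"^nat\s+\((\w+)\)\s+0\s+access-list\s+(\S+)$")
# route IFACE NET MASK GATEWAY [metric]
ROUTE_RE = re.compile(r"^route\s+(\w+)\s+(\S+)\s+(\S+)\s+(\S+)")
HAIRPIN_LINE = "same-security-traffic permit intra-interface"


def parse_config(text):
    """Pull ACLs, nat 0 bindings, routes and the hairpin setting out of a fragment."""
    cfg = {"acls": {}, "nat0": {}, "routes": [], "hairpin": False}
    for raw in text.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            name, src, smask, dst, dmask = m.groups()
            cfg["acls"].setdefault(name, []).append(
                (ipaddress.ip_network(f"{src}/{smask}"), ipaddress.ip_network(f"{dst}/{dmask}")))
            continue
        m = NAT0_RE.match(line)
        if m:
            cfg["nat0"][m.group(1)] = m.group(2)
            continue
        m = ROUTE_RE.match(line)
        if m:
            iface, net, mask, gw = m.groups()
            cfg["routes"].append((iface, ipaddress.ip_network(f"{net}/{mask}"), gw))
            continue
        if line == HAIRPIN_LINE:
            cfg["hairpin"] = True
    return cfg


def covers(entries, src, dst):
    """True if some ACE contains the whole src -> dst pair."""
    return any(src.subnet_of(es) and dst.subnet_of(ed) for es, ed in entries)


def check_hairpin(site1_text, site2_text, crypto_acl, pool, lan):
    """Return a list of findings; an empty list means every check passed."""
    pool, lan = ipaddress.ip_network(pool), ipaddress.ip_network(lan)
    findings = []
    for site, text in (("site1", site1_text), ("site2", site2_text)):
        cfg = parse_config(text)
        # Site 1 takes the client in on outside and sends it back out on outside.
        if site == "site1" and not cfg["hairpin"]:
            findings.append(f"site1: '{HAIRPIN_LINE}' is missing")
        # nat 0 on the outside interface must exempt both directions on each ASA.
        exempt = cfg["acls"].get(cfg["nat0"].get("outside", ""), [])
        for s, d in ((pool, lan), (lan, pool)):
            if not covers(exempt, s, d):
                findings.append(f"{site}: nat (outside) 0 does not exempt {s} -> {d}")
        # Crypto ACL lists local networks first; the peer must hold the mirror image.
        local, remote = (pool, lan) if site == "site1" else (lan, pool)
        if not covers(cfg["acls"].get(crypto_acl, []), local, remote):
            findings.append(f"{site}: crypto ACL {crypto_acl} lacks {local} -> {remote}")
        # Site 2 must have a route sending the pool back out the outside interface.
        if site == "site2" and not any(
                i == "outside" and pool.subnet_of(n) for i, n, _ in cfg["routes"]):
            findings.append(f"site2: no route for {pool} out the outside interface")
    return findings


# Constructed sample fragments using the thread's subnets; 203.0.113.1 is a placeholder gateway.
SITE1_OK = """
same-security-traffic permit intra-interface
access-list outside_nat0_outbound extended permit ip 10.71.2.0 255.255.255.0 10.50.6.0 255.255.255.0
access-list outside_nat0_outbound extended permit ip 10.50.6.0 255.255.255.0 10.71.2.0 255.255.255.0
nat (outside) 0 access-list outside_nat0_outbound
access-list outside_cryptomap extended permit ip 10.71.1.0 255.255.255.0 10.50.6.0 255.255.255.0
access-list outside_cryptomap extended permit ip 10.71.2.0 255.255.255.0 10.50.6.0 255.255.255.0
"""
SITE2_OK = """
nat (inside) 1 0.0.0.0 0.0.0.0 dns
nat (outside) 0 access-list outside_nat0_outbound
access-list outside_nat0_outbound extended permit ip 10.71.2.0 255.255.255.0 10.50.6.0 255.255.255.0
access-list outside_nat0_outbound extended permit ip 10.50.6.0 255.255.255.0 10.71.2.0 255.255.255.0
access-list outside_cryptomap extended permit ip 10.50.6.0 255.255.255.0 10.71.1.0 255.255.255.0
access-list outside_cryptomap extended permit ip 10.50.6.0 255.255.255.0 10.71.2.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route outside 10.71.2.0 255.255.255.0 203.0.113.1 1
"""
# Same Site 2 with the reverse exemption, the pool's crypto ACE and the route left out.
SITE2_BROKEN = """
nat (inside) 1 0.0.0.0 0.0.0.0 dns
nat (outside) 0 access-list outside_nat0_outbound
access-list outside_nat0_outbound extended permit ip 10.71.2.0 255.255.255.0 10.50.6.0 255.255.255.0
access-list outside_cryptomap extended permit ip 10.50.6.0 255.255.255.0 10.71.1.0 255.255.255.0
"""

if __name__ == "__main__":
    for label, s2 in (("good", SITE2_OK), ("broken", SITE2_BROKEN)):
        print(label, check_hairpin(SITE1_OK, s2, "outside_cryptomap", "10.71.2.0/24", "10.50.6.0/24"))
```

The route check accepts any outside route that covers the pool, so a default route out the outside interface satisfies it; the explicit static route the reply asks for still makes the intent visible in the config and is what you would expect to see in a review.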

Posted May 3, 2012 at 11:00 AM
Tags: firewall, asa, 5505, rules