ASA: 8.3 "Nat U-turn" Example - RA VPN Client traffic

Sat, 05/16/2015 - 09:28
Jun 15th, 2010
Cisco Employee

Reference document for handling the NAT aspect of U-turning RA VPN client traffic on ASA 8.3.


Example of U-turning Internet traffic (i.e. the VPN client connects with a tunnel-all policy but still needs Internet access, so its traffic must leave the ASA through the same outside interface it arrived on)


Topology

192.168.1.0/24  inside(ASA1)outside------------Internet
                               |
                               ===VPN===VPN Client (vpnclient pool 192.168.3.0/24)


object network obj-vpnpool
 subnet 192.168.3.0 255.255.255.0
 nat (outside,outside) dynamic interface




Example of U-turning RA VPN traffic across another L2L tunnel (i.e. your VPN client connects to one ASA but needs to reach remote subnets behind another ASA across a L2L tunnel)


Topology

192.168.1.0/24 inside(ASA1)outside===VPN==outside(ASA2)inside 192.168.2.0/24
                              |
                              ===VPN===VPN Client (vpnclient pool 192.168.3.0/24)


object network obj-vpnpool
 subnet 192.168.3.0 255.255.255.0

object network obj-remote
 subnet 192.168.2.0 255.255.255.0

nat (outside,outside) 1 source static obj-vpnpool obj-vpnpool destination static obj-remote obj-remote


You may also need the reverse rule (the logs will report an asymmetric NAT entry) if you are running code without the fix for CSCth72642:

nat (outside,outside) 2 source static obj-remote obj-remote destination static obj-vpnpool obj-vpnpool


*Note: Due to bug CSCtf89372, I use the "1" in the command above to put the vpn nat statement at the top of all my nat statements.
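The two scenarios above combined into one ASA 8.3 configuration, as an added example (not the document's own text). It assumes the interface names and objects from the document, adds the prerequisite "same-security-traffic permit intra-interface" that the replies below point out is required for traffic to enter and leave the outside interface, and uses constructed host addresses (192.168.3.10, 192.168.2.10, 198.51.100.1) for the verification commands.

```cisco
! Prerequisite: let traffic enter and leave the same (outside) interface.
! Without this the hairpinned VPN client packets are dropped before NAT is evaluated.
same-security-traffic permit intra-interface

! Objects for the RA VPN pool and the remote L2L subnet
object network obj-vpnpool
 subnet 192.168.3.0 255.255.255.0
object network obj-remote
 subnet 192.168.2.0 255.255.255.0

! Scenario 2: identity (twice) NAT so VPN client -> remote-site traffic is not
! translated before it is sent into the L2L tunnel. Manual NAT lives in section 1
! of the NAT table; the "1" keeps this rule at the top (see the note on CSCtf89372).
nat (outside,outside) 1 source static obj-vpnpool obj-vpnpool destination static obj-remote obj-remote
! Reverse rule, only needed on code that lacks the CSCth72642 fix
nat (outside,outside) 2 source static obj-remote obj-remote destination static obj-vpnpool obj-vpnpool

! Scenario 1: tunnel-all clients reaching the Internet are PAT'd to the outside
! interface address. Object NAT is section 2, evaluated after the manual rules above,
! so remote-site traffic is matched by the identity rule first and is never PAT'd.
object network obj-vpnpool
 nat (outside,outside) dynamic interface

! Verification: confirm the rule order, then trace one flow per scenario.
! The first trace should hit the identity rule (no translation) and the second the
! dynamic interface PAT; constructed addresses, substitute your own.
show nat
packet-tracer input outside tcp 192.168.3.10 1025 192.168.2.10 80
packet-tracer input outside tcp 192.168.3.10 1025 198.51.100.1 80
```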


cillie.truter Wed, 05/30/2012 - 04:37

This helped me out with getting my config working!! Thanks a lot.

The fix for CSCth72642 is for the asymmetric error?

How do I apply this fix?


Thanks again.

guillermodiazcisco Thu, 05/14/2015 - 16:11

Hi hdashnau,

This helped me get a little bit closer to giving my vpn l2tp/ipsec users internet access through the tunnel but it seems that I get the response from the dns server and nothing more. This is my config omitting unnecessary information:

group-policy my-policy attributes
 split-tunnel-policy tunnelall

object network vpn_client
 nat (outside,outside) dynamic interface

I also tried this other nat rule and got the same result:

nat (outside,outside) source dynamic vpn_client interface

I will really appreciate the help. Thanks in advance

razvan1979 Fri, 05/15/2015 - 23:20

Hi,

You need this command: "same-security-traffic permit intra-interface"

reference:

same-security-traffic

To permit communication between interfaces with equal security levels, or to allow traffic to enter and exit the same interface, use the same-security-traffic command in global configuration mode. To disable the same-security traffic, use the no form of this command.

same-security-traffic permit {inter-interface | intra-interface}

no same-security-traffic permit {inter-interface | intra-interface}

Syntax Description


inter-interface

Permits communication between different interfaces that have the same security level.

intra-interface

Permits communication in and out of the same interface.
