New Member

steps for remote access client to reach vpn tunnel

Can anyone outline the steps necessary for a remote access client, which connects to a PIX 515 running 7.2, to be able to reach the network on the other end of a tunnel (ASA 5510) also being hosted by the same PIX? It's my understanding this is possible with the newer OS versions. What I'm not especially clear on is the nonat access lists and interesting traffic access lists as they relate to the remote access clients.

Thank you,

Bill

5 REPLIES
New Member

Re: steps for remote access client to reach vpn tunnel

Hello Bill,

To do this you must enable IPSec hairpinning by using the following command in config mode:

same-security-traffic permit intra-interface

All firewall rules, including ACLs and NAT (also nonat), will be applied before sending traffic back out the same interface.

Regards

Pradeep

New Member

Re: steps for remote access client to reach vpn tunnel

OK, I've had the same-security-traffic permit intra-interface command enabled through all my testing, but still am missing something.

Should the remote vpn access traffic be included in the same nonat and interesting traffic acls as the site to site tunnel traffic? I swear I've tried it with and without, but which is the right way?

My configuration currently stands as:

remote access subnet - 192.168.8.0/24

site to site tunnel network - 10.4.1.0/24

corporate LAN, inside int of firewall - 10.4.0.0/16

My crypto access list for interesting traffic:

access-list outside_30_cryptomap; 1 elements

access-list outside_30_cryptomap line 1 extended permit ip 10.0.0.0 255.0.0.0 10.4.1.0 255.255.255.0 (hitcnt=33)

My nonat ACL:

access-list nonat line 1 extended permit ip 10.0.0.0 255.0.0.0 192.168.8.0 255.255.255.0 (hitcnt=0) 0x412617ab

access-list nonat line 2 extended permit ip 192.168.8.0 255.255.255.0 10.0.0.0 255.0.0.0 (hitcnt=0) 0x45eb6278

access-list nonat line 3 extended permit ip 192.168.8.0 255.255.255.0 10.4.1.0 255.255.255.0 (hitcnt=0) 0xf276ed19

access-list nonat line 4 extended permit ip 10.0.0.0 255.0.0.0 10.4.1.0 255.255.255.0 (hitcnt=0) 0x990c4fae

access-list nonat line 5 extended permit ip 10.4.1.0 255.255.255.0 10.0.0.0 255.0.0.0 (hitcnt=0) 0xb816c957

Also, I have the "Enable inbound IPSec sessions to bypass interface access lists" setting enabled. Doesn't this apply only to remote access VPN clients?

thanks,

Bill

New Member

Re: steps for remote access client to reach vpn tunnel

Hello,

Yes, you will need to include it in the interesting traffic ACL (you already have it in your nonat ACL).

As for the "Enable inbound IPSec sessions to bypass interface access list" setting, do you mean sysopt connection permit-ipsec? If so, then the security device will bypass ACL checks for all IPsec tunnels.

Regards

Pradeep
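An added example (not from the thread, nor from the Cisco configuration guide) of how Pradeep's answer fits together on both ends, using the subnets Bill listed; the PIX ACL names match Bill's output, while the ACL names on the ASA 5510 side are assumed:

```cisco
! ---- PIX 515 (7.2): hub terminating both the VPN clients and the L2L tunnel ----
! Subnets from the thread: client pool 192.168.8.0/24, remote site 10.4.1.0/24,
! corporate side summarised as 10.0.0.0/8 exactly as in Bill's ACLs.

! Decrypted client traffic arrives on outside and must be allowed to leave on outside again
same-security-traffic permit intra-interface

! Interesting traffic for the L2L tunnel: corporate side AND the client pool toward the remote site
access-list outside_30_cryptomap extended permit ip 10.0.0.0 255.0.0.0 10.4.1.0 255.255.255.0
access-list outside_30_cryptomap extended permit ip 192.168.8.0 255.255.255.0 10.4.1.0 255.255.255.0

! NAT exemption for every VPN-to-VPN pairing; bound to both interfaces because the
! hairpinned client traffic enters and exits through outside
access-list nonat extended permit ip 10.0.0.0 255.0.0.0 192.168.8.0 255.255.255.0
access-list nonat extended permit ip 10.0.0.0 255.0.0.0 10.4.1.0 255.255.255.0
access-list nonat extended permit ip 192.168.8.0 255.255.255.0 10.4.1.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (outside) 0 access-list nonat

! Let decrypted IPsec traffic bypass the interface ACL (the checkbox Bill mentioned);
! it does not bypass the crypto ACL or the NAT exemption, which are still consulted
sysopt connection permit-ipsec

! ---- ASA 5510 (remote spoke): mirror image of the crypto ACL plus its own NAT exemption ----
! ACL names outside_cryptomap and nonat are assumed here (not from the thread).
access-list outside_cryptomap extended permit ip 10.4.1.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list outside_cryptomap extended permit ip 10.4.1.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list nonat extended permit ip 10.4.1.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list nonat extended permit ip 10.4.1.0 255.255.255.0 192.168.8.0 255.255.255.0
nat (inside) 0 access-list nonat

! Check on the PIX: after a client reaches a 10.4.1.x host, the hitcnt on the second
! cryptomap line and on the 192.168.8.0 nonat line should rise, and the IPsec SA
! output should show 192.168.8.0/24 <-> 10.4.1.0/24 as a proxy identity
show access-list outside_30_cryptomap
show access-list nonat
show crypto ipsec sa
```

Without the second cryptomap line on the PIX and its mirror on the ASA, client traffic for 10.4.1.0/24 is hairpinned but never matched to the L2L SA, which is the symptom of zero hitcnt on the nonat lines in Bill's output.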

New Member

Re: steps for remote access client to reach vpn tunnel

Thanks. What's confusing about the sysopt connection permit-ipsec setting is that it makes it seem like the nonat and interesting traffic ACLs will be ignored, but that's not true, is it?

I found this link and adjusted my config accordingly, to include the interesting traffic and nonat ACLs on both ends. I haven't been able to test yet, but am hopeful.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008046f307.shtml

New Member

Re: steps for remote access client to reach vpn tunnel

It works!
