
steps for remote access client to reach vpn tunnel

WILLIAM STEGMAN
Level 4

Can anyone outline the steps necessary for a remote access client, which connects to a PIX 515 running 7.2, to be able to reach the network on the other end of a tunnel (ASA 5510) also being hosted by the same PIX? It's my understanding this is possible with the newer OS versions. What I'm not especially clear on is the nonat access lists and interesting traffic access lists as they relate to the remote access clients.

Thank you,

Bill

5 Replies

pmajumder
Level 3

Hello Bill,

To do this you must enable IPSec hairpinning by using the following command in config mode:

same-security-traffic permit intra-interface

All firewall rules including ACL, NAT (also nonat) will be applied before sending traffic out to the same interface.

Regards

Pradeep

OK, I've had the same-security-traffic permit intra-interface command enabled through all my testing, but still am missing something.

Should the remote vpn access traffic be included in the same nonat and interesting traffic acls as the site to site tunnel traffic? I swear I've tried it with and without, but which is the right way?

my configuration currently stands as:

remote access subnet - 192.168.8.0/24

site to site tunnel network - 10.4.1.0/24

corporate LAN, inside int of firewall - 10.4.0.0/16

my crypto access list for interesting traffic

access-list outside_30_cryptomap; 1 elements

access-list outside_30_cryptomap line 1 extended permit ip 10.0.0.0 255.0.0.0 10.4.1.0 255.255.255.0 (hitcnt=33)

my nonat ACL

access-list nonat line 1 extended permit ip 10.0.0.0 255.0.0.0 192.168.8.0 255.255.255.0 (hitcnt=0) 0x412617ab

access-list nonat line 2 extended permit ip 192.168.8.0 255.255.255.0 10.0.0.0 255.0.0.0 (hitcnt=0) 0x45eb6278

access-list nonat line 3 extended permit ip 192.168.8.0 255.255.255.0 10.4.1.0 255.255.255.0 (hitcnt=0) 0xf276ed19

access-list nonat line 4 extended permit ip 10.0.0.0 255.0.0.0 10.4.1.0 255.255.255.0 (hitcnt=0) 0x990c4fae

access-list nonat line 5 extended permit ip 10.4.1.0 255.255.255.0 10.0.0.0 255.0.0.0 (hitcnt=0) 0xb816c957

Also, I have the "Enable inbound IPSec sessions to bypass interface access lists" setting enabled. Doesn't this apply only to remote access vpn clients?

thanks,

Bill

Hello,

Yes you will need to include it on the interesting traffic acl (you already have it on your nonat acl).

As for the "Enable inbound IPSec sessions to bypass interface access list" do you mean sysopt connection permit-ipsec? If so then the security device will bypass ACL checks for all IPsec tunnels.

Regards

Pradeep
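An added example, not from this thread or from Cisco: a small Python checker that parses the show access-list output quoted above and tests whether a VPN-client-to-remote-site flow is matched by both the crypto (interesting traffic) ACL and the nonat ACL. It assumes first-match evaluation in the listed order; the ACL names, networks and the missing ACE are taken from the posts above, and the sample addresses are constructed.

```python
import ipaddress
import re

# Constructed sample: the "show access-list" lines quoted in the thread above.
SHOW_ACCESS_LIST = """
access-list outside_30_cryptomap line 1 extended permit ip 10.0.0.0 255.0.0.0 10.4.1.0 255.255.255.0 (hitcnt=33)
access-list nonat line 1 extended permit ip 10.0.0.0 255.0.0.0 192.168.8.0 255.255.255.0 (hitcnt=0) 0x412617ab
access-list nonat line 2 extended permit ip 192.168.8.0 255.255.255.0 10.0.0.0 255.0.0.0 (hitcnt=0) 0x45eb6278
access-list nonat line 3 extended permit ip 192.168.8.0 255.255.255.0 10.4.1.0 255.255.255.0 (hitcnt=0) 0xf276ed19
access-list nonat line 4 extended permit ip 10.0.0.0 255.0.0.0 10.4.1.0 255.255.255.0 (hitcnt=0) 0x990c4fae
access-list nonat line 5 extended permit ip 10.4.1.0 255.255.255.0 10.0.0.0 255.0.0.0 (hitcnt=0) 0xb816c957
"""

# The ACE the reply above says is missing: remote-access pool -> site-to-site network.
MISSING_CRYPTO_ACE = ("access-list outside_30_cryptomap line 2 extended permit ip "
                      "192.168.8.0 255.255.255.0 10.4.1.0 255.255.255.0")

ACE_RE = re.compile(r"^access-list (\S+) line \d+ extended (permit|deny) ip "
                    r"(\S+) (\S+) (\S+) (\S+)")

def parse_acls(text):
    """Return {acl_name: [(action, src_net, dst_net), ...]} in listed order."""
    acls = {}
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if not m:  # skips the "; N elements" header and non-IP lines
            continue
        name, action, src, smask, dst, dmask = m.groups()
        src_net = ipaddress.ip_network(f"{src}/{smask}", strict=False)
        dst_net = ipaddress.ip_network(f"{dst}/{dmask}", strict=False)
        acls.setdefault(name, []).append((action, src_net, dst_net))
    return acls

def first_match(aces, src, dst):
    """ACLs are first-match: action of the first ACE covering src->dst, else None."""
    for action, src_net, dst_net in aces:
        if src in src_net and dst in dst_net:
            return action
    return None

def check_hairpin_flow(acls, src, dst, crypto_acl="outside_30_cryptomap", nonat_acl="nonat"):
    """Is a VPN-client flow both selected for encryption (crypto ACL) and exempt from NAT?"""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return {"crypto": first_match(acls.get(crypto_acl, []), src, dst) == "permit",
            "nonat": first_match(acls.get(nonat_acl, []), src, dst) == "permit"}

if __name__ == "__main__":
    print(check_hairpin_flow(parse_acls(SHOW_ACCESS_LIST), "192.168.8.10", "10.4.1.20"))  # {'crypto': False, 'nonat': True}
    print(check_hairpin_flow(parse_acls(SHOW_ACCESS_LIST + MISSING_CRYPTO_ACE), "192.168.8.10", "10.4.1.20"))  # {'crypto': True, 'nonat': True}
```

The first result shows why the original config failed: 192.168.8.0/24 is not inside 10.0.0.0/8, so client traffic to 10.4.1.0/24 never became interesting traffic for the site-to-site tunnel even though the nonat ACL already covered it.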

thanks. What's confusing about the sysopt connection permit-ipsec setting is that it makes it seem like the nonat and interesting traffic ACLs will be ignored, but that's not true, is it?

I found this link and adjusted my config accordingly, to include the interesting traffic and nonat ACLs on both ends. I haven't been able to test yet, but am hopeful.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008046f307.shtml

it works!