10-26-2006 04:23 AM - edited 02-21-2020 02:41 PM
Can anyone outline the steps necessary for a remote access client, which connects to a PIX 515 running 7.2, to be able to reach the network on the other end of a tunnel (ASA 5510) also being hosted by the same PIX? It's my understanding this is possible with the newer OS versions. What I'm not especially clear on is the nonat access lists and interesting traffic access lists as they relate to the remote access clients.
Thank you,
Bill
10-26-2006 07:18 AM
Hello Bill,
To do this you must enable IPSec hairpinning by using the following command in config mode:
same-security-traffic permit intra-interface
All firewall rules including ACL, NAT (also nonat) will be applied before sending traffic out to the same interface.
Regards
Pradeep
10-26-2006 09:58 AM
OK, I've had the same-security-traffic permit intra-interface command enabled through all my testing, but still am missing something.
Should the remote vpn access traffic be included in the same nonat and interesting traffic acls as the site to site tunnel traffic? I swear I've tried it with and without, but which is the right way?
My configuration currently stands as:
remote access subnet - 192.168.8.0/24
site to site tunnel network - 10.4.1.0/24
corporate LAN, inside int of firewall - 10.4.0.0/16
My crypto access list for interesting traffic:
access-list outside_30_cryptomap; 1 elements
access-list outside_30_cryptomap line 1 extended permit ip 10.0.0.0 255.0.0.0 10.4.1.0 255.255.255.0 (hitcnt=33)
My nonat ACL:
access-list nonat line 1 extended permit ip 10.0.0.0 255.0.0.0 192.168.8.0 255.255.255.0 (hitcnt=0) 0x412617ab
access-list nonat line 2 extended permit ip 192.168.8.0 255.255.255.0 10.0.0.0 255.0.0.0 (hitcnt=0) 0x45eb6278
access-list nonat line 3 extended permit ip 192.168.8.0 255.255.255.0 10.4.1.0 255.255.255.0 (hitcnt=0) 0xf276ed19
access-list nonat line 4 extended permit ip 10.0.0.0 255.0.0.0 10.4.1.0 255.255.255.0 (hitcnt=0) 0x990c4fae
access-list nonat line 5 extended permit ip 10.4.1.0 255.255.255.0 10.0.0.0 255.0.0.0 (hitcnt=0) 0xb816c957
Also, I have the "Enable inbound IPSec sessions to bypass interface access lists" setting enabled. Doesn't this apply only to remote access vpn clients?
thanks,
Bill
10-26-2006 10:19 AM
Hello,
Yes you will need to include it on the interesting traffic acl (you already have it on your nonat acl).
As for the "Enable inbound IPSec sessions to bypass interface access list" do you mean sysopt connection permit-ipsec? If so then the security device will bypass ACL checks for all IPsec tunnels.
Regards
Pradeep
10-26-2006 12:08 PM
Thanks. What's confusing about the sysopt connection permit-ipsec setting is that it makes it seem like the nonat and interesting traffic ACLs will be ignored, but that's not true, is it?
I found this link and adjusted my config accordingly, to include the interesting traffic and nonat ACLs on both ends. I haven't been able to test yet, but am hopeful.
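The hub-side configuration the thread converges on, written out as an added example rather than Bill's actual config. It reuses the addresses and ACL names from the thread (192.168.8.0/24 pool, 10.4.1.0/24 spoke LAN, 10.0.0.0/8 summary, outside_30_cryptomap, nonat); the pool name, crypto map name, sequence number and split-tunnel ACL are assumptions, and the spoke-side lines assume the ASA 5510 mirrors the hub.

```cisco
! --- Hub (PIX 515, 7.2): assumed names are marked
! Let traffic that arrived on "outside" leave through "outside" again
! (remote-access client -> site-to-site tunnel). Without this the
! hairpinned packets are dropped regardless of the ACLs below.
same-security-traffic permit intra-interface

! Remote-access address pool (name assumed)
ip local pool RA_POOL 192.168.8.1-192.168.8.254 mask 255.255.255.0

! Interesting traffic for the site-to-site tunnel. Line 1 is the
! existing entry; line 2 is the addition the thread settles on, so the
! client pool is encrypted toward the spoke instead of being routed.
access-list outside_30_cryptomap extended permit ip 10.0.0.0 255.0.0.0 10.4.1.0 255.255.255.0
access-list outside_30_cryptomap extended permit ip 192.168.8.0 255.255.255.0 10.4.1.0 255.255.255.0

! NAT exemption: pool <-> spoke must be exempt in both directions, or the
! hairpinned flow is translated and no longer matches the crypto ACL.
access-list nonat extended permit ip 10.0.0.0 255.0.0.0 192.168.8.0 255.255.255.0
access-list nonat extended permit ip 192.168.8.0 255.255.255.0 10.4.1.0 255.255.255.0
access-list nonat extended permit ip 10.0.0.0 255.0.0.0 10.4.1.0 255.255.255.0
nat (inside) 0 access-list nonat

! Bind the crypto ACL to the site-to-site map entry (map name/seq assumed)
crypto map outside_map 30 match address outside_30_cryptomap

! Bypasses the interface ACL for decrypted IPsec traffic only; the crypto
! ACL and nonat ACL above are still evaluated (7.2 keyword).
sysopt connection permit-ipsec

! If the clients use split tunnelling, the spoke LAN must also be in the
! split list or the client never sends 10.4.1.0/24 into the tunnel
! (ACL and group-policy names assumed).
access-list SPLIT_TUNNEL standard permit 10.4.0.0 255.255.0.0
access-list SPLIT_TUNNEL standard permit 10.4.1.0 255.255.255.0
group-policy RA_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL

! --- Spoke (ASA 5510): mirror of the hub's crypto and nonat entries
access-list outside_cryptomap extended permit ip 10.4.1.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list outside_cryptomap extended permit ip 10.4.1.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list nonat extended permit ip 10.4.1.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list nonat extended permit ip 10.4.1.0 255.255.255.0 192.168.8.0 255.255.255.0
nat (inside) 0 access-list nonat
```

After connecting a client and pinging a 10.4.1.0/24 host, "show access-list outside_30_cryptomap" should show the hit count rising on the 192.168.8.0 line; a hit count that stays at zero usually means the flow is still being translated or routed rather than encrypted.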
10-26-2006 12:17 PM
It works!