Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1315
Views
0
Helpful
5
Replies

vpn accessing multiple vlans asa8.3

Go to solution
dszuberla
Level 1
Level 1

‎10-19-2010 07:24 PM

looking for some help. going batty on this one.

I have ASA 5510 running 8.3

it acts as router, firewall and vpn.

the underlying network runs fine.

when i connect via VPN I can only access my .41 network and not the .42 network. when i try to ping .42 i get this error:

5      Oct 18 2010      00:33:13            192.168.42.11      3389                   Asymmetric NAT rules matched for forward and reverse  flows; Connection for tcp src Outside:192.168.43.200/2916 dst servers:192.168.42.11/3389 denied due to NAT reverse path failure


if i flip these rules in config order then i can access .42 via vpn but not .41

nat (servers,any) source static any any destination static obj-vpnpool obj-vpnpool
nat (iscsimgmt,any) source static any any destination static obj-vpnpool obj-vpnpool

i'm confused because this is all a new config and i used the wizard in asdm and couldn't access squat (maybe it doesn't know how to handle vlans)?

the ASA can ping all networks fine.

devices on the network can ping each other fine

just via ipsec vpn i can't access both networks.

thoughts?

Labels:
73765-asa.txt.zip
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee
In response to dszuberla

‎10-19-2010 08:05 PM

Please configure a more specific NAT statements as follows:

object network obj-iscsimgmt
subnet 192.168.42.0 255.255.255.0


nat (servers,Outside) source static obj-servers obj-servers destination static obj-vpnpool obj-vpnpool
nat (iscsimgmt,Outside) source static obj-iscsimgmt obj-iscsimgmt destination static obj-vpnpool obj-vpnpool

And pls remove the following:

nat (servers,any) source static any any destination static obj-vpnpool obj-vpnpool
nat (iscsimgmt,any) source static any any destination static obj-vpnpool obj-vpnpool

Then "clear xlate" after the above changes.

Hope that helps.

View solution in original post

0 Helpful
5 Replies 5

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee

‎10-19-2010 07:57 PM

Sorry, seems like you have attached configuration from a different ASA (it's version 8.0.3 instead of 8.3.x). Also, couldn't find interfaces that's named "servers" and "iscsimgmt"

0 Helpful

Go to solution
dszuberla
Level 1
Level 1
In response to Jennifer Halim

‎10-19-2010 07:59 PM

posted the correct one.. whoops

0 Helpful

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee
In response to dszuberla

‎10-19-2010 08:05 PM

Please configure a more specific NAT statements as follows:

object network obj-iscsimgmt
subnet 192.168.42.0 255.255.255.0


nat (servers,Outside) source static obj-servers obj-servers destination static obj-vpnpool obj-vpnpool
nat (iscsimgmt,Outside) source static obj-iscsimgmt obj-iscsimgmt destination static obj-vpnpool obj-vpnpool

And pls remove the following:

nat (servers,any) source static any any destination static obj-vpnpool obj-vpnpool
nat (iscsimgmt,any) source static any any destination static obj-vpnpool obj-vpnpool

Then "clear xlate" after the above changes.

Hope that helps.

0 Helpful

Go to solution
dszuberla
Level 1
Level 1
In response to Jennifer Halim

‎10-19-2010 08:14 PM

this worked perfectly you are the BEST!!!!!!!!!

0 Helpful

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee
In response to dszuberla

‎10-19-2010 08:16 PM

Excellent stuff.. thanks for the rating.

0 Helpful
Customers Also Viewed These Support Documents