Cisco Support Community
New Member

vpn accessing multiple vlans asa8.3

looking for some help. going batty on this one.

I have ASA 5510 running 8.3

it acts as router, firewall and vpn.

the underlying network runs fine.

when i connect via VPN I can only access my .41 network and not the .42 network. when i try to ping .42 i get this error:

5      Oct 18 2010      00:33:13            192.168.42.11      3389                   Asymmetric NAT rules matched for forward and reverse  flows; Connection for tcp src Outside:192.168.43.200/2916 dst servers:192.168.42.11/3389 denied due to NAT reverse path failure


if i flip these rules in config order then i can access .42 via vpn but not .41

nat (servers,any) source static any any destination static obj-vpnpool obj-vpnpool
nat (iscsimgmt,any) source static any any destination static obj-vpnpool obj-vpnpool

i'm confused because this is all a new config and i used the wizard in asdm and couldn't access squat (maybe it doesn't know how to handle vlans)?

the ASA can ping all networks fine.

devices on the network can ping each other fine

just via ipsec vpn i can't access both networks.

thoughts?

Accepted Solutions
Super Bronze

Re: vpn accessing multiple vlans asa8.3

Please configure more specific NAT statements as follows:

object network obj-iscsimgmt
subnet 192.168.42.0 255.255.255.0


nat (servers,Outside) source static obj-servers obj-servers destination static obj-vpnpool obj-vpnpool
nat (iscsimgmt,Outside) source static obj-iscsimgmt obj-iscsimgmt destination static obj-vpnpool obj-vpnpool

And pls remove the following:

nat (servers,any) source static any any destination static obj-vpnpool obj-vpnpool
nat (iscsimgmt,any) source static any any destination static obj-vpnpool obj-vpnpool

Then "clear xlate" after the above changes.

Hope that helps.
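
An added example, not part of the original thread and not Cisco tooling: a small Python check that flags pairs of identity NAT rules, like the two removed above, that the same traffic from the VPN pool can match while each names a different inside interface. It uses a simplified first-match model of manual NAT, and the `obj-servers` subnet is an assumption (the thread only calls it the .41 network).

```python
import re
from ipaddress import ip_network

# Twice-NAT identity rule in the ASA 8.3 form quoted in this thread.
NAT_RE = re.compile(
    r"nat \((?P<real_if>[^,]+),(?P<mapped_if>[^)]+)\) source static "
    r"(?P<src>\S+) \S+ destination static (?P<dst>\S+) \S+$")

def parse(config):
    """Return ({object name: subnet}, [NAT rules in config order])."""
    objects, rules, current = {"any": ip_network("0.0.0.0/0")}, [], None
    for line in map(str.strip, config.splitlines()):
        if line.startswith("object network "):
            current = line.split()[2]
        elif line.startswith("subnet ") and current:
            _, net, mask = line.split()
            objects[current] = ip_network(f"{net}/{mask}")
        elif (m := NAT_RE.match(line)):
            rules.append(m.groupdict())
    return objects, rules

def ambiguous_pairs(config):
    """(earlier, later) rule indexes that the same VPN-pool traffic can match
    while naming different real interfaces (simplified first-match model)."""
    objects, rules = parse(config)
    pairs = []
    for j, later in enumerate(rules):
        for i, earlier in enumerate(rules[:j]):
            ifs = {earlier["mapped_if"], later["mapped_if"]}
            if (earlier["dst"] == later["dst"]
                    and earlier["real_if"] != later["real_if"]
                    and ("any" in ifs or len(ifs) == 1)
                    and objects[earlier["src"]].overlaps(objects[later["src"]])):
                pairs.append((i, j))
    return pairs

# Constructed sample; the obj-servers subnet is assumed (".41 network").
OBJECTS = """object network obj-servers
 subnet 192.168.41.0 255.255.255.0
object network obj-iscsimgmt
 subnet 192.168.42.0 255.255.255.0
"""
ORIGINAL = OBJECTS + """nat (servers,any) source static any any destination static obj-vpnpool obj-vpnpool
nat (iscsimgmt,any) source static any any destination static obj-vpnpool obj-vpnpool
"""
FIXED = OBJECTS + """nat (servers,Outside) source static obj-servers obj-servers destination static obj-vpnpool obj-vpnpool
nat (iscsimgmt,Outside) source static obj-iscsimgmt obj-iscsimgmt destination static obj-vpnpool obj-vpnpool
"""
print(ambiguous_pairs(ORIGINAL), ambiguous_pairs(FIXED))
```

The original pair is reported as `(0, 1)` because both rules use `any any` as the source; the replacement rules name non-overlapping subnets, so nothing is reported.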

5 REPLIES
Super Bronze

Re: vpn accessing multiple vlans asa8.3

Sorry, seems like you have attached configuration from a different ASA (it's version 8.0.3 instead of 8.3.x). Also, couldn't find interfaces that are named "servers" and "iscsimgmt".

New Member

Re: vpn accessing multiple vlans asa8.3

posted the correct one.. whoops

New Member

Re: vpn accessing multiple vlans asa8.3

this worked perfectly you are the BEST!!!!!!!!!

Super Bronze

Re: vpn accessing multiple vlans asa8.3

Excellent stuff.. thanks for the rating.
