[c-nsp] Allowing VPN clients to access L2L tunnels terminating on the same outside interface
Aaron Riemer
ariemer at wesenergy.com.au
Wed Nov 26 02:12:00 EST 2008
Hey guys,
I am hoping someone out there has configured something similar as I am
having a lot of grief getting this working.
Essentially what we are trying to do is to allow our VPN clients to
access other L2L sites that terminate on the same outside interface. See
below for details.
VPN Client address range 10.100.1.100-200/24
VPN client default gateway 10.100.1.1/24 (Inside 3750 switch next hop
after ASA)
ASA Inside address 10.100.1.10/24
VPN tunnel peer addressing: 172.16.0.0/16
We have configured the necessary commands to allow this hairpinning..
i.e. 'same-security-traffic permit intra-interface'. The relevant VPN
rules and nonat are in place to allow the entire 10.100.1.0/24 range
across the L2L tunnel and this has been tested by attempting to telnet
to a web server at the tunnel destination via the inside 3750.
It's just the VPN clients on the outside interface can't seem to get
through the tunnel. What makes things even more confusing is that ICMP
goes across no problem but no TCP traffic will pass. (No SYN-ACK
received from the web server). I have checked the logs and they don't
indicate that any traffic is being denied. I can see the connection
being built twice from the outside back to the inside default gateway
then back from the inside (maybe this is the problem do we need to make
the vpn client pool gateway address an address on the firewall??)
2008/11/26 15:08:48 %ASA-6-302013: Built inbound TCP connection
137555837 for Outside:10.100.1.101/2523 (10.100.1.101/2523) to
Inside:172.16.1.10/80 (172.16.1.10/80)
2008/11/26 15:08:48 %ASA-6-302013: Built outbound TCP connection
137555838 for Outside: 172.16.1.10/80 (172.16.1.10/80) to
Inside:10.100.1.101/2523 (10.100.1.101/2523)
Thanks in advance.
Aaron.
LEGAL DISCLAIMER: This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.
More information about the cisco-nsp
mailing list