[c-nsp] Allowing VPN clients to access L2L tunnels terminating on the same outside interface

Ge Moua moua0100 at umn.edu
Wed Nov 26 13:32:57 EST 2008


What about setting up some GRE tunnels to route the traffic of interest
over to the other L2L sites? I've seen configs for this on Cisco CCO.

Regards,
Ge Moua | Email: moua0100 at umn.edu

Network Design Engineer
University of Minnesota | Networking & Telecommunications Services

Aaron Riemer wrote:
> Hey guys,
>  
> I am hoping someone out there has configured something similar as I am
> having a lot of grief getting this working.
>  
> Essentially what we are trying to do is to allow our VPN clients to
> access other L2L sites that terminate on the same outside interface. See
> below for details.
>  
> VPN Client address range 10.100.1.100-200/24
> VPN client default gateway 10.100.1.1/24 (Inside 3750 switch next hop
> after ASA)
> ASA Inside address 10.100.1.10/24
> VPN tunnel peer addressing: 172.16.0.0/16
>  
> We have configured the necessary commands to allow this hairpinning,
> i.e. 'same-security-traffic permit intra-interface'. The relevant VPN
> rules and nonat are in place to allow the entire 10.100.1.0/24 range
> across the L2L tunnel, and this has been tested by attempting to telnet
> to a web server at the tunnel destination via the inside 3750.
>  
> It's just the VPN clients on the outside interface can't seem to get
> through the tunnel. What makes things even more confusing is that ICMP
> goes across no problem but no TCP traffic will pass. (No SYN-ACK
> received from the web server). I have checked the logs and they don't
> indicate that any traffic is being denied. I can see the connection
> being built twice: from the outside back to the inside default gateway,
> then back from the inside. (Maybe this is the problem; do we need to make
> the VPN client pool gateway address an address on the firewall?)
>  
> 2008/11/26 15:08:48  %ASA-6-302013: Built inbound TCP connection
> 137555837 for Outside:10.100.1.101/2523 (10.100.1.101/2523) to
> Inside:172.16.1.10/80 (172.16.1.10/80) 
> 2008/11/26 15:08:48  %ASA-6-302013: Built outbound TCP connection
> 137555838 for Outside: 172.16.1.10/80 (172.16.1.10/80) to
> Inside:10.100.1.101/2523 (10.100.1.101/2523)
>  
> Thanks in advance.
>  
> Aaron.
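The two %ASA-6-302013 lines in Aaron's post carry the whole symptom: the same VPN-client-to-web-server flow is built twice, once inbound from Outside toward Inside and once outbound the other way, and the first build sends a 172.16.0.0/16 destination (the L2L peer network) toward Inside rather than out the interface the tunnel terminates on. The script below is an added example, not code from the original thread or from Cisco: it parses 302013 "Built ... TCP connection" lines and flags both patterns so the problem can be spotted in a syslog export instead of by eye. The sample log is constructed (the first two lines copy the shape of the ones in the post; the third is an assumed healthy inside-to-tunnel flow), and the remote network 172.16.0.0/16 and the expected egress interface name "Outside" are taken from the post as assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: lines 1-2 mirror the two log lines quoted in the post,
# line 3 is an assumed healthy flow from an inside host out through the L2L tunnel.
SAMPLE_LOG = """\
2008/11/26 15:08:48  %ASA-6-302013: Built inbound TCP connection 137555837 for Outside:10.100.1.101/2523 (10.100.1.101/2523) to Inside:172.16.1.10/80 (172.16.1.10/80)
2008/11/26 15:08:48  %ASA-6-302013: Built outbound TCP connection 137555838 for Outside: 172.16.1.10/80 (172.16.1.10/80) to Inside:10.100.1.101/2523 (10.100.1.101/2523)
2008/11/26 15:09:02  %ASA-6-302013: Built outbound TCP connection 137555901 for Inside:10.100.1.50/40000 (10.100.1.50/40000) to Outside:172.16.1.10/80 (172.16.1.10/80)
"""

# Shape of the 302013 message as it appears in the post. The mapped addresses in
# parentheses are matched but not kept; "\s*" after the interface colon tolerates the
# stray space seen in "Outside: 172.16.1.10/80".
BUILT_RE = re.compile(
    r"^(?P<ts>\S+ \S+)\s+%ASA-6-302013: Built (?P<direction>inbound|outbound) TCP connection "
    r"(?P<conn_id>\d+) for (?P<src_if>[^:]+):\s*(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"\([\d.]+/\d+\) to (?P<dst_if>[^:]+):\s*(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) \([\d.]+/\d+\)\s*$"
)


def parse_built(line):
    """Return a dict for one 302013 line, or None if the line is something else."""
    m = BUILT_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    for field in ("conn_id", "src_port", "dst_port"):
        rec[field] = int(rec[field])
    return rec


def parse_log(text):
    """Parse every 302013 line in a syslog export, skipping anything else."""
    return [r for r in map(parse_built, text.splitlines()) if r is not None]


def flow_key(rec):
    """Direction-independent identity of a TCP flow: the unordered pair of endpoints."""
    return frozenset({(rec["src_ip"], rec["src_port"]), (rec["dst_ip"], rec["dst_port"])})


def double_builds(records):
    """Flows built more than once with opposite directions.

    That is the signature in the post: the packet leaves toward Inside, the 3750
    sends it straight back, and the ASA builds a second connection for the same
    socket pair. Returns one sorted list of connection IDs per affected flow.
    """
    by_flow = defaultdict(list)
    for r in records:
        by_flow[flow_key(r)].append(r)
    found = []
    for recs in by_flow.values():
        if len(recs) > 1 and {r["direction"] for r in recs} == {"inbound", "outbound"}:
            found.append(sorted(r["conn_id"] for r in recs))
    return found


def misrouted_builds(records, remote_net, expected_if):
    """Builds whose destination is inside the L2L peer network but whose egress
    interface is not the one the tunnel terminates on (assumed: "Outside")."""
    net = ipaddress.ip_network(remote_net)
    return [
        r["conn_id"]
        for r in records
        if ipaddress.ip_address(r["dst_ip"]) in net and r["dst_if"] != expected_if
    ]


def analyze(text, remote_net="172.16.0.0/16", expected_if="Outside"):
    """Run both checks over a syslog export and return the findings."""
    recs = parse_log(text)
    return {
        "records": len(recs),
        "double_builds": double_builds(recs),
        "misrouted": misrouted_builds(recs, remote_net, expected_if),
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    print(f"parsed {report['records']} 302013 lines")
    for ids in report["double_builds"]:
        print("same flow built twice in opposite directions, conn ids:", ids)
    for cid in report["misrouted"]:
        print("L2L destination egressing the wrong interface, conn id:", cid)
```

On the constructed sample the script reports connection IDs 137555837 and 137555838 as one flow built twice, and 137555837 alone as a build toward the 172.16.0.0/16 peer network that left via Inside. The healthy third line (an inside host to the same web server, egressing Outside) raises neither finding, which is the control a practitioner wants before concluding that the client-pool traffic, not the tunnel itself, is taking the wrong path.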
