[c-nsp] Allowing VPN clients to access L2L tunnels terminating on the same outside interface

Ge Moua moua0100 at umn.edu
Wed Nov 26 17:19:14 EST 2008


You could also bring up another L2L tunnel specific to your client vpn 
hosts:

pc = client vpn = asa int1 = asa int2 = l2l vpn = checkpoint

convoluted but another (static) crypto map for l2l tunnel from client 
vpn (off of dynamic crypto map).

Good luck.

Regards,
Ge Moua | Email: moua0100 at umn.edu

Network Design Engineer
University of Minnesota | Networking & Telecommunications Services



Aaron wrote:
> We don't manage the other L2L sites. Plus the L2L tunnel is terminating at
> the other end at a checkpoint :|
>
> Cheers,
>
> Aaron.
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ge Moua
> Sent: Thursday, 27 November 2008 3:33 AM
> To: Aaron Riemer
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Allowing VPN clients to access L2L tunnels terminating
> on the same outside interface
>
> What about setting up some GRE tunnels to route the traffic of interest 
> over to the other L2L sites.  I've seen configs for this on Cisco CCO.
>
> Regards,
> Ge Moua | Email: moua0100 at umn.edu
>
> Network Design Engineer
> University of Minnesota | Networking & Telecommunications Services
>
> Aaron Riemer wrote:
>   
>> Hey guys,
>>  
>> I am hoping someone out there has configured something similar as I am
>> having a lot of grief getting this working.
>>  
>> Essentially what we are trying to do is to allow our VPN clients to
>> access other L2L sites that terminate on the same outside interface. See
>> below for details.
>>  
>> VPN Client address range 10.100.1.100-200/24
>> VPN client default gateway 10.100.1.1/24 (Inside 3750 switch next hop
>> after ASA)
>> ASA Inside address 10.100.1.10/24
>> VPN tunnel peer addressing: 172.16.0.0/16
>>  
>> We have configured the necessary commands to allow this hairpinning,
>> i.e. 'same-security-traffic permit intra-interface'. The relevant VPN
>> rules and nonat are in place to allow the entire 10.100.1.0/24 range
>> across the L2L tunnel and this has been tested by attempting to telnet
>> to a web server at the tunnel destination via the inside 3750. 
>>  
>> It's just the VPN clients on the outside interface can't seem to get
>> through the tunnel. What makes things even more confusing is that ICMP
>> goes across no problem but no TCP traffic will pass. (No SYN-ACK
>> received from the web server). I have checked the logs and they don't
>> indicate that any traffic is being denied. I can see the connection
>> being built twice from the outside back to the inside default gateway
>> then back from the inside (maybe this is the problem: do we need to make
>> the VPN client pool gateway address an address on the firewall?)
>>  
>> 2008/11/26 15:08:48  %ASA-6-302013: Built inbound TCP connection
>> 137555837 for Outside:10.100.1.101/2523 (10.100.1.101/2523) to
>> Inside:172.16.1.10/80 (172.16.1.10/80) 
>> 2008/11/26 15:08:48  %ASA-6-302013: Built outbound TCP connection
>> 137555838 for Outside: 172.16.1.10/80 (172.16.1.10/80) to
>> Inside:10.100.1.101/2523 (10.100.1.101/2523)
>>  
>> Thanks in advance.
>>  
>> Aaron.
>> _______________________________________________
>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
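As an added example (not from the thread or any Cisco tool): a small Python parser for the %ASA-6-302013 lines Aaron posted that normalises each build to initiator/responder and flags any flow the ASA built in both directions, which is the "connection being built twice" symptom he describes. It assumes the documented 302013 layout, in which the lower-security (Outside) side is always printed first, so an "outbound" build's initiator is the "to" host.

```python
import re
from collections import defaultdict

# Constructed sample: the two 302013 lines from the thread, plus one ordinary
# inbound connection that is NOT hairpinned, to show it is left alone.
SAMPLE_LOG = """\
2008/11/26 15:08:48  %ASA-6-302013: Built inbound TCP connection 137555837 for Outside:10.100.1.101/2523 (10.100.1.101/2523) to Inside:172.16.1.10/80 (172.16.1.10/80)
2008/11/26 15:08:48  %ASA-6-302013: Built outbound TCP connection 137555838 for Outside: 172.16.1.10/80 (172.16.1.10/80) to Inside:10.100.1.101/2523 (10.100.1.101/2523)
2008/11/26 15:09:02  %ASA-6-302013: Built inbound TCP connection 137555901 for Outside:10.100.1.102/3000 (10.100.1.102/3000) to Inside:10.100.1.50/22 (10.100.1.50/22)
"""

# Assumption: 302013 prints the lower-security side first, so for an
# "outbound" build the initiator is the "to" host.  The \s* absorbs the stray
# space after "Outside:" seen in the posted log.
BUILD_RE = re.compile(
    r"%ASA-6-302013: Built (?P<dir>inbound|outbound) TCP connection (?P<id>\d+) "
    r"for (?P<a_if>\w+):\s*(?P<a>[\d.]+)/(?P<a_port>\d+) \([^)]*\) "
    r"to (?P<b_if>\w+):\s*(?P<b>[\d.]+)/(?P<b_port>\d+) \([^)]*\)"
)

def parse_build(line):
    """Normalise one 302013 line to (flow, direction, conn_id) or None.

    flow is (initiator, initiator_port, responder, responder_port) regardless
    of which side the ASA printed first."""
    m = BUILD_RE.search(line)
    if not m:
        return None
    g = m.groupdict()
    if g["dir"] == "inbound":
        flow = (g["a"], int(g["a_port"]), g["b"], int(g["b_port"]))
    else:
        flow = (g["b"], int(g["b_port"]), g["a"], int(g["a_port"]))
    return flow, g["dir"], int(g["id"])

def find_double_builds(log_text):
    """Return {flow: [conn_ids]} for flows the ASA built in BOTH directions.

    A flow first built inbound (arriving from the VPN client) and then again
    outbound (re-entering from the inside gateway) is the hairpin-via-inside
    symptom: the packet left towards the 3750 instead of the L2L tunnel."""
    seen = defaultdict(lambda: {"inbound": [], "outbound": []})
    for line in log_text.splitlines():
        parsed = parse_build(line)
        if parsed:
            flow, direction, cid = parsed
            seen[flow][direction].append(cid)
    return {f: d["inbound"] + d["outbound"]
            for f, d in seen.items() if d["inbound"] and d["outbound"]}
```

Run it over a real `show logging` capture to see which client flows are bouncing off the inside gateway rather than going straight into the L2L crypto map.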