[c-nsp] Allowing VPN clients to access L2L tunnels terminating on the same outside interface

Aaron Riemer ariemer at wesenergy.com.au
Wed Nov 26 19:10:10 EST 2008 

Hi Guys,

We have resolved this by simply putting a static route pointing out to
the spoke VPN site's internal addressing pointing to the outside
interface on our firewall.

I believe changing the addressing of the VPN clients would have done the
same thing though. 

Thanks, 

Aaron

-----Original Message-----
From: Tony [mailto:td_miles at yahoo.com] 
Sent: Wednesday, 26 November 2008 4:48 PM
To: cisco-nsp at puck.nether.net; Aaron Riemer
Subject: Re: [c-nsp] Allowing VPN clients to access L2L tunnels
terminating on the same outside interface

Hi Aaron,

I have set this up before (was setup many years ago on PIX v7 but still
is used today) and it does work.

I would suggest you change the VPN client address pool to a totally
DIFFERENT range. At the moment it seems that it is part of the same /24
that is on the ASA inteface. 

You may need to add a static route to any internal gateways so that they
know about this new IP range you are using (this depends on your setup).

You will also need to ensure that this new address range is added to the
ACL for the match traffic on your static tunnels.


Here is a Cisco doc on doing this:
http://www.cisco.com/en/US/products/ps6120/products_configuration_exampl
e09186a00807f9a89.shtml

Look about halfway down the page for the section "Add a Remote Access
VPN to the Configuration". The description for this says "This section
provides the required procedures to add remote access capability and to
allow remote users to access all sites." which would appear to be
exactly what you want to do. In the example they have, they also use a
seperate subnet for the remote users.


regards,
Tony.

--- On Wed, 26/11/08, Aaron Riemer <ariemer at wesenergy.com.au> wrote:

> From: Aaron Riemer <ariemer at wesenergy.com.au>
> Subject: [c-nsp] Allowing VPN clients to access L2L tunnels
terminating on the same outside interface
> To: cisco-nsp at puck.nether.net
> Date: Wednesday, 26 November, 2008, 6:12 PM
> Hey guys,
>  
> I am hoping someone out there has configured something
> similar as I am
> having a lot of grief getting this working.
>  
> Essentially what we are trying to do is to allow our VPN
> clients to
> access other L2L sites that terminate on the same outside
> interface. See
> below for details.
>  
> VPN Client address range 10.100.1.100-200/24
> VPN client default gateway 10.100.1.1/24 (Inside 3750
> switch next hop
> after ASA)
> ASA Inside address 10.100.1.10/24
> VPN tunnel peer addressing: 172.16.0.0/16
>  
> We have configured the necessary commands to allow this
> hairpinning..
> i.e. 'same-security-traffic permit
> intra-interface'. The relevant VPN
> rules and nonat are in place to allow the entire
> 10.100.1.0/24 range
> across the L2L tunnel and this has been tested by
> attempting to telnet
> to a web server at the tunnel destination via the inside
> 3750. 
>  
> It's just the VPN clients on the outside interface
> can't seem to get
> through the tunnel. What makes things even more confusing
> is that ICMP
> goes across no problem but no TCP traffic will pass. (No
> SYN-ACK
> received from the web server). I have checked the logs and
> they don't
> indicate that any traffic is being denied. I can see the
> connection
> being built twice from the outside back to the inside
> default gateway
> then back from the inside (maybe this is the problem do we
> need to make
> the vpn client pool gateway address an address on the
> firewall??)
>  
> 2008/11/26 15:08:48  %ASA-6-302013: Built inbound TCP
> connection
> 137555837 for Outside:10.100.1.101/2523 (10.100.1.101/2523)
> to
> Inside:172.16.1.10/80 (172.16.1.10/80) 
> 2008/11/26 15:08:48  %ASA-6-302013: Built outbound TCP
> connection
> 137555838 for Outside: 172.16.1.10/80 (172.16.1.10/80) to
> Inside:10.100.1.101/2523 (10.100.1.101/2523)
>  
> Thanks in advance.
>  
> Aaron.
>  
>  
>  
>  


--- On Wed, 26/11/08, Aaron Riemer <ariemer at wesenergy.com.au> wrote:

> From: Aaron Riemer <ariemer at wesenergy.com.au>
> Subject: [c-nsp] Allowing VPN clients to access L2L tunnels
terminating on the same outside interface
> To: cisco-nsp at puck.nether.net
> Date: Wednesday, 26 November, 2008, 6:12 PM
> Hey guys,
>  
> I am hoping someone out there has configured something
> similar as I am
> having a lot of grief getting this working.
>  
> Essentially what we are trying to do is to allow our VPN
> clients to
> access other L2L sites that terminate on the same outside
> interface. See
> below for details.
>  
> VPN Client address range 10.100.1.100-200/24
> VPN client default gateway 10.100.1.1/24 (Inside 3750
> switch next hop
> after ASA)
> ASA Inside address 10.100.1.10/24
> VPN tunnel peer addressing: 172.16.0.0/16
>  
> We have configured the necessary commands to allow this
> hairpinning..
> i.e. 'same-security-traffic permit
> intra-interface'. The relevant VPN
> rules and nonat are in place to allow the entire
> 10.100.1.0/24 range
> across the L2L tunnel and this has been tested by
> attempting to telnet
> to a web server at the tunnel destination via the inside
> 3750. 
>  
> It's just the VPN clients on the outside interface
> can't seem to get
> through the tunnel. What makes things even more confusing
> is that ICMP
> goes across no problem but no TCP traffic will pass. (No
> SYN-ACK
> received from the web server). I have checked the logs and
> they don't
> indicate that any traffic is being denied. I can see the
> connection
> being built twice from the outside back to the inside
> default gateway
> then back from the inside (maybe this is the problem do we
> need to make
> the vpn client pool gateway address an address on the
> firewall??)
>  
> 2008/11/26 15:08:48  %ASA-6-302013: Built inbound TCP
> connection
> 137555837 for Outside:10.100.1.101/2523 (10.100.1.101/2523)
> to
> Inside:172.16.1.10/80 (172.16.1.10/80) 
> 2008/11/26 15:08:48  %ASA-6-302013: Built outbound TCP
> connection
> 137555838 for Outside: 172.16.1.10/80 (172.16.1.10/80) to
> Inside:10.100.1.101/2523 (10.100.1.101/2523)
>  
> Thanks in advance.
>  
> Aaron.
>  
>  
>  
>  
> 
> LEGAL DISCLAIMER: This message contains confidential
> information and is intended only for the individual named.
> If you are not the named addressee you should not
> disseminate, distribute or copy this e-mail. Please notify
> the sender immediately by e-mail if you have received this
> e-mail by mistake and delete this e-mail from your system.
> If you are not the intended recipient you are notified that
> disclosing, copying, distributing or taking any action in
> reliance on the contents of this information is strictly
> prohibited.
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/


      


LEGAL DISCLAIMER: This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.

More information about the cisco-nsp mailing list