[c-nsp] ASA5512x VPN route issue

Ulrik Ivers ulrik.ivers at excanto.se
Tue Jul 1 03:58:02 EDT 2014 

Hi,

Two things to check:

1. Make sure you have the following in the config:
same-security-traffic permit intra-interface

2. Make sure you have a the NAT rules configured correctly so that the traffic between the VPN clients and the remote LAN is NOT translated (or in fact are NAT:ed to themselves...". Also, the order of the NAT rules are important.

Here's a pretty good writeup:
http://packetpushers.net/cisco-asa-8-38-4-hairpinning-nat-configuration/

/Ulrik

-----Original Message-----
From: cisco-nsp [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Lee Starnes
Sent: den 30 juni 2014 23:23
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] ASA5512x VPN route issue

Hello,

We just setup a new ASA 5512x running v9.1(2). We have about 30 remote Anyconnect SSL vpns and an IPSec tunnel to a remote LAN. We have been able to get all the VPN connections up and passing traffic such that remote VPNs can reach the LOCAL LAN The LOCAL LAN can reach the REMOTE LAN, THE VPNs can get Internet access via NAT. The one thing we can't seem to get working is the VPNs to reach the REMOTE LAN. The REMOTE LAN does know about these IP blocks. Doing a packet-tracer, It hangs on the following.

Phase: 7
Type: WEBVPN-SVC
Subtype: in
Result: DROP
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fffa08adb40, priority=70, domain=svc-ib-tunnel-flow, deny=false
        hits=450, user_data=0x39000, cs_id=0x0, reverse, flags=0x0,
protocol=0
        src ip/id=192.168.95.7, mask=255.255.255.255, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=outside, output_ifc=any

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule


VPN clients are in 192.168.95.0/24
LAN is on 10.158.95.0/24
REMOTE LAN is on 10.158.58.0/24

VPN clients are setup to tunnel all traffic.

Any idea where to look to resolve this one issue?


-Lee
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

More information about the cisco-nsp mailing list