[c-nsp] ASA5512x VPN route issue

Lee Starnes lee.t.starnes at gmail.com
Tue Jul 1 19:43:19 EDT 2014


Thanks Ulrik.

Confirmed that how that shows to set up is how I have it, but still can't
pass traffic. I suspect the remote office might be filtering it. This was a
cutover from a Fortinet to an ASA, but the other side is still a Fortinet
when they created the new tunnel. Great link. Thanks for the help.

-Lee


On Tue, Jul 1, 2014 at 12:58 AM, Ulrik Ivers <ulrik.ivers at excanto.se> wrote:

> Hi,
>
> Two things to check:
>
> 1. Make sure you have the following in the config:
> same-security-traffic permit intra-interface
>
> 2. Make sure you have the NAT rules configured correctly so that the
> traffic between the VPN clients and the remote LAN is NOT translated (or, in
> fact, is NAT:ed to itself). Also, the order of the NAT rules is
> important.
>
> Here's a pretty good writeup:
> http://packetpushers.net/cisco-asa-8-38-4-hairpinning-nat-configuration/
>
> /Ulrik
>
> -----Original Message-----
> From: cisco-nsp [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of
> Lee Starnes
> Sent: den 30 juni 2014 23:23
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] ASA5512x VPN route issue
>
> Hello,
>
> We just set up a new ASA 5512x running v9.1(2). We have about 30 remote
> AnyConnect SSL VPNs and an IPsec tunnel to a remote LAN. We have been able
> to get all the VPN connections up and passing traffic such that remote VPNs
> can reach the LOCAL LAN, the LOCAL LAN can reach the REMOTE LAN, and the VPNs
> can get Internet access via NAT. The one thing we can't seem to get working
> is the VPNs reaching the REMOTE LAN. The REMOTE LAN does know about these
> IP blocks. Doing a packet-tracer, it hangs on the following.
>
> Phase: 7
> Type: WEBVPN-SVC
> Subtype: in
> Result: DROP
> Config:
> Additional Information:
>  Forward Flow based lookup yields rule:
>  in  id=0x7fffa08adb40, priority=70, domain=svc-ib-tunnel-flow, deny=false
>         hits=450, user_data=0x39000, cs_id=0x0, reverse, flags=0x0,
> protocol=0
>         src ip/id=192.168.95.7, mask=255.255.255.255, port=0, tag=0
>         dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
>         input_ifc=outside, output_ifc=any
>
> Result:
> input-interface: outside
> input-status: up
> input-line-status: up
> output-interface: inside
> output-status: up
> output-line-status: up
> Action: drop
> Drop-reason: (acl-drop) Flow is denied by configured rule
>
>
> VPN clients are in 192.168.95.0/24
> LAN is on 10.158.95.0/24
> REMOTE LAN is on 10.158.58.0/24
>
> VPN clients are set up to tunnel all traffic.
>
> Any idea where to look to resolve this one issue?
>
>
> -Lee
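A sketch of the hairpin configuration Ulrik describes, as an added example that is not from the thread: the object, ACL and crypto map names are assumed, and the subnets are the ones given in the original post.

```cisco
! Added example, not from the thread. Object, ACL and crypto map names are
! assumed; the subnets are the ones given in the original post.

! 1. Let traffic enter and leave the same interface (VPN-to-VPN hairpin).
same-security-traffic permit intra-interface

object network VPN-POOL
 subnet 192.168.95.0 255.255.255.0
object network LOCAL-LAN
 subnet 10.158.95.0 255.255.255.0
object network REMOTE-LAN
 subnet 10.158.58.0 255.255.255.0

! 2. Identity (NAT-to-self) twice NAT for client -> remote LAN traffic.
!    The line number "1" puts it at the top of section 1 so it matches
!    before the dynamic PAT that gives the clients Internet access.
nat (outside,outside) 1 source static VPN-POOL VPN-POOL destination static REMOTE-LAN REMOTE-LAN no-proxy-arp route-lookup
! The existing exemption for the local LAN, shown for ordering.
nat (inside,outside) source static LOCAL-LAN LOCAL-LAN destination static REMOTE-LAN REMOTE-LAN no-proxy-arp route-lookup
! Client Internet access stays in section 3, after the exemptions.
nat (outside,outside) after-auto source dynamic VPN-POOL interface

! 3. The L2L tunnel's interesting-traffic ACL must also carry the client
!    pool, and the remote Fortinet's phase 2 selectors must mirror it;
!    otherwise the far end has no SA for the pool and drops the traffic.
access-list L2L-TO-REMOTE extended permit ip object LOCAL-LAN object REMOTE-LAN
access-list L2L-TO-REMOTE extended permit ip object VPN-POOL object REMOTE-LAN
crypto map OUTSIDE_MAP 10 match address L2L-TO-REMOTE

! Checks: NAT rule order, the hairpin decision for a client packet, and
! whether a phase 2 SA exists for the pool -> remote LAN selector pair.
show nat detail
packet-tracer input outside tcp 192.168.95.7 1025 10.158.58.10 445
show crypto ipsec sa
```

If `packet-tracer` now passes but `show crypto ipsec sa` shows no SA for the 192.168.95.0/24 to 10.158.58.0/24 pair, the tunnel negotiation for that selector is failing on the remote side rather than in the ASA's own rules.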

