[c-nsp] ASA5512x VPN route issue

Lee Starnes lee.t.starnes at gmail.com
Wed Jul 2 15:49:46 EDT 2014


One final reply on this. All works if you setup everything as described in
the link you provided Ulrik. The issue we had was caused by the remote side
of the IPsec tunnel ACL not allowing access for the VPN clients IP block.

Thanks again.

-Lee



On Tue, Jul 1, 2014 at 4:43 PM, Lee Starnes <lee.t.starnes at gmail.com> wrote:

> Thanks Ulrik.
>
> Confirmed that how that shows to setup is how I have it but still can't
> pass traffic. I suspect the remote office might be filtering it. This was a
> cutover from a Fortinet to an ASA but the other side is till a Fortinet
> when they created the new tunnel. Great link. Thanks for the help.
>
> -Lee
>
>
> On Tue, Jul 1, 2014 at 12:58 AM, Ulrik Ivers <ulrik.ivers at excanto.se>
> wrote:
>
>> Hi,
>>
>> Two things to check:
>>
>> 1. Make sure you have the following in the config:
>> same-security-traffic permit intra-interface
>>
>> 2. Make sure you have a the NAT rules configured correctly so that the
>> traffic between the VPN clients and the remote LAN is NOT translated (or in
>> fact are NAT:ed to themselves...". Also, the order of the NAT rules are
>> important.
>>
>> Here's a pretty good writeup:
>> http://packetpushers.net/cisco-asa-8-38-4-hairpinning-nat-configuration/
>>
>> /Ulrik
>>
>> -----Original Message-----
>> From: cisco-nsp [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of
>> Lee Starnes
>> Sent: den 30 juni 2014 23:23
>> To: cisco-nsp at puck.nether.net
>> Subject: [c-nsp] ASA5512x VPN route issue
>>
>> Hello,
>>
>> We just setup a new ASA 5512x running v9.1(2). We have about 30 remote
>> Anyconnect SSL vpns and an IPSec tunnel to a remote LAN. We have been able
>> to get all the VPN connections up and passing traffic such that remote VPNs
>> can reach the LOCAL LAN The LOCAL LAN can reach the REMOTE LAN, THE VPNs
>> can get Internet access via NAT. The one thing we can't seem to get working
>> is the VPNs to reach the REMOTE LAN. The REMOTE LAN does know about these
>> IP blocks. Doing a packet-tracer, It hangs on the following.
>>
>> Phase: 7
>> Type: WEBVPN-SVC
>> Subtype: in
>> Result: DROP
>> Config:
>> Additional Information:
>>  Forward Flow based lookup yields rule:
>>  in  id=0x7fffa08adb40, priority=70, domain=svc-ib-tunnel-flow, deny=false
>>         hits=450, user_data=0x39000, cs_id=0x0, reverse, flags=0x0,
>> protocol=0
>>         src ip/id=192.168.95.7, mask=255.255.255.255, port=0, tag=0
>>         dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
>>         input_ifc=outside, output_ifc=any
>>
>> Result:
>> input-interface: outside
>> input-status: up
>> input-line-status: up
>> output-interface: inside
>> output-status: up
>> output-line-status: up
>> Action: drop
>> Drop-reason: (acl-drop) Flow is denied by configured rule
>>
>>
>> VPN clients are in 192.168.95.0/24
>> LAN is on 10.158.95.0/24
>> REMOTE LAN is on 10.158.58.0/24
>>
>> VPN clients are setup to tunnel all traffic.
>>
>> Any idea where to look to resolve this one issue?
>>
>>
>> -Lee
>> _______________________________________________
>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>
>
>


More information about the cisco-nsp mailing list