traffic routing between SVC vpn clients and L2L IPSec tunnel

From: Alexei Monastyrnyi <alexeim73_at_gmail.com>
Date: Tue, 06 Apr 2010 20:14:33 +1000

Hi guys.

I just need a fresh look at a scenario below. I have done it so many
times so my eyes may be folded by some wrong assumption. :-) The only
difference for this one comparing to what I usually do is NAT/PAT
happening on IPSec tunnel.

Cisco ASA 5505 runs code 8.2.1. It accepts SVC VPN clients and also has
an IPSec tunnel towards a third party. SVC VPN clients are considered
internal so they don't run any NAT etc, they just happily get connected
and can access LAN resources behind the ASA, all is well here. What
doesn't work is when SVC clients are trying to access a third party LAN
behind the IPSec tunnel.

IPSec tunnel runs PAT and all IPs are translated to outside public IP
address x.x.x.x. Don't ask me why, it was not my setup from the
beginning. :-) From behind ASA 5505 (LAN 192.168.1.0/24) there is no
problem accessing the third party.

I can capture packets from SVC clients towards the third party but they
get black-holed after that. They don't trigger any NAT or IPSec.

The NAT/IPSec part is quite straightforward, below is a partial config
with NAT/IPSec details.

interface Vlan1
  nameif inside
  security-level 100
  ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
  nameif outside
  security-level 0
  ip address x.x.x.x 255.255.255.252
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
!
access-list outside_1_cryptomap extended permit ip host x.x.x.x NOMX 255.255.255.254
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 vpn-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip NOMX 255.255.255.254 vpn-network 255.255.255.0
!
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 x.x.x.x-1
!
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
!
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer y.y.y.y
crypto map outside_map 1 set transform-set ESP-AES-256-SHA
crypto map outside_map 1 set reverse-route

Your thoughts would be highly appreciated.

Cheers,
A.
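As an added illustration (not part of the post above and not vendor code), the following Python model walks the two flows from the post, inside LAN to the third-party LAN and SVC client to the third-party LAN, through the posted NAT rules and crypto ACL. It assumes, as ASA 8.2 documents, that the crypto map ACL is matched against the post-NAT source address, that NAT rules are scoped to the ingress interface (so SVC traffic arriving on outside and hairpinning back out outside only sees "nat (outside)" rules, of which the post has none), and that nat-control is off so untranslated traffic is not dropped by NAT itself. The addresses for x.x.x.x, NOMX and vpn-network are constructed placeholders since the post leaves them symbolic.

```python
import ipaddress

# Constructed placeholders for the symbolic names in the post (assumptions).
OUTSIDE_IP = ipaddress.ip_address("203.0.113.2")        # x.x.x.x, ASA outside interface
NOMX = ipaddress.ip_network("198.51.100.0/31")          # NOMX 255.255.255.254, third-party LAN
VPN_NETWORK = ipaddress.ip_network("10.99.0.0/24")      # vpn-network 255.255.255.0, SVC pool
INSIDE_LAN = ipaddress.ip_network("192.168.1.0/24")     # Vlan1 inside LAN
ANY = ipaddress.ip_network("0.0.0.0/0")

# ACLs as (source network, destination network) pairs, mirroring the posted lines.
# access-list outside_1_cryptomap extended permit ip host x.x.x.x NOMX 255.255.255.254
CRYPTO_ACL = [(ipaddress.ip_network(f"{OUTSIDE_IP}/32"), NOMX)]
# access-list inside_nat0_outbound (both entries)
NAT0_ACL = [(INSIDE_LAN, VPN_NETWORK), (NOMX, VPN_NETWORK)]

# NAT policy keyed by ingress interface, in the order the ASA evaluates it:
# nat (inside) 0 access-list inside_nat0_outbound   -> exemption
# nat (inside) 1 0.0.0.0 0.0.0.0 + global (outside) 1 interface -> PAT to outside IP
# There is no "nat (outside) ..." line in the post, so the outside list is empty.
NAT_RULES = {
    "inside": [("exempt", NAT0_ACL), ("pat", [(ANY, ANY)])],
    "outside": [],
}


def acl_match(acl, src, dst):
    """True if any (src_net, dst_net) entry covers the given addresses."""
    return any(src in s and dst in d for s, d in acl)


def apply_nat(ingress_if, src, dst):
    """Return (post-NAT source, name of the rule that fired) for a flow leaving via outside."""
    for kind, acl in NAT_RULES.get(ingress_if, []):
        if acl_match(acl, src, dst):
            return (src, kind) if kind == "exempt" else (OUTSIDE_IP, kind)
    # No rule matched: source is left untranslated (nat-control off is assumed).
    return src, "none"


def evaluate_flow(ingress_if, src, dst):
    """Trace one flow: NAT first, then the crypto ACL check on the translated source."""
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    translated, rule = apply_nat(ingress_if, src, dst)
    return {
        "ingress": ingress_if,
        "nat_rule": rule,
        "src_after_nat": str(translated),
        # Crypto map ACL is matched against the post-NAT packet (assumed ASA ordering).
        "matches_crypto_acl": acl_match(CRYPTO_ACL, translated, dst),
    }


def trace_post_scenario():
    """The two flows from the post: inside LAN host and SVC client, both towards NOMX."""
    third_party_host = "198.51.100.1"
    return {
        "lan_to_third_party": evaluate_flow("inside", "192.168.1.10", third_party_host),
        "svc_to_third_party": evaluate_flow("outside", "10.99.0.5", third_party_host),
    }


if __name__ == "__main__":
    for name, result in trace_post_scenario().items():
        print(name, result)
```

Running it shows the LAN flow picking up the PAT rule and matching the crypto ACL as host x.x.x.x, while the SVC flow, entering and leaving on outside, hits no NAT rule, keeps its vpn-network source and never matches an ACL whose only permitted source is host x.x.x.x. That is the same symptom the post describes (captured, then black-holed, no NAT or IPSec counters moving), which is why the ingress-interface scope of the NAT rules is the first thing to check on such a setup.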

Blogs and organic groups at http://www.ccie.net
Received on Tue Apr 06 2010 - 20:14:33 ART

This archive was generated by hypermail 2.2.0 : Sat May 01 2010 - 09:49:56 ART