Proxy mismatch on remote end or NAT exempt missing are the first
things that come to mind. Intra-interface covers your outside to
outside tunnel. I assume you're running sysopt permit-VPN as well.
Anything of use in the logs?
Sent from handheld.
On Apr 7, 2010, at 6:18 AM, "Alexei Monastyrnyi" <alexeim73_at_gmail.com>
wrote:
> Hi guys.
>
> I just need a fresh look at a scenario below. I have done it so many
> times so my eyes may be folded by some wrong assumption. :-) . The
> only difference for this one comparing to what I usually do is NAT/
> PAT happening on IPSec tunnel.
>
> Cisco ASA 5505 runs code 8.2.1. It accepts SVC VPN clients and also
> has an IPSec tunnel towards a third party. SVC VPN clients are
> considered internal so they don't run any NAT etc, they just happily
> get connected and can access LAN resources behind the ASA, all is
> well here. What doesn't work is when SVC clients are trying to
> access a third party LAN behind the IPSec tunnel.
>
> IPSec tunnel runs PAT and all IPs are translated to outside public
> IP address x.x.x.x. Don't ask me why, it was not my setup from the
> beginning. :-) From behind ASA 5505 (LAN 192.168.1.0/24) there is no
> problem accessing the third party.
>
> I can capture packets from SVC clients towards the third party but
> they get black-holed after that. They don't trigger any NAT or IPSec.
>
> The NAT/IPSec part is quite straightforward, below is a partial
> config with NAT/IPSec details.
>
> interface Vlan1
> nameif inside
> security-level 100
> ip address 192.168.1.1 255.255.255.0
> !
> interface Vlan2
> nameif outside
> security-level 0
> ip address x.x.x.x 255.255.255.252
> !
> same-security-traffic permit inter-interface
> same-security-traffic permit intra-interface
> !
> access-list outside_1_cryptomap extended permit ip host x.x.x.x NOMX 255.255.255.254
> access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 vpn-network 255.255.255.0
> access-list inside_nat0_outbound extended permit ip NOMX 255.255.255.254 vpn-network 255.255.255.0
> !
> global (outside) 1 interface
> nat (inside) 0 access-list inside_nat0_outbound
> nat (inside) 1 0.0.0.0 0.0.0.0
> route outside 0.0.0.0 0.0.0.0 x.x.x.x-1
> !
> crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
> !
> crypto map outside_map 1 match address outside_1_cryptomap
> crypto map outside_map 1 set peer y.y.y.y
> crypto map outside_map 1 set transform-set ESP-AES-256-SHA
> crypto map outside_map 1 set reverse-route
>
> Your thoughts would be highly appreciated.
>
> Cheers,
> A.
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at: http://www.groupstudy.com/list/CCIELab.html
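The reply names a proxy mismatch and a missing NAT exemption as the usual suspects; the quoted config lets a reader walk the 8.2 packet path by hand (NAT exemption first, then dynamic PAT, then the crypto map, each evaluated for the ingress interface). The script below is an added model of that walk, not code from the thread or from Cisco. It uses constructed stand-ins for the post's names: 198.51.100.1 for x.x.x.x, 10.10.10.0/24 for the `vpn-network` object and 203.0.113.0/31 for `NOMX 255.255.255.254`; the `with_outside_pat` and `with_outside_exempt` variants are hypotheses to test, not changes anyone in the thread proposed.

```python
"""Model of the ASA 8.2 order of operations seen in the posted config:
nat 0 exemption, then dynamic PAT, then crypto-map matching, all keyed
on the ingress interface. Addresses are constructed placeholders."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed stand-ins for the names in the posted config (assumptions).
OUTSIDE_IP = ip_address("198.51.100.1")        # x.x.x.x, the outside interface address
LAN = ip_network("192.168.1.0/24")             # inside LAN, as in the post
VPN_NETWORK = ip_network("10.10.10.0/24")      # 'vpn-network' object, assumed value
NOMX = ip_network("203.0.113.0/31")            # 'NOMX 255.255.255.254', assumed value
ANY = ip_network("0.0.0.0/0")


@dataclass
class Policy:
    nat0: dict         # ingress iface -> [(src_net, dst_net)]  from 'nat (iface) 0 access-list'
    dynamic_pat: dict  # ingress iface -> [src_net]              from 'nat (iface) 1 ...'
    crypto_acl: list   # [(src_net, dst_net)] behind 'crypto map outside_map 1'


# The rules exactly as the post shows them: every NAT statement is on 'inside'.
POSTED = Policy(
    nat0={"inside": [(LAN, VPN_NETWORK), (NOMX, VPN_NETWORK)]},
    dynamic_pat={"inside": [ANY]},
    crypto_acl=[(ip_network(f"{OUTSIDE_IP}/32"), NOMX)],
)


def trace(src, dst, ingress, policy):
    """Follow one flow through the model and report what it matched."""
    src, dst = ip_address(src), ip_address(dst)
    steps = []
    # 1. nat 0 (exemption) wins first, but only rules bound to the ingress interface apply.
    exempt = any(src in s and dst in d for s, d in policy.nat0.get(ingress, []))
    steps.append(f"nat0 on {ingress}: {'match' if exempt else 'no match'}")
    xlated = src
    if not exempt:
        # 2. Dynamic PAT to the outside address, again only for the ingress interface.
        if any(src in s for s in policy.dynamic_pat.get(ingress, [])):
            xlated = OUTSIDE_IP
            steps.append(f"dynamic PAT on {ingress}: {src} -> {xlated}")
        else:
            steps.append(f"dynamic PAT on {ingress}: no rule, source unchanged")
    # 3. The crypto ACL is compared against the post-NAT source address.
    tunnel = any(xlated in s and dst in d for s, d in policy.crypto_acl)
    steps.append("crypto ACL: match, encrypt" if tunnel
                 else "crypto ACL: no match, forwarded in the clear")
    return {"translated_src": str(xlated), "tunnel": tunnel, "steps": steps}


def with_outside_pat(policy):
    """Hypothesis A (assumed, not from the thread): PAT the VPN pool on 'outside' too."""
    pat = {k: list(v) for k, v in policy.dynamic_pat.items()}
    pat.setdefault("outside", []).append(VPN_NETWORK)
    return Policy(nat0=policy.nat0, dynamic_pat=pat, crypto_acl=policy.crypto_acl)


def with_outside_exempt(policy):
    """Hypothesis B (assumed, not from the thread): exempt VPN pool -> NOMX on 'outside'."""
    nat0 = {k: list(v) for k, v in policy.nat0.items()}
    nat0.setdefault("outside", []).append((VPN_NETWORK, NOMX))
    return Policy(nat0=nat0, dynamic_pat=policy.dynamic_pat, crypto_acl=policy.crypto_acl)


if __name__ == "__main__":
    for label, pol in [("posted", POSTED), ("outside PAT", with_outside_pat(POSTED)),
                       ("outside exempt", with_outside_exempt(POSTED))]:
        print(label, trace("10.10.10.5", "203.0.113.1", "outside", pol))
    print("LAN host", trace("192.168.1.10", "203.0.113.1", "inside", POSTED))
```

Run as-is, the LAN host is PATed to the outside address and matches the crypto ACL, which agrees with the post ("from behind ASA 5505 there is no problem"). An SVC client enters on `outside`, where the posted config has no `nat 0` and no dynamic PAT rule, so its pool address is never translated and the crypto ACL, which only covers `host x.x.x.x`, does not match: the model reproduces the "doesn't trigger any NAT or IPSec" symptom. The two hypotheses show why the distinction matters: an exemption alone keeps the pool address untranslated and still misses the crypto ACL, whereas translating the pool to the outside address does match it. The model ignores `sysopt connection permit-vpn`, the route lookup and the peer's proxy identities, so confirm on the box with `packet-tracer input outside ...` for a pool source and `show crypto ipsec sa` for the resulting proxy pair.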
Received on Wed Apr 07 2010 - 11:49:48 ART
This archive was generated by hypermail 2.2.0 : Sat May 01 2010 - 09:49:56 ART