Re: traffic routing between SVC vpn clients and L2L IPSec from Andrey Tarasov on 2010-04-07 (Ccielab archives 04/2010)

From: Andrey Tarasov <andyvt_at_gmail.com>
Date: Wed, 7 Apr 2010 19:39:21 -0700

nat (outside) 1 vpn-network 255.255.255.0 is missing.

Regards,
Andrey.

On Tue, Apr 6, 2010 at 3:14 AM, Alexei Monastyrnyi <alexeim73_at_gmail.com> wrote:
> Hi guys.
>
> I just need a fresh look at a scenario below. I have done it so many times
> so my eyes may be folded by some wrong assumption. :-) . The only difference
> for this one comparing to what I usually do is NAT/PAT happening on IPSec
> tunnel.
>
> Cisco ASA 5505 runs code 8.2.1. It accepts SVC VPN clients and also has an
> IPSec tunnel towards a third party. SVC VPN clients are considered internal
> so they don't run any NAT etc, they just happily get connected and can
> access LAN resources behind the ASA, all is well here. What doesn't work is
> when SVC clients are trying to access a third party LAN behind the IPSec
> tunnel.
>
> IPSec tunnel runs PAT and all IPs are translated to outside public IP
> address x.x.x.x. Don't ask me why, it was not my setup from the beginning.
> :-) From behind ASA 5505 (LAN 192.168.1.0/24) there is no problem accessing
> the third party.
>
> I can capture packets from SVC clients towards the third party but they get
> black-holed after that. They don't trigger any NAT or IPSec.
>
> The NAT/IPSec part is quite straightforward, below is a partial config with
> NAT/IPSec details.
>
> interface Vlan1
> nameif inside
> security-level 100
> ip address 192.168.1.1 255.255.255.0
> !
> interface Vlan2
> nameif outside
> security-level 0
> ip address x.x.x.x 255.255.255.252
> !
> same-security-traffic permit inter-interface
> same-security-traffic permit intra-interface
> !
> access-list outside_1_cryptomap extended permit ip host x.x.x.x NOMX
> 255.255.255.254
> access-list inside_nat0_outbound extended permit ip 192.168.1.0
> 255.255.255.0 vpn-network 255.255.255.0
> access-list inside_nat0_outbound extended permit ip NOMX 255.255.255.254
> vpn-network 255.255.255.0
> !
> global (outside) 1 interface
> nat (inside) 0 access-list inside_nat0_outbound
> nat (inside) 1 0.0.0.0 0.0.0.0
> route outside 0.0.0.0 0.0.0.0 x.x.x.x-1
> !
> crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
> !
> crypto map outside_map 1 match address outside_1_cryptomap
> crypto map outside_map 1 set peer y.y.y.y
> crypto map outside_map 1 set transform-set ESP-AES-256-SHA
> crypto map outside_map 1 set reverse-route
>
> Your thoughts would be highly appreciated.
>
> Cheers,
> A.
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

Blogs and organic groups at http://www.ccie.net
Received on Wed Apr 07 2010 - 19:39:21 ART

This archive was generated by hypermail 2.2.0 : Sat May 01 2010 - 09:49:56 ART