Re: traffic routing between SVC vpn clients and L2L IPSec

From: Alexei Monastyrnyi <alexeim73_at_gmail.com>
Date: Wed, 07 Apr 2010 13:16:10 +1000

That was it, Andrey! The traffic indeed comes from outside.

Thanks
Alexei.

On 4/8/2010 12:39 PM, Andrey Tarasov wrote:
> nat (outside) 1 vpn-network 255.255.255.0 is missing.
>
> Regards,
> Andrey.
>
> On Tue, Apr 6, 2010 at 3:14 AM, Alexei Monastyrnyi <alexeim73_at_gmail.com> wrote:
>
>> Hi guys.
>>
>> I just need a fresh look at the scenario below. I have done it so many times
>> that my eyes may be fooled by some wrong assumption. :-) The only difference
>> for this one compared to what I usually do is the NAT/PAT happening on the IPSec
>> tunnel.
>>
>> Cisco ASA 5505 runs code 8.2.1. It accepts SVC VPN clients and also has an
>> IPSec tunnel towards a third party. SVC VPN clients are considered internal,
>> so they don't run any NAT, etc.; they just happily get connected and can
>> access LAN resources behind the ASA, and all is well there. What doesn't work is
>> when SVC clients try to access the third party LAN behind the IPSec
>> tunnel.
>>
>> The IPSec tunnel runs PAT, and all IPs are translated to the outside public IP
>> address x.x.x.x. Don't ask me why; it was not my setup from the beginning.
>> :-) From behind the ASA 5505 (LAN 192.168.1.0/24) there is no problem accessing
>> the third party.
>>
>> I can capture packets from SVC clients towards the third party, but they get
>> black-holed after that. They don't trigger any NAT or IPSec.
>>
>> The NAT/IPSec part is quite straightforward; below is a partial config with
>> the NAT/IPSec details.
>>
>> interface Vlan1
>> nameif inside
>> security-level 100
>> ip address 192.168.1.1 255.255.255.0
>> !
>> interface Vlan2
>> nameif outside
>> security-level 0
>> ip address x.x.x.x 255.255.255.252
>> !
>> same-security-traffic permit inter-interface
>> same-security-traffic permit intra-interface
>> !
>> access-list outside_1_cryptomap extended permit ip host x.x.x.x NOMX 255.255.255.254
>> access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 vpn-network 255.255.255.0
>> access-list inside_nat0_outbound extended permit ip NOMX 255.255.255.254 vpn-network 255.255.255.0
>> !
>> global (outside) 1 interface
>> nat (inside) 0 access-list inside_nat0_outbound
>> nat (inside) 1 0.0.0.0 0.0.0.0
>> route outside 0.0.0.0 0.0.0.0 x.x.x.x-1
>> !
>> crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
>> !
>> crypto map outside_map 1 match address outside_1_cryptomap
>> crypto map outside_map 1 set peer y.y.y.y
>> crypto map outside_map 1 set transform-set ESP-AES-256-SHA
>> crypto map outside_map 1 set reverse-route
>>
>> Your thoughts would be highly appreciated.
>>
>> Cheers,
>> A.
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html

Received on Wed Apr 07 2010 - 13:16:10 ART
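Andrey's one-liner, spelled out as an added example (this is not configuration from the thread; it keeps the page's own names `vpn-network` and `NOMX`, and 10.10.10.5 is an assumed address from the SVC pool used only for the checks). SVC clients terminate on `outside`, and their traffic to NOMX has to U-turn back out of `outside` into the L2L tunnel, so the ASA evaluates it as outside-to-outside traffic. With only `nat (inside) ...` rules configured, that traffic leaves untranslated with its pool source address, which never matches `outside_1_cryptomap` (source `host x.x.x.x`); it is therefore never encrypted and is simply routed like any other outbound packet, which is the black hole the thread describes:

```cisco
! Added example, not the thread's config. vpn-network and NOMX are the names
! used on the page; 10.10.10.5 (an SVC client) and <NOMX-host> are assumed.
!
! Lets a flow that arrives on outside (SVC client) leave on outside (L2L tunnel).
! Already present in the original config.
same-security-traffic permit intra-interface
!
! PAT pool for NAT ID 1 when egressing outside: the interface address x.x.x.x,
! the only source the crypto ACL (and the peer's mirror ACL) will accept.
global (outside) 1 interface
!
! NAT exemption is bidirectional on 8.2, so SVC <-> LAN (192.168.1.0/24)
! traffic keeps its real addresses both ways and is unaffected by the new rule.
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
!
! The missing line: SVC-sourced traffic has ingress interface outside, so it
! needs its own nat rule with ID 1 to be PATed to x.x.x.x on egress outside.
! vpn-network -> NOMX then becomes x.x.x.x -> NOMX, matches outside_1_cryptomap,
! and triggers the L2L SA.
nat (outside) 1 vpn-network 255.255.255.0
!
! Checks (assumed addresses). Expect a NAT phase translating 10.10.10.5 to
! x.x.x.x followed by a VPN (encrypt) phase before the final "Action: allow";
! without the nat (outside) line the VPN phase is absent.
packet-tracer input outside tcp 10.10.10.5 1025 <NOMX-host> 80 detailed
! Encaps counters for the peer should climb while an SVC client sends traffic.
show crypto ipsec sa peer y.y.y.y
! The PAT entry for the client should be visible here.
show xlate | include 10.10.10.5
```

Two practical notes. Because everything toward NOMX is hidden behind x.x.x.x, the third party's mirror ACL does not change and NOMX can never initiate connections to an SVC client; that is the price of the PAT design the original poster inherited. And on a live box the new `nat (outside)` rule only applies to new connections, so a client that was already sending traffic may need its existing translation cleared (`clear xlate`, which drops all current translations, so schedule it) before its flows are re-evaluated.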

This archive was generated by hypermail 2.2.0 : Sat May 01 2010 - 09:49:56 ART