sysopt connection permit-vpn is on by default, so they use it.
nat (outside) 1 was missing for VPN clients' source IPs.
Cheers,
A.
On 4/7/2010 9:49 PM, Ryan West wrote:
> Proxy mismatch on remote end or NAT exempt missing are the first
> things that come to mind. Intra-interface covers your outside to
> outside tunnel. I assume you're running sysopt permit-VPN as well.
> Anything of use in the logs?
>
> Sent from handheld.
>
> On Apr 7, 2010, at 6:18 AM, "Alexei Monastyrnyi" <alexeim73_at_gmail.com> wrote:
>
>> Hi guys.
>>
>> I just need a fresh look at the scenario below. I have done it so many
>> times that my eyes may be fooled by some wrong assumption. :-) The
>> only difference for this one compared to what I usually do is NAT/
>> PAT happening on the IPSec tunnel.
>>
>> Cisco ASA 5505 runs code 8.2.1. It accepts SVC VPN clients and also
>> has an IPSec tunnel towards a third party. SVC VPN clients are
>> considered internal so they don't run any NAT etc, they just happily
>> get connected and can access LAN resources behind the ASA, all is
>> well here. What doesn't work is when SVC clients are trying to
>> access a third party LAN behind the IPSec tunnel.
>>
>> IPSec tunnel runs PAT and all IPs are translated to outside public
>> IP address x.x.x.x. Don't ask me why, it was not my setup from the
>> beginning. :-) From behind ASA 5505 (LAN 192.168.1.0/24) there is no
>> problem accessing the third party.
>>
>> I can capture packets from SVC clients towards the third party but
>> they get black-holed after that. They don't trigger any NAT or IPSec.
>>
>> The NAT/IPSec part is quite straightforward, below is a partial
>> config with NAT/IPSec details.
>>
>> interface Vlan1
>> nameif inside
>> security-level 100
>> ip address 192.168.1.1 255.255.255.0
>> !
>> interface Vlan2
>> nameif outside
>> security-level 0
>> ip address x.x.x.x 255.255.255.252
>> !
>> same-security-traffic permit inter-interface
>> same-security-traffic permit intra-interface
>> !
>> access-list outside_1_cryptomap extended permit ip host x.x.x.x NOMX 255.255.255.254
>> access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 vpn-network 255.255.255.0
>> access-list inside_nat0_outbound extended permit ip NOMX 255.255.255.254 vpn-network 255.255.255.0
>> !
>> global (outside) 1 interface
>> nat (inside) 0 access-list inside_nat0_outbound
>> nat (inside) 1 0.0.0.0 0.0.0.0
>> route outside 0.0.0.0 0.0.0.0 x.x.x.x-1
>> !
>> crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
>> !
>> crypto map outside_map 1 match address outside_1_cryptomap
>> crypto map outside_map 1 set peer y.y.y.y
>> crypto map outside_map 1 set transform-set ESP-AES-256-SHA
>> crypto map outside_map 1 set reverse-route
>>
>> Your thoughts would be highly appreciated.
>>
>> Cheers,
>> A.
>>
>> Blogs and organic groups at http://www.ccie.net
>> Subscription information may be found at: http://www.groupstudy.com/list/CCIELab.html
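The fix A. describes, written out as an added ASA 8.2 config fragment together with the checks a practitioner would run afterwards; this is not text from the thread. `vpn-network`, `NOMX`, `x.x.x.x`, `y.y.y.y` and `outside_map` are the names and placeholders from the quoted config; `<vpn-client-ip>` and `<nomx-host>` stand for one address from the SVC pool and one host on the third-party LAN.

```text
! Added example, not from the thread. Names and placeholders follow the quoted config.
! SVC client traffic to NOMX enters on 'outside' and must leave on 'outside' again,
! so it never matches nat (inside) 0 or nat (inside) 1. With nat-control off it is
! forwarded untranslated, never matches the crypto ACL (host x.x.x.x -> NOMX),
! and is therefore never encrypted: the "black hole" seen in the capture.
!
! 1. Hairpinning on one interface must be allowed (already in the quoted config):
same-security-traffic permit intra-interface
!
! 2. PAT the VPN pool to the outside address when it turns around on 'outside',
!    reusing the existing 'global (outside) 1 interface':
nat (outside) 1 vpn-network 255.255.255.0
!
! 3. Do not add a nat (outside) 0 exemption for vpn-network -> NOMX: an exempted
!    packet keeps its pool source address and fails the crypto ACL again.
!
! 4. Decrypted client traffic bypasses the outside ACL only while this is on
!    (it is the default; shown here in case it was ever disabled):
sysopt connection permit-vpn
!
! --- Checks ---
! The new dynamic rule and the global it maps to should both be listed:
show running-config nat
show running-config global
! Simulate one client flow: the NAT phase should translate the source to x.x.x.x
! and the VPN phase should match crypto map outside_map 1 (encrypt):
packet-tracer input outside tcp <vpn-client-ip> 1025 <nomx-host> 80 detailed
! After real traffic, an xlate for the client and the SA counters should appear:
show xlate | include <vpn-client-ip>
show crypto ipsec sa peer y.y.y.y | include pkts
```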
Received on Wed Apr 07 2010 - 13:19:34 ART
This archive was generated by hypermail 2.2.0 : Sat May 01 2010 - 09:49:56 ART