Depending on your setup, you may need out,out, say if you are coming in as a
remote client and want to go out, say, an L2L VPN terminated on the same
ASA. That L2L VPN, say, dictates you have your source address translated ...

On 3/26/2012 7:55 AM, Jay McMickle wrote:
> I'm not in front of an ASA, but I don't believe you need the out,out nat. That's mainly for DNS rewrite.
>
> Have you applied "permit same-security traffic intra"? If the hairpin VPN was working prior to the upgrade, I doubt it's that. Next, I thought of proxy-arp, but you mentioned that's been done. The only other item could be your 8.4 equivalent of no-nat.
>
> What does your nat statement look like for the VPN subnets?
>
> Regards,
> Jay McMickle- CCNP,CCSP,CCDP
> Sent from iJay
>
> On Mar 25, 2012, at 2:10 PM, Ryan West<rwest_at_zyedge.com> wrote:
>
>> Before I go the TAC route, I'm wondering if anyone has come across this one. I was running 8.4(1)11 and had fully migrated all NAT rules to working 8.3+ versions. After the upgrade to 8.4(3), I ran into issues with proxy-arp, which have been solved. Remote access VPNs with destinations across site to site tunnels is where I'm stuck. A twice nat (outside,outside) makes sense to me, but does not work. The previous method of no nat that translates into a twice nat is also failing.
>>
>> Has anyone come across this type of config and can post a sanitized snippet for the twice nat?
>>
>> For illustration, let's say my ip local pool is 10.1.1.0/24 and the fw has a site to site tunnel to 10.1.2.0/24. Assume that I have same-security permit intra-interface already configured as well. I'll post configs later.
>>
>> Thanks!
>>
>> -ryan
>>
>> Sent from handheld
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
Received on Mon Mar 26 2012 - 20:22:13 ART
This archive was generated by hypermail 2.2.0 : Sun Apr 01 2012 - 07:56:52 ART