RE: OT: Remote Access VPN 8.4(2)+

From: Ryan West <rwest_at_zyedge.com>
Date: Mon, 26 Mar 2012 09:25:33 +0000

Yeah.. out,out made the most sense to me, but I'm not doing dynamic nat for my
RA clients. So, no entry at all should have worked fine. I think I'll still
go the TAC route to let them know the bug exists in 8.4.3(8) as well.

-ryan

From: Alexei Monastyrnyi [mailto:alexeim73_at_gmail.com]
Sent: Monday, March 26, 2012 5:22 AM
To: Jay McMickle
Cc: Ryan West; CCIE Lab
Subject: Re: OT: Remote Access VPN 8.4(2)+

Depending on your setup, you may need out,out, say if you're coming in as a remote
client and want to go out to, say, an L2L VPN terminated on the same ASA. That L2L
VPN, say, dictates that you have your source address translated ...

On 3/26/2012 7:55 AM, Jay McMickle wrote:

I'm not in front of an ASA, but I don't believe you need the out,out nat.
That's mainly for DNS rewrite.

Have you applied "permit same-security traffic intra"? If the hairpin VPN was
working prior to the upgrade, I doubt it's that. Next, I thought of proxy-arp,
but you mentioned that's been done. The only other item could be your 8.4
equivalent of no-nat.

What does your nat statement look like for the VPN subnets?

Regards,

Jay McMickle- CCNP,CCSP,CCDP

Sent from iJay

On Mar 25, 2012, at 2:10 PM, Ryan West <rwest_at_zyedge.com> wrote:

Before I go the TAC route, I'm wondering if anyone has come across this one.
I was running 8.4(1)11 and had fully migrated all NAT rules to working 8.3+
versions. After the upgrade to 8.4(3), I ran into issues with proxy-arp, which
have been solved. Remote access VPNs with destinations across site to site
tunnels is where I'm stuck. A twice nat (outside,outside) makes sense to me,
but does not work. The previous method of no nat that translates into a twice
nat is also failing.

Has anyone come across this type of config and can post a sanitized snippet
for the twice nat?

For illustration, let's say my ip local pool is 10.1.1.0/24 and the fw has a
site to site tunnel to 10.1.2.0/24. Assume that I have same-security permit
intra-interface already configured as well. I'll post configs later.

Thanks!

-ryan

Sent from handheld
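As an added illustration (not a config posted in this thread), this is the shape of the 8.4(2)+ twice NAT identity rule for the hairpinned remote-access-to-L2L case using the subnets Ryan gives; object, ACL and crypto map names are hypothetical, and the crypto map sequence number is a placeholder.

```cisco
! Hairpin: RA client enters on outside and leaves on outside toward the L2L peer
same-security-traffic permit intra-interface

! Constructed objects for the example subnets (names are hypothetical)
object network RA-POOL
 subnet 10.1.1.0 255.255.255.0
object network REMOTE-SITE
 subnet 10.1.2.0 255.255.255.0

! Identity twice NAT (outside,outside): keep VPN addresses untranslated in both
! directions; no-proxy-arp avoids the ASA answering ARP for the pool, and
! route-lookup (8.4(2)+) makes egress interface selection use the routing table.
nat (outside,outside) source static RA-POOL RA-POOL destination static REMOTE-SITE REMOTE-SITE no-proxy-arp route-lookup

! The L2L crypto ACL must cover the RA pool as interesting traffic, or the
! hairpinned packets are never encrypted toward the remote site.
access-list L2L-TO-REMOTE extended permit ip object RA-POOL object REMOTE-SITE
crypto map OUTSIDE-MAP 10 match address L2L-TO-REMOTE

! Checks: confirm the rule is hit and the packet is routed into the L2L tunnel
! (packet-tracer shows which NAT line matched and the VPN encrypt phase).
! show nat detail
! packet-tracer input outside icmp 10.1.1.10 8 0 10.1.2.10 detailed
```

If the RA group policy uses split tunneling, 10.1.2.0/24 also has to be in the split-tunnel list or the client never sends that traffic into the tunnel.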

Received on Mon Mar 26 2012 - 09:25:33 ART