test-fw1# show asp drop
Frame drop:
Last clearing: 05:41:27 EDT Mar 26 2012 by rwest
Flow drop:
Last clearing: 05:41:27 EDT Mar 26 2012 by rwest
Send through some pings...
test-fw1# show asp drop
Frame drop:
Flow is denied by configured rule (acl-drop) 14
First TCP packet not SYN (tcp-not-syn) 2
Last clearing: 05:41:27 EDT Mar 26 2012 by rwest
Flow drop:
Expired VPN context (vpn-context-expired) 8
4 pings, 8 drops.
-ryan
-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Ryan West
Sent: Monday, March 26, 2012 5:26 AM
To: alexeim73_at_gmail.com; Jay McMickle
Cc: CCIE Lab
Subject: RE: OT: Remote Access VPN 8.4(2)+
Yeah.. out,out made the most sense to me, but I'm not doing dynamic nat for my RA clients. So, no entry at all should have worked fine. I think I'll still go the TAC route to let them know the bug exists in 8.4.3(8) as well.
-ryan
From: Alexei Monastyrnyi [mailto:alexeim73_at_gmail.com]
Sent: Monday, March 26, 2012 5:22 AM
To: Jay McMickle
Cc: Ryan West; CCIE Lab
Subject: Re: OT: Remote Access VPN 8.4(2)+
depending on your setup, you may need out,out, say if you're coming in as a remote client and want to go out to, say, an L2L VPN terminated on the same ASA. That L2L VPN, say, dictates you have your source address translated ...
On 3/26/2012 7:55 AM, Jay McMickle wrote:
I'm not in front of an ASA, but I don't believe you need the out,out nat.
That's mainly for DNS rewrite.
Have you applied "permit same-security traffic intra"? If the hairpin VPN was working prior to the upgrade, I doubt it's that. Next, I thought of proxy-arp, but you mentioned that's been done. The only other item could be your 8.4 equivalent of no-nat.
What does your nat statement look like for the VPN subnets?
Regards,
Jay McMickle- CCNP,CCSP,CCDP
Sent from iJay
On Mar 25, 2012, at 2:10 PM, Ryan West <rwest_at_zyedge.com> wrote:
Before I go the TAC route, I'm wondering if anyone has come across this one.
I was running 8.4(1)11 and had fully migrated all NAT rules to working 8.3+ versions. After the upgrade to 8.4(3), I ran into issues with proxy-arp, which have been solved. Remote access VPNs with destinations across site to site tunnels is where I'm stuck. A twice nat (outside,outside) makes sense to me, but does not work. The previous method of no nat that translates into a twice nat is also failing.
Has anyone come across this type of config and can post a sanitized snippet for the twice nat?
For illustration, let's say my ip local pool is 10.1.1.0/24 and the fw has a site to site tunnel to 10.1.2.0/24. Assume that I have same-security permit intra-interface already configured as well. I'll post configs later.
Thanks!
-ryan
Sent from handheld
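A sanitized twice NAT snippet of the kind asked for above, added here as an illustration; it is not taken from any poster's configuration. It uses the 10.1.1.0/24 pool and 10.1.2.0/24 remote subnet from the question, and assumes the remote access clients and the L2L tunnel both terminate on an interface named outside; the object and ACL names are made up for the example.

```cisco
! Added illustration, not any poster's configuration. Assumes the RA clients
! and the L2L tunnel both terminate on the interface named "outside".
object network RA-POOL
 subnet 10.1.1.0 255.255.255.0
object network L2L-REMOTE
 subnet 10.1.2.0 255.255.255.0
!
! Hairpin: allow traffic to enter and leave the same interface.
same-security-traffic permit intra-interface
!
! Identity twice NAT, the 8.3+ replacement for "nat 0 access-list":
! source and destination are both translated to themselves, so the
! client address reaches the L2L tunnel untouched. route-lookup (8.4(2)+)
! makes the ASA choose the egress interface from the routing table rather
! than from the NAT rule; no-proxy-arp stops the ASA from answering ARP
! for the pool on the outside segment.
nat (outside,outside) source static RA-POOL RA-POOL destination static L2L-REMOTE L2L-REMOTE no-proxy-arp route-lookup
!
! The L2L crypto ACL (and its mirror on the far end) must also cover the
! pool, or the hairpinned packet is never matched to the tunnel.
access-list L2L-TRAFFIC extended permit ip object RA-POOL object L2L-REMOTE
!
! Check: simulate a client packet and confirm the NAT and VPN phases pass.
packet-tracer input outside icmp 10.1.1.10 8 0 10.1.2.10 detailed
```

If packet-tracer shows the flow dropped, compare its drop reason with the counters in show asp drop; a manual NAT rule like this sits in section 1, so it is matched before any dynamic NAT for the same traffic.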
Received on Mon Mar 26 2012 - 09:43:40 ART