Thanks Ulrik. Confirmed that how that shows to set it up is how I have it, but I still can't pass traffic. I suspect the remote office might be filtering it. This was a cutover from a Fortinet to an ASA, but the other side is still a Fortinet when they created the new tunnel. Great link. Thanks for the help.
-Lee

On Tue, Jul 1, 2014 at 12:58 AM, Ulrik Ivers <ulrik.iv...@excanto.se> wrote:
> Hi,
>
> Two things to check:
>
> 1. Make sure you have the following in the config:
>    same-security-traffic permit intra-interface
>
> 2. Make sure you have the NAT rules configured correctly so that the
> traffic between the VPN clients and the remote LAN is NOT translated (or in
> fact is NAT:ed to itself). Also, the order of the NAT rules is
> important.
>
> Here's a pretty good writeup:
> http://packetpushers.net/cisco-asa-8-38-4-hairpinning-nat-configuration/
>
> /Ulrik
>
> -----Original Message-----
> From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of
> Lee Starnes
> Sent: 30 June 2014 23:23
> To: cisco-nsp@puck.nether.net
> Subject: [c-nsp] ASA5512x VPN route issue
>
> Hello,
>
> We just set up a new ASA 5512x running v9.1(2). We have about 30 remote
> AnyConnect SSL VPNs and an IPsec tunnel to a remote LAN. We have been able
> to get all the VPN connections up and passing traffic such that remote VPNs
> can reach the LOCAL LAN, the LOCAL LAN can reach the REMOTE LAN, and the VPNs
> can get Internet access via NAT. The one thing we can't seem to get working
> is the VPNs reaching the REMOTE LAN. The REMOTE LAN does know about these
> IP blocks. Doing a packet-tracer, it hangs on the following.
>
> Phase: 7
> Type: WEBVPN-SVC
> Subtype: in
> Result: DROP
> Config:
> Additional Information:
> Forward Flow based lookup yields rule:
> in id=0x7fffa08adb40, priority=70, domain=svc-ib-tunnel-flow, deny=false
> hits=450, user_data=0x39000, cs_id=0x0, reverse, flags=0x0,
> protocol=0
> src ip/id=192.168.95.7, mask=255.255.255.255, port=0, tag=0
> dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
> input_ifc=outside, output_ifc=any
>
> Result:
> input-interface: outside
> input-status: up
> input-line-status: up
> output-interface: inside
> output-status: up
> output-line-status: up
> Action: drop
> Drop-reason: (acl-drop) Flow is denied by configured rule
>
>
> VPN clients are in 192.168.95.0/24
> LAN is on 10.158.95.0/24
> REMOTE LAN is on 10.158.58.0/24
>
> VPN clients are set up to tunnel all traffic.
>
> Any idea where to look to resolve this one issue?
>
>
> -Lee
> _______________________________________________
> cisco-nsp mailing list cisco-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
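The hairpin Ulrik describes (intra-interface permit, a NAT exemption that is evaluated before the clients' Internet PAT) together with the piece Lee's follow-up points at (the site-to-site selectors on both the ASA and the Fortinet must include the client pool), written out as an added ASA 9.1 configuration example. This is assembled for this thread and was not posted by either participant; the subnets are the ones from Lee's mail, while the object, ACL and crypto-map names (VPN_CLIENTS, LOCAL_LAN, REMOTE_LAN, L2L_REMOTE, outside_map), the peer address 203.0.113.1 and the shape of the existing Internet PAT are assumptions.

```cisco
! Added example, not from the thread. ASA 9.1: hairpin AnyConnect clients
! (192.168.95.0/24, tunnel-all, terminating on "outside") into the
! site-to-site tunnel that carries 10.158.58.0/24.
! Names, the peer 203.0.113.1 and the PAT line are assumptions.

! 1. Permit traffic that arrived on "outside" to leave on "outside" again.
same-security-traffic permit intra-interface

object network VPN_CLIENTS
 subnet 192.168.95.0 255.255.255.0
object network LOCAL_LAN
 subnet 10.158.95.0 255.255.255.0
object network REMOTE_LAN
 subnet 10.158.58.0 255.255.255.0

! 2. Identity (no-translate) twice-NAT for client -> remote LAN. "1" puts it
!    at the top of section 1 so it is matched before the dynamic PAT below.
!    If the PAT wins instead, the client source is rewritten to the outside
!    address and the packet no longer matches the crypto ACL.
nat (outside,outside) 1 source static VPN_CLIENTS VPN_CLIENTS destination static REMOTE_LAN REMOTE_LAN no-proxy-arp route-lookup
! Assumed form of the already-working client -> Internet PAT; it must stay
! after the exemption in the NAT table ("show nat" prints the order).
nat (outside,outside) source dynamic VPN_CLIENTS interface

! 3. The crypto ACL needs a line for the client pool as well as the local
!    LAN, and the Fortinet's phase 2 selectors must mirror both lines.
!    If only the first line exists on either side, the flow is dropped.
access-list L2L_REMOTE extended permit ip object LOCAL_LAN object REMOTE_LAN
access-list L2L_REMOTE extended permit ip object VPN_CLIENTS object REMOTE_LAN
crypto map outside_map 10 match address L2L_REMOTE
crypto map outside_map 10 set peer 203.0.113.1

! Checks:
!   show nat
!     -> the exemption line must show translate_hits for a test flow.
!   show crypto ipsec sa peer 203.0.113.1
!     -> a second SA pair with local ident 192.168.95.0/24 and remote ident
!        10.158.58.0/24 must exist; #pkts encaps rising with #pkts decaps
!        stuck at 0 means the ASA is sending and the far end is dropping.
!   show running-config sysopt
!     -> if "no sysopt connection permit-vpn" is present, decrypted VPN
!        traffic is subject to the outside interface ACL and that ACL must
!        also permit 192.168.95.0/24 -> 10.158.58.0/24.
```

Worth knowing when reading the result: with the exemption placed at NAT line 1 and the second SA coming up, a remaining failure that shows encaps but no decaps on the ASA is on the Fortinet side, which is consistent with the filtering Lee suspects in his reply.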