One final reply on this. All works if you set up everything as described in
the link you provided, Ulrik. The issue we had was caused by the remote side
of the IPsec tunnel's ACL not allowing access for the VPN clients' IP block.

Thanks again.

-Lee

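For reference, the configuration the thread converges on, written out as an added example (it is not configuration posted by Lee or Ulrik). It is the local ASA 9.1 side only, using the three address blocks from the original mail; the object names, NAT line numbers, the crypto-map ACL name and the interface names are hypothetical placeholders. The remote Fortinet side is not shown, but its phase-2 selectors and policy must include the VPN pool, which is what turned out to be missing.

```cisco
! Added example, not configuration from the thread. Addresses are the ones
! posted: VPN pool 192.168.95.0/24, local LAN 10.158.95.0/24,
! remote LAN 10.158.58.0/24. Object and ACL names are placeholders.

object network VPN-POOL
 subnet 192.168.95.0 255.255.255.0
object network LOCAL-LAN
 subnet 10.158.95.0 255.255.255.0
object network REMOTE-LAN
 subnet 10.158.58.0 255.255.255.0

! AnyConnect traffic arrives on outside and, for a tunnel-all client headed
! to the IPsec peer, must leave on outside again (hairpin). Without this
! statement the ASA drops the flow.
same-security-traffic permit intra-interface

! Section 1 (manual/twice NAT) is evaluated top-down before auto NAT and
! after-auto rules, so the identity (no-translation) rules go first. If a
! dynamic PAT rule matched earlier it would rewrite the VPN client source
! address and the traffic would no longer match the crypto ACL.
nat (outside,outside) 1 source static VPN-POOL VPN-POOL destination static REMOTE-LAN REMOTE-LAN no-proxy-arp route-lookup
nat (inside,outside) 2 source static LOCAL-LAN LOCAL-LAN destination static REMOTE-LAN REMOTE-LAN no-proxy-arp route-lookup
nat (outside,inside) 3 source static VPN-POOL VPN-POOL destination static LOCAL-LAN LOCAL-LAN no-proxy-arp route-lookup

! Internet access for tunnel-all clients: PAT to the outside interface,
! placed in section 3 (after-auto) so it can never shadow the rules above.
nat (outside,outside) after-auto source dynamic VPN-POOL interface

! Phase-2 selectors must cover the VPN pool as well as the local LAN.
! The remote peer's selectors and its policy ACL must mirror both lines;
! the peer only permitting 10.158.95.0/24 produces exactly the symptom
! in the thread (everything up, VPN clients unable to reach REMOTE LAN).
access-list OUTSIDE_CRYPTOMAP extended permit ip object LOCAL-LAN object REMOTE-LAN
access-list OUTSIDE_CRYPTOMAP extended permit ip object VPN-POOL object REMOTE-LAN
```

To check the local side, `show nat detail` shows the rule order and hit counts, `packet-tracer input outside icmp 192.168.95.7 8 0 10.158.58.10 detailed` should now end with the flow handed to the VPN phase rather than an acl-drop, and `show crypto ipsec sa peer <peer-ip>` should list an SA whose local ident is 192.168.95.0/24 and remote ident 10.158.58.0/24. If that SA never appears while the LAN-to-LAN SA does, the mismatch is on the peer's side, as it was here.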


On Tue, Jul 1, 2014 at 4:43 PM, Lee Starnes <lee.t.star...@gmail.com> wrote:

> Thanks Ulrik.
>
> Confirmed that how that shows to set up is how I have it but still can't
> pass traffic. I suspect the remote office might be filtering it. This was a
> cutover from a Fortinet to an ASA but the other side is still a Fortinet
> when they created the new tunnel. Great link. Thanks for the help.
>
> -Lee
>
>
> On Tue, Jul 1, 2014 at 12:58 AM, Ulrik Ivers <ulrik.iv...@excanto.se>
> wrote:
>
>> Hi,
>>
>> Two things to check:
>>
>> 1. Make sure you have the following in the config:
>> same-security-traffic permit intra-interface
>>
>> 2. Make sure you have the NAT rules configured correctly so that the
>> traffic between the VPN clients and the remote LAN is NOT translated (or in
>> fact is NAT:ed to itself). Also, the order of the NAT rules is
>> important.
>>
>> Here's a pretty good writeup:
>> http://packetpushers.net/cisco-asa-8-38-4-hairpinning-nat-configuration/
>>
>> /Ulrik
>>
>> -----Original Message-----
>> From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of
>> Lee Starnes
>> Sent: 30 June 2014 23:23
>> To: cisco-nsp@puck.nether.net
>> Subject: [c-nsp] ASA5512x VPN route issue
>>
>> Hello,
>>
>> We just set up a new ASA 5512x running v9.1(2). We have about 30 remote
>> AnyConnect SSL VPNs and an IPsec tunnel to a remote LAN. We have been able
>> to get all the VPN connections up and passing traffic such that remote VPNs
>> can reach the LOCAL LAN, the LOCAL LAN can reach the REMOTE LAN, and the VPNs
>> can get Internet access via NAT. The one thing we can't seem to get working
>> is the VPNs reaching the REMOTE LAN. The REMOTE LAN does know about these
>> IP blocks. Doing a packet-tracer, it hangs on the following.
>>
>> Phase: 7
>> Type: WEBVPN-SVC
>> Subtype: in
>> Result: DROP
>> Config:
>> Additional Information:
>>  Forward Flow based lookup yields rule:
>>  in  id=0x7fffa08adb40, priority=70, domain=svc-ib-tunnel-flow, deny=false
>>         hits=450, user_data=0x39000, cs_id=0x0, reverse, flags=0x0,
>> protocol=0
>>         src ip/id=192.168.95.7, mask=255.255.255.255, port=0, tag=0
>>         dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
>>         input_ifc=outside, output_ifc=any
>>
>> Result:
>> input-interface: outside
>> input-status: up
>> input-line-status: up
>> output-interface: inside
>> output-status: up
>> output-line-status: up
>> Action: drop
>> Drop-reason: (acl-drop) Flow is denied by configured rule
>>
>>
>> VPN clients are in 192.168.95.0/24
>> LAN is on 10.158.95.0/24
>> REMOTE LAN is on 10.158.58.0/24
>>
>> VPN clients are set up to tunnel all traffic.
>>
>> Any idea where to look to resolve this one issue?
>>
>>
>> -Lee
>> _______________________________________________
>> cisco-nsp mailing list  cisco-nsp@puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>
>
>