Re: [c-nsp] ASA5512x VPN route issue

2014-07-02 Thread Lee Starnes
One final reply on this. All works if you set up everything as described in
the link you provided, Ulrik. The issue we had was caused by the remote side
of the IPsec tunnel ACL not allowing access for the VPN clients' IP block.

Thanks again.

-Lee



On Tue, Jul 1, 2014 at 4:43 PM, Lee Starnes lee.t.star...@gmail.com wrote:

 Thanks Ulrik.

 Confirmed that how that shows to set up is how I have it but still can't
 pass traffic. I suspect the remote office might be filtering it. This was a
 cutover from a Fortinet to an ASA but the other side is still a Fortinet
 when they created the new tunnel. Great link. Thanks for the help.

 -Lee


 On Tue, Jul 1, 2014 at 12:58 AM, Ulrik Ivers ulrik.iv...@excanto.se
 wrote:

 Hi,

 Two things to check:

 1. Make sure you have the following in the config:
 same-security-traffic permit intra-interface

 2. Make sure you have the NAT rules configured correctly so that the
 traffic between the VPN clients and the remote LAN is NOT translated (or in
 fact are NAT:ed to themselves). Also, the order of the NAT rules is
 important.

 Here's a pretty good writeup:
 http://packetpushers.net/cisco-asa-8-38-4-hairpinning-nat-configuration/

 /Ulrik

 -Original Message-
 From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of
 Lee Starnes
 Sent: 30 June 2014 23:23
 To: cisco-nsp@puck.nether.net
 Subject: [c-nsp] ASA5512x VPN route issue

 Hello,

 We just set up a new ASA 5512x running v9.1(2). We have about 30 remote
 AnyConnect SSL VPNs and an IPsec tunnel to a remote LAN. We have been able
 to get all the VPN connections up and passing traffic such that remote VPNs
 can reach the LOCAL LAN. The LOCAL LAN can reach the REMOTE LAN, the VPNs
 can get Internet access via NAT. The one thing we can't seem to get working
 is the VPNs to reach the REMOTE LAN. The REMOTE LAN does know about these
 IP blocks. Doing a packet-tracer, it hangs on the following.

 Phase: 7
 Type: WEBVPN-SVC
 Subtype: in
 Result: DROP
 Config:
 Additional Information:
  Forward Flow based lookup yields rule:
  in  id=0x7fffa08adb40, priority=70, domain=svc-ib-tunnel-flow, deny=false
 hits=450, user_data=0x39000, cs_id=0x0, reverse, flags=0x0,
 protocol=0
 src ip/id=192.168.95.7, mask=255.255.255.255, port=0, tag=0
 dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
 input_ifc=outside, output_ifc=any

 Result:
 input-interface: outside
 input-status: up
 input-line-status: up
 output-interface: inside
 output-status: up
 output-line-status: up
 Action: drop
 Drop-reason: (acl-drop) Flow is denied by configured rule


 VPN clients are in 192.168.95.0/24
 LAN is on 10.158.95.0/24
 REMOTE LAN is on 10.158.58.0/24

 VPN clients are set up to tunnel all traffic.

 Any idea where to look to resolve this one issue?


 -Lee
 ___
 cisco-nsp mailing list  cisco-nsp@puck.nether.net
 https://puck.nether.net/mailman/listinfo/cisco-nsp
 archive at http://puck.nether.net/pipermail/cisco-nsp/



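Ulrik's two checks and the root cause Lee reported, written out as an ASA 8.3+/9.x configuration fragment. This is an added illustration, not configuration from the thread: the subnets and the inside/outside interface names are Lee's, while the object names, the ACL and crypto-map names, the transform set, the peer address and the packet-tracer destination host are placeholders; IKEv1 is assumed, and the IKE policy and tunnel-group are left out.

```cisco
! Added example (not from the thread). Subnets and interface names are Lee's;
! object/ACL/crypto-map names, the peer and the test host are placeholders.
object network VPN_POOL
 subnet 192.168.95.0 255.255.255.0
object network LOCAL_LAN
 subnet 10.158.95.0 255.255.255.0
object network REMOTE_LAN
 subnet 10.158.58.0 255.255.255.0
!
! Check 1: AnyConnect traffic bound for the remote LAN enters and leaves
! on "outside" (hairpin), which the ASA refuses unless explicitly allowed.
same-security-traffic permit intra-interface
!
! Check 2: identity (no-NAT) rules for the tunnelled flows. Manual NAT
! rules live in section 1 and are matched top-down, so they must sit above
! the dynamic PAT; "after-auto" moves that PAT into section 3.
nat (inside,outside) source static LOCAL_LAN LOCAL_LAN destination static REMOTE_LAN REMOTE_LAN no-proxy-arp route-lookup
nat (outside,inside) source static VPN_POOL VPN_POOL destination static LOCAL_LAN LOCAL_LAN no-proxy-arp route-lookup
nat (outside,outside) source static VPN_POOL VPN_POOL destination static REMOTE_LAN REMOTE_LAN no-proxy-arp route-lookup
! Internet access for the VPN clients via PAT on the outside address
nat (outside,outside) after-auto source dynamic VPN_POOL interface
!
! The site-to-site crypto ACL must carry the VPN pool as a second selector,
! and the peer (the Fortinet in this thread) must mirror both entries; the
! missing pool on the remote side was the cause Lee found.
access-list L2L_REMOTE extended permit ip object LOCAL_LAN object REMOTE_LAN
access-list L2L_REMOTE extended permit ip object VPN_POOL object REMOTE_LAN
crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address L2L_REMOTE
crypto map OUTSIDE_MAP 10 set peer 203.0.113.1
crypto map OUTSIDE_MAP 10 set ikev1 transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside
!
! Re-run the flow that was dropping in Lee's trace (client 192.168.95.7
! to a constructed host on the remote LAN) and expect "Action: allow".
packet-tracer input outside tcp 192.168.95.7 1025 10.158.58.10 445
```

If the ASA side now allows the flow but traffic still fails, the remaining place to look is the peer's phase 2 selectors, which must list 192.168.95.0/24 as well as 10.158.95.0/24.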


Re: [c-nsp] ASA5512x VPN route issue

2014-07-01 Thread Ulrik Ivers
Hi,

Two things to check:

1. Make sure you have the following in the config:
same-security-traffic permit intra-interface

2. Make sure you have the NAT rules configured correctly so that the traffic 
between the VPN clients and the remote LAN is NOT translated (or in fact are 
NAT:ed to themselves). Also, the order of the NAT rules is important.

Here's a pretty good writeup:
http://packetpushers.net/cisco-asa-8-38-4-hairpinning-nat-configuration/

/Ulrik



Re: [c-nsp] ASA5512x VPN route issue

2014-07-01 Thread Lee Starnes
Thanks Ulrik.

Confirmed that how that shows to set up is how I have it but still can't
pass traffic. I suspect the remote office might be filtering it. This was a
cutover from a Fortinet to an ASA but the other side is still a Fortinet
when they created the new tunnel. Great link. Thanks for the help.

-Lee

