IPSEC VPN Hairpinning/Uturn Problems with internal net connections

Re:IPSEC VPN Hairpinning/Uturn Problems with internal net connections

by Guest » Sun Jan 09, 2011 1:27 am

Success! My apologies, reading your last post I disabled my ICMP access list, which resulted in blocked pings. Additionally, my Slingbox went offline, so I was pinging a nonexistent IP. I cleaned out the NAT rules like you said and it works.

Thanks again for your patience.

Jon

Re:IPSEC VPN Hairpinning/Uturn Problems with internal net connections

by Guest » Sun Jan 09, 2011 12:43 am

Still no luck.

3|Jan 31 2011|21:34:02|305006|192.168.1.6||||portmap translation creation failed for icmp src outside:192.168.2.25 dst inside:192.168.1.6 (type 8, code 0)
3|Jan 31 2011|21:34:01|305006|192.168.1.6||||portmap translation creation failed for icmp src outside:192.168.2.25 dst inside:192.168.1.6 (type 8, code 0)
3|Jan 31 2011|21:34:00|305006|192.168.1.6||||portmap translation creation failed for icmp src outside:192.168.2.25 dst inside:192.168.1.6 (type 8, code 0)

Does the global (outside) 1 interface need to be in there? I attached the latest running config.

Thanks again.

Jon

Re:IPSEC VPN Hairpinning/Uturn Problems with internal net connections

by Guest » Sun Jan 09, 2011 12:23 am

Jon,

If you're able to PING 192.168.1.1 from the VPN client, it means traffic is reaching the ASA's inside interface correctly. Now, the ASA should forward the packets to 192.168.1.6 when received.

Do this: just add the keyword outside to this statement:

nat (outside) 1 192.168.2.0 255.255.255.0 outside

Try again. If it does not work, make sure the only NAT statements that you have are the following (you can copy/paste):

access-list NAT0OUT permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list NAT0IN permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
no global (inside) 1 interface
nat (inside) 0 access-list NAT0IN
nat (inside) 1 192.168.1.0 255.255.255.0
nat (outside) 0 access-list NAT0OUT
nat (outside) 1 192.168.2.0 255.255.255.0

Federico.

Re:IPSEC VPN Hairpinning/Uturn Problems with internal net connections

by Guest » Sun Jan 09, 2011 12:20 am

Attached the latest config. Still no luck. I am able to ping 192.168.1.1 but not 192.168.1.6 (which I know is up and running). Here are the current firewall logs when I try to ping .6:

3|Jan 31 2011|13:25:24|305005|192.168.1.6||||No translation group found for icmp src outside:192.168.2.25 dst inside:192.168.1.6 (type 8, code 0)
3|Jan 31 2011|13:25:23|305005|192.168.1.6||||No translation group found for icmp src outside:192.168.2.25 dst inside:192.168.1.6 (type 8, code 0)
3|Jan 31 2011|13:25:22|305005|192.168.1.6||||No translation group found for icmp src outside:192.168.2.25 dst inside:192.168.1.6 (type 8, code 0)
3|Jan 31 2011|13:25:21|305005|192.168.1.6||||No translation group found for icmp src outside:192.168.2.25 dst inside:192.168.1.6 (type 8, code 0)
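The pipe-delimited log lines quoted in this thread can be split and grouped per flow, which makes it easy to see which source/destination pair is missing a translation and whether the message changed after a NAT edit. This is an added example, not part of any post in the thread; the field names and the helpers `parse_records` and `summarize` are assumptions inferred from the quoted lines.

```python
import re
from collections import Counter

# One record: severity|date|time|syslog id|ip||||description
# Field names are assumptions inferred from the lines quoted in the thread.
RECORD = re.compile(
    r"(?P<sev>[0-7])\|(?P<date>[A-Z][a-z]{2} \d{1,2} \d{4})\|"
    r"(?P<time>\d{2}:\d{2}:\d{2})\|(?P<msgid>\d{6})\|(?P<ip>[\d.]*)\|\|\|\|"
    # The description runs until the next record header or end of input,
    # so records pasted without line breaks are still separated.
    r"(?P<text>.*?)(?=\s*[0-7]\|[A-Z][a-z]{2} \d{1,2} \d{4}\||\s*$)",
    re.S,
)
FLOW = re.compile(
    r"for (?P<proto>\w+) src (?P<src_if>[\w-]+):(?P<src>[\d.]+)(?:/\d+)?"
    r" dst (?P<dst_if>[\w-]+):(?P<dst>[\d.]+)(?:/\d+)?"
)

def parse_records(raw):
    """Yield one dict per log record found in raw (newlines optional)."""
    for m in RECORD.finditer(raw):
        rec = m.groupdict()
        flow = FLOW.search(rec["text"])
        rec["flow"] = flow.groupdict() if flow else None
        yield rec

def summarize(raw):
    """Count records per (syslog id, source, destination)."""
    counts = Counter()
    for rec in parse_records(raw):
        f = rec["flow"]
        if f:
            key = (rec["msgid"], f"{f['src_if']}:{f['src']}", f"{f['dst_if']}:{f['dst']}")
            counts[key] += 1
    return counts

# Sample built from lines quoted in the thread; the first two are run together
# on purpose, the way they appear when pasted without line breaks.
_TAIL = " for icmp src outside:192.168.2.25 dst inside:192.168.1.6 (type 8, code 0)"
SAMPLE = (
    "3|Jan 31 2011|13:25:24|305005|192.168.1.6||||No translation group found" + _TAIL
    + "3|Jan 31 2011|13:25:23|305005|192.168.1.6||||No translation group found" + _TAIL + "\n"
    + "3|Jan 31 2011|21:34:02|305006|192.168.1.6||||portmap translation creation failed" + _TAIL + "\n"
)

if __name__ == "__main__":
    for (msgid, src, dst), n in summarize(SAMPLE).most_common():
        print(f"{msgid}  {src} -> {dst}  x{n}")
```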

Re:IPSEC VPN Hairpinning/Uturn Problems with internal net connections

by Guest » Sat Jan 08, 2011 10:48 pm

I would only leave these ones:

nat (inside) 0 access-list NAT0IN0
nat (inside) 1 192.168.1.0 255.255.255.0
nat (outside) 0 access-list NAT0OUT
nat (outside) 1 192.168.2.0 255.255.255.0

Also, please confirm that when connected via VPN, the VPN client can PING 192.168.1.1 (inside IP of the ASA). Please confirm that the VPN client is able to get to the Internet with the current config... and that it is able to PING the above IP.

Federico.
