IPSEC VPN Hairpinning/Uturn Problems with internal net connections

Guest

IPSEC VPN Hairpinning/Uturn Problems with internal net connections

Post by Guest » Sat Jan 08, 2011 2:26 pm

I have an ASA 5505 that I connect to remotely. I use this as a remote IPSEC VPN with hairpinning/uturn to allow me to surf the Internet with my home IP address. I am unable to access any of the internal computers on my home network. I have been able to successfully do this in the past on an older ASA IOS, but I am now on a new ASA running 8.21 and I am unable to connect internally. I would like to connect to my Slingbox and Tivo, which are at my home. I have tried pinging both boxes with no luck. In the past, when this worked, I was able to ping the devices. I am attaching my config.

Thanks in advance.

Jon

Guest

Re:IPSEC VPN Hairpinning/Uturn Problems with internal net connections

Post by Guest » Sat Jan 08, 2011 3:33 pm

Jon,

Try this:

access-list LOCAL permit ip 192.168.1.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (outside) 0 access-list LOCAL

Federico.

Guest

Re:IPSEC VPN Hairpinning/Uturn Problems with internal net connections

Post by Guest » Sat Jan 08, 2011 4:59 pm

Federico,

Thanks for the advice. I applied what you recommended and I still have the same problem. Here is the logging information. 192.168.1.6 is my Slingbox and I am remotely connecting via 192.168.1.103.

3|Jan 31 2011|10:51:28|305005|192.168.1.6|5001|||No translation group found for tcp src outside:192.168.1.103/53501 dst inside:192.168.1.6/5001

Guest

Re:IPSEC VPN Hairpinning/Uturn Problems with internal net connections

Post by Guest » Sat Jan 08, 2011 5:25 pm

The problem is definitely NAT. If you can do a test by removing the lines I gave you:

no access-list LOCAL permit ip 192.168.1.0 255.255.255.0 192.168.1.0 255.255.255.0
no nat (outside) 0 access-list LOCAL

And adding:

global (inside) 1 interface
nat (outside) 1 uturn 255.255.255.240 outside

Another thing I would like to mention is that you might want to have a separate non-overlapping range defined for the VPN clients (not 192.168.1.x).

Federico.

Guest

Re:IPSEC VPN Hairpinning/Uturn Problems with internal net connections

Post by Guest » Sat Jan 08, 2011 6:51 pm

I was able to enter the no access-list command. But when I entered the second command (no nat (outside) 0 access-list LOCAL) I get the following error.

Result of the command: "no nat (outside) 0 access-list LOCAL"
ERROR: access-list LOCAL not bound nat 0

The remaining commands seem to work; however, here is my new error when trying to ping the Slingbox.

3|Jan 31 2011|11:18:02|305005|192.168.1.6|5001|||No translation group found for tcp src outside:192.168.1.103/54067 dst inside:192.168.1.6/5001

As for changing the IP range for the VPN clients: since my internal network at home uses 192.168.1.0, if I assign 192.168.2.0 will this cause problems? Would I have to set up any special type of routing/NATing? I am attaching the current config.

Thanks,

Jon

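The overlapping client range raised in the thread can be confirmed from the log itself. The following is an added example, not code from the thread or from any poster: Python that parses 305005 lines in the pipe-delimited format shown in the posts and counts flows whose source arrives on a non-inside interface while carrying an address from the inside network. The 192.168.1.0/24 network and the first two sample lines come from the thread; the function names and the lines marked constructed are assumptions.

```python
import ipaddress
import re
from collections import Counter

INSIDE_NET = ipaddress.ip_network("192.168.1.0/24")  # inside network from the thread

# 305005 message text; ports are optional because ICMP entries carry none.
MSG_305005 = re.compile(
    r"No translation group found for (?P<proto>\w+) "
    r"src (?P<src_if>[\w-]+):(?P<src_ip>[\d.]+)(?:/(?P<src_port>\d+))? "
    r"dst (?P<dst_if>[\w-]+):(?P<dst_ip>[\d.]+)(?:/(?P<dst_port>\d+))?"
)

SAMPLE = [
    # The two log lines quoted in the thread.
    "3|Jan 31 2011|10:51:28|305005|192.168.1.6|5001|||No translation group found for tcp src outside:192.168.1.103/53501 dst inside:192.168.1.6/5001",
    "3|Jan 31 2011|11:18:02|305005|192.168.1.6|5001|||No translation group found for tcp src outside:192.168.1.103/54067 dst inside:192.168.1.6/5001",
    # Constructed lines: an ICMP entry, and a client from a non-overlapping pool.
    "3|Jan 31 2011|11:19:10|305005|192.168.1.6||||No translation group found for icmp src outside:192.168.1.103 dst inside:192.168.1.6 (type 8, code 0)",
    "3|Jan 31 2011|11:20:00|305005|192.168.1.6|5001|||No translation group found for tcp src outside:192.168.2.5/40000 dst inside:192.168.1.6/5001",
]

def parse_305005(line):
    """Return the parsed fields of a pipe-delimited 305005 line, else None."""
    fields = line.strip().split("|", 8)
    if len(fields) < 9 or fields[3] != "305005":
        return None
    m = MSG_305005.search(fields[8])
    return m.groupdict() if m else None

def overlap_hits(lines, inside_net=INSIDE_NET, inside_if="inside"):
    """Count (src, dst, dst_port) flows where a source seen on another
    interface has an address inside the inside network."""
    hits = Counter()
    for line in lines:
        rec = parse_305005(line)
        if rec is None:
            continue
        src = ipaddress.ip_address(rec["src_ip"])
        if rec["src_if"] != inside_if and rec["dst_if"] == inside_if and src in inside_net:
            hits[(rec["src_ip"], rec["dst_ip"], rec["dst_port"])] += 1
    return hits

if __name__ == "__main__":
    for flow, count in overlap_hits(SAMPLE).items():
        print(count, flow)
```
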