IPSEC VPN Hairpinning/Uturn Problems with internal net connections
I have an ASA 5505 that I connect to remotely. I use this as a remote IPSEC VPN with hairpinning/uturn to allow me to surf the Internet with my home IP address. I am unable to access any of the internal computers on my home network. I have been able to successfully do this in the past on an older ASA IOS, but I am now on a new ASA running 8.21 and I am unable to connect internally. I would like to connect to my Slingbox and Tivo, which are at my home. I have tried pinging both boxes and no luck. In the past, when this worked, I was able to ping the devices. I am attaching my config. Thanks in advance. Jon
Re:IPSEC VPN Hairpinning/Uturn Problems with internal net connections
Jon, Try this:

    access-list LOCAL permit ip 192.168.1.0 255.255.255.0 192.168.1.0 255.255.255.0
    nat (outside) 0 access-list LOCAL

Federico.
Re:IPSEC VPN Hairpinning/Uturn Problems with internal net connections
Federico, Thanks for the advice. I applied what you recommended and I still have the same problem. Here is the logging information. 192.168.1.6 is my slingbox and I am remotely connecting via 192.168.1.103.

    3|Jan 31 2011|10:51:28|305005|192.168.1.6|5001|||No translation group found for tcp src outside:192.168.1.103/53501 dst inside:192.168.1.6/5001
Re:IPSEC VPN Hairpinning/Uturn Problems with internal net connections
The problem is definitely NAT. If you can do a test by removing the lines I gave you:

    no access-list LOCAL permit ip 192.168.1.0 255.255.255.0 192.168.1.0 255.255.255.0
    no nat (outside) 0 access-list LOCAL

And adding:

    global (inside) 1 interface
    nat (outside) 1 uturn 255.255.255.240 outside

Another thing I would like to mention is that you might want to have a separate non-overlapping range defined for the VPN clients (not 192.168.1.x).

Federico.
Re:IPSEC VPN Hairpinning/Uturn Problems with internal net connections
I was able to enter the no access list command. But when I entered the second command (no nat (outside) 0 access-list LOCAL) I get the following error.

    Result of the command: "no nat (outside) 0 access-list LOCAL"
    ERROR: access-list LOCAL not bound nat 0

The remaining commands seem to work, however here is my new error when trying to ping the Slingbox.

    3|Jan 31 2011|11:18:02|305005|192.168.1.6|5001|||No translation group found for tcp src outside:192.168.1.103/54067 dst inside:192.168.1.6/5001

As for changing the IP range for the VPN clients. Since my internal network at home uses 192.168.1.0, if I assign 192.168.2.0 will this cause problems? Would I have to set up any special type of routing/NATing? I am attaching the current config.

Thanks, Jon
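
Added example, not part of the original posts: a small Python triage script that parses the 305005 log lines quoted in this thread and flags flows whose source arrives on one interface but sits inside the inside subnet, the overlap between the VPN client range and 192.168.1.x that the thread points to. The function names, the 192.168.2.0/24 pool, and the last two sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re

# Flow part of ASA message 305005, as it appears in the thread's log lines.
# The port is optional so ICMP flows (no /port) also parse.
FLOW_RE = re.compile(
    r"No translation group found for (?P<proto>\w+) "
    r"src (?P<src_if>[^:\s]+):(?P<src_ip>[\d.]+)(?:/(?P<src_port>\d+))? "
    r"dst (?P<dst_if>[^:\s]+):(?P<dst_ip>[\d.]+)(?:/(?P<dst_port>\d+))?"
)

def parse_305005(line):
    """Return the flow from a pipe-delimited 305005 log line, else None."""
    fields = line.strip().split("|")
    if len(fields) < 9 or fields[3] != "305005":
        return None
    m = FLOW_RE.search(fields[-1])
    if m is None:
        return None
    flow = m.groupdict()
    for key in ("src_ip", "dst_ip"):
        flow[key] = ipaddress.ip_address(flow[key])
    return flow

def overlapping_flows(lines, inside_net):
    """Flows that cross interfaces while both ends sit in inside_net."""
    net = ipaddress.ip_network(inside_net)
    flows = [parse_305005(l) for l in lines]
    return [f for f in flows if f and f["src_if"] != f["dst_if"]
            and f["src_ip"] in net and f["dst_ip"] in net]

SAMPLE = [
    # The first two lines are the ones quoted in the thread.
    "3|Jan 31 2011|10:51:28|305005|192.168.1.6|5001|||No translation group found for tcp src outside:192.168.1.103/53501 dst inside:192.168.1.6/5001",
    "3|Jan 31 2011|11:18:02|305005|192.168.1.6|5001|||No translation group found for tcp src outside:192.168.1.103/54067 dst inside:192.168.1.6/5001",
    # Constructed: client from an assumed non-overlapping pool (192.168.2.0/24).
    "3|Jan 31 2011|11:20:00|305005|192.168.1.6|5001|||No translation group found for tcp src outside:192.168.2.5/54100 dst inside:192.168.1.6/5001",
    # Constructed: ICMP form of the same message, which carries no ports.
    "3|Jan 31 2011|11:21:00|305005|192.168.1.6||||No translation group found for icmp src outside:192.168.1.103 dst inside:192.168.1.6 (type 8, code 0)",
]

if __name__ == "__main__":
    for f in overlapping_flows(SAMPLE, "192.168.1.0/24"):
        print(f"{f['proto']} {f['src_if']}:{f['src_ip']} -> "
              f"{f['dst_if']}:{f['dst_ip']} overlaps the inside subnet")
```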