IPSEC VPN Hairpinning/Uturn Problems with internal net connections

Postby Guest » Sat Jan 08, 2011 1:26 pm

I have an ASA 5505 that I connect to remotely. I use this as a remote IPSEC VPN with hairpinning/uturn to allow me to surf the Internet with my home IP address.

I am unable to access any of the internal computers on my home network. I have been able to successfully do this in the past on an older ASA IOS, but I am now on a new ASA running 8.21 and I am unable to connect internally.

I would like to connect to my Slingbox and Tivo which is at my home. I have tried pinging both boxes and no luck. In the past, when this worked I was able to ping the devices.

I am attaching my config.

Thanks in advance.

Jon


Re:IPSEC VPN Hairpinning/Uturn Problems with internal net connections

Postby Guest » Sat Jan 08, 2011 2:33 pm

Jon,

Try this:

access-list LOCAL permit ip 192.168.1.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (outside) 0 access-list LOCAL

Federico.


Re:IPSEC VPN Hairpinning/Uturn Problems with internal net connections

Postby Guest » Sat Jan 08, 2011 3:59 pm

Federico,

Thanks for the advice. I applied what you recommended and I still have the same problem. Here is the logging information. 192.168.1.6 is my slingbox and I am remotely connecting via 192.168.1.103.

3|Jan 31 2011|10:51:28|305005|192.168.1.6|5001|||No translation group found for tcp src outside:192.168.1.103/53501 dst inside:192.168.1.6/5001


Re:IPSEC VPN Hairpinning/Uturn Problems with internal net connections

Postby Guest » Sat Jan 08, 2011 4:25 pm

The problem is definitely NAT.
If you can do a test by removing the lines I gave you:
no access-list LOCAL permit ip 192.168.1.0 255.255.255.0 192.168.1.0 255.255.255.0
no nat (outside) 0 access-list LOCAL

And adding:
global (inside) 1 interface
nat (outside) 1 uturn 255.255.255.240 outside

Another thing I would like to mention is that you might want to have a separate non-overlapping range defined for the VPN clients (not 192.168.1.x).

Federico.


Re:IPSEC VPN Hairpinning/Uturn Problems with internal net connections

Postby Guest » Sat Jan 08, 2011 5:51 pm

I was able to enter the no access list command. But when I entered the second command (no nat (outside) 0 access-list LOCAL) I get the following error.

Result of the command: "no nat (outside) 0 access-list LOCAL"

ERROR: access-list LOCAL not bound nat 0

The remaining commands seem to work, however here is my new error when trying to ping the Slingbox.

3|Jan 31 2011|11:18:02|305005|192.168.1.6|5001|||No translation group found for tcp src outside:192.168.1.103/54067 dst inside:192.168.1.6/5001

As for changing the IP range for the VPN clients: since my internal network at home uses 192.168.1.0, if I assign 192.168.2.0 will this cause problems? Would I have to set up any special type of routing/NATing?

I am attaching the current config.

Thanks,

Jon
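
Added example, not part of the thread and not written by either poster: a Python check that parses the two 305005 records quoted above and flags flows whose source, arriving on a different interface, already sits inside the LAN subnet, then tests whether a candidate VPN client pool is disjoint from it. The 192.168.1.0/24 inside network comes from the access-list posted in the thread; the function names and the masks passed to `pool_is_disjoint` are assumptions.

```python
import ipaddress
import re

# Inside network taken from the access-list posted in the thread.
INSIDE_NET = ipaddress.ip_network("192.168.1.0/24")

# The two log records quoted in the thread (pipe-delimited log viewer export).
SAMPLE_LOG = """\
3|Jan 31 2011|10:51:28|305005|192.168.1.6|5001|||No translation group found for tcp src outside:192.168.1.103/53501 dst inside:192.168.1.6/5001
3|Jan 31 2011|11:18:02|305005|192.168.1.6|5001|||No translation group found for tcp src outside:192.168.1.103/54067 dst inside:192.168.1.6/5001
"""

FLOW_RE = re.compile(
    r"No translation group found for (?P<proto>\S+) "
    r"src (?P<src_if>[^:\s]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"dst (?P<dst_if>[^:\s]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)"
)

def parse_305005(line):
    """Return the flow fields of one 305005 record, or None for other lines."""
    fields = line.rstrip("\n").split("|", 8)
    is_305005 = len(fields) == 9 and fields[3] == "305005"
    match = FLOW_RE.search(fields[8]) if is_305005 else None
    if match is None:
        return None
    flow = match.groupdict()
    flow["src_ip"] = ipaddress.ip_address(flow["src_ip"])
    flow["dst_ip"] = ipaddress.ip_address(flow["dst_ip"])
    return flow

def source_overlaps_inside(flow, inside_net=INSIDE_NET):
    """True when a flow entering on another interface is sourced from the
    inside subnet, i.e. the client address and the LAN share address space."""
    return flow["src_if"] != flow["dst_if"] and flow["src_ip"] in inside_net

def overlapping_flows(log_text, inside_net=INSIDE_NET):
    """Collect (src_ip, dst_ip, dst_port) for every overlapping 305005 flow."""
    hits = []
    for line in log_text.splitlines():
        flow = parse_305005(line)
        if flow and source_overlaps_inside(flow, inside_net):
            hits.append((str(flow["src_ip"]), str(flow["dst_ip"]), int(flow["dst_port"])))
    return hits

def pool_is_disjoint(pool_cidr, inside_net=INSIDE_NET):
    """Check that a candidate VPN client pool shares no addresses with the LAN."""
    return not ipaddress.ip_network(pool_cidr).overlaps(inside_net)
```

Both quoted records are flagged, since 192.168.1.103 on `outside` falls inside 192.168.1.0/24; the check only compares address ranges and says nothing about which NAT statements the ASA still needs.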
