Split tunnel works... but only for a single IP address.

Hi all

Dealing with a really frustrating problem. Our setup, roughly speaking, is as follows:

-We have a remote access VPN that users connect to with AnyConnect; in turn, they receive a local LAN address: 10.1.11.192 - 10.1.11.200

-We have a site-to-site VPN that connects to Amazon AWS. Users access 10.0.249.0 and other subnets, and now some hosts on the Amazon *public* network (for example, 54.1.2.3). This is done via split tunnel.

What we see is the following:

-Users connect to the VPN and are assigned one of the addresses above. We use 10.1.11.192 for this example.

-They can then access anything in the 10.0.249.0 subnet (via the split tunnel) just fine. It goes through two ASA devices.

-They can then access anything on the Amazon public network (via the split tunnel) just fine. This should go through the remote access ASA.

So, it seemed that everything was working. When connected to the VPN, the Amazon hosts in the 10.x.x.x networks and the public IPs I had explicitly in the split tunnel (we plan to make the transition to a VPC soon) were accessible, and access came through the remote access VPN IP (i.e. when connecting to 54.1.2.3, it showed the user logged in from the Cisco gateway's IP address, as opposed to the local client IP).

Now, here's where things get weird: the *public* hosts on Amazon in the split tunnel only work with the first address in the pool, 10.1.11.192. No other addresses work. 10.0.249.x is always reachable, regardless of the assigned IP. 54.x.y.z is only reachable with .192.

I used the same computer with different assigned IPs (10.1.11.193 - 10.1.11.200), and none work. I connected using different computers... they work with .192, but not with any other assigned address. Other users report the same problem.

The TCP handshake fails

I'll use our IRC server (and sometimes the ssh server) for testing. I can see the client (my laptop) with a SYN_SENT for that specific connection. I can see the IRC server with a SYN_RECV, and the ASA shows a SYN timeout after 30 seconds. So, it seems that the IRC server's packets cannot make their way back through the ASA to my laptop (the client).

I suspect it has something to do with dynamic vs static NAT, etc., but I've fiddled with every setting I can and come up blank.

I am also puzzled as to why .192 works, but no other addresses do.

I have attached our configuration, less keys, passwords and IP addresses/hostnames. It's a little ugly because there are some poor attempts to solve this in there, which I will probably remove once it works, but... Might it have something to do with TCP sequence randomization?

Thanks in advance for any help.

Hello

I also tend to explain everything in detail. Even if sometimes it is just too much for my head when I'm tired.

Have you managed to fix the problem that arose after changing settings?

The output of "packet-tracer" for the failed connection would be important.

But now that I look at your original configuration and consider your need for the VPN clients to access a selection of public IP addresses through the ASA, it seems to me that perhaps your problem is a lack of NAT configuration for this traffic (which the "packet-tracer" output may indicate).

You need a dynamic PAT from 'outside' to 'outside' so that VPN users are PATed to the external IP address of the ASA.

Something like this, for example:

    object network VPN-CLIENT-AMAZON-AWS-PAT
     subnet 10.1.12.0 255.255.255.0
     nat (outside,outside) dynamic interface

Or, if your original VPN pool is used, change the network above accordingly.

The dynamic PAT configuration above essentially aims to intercept VPN traffic coming from behind 'outside' that goes back out through the 'outside' interface, and to apply dynamic PAT to the public IP address of the ASA. At the moment, it seems to me that the 10.x network address crosses the ASA without NAT, essentially leading to the SYN timeout logs.

But if I understand correctly, you are saying that one of the VPN pool addresses does reach the public destination IP address, which does not really correspond with the situation described above. However, I don't see any NAT/PAT configuration for VPN traffic to the public IP addresses. Look at your log messages. They mention the same VPN pool IP address twice (the second time inside the parentheses), which means there is no NAT for the source address, and the ISP naturally drops the traffic.

-Jouni
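The log check Jouni describes (a VPN pool address that appears unchanged inside the parentheses of the ASA "Built" message, followed by a "SYN Timeout" teardown) can be automated over a syslog export. The following is an added example, not code from the original thread or from Cisco; it parses constructed sample lines written in the shape of ASA 302013/302014 connection messages, with 203.0.113.10 standing in for the ASA's public interface address, and flags every VPN-pool-to-public connection whose source was not translated. The pool boundaries and the private-destination rule are assumptions matching the thread, not settings read from any device.

```python
"""Flag remote-access VPN connections to public hosts that left the ASA without PAT.

Added example: constructed ASA-style syslog lines, not the poster's logs.
Pool 10.1.11.192-10.1.11.200 and the public ASA address 203.0.113.10 are assumed.
"""
import re
from ipaddress import ip_address

# Constructed sample: one .192 client that is PATed to the ASA address and
# completes normally, one .193 client whose source stays untranslated and
# times out, and one .193 connection to the private Amazon subnet (expected
# to cross the site-to-site tunnel without PAT, so it is not a finding).
SAMPLE_LOG = """\
%ASA-6-302013: Built outbound TCP connection 1001 for outside:10.1.11.192/50001 (203.0.113.10/50001) to outside:54.1.2.3/6667 (54.1.2.3/6667)
%ASA-6-302014: Teardown TCP connection 1001 for outside:10.1.11.192/50001 to outside:54.1.2.3/6667 duration 0:05:12 bytes 8831 TCP FINs
%ASA-6-302013: Built outbound TCP connection 1002 for outside:10.1.11.193/50002 (10.1.11.193/50002) to outside:54.1.2.3/6667 (54.1.2.3/6667)
%ASA-6-302014: Teardown TCP connection 1002 for outside:10.1.11.193/50002 to outside:54.1.2.3/6667 duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-302013: Built outbound TCP connection 1003 for outside:10.1.11.193/50003 (10.1.11.193/50003) to inside:10.0.249.5/22 (10.0.249.5/22)
"""

# "Built" lines carry real address/port and, in parentheses, the mapped
# (post-NAT) address/port for both endpoints.
BUILT_RE = re.compile(
    r"Built (?P<dir>inbound|outbound) (?P<proto>TCP|UDP) connection (?P<id>\d+) "
    r"for (?P<src_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) \((?P<src_m>[\d.]+)/(?P<sport_m>\d+)\) "
    r"to (?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) \((?P<dst_m>[\d.]+)/(?P<dport_m>\d+)\)"
)
# "Teardown" lines end with the byte count and the teardown reason.
TEARDOWN_RE = re.compile(
    r"Teardown (?:TCP|UDP) connection (?P<id>\d+) for .* bytes (?P<bytes>\d+) (?P<reason>.+)$",
    re.MULTILINE,
)


def analyze(log_text, pool_first="10.1.11.192", pool_last="10.1.11.200"):
    """Return one finding per VPN-pool connection to a public destination.

    A finding has translated=False when the mapped source equals the real
    source, i.e. the packet left the ASA with the RFC 1918 pool address.
    """
    lo, hi = ip_address(pool_first), ip_address(pool_last)
    # Map connection id -> teardown reason so each finding can show how it ended.
    reasons = {m["id"]: m["reason"].strip() for m in TEARDOWN_RE.finditer(log_text)}
    findings = []
    for m in BUILT_RE.finditer(log_text):
        src = ip_address(m["src"])
        if not (lo <= src <= hi):
            continue  # not a remote-access VPN client
        dst = ip_address(m["dst"])
        if dst.is_private:
            continue  # private AWS subnets ride the site-to-site tunnel; no PAT expected
        findings.append({
            "conn": m["id"],
            "src": str(src),
            "mapped": m["src_m"],
            "dst": str(dst),
            "translated": m["src"] != m["src_m"],
            "reason": reasons.get(m["id"], "still open"),
        })
    return findings


def untranslated(log_text):
    """Just the connections that need the outside-to-outside dynamic PAT."""
    return [f for f in analyze(log_text) if not f["translated"]]


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        state = "PAT ok" if f["translated"] else "NO PAT"
        print(f"conn {f['conn']}: {f['src']} -> {f['dst']} [{state}, mapped {f['mapped']}] {f['reason']}")
```

Run against a real syslog export, every finding with `translated` false and a `SYN Timeout` reason is a client whose SYN left the ASA with a 10.x source, so the reply never comes back; those are the sessions the `nat (outside,outside) dynamic interface` rule above is meant to cover. Because the traffic enters and leaves on the same interface, the ASA also has to allow hairpinning with `same-security-traffic permit intra-interface`, which the working .192 path indicates is already in place.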

Tags: Cisco Security
