  1. #1
    Newbie
    Join Date
    Apr 2012
    Posts
    4

    VPN Access to Intranet

    I have been trying to get Untangle working for a couple of clients with very similar setups. My issue is getting the laptops to access a private intranet via VPN. The setup works fine without the Untangle server in place. If we put the Untangle server in line, the laptops are no longer able to access the intranet. I can access the intranet sites straight from the Untangle box. The laptops VPN to the Cisco ASA and then are able to access servers on the LAN and websites on the intranet. From some of the other posts I have read, it might be the ASA not liking the Untangle there in the middle. Can someone verify this and give me some ideas of things to check on the ASA?

    Thanks,

    Greg

  2. #2
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    16,893

    Did you export it? If the IP range of the network isn't exported, VPN clients can't touch it.
    Rob Sandling, BS:SWE, MCP
    Intouch Technology
    Phone: 480-272-9889
    rob@intouchtechllc.com

    UntangleAppliances.com
    Phone: 866-794-8879

  3. #3
    Newbie
    Join Date
    Apr 2012
    Posts
    4

    Thanks for the reply. I see there are some directions about exporting for the OpenVPN, but I have the clients' VPN connection connecting to the ASA. Do I still need to do this?

    Thanks,

    Greg

  4. #4
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    16,893

    Oh sorry, no that's a different matter.

    I assume you've put a static route into Untangle so it knows where that network is?

    Untangle bridges aren't really bridges, they need a full layer 3 configuration to work properly.

  5. #5
    Newbie
    Join Date
    Apr 2012
    Posts
    4

    After doing some reading on here I did add a static route and that did not solve the issue. We have figured out they are not truly a bridge. Even if we stop the IPS, data will not flow to that intranet. Luckily at one of my sites they are not using the VPN yet, but they will be very soon. I have to have an IPS/IDS in place for these sites to meet security requirements. I am going to capture some logs off of the ASA and see if I can spot something there. I will post up any findings here.

    Greg

  6. #6
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    16,893

    If you create a bypass rule (Config -> Networking -> Advanced -> Bypass) you can make Untangle behave like a normal bridge. Generally speaking, Untangle bridges don't like having internal IP ranges coming in from the outside. So I'd try a bypass rule that uses source interface and the IP range used on the VPN clients, and see if that sorts it out.

  7. #7
    Newbie
    Join Date
    Apr 2012
    Posts
    4

    I tried creating some bypass rules and it still is not working. I am not sure that I am creating them correctly though. Here is what I am getting from the ASA logs.

    %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:192.168.5.100/49248 dst inside:10.10.93.3/53 denied due to NAT reverse path failure

    Greg
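
Added example, not part of the original thread: a small Python parser for the `%ASA-5-305013` message quoted in the post above, grouping denied flows by source subnet and destination so it is clear which pairs to check against the ASA's NAT rules. The regex is built only from the one line shown in the post; the function names, the /24 grouping and every sample line marked "constructed" are assumptions.

```python
import re
from collections import Counter
from ipaddress import ip_network

# Pattern derived from the single 305013 line quoted in the thread.
ASA_305013 = re.compile(
    r"%ASA-\d-305013: .*?Connection for (?P<proto>\w+) "
    r"src (?P<src_if>[^:\s]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"dst (?P<dst_if>[^:\s]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) "
    r"denied due to NAT reverse path failure"
)

PAGE_LINE = ("%ASA-5-305013: Asymmetric NAT rules matched for forward and "
             "reverse flows; Connection for udp src outside:192.168.5.100/49248 "
             "dst inside:10.10.93.3/53 denied due to NAT reverse path failure")

SAMPLE_LOG = [
    PAGE_LINE,  # the line from the post
    # constructed: same destination, another client in the same range
    PAGE_LINE.replace("192.168.5.100/49248", "192.168.5.101/50112"),
    # constructed: a TCP flow to a different inside host
    PAGE_LINE.replace("udp", "tcp").replace("10.10.93.3/53", "10.10.93.20/80"),
    # constructed: unrelated line that must be ignored
    "%ASA-6-302013: Built inbound TCP connection (constructed, unrelated)",
]

def parse_line(line):
    """Return the flow fields of a 305013 message, or None for other lines."""
    m = ASA_305013.search(line)
    if m is None:
        return None
    flow = m.groupdict()
    flow["src_port"] = int(flow["src_port"])
    flow["dst_port"] = int(flow["dst_port"])
    return flow

def summarize(lines, prefix=24):
    """Count denied flows per (src_if, src_subnet, dst_if, dst_ip, proto, dst_port)."""
    counts = Counter()
    for line in lines:
        flow = parse_line(line)
        if flow is None:
            continue
        # Collapse individual client addresses into their subnet (assumed /24).
        src_net = str(ip_network(f"{flow['src_ip']}/{prefix}", strict=False))
        counts[(flow["src_if"], src_net, flow["dst_if"],
                flow["dst_ip"], flow["proto"], flow["dst_port"])] += 1
    return counts

if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).most_common():
        print(n, *key)
```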

  8. #8
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    16,893

    https://supportforums.cisco.com/thread/1003401

    ??

    I'm not sure why NAT is even involved here. You want the ASA to route VPN traffic into the LAN, not NAT it.
