Branch IPSEC VPN Site with WCCP setup for vWAAS - Overthinking this

OK, I have a fairly large WAAS environment, so I'm kicking myself for overthinking this. I have a particular branch that has an 881 router that terminates an IPSEC connection back to my main location. I have a vWAAS at this branch site, so I'm going WCCP. I got the license upgrade to enable the WCCP feature set. Now I'm confused on the WCCP setup. There is only 1 VLAN at the branch. I have the WAAS set up to do WCCP GRE.
Question is: Would I do the redirect 61,62 on the VLAN1 interface? I think I would, but I'm used to dropping the 62 on the serial interface of my MPLS, i.e.:
int vlan1
ip wccp 62 redirect in
ip wccp 61 redirect in
HERE IS THE CURRENT CONFIG
ip wccp 61 redirect-list branch-waas
ip wccp 62 redirect-list branch-waas
interface Vlan1
 description Branch Data VLAN
 ip address 10.22.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
 crypto ipsec client ezvpn Corporate-client inside
ip access-list extended branch-waas
 remark WCCP Redirect ACL
 deny   tcp any any eq telnet
 deny   tcp any any eq 22
 permit ip any any

WCCP 62 is to intercept the WAN traffic, but if you put it on the LAN side, you have to catch the traffic on its way out:
ip wccp 62 redirect out
There is no need to deny telnet and ssh, those both have policies in WAAS for passthrough.  Also, I prefer to put my WAAS device on its own VLAN.  However, if it is going to be on VLAN 1, your access list will need:
ip access-list extended branch-waas
 remark WCCP Redirect ACL
 deny   ip any host (WAAS IP)
 deny   ip host (WAAS IP) any
 permit ip any any
To make sure you do not loop WCCP traffic.
Just edited to change from TCP to IP in access list.
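As an added example (not from the thread or from Cisco), a small Python check that flags the two points raised in the reply: service 61 and 62 both applied inbound on a single LAN VLAN, and a redirect ACL that does not deny the WAAS address in both directions. The vWAAS address 10.22.1.10, the constructed config snippets and the Vlan10 interface name used in the exclude check are assumptions.

```python
"""Added check for the thread's two WCCP pitfalls: 61/62 direction on a single
LAN VLAN, and a redirect ACL that does not exclude the WAAS (loop risk)."""
import re

IFACE_RE = re.compile(r"^interface\s+(\S+)$")
ACL_RE = re.compile(r"^ip access-list extended\s+(\S+)$")
GLOBAL_WCCP_RE = re.compile(r"^ip wccp (61|62)(?: redirect-list (\S+))?$")
IFACE_WCCP_RE = re.compile(r"^ip wccp (61|62) redirect (in|out)$")
EXCLUDE_RE = re.compile(r"^ip wccp redirect exclude in$")
ACE_RE = re.compile(r"^(permit|deny)\s+(\S+)\s+(.+)$")

# Constructed sample: the poster's ACL plus the "61 in / 62 in on Vlan1"
# placement they were considering. 10.22.1.10 is an assumed vWAAS address.
PROPOSED_CFG = """\
ip wccp 61 redirect-list branch-waas
ip wccp 62 redirect-list branch-waas
interface Vlan1
 ip address 10.22.1.1 255.255.255.0
 ip wccp 61 redirect in
 ip wccp 62 redirect in
ip access-list extended branch-waas
 deny   tcp any any eq telnet
 deny   tcp any any eq 22
 permit ip any any
"""

# The reply's advice applied: 62 outbound on the LAN VLAN, and the WAAS
# host denied in both directions with "ip" rather than "tcp".
FIXED_CFG = PROPOSED_CFG.replace("62 redirect in", "62 redirect out").replace(
    " deny   tcp any any eq telnet\n deny   tcp any any eq 22\n",
    " deny   ip any host 10.22.1.10\n deny   ip host 10.22.1.10 any\n")


def parse(cfg):
    """Return (redirect_lists, iface_redirects, excludes, acls)."""
    redirect_lists, iface_redirects, excludes, acls = {}, {}, set(), {}
    ctx = None  # ("iface", name) or ("acl", name) while inside a block
    for raw in cfg.splitlines():
        line = raw.strip()
        if m := IFACE_RE.match(line):
            ctx = ("iface", m.group(1))
            iface_redirects.setdefault(ctx[1], [])
        elif m := ACL_RE.match(line):
            ctx = ("acl", m.group(1))
            acls.setdefault(ctx[1], [])
        elif m := GLOBAL_WCCP_RE.match(line):
            ctx = None  # a global command ends any interface/ACL block
            redirect_lists[int(m.group(1))] = m.group(2)
        elif ctx and ctx[0] == "iface" and (m := IFACE_WCCP_RE.match(line)):
            iface_redirects[ctx[1]].append((int(m.group(1)), m.group(2)))
        elif ctx and ctx[0] == "iface" and EXCLUDE_RE.match(line):
            excludes.add(ctx[1])
        elif ctx and ctx[0] == "acl" and (m := ACE_RE.match(line)):
            acls[ctx[1]].append((m.group(1), m.group(2), m.group(3).split()))
    return redirect_lists, iface_redirects, excludes, acls


def _addr(tokens):
    """Consume one ACE address term: any | host A.B.C.D | A.B.C.D WILDCARD."""
    if not tokens:
        return None, []
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], tokens[2:]
    return f"{tokens[0]}/{tokens[1]}", tokens[2:]


def acl_excludes_host(aces, host):
    """True only with both 'deny ip host H any' and 'deny ip any host H'."""
    deny_from = deny_to = False
    for action, proto, fields in aces:
        if action != "deny" or proto != "ip":  # a tcp-only deny is not enough
            continue
        src, rest = _addr(fields)
        dst, _ = _addr(rest)
        deny_from |= src == host and dst == "any"
        deny_to |= src == "any" and dst == host
    return deny_from and deny_to


def lint(cfg, waas_ip, waas_iface=None):
    """Return human-readable findings; an empty list means nothing found."""
    redirect_lists, iface_redirects, excludes, acls = parse(cfg)
    findings = []
    for svc in (61, 62):
        acl = redirect_lists.get(svc)
        if acl is None or not acl_excludes_host(acls.get(acl, []), waas_ip):
            findings.append(f"service {svc}: redirect-list {acl} does not deny "
                            f"ip to and from {waas_ip}; WCCP loop risk")
    for iface, ents in iface_redirects.items():
        dirs = dict(ents)
        if dirs.get(61) == "in" and dirs.get(62) == "in":
            findings.append(f"{iface}: 61 and 62 both 'redirect in'; on a single "
                            "LAN VLAN use '62 redirect out' for the return path")
    if waas_iface and waas_iface not in excludes:
        findings.append(f"{waas_iface}: faces the WAAS but lacks "
                        "'ip wccp redirect exclude in'")
    return findings
```

Pass `waas_iface` only when the WAAS sits on its own VLAN, since `ip wccp redirect exclude in` on the shared LAN VLAN would also exclude the client traffic that 61 is meant to intercept.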

Similar Messages

  • Ipsec VPN site to site, best settings for optimal data transfer

I have an ISA570 at work and have set up an IPsec VPN site-to-site connection with my router at home, which is an RV180. I'm trying to do large backups from my office to my home storage. Can you tell me what the most efficient settings are, as far as the VPN connection is concerned, to optimize the transfer rate? Also any settings that I may make on my Windows 7 workstation at work. I'm transferring from a workstation to the TeraStation that I have at my home.

    Hi Daniel,
    I noticed that your post was located in the VPN Site to Site instead of the Small Business Security area. I have moved your post to the correct area so that you will get some help.  As a Cisco customer with a service contract, you can call the small business support center to speak with an engineer.  The phone numbers are located here:
    https://www.cisco.com/en/US/support/tsd_cisco_small_business_support_center_contacts.html
    Regards,
    Cindy Toy
    Cisco Small Business Community Manager
    for Cisco Small Business Products
    www.cisco.com/go/smallbizsupport
    twitter: CiscoSBsupport

  • Having trouble loading ATT and CenturyLink sites with safari now, anyone else having this problem?

    having trouble loading ATT and CenturyLink sites with safari now, anyone else having this problem?

    Howdy MacRocker,
    Thanks for using Apple Support Communities.
    To start with troubleshooting an issue like this where you're unable to load certain websites in Safari, I suggest that you clear out your browser history and website data.
    Safari 8 (Yosemite): Clear your browsing history
    Happy Holidays!
    Alex H.

  • Best practice with WCCP flows for WAAS

    Hi,
    I have a WAAS SRE 910 module in a 2911 router that intercepts packets from this router with WCCP.
    All packets are received by external interface (gi 2/0, connected to a switch with port configured in WCCP vlan), and are sent back to the router via internal interface (gi 1/0 directly connected to the router) :
    WAAS# sh interface gi 1/0
    Internet Address                    : 10.0.1.1
    Netmask                             : 255.255.255.0
    Admin State                         : Up
    Operation State                     : Running
    Maximum Transfer Unit Size          : 1500
    Input Errors                        : 0
    Input Packets Dropped               : 0
    Packets Received                    : 20631
    Output Errors                       : 0
    Output Packets Dropped              : 0
    Load Interval                       : 30
    Input Throughput                    : 239 bits/sec, 0 packets/sec
    Output Throughput                   : 3270892 bits/sec, 592 packets/sec
    Packets Sent                        : 110062
    Auto-negotiation                    : On
    Full Duplex                         : Yes
    Speed                               : 1000 Mbps
    WAAS# sh interface gi 2/0
    Internet Address                    : 10.0.2.1
    Netmask                             : 255.255.255.0
    Admin State                         : Up
    Operation State                     : Running
    Maximum Transfer Unit Size          : 1500
    Input Errors                        : 0
    Input Packets Dropped               : 0
    Packets Received                    : 86558
    Output Errors                       : 0
    Output Packets Dropped              : 0
    Load Interval                       : 30
    Input Throughput                    : 2519130 bits/sec, 579 packets/sec
    Output Throughput                   : 3431 bits/sec, 2 packets/sec
    Packets Sent                        : 1580
    Auto-negotiation                    : On
    Full Duplex                         : Yes
    Speed                               : 100 Mbps
    The default route configured in the WAAS module is 0.0.0.0/0 to 10.0.1.254 (router interface).
    Would it be better that packets leave the WAAS module by the external interface (in place of the internal interface)?
    Is there a best practice recommended by Cisco on this?
    Thanks.
    Stéphane

    Hi Stephane,
    We usually advise the following in such scenario with an internal module:
    "ip wccp 61 redirect in" the LAN interface.
    "ip wccp 61 redirect in" on the WAN one.
    "ip wccp redirect exclude in" on the internal interface between the WAAS and the router.
    That way, we are sure that no loops are created because of the WCCP redirection.
    Regards,
    Nicolas

  • Web site with java benchmarks for various cpus?

    Is there a web site that shows Java benchmarks run on various P4 and AMD CPUs, so that it is possible to see the relative speed at which Java runs on these CPUs?

    You'll find a few if you search around, but none will be meaningful. The problem with Java, or any other virtual machine type runtime language, is that you cannot design a benchmark that really has meaning in any context but the benchmark itself. First off, you're not benchmarking "Java", you're benchmarking the "JVM". I try to convince people not to waste so much time on these speed issues. Your time would be better spent learning how to write better code, which would give a much bigger speed increase than switching from a P4 to an Athlon. Developers often make mistakes and oversights in their work that slow a program down by an order of magnitude. You're never going to see that kind of performance difference in CPUs. So get a good deal on a machine, the most "bang-for-your-buck" if you will, and go to town, and stop worrying; HotSpot is fast.
    SPARC chips are a different story because of a little thing called register coloring... but you didn't mention SPARC chips, so I won't tell the story.
    Spinoza

  • Help with DNS setup for LAN only

    I have a Mac Mini SNS 10.6.8 as our company's local standalone fileserver.
    Everything has run great for the past year (still is), but now I want to try and set up DNS for more control and services.
    The server host name is servername (no FQDN), which shows up in Server Admin as servername.local.
    I read and followed Hoffman Labs' great step-by-step, but must have missed something, since I still cannot get DNS resolution.
    Here is a brief summary of the Server Admin settings:
    Host Name: servername
    Host (Server) IP: 192.168.4.2
    Router IP (also default public DNS IP): 192.168.4.1
    Bonjour: Wide Area = Not enabled
    Settings: Accept recursive queries = localnets
    Settings: Forwarder IPs = 8.8.8.8 & 8.8.4.4 (Google Public DNS)
    now... Zones: 1 Primary Zone = companyname.net (we own the domain)
        Primary Zone Name = companyname.net
        Nameserver Zone = companyname.net
        Nameserver Host Name = servername.companyname.net
        2 A Records:
            servername    192.168.4.2
            user1         192.168.4.3
        Reverse mapping - automatic - OK
    Testing: Ran sudo changeip -checkhostname
        Results:
            Primary address = 192.168.4.2
            Current hostname = servername
            The DNS hostname is not available. Please repair DNS and re-run this tool.
    I must be doing something wrong, but I don't know what it is.  Please help.

    Did you intend to have both "example.com" and "example.net" listed there?  Are those domains really different?  I'm going to assume that was an obfuscation error.  (This is part of the "fun" of obfuscation, unfortunately.  Of having to differentiate errors in the actual configuration from errors that were introduced during the obfuscation.)
    >Oddly, even though I had manually assigned our Comcast gateway's DNS to Google DNS IPs, the gateway summary still shows up as Comcast's DNS server IPs.  So I removed the manually assigned Google DNS IPs from the gateway.
    The gateway (or whatever you're using as your DHCP server) should be configured with the DNS server address of 192.168.4.2.  All other hosts on your network (if you're planning to use your local DNS everywhere on your LAN) should also reference 192.168.4.2, either through an explicit static configuration, or as the address that was received from the DHCP server.
    And as for IP routing, are all your hosts, network printers, network gateways, DHCP servers, etc., all in the range of 192.168.4.1 to 192.168.4.254?  (They should be, if you're using a /24-class 255.255.255.0 subnet mask.)
    But then I don't know where this configuration has gone off the rails...  (Over the years, I've seen and have made my own configuration errors, I've been "bagged" by DNS caches, and I've hit various bugs in DNS implementations.)  What you have stated here should work.
    I'd start at the top of the DNS configuration article, and not stray from what is written there. That there has been Google DNS and ISP DNS configured at the gateway does mean there were some areas that have strayed from the article. I'd suggest following the DNS server configuration directions exactly.
    Setting up DNS services with OS X Server isn't difficult, but it can be a little fussy.
    If you don't understand something that's written in that article -- or if you believe you need to enter something different than what's listed there -- then please stop and ask about it. Either ask here, or ask over there. (This feedback also helps improve that article.)
    Straying from what's written in that article is certainly and entirely feasible, but that's something best left until after the administrator is more familiar with running a DNS server. Once you know how and why and where you can stray, there are all sorts of things you can do within a DNS configuration.

  • Unable to open only particular website from office which is site to site VPN site with juniper firewall

    All,
    When I try to open a website I am getting "request timed out" after a few minutes. I have done a Wireshark capture but am unable to identify the problem; particularly the URL /timetracking/home.asp is not working. Can you help out here? Please find attached the capture from source to destination and vice versa.
    Thanks in advance.

    Yes, I tried that.  It did not work for me.
    I have 4 site collections. The main site collection is the only one that I receive the error.
    When the user clicks on the email link and opens the document for approval, they receive the following error when they click on "Open This Task".
    Element '{http://www.w3.org/1999/xhtml}a is unexpected according to content model of
    parent element '{http://schemas.microsoft.com/office/infopath/2009/WSSList/dataFields}Body'.
    There is nothing wrong with the task list itself, just the link from the Office 2010 client.
    I am wondering if there is a web config or other file on the server that is specific to the site collection??
    Tracey

  • Help with ODBC setup for MySQL

    I am having issues understanding what is needed for ODBC setup on OS X. I need to set up a MySQL connection. Are the drivers included on Snow Leopard, or if not, where can I get them? Are they free or do you have to purchase them? I keep finding documentation that assumes too much. Would appreciate any help.
    Will have to repeat this for my Lion server after I get this to work.

    Thank you for your very quick reply!
    I have read through the Disk Setup page, and it has cleared up a couple of points.
    Now, from what I understand, running the Media on a RAID 0 arrangement doesn't seem to be a great idea due to no redundancy. However, I'm confused as to whether storing the media on 1 HDD would make for stable streaming of multiple streams of HD footage in a Premiere sequence...
    I found the comparison between the SSD & HDD interesting too, in the sense that running two large HDDs in RAID 0 for the Media Cache & Previews is actually 'quicker' than running them off a single SSD - and that no redundancy isn't so much of an issue here, as they're just the previews, not the actual media.
    So, am I right in saying the setup below would offer a much more efficient solution than my current disk setup, whilst still keeping costs low by using software RAID, rather than buying large SSDs?
    Disk 1: OS & Programs (SSD)
    Disk 2: Media & Projects (HDD)
    Disk 3/4: Media Cache & Previews (2x HDD in RAID 0)
    Many thanks, once again!

  • Awesome Site with Example Code For All Classes

    Very cool site that has example code for all the Java classes and APIs. You can submit example code yourself too!
    http://www.kickjava.com/

    kevjava wrote: Some things that I think would be useful:
    Suggestions reordered to suit my reply..
    kevjava wrote: 2. Line numbering, and/or a line counter so you can see how much scrolling you're going to be imposing on the forum readers.
    Good idea, and since the line count is only a handful of lines of code to implement, I took that option. See the [line count|http://pscode.org/stbc/help.html#linecount] section of the (new) [STBC Help|http://pscode.org/stbc/help.html] page for more details. (Insert plaintiff whining about the arbitrary limits set - here).
    I considered adding line length checking, but the [Text Width Checker|http://pscode.org/twc/] ('sold separately') already has that covered, and I would prefer to keep this tool more specific to compilation, which leads me to..
    kevjava wrote: 1. A button to run the code, to see that it demonstrates the problem that you wish for the forum to solve...
    Interesting idea, but I think that is better suited to a more full blown (but still relatively simple) GUId compiler. I am not fully decided that running a class is unsuited to STBC, but I am more likely to implement a clickable list of compilation errors, than a 'run' button.
    On the other hand I am thinking the clickable error list is also better suited to an altogether more abled compiler, so don't hold your breath to see either in the STBC.
    You might note I have not bothered to update the screenshots to show the line count label. That is because I am still considering error lists and running code, and open to further suggestion (not because I am just slack!). If the screenshots update to include the line count but nothing else, take that as a sign. ;-)
    Thanks for your ideas. The line count alone is worth a few Dukes.

  • Need help with correct setup for SuiteLink - Get ACE error message 7078

    When I enable SuiteLink via:
    ace_set_mode( g_ah, ACE_MODE_ENABLE_SUITELINK, TRUE );
    ace_set_file( g_ah, ACE_DIR_SUITELINK, "D:\\PW\\201108\\SuiteLink" );
    ace_set_file( g_ah, ACE_DIR_NAME_PARSING_FILES, (char*)"D:\\PW\\201108\\ncoalink" );
    Right after
    ace_open( g_ah );
    I get the following ACE error: 7078
    where the description is: an incompatible version of the name parsing library required to run was found.
    1) I'm not entirely sure where ACE_DIR_NAME_PARSING_FILES should be pointing to. We don't use NCOA, but the documentation says both SuiteLink and NCOALink use the same parsing files.
    Inside NCOALink\ there is parsing.dct with a datestamp of 1/13/2009, which seems old.
    I am running ACE800cRev5, just downloaded the July 2011 directories. ace32.dll version 8.4.5.0
    Thanks!

    Michael,
    A regular ACE job with SuiteLink enabled would also use the same parsing files located in ncoalink\. The parsing.dct included with my ACE 8.00c.05 is also dated 1/13/2009.
    I have little expertise with ACE RAPID, but I would guess that ACE_DIR_NAME_PARSING_FILES should also be set to ncoalink\.
    Regards,
    Brandon

  • Help with initial setup for AirPort Express

    Now, before we decided to go wireless, our internet was configured like this: cable cord to router, ethernet cable connecting the router to CPU. This worked fine and our internet has never really had any sort of problems. However, we have had problems with our new AirPort Express. I've tried taking the ethernet cable that's connecting our router to our CPU, and using it to connect the router to the AirPort Express.
    However, I keep getting the flashing amber light. When I go into the diagnostics, it says that it cannot pick up an internet connection, even though I'm able to get internet when I plug in directly. If I try to ignore this and set up the account anyway, I can get my computer to connect to the AirPort Express, but I can't get the AirPort Express to connect to the internet.
    Please help!

    pen22, Welcome to the discussion area!
    Did you configure the AirPort Express (AX) to use the same settings as your CPU to connect to the internet?

  • Inter-VPN routing with export map for host routes

    Hi,
    I am trying to export host routes from a connected network from one VRF to multiple other VRFs. This is to allow leaking specific host routes for management purposes. However, I suspect that the /32 host route(s) actually need to be present in the management VRF so the RTs are added accordingly, rather than just being specified in the match clause of the MGMT VRF export map.
    Ideally here, I only want to export 10.111.111.254/32 from the connected network 10.111.111.0/24 in the MGMT VRF. The only way around this I can see is to move 10.111.111.0/24 behind another device, and add specific host route(s) within the MGMT VRF for the 10.111.111.X/32 host routes (which are redistributed into the MGMT VRF), using the additional device as the next hop.
    ip vrf MGMT
     rd 1:1
     export map MGMT-EXPORT-MAP
     route-target export 1:1
     route-target import 1:1
     route-target import 1:1001
    ip vrf CUST-B
     rd 1:2
     export map CUSTOMERS-EXPORT-MAP
     route-target export 1:2
     route-target import 1:2
     route-target import 1:1000
    interface FastEthernet0/0.100
     encapsulation dot1Q 100
     ip vrf forwarding MGMT
     ip address 10.111.111.1 255.255.255.0
    interface FastEthernet0/0.200
     encapsulation dot1Q 101
     ip vrf forwarding CUST-B
     ip address 10.96.2.1 255.255.254.0
    router bgp 65000
     bgp router-id 1.1.1.1
     no bgp default ipv4-unicast
     bgp log-neighbor-changes
     address-family ipv4 vrf CUST-B
      redistribute connected
      no synchronization
     exit-address-family
     address-family ipv4 vrf MGMT
      redistribute connected
      no synchronization
     exit-address-family
    ip prefix-list CUSTOMERS seq 5 permit 10.96.2.0/23
    ip prefix-list ONPREMISE seq 5 permit 10.111.111.0/24
    ip prefix-list ONPREMISE seq 10 permit 10.111.111.254/32
    route-map CUSTOMERS-EXPORT-MAP permit 10
     match ip address prefix-list CUSTOMERS
     set extcommunity rt 1:1001 additive
    route-map MGMT-EXPORT-MAP permit 10
     match ip address prefix-list ONPREMISE
     set extcommunity rt 1:1000 additive
    Cheers,
    Matt

    Hi Matt,
    Yes, the X/32 routes need to be present in the VRF routing table, and if they are to be learnt statically then the MP-iBGP config for that particular VRF address-family has to redistribute static routes as well.
    Regards
    Varma

  • YouTube says there is an "Authorization Error" when I try to get on the site with Firefox. Can I fix this?

    When I try to get onto YouTube, the site is completely white with the words "Authorization Error" in the top left corner. For a while, all I had to do was reload YouTube and it was fine. Now it just won't work at all. I have Internet Explorer on my computer as well and YouTube works fine on there. When this error occurs, the icon in the address bar changes back to YouTube's old icon.
    I have tried:
    -Updating Firefox
    -Restarting the computer
    -Closing and re-opening Firefox
    -Typing https instead of http before the address
    -Googling and clicking Google's link to the site (yes, a feeble attempt, I know)
    Does anyone know what I can do to get YouTube back on my favorite browser? I'd like to stop having to run to Internet Explorer to use this site.
    Thanks!

    Clear the cache and the cookies from sites that cause problems.
    "Clear the Cache":
    *Tools > Options > Advanced > Network > Offline Storage (Cache): "Clear Now"
    "Remove Cookies" from sites causing problems:
    *Tools > Options > Privacy > Cookies: "Show Cookies"

  • How do I stop the Key from popping up every time I log on to a site with login name and password. This pop up is big and annoying and I'm ready to go back to IE rather than have that thing pop up huge and annoying.

    The pop up that asks if I want to save this login name and password every time I log in to a site. It is huge and annoying as hell. I just want to have an option to stop it. I know it's there, I don't need to be reminded every time, and if I wanted it to remember I would use it. Give me a break.

    For anyone coming in to find this, I located my answer here:
    [Special Applet Attributes|http://java.sun.com/javase/6/docs/technotes/guides/plugin/developer_guide/special_attributes.html#codebase]
    Thanks for reading.
    Sorry for the interruption.

  • Need help in configuring Client to Site IPSec VPN with Hairpinning on Cisco ASA5510 8.2(1)

    Need urgent help in configuring Client to Site IPSec VPN with Hairpinning on Cisco ASA5510 - 8.2(1).
    The following is the Layout:
    There are two Leased Lines for Internet access - 1.1.1.1 & 2.2.2.2, the latter being the Standard Default route, the former one is for backup.
    I have been able to configure Client to Site IPSec VPN
    1) With access from Outside to only the Internal Network (172.16.0.0/24) behind the ASA
    2) With split tunnel with simultaneous access to internal LAN and Outside Internet.
    But I have not been able to make the traditional hairpinning model work in this scenario.
    I followed every possible suggestion made in this regard in many Discussion Topics but still no luck. Can someone please help me out here???
    Following is the running-config with normal Client to Site IPSec VPN configured with no internet access:
    LIMITATION: Can't boot into any other IOS image for some unavoidable reason, must use 8.2(1)
    running-config --- working normal Client to Site VPN without internet access/split tunnel
    ASA Version 8.2(1)
    hostname ciscoasa
    domain-name cisco.campus.com
    enable password xxxxxxxxxxxxxx encrypted
    passwd xxxxxxxxxxxxxx encrypted
    names
    interface GigabitEthernet0/0
    nameif internet1-outside
    security-level 0
    ip address 1.1.1.1 255.255.255.240
    interface GigabitEthernet0/1
    nameif internet2-outside
    security-level 0
    ip address 2.2.2.2 255.255.255.224
    interface GigabitEthernet0/2
    nameif dmz-interface
    security-level 0
    ip address 10.0.1.1 255.255.255.0
    interface GigabitEthernet0/3
    nameif campus-lan
    security-level 0
    ip address 172.16.0.1 255.255.0.0
    interface Management0/0
    nameif CSC-MGMT
    security-level 100
    ip address 10.0.0.4 255.255.255.0
    boot system disk0:/asa821-k8.bin
    boot system disk0:/asa843-k8.bin
    ftp mode passive
    dns server-group DefaultDNS
    domain-name cisco.campus.com
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object-group network cmps-lan
    object-group network csc-ip
    object-group network www-inside
    object-group network www-outside
    object-group service tcp-80
    object-group service udp-53
    object-group service https
    object-group service pop3
    object-group service smtp
    object-group service tcp80
    object-group service http-s
    object-group service pop3-110
    object-group service smtp25
    object-group service udp53
    object-group service ssh
    object-group service tcp-port
    object-group service udp-port
    object-group service ftp
    object-group service ftp-data
    object-group network csc1-ip
    object-group service all-tcp-udp
    access-list INTERNET1-IN extended permit ip host 1.2.2.2 host 2.2.2.3
    access-list CSC-OUT extended permit ip host 10.0.0.5 any
    access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq www
    access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq https
    access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq ssh
    access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq ftp
    access-list CAMPUS-LAN extended permit udp 172.16.0.0 255.255.0.0 any eq domain
    access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq smtp
    access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq pop3
    access-list CAMPUS-LAN extended permit ip any any
    access-list csc-acl remark scan web and mail traffic
    access-list csc-acl extended permit tcp any any eq smtp
    access-list csc-acl extended permit tcp any any eq pop3
    access-list csc-acl remark scan web and mail traffic
    access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq 993
    access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq imap4
    access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq 465
    access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq www
    access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq https
    access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq smtp
    access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq pop3
    access-list INTERNET2-IN extended permit ip any host 1.1.1.2
    access-list nonat extended permit ip 172.16.0.0 255.255.0.0 172.16.0.0 255.255.0.0
    access-list DNS-inspect extended permit tcp any any eq domain
    access-list DNS-inspect extended permit udp any any eq domain
    access-list capin extended permit ip host 172.16.1.234 any
    access-list capin extended permit ip host 172.16.1.52 any
    access-list capin extended permit ip any host 172.16.1.52
    access-list capin extended permit ip host 172.16.0.82 host 172.16.0.61
    access-list capin extended permit ip host 172.16.0.61 host 172.16.0.82
    access-list capout extended permit ip host 2.2.2.2 any
    access-list capout extended permit ip any host 2.2.2.2
    access-list campus-lan_nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 192.168.150.0 255.255.255.0
    pager lines 24
    logging enable
    logging buffered debugging
    logging asdm informational
    mtu internet1-outside 1500
    mtu internet2-outside 1500
    mtu dmz-interface 1500
    mtu campus-lan 1500
    mtu CSC-MGMT 1500
    ip local pool vpnpool1 192.168.150.2-192.168.150.250 mask 255.255.255.0
    ip verify reverse-path interface internet2-outside
    ip verify reverse-path interface dmz-interface
    ip verify reverse-path interface campus-lan
    ip verify reverse-path interface CSC-MGMT
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-621.bin
    no asdm history enable
    arp timeout 14400
    global (internet1-outside) 1 interface
    global (internet2-outside) 1 interface
    nat (campus-lan) 0 access-list campus-lan_nat0_outbound
    nat (campus-lan) 1 0.0.0.0 0.0.0.0
    nat (CSC-MGMT) 1 10.0.0.5 255.255.255.255
    static (CSC-MGMT,internet2-outside) 2.2.2.3 10.0.0.5 netmask 255.255.255.255
    access-group INTERNET2-IN in interface internet1-outside
    access-group INTERNET1-IN in interface internet2-outside
    access-group CAMPUS-LAN in interface campus-lan
    access-group CSC-OUT in interface CSC-MGMT
    route internet2-outside 0.0.0.0 0.0.0.0 2.2.2.5 1
    route internet1-outside 0.0.0.0 0.0.0.0 1.1.1.5 2
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication ssh console LOCAL
    aaa authentication enable console LOCAL
    http server enable
    http 10.0.0.2 255.255.255.255 CSC-MGMT
    http 10.0.0.8 255.255.255.255 CSC-MGMT
    http 1.2.2.2 255.255.255.255 internet2-outside
    http 1.2.2.2 255.255.255.255 internet1-outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group5
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map internet2-outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map internet2-outside_map interface internet2-outside
    crypto ca trustpoint _SmartCallHome_ServerCA
    crl configure
    crypto ca certificate chain _SmartCallHome_ServerCA
    certificate ca xyzxyzxyzyxzxyzxyzxyzxxyzyxzyxzy
            a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
        a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
        a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
        a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
        a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
        a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
        a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
        a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
        a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
        a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
        a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
        a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
        a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
        a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
        a67a897as a67a897as a67a897as a67a897as a67a897as
      quit
    crypto isakmp enable internet2-outside
    crypto isakmp policy 10
    authentication pre-share
    encryption aes
    hash md5
    group 2
    lifetime 86400
    telnet 10.0.0.2 255.255.255.255 CSC-MGMT
    telnet 10.0.0.8 255.255.255.255 CSC-MGMT
    telnet timeout 5
    ssh 1.2.3.3 255.255.255.240 internet1-outside
    ssh 1.2.2.2 255.255.255.255 internet1-outside
    ssh 1.2.2.2 255.255.255.255 internet2-outside
    ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy VPN_TG_1 internal
    group-policy VPN_TG_1 attributes
    vpn-tunnel-protocol IPSec
    username ssochelpdesk password xxxxxxxxxxxxxx encrypted privilege 15
    username administrator password xxxxxxxxxxxxxx encrypted privilege 15
    username vpnuser1 password xxxxxxxxxxxxxx encrypted privilege 0
    username vpnuser1 attributes
    vpn-group-policy VPN_TG_1
    tunnel-group VPN_TG_1 type remote-access
    tunnel-group VPN_TG_1 general-attributes
    address-pool vpnpool1
    default-group-policy VPN_TG_1
    tunnel-group VPN_TG_1 ipsec-attributes
    pre-shared-key *
    class-map cmap-DNS
    match access-list DNS-inspect
    class-map csc-class
    match access-list csc-acl
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global_policy
    class csc-class
      csc fail-open
    class cmap-DNS
      inspect dns preset_dns_map
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum: y0y0y0y0y0y0y0y0y0y0y0y0y0y
    : end
    Neither adding dynamic NAT for 192.168.150.0/24 on the outside interface works, nor does the sysopt connection permit-vpn work.
    Please tell me what needs to be done here to hairpin all the traffic to the internet coming from VPN clients.
    That is, I need clients connected via the VPN tunnel, when connecting to the internet, to have their IPs NAT'ed against the internet2-outside interface address 2.2.2.2, as happens for the campus clients (172.16.0.0/16).
    I'm not very conversant with everything involved here, so please be elaborate in your replies. Please let me know if you need any more information regarding this setup to answer my query.
    Thanks & Regards
    maxs

    Hi Jouni,
    Thanks again for your help, got it working. Actually the problem was that the ASA needed some time after configuring to work properly ( ?????? ). I configured and tested several times within a short period during the day and it was not working initially; the GUI packet tracer was showing some problems (IPSEC Spoof detected) and there was also this left-out DNS. It's working fine now.
    But my problem is not fully solved here.
    Does the hairpinning model also allow access to the campus LAN behind the ASA? Because the setup is working now as I needed, and I can access the Internet with the NAT'ed IP address (outside interface). So far so good. But now I cannot access the campus LAN behind the ASA.
    Here is the packet tracer output for the traffic:
    packet-tracer output
    asa# packet-tracer input internet2-outside tcp 192.168.150.1 56482 172.16.1.249 22
    Phase: 1
    Type: ACCESS-LIST
    Subtype:
    Result: ALLOW
    Config:
    Implicit Rule
    Additional Information:
    MAC Access list
    Phase: 2
    Type: FLOW-LOOKUP
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Found no matching flow, creating a new flow
    Phase: 3
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   172.16.0.0      255.255.0.0     campus-lan
    Phase: 4
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   192.168.150.1   255.255.255.255 internet2-outside
    Phase: 5
    Type: ACCESS-LIST
    Subtype: log
    Result: ALLOW
    Config:
    access-group internnet1-in in interface internet2-outside
    access-list internnet1-in extended permit ip 192.168.150.0 255.255.255.0 any
    Additional Information:
    Phase: 6
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 7
    Type: CP-PUNT
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 8
    Type: VPN
    Subtype: ipsec-tunnel-flow
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 9
    Type: NAT-EXEMPT
    Subtype: rpf-check
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 10
    Type: NAT
    Subtype:
    Result: DROP
    Config:
    nat (internet2-outside) 1 192.168.150.0 255.255.255.0
      match ip internet2-outside 192.168.150.0 255.255.255.0 campus-lan any
        dynamic translation to pool 1 (No matching global)
        translate_hits = 14, untranslate_hits = 0
    Additional Information:
    Result:
    input-interface: internet2-outside
    input-status: up
    input-line-status: up
    output-interface: internet2-outside
    output-status: up
    output-line-status: up
    Action: drop
    Drop-reason: (acl-drop) Flow is denied by configured rule
    The problem here, as you can see, is the rule for dynamic NAT that I added to make hairpinning work in the first place:
    dynamic nat
    asa(config)#nat (internet2-outside) 1 192.168.150.0 255.255.255.0
    Is it possible to access both
    1) the LAN behind the ASA
    2) the Internet via hairpinning
    simultaneously via a single tunnel-group?
    If it can be done, how do I do it? What changes do I need to make here to get simultaneous access to my LAN as well?
    Thanks & Regards
    Abhijit
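
As an added example (not code from the thread, from Jouni, or from Cisco), a small Python parser for packet-tracer output of the shape pasted in the two posts above: it splits the trace into numbered phases, picks out the phase whose Result is DROP, and, for a NAT drop that reports "No matching global", extracts the nat id that matched and the egress interface on which no global pool exists for it. The trace embedded in the block is a constructed, abridged copy of the poster's (phases 1 and 10 plus the summary); the function and field names are this example's own choices.

```python
# Added example (not from the thread or Cisco): parse ASA packet-tracer output and find the drop phase.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
# Constructed sample, abridged to phases 1 and 10 plus the summary of a trace like the poster's.
SAMPLE_TRACE = """\
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 10
Type: NAT
Subtype:
Result: DROP
Config:
nat (internet2-outside) 1 192.168.150.0 255.255.255.0
  match ip internet2-outside 192.168.150.0 255.255.255.0 campus-lan any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 14, untranslate_hits = 0
Additional Information:
Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""
PHASE_RE = re.compile(r"^Phase:\s*(\d+)$")

@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: List[str] = field(default_factory=list)  # lines under "Config:"
    info: List[str] = field(default_factory=list)    # lines under "Additional Information:"

def parse_packet_tracer(text: str) -> Tuple[List[Phase], Dict[str, str]]:
    """Return the numbered phases and the trailing 'key: value' summary block."""
    phases: List[Phase] = []
    summary: Dict[str, str] = {}
    phase: Optional[Phase] = None
    section = None  # "config" or "info" while collecting free-text lines
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PHASE_RE.match(line)
        if m:
            phase = Phase(int(m.group(1)))
            phases.append(phase)
            section = None
            continue
        if line == "Result:":  # bare "Result:" (no value) opens the summary block
            phase, section = None, None
            continue
        key, sep, value = line.partition(":")
        key_l = key.strip().lower()
        if phase is None:
            if sep and phases:  # after the phases: summary; before them: echoed command
                summary[key.strip()] = value.strip()
        elif sep and key_l in ("type", "subtype", "result"):
            setattr(phase, key_l, value.strip())
            section = None
        elif sep and key_l == "config":
            section = "config"
        elif sep and key_l == "additional information":
            section = "info"
        elif section == "config":
            phase.config.append(line)
        elif section == "info":
            phase.info.append(line)
    return phases, summary

def nat_no_global(phase: Phase) -> Optional[Dict[str, str]]:
    """Nat id and egress interface for a NAT drop that reports 'No matching global'."""
    joined = " ".join(phase.config)
    if phase.type.upper() != "NAT" or "No matching global" not in joined:
        return None
    m_match = re.search(r"match ip (\S+) \S+ \S+ (\S+)", joined)
    m_pool = re.search(r"pool (\d+)", joined)
    if not (m_match and m_pool):
        return None
    return {"nat_id": m_pool.group(1), "ingress": m_match.group(1), "egress": m_match.group(2)}

def explain(text: str) -> str:
    """One-line verdict: where the flow was dropped and, for a NAT drop, why."""
    phases, summary = parse_packet_tracer(text)
    p = next((x for x in phases if x.result.upper() == "DROP"), None)
    if p is None:
        return "allowed"
    msg = f"dropped in phase {p.number} ({p.type}): {summary.get('Drop-reason', '?')}"
    hint = nat_no_global(p)
    if hint:
        msg += f"; nat id {hint['nat_id']} from {hint['ingress']} has no global on {hint['egress']}"
    return msg
```

Run over the full trace in the post, `explain` reports the same thing the poster found by eye: the flow from 192.168.150.0/24 towards campus-lan matches nat id 1 on internet2-outside, but no global for that id exists on campus-lan, so the NAT phase drops it. The hint only restates what the trace already says; whether to add a global for that id on campus-lan or to exempt the VPN pool from NAT towards the campus LAN is exactly the design question the poster is asking.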
