This is actually a simple fix and enter the command:

same-security-traffic permit intra-interface

This will allow the traffic to transverse the tunnel.

http://itdualism.wordpress.com/2011/02/04/asa-8-4-first-look/

I am planning on testing it myself shortly and then doing a better review. Hopefully they changed NATing back from the god awful way they do it in 8.3 to the more awesome way it is done in 8.2.

One can dream …

This article was a god send for me. I was trouble shooting this issue for a while. In my case I had an internal device on a private vlan that needed to resolve the public address of another internal server on a different vlan but it would only resolve the private address.

I really hate when devices “try” to be helpful rather than just working they way they are supposed to.

For my first issue I want to talk about is with Cisco ASA’s and concerns how to set up a static route on an interface to point to another router for certain routes.

Let me give an example. You have your inside interface, lets say 192.168.1.0/24, and on this interface your have a router with an IP address of 192.168.1.10 which connects to a network of 10.0.0.0/24. Now you need your devices on the 192.168.1.0/24 network to get to the 10.0.0.0/24 network via 192.168.1.10 but that is not their default gateway. How do you do it?

Well obviously you could use static routes on the machines but that is bad practice. So you do it on the ASA.

You would set up your static route and NAT exempt as normal but it will not work. The ASA will be able to ping the 10.0.0.0 network but not the devices. Packet tracer will tell you that you have a Access List issue but you don’t.

You need to other commands to make this work:

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

This will allow your traffic to function as you intended

When trying to create a static NAT rule with port 443 you get the error:

unable to reserve port 443 for static PAT

The issue was that under Management access, ASDM access was granted on the Outside interface. Since ASDM runs over HTTPS that was the issue. As soon as I removed that rule I was able to create my NAT without issues.

First you have to add the network as an allowed access via the inside network. (I will use the 192.168.1.0/24 network in my example)

From CLI it’s:
http 192.168.1.0 255.255.255.0 inside

If this was a directly connected network then that is all you would have to do, however since it is connected from VPN you also need to specify the inside interface as a management interface with this command.

management-access inside

You can do all this from the ASDM as well:

Under Configuration, Device Management, Management Access:

Add the network on the inside interface  in the ASDM/HTTPS/Telnet/SSH section

Then enable management access on the inside network under the  Management Interface section

1. First find out the mac address of the ethernet interface you will be using:
sh interface Ethernet0/1
This should show you the MAC address of the network interface.

2. Force this arp address onto whichever Vlan you are using:
interface Vlan1
mac-address 0019.0726.xxxx
nameif inside

3. Now define a static arp entry for the IP you want to use as a secondary address. Use the same mac address as the one from above, and enable proxy ARP on it:
arp inside 192.168.1.1 0019.0726.xxx alias
You can verify this is working properly using the show arp command that should return you the ip and    mac address, like this:
sh arp
inside 192.168.1.1 0019.0726.xxx alias
4. At this point any system on the local interface can use the ip as its default gateway and it will work just fine. You need to ensure that return packets are coming back to the source, and this means you have to add a static route for this network on the inside interface (pointing to the primary ip of the interface, let’s say 192.168.1.1 for the sake of argument):
route inside 192.168.1.0 255.255.255.0 192.168.0.1 1

5. Also we need to ensure that traffic is allowed between the same interface hosts, and same level of security interfaces:
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
and you probably want to be sure that access lists will allow the traffic from/to the newly added network.

Enjoy

failover
failover lan unit primary
failover lan interface failover Ethernet X
failover key cisco
failover interface ip failover x.x.x.1 y.y.y.y standby x.x.x.2

Secondary:
failover
failover lan unit secondary
failover lan interface failover Ethernet X
failover key cisco
failover interface ip failover x.x.x.1 y.y.y.y standby x.x.x.2
It should begin the failover replication process immediately upon completing both units.

Use “show failover” to see the status

Hope this helps

Cisco kind of has you over the barrel when it comes to RA vpn. You could go with SSL vpn but the licences are hideously expensive. You could do IPSec vpn but they don’t have a 64 bit client nor are they planning on making one from what I heard. You could do L2TP but if you want LDAP integration you have to send passwords in clear text unless you set up LDAP over SSL. Not to mention that the ASA’s no longer even support PPTP.

It is more then a little annoying I have to say.