06-21-2008 03:25 PM
I have an ASA 5505 up and running, with all the static NAT statements I need to forward ports to internal services such as SMTP and Remote Desktop, and it works fine. I also set up an IPsec VPN connection that authenticates to our domain controller, and that part works. However, after I get connected, I can't ping anything on the local network or access any of the services. I'm sure it's a NAT statement that I don't have correct. Here's the config. I really need to get this up and going tomorrow. Thanks for any help.
Tyler
06-21-2008 11:12 PM
Just remove nat(outside) line and outside_nat0_outbound ACL.
And mention these statements:
1 sysopt connection permit-ipsec.. (If it is disabled, you can check with sh run sysopt).
2, crypto isakmp nat traversal 10 or 20
3 In no nat ACL, mention your local subnets as source and vpn client pool as destination.
4, create other ACL(ST) with different name and same source and destination like no nat ACL.
5, Then type nat (inside) 0 access-list nonat
6, In group-policy dwgavpn, mention splittunnel tunnelspecified and mention the split tunnel ACL (ST).
Regards
06-22-2008 08:41 AM
Thanks for the reply.
I removed the nat(outside) and the outside_nat0_outbound ACL.
I did number 1.) sysopt connection permit-ipsec
I did number 2.) crypto isakmp nat traversal 20
On numbers 3, 4, 5 and 6, I'm not sure I understand. I can't seem to get these right...or at least the ASA doesn't understand me..
Oh, and I'd rather not enable split-tunneling if I can help it.
here's what I have now. I can still connect via the cisco client, I just can't do anything after it authenticates and connects.
Thanks for the help so far.
06-22-2008 10:25 PM
Create nat0 acl
example - allow vpn pool access to inside subnet 10.10.10.0/24
access-list inside_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 192.168.96.0 255.255.255.0
You may add other subnets behind inside that are being routed through 10.10.10.1/24 to be accessed by the vpn pool net.
example
access-list inside_nat0_outbound extended permit ip 192.168.76.0 255.255.255.0 192.168.96.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.86.0 255.255.255.0 192.168.96.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 192.168.96.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
"oh, and I'd rather not enable split-tunneling if I could help from it."
Then you need a full tunnel and to allow the vpn pool internet access through the asa firewall; to accomplish this you need these two statements.
same-security-traffic permit intra-interface <- allows for traffic go out in same interface it came in
nat (outside) 1 192.168.96.0 255.255.255.0 <- PAT for vpn pool outbound internet access in RA full tunnel - no split
Rgds
-Jorge
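As an added illustration (not code from the thread or from Cisco), here is a small Python checker that audits an ASA 8.0-era running-config excerpt for the pieces the two answers above call for: a nat 0 exemption between the inside subnet and the VPN pool, the sysopt and NAT-T lines, and, for a full tunnel, the hairpin and outside PAT lines. The subnets are the ones used in Jorge's example; the config text is constructed and the function names are mine.

```python
import ipaddress
import re

# Constructed excerpt of a running-config (not the poster's real config).
# It deliberately lacks the "nat (outside) 1 <pool>" line so the audit has something to flag.
SAMPLE_CONFIG = """\
ip local pool vpnpool 192.168.96.1-192.168.96.254 mask 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 192.168.96.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
same-security-traffic permit intra-interface
sysopt connection permit-ipsec
crypto isakmp nat-traversal 20
"""

INSIDE_SUBNET = ipaddress.ip_network("10.10.10.0/24")   # LAN behind the ASA
VPN_POOL = ipaddress.ip_network("192.168.96.0/24")      # addresses handed to RA clients

# One "extended permit ip <src> <mask> <dst> <mask>" entry; ASA masks are written as dotted netmasks.
ACE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")

def nat0_exempts(config, inside, pool):
    """True if the ACL bound by 'nat (inside) 0' covers inside -> pool, i.e. VPN-bound traffic bypasses NAT."""
    m = re.search(r"^nat \(inside\) 0 access-list (\S+)$", config, re.M)
    if not m:
        return False
    for line in config.splitlines():
        a = ACE.match(line.strip())
        if not a or a.group(1) != m.group(1):
            continue
        src = ipaddress.ip_network(f"{a.group(2)}/{a.group(3)}", strict=False)
        dst = ipaddress.ip_network(f"{a.group(4)}/{a.group(5)}", strict=False)
        if inside.subnet_of(src) and pool.subnet_of(dst):
            return True
    return False

def audit_ra_vpn(config, inside=INSIDE_SUBNET, pool=VPN_POOL, full_tunnel=True):
    """Return the list of missing pieces; an empty list means every statement the thread asks for is present."""
    findings = []
    if not nat0_exempts(config, inside, pool):
        findings.append("no nat 0 exemption for inside -> vpn pool")
    if not re.search(r"^sysopt connection permit-(ipsec|vpn)$", config, re.M):
        findings.append("sysopt connection permit-ipsec missing")
    if not re.search(r"^crypto isakmp nat-traversal \d+$", config, re.M):
        findings.append("crypto isakmp nat-traversal missing")
    if full_tunnel:  # no split tunnel: client internet traffic must hairpin back out of 'outside'
        if "same-security-traffic permit intra-interface" not in config:
            findings.append("same-security-traffic permit intra-interface missing")
        pat = rf"^nat \(outside\) [1-9]\d* {re.escape(str(pool.network_address))} {re.escape(str(pool.netmask))}$"
        if not re.search(pat, config, re.M):
            findings.append("nat (outside) PAT for vpn pool missing")
    return findings
```

Running `audit_ra_vpn(SAMPLE_CONFIG)` on the excerpt reports only the missing outside PAT line; with `full_tunnel=False` it reports nothing.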