ASA remote-access VPN - NAT exemption rules

Unanswered Question
Aug 7th, 2009
User Badges:
  • Bronze, 100 points or more

I have set up a remote-access VPN using the ASA VPN wizard. When I test the connection with the Cisco VPN Client I connect successfully and get assigned an IP address from the pool I specified. However I can't send any traffic to the network behind the firewall.


The syslog records things like this:


No translation group found for icmp src WAN:10.0.0.10 dst Internal:SERVER-1 (type 8, code 0)

No translation group found for udp sec WAN: 10.0.0.10/49245 dst Internal:SERVER-1/53


10.0.0.10 is the IP the client PC is assigned. The same thing happens whether I specify a separate subnet as the pool, or if I try and use the same subnet as is used on the internal interface.


Is this because an extra NAT exemption rule is required?


Any assistance gratefully received - thanks.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
Jon Marshall Fri, 08/07/2009 - 10:59
User Badges:
  • Super Blue, 32500 points or more
  • Hall of Fame,

    Founding Member

  • Cisco Designated VIP,

    2017 LAN, WAN

James


Yes, you should add a nat exemption for the nat pool you are using for the vpn clients ie.


access-list inside_nat0_outbound extended permit ip any 192.168.10.0 255.255.255.0

nat (inside) 0 access-list inside_nat0_outbound


replace 192.168.10.0 255.255.255.0 with whatever your VPN pool is.


Jon

jamesl0112 Sat, 08/08/2009 - 04:54
User Badges:
  • Bronze, 100 points or more

Thanks - that was the problem. Turns out that the ASDM wizard was adding an exemption rule, but for some reason it was adding it as management -> inside, instead of inside -> outside.


I have noticed one other thing though - the default route on the client PC is being set as the IP being assigned via the VPN, which means that while I can access the servers behind the VPN, I lose access to normal network resources.


I have got split tunnelling enabled in the VPN config and 'allow local LAN access' ticked in the VPN client - any ideas what else I should be doing?


Thanks.

jamesl0112 Sun, 08/09/2009 - 07:46
User Badges:
  • Bronze, 100 points or more

I didn't need 'allow local LAN access' ticked in the client.


The problem was that although split tunnelling was enabled, the ACL added by the wizard was for destination 0.0.0.0. I changed this to the network behind the ASA and the client stopped receiving a default route.


Example here: http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080702999.shtml


The main thing I've learnt is - don't trust the wizard :-)

Actions

This Discussion