I set up port 0 as an Inside interface and port 1 as an Outside interface. I would like to switch them (port 0 = outside, port 1 = inside). Do I connect to the ASA through the Console Port or Management Port to make this change? I was connecting through SSH and the ASA did not allow me to save this change. Thanks.
The only reason that you would possibly need the command:
nat (Outside) 1 192.168.101.0 255.255.255.0
is in case you want to do NAT for the VPN pool when going out another interface.
The clearest example is when you want the ASA to provide Internet access to the VPN clients.
So, the VPN clients connect to the ASA (sending all traffic = without split-tunneling) and the ASA translates the connections to the outside interface to re-route the traffic back out the outside interface.
If this is not the case (since you're using split-tunneling and therefore not sending the Internet traffic from the VPN clients to the ASA), there's no reason to have that command in your configuration.
Hope it helps.
If the Internet traffic from the VPN clients does not go through the ASA (split-tunneling enabled), then you don't need the nat (outside) statement.
You can make sure by looking at your VPN client and checking the route details tab under statistics (while connected) and see the protected routes.
If you see 0.0.0.0 0.0.0.0 it means there's no split-tunneling. If you get a network or networks, it means you do have split-tunneling and therefore you can remove the nat (outside) statement.
Let me know how it goes.
The VPN traffic is not even getting to the ASA.
I think the problem is that the crypto map is applied to the inside interface.
Remove these commands, and reapply them to the outside interface:
no crypto map Outside_map interface Inside
no crypto isakmp enable Inside
crypto map Outside_map interface Outside
crypto isakmp enable Outside
Please try again.
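An added example, not part of the original replies and not Cisco tooling: a small Python check that reads an ASA running-config and flags the two issues raised above, a crypto map or ISAKMP enabled on an interface other than the VPN-facing one, and a nat (outside) statement left in place while split-tunneling is configured. The sample config is constructed, and treating the lowest security-level interface as the VPN-facing one is an assumption.

```python
import re

# Constructed sample config; interface and map names follow the thread.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif Outside
 security-level 0
interface Ethernet0/1
 nameif Inside
 security-level 100
nat (Outside) 1 192.168.101.0 255.255.255.0
group-policy VPNPOLICY attributes
 split-tunnel-policy tunnelspecified
crypto map Outside_map interface Inside
crypto isakmp enable Inside
"""

def audit_asa_vpn(config):
    """Return findings for misplaced VPN bindings and unneeded nat (outside)."""
    levels, current = {}, None          # nameif -> security-level
    vpn_bindings, nat_rules, split_tunnel = [], [], False
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = None              # new interface block
        elif m := re.match(r"nameif (\S+)$", line):
            current = m.group(1)
        elif (m := re.match(r"security-level (\d+)$", line)) and current:
            levels[current] = int(m.group(1))
        elif m := re.match(r"crypto map \S+ interface (\S+)$", line):
            vpn_bindings.append((line, m.group(1)))
        elif m := re.match(r"crypto isakmp enable (\S+)$", line):
            vpn_bindings.append((line, m.group(1)))
        elif m := re.match(r"nat \((\S+)\) \d+ ", line):
            nat_rules.append((line, m.group(1)))
        elif line == "split-tunnel-policy tunnelspecified":
            split_tunnel = True
    if not levels:
        return []
    # Assumption: remote VPN clients arrive on the lowest security-level interface.
    outside = min(levels, key=levels.get)
    findings = [f"VPN enabled on '{name}', expected '{outside}': {line}"
                for line, name in vpn_bindings if name != outside]
    if split_tunnel:  # simplification: any group-policy using split-tunneling
        findings += [f"nat on '{name}' not needed with split-tunneling: {line}"
                     for line, name in nat_rules if name == outside]
    return findings

if __name__ == "__main__":
    print("\n".join(audit_asa_vpn(SAMPLE_CONFIG)))
```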
Check if you have internet access from the ASA itself.
From the ASA itself:
ASA# ping 220.127.116.11
Check if you receive results.
If Internet is fine from the ASA, try the same thing from a computer behind the ASA.
If it does not work, do a traceroute and check the path of the packet.
If you're modifying parameters on an interface (which you're connected to), you need to be careful not to lose connectivity to the firewall (in case you have a remote session).
It has happened to me before to get locked out of the ASA because of this, so if you are physically in the same location as the ASA, better to use the console connection.
If you have more than one interface that you can SSH into, then you can modify the other interface without any problem.
Normally, the rule is to use port 0 for outside and port 1 for inside as you mentioned.
Console port would be the best option as you are changing the interfaces around, and console connection will not affect your communication to the ASA itself.