ASA Remote access VPN & NAT

Answered Question
Jul 1st, 2010

Hello,


I'm trying to get a remote access VPN working using an ASA and Cisco VPN client with no split tunneling. The VPN kinda works: I can access devices on the inside when I connect, but I cannot access the Internet. I don't see any errors in the ASA logfile except these:


Jul 1 04:59:15 gatekeeper %ASA-3-305006: portmap translation creation failed for udp src outside:192.168.47.200/137 dst outside:192.168.47.255/137
Jul 1 04:59:15 gatekeeper %ASA-3-305006: portmap translation creation failed for udp src outside:192.168.47.200/54918 dst outside:xx.xxx.xxx.xxx/53


There's only one public IP address which is DHCP assigned to the outside interface. The inside network is 192.168.1.0/24 which is PAT'ed to the outside interface and the VPN network is 192.168.47.X.


I think my problem is that the .47 net is not being NAT'ed to the outside properly and I'm not sure how to set it up exactly. I can't fathom how this is supposed to work since the VPN net technically originates from the outside already.


Here's all the relevant config:


access-list vpn extended permit ip any 192.168.47.0 255.255.255.0
mtu inside 1500
mtu outside 1500
ip local pool vpnpool 192.168.47.200-192.168.47.220 mask 255.255.255.0
ip verify reverse-path interface outside
ip audit info action alarm drop
ip audit attack action alarm drop
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
global (inside) 2 interface
global (outside) 1 interface
nat (inside) 0 access-list vpn
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 2 192.168.47.0 255.255.255.0 outside
static (inside,outside) tcp interface 3074 XBOX360 3074 netmask 255.255.255.255
static (inside,outside) udp interface 3074 XBOX360 3074 netmask 255.255.255.255
static (inside,outside) udp interface 88 XBOX360 88 netmask 255.255.255.255
static (inside,outside) tcp interface https someids https netmask 255.255.255.255


I can post more of the config if needed.


Changing 'nat (outside) 2 192.168.47.0 255.255.255.0 outside' to 'nat (outside) 2 access-list vpn outside' yields these:


Jul 1 06:18:35 gatekeeper %ASA-3-305005: No translation group found for udp src outside:192.168.47.200/56003 dst outside:66.174.95.44/53


So how do I properly NAT VPN traffic so it can reach the Internet?

Correct Answer by Jennifer Halim (Cisco Employee), Thu, 07/01/2010 - 20:43

A few things need to be changed:

1) NAT exemption ACL needs to be changed to be more specific so only traffic between the internal subnets and vpn pool subnet is not NATed. NAT exemption takes precedence over all other NAT statements, hence your internet traffic from the vpn does not work.


This ACL:

access-list vpn extended permit ip any 192.168.47.0 255.255.255.0


Needs to be changed to:

access-list vpn extended permit ip 192.168.1.0 255.255.255.0 192.168.47.0 255.255.255.0


2) You do not need the "global (inside) 2" statement. The following is what needs to be configured:

no nat (outside) 2 192.168.47.0 255.255.255.0 outside

no global (inside) 2 interface

nat (outside) 1 192.168.47.0 255.255.255.0


3) And lastly, you would need to enable the following to enable u-turn traffic on the outside interface:

same-security-traffic permit intra-interface


And please remember to clear xlate after the above changes, and reconnect to your VPN.


Hope that helps.
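To make the diagnosis above repeatable, here is a small triage script (an added example, not part of the thread or any Cisco tooling) that parses the two xlate-failure syslog messages quoted in the question (%ASA-3-305005 and %ASA-3-305006), checks whether the source sits in the VPN pool, and sorts each failure into the cases the answer distinguishes: pool-to-inside traffic that should be NAT-exempt, pool-to-Internet traffic that re-enters and leaves on the outside interface and therefore needs a matching nat/global pair plus intra-interface traffic, and pool-local broadcast noise that no NAT statement will ever fix. The regex is built only from the message layout shown on the page, the pool and inside subnet come from the question, and the category names are this example's own. The sample lines are the three log lines from the question; the redacted one deliberately exercises the unparseable path.

```python
"""Triage ASA xlate-failure syslog lines (305005 / 305006) for remote-access VPN traffic.

Added example for this thread; the message layout is taken from the lines quoted in the
question, the category names are assumptions made here, not ASA terminology.
"""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# The two message formats quoted in the question:
#   %ASA-3-305005: No translation group found for <proto> src <if>:<ip>/<port> dst <if>:<ip>/<port>
#   %ASA-3-305006: portmap translation creation failed for <proto> src <if>:<ip>/<port> dst <if>:<ip>/<port>
XLATE_FAIL_RE = re.compile(
    r"%ASA-3-(?P<msgid>30500[56]):.*?\bfor (?P<proto>\w+) "
    r"src (?P<src_if>\w+):(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3})/(?P<src_port>\d+) "
    r"dst (?P<dst_if>\w+):(?P<dst_ip>\d{1,3}(?:\.\d{1,3}){3})/(?P<dst_port>\d+)"
)

# Addressing from the question: the VPN pool lives in 192.168.47.0/24, the LAN is 192.168.1.0/24.
VPN_POOL = ipaddress.IPv4Network("192.168.47.0/24")
INSIDE_NETS = [ipaddress.IPv4Network("192.168.1.0/24")]

# Sample input: the three log lines posted in the question (the second one is redacted on the page).
SAMPLE_LINES: List[str] = [
    "Jul 1 04:59:15 gatekeeper %ASA-3-305006: portmap translation creation failed for udp "
    "src outside:192.168.47.200/137 dst outside:192.168.47.255/137",
    "Jul 1 04:59:15 gatekeeper %ASA-3-305006: portmap translation creation failed for udp "
    "src outside:192.168.47.200/54918 dst outside:xx.xxx.xxx.xxx/53",
    "Jul 1 06:18:35 gatekeeper %ASA-3-305005: No translation group found for udp "
    "src outside:192.168.47.200/56003 dst outside:66.174.95.44/53",
]


@dataclass(frozen=True)
class XlateFailure:
    msgid: str
    proto: str
    src_if: str
    src_ip: ipaddress.IPv4Address
    src_port: int
    dst_if: str
    dst_ip: ipaddress.IPv4Address
    dst_port: int

    @property
    def hairpin(self) -> bool:
        """True when the flow enters and leaves on the same interface (u-turn traffic)."""
        return self.src_if == self.dst_if


def parse_xlate_failure(line: str) -> Optional[XlateFailure]:
    """Return the parsed failure, or None for lines that are not 305005/305006 or are redacted."""
    m = XLATE_FAIL_RE.search(line)
    if not m:
        return None
    return XlateFailure(
        msgid=m["msgid"], proto=m["proto"],
        src_if=m["src_if"], src_ip=ipaddress.IPv4Address(m["src_ip"]), src_port=int(m["src_port"]),
        dst_if=m["dst_if"], dst_ip=ipaddress.IPv4Address(m["dst_ip"]), dst_port=int(m["dst_port"]),
    )


def classify(f: XlateFailure, vpn_pool: ipaddress.IPv4Network,
             inside_nets: Iterable[ipaddress.IPv4Network]) -> str:
    """Map one failure to the remediation bucket it belongs to (bucket names are this script's own)."""
    if f.src_ip not in vpn_pool:
        return "not-vpn-source"
    if f.dst_ip in vpn_pool:
        # Client-to-client or broadcast (e.g. NetBIOS to x.x.x.255) within the pool:
        # noise from the client's LAN stack, not something a NAT statement will fix.
        return "pool-local-noise"
    if any(f.dst_ip in n for n in inside_nets):
        # Pool -> inside must be exempt from NAT: the nat (inside) 0 ACL has to cover inside<->pool.
        return "vpn-to-inside-missing-exemption"
    if f.hairpin:
        # Pool -> Internet arrives on outside and leaves on outside. It needs a nat (outside) <id>
        # matching the pool, a global (outside) <id> with the same id, and
        # same-security-traffic permit intra-interface so the u-turn is allowed at all.
        return "vpn-to-internet-missing-hairpin-nat"
    return "other"


def triage(lines: Iterable[str], vpn_pool: ipaddress.IPv4Network,
           inside_nets: Iterable[ipaddress.IPv4Network]) -> Dict[str, int]:
    """Count failures per bucket; unparseable lines are reported rather than silently dropped."""
    counts: Counter = Counter()
    for line in lines:
        f = parse_xlate_failure(line)
        counts["unparsed" if f is None else classify(f, vpn_pool, inside_nets)] += 1
    return dict(counts)


if __name__ == "__main__":
    for bucket, n in sorted(triage(SAMPLE_LINES, VPN_POOL, INSIDE_NETS).items()):
        print(f"{n:3d}  {bucket}")
```

Feed it `show logging` output (or the syslog file) after reconnecting the client; once the nat/global pairing and intra-interface permit from the answer are in place, the hairpin bucket should drop to zero while the pool-local broadcast entries may legitimately remain.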


wsladekjr Thu, 07/01/2010 - 22:06

Your suggestions worked!  You are a god.  Thank you so much for your help.

Jennifer Halim (Cisco Employee) Thu, 07/01/2010 - 23:50

Thanks, pls kindly mark the question answered. Glad to hear it's working now.
