ASA remote access VPN config problems (NAT issue?)

Scott Quinn
Level 1

We have an ASA 5505 that we are currently trying to set up for remote access VPN so staff and some volunteers (especially computer volunteers) don't have to drive in to the office to do network things.

We ran the 'wizard' (not extremely helpful), then I found the spots in ASDM to set up the authentication and other settings to get the system to work with our setup. Now we can connect via VPN and access the ASA, but not any of the internal machines.

My guess based on the evidence is that our problem is related to the ASA blocking the relevant ports/protocols/services (RDP, CIFS, etc.). Since there's no separate entry for VPN in the firewall rulesets, the VPN must be on the full internal network, which leads me to suspect the problem is with the page setting in the "remote access VPN wizard" titled "Specifying Address Translation Exception and Split Tunneling", where you set NAT settings for the VPN section of the network.

I have been over all of the settings on the ADSM menu (I think), and can't find where you modify this setting after running the wizard. I don't want to run the wizard again and mess up all the other settings I've had to modify.

Is this likely the problem? How do I change this setting without re-running the wizard?

We're running ASA software version 8.2-2 and ASDM 6.3-1. I can connect to the console if necessary (haven't straightened out why the SSL access isn't working yet, probably something with TeraTerm). I've already used the console to straighten out things that haven't been handled right by ASDM once...

Thank you.

3 Replies

Nagaraja Thanthry
Cisco Employee

Hello,

Have you configured a nonat rule for traffic from the internal network to the VPN client IP range?

access-list nonat permit ip <inside-network> <inside-mask> <vpn-pool-network> <vpn-pool-mask>

nat (inside) 0 access-list nonat

You should have a configuration like the above that will enable communication between the VPN clients and the inside hosts.

Hope this helps.

Regards,

NT

Hi,

You are correct that NAT indeed could be the problem. As mentioned, you will need a NAT exemption configured for traffic from your local network to the POOL of IPs for the VPN clients. Below is a doc for configuration using ASDM:

http://www.cisco.com/en/US/docs/security/asdm/6_2/user/guide/nat.html#wp1057805

Though this is for ASDM 6.2, I am thinking that configuring NAT exemption should be relatively the same. You will need to specify the original interface as your local network interface, the real address as the local network and the destination address as the pool of IPs. Hope this helps.

All the best!!

Thanks and Regards,

Prapanch
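As an added example (not configuration posted by either reply above), here is the ASA 8.2 CLI form of the NAT exemption both replies describe, using constructed addresses (192.168.1.0/24 as the inside LAN, 192.168.50.0/24 as the client pool) and hypothetical names (VPNPOOL, NONAT, SPLIT_TUNNEL, RA_POLICY, RA_VPN). It also shows the local address pool that keeps the VPN block under the ASA's own control, which is the arrangement the original poster ended up with after dropping DHCP for VPN clients.

```cisco
! Constructed example values, not from the thread:
!   inside LAN       192.168.1.0/24 on interface "inside"
!   VPN client pool  192.168.50.0/24 (VPNPOOL)

! 1. Address pool owned by the ASA. The NAT exemption below must name the
!    same block, so keeping it here (not on a separate DHCP server) avoids
!    the mismatch that left clients unable to reach inside hosts.
ip local pool VPNPOOL 192.168.50.1-192.168.50.254 mask 255.255.255.0

! 2. NAT exemption (identity NAT in 8.2 syntax): inside LAN <-> client pool
!    is not translated, so return traffic is routed back into the tunnel.
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list NONAT

! 3. Split tunnelling: only LAN destinations go through the tunnel;
!    everything else leaves the client directly.
access-list SPLIT_TUNNEL standard permit 192.168.1.0 255.255.255.0

group-policy RA_POLICY internal
group-policy RA_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL

tunnel-group RA_VPN type remote-access
tunnel-group RA_VPN general-attributes
 address-pool VPNPOOL
 default-group-policy RA_POLICY

! Verification (exec mode, not config mode). The packet-tracer run should
! show the NAT phase matching the NONAT exemption for inside -> pool traffic.
show run nat
show run access-list NONAT
packet-tracer input inside tcp 192.168.1.10 3389 192.168.50.5 49152
```

Decrypted VPN traffic bypasses the interface access lists by default (sysopt connection permit-vpn is on unless explicitly disabled), so once the exemption matches the pool, RDP and CIFS to inside hosts need no extra firewall rule. If the pool ever changes, the NONAT access list has to change with it, which is exactly the failure the original poster hit when client addresses came from a different block than the one the wizard configured.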

Scott Quinn
Level 1

Thanks for the replies. It turned out that NAT was indeed the issue. After the initial wizard setup the DHCP server was changed so VPN clients would request their IPs from the network DHCP/DNS server, and the change in the VPN address block was confusing the ASA. After trying to modify the routes and the DHCP server (which was impractical: figuring out how to issue a limited block of IPs to VPN clients over a tunnel interface (i.e. no fixed MAC)), we wound up dropping the single DHCP server (which means VPN clients won't be registered with the DNS, a little less useful, but not a big deal), and it started working fine.
