03-21-2012 04:49 AM - edited 03-11-2019 03:44 PM
Hello,
Having some major headaches with the configuration of an ASA5510.
Scenario
We have an inside interface, 192.168.10.0/23
We have an outside interface, public ip...
We have the ASA connected to 5 site to sites, this is working fine and through the internal interface can access all remote sites and vice versa. These are 192.168.20.0/24, 192.168.30.0/24, 192.168.40.0/24, 192.168.50.0/24 and 192.168.60.0/24
Problem
When a user connects via Cisco VPN Client they can see the inside network but can't talk to the remote networks connected, for instance 192.168.40.0/24... whereas an internal user can. I understand that the VPN client connection is seen as an outside connection, not an inside connection... but then I read http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/vpn_params.html#wp1042114 and I am confused even more!
Simply, I need the client VPN to be able to connect to all sites.
Please advise and if possible in the context of v8.4. Please find attached sanitized cfg.
03-21-2012 07:12 AM
You need a before NAT statement to translate the client VPN IPs to the remote networks IP static to themselves. In ASDM setup outside clientVPN pool and outside remote network, leave the rest the same and be sure it is at or near the top of the list.
CLI Example
nat (outside,outside) source static EZVPN EZVPN destination static ClientVPN ClientVPN
03-21-2012 07:48 AM
Hi Tahequivoice,
I've tried this:
nat (outside,outside) source static objVPN objVPN destination static obj20 obj20
To put it in context
Where objVPN is the local vpn client pool/ips = 192.168.70.0/24
&
where obj20 is the remote network 192.168.20.0/24.
Still no joy, not sure what else I should be doing!
03-21-2012 07:56 AM
Dang, hit the wrong button, now forgot what I had typed.
There are 3 places the ClientVPN pool needs to be in:
NAT exempt. All networks that the VPN pool needs to reach need to be setup as above for 8.4.
Split Tunnel, if used, all networks to be reached need to be in that list.
Encrypted traffic, all VPN ACLs will need the Client VPN pool in it.
The remote locations also have to have the client VPN network in their encryption list.
If you meet the above, then it should work.
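As an added example (not taken from any post in this thread), here is what the three items in the checklist above look like together on an ASA running 8.4, with assumed object and group-policy names (VPN_POOL, SITE20, RA_POLICY); it also includes the one line the pasted config in this thread never shows, same-security-traffic permit intra-interface, without which traffic that enters and leaves the same Outside interface is dropped regardless of NAT.

```cisco
! Added example, not the poster's configuration. Object/policy names are assumed.
! Goal: let remote-access VPN clients (192.168.70.0/24) reach a site-to-site
! network (192.168.20.0/24) on an ASA 8.4.

! 1. Client traffic arrives on Outside (decrypted) and must leave on Outside
!    into the site-to-site tunnel. This hairpin is dropped unless permitted.
same-security-traffic permit intra-interface

object network VPN_POOL
 subnet 192.168.70.0 255.255.255.0
object network SITE20
 subnet 192.168.20.0 255.255.255.0

! 2. NAT exemption: identity twice NAT, inserted at position 1 of section 1 so
!    no later rule (e.g. dynamic PAT to the Outside address) rewrites the pool.
!    no-proxy-arp stops the ASA answering ARP for the pool on Outside.
nat (Outside,Outside) 1 source static VPN_POOL VPN_POOL destination static SITE20 SITE20 no-proxy-arp

! 3. Crypto ACL of the site-to-site tunnel must carry the pool as interesting
!    traffic. The remote peer needs the mirror image (192.168.20.0/24 -> 192.168.70.0/24)
!    in its own crypto ACL or the tunnel will not negotiate that SA.
access-list Outside_cryptomap extended permit ip 192.168.10.0 255.255.254.0 192.168.20.0 255.255.255.0
access-list Outside_cryptomap extended permit ip object VPN_POOL object SITE20

! 4. Split-tunnel list for the remote-access group policy must include the remote
!    site, otherwise the client sends 192.168.20.0/24 out its local default gateway.
access-list TunnelList standard permit 192.168.10.0 255.255.254.0
access-list TunnelList standard permit 192.168.20.0 255.255.255.0
group-policy RA_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value TunnelList

! Verification: the exemption should show hits, and packet-tracer should end in
! ALLOW with the NAT phase matching the identity rule rather than a PAT rule.
show nat detail | include VPN_POOL
packet-tracer input Outside icmp 192.168.70.10 8 0 192.168.20.10 detailed
```

If packet-tracer shows a drop in the NAT or VPN phase, compare the matched rule with the identity rule above; if it passes but the remote side still does not reply, the remote peer's crypto ACL is the usual missing piece.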
03-21-2012 08:11 AM
03-21-2012 11:18 AM
Hello,
here are the parts of the configuration you have worked on:
Site to Site tunnel configuration:
access-list Outside_cryptomap extended permit ip 192.168.10.0 255.255.254.0 192.168.20.0 255.255.255.0
access-list Outside_cryptomap extended permit ip object objVPN 192.168.20.0 255.255.255.0
nat (Outside,Outside) source static objVPN objVPN destination static obj20 obj20
access-list TunnelList standard permit 192.168.20.0 255.255.255.0
access-list TunnelList standard permit 192.168.30.0 255.255.255.0
access-list TunnelList standard permit 192.168.40.0 255.255.255.0
access-list TunnelList standard permit 192.168.50.0 255.255.255.0
access-list TunnelList standard permit 192.168.60.0 255.255.255.0
access-list TunnelList standard permit 192.168.10.0 255.255.254.0
access-list TunnelList standard permit 192.168.70.0 255.255.255.0
Everything looks as it should, now if you want the Obj20 to start the communication you would also need this nat:
nat (Outside,Outside) source static obj20 obj20 destination static objVPN objVPN
Regards,
Julio
03-21-2012 12:55 PM
Hi Julio,
This is not working, worked out the command was in the wrong order, whoops - helps if I read the command...
These are my nat statements:
nat (Outside,Outside) source static objVPN objVPN destination static obj20 obj20
nat (inside,Outside) source static any any destination static obj10 obj10
nat (inside,Outside) source static any any destination static obj40 obj40
nat (inside,Outside) source static any any destination static obj50 obj50
nat (inside,Outside) source static any any destination static obj30 obj30
nat (inside,Outside) source static any any destination static obj20 obj20
nat (inside,Outside) source static any any destination static obj100 obj100
nat (inside,Outside) source static any any destination static obj60 obj60
nat (inside,Outside) source static any any destination static objVPN objVPN
nat (Outside,Outside) source static obj20 objVPN destination static obj20 objVPN
nat (Outside,Outside) source static obj20 obj20 destination static objVPN objVPN
Is there anything that sticks out... this still does not work.
Cheers,
03-21-2012 01:47 PM
Hello,
What is this doing here?
nat (Outside,Outside) source static obj20 objVPN destination static obj20 objVPN
Please do the following:
no nat (Outside,Outside) source static obj20 objVPN destination static obj20 objVPN
no nat (Outside,Outside) source static obj20 obj20 destination static objVPN objVPN
nat (Outside,Outside) 1 source static obj20 obj20 destination static objVPN objVPN
Regards,
03-21-2012 01:58 PM
Hello,
Have done as asked, 192.168.20.0/24 still not reachable, any other suggestions?
Many thanks for everyone's help so far