
NAT exempt for vpn pool in ASDM

Answered Question
Aug 30th, 2013

I've been reading everything I can find, and I think I understand what is asked of me, but I'm not sure exactly how to do it within ASDM.

I have used the "wizard" to set up the anyconnect VPN and think that's all fine.

But the wizard reminded me that I needed to add a NAT exempt rule... ok, so the wizard isn't such a wiz after all and can't set everything up.


My VPN pool is 10.10.35.1 through 50

My internal networks are 10.10.30.0/24 and 10.10.10.0/24

Do I need 2 nat exempt rules to allow windows remote desktop to the internal machines via AnyConnect?

And if so, how do I do that in ASDM? (I'm totally clueless about using the CLI, and if that would work better, I would like a step-by-step.)


Thanks

Dennis

Jouni Forss Fri, 08/30/2013 - 10:48
User Badges:
  • Super Bronze, 10000 points or more

Hi,


Most of the configuration situations and problem situations here are gone through in CLI format as the ASDM side is simply tedious to go through.


Furthermore, the problem in my case is the fact that I don't use ASDM for any ACL or NAT configurations. I might use it for VPN-related settings, but that's about it.


First thing we would need to know is your ASA software level so we know what the NAT configuration format will be.


Depending on that software level we would then need some output of the current configurations on the device to determine the correct configuration for your situation.


We would also need to know the interface names of your firewall. Are they the default "inside" and "outside" or have you configured something else?


You can actually use the CLI from the ASDM too.


You can go to Tools -> Command Line Interface and use the ASDM to insert the configurations or take different "show" command outputs.


- Jouni

Correct Answer
Jouni Forss Fri, 08/30/2013 - 11:05
User Badges:
  • Super Bronze, 10000 points or more

Hi,


You can insert the following configuration to configure the NAT0 / NAT Exempt required:

access-list INSIDE-NAT0 remark NAT0 for VPN
access-list INSIDE-NAT0 permit ip 10.10.30.0 255.255.255.0 10.10.35.0 255.255.255.0
access-list INSIDE-NAT0 permit ip 10.10.10.0 255.255.255.0 10.10.35.0 255.255.255.0

nat (inside) 0 access-list INSIDE-NAT0


You can either use the CLI directly or you can use the ASDM -> Tools -> Command Line Interface. You might need to choose the "Multiple Lines" option before inserting the commands to be sent to the ASA.


Hope this helps


- Jouni

Dennis Newman Fri, 08/30/2013 - 17:31

Thank You - That makes two problems that you have helped me through - Much appreciated!!


Dennis


Sorry to add to this, but after reading other posts, if I want to allow the VPN users to connect to the internet while vpn'ing into the network, I think I need to add:



same-security-traffic permit intra-interface


and


nat (outside) 1 10.01.35.0 255.255.255.0


would that be correct?


Dennis

Jouni Forss Fri, 08/30/2013 - 22:09
User Badges:
  • Super Bronze, 10000 points or more

Hi,


There is a small typo there, and the "nat" command should use the ID 101 like your Dynamic PAT configuration at the moment.


So use


nat (outside) 101 10.10.35.0 255.255.255.0


and the one you mentioned already


same-security-traffic permit intra-interface


- Jouni
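
An added check for the two steps above (the NAT0 exemption and the corrected hairpin PAT line). This is example code written for this page, not from the thread or from Cisco; it assumes the pre-8.3 NAT syntax used here, the /24 Jouni used for the 10.10.35.x pool, and a dynamic PAT id of 101 as mentioned in the reply.

```python
# Example (not from the thread): generate the pre-8.3 ASA NAT-exempt lines for a
# VPN pool and sanity-check the hairpin PAT line before pasting it into the ASA.
import ipaddress
from typing import Iterable, List


def nat0_lines(acl: str, inside_if: str, pool: str, lans: Iterable[str]) -> List[str]:
    """One 'permit ip <LAN> <pool>' ACE per LAN, then bind the ACL with nat ... 0."""
    pool_net = ipaddress.ip_network(pool, strict=True)
    lines = [f"access-list {acl} remark NAT0 for VPN"]
    for lan in lans:
        lan_net = ipaddress.ip_network(lan, strict=True)
        lines.append(
            f"access-list {acl} permit ip {lan_net.network_address} {lan_net.netmask} "
            f"{pool_net.network_address} {pool_net.netmask}"
        )
    lines.append(f"nat ({inside_if}) 0 access-list {acl}")
    return lines


def check_pool(pool: str, lans: Iterable[str]) -> List[str]:
    """The pool must not overlap a LAN it is exempted toward; return any overlaps."""
    pool_net = ipaddress.ip_network(pool)
    return [f"pool {pool} overlaps LAN {lan}" for lan in lans
            if pool_net.overlaps(ipaddress.ip_network(lan))]


def check_hairpin_pat(pat_line: str, pool: str, expected_id: int) -> List[str]:
    """Parse 'nat (outside) <id> <net> <mask>' and confirm the id matches the existing
    dynamic PAT and the network really covers the pool (catches '1' vs '101' and a
    mistyped octet such as 10.01.35.0)."""
    parts = pat_line.split()
    if len(parts) != 5 or parts[0] != "nat":
        return [f"unparseable: {pat_line!r}"]
    problems = []
    nat_id = int(parts[2])
    if nat_id != expected_id:
        problems.append(f"nat id {nat_id} != dynamic PAT id {expected_id}")
    try:
        net = ipaddress.ip_network(f"{parts[3]}/{parts[4]}", strict=True)
    except ValueError as exc:  # leading zeros or host bits set
        return problems + [f"bad network/mask: {exc}"]
    if not ipaddress.ip_network(pool).subnet_of(net):
        problems.append(f"{net} does not contain VPN pool {pool}")
    return problems


if __name__ == "__main__":
    LANS = ["10.10.30.0/24", "10.10.10.0/24"]  # networks from the thread
    print("\n".join(nat0_lines("INSIDE-NAT0", "inside", "10.10.35.0/24", LANS)))
    print(check_hairpin_pat("nat (outside) 1 10.01.35.0 255.255.255.0", "10.10.35.0/24", 101))
```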

Dennis Newman Fri, 08/30/2013 - 23:03

Well, I think I may have screwed something up by attempting to follow several different instruction threads to allow vpn users to access the internet.

I'm getting connected to the network just fine - it even allows the Novell network login to access my NetWare servers via the VPN, which is what > I < want to be able to do, but my users will gripe if they can't use the internet while logged into the VPN.


I'm being assigned IP 10.10.35.1 with a gateway of 10.10.35.2 - but I'm not seeing any DNS servers in my network status report - not sure if that's what the issue is.


If you could please take a look at my new config and see if something jumps out at you, I would appreciate it.


Thanks




Correct Answer
Jouni Forss Fri, 08/30/2013 - 23:12
User Badges:
  • Super Bronze, 10000 points or more

Hi,


Which "username" are you logging in with?


username vpntest

username vpntest attributes

vpn-group-policy VPN


username DNewman

username DNewman attributes

vpn-group-policy DfltGrpPolicy


One of them is using the Group Policy "VPN" and the other one the "DfltGrpPolicy", which doesn't have any DNS server configured.


You can also configure your VPN to use Split Tunnel. This would essentially mean that ONLY traffic towards the LAN networks is tunneled to the VPN and all other traffic (like Internet) goes through the user's local Internet connection.


If you want to configure Split Tunnel then you can use these configurations:

access-list SPLIT-TUNNEL standard permit 10.10.10.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit 10.10.30.0 255.255.255.0

group-policy VPN attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT-TUNNEL


- Jouni

Dennis Newman Sat, 08/31/2013 - 08:22

Once again - Thank You

I was attempting to configure for vpntest, but logging on as myself.

But it looks like using the split tunnel might be a smarter way to go.


Now all I need to do is figure out how many vpn users I'm allowed (standard out of the box 50 user asa5505), and how many extra licenses I need to purchase for my users. - Amazing how when I ask which of the users "need" VPN access, they all say they do, but with our last VPN setup only about 10% actually ever logged in.


Dennis
