Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 
cancel
Start a conversation
12116
Views
0
Helpful
8
Replies

NAT exempt for vpn pool in ASDM

Go to solution
Dennis Newman
Level 1
Level 1

ā€Ž08-30-2013 09:40 AM

I've been reading everything I can find, and I think I understand what is asked of me, but I'm not sure exactly how to do it within ASDM

I have used the "wizard" to set up the anyconnect VPN and think that's all fine.

But the wizard reminded me that I needed to add a nat exempt rule  ok so the wizard isn't such a wiz after all and can't set everything up.

My VPN pool is 10.10.35.1 through 50

My internal networks are 10.10.30.0/24 and 10.10.10.0/24

Do I need 2 nat exempt rules to allow windows remote desktop to the internal machines via AnyConnect?

and if so, how do I do that in ASDM (I'm totally clueless about using the CLI, and if that would work better, I would like a step by step)

Thanks

Dennis

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni
In response to Dennis Newman

ā€Ž08-30-2013 11:05 AM

Hi,

You can insert the following configuration to configure the NAT0 / NAT Exempt required

access-list INSIDE-NAT0 remark NAT0 for VPN

access-list INSIDE-NAT0 permit ip 10.10.30.0 255.255.255.0 10.10.35.0 255.255.255.0

access-list INSIDE-NAT0 permit ip 10.10.10.0 255.255.255.0 10.10.35.0 255.255.255.0


nat (inside) 0 access-list INSIDE-NAT0

You can either use the CLI directly or you can use the ASDM -> Tools -> Command Line Interface. You might need to choose the "Multiple Lines" option before inserting the commands to be sent to the ASA.

Hope this helps

- Jouni

View solution in original post

0 Helpful

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni
In response to Dennis Newman

ā€Ž08-30-2013 11:12 PM

Hi,

Which "username" are you logging in with?

username vpntest

username vpntest attributes

vpn-group-policy VPN

username DNewman

username DNewman attributes

vpn-group-policy DfltGrpPolicy

The other one is using the Group Policy "VPN" and the other one the "DfltGrpPolicy" which doesnt have any DNS server configured.

You can also configure your VPN to use Split Tunnel. This would essentially mean that ONLY traffic towards the LAN networks is tunneled to the VPN and all other traffic (like Internet) goes through the users local Internet connection.

If you want to configure Split Tunnel then you can use these configurations

access-list SPLIT-TUNNEL standard permit 10.10.10.0 255.255.255.0

access-list SPLIT-TUNNEL standard permit 10.10.30.0 255.255.255.0

group-policy VPN attributes

split-tunnel-policy tunnelspecified

split-tunnel-network-list value SPLIT-TUNNEL

- Jouni

View solution in original post

0 Helpful
8 Replies 8

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni

ā€Ž08-30-2013 10:48 AM

Hi,

Most of the configuration situations and problem situations here are gone through in CLI format as the ASDM side is simply tedious to go through.

Furthermore the problem in my case is the fact that I dont use ASDM for any ACL or NAT configurations. I might use it for VPN related settings but thats about it.

First thing we would need to know is your ASA software level so we know what the NAT configuration format will be.

Depending on that software level we would then need some output of the current configurations on the device to determine the correct configuration for your situation.

We would also need to know the interface names of your firewall. Are they the default "inside" and "outside" or have you configured something else?

You can actually use the CLI from the ASDM too.

You can go to Tools -> Command Line Interface and use the ASDM to insert the configurations or take different "show" command outputs.

- Jouni

0 Helpful

Go to solution
Dennis Newman
Level 1
Level 1
In response to Jouni Forss

ā€Ž08-30-2013 11:00 AM

ASA version 8.2(5)

running on a 5505

Configuration attached - Yes I kept the default interface names

15366612-asa config.txt.zip
0 Helpful

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni
In response to Dennis Newman

ā€Ž08-30-2013 11:05 AM

Hi,

You can insert the following configuration to configure the NAT0 / NAT Exempt required

access-list INSIDE-NAT0 remark NAT0 for VPN

access-list INSIDE-NAT0 permit ip 10.10.30.0 255.255.255.0 10.10.35.0 255.255.255.0

access-list INSIDE-NAT0 permit ip 10.10.10.0 255.255.255.0 10.10.35.0 255.255.255.0


nat (inside) 0 access-list INSIDE-NAT0

You can either use the CLI directly or you can use the ASDM -> Tools -> Command Line Interface. You might need to choose the "Multiple Lines" option before inserting the commands to be sent to the ASA.

Hope this helps

- Jouni

0 Helpful

Go to solution
Dennis Newman
Level 1
Level 1
In response to Jouni Forss

ā€Ž08-30-2013 05:31 PM

Thank You - That makes two problems that you have helped me through - Much appreciated!!

Dennis

Sorry to add to this, but after  reading other posts, if I want to allow the VPN users to connect to the  internet while vpn'ing into the network, I think I need to add -

same-security-traffic permit intra-interface

and

nat (outside) 1 10.01.35.0 255.255.255.0

would that be correct?

Dennis

0 Helpful

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni
In response to Dennis Newman

ā€Ž08-30-2013 10:09 PM

Hi,

There is a small typo there and the "nat" command should use the ID 101 like your Dynamic PAT configuration at the moment

So use

nat (outside) 101 10.10.35.0 255.255.255.0

and the one you mentioned already

same-security-traffic permit intra-interface

- Jouni

0 Helpful

Go to solution
Dennis Newman
Level 1
Level 1
In response to Jouni Forss

ā€Ž08-30-2013 11:03 PM

Well, I think I may have screwed something up by attempting to follow several different instruction threads to allow vpn users to access the internet.

I'm getting connected to the network just fine - even allows the Novell network login to access my netware servers via the VPN which is what > I < want to be able to do, but my usere will gripe if they can't use the internet while logged into the VPN.

I'm being assigned IP 10.10.35.1 with a gateway of 10.10.35.2 - but not seeing any DNS servers in my network status report - not sure if that's what the issue is.

If you could please take a look at my new config and see if something jumps out at you, I would appreciate it.

Thanks

15366627-cisco config aug 30 - 2013.txt.zip
0 Helpful

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni
In response to Dennis Newman

ā€Ž08-30-2013 11:12 PM

Hi,

Which "username" are you logging in with?

username vpntest

username vpntest attributes

vpn-group-policy VPN

username DNewman

username DNewman attributes

vpn-group-policy DfltGrpPolicy

The other one is using the Group Policy "VPN" and the other one the "DfltGrpPolicy" which doesnt have any DNS server configured.

You can also configure your VPN to use Split Tunnel. This would essentially mean that ONLY traffic towards the LAN networks is tunneled to the VPN and all other traffic (like Internet) goes through the users local Internet connection.

If you want to configure Split Tunnel then you can use these configurations

access-list SPLIT-TUNNEL standard permit 10.10.10.0 255.255.255.0

access-list SPLIT-TUNNEL standard permit 10.10.30.0 255.255.255.0

group-policy VPN attributes

split-tunnel-policy tunnelspecified

split-tunnel-network-list value SPLIT-TUNNEL

- Jouni

0 Helpful

Go to solution
Dennis Newman
Level 1
Level 1
In response to Jouni Forss

ā€Ž08-31-2013 08:22 AM

Once again - Thank You

I was attempting to configure for vpntest, but logging on as myself

But it looks like using the split tunnel might be a smarter way to go

Now all I need to do is figure out how many vpn users I'm allowed (standard out of the box 50 user asa5505), and how many extra licenses I need to purchase for my users. - Amazing how when I ask which of the users "need" VPN access, they all say they do, but with our last VPN setup only about 10% actually ever logged in.

Dennis

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents