How to redirect VPN traffic on the outside interface of the ASA

Answered Question
Jan 8th, 2014
Hello,

This picture will explain what I want.

[image: ASA.png]

VPN Client is: 3.1.000395 Anyconnect, ASA image 8.4(2)

So VPN users should be able to reach the public "internet" addresses.

For testing purposes, 1.1.1.1/32 behind R9 is representing the "internet".

Criteria: - VPN users should be able to access all Vlans inside of the ASA. This one is already implemented,
          - VPN users should be able to access the internet, for instance 1.1.1.1/32 (loopback on R9) - I am stuck here.

If I make a "U turn NAT" like this: nat (OUT,OUT) dynamic VLM (20.0.0.6), the debug nat 255 output is the following:

nat: translation - OUT:10.0.0.150/512 to OUT:20.0.0.6/467
nat: translation - OUT:10.0.0.150/512 to OUT:20.0.0.6/467
nat: translation - OUT:10.0.0.150/512 to OUT:20.0.0.6/467
nat: translation - OUT:10.0.0.150/512 to OUT:20.0.0.6/467

I think it does translate the packet but doesn't forward it. A Wireshark capture on R1's interface towards the ASA doesn't show packets coming back with source IP 20.0.0.6.

I changed the NAT rule to:

nat (OUT,OUT) source static 150 VLM destination static 1 1

The output of debug nat 255 is:

nat: translation - OUT:10.0.0.150/512 to OUT:20.0.0.6/512
nat: translation - OUT:10.0.0.150/512 to OUT:20.0.0.6/512
nat: translation - OUT:10.0.0.150/512 to OUT:20.0.0.6/512

The hardest thing on the ASA is the NAT :S

Thanks for reading and helping. Cheers



Full configs:


R1

interface FastEthernet0/0
 ip address 20.0.0.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet1/0
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet2/0
 ip address 40.0.0.1 255.255.255.252
 duplex auto
 speed auto
!
ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 40.0.0.2
!
!
ip nat inside source list 1 interface FastEthernet0/0 overload
!
access-list 1 permit 192.168.0.0 0.0.0.255

R9

interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface FastEthernet0/0
 ip address 40.0.0.2 255.255.255.252
 duplex auto
 speed auto
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 40.0.0.1

ASA

interface GigabitEthernet0
 nameif MAN
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface GigabitEthernet1
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1.10
 vlan 10
 nameif V10
 security-level 95
 ip address 10.10.0.1 255.255.0.0
!
interface GigabitEthernet1.20
 vlan 20
 nameif V20
 security-level 90
 ip address 10.20.0.1 255.255.0.0
!
interface GigabitEthernet1.30
 vlan 30
 nameif V30
 security-level 90
 ip address 10.30.0.1 255.255.0.0
!
interface GigabitEthernet2
 nameif OUT
 security-level 0
 ip address 20.0.0.2 255.255.255.0
!
interface GigabitEthernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet5
 shutdown
 no nameif
 no security-level
 no ip address
!
boot config disk0:/startconf
ftp mode passive
object network XP3
 host 10.20.0.2
object network lo
 host 30.0.0.1
object network xp2
 host 10.10.0.2
object network ALLOWED_VLAN20_HOST1
 host 10.20.0.100
object network ALLOWED_VLAN20_HOST2
 host 10.20.0.200
object network ALLOWEDPUBH1
 subnet 20.0.0.0 255.255.255.0
object network ALLOWEDPUBH2
 subnet 30.0.0.0 255.255.255.0
object network NAT10
 subnet 10.10.0.0 255.255.0.0
object network VL10
 host 20.0.0.3
object network NAT20
 subnet 10.20.0.0 255.255.0.0
object network VL20
 host 20.0.0.4
object network NAT30
 subnet 10.30.0.0 255.255.0.0
object network VL30
 host 20.0.0.5
object network GW
 host 20.0.0.1
object network 150-200
object network VPN
 subnet 10.0.0.0 255.255.255.0
object network MAN_NAT
 subnet 10.0.0.0 255.255.255.0
object network VLM
 host 20.0.0.6
object network VPN_RANGE
object network VPN-R
object network VLANM
 subnet 10.0.0.0 255.255.255.0
object network VPN_NAT_PUB
 subnet 10.0.0.0 255.255.255.0
object network 1
 host 1.1.1.1
object network 150
 host 10.0.0.150
object-group network DM_INLINE_NETWORK_1
 network-object object ALLOWEDPUBH1
 network-object object ALLOWEDPUBH2
object-group network DM_INLINE_NETWORK_2
 network-object 10.30.0.0 255.255.0.0
 network-object object ALLOWEDPUBH1
 network-object object ALLOWEDPUBH2
access-list V10_access_in extended permit ip 10.10.0.0 255.255.0.0 object ALLOWED_VLAN20_HOST1 log inactive
access-list V10_access_in extended permit ip 10.10.0.0 255.255.0.0 object-group DM_INLINE_NETWORK_2 inactive
access-list V20_access_in extended permit ip object ALLOWED_VLAN20_HOST2 10.10.0.0 255.255.0.0 inactive
access-list V20_access_in extended permit ip 10.20.0.0 255.255.0.0 object-group DM_INLINE_NETWORK_1 inactive
pager lines 24
logging asdm informational
mtu MAN 1500
mtu V10 1500
mtu V20 1500
mtu V30 1500
mtu OUT 1500
ip local pool VPN 10.0.0.150-10.0.0.200 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-641.bin
no asdm history enable
arp timeout 14400
nat (OUT,OUT) source static 150 VLM destination static 1 1
nat (V10,OUT) source static NAT10 NAT10 destination static VPN VPN
nat (V20,OUT) source static NAT20 NAT20 destination static VPN VPN
nat (V30,OUT) source static NAT30 NAT30 destination static VPN VPN
!
object network NAT10
 nat (V10,OUT) dynamic VL10
object network NAT20
 nat (V20,OUT) dynamic VL20
object network NAT30
 nat (V30,OUT) dynamic VL30
object network VLANM
 nat (MAN,OUT) dynamic VLM
access-group V10_access_in in interface V10
access-group V20_access_in in interface V20
route OUT 0.0.0.0 0.0.0.0 20.0.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 0.0.0.0 0.0.0.0 MAN
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
console timeout 0
management-access MAN
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable OUT
 anyconnect image disk0:/anyconnect-win-3.1.00495-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
group-policy GroupPolicy_VPN internal
group-policy GroupPolicy_VPN attributes
 wins-server none
 dns-server value 8.8.8.8
 vpn-tunnel-protocol ssl-client
 default-domain none
username kem1 password 2d5trVo/lPOAWz5V encrypted
username kem2 password thI857WcpQPt9C.t encrypted
tunnel-group VPN type remote-access
tunnel-group VPN general-attributes
 address-pool VPN
 default-group-policy GroupPolicy_VPN
tunnel-group VPN webvpn-attributes
 group-alias VPN enable
!
class-map global-class
 match default-inspection-traffic
!
!
policy-map global-policy
 class global-class
  inspect dns
  inspect ftp
  inspect http
  inspect icmp
  inspect icmp error
!
service-policy global-policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email [email protected]
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:6d2d1fb4e6c02ce6e186541e0b50a4f0
: end

Correct Answer by Jouni Forss about 3 years 7 months ago

Hi,

I can't see this command in your ASA configuration:

same-security-traffic permit intra-interface

This command is required to enable traffic to enter one interface and leave through that same interface. In your case, the interface "OUT".

So add that.

For the Dynamic PAT for the VPN users you can configure:

object network VPN-PAT
 subnet 10.0.0.0 255.255.255.0
 nat (OUT,OUT) dynamic interface

This should be enough to enable the VPN users to use the "OUT" interface to reach the external networks.

Hope this helps

- Jouni
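The two prerequisites named in the accepted answer (intra-interface permission on "OUT" and an (OUT,OUT) PAT rule that covers the VPN pool) can be checked mechanically before a change window. The script below is an added example, not code from the thread or from Cisco; it lints a constructed excerpt modelled on the poster's config and reports which prerequisite is missing. The object names `VPN-PAT` and `VLANM` and the pool come from the thread; the parser only understands the `object network` / `host` / `subnet` / `nat` and `ip local pool` syntax shown there.

```python
import ipaddress
import re
# Constructed ASA 8.4 excerpt modelled on the thread's config (not a verbatim copy):
# the VPN pool is 10.0.0.150-200 and nothing translates it back out of "OUT".
BROKEN_CONFIG = """\
ip local pool VPN 10.0.0.150-10.0.0.200 mask 255.255.255.0
object network VLANM
 subnet 10.0.0.0 255.255.255.0
 nat (MAN,OUT) dynamic VLM
"""
# The same excerpt plus the two items from the accepted answer.
FIXED_CONFIG = BROKEN_CONFIG + """\
same-security-traffic permit intra-interface
object network VPN-PAT
 subnet 10.0.0.0 255.255.255.0
 nat (OUT,OUT) dynamic interface
"""

def parse_object_nat(cfg):
    """Map each 'object network' block to [network, [nat interface pairs]]."""
    objs, cur = {}, None
    for line in cfg.splitlines():
        m = re.match(r"object network (\S+)", line)
        if m:
            cur = m.group(1)
            objs[cur] = [None, []]
            continue
        if cur is None or not line.startswith(" "):
            cur = None          # an unindented line ends the object block
            continue
        tok = line.split()
        if tok[0] == "subnet":
            objs[cur][0] = ipaddress.ip_network(f"{tok[1]}/{tok[2]}")
        elif tok[0] == "host":
            objs[cur][0] = ipaddress.ip_network(tok[1])
        elif tok[0] == "nat":
            objs[cur][1].append(tok[1].strip("()"))   # e.g. "OUT,OUT"
    return objs
def check_vpn_hairpin(cfg, outside="OUT"):
    """Return the findings that would keep VPN clients from hairpinning via OUT."""
    findings = []
    if "same-security-traffic permit intra-interface" not in cfg.splitlines():
        findings.append("missing: same-security-traffic permit intra-interface")
    m = re.search(r"ip local pool \S+ (\S+)-(\S+)", cfg)
    lo, hi = ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))
    pair = f"{outside},{outside}"
    if not any(net and lo in net and hi in net and pair in nats
               for net, nats in parse_object_nat(cfg).values()):
        findings.append(f"missing: nat ({pair}) rule covering pool {lo}-{hi}")
    return findings
```

Run `check_vpn_hairpin(open("running-config.txt").read())` against a saved `show running-config`; an empty list means both prerequisites are present for the given outside interface name.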

Istvan kelemen Wed, 01/08/2014 - 15:32

Omg, it was pretty obvious but I couldn't get it.

Thanks, you made my day!
