Kindly assist me with this Remote Access VPN issue.
I have configured IPsec Remote Access VPN using the wizard. The remote client connects to the headquarters quite fine, obtains the defined IP address, sends packets and bytes, BUT does not receive any bytes nor decrypt any packets. Rather, the counter for discarded packets keeps rising.
What could possibly be responsible, or what other configuration needs to be done on the ASA for the connection to be completely functional?
It may help to state that AnyConnect VPN is configured on the same outside interface on the ASA, and it is still functional. Could that be the reason?
AnyConnect VPN is being used by staff for remote access.
So if I understand correctly, you have, for example, an interface for LAN and one for WAN, and naturally the destination networks that you want to reach through the VPN Client connection are all located behind the LAN interface.
In that case the NAT0 configuration with your newer software would look something like this:
object-group network LAN-NETWORKS-VPN
 description LAN networks that the VPN clients must reach (add your network-object entries here)
object network VPN-POOL
 description Address pool assigned to the VPN clients (add your subnet entry here)
nat (LAN,WAN) 1 source static LAN-NETWORKS-VPN LAN-NETWORKS-VPN destination static VPN-POOL VPN-POOL
Naturally the naming of interfaces and objects could be different. In this case it's simply meant to illustrate the purpose of the object or the interface.
I am naturally not sure if the NAT0 configuration is the problem, though; I can't really say anything for certain as I can't see the configuration.
As to the other question,
I have not set up an ASA to use two WAN interfaces in such a way in production environments, as in those cases the customer usually has separate platforms for both, or we might be hosting/providing the service for them.
I would imagine that there are ways to do this, but the main problem is the routing. Essentially we know that VPN Client connections can come from pretty much any public source IP address, and in that case we would need a default route pointing towards the VPN interface, since it's not really practical to configure separate routes for the IP addresses where the VPN Client connections would come from.
Then when we consider that we would also need a default route on the INTERNET link on the ASA, we run into the problem that we cannot have two default routes on the same device active at the same time.
Naturally with your software level you would be able to use NAT to get the result you wanted.
In short, the requirements would be the following:
- VPN interface has the default route, INTERNET interface has a lower value default route
- NAT0 configuration between the LAN and VPN interfaces to make sure this traffic is forwarded between these interfaces without NAT
- A special NAT configuration between the LAN and INTERNET interfaces which would essentially forward all traffic out of the INTERNET interface (except for the VPN traffic, which we manipulated in the earlier step)
The above things would essentially let the VPN interface have the default route, which would mean that no matter what the source IP address of the VPN Client is, it should be able to communicate with the ASA.
The purpose of the NAT0 configuration would be to force the ASA to pass this traffic between the LAN and VPN (pools) for the VPN traffic.
The special NAT configuration would then match traffic coming from LAN towards ANY destination address and forward it to the INTERNET interface. After that decision is made, the traffic would follow the lower value default route out through that interface.
I would say this is not really the ideal situation and configuration to use in a production environment. It potentially creates a complex NAT configuration, as you are using it to manipulate traffic instead of letting the routing table make the choice in the first place.
Naturally there might be other options, but I would have to test such a setup before I can say anything more for certain.
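As an added worked example (not part of the original thread, and not the asker's or the answerer's configuration), here is a complete NAT exemption for the Remote Access VPN scenario discussed above on a post-8.3 ASA, together with the packet-tracer check that shows whether the returning LAN-to-client traffic is being caught by the exemption or by another NAT rule. The interface names LAN and WAN, the 192.168.10.0/24 LAN, the 10.200.200.0/24 client pool, and the two host addresses are assumed for illustration only.

```cisco
! Assumed addressing (not from the original post):
!   LAN interface  : 192.168.10.0/24 behind nameif LAN
!   VPN client pool: 10.200.200.0/24, terminated on nameif WAN
object-group network LAN-NETWORKS-VPN
 description Internal networks the VPN clients must reach
 network-object 192.168.10.0 255.255.255.0
object network VPN-POOL
 description Addresses handed out to IPsec/AnyConnect clients
 subnet 10.200.200.0 255.255.255.0
!
! Identity (NAT0) rule: keep the real addresses in both directions between LAN and the pool.
! The line number 1 places it before any dynamic PAT rule that would otherwise translate
! LAN -> WAN traffic and send the replies out un-encrypted.
! no-proxy-arp stops the ASA answering ARP for the pool on the LAN side;
! route-lookup makes the ASA pick the egress interface from the routing table, not from this rule.
nat (LAN,WAN) 1 source static LAN-NETWORKS-VPN LAN-NETWORKS-VPN destination static VPN-POOL VPN-POOL no-proxy-arp route-lookup
!
! Verification: simulate an ICMP echo-reply (type 0, code 0) from a LAN host to a connected client.
! Expected in the NAT phase: the identity rule above, then "Action: allow" and output-interface WAN.
! If a different nat line shows up in the NAT phase, that rule is catching the return traffic,
! which matches the symptom of bytes sent but never received by the client.
packet-tracer input LAN icmp 192.168.10.20 0 0 10.200.200.5 detailed
!
! Confirm the rule is actually being hit while a client is connected (translate/untranslate hits):
show nat detail | include VPN-POOL
```

The same check works for the AnyConnect pool mentioned in the question: if the AnyConnect clients use a different pool, add that pool to the destination object (or a second identity rule) so both pools are exempted, otherwise only one of the two client types will get its return traffic.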