Urgent !!!!!! Remote Access VPN users connect but cannot access remote LAN (ping, shared folder ...)

Hi,

I'm setting up a remote access VPN on a Cisco ASA 5510, version 8.4(4)1.

When I attempt to connect through the Cisco VPN client software, I'm able to connect; however, I'm unable to access any of the LAN resources.

On the other hand I can ping servers in the other site which is connected via site-to-site VPN to the main site !!

VPN client --> main site ( ping times out ) --> Site connected with the main site with S2S VPN ( ping successful)

Please Help me I need to find a solution ASAP !

Thank you in advance.

Accepted Solution

Hello,

Please remove the NAT exempt and re-issue the command but adding #1 to it, so it will place the NAT as very first line:

no nat (SERVERS,outside) source static SERVERS_LAN SERVERS_LAN destination static NETWORK_OBJ_10.10.40.8_29 NETWORK_OBJ_10.10.40.8_29 no-proxy-arp route-lookup

nat (SERVERS,outside) 1 source static SERVERS_LAN SERVERS_LAN destination static NETWORK_OBJ_10.10.40.8_29 NETWORK_OBJ_10.10.40.8_29 no-proxy-arp route-lookup

After re-configuring this way, make sure this command is also enabled:

sysopt connection permit-vpn

This sysopt will allow the traffic regardless of any ACL dropping it, just in case. Please proceed to run a packet tracer and post it here:

packet-tracer input SERVERS icmp XXXXXX 8 0 YYYYY detailed

XXXX --> Server IP

YYYY --> VPN user IP

Make sure to do both steps, and take a capture just in case. Please rate and mark the helpful post as correct!

Thanks,

David Castro,


10 Replies

There are two config areas that are typically involved with this problem:

  1. NAT exemption: Make sure the traffic from the internal LAN to the VPN-pool is not translated (that is a rule in NAT-section 1).
  2. Split tunneling. Make sure your internal network is part of it.

And BTW: This is community support. For "ASAP" you should open a TAC case.

Hi Karsten,

I checked the NAT config; there is no rule which translates traffic from the internal network (all VLANs) to the VPN pool.

Also, for the split tunnelling I need to access the Servers VLAN, so I configured an ACL only for this VLAN, and the problem persists.

If you don't mind, can you send me a step-by-step config for remote VPN?

Thanks a lot !

regards,

Khaled 

Can you post your configuration here ?

Hi Avinash, 

Please find below my config.

- VPN pool different from local Subnet.

- Split tunnelling configured.

- Access list and NAT.

I didn't find the problem with my config; thank you in advance for your help, I really need it :)


ASA Version 8.4(4)1
!
hostname ciscoasa

names
!
interface Ethernet0/0
no nameif
no security-level
no ip address
!
interface Ethernet0/0.50
vlan 50
nameif SERVERS
security-level 100
ip address 192.168.5.1 255.255.255.0
!
interface Ethernet0/0.60
vlan 60
nameif BIOSTAT
security-level 80
ip address 192.168.6.1 255.255.255.0
!
interface Ethernet0/0.70
vlan 70
nameif ITDEVELOPPER
security-level 60
ip address 192.168.7.1 255.255.255.0
!
interface Ethernet0/0.80
vlan 80
nameif ADMINISTRATION
security-level 90
ip address 192.168.8.1 255.255.255.0
!
interface Ethernet0/1
nameif outside
security-level 0
ip address 192.168.0.2 255.255.255.0
!
interface Ethernet0/2
nameif backup
security-level 0
ip address 192.168.9.2 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
no ip address
management-only
!
no ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
object network LAN
subnet 192.168.8.0 255.255.255.0
object network generic_all_network
subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_10.10.40.8_29
subnet 10.10.40.8 255.255.255.248
object network NETWORK_OBJ_192.168.5.0_24
subnet 192.168.5.0 255.255.255.0
object network REMOTE_ADMINISTRATION
subnet 192.168.4.0 255.255.255.0
object network REMOTE_BIOSTAT
subnet 192.168.2.0 255.255.255.0
object network REMOTE_ITDEVELOPPER
subnet 192.168.3.0 255.255.255.0
object network REMOTE_SERVERS
subnet 192.168.1.0 255.255.255.0
object network NETWORK_OBJ_192.168.20.0_27
subnet 192.168.20.0 255.255.255.224
object network NETWORK_OBJ_192.168.100.0_27
subnet 192.168.100.0 255.255.255.224
object network NETWORK_OBJ_10.10.50.0_28
subnet 10.10.50.0 255.255.255.240
object network NETWORK_OBJ_10.10.50.0_24
range 10.10.50.1 10.10.50.10
object-group network LOCAL_NETWORKS
network-object 192.168.5.0 255.255.255.0
network-object 192.168.6.0 255.255.255.0
network-object 192.168.7.0 255.255.255.0
network-object 192.168.8.0 255.255.255.0
object-group network SERVERS_LAN
network-object 192.168.5.0 255.255.255.0
object-group network ADMINISTRATION
object-group network ADMINISTRATION_LAN
network-object 192.168.8.0 255.255.255.0
object-group network BIOSTAT_LAN
network-object 192.168.6.0 255.255.255.0
object-group network ITDEVELOPPER_LAN
network-object 192.168.7.0 255.255.255.0
object-group network REMOTE_NETWORKS
network-object object REMOTE_ADMINISTRATION
network-object object REMOTE_BIOSTAT
network-object object REMOTE_ITDEVELOPPER
network-object object REMOTE_SERVERS
access-list FROM-ADMIN extended permit ip any any
access-list FROM-ITDEVELOPPER extended permit ip any any
access-list FROM-BIOSTAT extended permit ip any any
access-list ADMINISTRATION_nat0_outbound_1 extended permit ip object-group ADMINISTRATION_LAN object-group LOCAL_NETWORKS
access-list ADMINISTRATION_nat0_outbound_1 extended permit ip object-group ADMINISTRATION_LAN 10.10.30.8 255.255.255.248
access-list ADMINISTRATION_nat0_outbound_1 extended permit ip object-group ADMINISTRATION_LAN object NETWORK_OBJ_10.10.40.8_29
access-list ADMINISTRATION_nat0_outbound extended permit ip object-group ADMINISTRATION_LAN object-group LOCAL_NETWORKS
access-list SERVERS_nat0_outbound extended permit ip object-group SERVERS_LAN object-group LOCAL_NETWORKS
access-list SERVERS_nat0_outbound extended permit ip any 10.10.40.8 255.255.255.248
access-list SERVERS_nat0_outbound extended permit ip object-group SERVERS_LAN 10.10.40.8 255.255.255.248
access-list SERVERS_nat0_outbound extended permit ip object-group LOCAL_NETWORKS 10.10.40.8 255.255.255.248
access-list SERVERS_nat0_outbound extended permit ip 10.10.40.8 255.255.255.248 192.168.5.0 255.255.255.0
access-list SERVERS_nat0_outbound extended permit ip object NETWORK_OBJ_10.10.40.8_29 object NETWORK_OBJ_192.168.5.0_24
access-list SERVERS_nat0_outbound extended permit ip 192.168.5.0 255.255.255.0 object-group REMOTE_NETWORKS
access-list SERVERS_nat0_outbound extended permit ip 192.168.5.0 255.255.255.0 10.10.40.8 255.255.255.248
access-list ITDEVELOPPER_nat0_outbound extended permit ip object-group ITDEVELOPPER_LAN object-group LOCAL_NETWORKS
access-list BIOSTAT_nat0_outbound extended permit ip object-group BIOSTAT_LAN object-group LOCAL_NETWORKS
access-list BIOSTAT_nat0_outbound_1 extended permit ip object-group BIOSTAT_LAN object-group LOCAL_NETWORKS
access-list Administration_splitTunnelAcl standard permit 192.168.8.0 255.255.255.0
access-list test_splitTunnelAcl standard permit 192.168.5.0 255.255.255.0
access-list Dmx_splitTunnelAcl standard permit 192.168.5.0 255.255.255.0
access-list Dmx_splitTunnelAcl standard permit 192.168.6.0 255.255.255.0
access-list Dmx_splitTunnelAcl standard permit 192.168.7.0 255.255.255.0
access-list Dmx_splitTunnelAcl standard permit 192.168.8.0 255.255.255.0
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit ip 10.10.40.8 255.255.255.248 192.168.5.0 255.255.255.0
access-list AnyConnect_Client_Local_Print extended deny ip any any
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 9100
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any any eq netbios-ns
access-list vpn_allowed_access extended permit ip object-group LOCAL_NETWORKS object-group REMOTE_NETWORKS
access-list backup_access_in extended permit ip any any
access-list backup_cryptomap_1 extended permit ip object-group LOCAL_NETWORKS object-group REMOTE_NETWORKS
access-list inside_nat0_outbound3 extended permit ip 192.168.5.0 255.255.255.0 10.10.40.8 255.255.255.248
access-list Servers_split_tunnel standard permit 192.168.5.0 255.255.255.0
access-list test_splitTunnelAcl_1 standard permit 192.168.5.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu SERVERS 1500
mtu BIOSTAT 1500
mtu ITDEVELOPPER 1500
mtu ADMINISTRATION 1500
mtu outside 1500
mtu backup 1500
mtu management 1500
ip local pool admin_vpn_pool 10.10.30.10-10.10.30.15 mask 255.255.255.0
ip local pool Servers_vpn_pool 10.10.40.10-10.10.40.15 mask 255.255.0.0
ip local pool new_vpn_pool 192.168.20.5-192.168.20.20 mask 255.255.255.0
ip local pool test_pool 192.168.100.0-192.168.100.30 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (BIOSTAT,any) source static BIOSTAT_LAN BIOSTAT_LAN destination static REMOTE_NETWORKS REMOTE_NETWORKS
nat (ADMINISTRATION,any) source static ADMINISTRATION_LAN ADMINISTRATION_LAN destination static REMOTE_NETWORKS REMOTE_NETWORKS
nat (ITDEVELOPPER,any) source static ITDEVELOPPER_LAN ITDEVELOPPER_LAN destination static REMOTE_NETWORKS REMOTE_NETWORKS
nat (SERVERS,any) source static SERVERS_LAN SERVERS_LAN destination static REMOTE_NETWORKS REMOTE_NETWORKS
nat (SERVERS,outside) source dynamic generic_all_network interface
nat (ADMINISTRATION,outside) source dynamic generic_all_network interface
nat (BIOSTAT,outside) source dynamic generic_all_network interface
nat (ITDEVELOPPER,outside) source dynamic generic_all_network interface
nat (SERVERS,backup) source dynamic generic_all_network interface
nat (ADMINISTRATION,backup) source dynamic generic_all_network interface
nat (BIOSTAT,backup) source dynamic generic_all_network interface
nat (ITDEVELOPPER,backup) source dynamic generic_all_network interface
!
nat (SERVERS,any) after-auto source static SERVERS_LAN SERVERS_LAN destination static NETWORK_OBJ_10.10.40.8_29 NETWORK_OBJ_10.10.40.8_29
nat (SERVERS,outside) after-auto source static SERVERS_LAN SERVERS_LAN destination static NETWORK_OBJ_10.10.40.8_29 NETWORK_OBJ_10.10.40.8_29 no-proxy-arp route-lookup
access-group FROM-BIOSTAT in interface BIOSTAT
access-group FROM-ITDEVELOPPER in interface ITDEVELOPPER
access-group FROM-ADMIN in interface ADMINISTRATION
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.0.1 128 track 1
route backup 0.0.0.0 0.0.0.0 192.168.9.1 250
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.8.15 255.255.255.255 ADMINISTRATION
http 172.16.2.3 255.255.255.255 outside
http 192.168.0.3 255.255.255.255 outside
http 192.168.5.100 255.255.255.255 SERVERS
http 192.168.5.110 255.255.255.255 SERVERS
http 192.168.5.150 255.255.255.255 SERVERS
http 192.168.7.40 255.255.255.255 ITDEVELOPPER
http 192.168.1.150 255.255.255.255 SERVERS
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
sla monitor 123
type echo protocol ipIcmpEcho 8.8.8.8 interface outside
num-packets 3
frequency 10
sla monitor schedule 123 life forever start-time now
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set novendi_set esp-des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 10 match address vpn_allowed_access
crypto map outside_map 10 set peer x.x.x.x  x.x.x.x 
crypto map outside_map 10 set ikev1 transform-set novendi_set
crypto map outside_map 10 set security-association lifetime seconds 3600
crypto map outside_map 10 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map novendi_map 1 match address vpn_allowed_access
crypto map novendi_map 1 set peer X.X.X.X 
crypto map novendi_map 1 set ikev1 transform-set novendi_set
crypto map novendi_map 1 set security-association lifetime seconds 3600
crypto map backup_map 1 match address backup_cryptomap_1
crypto map backup_map 1 set peer X.X.X.X  X.X.X.X 
crypto map backup_map 1 set ikev1 transform-set novendi_set
crypto map backup_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map backup_map interface backup
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto ca certificate chain _SmartCallHome_ServerCA

crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable backup
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
!
track 1 rtr 123 reachability
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
group-policy novendi_teleworker internal
group-policy novendi_teleworker attributes
vpn-tunnel-protocol ikev1 ikev2 ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Dmx_splitTunnelAcl
group-policy dmx_group internal
group-policy dmx_group attributes
vpn-tunnel-protocol ikev1
group-policy New_test internal
group-policy New_test attributes
vpn-tunnel-protocol ikev1 ikev2 ssl-client
username khaled password PZ.3ieGb1U70PMqY encrypted privilege 0
username khaled attributes
vpn-group-policy novendi_teleworker
username houda password kge13i3g0MHFXWG1 encrypted privilege 0
username houda attributes
tunnel-group novendi_teleworker type remote-access
tunnel-group novendi_teleworker general-attributes
address-pool Servers_vpn_pool
default-group-policy novendi_teleworker
tunnel-group novendi_teleworker ipsec-attributes
ikev1 pre-shared-key ex0129y3
tunnel-group X.X.X.X type ipsec-l2l
tunnel-group X.X.X.X general-attributes
default-group-policy dmx_group
tunnel-group X.X.X.X ipsec-attributes
ikev1 pre-shared-key ex0129y3
tunnel-group X.X.X.X type ipsec-l2l
tunnel-group X.X.X.X general-attributes
default-group-policy dmx_group
tunnel-group X.X.X.X ipsec-attributes
ikev1 pre-shared-key ex0129y3
tunnel-group New_test type remote-access
tunnel-group New_test general-attributes
address-pool test_pool
default-group-policy New_test
tunnel-group New_test ipsec-attributes
ikev1 pre-shared-key khaled
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
Cryptochecksum:223272d13dad57899ae6535b776e5f1d
: end

You have a NAT-rule that translates all traffic going out:

nat (SERVERS,outside) source dynamic generic_all_network interface

But there is no exemption for the VPN-pool. You need something like this:

nat (SERVERS,outside) source static SERVERS_LAN SERVERS_LAN destination static OBJECT-FOR-VPN-POOL OBJECT-FOR-VPN-POOL no-proxy-arp route-lookup

And you should really update the ASA, you are still vulnerable to the IKE Buffer overflow:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160210-asa-ike

Hi Karsten,

I did the changes that you mentioned, but I still can't access the servers under the Servers VLAN.

I'm really confused where the problem is !!! 

How does the NAT-config look now?

nat (BIOSTAT,any) source static BIOSTAT_LAN BIOSTAT_LAN destination static REMOTE_NETWORKS REMOTE_NETWORKS
nat (ADMINISTRATION,any) source static ADMINISTRATION_LAN ADMINISTRATION_LAN destination static REMOTE_NETWORKS REMOTE_NETWORKS
nat (ITDEVELOPPER,any) source static ITDEVELOPPER_LAN ITDEVELOPPER_LAN destination static REMOTE_NETWORKS REMOTE_NETWORKS
nat (SERVERS,any) source static SERVERS_LAN SERVERS_LAN destination static REMOTE_NETWORKS REMOTE_NETWORKS
nat (ADMINISTRATION,outside) source dynamic generic_all_network interface
nat (BIOSTAT,outside) source dynamic generic_all_network interface
nat (ITDEVELOPPER,outside) source dynamic generic_all_network interface
nat (SERVERS,backup) source dynamic generic_all_network interface
nat (ADMINISTRATION,backup) source dynamic generic_all_network interface
nat (BIOSTAT,backup) source dynamic generic_all_network interface
nat (ITDEVELOPPER,backup) source dynamic generic_all_network interface
nat (SERVERS,outside) source static SERVERS_LAN SERVERS_LAN destination static NETWORK_OBJ_10.10.40.8_29 NETWORK_OBJ_10.10.40.8_29 no-proxy-arp route-lookup




I see that you have an exemption for the VPN pool; can you confirm the order of that NAT (manual NAT?)

You can verify which NAT is being used for the SERVERS interface with the command: show nat interface SERVERS

Make sure that the exemption for the VPN pool is preferred before

nat (SERVERS,outside) source dynamic generic_all_network interface
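The rule ordering that the accepted answer and the reply above are both pointing at, as an added example that is not part of this thread and not Cisco code: a small Python model of the ASA 8.3+ NAT lookup (section 1 manual NAT in configured order, then section 2 object NAT, then section 3 after-auto manual NAT; first match wins), loaded with the SERVERS-interface rules from the posted config. The subnets, object names and interface names are the ones in the config; the rule labels, the `posted_table`/`fixed_table`/`trace` helpers and the sample hosts 192.168.5.100, 10.10.40.10, 192.168.1.50 and 8.8.8.8 are assumptions made for the example.

```python
# Added example (not from the thread or from Cisco): model of the ASA NAT
# lookup, populated with the SERVERS rules from the posted config, to show
# why the VPN-pool exemption entered with "after-auto" never matched and why
# re-entering it as rule 1 fixes it.  Rule labels and sample hosts are
# assumptions chosen for this example.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

ANY = ip_network("0.0.0.0/0")                                # object generic_all_network
SERVERS_LAN = [ip_network("192.168.5.0/24")]                 # object-group SERVERS_LAN
VPN_POOL = [ip_network("10.10.40.8/29")]                     # NETWORK_OBJ_10.10.40.8_29
REMOTE_NETWORKS = [ip_network(n) for n in                    # object-group REMOTE_NETWORKS
                   ("192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24", "192.168.4.0/24")]


@dataclass
class NatRule:
    label: str
    ingress: str      # nameif the packet arrives on
    egress: str       # nameif it leaves on; "any" matches every interface
    src: list         # list of IPv4Network objects
    dst: list
    action: str       # "identity" (no translation) or "pat-interface"


@dataclass
class NatTable:
    """ASA NAT table as three ordered sections, searched 1 -> 2 -> 3, first
    match wins.  1: manual NAT in configured order.  2: object (auto) NAT.
    3: manual NAT entered with the after-auto keyword."""
    sections: dict = field(default_factory=lambda: {1: [], 2: [], 3: []})

    def add(self, rule, section, position=None):
        rules = self.sections[section]
        if position is None:
            rules.append(rule)                  # "nat (a,b) source ..."
        else:
            rules.insert(position - 1, rule)    # "nat (a,b) 1 source ..."

    def remove(self, label):
        for rules in self.sections.values():
            rules[:] = [r for r in rules if r.label != label]

    def ordered(self):
        return self.sections[1] + self.sections[2] + self.sections[3]

    def lookup(self, ingress, egress, src_ip, dst_ip):
        src, dst = ip_address(src_ip), ip_address(dst_ip)
        for rule in self.ordered():
            if rule.ingress != ingress or rule.egress not in ("any", egress):
                continue
            if any(src in n for n in rule.src) and any(dst in n for n in rule.dst):
                return rule
        return None


def posted_table():
    """SERVERS-interface rules in the order the posted config lists them."""
    t = NatTable()
    t.add(NatRule("exempt S2S", "SERVERS", "any", SERVERS_LAN, REMOTE_NETWORKS, "identity"), 1)
    t.add(NatRule("PAT outside", "SERVERS", "outside", [ANY], [ANY], "pat-interface"), 1)
    t.add(NatRule("PAT backup", "SERVERS", "backup", [ANY], [ANY], "pat-interface"), 1)
    # entered with after-auto, so it lands in section 3, behind the dynamic PAT
    t.add(NatRule("exempt VPN pool", "SERVERS", "outside", SERVERS_LAN, VPN_POOL, "identity"), 3)
    return t


def fixed_table():
    """The accepted answer: remove the exemption and re-add it as line 1."""
    t = posted_table()
    t.remove("exempt VPN pool")
    t.add(NatRule("exempt VPN pool", "SERVERS", "outside", SERVERS_LAN, VPN_POOL, "identity"),
          1, position=1)
    return t


def trace(table, src_ip, dst_ip, egress="outside"):
    """Rule hit by a packet from SERVERS towards `egress` (the direction the
    ASA also checks in reverse when the VPN client's packet comes in)."""
    rule = table.lookup("SERVERS", egress, src_ip, dst_ip)
    return (rule.label, rule.action) if rule else (None, None)


if __name__ == "__main__":
    for name, table in (("posted", posted_table()), ("fixed", fixed_table())):
        print(name, "192.168.5.100 -> VPN client 10.10.40.10:", trace(table, "192.168.5.100", "10.10.40.10"))
        print(name, "192.168.5.100 -> S2S host 192.168.1.50:", trace(table, "192.168.5.100", "192.168.1.50"))
```

With the posted ordering, server-to-VPN-client traffic is caught by the dynamic PAT, because section 1 is searched before section 3 and `generic_all_network` matches everything; the site-to-site exemption works only because it happens to sit above the PAT in section 1, which is why the client could reach the remote site but not the local servers. In the fixed table the same lookup hits the identity rule. On the ASA itself, `show nat interface SERVERS` shows the order and hit counts, and the packet-tracer requested in the accepted answer shows, for the broken ordering, a NAT reverse-path (nat-rpf-failed, asymmetric NAT rules) drop rather than an ACL drop. Two caveats from the posted config: `sysopt connection permit-vpn` is the ASA default and exempts decrypted VPN traffic from interface ACLs, so any per-group restriction has to be expressed as a vpn-filter; and the pasted configs contain IKEv1 pre-shared keys and password hashes, which should be rotated once they have been posted publicly.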