01-08-2014 03:12 PM - edited 03-11-2019 08:26 PM
Hello,
This picture will explain what I want.
VPN Client is: 3.1.000395 Anyconnect ASA image 8.4(2)
So VPN users should be able to reach the public "internet" addresses.
For testing purposes, 1.1.1.1/32 behind R9 represents the "internet".
Criteria:
- VPN users should be able to access all VLANs inside the ASA. This one is already implemented.
- VPN users should be able to access the internet, for instance 1.1.1.1/32 (loopback on R9). I am stuck here.
If I make a "U-turn NAT" like this: nat (OUT,OUT) dynamic VLM (20.0.0.6), the nat debug 255 output is the following:
nat: translation - OUT:10.0.0.150/512 to OUT:20.0.0.6/467
nat: translation - OUT:10.0.0.150/512 to OUT:20.0.0.6/467
nat: translation - OUT:10.0.0.150/512 to OUT:20.0.0.6/467
nat: translation - OUT:10.0.0.150/512 to OUT:20.0.0.6/467
I think it does translate the packet but doesn't forward it. A Wireshark capture on R1's interface towards the ASA doesn't show packets coming back with source IP 20.0.0.6.
I changed the nat rule to:
nat (OUT,OUT) source static 150 VLM destination static 1 1
The output of debug nat 255 is:
nat: translation - OUT:10.0.0.150/512 to OUT:20.0.0.6/512
nat: translation - OUT:10.0.0.150/512 to OUT:20.0.0.6/512
nat: translation - OUT:10.0.0.150/512 to OUT:20.0.0.6/512
The hardest thing on ASA is the NAT :S
Thanks for reading and helping. Cheers
Full configs:
R1
interface FastEthernet0/0
ip address 20.0.0.1 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet1/0
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet2/0
ip address 40.0.0.1 255.255.255.252
duplex auto
speed auto
!
ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 40.0.0.2
!
!
ip nat inside source list 1 interface FastEthernet0/0 overload
!
access-list 1 permit 192.168.0.0 0.0.0.255
R9
interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
interface FastEthernet0/0
ip address 40.0.0.2 255.255.255.252
duplex auto
speed auto
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 40.0.0.1
ASA
interface GigabitEthernet0
nameif MAN
security-level 100
ip address 10.0.0.1 255.255.255.0
!
interface GigabitEthernet1
no nameif
no security-level
no ip address
!
interface GigabitEthernet1.10
vlan 10
nameif V10
security-level 95
ip address 10.10.0.1 255.255.0.0
!
interface GigabitEthernet1.20
vlan 20
nameif V20
security-level 90
ip address 10.20.0.1 255.255.0.0
!
interface GigabitEthernet1.30
vlan 30
nameif V30
security-level 90
ip address 10.30.0.1 255.255.0.0
!
interface GigabitEthernet2
nameif OUT
security-level 0
ip address 20.0.0.2 255.255.255.0
!
interface GigabitEthernet3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet5
shutdown
no nameif
no security-level
no ip address
!
boot config disk0:/startconf
ftp mode passive
object network XP3
host 10.20.0.2
object network lo
host 30.0.0.1
object network xp2
host 10.10.0.2
object network ALLOWED_VLAN20_HOST1
host 10.20.0.100
object network ALLOWED_VLAN20_HOST2
host 10.20.0.200
object network ALLOWEDPUBH1
subnet 20.0.0.0 255.255.255.0
object network ALLOWEDPUBH2
subnet 30.0.0.0 255.255.255.0
object network NAT10
subnet 10.10.0.0 255.255.0.0
object network VL10
host 20.0.0.3
object network NAT20
subnet 10.20.0.0 255.255.0.0
object network VL20
host 20.0.0.4
object network NAT30
subnet 10.30.0.0 255.255.0.0
object network VL30
host 20.0.0.5
object network GW
host 20.0.0.1
object network 150-200
object network VPN
subnet 10.0.0.0 255.255.255.0
object network MAN_NAT
subnet 10.0.0.0 255.255.255.0
object network VLM
host 20.0.0.6
object network VPN_RANGE
object network VPN-R
object network VLANM
subnet 10.0.0.0 255.255.255.0
object network VPN_NAT_PUB
subnet 10.0.0.0 255.255.255.0
object network 1
host 1.1.1.1
object network 150
host 10.0.0.150
object-group network DM_INLINE_NETWORK_1
network-object object ALLOWEDPUBH1
network-object object ALLOWEDPUBH2
object-group network DM_INLINE_NETWORK_2
network-object 10.30.0.0 255.255.0.0
network-object object ALLOWEDPUBH1
network-object object ALLOWEDPUBH2
access-list V10_access_in extended permit ip 10.10.0.0 255.255.0.0 object ALLOWED_VLAN20_HOST1 log inactive
access-list V10_access_in extended permit ip 10.10.0.0 255.255.0.0 object-group DM_INLINE_NETWORK_2 inactive
access-list V20_access_in extended permit ip object ALLOWED_VLAN20_HOST2 10.10.0.0 255.255.0.0 inactive
access-list V20_access_in extended permit ip 10.20.0.0 255.255.0.0 object-group DM_INLINE_NETWORK_1 inactive
pager lines 24
logging asdm informational
mtu MAN 1500
mtu V10 1500
mtu V20 1500
mtu V30 1500
mtu OUT 1500
ip local pool VPN 10.0.0.150-10.0.0.200 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-641.bin
no asdm history enable
arp timeout 14400
nat (OUT,OUT) source static 150 VLM destination static 1 1
nat (V10,OUT) source static NAT10 NAT10 destination static VPN VPN
nat (V20,OUT) source static NAT20 NAT20 destination static VPN VPN
nat (V30,OUT) source static NAT30 NAT30 destination static VPN VPN
!
object network NAT10
nat (V10,OUT) dynamic VL10
object network NAT20
nat (V20,OUT) dynamic VL20
object network NAT30
nat (V30,OUT) dynamic VL30
object network VLANM
nat (MAN,OUT) dynamic VLM
access-group V10_access_in in interface V10
access-group V20_access_in in interface V20
route OUT 0.0.0.0 0.0.0.0 20.0.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 0.0.0.0 0.0.0.0 MAN
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
console timeout 0
management-access MAN
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable OUT
anyconnect image disk0:/anyconnect-win-3.1.00495-k9.pkg 1
anyconnect enable
tunnel-group-list enable
group-policy GroupPolicy_VPN internal
group-policy GroupPolicy_VPN attributes
wins-server none
dns-server value 8.8.8.8
vpn-tunnel-protocol ssl-client
default-domain none
username kem1 password 2d5trVo/lPOAWz5V encrypted
username kem2 password thI857WcpQPt9C.t encrypted
tunnel-group VPN type remote-access
tunnel-group VPN general-attributes
address-pool VPN
default-group-policy GroupPolicy_VPN
tunnel-group VPN webvpn-attributes
group-alias VPN enable
!
class-map global-class
match default-inspection-traffic
!
!
policy-map global-policy
class global-class
inspect dns
inspect ftp
inspect http
inspect icmp
inspect icmp error
!
service-policy global-policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:6d2d1fb4e6c02ce6e186541e0b50a4f0
: end
01-08-2014 03:25 PM
Hi,
I can't see this command in your ASA configuration
same-security-traffic permit intra-interface
This command is required to enable traffic to enter one interface and leave through that same interface. In your case the interface "OUT"
So add that
For the Dynamic PAT for the VPN users you can configure
object network VPN-PAT
subnet 10.0.0.0 255.255.255.0
nat (OUT,OUT) dynamic interface
This should be enough to enable the VPN users to use the "OUT" interface to reach the external networks.
Hope this helps
- Jouni
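As an added example (not code from the thread or from Cisco), here is a small Python audit that reads an ASA running-config the way it gets pasted into a forum post (indentation lost) and reports whether the two things the answer names are in place: the intra-interface permit, and an (OUT,OUT) NAT rule whose real source covers the entire VPN pool rather than one host. The config text inside it is a constructed, trimmed copy of the one posted above; the function names are illustrative, and the VPN-PAT object name is the one used in the answer.

```python
"""Audit an ASA 8.3+ config for the two things an AnyConnect U-turn (hairpin) needs:
1. 'same-security-traffic permit intra-interface', so a flow may enter and leave OUT;
2. a NAT rule with interfaces (OUT,OUT) whose real source covers the whole VPN pool.
The parser ignores indentation, because copy-pasted configs such as the thread's lose it.
"""
import ipaddress
import re

INTRA_IF = "same-security-traffic permit intra-interface"
OBJ_RE = re.compile(r"^object network (\S+)$")
HOST_RE = re.compile(r"^host (\S+)$")
SUBNET_RE = re.compile(r"^subnet (\S+) (\S+)$")
TWICE_NAT_RE = re.compile(r"^nat \((\S+),(\S+)\) source (static|dynamic) (\S+) (\S+)")
OBJECT_NAT_RE = re.compile(r"^nat \((\S+),(\S+)\) (static|dynamic) (\S+)")
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+) mask \S+")


def parse_asa(config_text):
    """Return (objects, nat_rules, pools, intra_if) from a running-config.

    Object NAT ('nat (V10,OUT) dynamic VL10') sits inside an 'object network' block;
    twice NAT ('nat (OUT,OUT) source static ...') is a top-level line.
    """
    objects, nat_rules, pools, intra_if, current_obj = {}, [], {}, False, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "!:":
            continue
        if m := OBJ_RE.match(line):
            current_obj = m.group(1)
            continue
        if current_obj and (m := HOST_RE.match(line)):
            objects[current_obj] = ipaddress.ip_network(m.group(1))
            continue
        if current_obj and (m := SUBNET_RE.match(line)):
            objects[current_obj] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            continue
        if current_obj and (m := OBJECT_NAT_RE.match(line)):
            nat_rules.append({"ifaces": (m.group(1), m.group(2)), "real": current_obj, "line": line})
            continue
        current_obj = None  # any other top-level command ends the object block
        if m := TWICE_NAT_RE.match(line):
            nat_rules.append({"ifaces": (m.group(1), m.group(2)), "real": m.group(4), "line": line})
        elif m := POOL_RE.match(line):
            pools[m.group(1)] = (ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3)))
        elif line == INTRA_IF:
            intra_if = True
    return objects, nat_rules, pools, intra_if


def hairpin_findings(config_text, outside_if, pool_name):
    """Problems that would stop pool users from reaching the internet back out of outside_if."""
    objects, nat_rules, pools, intra_if = parse_asa(config_text)
    findings = []
    if not intra_if:
        findings.append(f"missing '{INTRA_IF}': traffic cannot enter and leave {outside_if}")
    if pool_name not in pools:
        return findings + [f"no 'ip local pool {pool_name}' in config"]
    lo, hi = pools[pool_name]
    u_turn = [r for r in nat_rules if r["ifaces"] == (outside_if, outside_if)]
    nets = {r["real"]: objects.get(r["real"]) for r in u_turn}
    # a pool is a contiguous range, so one network covers it iff it holds both ends
    if not any(n is not None and lo in n and hi in n for n in nets.values()):
        seen = ", ".join(f"{k}={v}" for k, v in nets.items()) or "none"
        findings.append(f"no ({outside_if},{outside_if}) NAT rule covers pool {lo}-{hi}; found: {seen}")
    return findings


# Constructed sample: the relevant lines of the thread's config, as posted (before the fix).
AS_POSTED = """\
object network VLM
host 20.0.0.6
object network 1
host 1.1.1.1
object network 150
host 10.0.0.150
object network VLANM
subnet 10.0.0.0 255.255.255.0
ip local pool VPN 10.0.0.150-10.0.0.200 mask 255.255.255.0
nat (OUT,OUT) source static 150 VLM destination static 1 1
object network VLANM
nat (MAN,OUT) dynamic VLM
route OUT 0.0.0.0 0.0.0.0 20.0.0.1 1
"""

# The same config with the answer's two additions appended (object name VPN-PAT is from the answer).
WITH_FIX = AS_POSTED + INTRA_IF + """
object network VPN-PAT
subnet 10.0.0.0 255.255.255.0
object network VPN-PAT
nat (OUT,OUT) dynamic interface
"""

if __name__ == "__main__":
    for label, cfg in (("as posted", AS_POSTED), ("with fix", WITH_FIX)):
        problems = hairpin_findings(cfg, "OUT", "VPN")
        print(f"{label}: {'OK' if not problems else ''}")
        for p in problems:
            print("  -", p)
```

Run against the posted config it reports both gaps; the second one is because the only (OUT,OUT) rule has the host object 150 as its real source, so 10.0.0.150 is the single pool address that would ever be translated back out. With the answer's two lines appended it reports nothing.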
01-08-2014 03:32 PM
Omg, it was pretty obvious but I couldn't get it.
Thanks you made my day!