New Member

remote access VPN to server from outside and server reach internet on the same time

Dear,

I have a problem with my ASA 5515-X: when I make a Remote Access VPN to the servers in the inside zone, the Internet connection on the servers is disconnected, or when I have Internet on the servers, the remote access can't reach the servers.

The configuration for the servers is a static NAT for each server, and the VPN connection is to another public IP in the same subnet as the NAT IPs.

server1: 10.10.10.2 NAT to 5.6.7.8

server2: 10.10.10.3 NAT to 5.6.7.9

server3: 10.10.10.4 NAT to 5.6.7.10

VPN connection to 5.6.7.12

Is there any solution for this scenario: remote VPN to the servers and, at the same time, the servers have Internet reachability for downloading updates, etc.?


9 REPLIES
VIP Green

Are the VPNs terminating at the servers, or do you have an RA VPN to the ASA (using the Cisco VPN Client, AnyConnect, etc.)?

-- Please remember to select a correct answer and rate helpful posts
New Member

The VPN is still connecting with the Cisco VPN Client to the ASA.

When I remove the NAT rules for those servers, the VPN connection can reach every server through the private IPs,

but when I add the NAT rules for the servers to get Internet, the VPN is still connected but the servers can't reach the Internet.

Super Bronze

Hi,

So it seems that the problem is a missing NAT0 configuration.

You could modify the configuration below to match your networks/IP addresses. In the configuration below I presume that you have interfaces "inside" and "outside".

 

object network SERVER-NETWORK
 subnet <server network address> <network mask>

 

object network VPN-POOL
 subnet <vpn pool network address> <network mask>

 

nat (inside,outside) 1 source static SERVER-NETWORK SERVER-NETWORK destination static VPN-POOL VPN-POOL

 

Just insert the correct address information and change the object and interface names if required.

This configuration tells the ASA that no NAT will be performed for traffic between VPN-POOL and SERVER-NETWORK. The NAT configuration is bidirectional. With this configuration the static NAT configurations will continue to work for the servers' Internet traffic, and this NAT0 configuration will apply only to the VPN Client traffic.

 

Hope this helps :)

 

- Jouni

VIP Green

I agree that this sounds like there is no twice NAT exempting the VPN traffic from being NATed to the public IP.

-- Please remember to rate and select a correct answer
New Member

Okay,

can the servers reach the Internet in this case?

Super Bronze

Hi,

The above example configuration (into which you would need to insert the information that applies to your situation/configuration) ONLY affects the traffic between the server network and the VPN Client users.

The static NAT configurations for the servers will work normally on your ASA even with the above NAT0 configuration.

 

- Jouni

New Member

Dear,

I want those servers to reach the Internet and at the same time I want to access them by VPN.

Kindly find the attached picture.

 

Super Bronze

Hi,

I need some clarifications on the situation.

Are you talking about a VPN Client connection that the client forms to the ASA? Is the VPN configured on the ASA?

If the VPN connection is configured on the ASA, then it would seem strange to me that the VPN Client connection itself could in any way affect the Internet connectivity of the LAN servers when the VPN connection is active. Or could it be that you have configured a Split Tunnel ACL wrongly, which causes problems for the ASA when it tries to forward traffic?

 

Usually the common cause for the connectivity problem from VPN Client to the internal server is related to NAT configurations. If a NAT0 configuration is not present then the user is unable to connect to the local IP addresses of the internal servers.

 

I guess the simplest way to get some picture of the problem would be to see the ASA configurations unless we are talking about a very large configuration.

 

- Jouni
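As an added, concrete example (not from the original thread, and not the poster's actual configuration), here is how the NAT0 exemption Jouni describes in his first answer fits next to the per-server static NATs listed in the question, together with a split-tunnel ACL of the kind discussed in the last two posts. The server subnet 10.10.10.0/24 and the public addresses 5.6.7.8-10 are taken from the question; the VPN pool 192.168.100.0/24, the object names and the group-policy name RA-VPN-GP are assumptions. Syntax is ASA 8.3+ (an ASA 5515-X ships with 8.6 or later).

```cisco
! Assumption: servers live in 10.10.10.0/24 behind "inside"; VPN clients get
! addresses from 192.168.100.0/24 (hypothetical pool).
object network SERVER-NETWORK
 subnet 10.10.10.0 255.255.255.0
object network VPN-POOL
 subnet 192.168.100.0 255.255.255.0

! Section 1 (manual / twice NAT): identity NAT so traffic between the servers and
! the VPN pool keeps its real addresses. Manual NAT is evaluated before object NAT,
! so VPN-bound packets match here and never reach the per-server statics below.
! no-proxy-arp: the ASA must not answer ARP for the VPN pool on inside.
! route-lookup: use the routing table, not the NAT rule, to pick the egress interface.
nat (inside,outside) 1 source static SERVER-NETWORK SERVER-NETWORK destination static VPN-POOL VPN-POOL no-proxy-arp route-lookup

! Section 2 (object / auto NAT): one-to-one static per server for Internet traffic.
object network SERVER1
 host 10.10.10.2
 nat (inside,outside) static 5.6.7.8
object network SERVER2
 host 10.10.10.3
 nat (inside,outside) static 5.6.7.9
object network SERVER3
 host 10.10.10.4
 nat (inside,outside) static 5.6.7.10

! Split tunnel: only the server subnet goes through the tunnel; client Internet
! traffic stays local. Group-policy name is assumed.
access-list SPLIT-TUNNEL standard permit 10.10.10.0 255.255.255.0
group-policy RA-VPN-GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
```

To check which rule a flow hits, run `show nat` (each rule shows translate_hits/untranslate_hits) and compare two packet-tracer runs: `packet-tracer input inside tcp 10.10.10.2 22 192.168.100.10 50000` should report the identity rule in the NAT phase with the source left as 10.10.10.2, while `packet-tracer input inside tcp 10.10.10.2 443 203.0.113.10 443` should report the static translation to 5.6.7.8. If the first run shows 5.6.7.8 instead, the exemption is missing or sits below a competing manual rule.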

New Member

The VPN is on the same ASA where I configured the NAT rules for the servers. I also made a split tunnel; it includes all the subnets of the internal servers.

No problem, I want help in this scenario:

I have three servers in the internal LAN. I want to reach them by VPN for the support team and at the same time I want those servers to reach the Internet for updates and other stuff.

 
