I have a problem on my ASA 5515-X: when I make a remote access VPN to servers in the inside zone, the internet connection is disconnected on the servers, or when I have internet on the servers, the remote access can't reach the servers.
The configuration for the servers is a static NAT for each server, and the VPN connection is to another public IP, but in the same subnet as the NAT IPs.
server1: 10.10.10.2 NAT to 188.8.131.52
server2: 10.10.10.3 NAT to 184.108.40.206
server3: 10.10.10.4 NAT to 220.127.116.11
VPN connection to 18.104.22.168
Is there any solution for this scenario: remote VPN to the servers, and at the same time the servers have internet reachability for downloading updates, etc.?
Are the VPNs terminating at the servers, or do you have RA VPN to the ASA (using Cisco VPN Client or AnyConnect, etc.)?
Please remember to select a correct answer and rate helpful posts
The VPN is still connecting with the Cisco VPN Client to the ASA.
When I remove the NAT rules for those servers, the VPN connection can reach every server through the private IPs,
but when I add the NAT rules for the servers to get internet, the VPN stays connected but the servers can't reach the internet.
So it seems that the problem is a missing NAT0 configuration.
You could modify the below configuration to match your networks/IP addresses used. In the below configuration I presume that you have interfaces "inside" and "outside".
object network SERVER-NETWORK
 subnet <server network address> <network mask>
object network VPN-POOL
 subnet <vpn pool network address> <network mask>
nat (inside,outside) 1 source static SERVER-NETWORK SERVER-NETWORK destination static VPN-POOL VPN-POOL
Just insert the correct address related information and change the "object" and interface names if required.
This configuration will tell the ASA that no NAT will be performed for traffic between the VPN-POOL and SERVER-NETWORK. The NAT configuration is bidirectional. With this configuration the static NAT configurations will continue to work for the servers' Internet traffic, and this NAT0 configuration will be applied only to the VPN Client traffic.
Hope this helps :)
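A complete version of the layout described above, as an added example (not the poster's configuration), using the server addresses from the question. The VPN pool 192.168.100.0/24, the object names and the interface names are assumptions; replace them with your own values.

```cisco
! Added example, not from the thread. VPN pool 192.168.100.0/24 and the
! interface names "inside"/"outside" are assumptions.

! The three servers with their existing static (object) NAT to the public
! addresses. Object NAT is placed in NAT section 2.
object network SERVER1
 host 10.10.10.2
 nat (inside,outside) static 188.8.131.52
object network SERVER2
 host 10.10.10.3
 nat (inside,outside) static 184.108.40.206
object network SERVER3
 host 10.10.10.4
 nat (inside,outside) static 220.127.116.11

! Objects used by the exemption (NAT0) rule.
object network SERVER-NETWORK
 subnet 10.10.10.0 255.255.255.0
object network VPN-POOL
 subnet 192.168.100.0 255.255.255.0

! Identity (twice) NAT for VPN Client <-> server traffic. Manual NAT is
! section 1 and is evaluated before the object NAT above; the "1" places
! this rule at the top of section 1. VPN traffic therefore keeps the real
! 10.10.10.x addresses, while Internet-bound server traffic still matches
! the static entries. no-proxy-arp stops the ASA answering ARP for these
! addresses on the outside; route-lookup makes the egress interface come
! from the routing table rather than from the NAT rule.
nat (inside,outside) 1 source static SERVER-NETWORK SERVER-NETWORK destination static VPN-POOL VPN-POOL no-proxy-arp route-lookup

! Verification: check the rule order, then simulate a VPN user
! (192.168.100.10) connecting to server1 on RDP.
show nat
packet-tracer input outside tcp 192.168.100.10 12345 10.10.10.2 3389
```

If the exemption does not appear at the top of section 1 in "show nat", remove and re-add it with the sequence number; ASA evaluates manual NAT rules in order and the first match wins.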
I agree that this sounds like there is no twice NAT exempting VPN traffic from being NATed to the public IP.
The above example configuration (to which you would need to insert the information that applies to your situation/configuration) ONLY affects the traffic between the server network and the VPN Client users.
The static NAT configurations for the servers will work normally even with the above NAT0 configuration on your ASA.
Need some clarifications on the situation.
Are you talking about a VPN Client connection that the client forms to the ASA? Is the VPN configured on the ASA?
If the VPN connection is configured on the ASA, then it would seem strange to me that the VPN Client connection itself could in any way affect the Internet connectivity of the LAN servers when the VPN connection is active. Or could it be that you have configured a split tunnel ACL wrong, which causes problems for the ASA when it tries to forward traffic?
Usually the common cause for the connectivity problem from VPN Client to the internal server is related to NAT configurations. If a NAT0 configuration is not present then the user is unable to connect to the local IP addresses of the internal servers.
I guess the simplest way to get some picture of the problem would be to see the ASA configurations unless we are talking about a very large configuration.
The VPN is on the same ASA where I configured the NAT rules for the servers. I also made a split tunnel; it includes all subnets of the internal servers.
No problem, I want help in this scenario:
I have three servers in the internal LAN. I want to reach them by VPN for the support team, and at the same time I want those servers to reach the internet for updates and other stuff.