Cisco Support Community
New Member

IPSec VPN on ASA 9.1

Hi,

I have an ASA 5515-X running version 9.1.

I have created 5 sub-interfaces on 0/1, each with its own subnet, and the firewall is the gateway for my users.

0/0 - outside - WAN

0/1.1 - inside16 - 172.16.16.1/23

0/1.2 - inside30 - 172.16.30.1/24

0/1.3 - inside33 - 172.16.33.1/24

0/1.4 - inside40 - 172.16.40.1/24

0/1.5 - inside128 - 172.16.128.1/24

All sub-interfaces are kept with security level 100.

To permit traffic, I have used below command line :

access-list inside33_access_in extended permit ip any any 
access-list inside40_access_in extended permit ip any any 
access-list inside30_access_in extended permit ip any any 
access-list inside128_access_in extended permit ip any4 any4 
access-list inside16_access_in extended permit ip any4 any4 

access-group inside16_access_in in interface inside16
access-group inside30_access_in in interface inside30
access-group inside33_access_in in interface inside33
access-group inside40_access_in in interface inside40
access-group inside128_access_in in interface inside128

I have created an IPsec VPN on my outside interface. I am able to connect through the VPN tunnel, but it only communicates with the 16 VLAN, not the others, even if the firewall on the 128 VLAN machine is disabled.

All the settings are the defaults from the IPsec VPN configuration wizard, and the ACLs are inherited from the firewall ACL.

Attached is 'sh run' of ASA.

Please help.

 

Regards,

Ninad Thakare

 

Accepted Solution
New Member

I'm not 100% sure with AnyConnect VPNs but try this?
nat (inside128,outside) source static any any destination static NETWORK_OBJ_10.10.10.0_24 NETWORK_OBJ_10.10.10.0_24 no-proxy-arp route-lookup
!
Then see if you can connect to the VPN and access anything from the 16 and 128 subnet?
10 REPLIES
Hall of Fame Super Silver

Daniel is on the right track.

Your posted config has only exempted the one working subnet from NAT on the VPN. You need to add lines for each of the other subinterface VLANs.
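The full set of NAT-exemption (identity NAT) rules Marvin is describing, written out as an added example rather than lines from the poster's attached config. The VPN pool object name NETWORK_OBJ_10.10.10.0_24 is taken from Daniel's suggested line; that the pool is 10.10.10.0/24, the per-subnet object names, and the test hosts 172.16.128.10 and 10.10.10.5 are assumptions. The subnets are the five the poster listed. Unlike the `source static any any` form, each rule names the real subnet behind its sub-interface, so the exemption covers exactly the traffic it is meant to and nothing else.

```cisco
! Added example (not from the posted 'sh run'): identity NAT that exempts
! each sub-interface subnet from translation when it talks to the VPN pool.
! Assumed: the remote-access pool is 10.10.10.0/24 (object name from Daniel's line).
object network NETWORK_OBJ_10.10.10.0_24
 subnet 10.10.10.0 255.255.255.0
!
! One object per LAN subnet, matching the poster's sub-interfaces (names assumed).
object network NETWORK_OBJ_172.16.16.0_23
 subnet 172.16.16.0 255.255.254.0
object network NETWORK_OBJ_172.16.30.0_24
 subnet 172.16.30.0 255.255.255.0
object network NETWORK_OBJ_172.16.33.0_24
 subnet 172.16.33.0 255.255.255.0
object network NETWORK_OBJ_172.16.40.0_24
 subnet 172.16.40.0 255.255.255.0
object network NETWORK_OBJ_172.16.128.0_24
 subnet 172.16.128.0 255.255.255.0
!
! Manual (twice) NAT, evaluated in section 1 before any object NAT:
! source maps to itself and destination maps to itself, i.e. no translation.
! The source is the specific subnet rather than "any", so a rule on one
! sub-interface cannot silently exempt traffic that belongs to another.
nat (inside16,outside) source static NETWORK_OBJ_172.16.16.0_23 NETWORK_OBJ_172.16.16.0_23 destination static NETWORK_OBJ_10.10.10.0_24 NETWORK_OBJ_10.10.10.0_24 no-proxy-arp route-lookup
nat (inside30,outside) source static NETWORK_OBJ_172.16.30.0_24 NETWORK_OBJ_172.16.30.0_24 destination static NETWORK_OBJ_10.10.10.0_24 NETWORK_OBJ_10.10.10.0_24 no-proxy-arp route-lookup
nat (inside33,outside) source static NETWORK_OBJ_172.16.33.0_24 NETWORK_OBJ_172.16.33.0_24 destination static NETWORK_OBJ_10.10.10.0_24 NETWORK_OBJ_10.10.10.0_24 no-proxy-arp route-lookup
nat (inside40,outside) source static NETWORK_OBJ_172.16.40.0_24 NETWORK_OBJ_172.16.40.0_24 destination static NETWORK_OBJ_10.10.10.0_24 NETWORK_OBJ_10.10.10.0_24 no-proxy-arp route-lookup
nat (inside128,outside) source static NETWORK_OBJ_172.16.128.0_24 NETWORK_OBJ_172.16.128.0_24 destination static NETWORK_OBJ_10.10.10.0_24 NETWORK_OBJ_10.10.10.0_24 no-proxy-arp route-lookup
!
! Check without a client: trace a packet from a LAN host (assumed 172.16.128.10)
! toward a pool address (assumed 10.10.10.5). The NAT phase of the output
! should name the (inside128,outside) identity rule; a later VPN phase may
! still report a drop if no client currently holds that pool address.
packet-tracer input inside128 icmp 172.16.128.10 8 0 10.10.10.5
show nat
```

`show nat` lists the rules with hit counters, so after a client connects and tries one host in each VLAN, every one of the five identity rules should show non-zero translate_hits; a rule that stays at zero is the sub-interface that is still being translated.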

New Member

Hi Marvin,

 

Yes, it worked. I had missed those statements, but I still have an issue: my VPN users are not able to access the Internet, even though the NIC adapter shows Internet access.

Also, my firewall loses all (LAN and WAN) connectivity after 3-4 hours. I need to unplug and plug it back in, then it starts working again and fails again after some time.

 

Regards,

Ninad 

Hall of Fame Super Silver

For your non-split-tunnel remote access VPN users to get internet via the ASA as VPN gateway, you need to make sure the VPN address pool is included in a nat(outside,outside) statement. 

Your loss of connectivity would need some further testing and log message analysis to ascertain the root cause. For instance, can you ping your default gateway from the ASA itself when this happens?

New Member

Sorry, which nat (outside,outside) statement?

Hall of Fame Super Silver

You need a new nat(outside,outside) statement to make the remote access VPN user traffic properly NATted.

New Member

So it will work as:

!
object network NETWORK_OBJ_10.10.10.0_24
 nat (outside,outside) dynamic interface
!

Hall of Fame Super Silver

Yes, that's correct.

Jouni explained it in a bit more detail in this post.
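The complete hairpin configuration that Marvin confirms above, as an added example rather than the poster's config or Jouni's post: the object NAT alone is not enough, because by default the ASA refuses to send a packet back out the interface it arrived on. That the pool is 10.10.10.0/24, the client address 10.10.10.5 and the public test address 203.0.113.10 are assumptions; the object name is the one the poster used.

```cisco
! Added example (not the poster's config): give non-split-tunnel VPN clients
! Internet access back out the same outside interface ("hairpinning").
!
! 1. Allow a flow to enter and leave the same interface. Without this the
!    client's Internet traffic is dropped before NAT is even consulted.
same-security-traffic permit intra-interface
!
! 2. Object NAT (section 2): PAT the pool to the outside interface address,
!    but only for flows that both enter and leave on outside, i.e. decrypted
!    client traffic whose destination is on the Internet. Assumed pool 10.10.10.0/24.
object network NETWORK_OBJ_10.10.10.0_24
 subnet 10.10.10.0 255.255.255.0
 nat (outside,outside) dynamic interface
!
! The identity rules for VPN -> LAN (nat (insideNN,outside) source static ...)
! are manual NAT in section 1 and are matched first, so this object rule does
! not break LAN access: a pool -> 172.16.x.x flow hits the exemption, a
! pool -> Internet flow falls through to this PAT. Because the PAT is tied to
! (outside,outside), the pool does not have to belong to any inside subnet.
!
! Check with a client connected (assumed client 10.10.10.5, test host 203.0.113.10):
! the NAT phase should show "dynamic interface" and the egress interface outside.
packet-tracer input outside tcp 10.10.10.5 50000 203.0.113.10 443
show nat detail
show xlate
```

`show xlate` should then show a PAT entry from the client's pool address to the outside interface address once the client opens a connection; if the packet-tracer output drops the flow at the ACL phase instead, the outside interface ACL (if any) needs to permit the pool as a source, since decrypted VPN traffic is subject to it unless `sysopt connection permit-vpn` is in effect.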

New Member

Do I need to use a VPN pool from an inside subnet so that it will be covered by the nat (inside,outside) statement?

New Member

Hi,

My IPsec tunnel is up and I am able to reach all networks, but the VPN clients are not able to get Internet access.

Note : I have not configured split tunneling.

Please help.

Regards,

Ninad Thakare
