AnyConnect SSL VPN not working after NAT at IOS router.

vincentsee2000
Level 1

Hi All,

I have the setup below:

Scenario Question 1)

Internal network(10.x.3.209 /26) - (10.x.3.192 /26)FW(10.x.3.33 /27) - (Inside: 10.x.3.36 /27) ASA (Outside: 10.x.3.148 /28)- (10.x.3.145)FW - INTERNET RTR (Static NAT)(60.x.x.61) - ISP - Windows Anyconnect Client

Static NAT at RTR : 60.x.x.61 ==> 10.x.3.148; FW has allow TCP and UDP 443.

My AnyConnect could not connect to my 60.x.x.61.

Scenario Question 2)

But if my AnyConnect client is on the ASA Outside segment, it is able to connect and get a VPN pool address in the Inside network (e.g. 10.x.3.37 /27).

Internal network - FW - (Inside) ASA (Outside)- Windows Anyconnect Client

However, 10.x.3.37 could not ping 10.x.3.209/26. I could ping 10.x.3.209/26 from the ASA Inside IP 10.x.3.36/27.

Can anyone please advise whether my VPN design above is workable, and what possible configuration I should implement to make both scenario questions work? Thanks.


Jan Rolny
Level 3

Hi,

Basically you can have two scenarios.

1] ASA behind router and router connected to ISP

2] ASA connected directly to ISP

Regarding your NAT problems, you didn't mention what type of router you have connected to the ISP. Is it Cisco or another vendor? Can you provide the configuration of your router?

Next, because you are able to connect to the ASA from its outside network, the problem will probably be on the router side. As you mentioned in the subject, you probably have a NAT problem. When you do NAT on the router, is the NATed PUBLIC IP address the ASA outside interface? Or do you perform PAT?

If possible please post configuration of your ASA box.

Regards,

Jan