AnyConnect VPN Setup Assistance

bryankrausen (Level 1)

Hi everybody. I installed a brand new ASA to replace my current one, and need a bit of help with the setup of AnyConnect. I believe I have everything set up correctly, except for my NAT exceptions. I can successfully connect to the ASA via the clientless page and the AnyConnect client, but can't get past the ASA, so I'm assuming it's NAT exceptions. I've been looking at the ASA_cli.pdf but can't seem to nail it down. Even using the ASDM, which I normally don't do for VPN, it's not spelled out as easily as in asdm 6.1.

On my current ASA, I know that I have an ACL called NoNat. For reference, my internal networks are 10.0.x.x, and my ip pool for VPN users is 192.168.2.x.

Any help would be greatly appreciated. Thanks in advance.

20 Replies

Yeah, it looks like I am seeing the echo requests coming across, but not a response:

ifnASA5520(config)# sh capture captest

4 packets captured

   1: 10:20:09.130654 192.168.2.100 > 10.0.7.5: icmp: echo request
   2: 10:20:14.582840 192.168.2.100 > 10.0.7.5: icmp: echo request
   3: 10:20:19.591461 192.168.2.100 > 10.0.7.5: icmp: echo request
   4: 10:20:24.596603 192.168.2.100 > 10.0.7.5: icmp: echo request
4 packets shown

I think I just figured it out. That's the same subnet that I'm using on the old ASA, and the route on the core is pointing it back to the old ASA, and not the new one. I'll change the subnet that I'm using for the IP pool for the VPN clients to something different and let you know.

Yup, I think that has to be the problem.

Looks like that worked. I added the new subnet, 192.168.5.0 to the core with a route to the new ASA. Then I did the following:

no object network obj-192.168.2.0
no access-list testcap extended permit ip host 192.168.2.100 host 10.0.7.5
no access-list testcap extended permit ip host 10.0.7.5 host 192.168.2.100
no nat (INSIDE,OUTSIDE) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-192.168.2.0 obj-192.168.2.0
no nat (INSIDE,OUTSIDE) source static obj-10.0.40.0 obj-10.0.40.0 destination static obj-192.168.2.0 obj-192.168.2.0
no nat (INSIDE,OUTSIDE) source static obj-10.0.18.0 obj-10.0.18.0 destination static obj-192.168.2.0 obj-192.168.2.0
no nat (INSIDE,OUTSIDE) source static obj-10.0.7.0 obj-10.0.7.0 destination static obj-192.168.2.0 obj-192.168.2.0
no nat (INSIDE,OUTSIDE) source static obj-10.0.33.0 obj-10.0.33.0 destination static obj-192.168.2.0 obj-192.168.2.0
no ip local pool VPNPool 192.168.2.100-192.168.2.150 mask 255.255.255.0

ip local pool VPNPool 192.168.5.100-192.168.5.150 mask 255.255.255.0
object network obj-192.168.5.0
 subnet 192.168.5.0 255.255.255.0
nat (INSIDE,OUTSIDE) 1 source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-192.168.5.0 obj-192.168.5.0
nat (INSIDE,OUTSIDE) 1 source static obj-10.0.40.0 obj-10.0.40.0 destination static obj-192.168.5.0 obj-192.168.5.0
nat (INSIDE,OUTSIDE) 1 source static obj-10.0.18.0 obj-10.0.18.0 destination static obj-192.168.5.0 obj-192.168.5.0
nat (INSIDE,OUTSIDE) 1 source static obj-10.0.7.0 obj-10.0.7.0 destination static obj-192.168.5.0 obj-192.168.5.0
nat (INSIDE,OUTSIDE) 1 source static obj-10.0.33.0 obj-10.0.33.0 destination static obj-192.168.5.0 obj-192.168.5.0

Looks like it's working, as I can now VPN into devices using the IP, but I'm still having trouble using DNS names. Any thoughts on that?
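As an added example (not code from the thread or from Cisco), the following Python generates the same identity-NAT exemption lines shown in the post above for any list of internal subnets and VPN pool, and first refuses a pool that overlaps an internal subnet or a prefix that is still routed elsewhere (the root cause found earlier in this thread). The `already_routed` parameter, the object naming and the helper name are assumptions made for this example.

```python
import ipaddress
from typing import Iterable, List


def nat_exemption_config(internal_subnets: Iterable[str], vpn_pool: str,
                         in_if: str = "INSIDE", out_if: str = "OUTSIDE",
                         already_routed: Iterable[str] = ()) -> List[str]:
    """Return ASA 8.3+ CLI lines that exempt traffic between each internal
    subnet and the AnyConnect pool from NAT (identity twice NAT).

    already_routed: prefixes the core already routes somewhere else (assumed
    parameter); a pool overlapping one of them would get asymmetric return
    traffic, exactly the one-way ICMP seen in the capture earlier.
    """
    pool = ipaddress.ip_network(vpn_pool, strict=True)
    internal = [ipaddress.ip_network(s, strict=True) for s in internal_subnets]
    routed = [ipaddress.ip_network(s, strict=True) for s in already_routed]

    # Refuse a pool that overlaps an internal subnet or a prefix routed elsewhere.
    for other in internal + routed:
        if pool.overlaps(other):
            raise ValueError(f"VPN pool {pool} overlaps {other}; pick an unused prefix")

    pool_obj = f"obj-{pool.network_address}"
    lines = [f"object network {pool_obj}",
             f" subnet {pool.network_address} {pool.netmask}"]
    for net in internal:
        obj = f"obj-{net.network_address}"
        lines += [f"object network {obj}",
                  f" subnet {net.network_address} {net.netmask}"]

    # Identity NAT: real and mapped objects are the same on both sides, so the
    # addresses are preserved; section 1 places it ahead of any dynamic PAT.
    for net in internal:
        obj = f"obj-{net.network_address}"
        lines.append(f"nat ({in_if},{out_if}) 1 source static {obj} {obj} "
                     f"destination static {pool_obj} {pool_obj}")
    return lines


if __name__ == "__main__":
    # Constructed sample input mirroring the thread: 10.0.x.x inside, new pool 192.168.5.0/24.
    print("\n".join(nat_exemption_config(
        ["10.0.7.0/24", "10.0.18.0/24", "10.0.33.0/24", "10.0.40.0/24"],
        "192.168.5.0/24", already_routed=["192.168.2.0/24"])))
```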

Add DNS and WINS servers to the corresponding AnyConnect group-policy so that they are pushed to the clients when they connect. Also make sure the servers are reachable when connected via AnyConnect.

rahgovin, thank you VERY much for your help in this. Now I just have to work on the clientless portion, but using the AnyConnect client is working perfectly now. Thanks a bunch.

Glad to hear it's working.