Cisco Support Community

New Member

ASDM/Internal LAN via Client VPN

Hi All,

I've seen a number of posts on a similar topic but cannot find my problem exactly. I've set up client VPN with address pools etc.... The VPN client connects perfectly and I can launch ASDM ok. Then I discover that I don't have access to internal servers. I have a Eureka moment and remember that I need a NAT exemption. Being the ASA 8.6 I put in a double NAT entry e.g.

nat (INSIDE,OUTSIDE) source static LOCAL_SUBNETS LOCAL_SUBNETS destination static VPN_SUBNET VPN_SUBNET

Now I have access to internal servers but do not have access to manage ASDM. I get unable to launch device manager from xxx.xxx.xxx.xxx

Management-access is set to INSIDE and the address pool is different from internal LAN. I'm sure it is only something small but I can't seem to figure it out.

I've set this up previously with older ASAs and never had a problem but this is my first time with newer 8.6 and NAT rules so I could be doing something incorrectly.

Thanks in advance for your help

Eoghan

  • VPN
4 REPLIES
New Member

ASDM/Internal LAN via Client VPN

In case anyone is interested and comes across this. I found the answer to my own question here

https://supportforums.cisco.com/thread/2120561.

This is the detail:

CSCtr16184 Bug Details

To-the-box traffic fails from hosts over vpn after upgrade to 8.4.2.
Symptom:
After upgrading the ASA to 8.4.2, all management traffic to-the-box (including
icmp/telnet/ssh/ASDM) from hosts over the VPN (L2L or Remote Access VPN) may
fail when destined to the management-access interface IP address.

Conditions:
1. Issue is observed if ASA is on 8.4.2. Not observed on 8.4.1.
2. Users directly connected to the internal interfaces face no issues with
icmp/telnet/ssh/asdm to their respective interfaces.

Workaround:
The problem can be traced to a Manual NAT statement that overlaps with the
management-access interface IP address. The NAT statement must have both the
source and destination fields. Adding the "route-lookup" keyword at the end of
the NAT statement resolves the issue.

Ex:
ASA's Management-Access Interface IP address is 192.168.1.1.

! Overlapping NAT statement:
nat (inside,outside) source static obj-192.168.1.0 obj-192.168.1.0 destination
static obj-vpn obj-vpn

! New Statement:
nat (inside,outside) source static obj-192.168.1.0 obj-192.168.1.0 destination
static obj-vpn obj-vpn route-lookup

So I entered the following commands

no nat (INSIDE,OUTSIDE) source static LOCAL_SUBNETS LOCAL_SUBNETS destination static VPN_SUBNET VPN_SUBNET

nat (INSIDE,OUTSIDE) source static LOCAL_SUBNETS LOCAL_SUBNETS destination static VPN_SUBNET VPN_SUBNET route-lookup

and now have access to both internal servers and the ASA via ASDM from the same client VPN profile.

Thanks,

Eoghan

Hall of Fame Super Silver

ASDM/Internal LAN via Client VPN

Thanks for posting the resolution. +5 for that!

New Member

ASDM/Internal LAN via Client VPN

I'm running into this exact same problem on an ASA 5525-X running software version 8.6(1)2.

The solution doesn't work because the route-lookup keyword doesn't exist. Example:

nat (inside,any) source static INTERNAL-SUBNETS INTERNAL-SUBNETS destination static VPN-Subnet VPN-Subnet no-proxy-arp route-lookup

               ^

ERROR: % Invalid input detected at '^' marker.

How do I access my ASA over ssh with an overlapping NAT statement when I can't enter the route-lookup keyword?



New Member

ASDM/Internal LAN via Client VPN

I found the issue. You can't use the route-lookup keyword if one of the interfaces is set to "any". This NAT statement fixed the issue:

nat (inside,outside) source static INTERNAL-SUBNETS INTERNAL-SUBNETS destination static VPN-Subnet VPN-Subnet no-proxy-arp route-lookup
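The two conditions discussed in this thread (a manual twice-NAT rule whose real source object covers the management-access interface address but lacks `route-lookup`, and a rule where `route-lookup` cannot be applied because an interface is `any`) can be checked offline against a saved `show running-config`. The following Python script is an added example, not code from the thread or from Cisco; it parses the object, interface, management-access and nat lines with simple string matching (it assumes `object network` objects defined with `subnet` or `host`, and ignores object-groups), and the sample config it scans is constructed here to mirror the bug note's example addressing.

```python
import ipaddress
import re

# Constructed sample config (not from the thread): 192.168.1.1 is the
# management-access interface address, exactly as in the CSCtr16184 example.
SAMPLE_CONFIG = """
interface GigabitEthernet0/1
 nameif inside
 ip address 192.168.1.1 255.255.255.0
object network obj-192.168.1.0
 subnet 192.168.1.0 255.255.255.0
object network obj-dmz
 subnet 172.16.5.0 255.255.255.0
object network obj-vpn
 subnet 10.10.10.0 255.255.255.0
nat (inside,outside) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-vpn obj-vpn
nat (inside,any) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-vpn obj-vpn no-proxy-arp route-lookup
nat (dmz,outside) source static obj-dmz obj-dmz destination static obj-vpn obj-vpn
nat (inside,outside) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-vpn obj-vpn route-lookup
management-access inside
"""

# Manual (twice) NAT with both a source and a destination field, the shape
# the bug note says is affected.
NAT_RE = re.compile(
    r"^nat \((?P<src_if>[^,]+),(?P<dst_if>[^)]+)\) source static "
    r"(?P<real_src>\S+) (?P<map_src>\S+) destination static "
    r"(?P<real_dst>\S+) (?P<map_dst>\S+)(?P<opts>.*)$"
)


def parse_objects(config):
    """Map 'object network' names to their subnet/host as ip_network."""
    objects = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("object network "):
            current = line.split()[2]
        elif current and line.startswith(" subnet "):
            _, addr, mask = line.split()
            objects[current] = ipaddress.ip_network(f"{addr}/{mask}")
        elif current and line.startswith(" host "):
            objects[current] = ipaddress.ip_network(line.split()[1] + "/32")
        elif not line.startswith(" "):
            current = None  # left the object block
    return objects


def parse_interfaces(config):
    """Map nameif -> interface IP address from 'interface' blocks."""
    interfaces = {}
    nameif = ip = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            nameif = ip = None
        elif line.startswith(" nameif "):
            nameif = line.split()[1]
        elif line.startswith(" ip address "):
            ip = ipaddress.ip_address(line.split()[2])
        if nameif and ip:
            interfaces[nameif] = ip
    return interfaces


def management_access_ip(config):
    """Return the IP of the interface named by 'management-access', if any."""
    interfaces = parse_interfaces(config)
    for line in config.splitlines():
        if line.startswith("management-access "):
            return interfaces.get(line.split()[1])
    return None


def audit_nat(config):
    """Return (nat_line, reason) for twice-NAT rules that overlap the
    management-access address and would break to-the-box traffic from VPN."""
    objects = parse_objects(config)
    mgmt_ip = management_access_ip(config)
    findings = []
    for line in config.splitlines():
        m = NAT_RE.match(line.strip())
        if not m:
            continue
        net = objects.get(m["real_src"])
        if mgmt_ip is None or net is None or mgmt_ip not in net:
            continue  # rule does not cover the management-access address
        opts = m["opts"].split()
        if "route-lookup" not in opts:
            findings.append((line, "overlaps management-access IP without route-lookup"))
        elif "any" in (m["src_if"], m["dst_if"]):
            # Per the last reply in the thread: route-lookup is rejected when
            # either interface is 'any'; use the real interface names instead.
            findings.append((line, "route-lookup is rejected when an interface is 'any'"))
    return findings


if __name__ == "__main__":
    for nat_line, reason in audit_nat(SAMPLE_CONFIG):
        print(f"{reason}:\n  {nat_line}")
```

Run it against a config file by replacing `SAMPLE_CONFIG` with the file's contents; rules that already carry `route-lookup` on named interfaces, or whose real source object does not contain the management-access address, produce no finding.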
