I've seen a number of posts on a similar topic but cannot find my problem exactly. I've set up client VPN with address pools etc. The VPN client connects perfectly and I can launch ASDM OK. Then I discover that I don't have access to internal servers. I have a Eureka moment and remember that I need a NAT exemption. Being on ASA 8.6, I put in a double NAT entry, e.g.
To-the-box traffic fails from hosts over vpn after upgrade to 8.4.2.
Symptom: After upgrading the ASA to 8.4.2, all management traffic to-the-box (including icmp/telnet/ssh/ASDM) from hosts over the VPN (L2L or Remote Access VPN) may fail when destined to the management-access interface IP address.

Conditions:
1. Issue is observed if ASA is on 8.4.2. Not observed on 8.4.1.
2. Users directly connected to the internal interfaces face no issues with icmp/telnet/ssh/asdm to their respective interfaces.

Workaround: The problem can be traced to a Manual NAT statement that overlaps with the management-access interface IP address. The NAT statement must have both the source and destination fields. Adding the "route-lookup" keyword at the end of the NAT statement resolves the issue.

Ex: ASA's Management-Access Interface IP address is 192.168.1.1.

! Overlapping NAT statement:
nat (inside,outside) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-vpn obj-vpn
! New Statement:
nat (inside,outside) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-vpn obj-vpn route-lookup
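The workaround above is easy to miss in a large config, so here is an added example (not from the post or from Cisco) that audits an ASA running-config for manual NAT statements whose real source object covers the management-access interface IP and that lack the route-lookup keyword, and prints the corrected line. The config fragment, object names and interface name are constructed for the example; only "object network ... subnet" definitions and the single-space block indentation of a saved ASA config are assumed.

```python
import ipaddress
import re
# Constructed ASA config fragment (not from the post): management-access is "inside" at
# 192.168.1.1; NAT 1 covers that IP without route-lookup, NAT 2 has it, NAT 3 does not overlap.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 nameif inside
 ip address 192.168.1.1 255.255.255.0
object network obj-192.168.1.0
 subnet 192.168.1.0 255.255.255.0
object network obj-vpn
 subnet 10.10.10.0 255.255.255.0
object network obj-dmz
 subnet 172.16.5.0 255.255.255.0
management-access inside
nat (inside,outside) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-vpn obj-vpn
nat (inside,outside) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-dmz obj-dmz route-lookup
nat (dmz,outside) source static obj-dmz obj-dmz destination static obj-vpn obj-vpn
"""
# Manual NAT with both source and destination: group 1 = real source object, group 2 = trailing keywords.
NAT_RE = re.compile(r"^nat \(\S+,\S+\) source static (\S+) \S+ destination static \S+ \S+(.*)$", re.M)

def parse_objects(config):
    """Map 'object network' names to ipaddress networks (subnet form only)."""
    objects, current = {}, None
    for line in config.splitlines():
        m = re.match(r"object network (\S+)", line)
        if m:
            current = m.group(1)
        elif current and line.startswith(" subnet "):
            objects[current] = ipaddress.ip_network("{}/{}".format(*line.split()[1:3]))
    return objects

def management_ip(config):
    """IP of the interface whose nameif is set by 'management-access', or None."""
    m = re.search(r"^management-access (\S+)", config, re.M)
    if not m:
        return None
    # Interface block lines are indented by one space: find the nameif, then its ip address.
    iface = re.search(r"^interface .*\n(?: .*\n)*? nameif %s\n(?: .*\n)*? ip address (\S+)"
                      % re.escape(m.group(1)), config, re.M)
    return ipaddress.ip_address(iface.group(1)) if iface else None

def affected_nat_rules(config):
    """(original, corrected) pairs: manual NAT lines covering the management IP without route-lookup."""
    objects, mgmt, hits = parse_objects(config), management_ip(config), []
    for m in NAT_RE.finditer(config) if mgmt else []:
        src = objects.get(m.group(1))
        if src and mgmt in src and "route-lookup" not in m.group(2):
            hits.append((m.group(0), m.group(0) + " route-lookup"))
    return hits
```

Run `for old, new in affected_nat_rules(SAMPLE_CONFIG): print(new)` to get the statements to re-enter; only the first NAT line is reported, since the second already carries route-lookup and the third never covers 192.168.1.1.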