I've created 3 different tunnel-groups for remote access VPN, each being assigned addresses out of a different pool that doesn't coincide with an existing internal network. The problem I'm running into is that while the VPN clients for members of each pool are being assigned IP addresses, DNS, domain, etc., and I can see the split tunnel rules being applied at the client... no traffic is going anywhere. Clients get connected successfully, get issued an IP address, but cannot access any of the internal network that they are supposed to. Also I'm running 8.3 code... which has been *fun* to configure.
I've done the following:
defined the tunnel-groups with all associated parameters.
defined the proper group-policies
defined my split tunnel ACLs
I've also gone so far in my troubleshooting as to create sub-interfaces for each new LAN with an associated VLAN (and added the proper VLAN tags to the group-policies). I have also played with defining NAT statements from that sub-interface to an internal interface.
I'm clearly missing something... it seems like traffic isn't being NAT'd properly or isn't routing.
Sorry for taking so long to come back to this. It was definitely a NAT issue. There were 2 problems... the first was that I hadn't created a NAT for each interface I wanted that traffic to traverse. The second problem (and this was a KILLER) was the order of my NAT statements. If the relevant NATs are not at the TOP of the list, then they don't get properly applied. So NAT precedence is definitely order of entry.
Have to say the new 8.3 code is very non-intuitive (especially with NAT). These are not the first ASAs or VPN groups I've ever configured, but the new code makes me feel like it!
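As an added illustration of the two fixes described in the reply above (one NAT exemption per interface pair, placed ahead of the broader NAT rules), here is an example ASA 8.3-style configuration that is not the poster's own; the interface names inside/dmz/outside, the object names and the subnets are assumed.

```cisco
! Added example, not the poster's configuration. Object names, interface
! names and address ranges are constructed for illustration.
object network VPN_POOL_A
 subnet 10.99.1.0 255.255.255.0
object network INSIDE_NET
 subnet 192.168.10.0 255.255.255.0
object network DMZ_NET
 subnet 192.168.20.0 255.255.255.0
!
! One identity (exemption) rule per interface pair the VPN traffic must cross.
! The explicit line number inserts each rule at the top of manual NAT
! (section 1), so an earlier dynamic/PAT rule cannot match the VPN-bound
! traffic first and translate it away from the pool.
nat (inside,outside) 1 source static INSIDE_NET INSIDE_NET destination static VPN_POOL_A VPN_POOL_A
nat (dmz,outside) 2 source static DMZ_NET DMZ_NET destination static VPN_POOL_A VPN_POOL_A
!
! Typical outbound PAT rule. If this were listed before the exemptions,
! replies from inside hosts to VPN clients would be PATed to the outside
! address and never reach the tunnel.
nat (inside,outside) source dynamic INSIDE_NET interface
!
! Verification: confirm the rule order and watch the translate_hits counters
! climb on the exemption lines (not the PAT line) after a client connects.
show nat
! Trace a reply from an inside host to a VPN client and confirm the NAT
! phase reports the identity rule rather than the dynamic PAT rule.
packet-tracer input inside tcp 192.168.10.5 1234 10.99.1.10 445
```

If the packet-tracer NAT phase shows the dynamic rule, the exemption is listed below it and needs a lower line number.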
Login to the FXOS chassis manager.
Direct your browser to https://hostname/, and log in using the username and password.
Go to Help > About and check the current version:
Check the current version availa...
We have configured the outside and inside interface with official IPv6 addresses, set a default route on the outside interface to our router, and we also have defined a rule, which also gets hits, to permit tcp from the inside interface to any6.
In Syslog I also se...