NAT rule for vpn access..?

j.eunson
Level 1

Hi, trying to set up ssl vpn via Anyconnect client on a new ASA 5510, ASA 8.4.2, ASDM 6.4.5.

I am able to successfully 'connect' via the anyconnect client, & I am assigned an ip from the vpn pool I created, however I can't ping or connect to any of the internal servers.

I think I've set up split tunnelling ok following the guide below, as I can browse the web nice & fast while logged in to vpn but just can't find anything on the internal network.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080975e83.shtml

I suspect it's down to a NAT rule but I'm a bit stuck whether it should be a network object NAT rule or if it should be dynamic/static, & whether it's between the outside interface or external IP & the inside network or the VPN network (I created the pool on a separate subnet), or a 'range' (but then I get overlapping IP errors when I try to create a rule for a range of IPs).

Any advice much appreciated,

Accepted Solution

kssinha
Level 1

Hi Eunson,

After you have connected to the ASA the clients get an IP address of let's say 192.168.10.0/24 pool, the network behind the ASA is 192.168.20.0/24.

On the ASA you would need a NAT exemption for 192.168.20.0 to 192.168.10.0

Create two object groups, for VPN pool and for your internal LAN.

object-group network object-192.168.20.0
 network-object 192.168.20.0 255.255.255.0
object-group network object-192.168.10.0
 network-object 192.168.10.0 255.255.255.0

nat (inside,outside) 1 source static object-192.168.20.0 object-192.168.20.0 destination static object-192.168.10.0 object-192.168.10.0 no-proxy-arp route-lookup

Inside = The interface behind which your LOCAL lan is

Outside = The interface on which the Clients connect.

If you still cannot access then you can take captures on the Inside interface,

create an ACL

access-list test123 permit ip host x.x.x.x host y.y.y.y
access-list test123 permit ip host y.y.y.y host x.x.x.x
capture test123 interface inside access-list test123
show cap test123

It will show if packets are going out through the inside interface and if we see any replies or not. If we don't see any replies it means that there might be a routing issue on the internal LAN as the devices might not know to route traffic for 192.168.10.0 back to the ASA inside interface.

Or it might be that there would be a firewall dropping packets in your internal lan.

HTH
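The two steps in the accepted answer (an identity twice-NAT rule so LAN-to-pool traffic is exempt from the interface NAT, then an inside capture to see whether replies come back) can be written down as a small helper. The following Python is an added example, not code from the thread or from Cisco: the generated command lines follow the ASA 8.4 syntax used in the answer above, the `show cap` parser assumes the "src > dst:" line layout of ASA 8.x captures, and the capture text is a constructed sample, not a real capture from this ASA. It also adds the overlap check that explains the "overlapping IP" error the original poster saw when the pool was carved out of the LAN range.

```python
"""Helpers for the AnyConnect-to-LAN reachability problem in this thread.

Added example, not Cisco's code.  The command strings follow the ASA 8.4
twice-NAT syntax in the accepted answer; the capture parser assumes the
'show cap' line layout of ASA 8.x ("  1: hh:mm:ss.usec src > dst: ...").
"""
import ipaddress
import re
from typing import Dict, List


def pool_overlaps_lan(lan_cidr: str, pool_cidr: str) -> bool:
    """True when the VPN pool shares addresses with the internal LAN.

    An overlapping pool is the cause of the 'overlapping ip' error seen by
    the original poster; the pool must be its own subnet, as in the answer.
    """
    lan = ipaddress.ip_network(lan_cidr, strict=True)
    pool = ipaddress.ip_network(pool_cidr, strict=True)
    return lan.overlaps(pool)


def nat_exemption_config(lan_cidr: str, pool_cidr: str) -> List[str]:
    """Return the object-groups and the identity (NAT-exempt) twice-NAT rule
    that keep LAN <-> VPN-pool traffic out of the interface PAT."""
    if pool_overlaps_lan(lan_cidr, pool_cidr):
        raise ValueError(f"VPN pool {pool_cidr} overlaps LAN {lan_cidr}; use a separate subnet")
    lan = ipaddress.ip_network(lan_cidr)
    pool = ipaddress.ip_network(pool_cidr)
    lan_obj = f"object-{lan.network_address}"
    pool_obj = f"object-{pool.network_address}"
    return [
        f"object-group network {lan_obj}",
        f" network-object {lan.network_address} {lan.netmask}",
        f"object-group network {pool_obj}",
        f" network-object {pool.network_address} {pool.netmask}",
        # Real and mapped objects are identical, so this is identity NAT (an
        # exemption).  no-proxy-arp stops the ASA answering ARP for the LAN
        # range; route-lookup picks the egress interface from the routing table.
        f"nat (inside,outside) 1 source static {lan_obj} {lan_obj} "
        f"destination static {pool_obj} {pool_obj} no-proxy-arp route-lookup",
    ]


# One 'show cap' packet line: index, timestamp, src[.port] > dst[.port]:
_CAP_LINE = re.compile(
    r"^\s*\d+:\s+\S+\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.\d+)?\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.\d+)?:"
)


def analyze_capture(show_cap_output: str, vpn_host: str, lan_host: str) -> Dict[str, object]:
    """Count packets each way between a VPN client and a LAN host in
    'show cap' output and classify the result the way the answer reasons:
      no_egress  - nothing from the client reaches inside (NAT/split-tunnel)
      no_replies - requests leave inside, nothing returns (LAN routing/host FW)
      ok         - traffic seen in both directions
    """
    requests = replies = 0
    for line in show_cap_output.splitlines():
        m = _CAP_LINE.match(line)
        if not m:
            continue
        if m["src"] == vpn_host and m["dst"] == lan_host:
            requests += 1
        elif m["src"] == lan_host and m["dst"] == vpn_host:
            replies += 1
    if requests == 0:
        status = "no_egress"
    elif replies == 0:
        status = "no_replies"
    else:
        status = "ok"
    return {"requests": requests, "replies": replies, "status": status}


# Constructed sample in the layout of ASA 8.x 'show cap' output (one ICMP
# and one TCP SYN line); no reply from the LAN host is present.
SAMPLE_SHOW_CAP = """\
3 packets captured
   1: 10:12:33.123456 192.168.10.5 > 192.168.20.10: icmp: echo request
   2: 10:12:33.124001 192.168.10.5.51234 > 192.168.20.10.445: S 1234:1234(0) win 8192
   3: 10:12:34.123456 192.168.10.5 > 192.168.20.10: icmp: echo request
3 packets shown
"""

if __name__ == "__main__":
    for cmd in nat_exemption_config("192.168.20.0/24", "192.168.10.0/24"):
        print(cmd)
    print(analyze_capture(SAMPLE_SHOW_CAP, "192.168.10.5", "192.168.20.10"))
```

Run it once with your own LAN and pool prefixes to get the exemption lines, then paste the text of `show cap test123` into `analyze_capture` with the client and server addresses: a `no_replies` result points at the LAN side (return route for the pool or a host firewall), while `no_egress` means the packets never reached the inside interface and the NAT rule or split-tunnel ACL still needs attention.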


Thanks Kshitij, that worked perfectly! That was bugging me for weeks, I'm grateful you took the time to explain so clearly & precisely.