07-10-2014 05:50 AM
So I have a server and a computer on the inside I can access through a ASA 5505 with ASA 9.2(1) and ASDM 7.2(1)
The computer on 192.168.1.110 through port 8080 can show me a demo website.
The server on 192.168.1.222 got my DNS, FTP, HTTP, mail and more on it.
On the outside I got a computer (by outside I mean from the firewall and cable directly into the computer) on 192.168.20.2 and the firewall's outside being 192.168.20.1
From the outside I can access the 8080 without problems (and I assume aswell with the server, but it's on another default gateway and cannot be accessed right now). However - when I connect through my VPN I'm assigned 192.168.30.5 but cannot connect to the inside computer through 192.168.1.110:8080.
This will throw the error: Asymmetric NAT rules matched for forward and reverse flow; Connection for udp src outside: 192.168.30.5/49608(...) dst inside: 192.168.1.222/53 denied due to NAT reverse path failure.
Somewhere I got a conflict or a non-created access rule. Anyone willing to take a shot?
I marked some with bold for what I thought could be the cause.
ciscoasa(config)# sh running-config
: Saved
:
ASA Version 9.2(1)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names
ip local pool IP-Pool 192.168.30.5-192.168.30.200 mask 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.254 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 192.168.20.1 255.255.255.0
!
boot system disk0:/asa921-k8.bin
ftp mode passive
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network testServer-8080
host 192.168.1.110
description The test server
object network Server-21
host 192.168.1.222
description The test server
object network Server-25
host 192.168.1.222
description The test server
object network Server-53
host 192.168.1.222
description The test server
object network Server-80
host 192.168.1.222
description The test server
object network Server-443
host 192.168.1.222
description The test server
object network Server-2525
host 192.168.1.222
description The test server
object network Server-993
host 192.168.1.222
description The test server
object network Server-6001
host 192.168.1.222
description The test server
object network Server-6002
host 192.168.1.222
description The test server
object network Server-6003
host 192.168.1.222
description The test server
object network Server-6004
host 192.168.1.222
description The test server
object network VPN-HOSTS
subnet 192.168.30.0 255.255.255.0
object network inside
host 192.168.1.0
object network Server-vpn
host 192.168.1.222
access-list outside_access_in extended permit tcp any object testServer-8080 eq 8080
access-list outside_access_in extended permit tcp any object Server-21 eq ftp
access-list outside_access_in extended permit tcp any object Server-25 eq smtp
access-list outside_access_in extended permit tcp any object Server-2525 eq 2525
access-list outside_access_in extended permit udp any object Server-53 eq domain inactive
access-list outside_access_in extended permit tcp any object Server-80 eq www
access-list outside_access_in extended permit tcp any object Server-443 eq https
access-list outside_access_in extended permit tcp any object Server-993 eq 993
access-list outside_access_in extended permit tcp any object Server-6001 eq 6001
access-list outside_access_in extended permit tcp any object Server-6002 eq 6002
access-list outside_access_in extended permit tcp any object Server-6003 eq 6003
access-list outside_access_in extended permit tcp any object Server-6004 eq 6004
access-list outside_access_in extended permit ip 192.168.1.0 255.255.255.0 192.168.30.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-721.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source dynamic VPN-HOSTS inside destination static Server-vpn Server-vpn
!
object network obj_any
nat (inside,outside) dynamic interface
object network testServer-8080
nat (inside,outside) static interface service tcp 8080 8080
object network Server-21
nat (inside,inside) static interface service tcp ftp ftp
object network Server-25
nat (inside,outside) static interface service tcp smtp smtp
object network Server-53
nat (inside,inside) static interface service tcp domain domain
object network Server-80
nat (inside,outside) static interface service tcp www www
object network Server-443
nat (inside,outside) static interface service tcp https https
object network Server-2525
nat (inside,outside) static interface service tcp 2525 2525
object network Server-993
nat (inside,outside) static interface service tcp 993 993
object network Server-6001
nat (inside,outside) static interface service tcp 6001 6001
object network Server-6002
nat (inside,outside) static interface service tcp 6002 6002
object network Server-6003
nat (inside,outside) static interface service tcp 6003 6003
object network Server-6004
nat (inside,outside) static interface service tcp 6004 6004
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server HSS-auth-server protocol radius
authorize-only
aaa-server HSS-auth-server (inside) host 192.168.1.222
timeout 5
key *****
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpool policy
crypto isakmp nat-traversal 30
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy HSSvpn internal
group-policy HSSvpn attributes
dns-server value 192.168.1.222
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value outside_access_in ! this value had it's own name earlier
default-domain value hss.dk
tunnel-group HSSvpn type remote-access
tunnel-group HSSvpn general-attributes
address-pool IP-Pool
authentication-server-group HSS-auth-server
default-group-policy HSSvpn
password-management
tunnel-group HSSvpn ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group HSSvpn ppp-attributes
no authentication chap
no authentication ms-chap-v1
authentication ms-chap-v2
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:9859258e11364180cf9b3e21173b3f2f
: end
Solved! Go to Solution.
07-10-2014 06:06 AM
Hi,
The bolded "nat" configuration is incorrect as you suspected.
Replace it with something like this
object network LAN
subnet 192.168.1.0 255.255.255.0
nat (inside,outside) 1 source static LAN LAN destination static VPN-HOSTS VPN-HOSTS
I would also suggest using a separate "standard" access-list for the Split Tunnel ACL.
For example
access-list SPLIT-TUNNEL standard permit 192.168.1.0 255.255.255.0
You would naturally have to switch the above ACL to the "group-policy" used.
Additionally, if you want to control the connections incoming from VPN users in the "outside_access_in" ACL then you could change one of the default settings on the ASA by issuing the command
no sysopt connection permit-vpn
If you need to revert it back then just issue it without the "no" in front. Then its back to its default setting. This doesnt show in the running configuration by the way.
With this setting any connections coming from VPN connections have to be allowed on the interface ACL of the interface that terminates the VPN connection. So in your case that would be the ACL attached to the "outside" interface.
Hope this helps :)
- Jouni
07-10-2014 06:06 AM
Hi,
The bolded "nat" configuration is incorrect as you suspected.
Replace it with something like this
object network LAN
subnet 192.168.1.0 255.255.255.0
nat (inside,outside) 1 source static LAN LAN destination static VPN-HOSTS VPN-HOSTS
I would also suggest using a separate "standard" access-list for the Split Tunnel ACL.
For example
access-list SPLIT-TUNNEL standard permit 192.168.1.0 255.255.255.0
You would naturally have to switch the above ACL to the "group-policy" used.
Additionally, if you want to control the connections incoming from VPN users in the "outside_access_in" ACL then you could change one of the default settings on the ASA by issuing the command
no sysopt connection permit-vpn
If you need to revert it back then just issue it without the "no" in front. Then its back to its default setting. This doesnt show in the running configuration by the way.
With this setting any connections coming from VPN connections have to be allowed on the interface ACL of the interface that terminates the VPN connection. So in your case that would be the ACL attached to the "outside" interface.
Hope this helps :)
- Jouni
07-10-2014 02:46 PM
That took care of it - very nice. Thank you
What exactly should I write for the standard lists?
I try with just access-list Split-Tunnel-ACL standard permit 192.168.30.0 255.255.255.0 but then get the message:
ERROR: Cannot mix different types of access lists
ERROR: <Split-Tunnel-ACL> cannot be created
07-10-2014 02:55 PM
Hi ,
Firstly configure "clear configure access-list Split-Tunnel-ACL" , and then run the command again "access-list Split-Tunnel-ACL standard permit 192.168.30.0 255.255.255.0".
Seems like there is already some extended entry created for this access-list.
Regards,
Dinesh Moudgil
P.S. Please rate helpful posts.
07-11-2014 03:49 AM
It didn't work quite as good. The asymmetric message is gone (thank you) but I can't access my server, 192.168.1.222 through the VPN-tunnel.
I changed the access-list name and the Group-policy for Split-tunnel, but still no luck.
Also - When I connect through the vpn and tries to access the internet, it's not through the firewall (but this is what's called split-tunneling, right?).
My latest setup, marked with "suspicious" lines:
: Saved
ASA Version 9.2(1)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names
ip local pool IP-Pool 192.168.30.5-192.168.30.200 mask 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.253 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
boot system disk0:/asa921-k8.bin
ftp mode passive
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network Server-25
host 192.168.1.222
description The test server
object network Server-80
host 192.168.1.222
description The test server
object network Server-443
host 192.168.1.222
description The test server
object network Server-2525
host 192.168.1.222
description The test server
object network Server-993
host 192.168.1.222
description The test server
object network Server-6001
host 192.168.1.222
description The test server
object network Server-6002
host 192.168.1.222
description The test server
object network Server-6003
host 192.168.1.222
description The test server
object network Server-6004
host 192.168.1.222
description The test server
object network VPN-HOSTS
subnet 192.168.30.0 255.255.255.0
object network inside-net
host 192.168.1.0
object network VPN-Server
host 192.168.1.222
access-list outside_access_in extended permit tcp any object Server-25 eq smtp
access-list outside_access_in extended permit tcp any object Server-2525 eq 2525
access-list outside_access_in extended permit tcp any object Server-80 eq www
access-list outside_access_in extended permit tcp any object Server-443 eq https
access-list outside_access_in extended permit tcp any object Server-993 eq 993
access-list outside_access_in extended permit tcp any object Server-6001 eq 6001
access-list outside_access_in extended permit tcp any object Server-6002 eq 6002
access-list outside_access_in extended permit tcp any object Server-6003 eq 6003
access-list outside_access_in extended permit tcp any object Server-6004 eq 6004
access-list outside_access_in extended permit ip 192.168.1.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list Split-Tunnel-ACL standard permit 192.168.30.0 255.255.255.0
no pager
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-721.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static inside-net inside-net destination static VPN-HOSTS VPN-HOSTS
nat (inside,outside) source static VPN-Server VPN-Server destination static VPN-HOSTS VPN-HOSTS
!
object network obj_any
nat (inside,outside) dynamic interface
object network Server-25
nat (inside,outside) static interface service tcp smtp smtp
object network Server-80
nat (inside,outside) static interface service tcp www www
object network Server-443
nat (inside,outside) static interface service tcp https https
object network Server-2525
nat (inside,outside) static interface service tcp 2525 2525
object network Server-993
nat (inside,outside) static interface service tcp 993 993
object network Server-6001
nat (inside,outside) static interface service tcp 6001 6001
object network Server-6002
nat (inside,outside) static interface service tcp 6002 6002
object network Server-6003
nat (inside,outside) static interface service tcp 6003 6003
object network Server-6004
nat (inside,outside) static interface service tcp 6004 6004
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server HSS-auth-server protocol radius
authorize-only
aaa-server HSS-auth-server (inside) host 192.168.1.222
timeout 5
key *****
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpool policy
crypto isakmp nat-traversal 30
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcp-client client-id interface outside
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy HSSvpn internal
group-policy HSSvpn attributes
wins-server value 192.168.1.222
dns-server value 192.168.1.222
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split-Tunnel-ACL
default-domain value hss.dk
tunnel-group HSSvpn type remote-access
tunnel-group HSSvpn general-attributes
address-pool IP-Pool
authentication-server-group HSS-auth-server
default-group-policy HSSvpn
password-management
tunnel-group HSSvpn ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group HSSvpn ppp-attributes
no authentication chap
no authentication ms-chap-v1
authentication ms-chap-v2
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:74e93a19385822503dbd9f3a72c202c2
: end
ciscoasa(config)#
07-11-2014 04:07 AM
Add "access-list Split-Tunnel-ACL standard permit 192.168.1.0 255.255.255.0 " to the configuration and this should help.
Regards,
Dinesh Moudgil
P.S. Please rate helpful posts.
07-11-2014 05:57 AM
I can connect to the server :D You are the master of ASA!
Then it turned out that I have misunderstood what I needed. I fell over this nice post with nice diagrams: http://blog.soundtraining.net/2013/03/how-to-configure-split-tunneling-on.html
So I take I need to do a "no split-tunnel-policy". Do I need more?
07-11-2014 05:59 AM
Hi ,
Here are the commands:-
group-policy test internal
group-policy test attributes
split-tunnel-policy tunnelall-------------(allows all the traffic to go through VPN tunnel)
nat (outside,outside) 1 source dynamic VPN-HOSTS VPN-HOSTS interface
------(Allows VPN users to get Patted to external ASA IP for internet access)
Regards,
Dinesh Moudgil
P.S. Please rate helpful posts.
07-11-2014 06:11 AM
nat throws me an error:
"Subnet can not be used as mapped source in dynamic NAT policy"
Perhaps it not good with the object... should it be modified?
object network VPN-HOSTS
subnet 192.168.30.0 255.255.255 0
07-11-2014 06:19 AM
Can you please try removing previous static nat for inside to outside interface.
Also, try these commands:-
object-group network VPC-HOSTS
network 192.168.30.0 255.255.255.0
exit
nat (outside,outside) 1 source dynamic VPC-HOSTS interface
Regards,
Dinesh Moudgil
P.S. Please rate helpful posts.
07-11-2014 06:30 AM
slightly confused here:
there's no 'network' under object-group network. You have the following:
group-object
network-object.
I'm gonna go with the last and nat it and see what happens.
07-11-2014 06:33 AM
I meant "network-object" :)
Regards,
Dinesh Moudgil
07-11-2014 06:56 AM
object-group network VPC-HOSTS
network-object 192.168.30.0 2255.255.255.0
exit
nat (outside,outside) 1 source dynamic VPC-HOSTS interface
Now I have no internet and not server connection
07-11-2014 07:34 AM
I see that you have got
"object network obj_any
nat (inside,outside) dynamic interface"
in place and this should allow you to access internet.
Can you please share the output of this command
"packet-tracer input inside icmp <internal host ip> 8 0 4.2.2.2 detailed"
Regards,
Dinesh Moudgil
07-11-2014 07:39 AM
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: