Reverse NAT Path Failure Question

Gregor Blaj
Level 1

Hi,

Using an ASA 5512-X running 9.3(3). I have AnyConnect VPN configured to PAT the remote access subnet to one of the inside interfaces (due to internal routing restrictions).

For example...

Remote subnet: 192.168.10.0/24

Internal subnet: 192.168.1.0/24

Inside Interface: 192.168.1.254

All remote access clients hide behind 192.168.1.254 and this is working correctly until I add a dynamic NAT rule for outbound traffic, then I start to see 'reverse NAT path failure' errors when VPN clients try to access internal resources.

object network LAN1
subnet 192.168.1.0 255.255.255.0
nat (inside,outside) dynamic interface

Is there a way to get around this since all remote access clients are hiding behind the interface address?

Thanks for any help.


9 Replies

Francesco Molino
VIP Alumni

Hi 

Could you drop the ASA config (nat + access-list)?

Thanks 


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Sure, below are the relevant bits. Let me know if you need anything else.

access-list ANYCONNECT_VPN_ACL_ST standard permit 192.168.1.0 255.255.255.0

object network ANYCONNECT_VPN_SUBNET
 subnet 192.168.10.0 255.255.255.0
 nat (outside,inside_101_infrastructure) dynamic interface

object network LAN1
 subnet 192.168.1.0 255.255.255.0
 nat (inside_101_infrastructure,outside) dynamic interface

Hi

Instead of doing nat under group, did you try to do it in global mode like:

nat (inside_101_infrastructure,outside) source dynamic LAN-GROUP interface destination static ANYCONNECT_VPN_SUBNET ANYCONNECT_VPN_SUBNET

Thanks

PS: Please don't forget to rate and mark as correct answer if this solved your issue


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Don't I need two NAT statements, one to translate VPN clients to the inside interface and the other NAT for normal outbound Internet access?

As it is dynamic, the thing is that it will be one-way communication. I mean, communications will be started from the LAN to the AnyConnect client.

I'm sorry, I will be very quick as I'm in a meeting right now. Why do you want to map every LAN to the LAN interface itself?


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

The connection needs to be the other way, so the AnyConnect client needs to be able to reach devices on the LAN. And the AnyConnect client needs to 'hide' behind the inside interface as the AnyConnect subnet is not internally routable.

Also, LAN clients need to be able to access the Internet.

Ok, then do the nat the other way. It has to be the 1st nat rule.

Did you try?

Did you do packet-capture?


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Ok, it seems to work with manual NAT statements below. Although the order looked right to me before too.

1. nat (outside, inside) source dynamic ANYCONNECT_VPN_SUBNET interface
2. nat (inside, outside) source dynamic LAN1 interface

Thanks for your help.
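To see why the two object NAT rules posted earlier in the thread produce the reverse NAT path failure while the two manual NAT statements above do not, here is an added Python model of first-match NAT lookup and the reverse-path check. It is not code from the thread or from Cisco: it is a deliberately simplified model in which section 1 (manual NAT) rules are evaluated in configuration order and match in both directions, section 2 (object NAT) rules are ordered by real network address, and every rule is "dynamic ... interface" PAT. The outside interface address 203.0.113.1 and the sample hosts are constructed; 192.168.1.254 and the two subnets come from the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed interface addresses: 192.168.1.254 is the inside interface from the
# thread; the outside address is a made-up documentation-range value.
IFACE_ADDR = {
    "inside": ipaddress.ip_address("192.168.1.254"),
    "outside": ipaddress.ip_address("203.0.113.1"),
}


@dataclass
class NatRule:
    name: str
    section: int                      # 1 = manual (twice) NAT, 2 = object (auto) NAT
    ingress: str                      # real-side interface
    egress: str                       # mapped-side interface
    real_src: ipaddress.IPv4Network
    dst: Optional[ipaddress.IPv4Network] = None   # "destination static X X", or any if None
    order: int = 0                    # configuration order, used within section 1

    def mapped_src(self):
        # Every rule in the thread is "dynamic ... interface": PAT to the egress interface address.
        return IFACE_ADDR[self.egress]


def nat_table(rules):
    """Order rules as the model evaluates them: section 1 in config order, then section 2
    by lowest real network first (a simplification of the ASA's object-NAT ordering)."""
    s1 = sorted((r for r in rules if r.section == 1), key=lambda r: r.order)
    s2 = sorted((r for r in rules if r.section == 2), key=lambda r: int(r.real_src.network_address))
    return s1 + s2


def match(rule, ingress, src, dst):
    """'forward' if the rule would translate this packet as a new flow; 'reverse' if the
    packet is addressed to the rule's mapped address, i.e. it is a reply to be untranslated."""
    if ingress == rule.ingress and src in rule.real_src and (rule.dst is None or dst in rule.dst):
        return "forward"
    if ingress == rule.egress and dst == rule.mapped_src() and (rule.dst is None or src in rule.dst):
        return "reverse"
    return None


def lookup(table, ingress, src, dst):
    for rule in table:
        direction = match(rule, ingress, src, dst)
        if direction:
            return rule, direction
    return None, None


def check_flow(rules, ingress, src, dst):
    """Simulate a new connection plus the reverse-path check: the reply must be handled by the
    same rule that translated the forward packet. Returns (ok, explanation)."""
    table = nat_table(rules)
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    fwd_rule, direction = lookup(table, ingress, src, dst)
    if fwd_rule is None or direction != "forward":
        return False, "no forward translation for this flow"
    mapped = fwd_rule.mapped_src()
    # The reply enters on the egress interface, from the real destination, to the mapped address.
    rev_rule, rev_dir = lookup(table, fwd_rule.egress, dst, mapped)
    if rev_rule is fwd_rule and rev_dir == "reverse":
        return True, f"{fwd_rule.name}: {src} -> {mapped}, reply untranslated by the same rule"
    hit = rev_rule.name if rev_rule else "no rule"
    return False, f"reverse NAT path failure: forward matched {fwd_rule.name}, reply would match {hit}"


VPN = ipaddress.ip_network("192.168.10.0/24")
LAN = ipaddress.ip_network("192.168.1.0/24")

# The originally posted config: two object (auto) NAT rules, both "dynamic interface".
ORIGINAL = [
    NatRule("object ANYCONNECT_VPN_SUBNET", 2, "outside", "inside", VPN),
    NatRule("object LAN1", 2, "inside", "outside", LAN),
]
# The final working config: the same translations as manual NAT, VPN rule first.
FIXED = [
    NatRule("manual #1 VPN->inside", 1, "outside", "inside", VPN, order=1),
    NatRule("manual #2 LAN->outside", 1, "inside", "outside", LAN, order=2),
]
# Same two manual rules with the LAN rule configured first.
WRONG_ORDER = [
    NatRule("manual #1 LAN->outside", 1, "inside", "outside", LAN, order=1),
    NatRule("manual #2 VPN->inside", 1, "outside", "inside", VPN, order=2),
]

# Constructed sample flows: a VPN client reaching a LAN host, and a LAN host reaching the Internet.
VPN_TO_LAN = ("outside", "192.168.10.5", "192.168.1.10")
LAN_TO_INTERNET = ("inside", "192.168.1.10", "198.51.100.7")

if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL), ("fixed", FIXED), ("wrong order", WRONG_ORDER)):
        for flow in (VPN_TO_LAN, LAN_TO_INTERNET):
            print(label, flow, check_flow(cfg, *flow))
```

Run as-is, the model reports the failure for the object NAT config (the reply from the LAN host is caught first by the LAN1 rule, which would source-translate it to the outside interface instead of untranslating it), a clean result for the manual rules in the order given above, and the same failure again when the LAN rule is configured first, which is the ordering point made earlier in the thread.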

Nice to hear that. 


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question