Tunnel Remote VPN Internet and Remote VPN to Site-to-Site VPN Traffic?
We are trying to tunnel our remote VPN users' traffic through our ASA 5510 as well as allow the remote VPN users' traffic access to the other end of all our site-to-site VPNs connected to the same ASA. Basically we want whoever VPNs into the network to be able to access all of our company networks. We are trying to get away with this without using split-tunneling.
I can currently get the remote VPN users' internal traffic to reach all the other site-to-site VPN tunnels, without the internet being tunneled. The problem is when I add the following NAT statement:
nat (outside) 1 10.10.19.0 255.255.255.0
(10.10.19.0/24 is the remote VPN client address range.)
The internet traffic for the remote VPN starts to get tunneled, but I lose the ability to reach any of the other site-to-site tunnels through the remote VPN tunnel.
I also start receiving the following errors in the ASA log:
3 Jul 01 2009 12:34:18 305005 10.10.19.255 137 No translation group found for udp src outside:10.10.19.3/137 dst outside:10.10.19.255/137
Any help with how the NAT statements should be set to get this to work would be appreciated.
Re: Tunnel Remote VPN Internet and Remote VPN to Site-to-Site VPN Traffic?
I really appreciate the help! This information assisted me in resolving the issue. I created an object-group (InsideVPN) containing all the internal networks I need the RA tunnels to access. I then created a separate access-list (outside_nat0_outbound) and NAT-exempted the access-list on the outside interface to get everything to work.
- InsideVPN is the object-group I used.
- 10.10.19.0/24 is our VPN pool.
access-list outside_nat0_outbound extended permit ip 10.10.19.0 255.255.255.0 object-group InsideVPN
access-list outside_nat0_outbound extended permit ip 10.10.19.0 255.255.255.0 10.10.19.0 255.255.255.0
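As an added example (not the poster's configuration), here is how the pieces above fit together in pre-8.3 ASA syntax: the hairpin permit, the NAT exemption that wins over the dynamic PAT rule, and the crypto ACL entries the site-to-site peers need. The internal ranges 192.168.10.0/24, 192.168.20.0/24 and 192.168.30.0/24, the pool name RA-POOL, the crypto ACL name VPN-to-PeerA and the group-policy name RA-GP are constructed for the example.

```cisco
! Added example, not the original poster's running-config.
! Network ranges and object names other than InsideVPN,
! outside_nat0_outbound and 10.10.19.0/24 are constructed.
!
! VPN client traffic enters and leaves on "outside"; the ASA drops
! that hairpin unless intra-interface traffic is explicitly allowed.
same-security-traffic permit intra-interface
!
! Remote-access pool (from the thread).
ip local pool RA-POOL 10.10.19.1-10.10.19.254 mask 255.255.255.0
!
! Every private network the clients must reach: local LAN plus the
! far side of each site-to-site tunnel (ranges are constructed).
object-group network InsideVPN
 network-object 192.168.10.0 255.255.255.0
 network-object 192.168.20.0 255.255.255.0
 network-object 192.168.30.0 255.255.255.0
!
! NAT exemption: pool -> private networks, and pool -> pool. The second
! line is what stops the 305005 "No translation group found" message
! for client-to-client traffic such as 10.10.19.3/137 -> 10.10.19.255/137.
access-list outside_nat0_outbound extended permit ip 10.10.19.0 255.255.255.0 object-group InsideVPN
access-list outside_nat0_outbound extended permit ip 10.10.19.0 255.255.255.0 10.10.19.0 255.255.255.0
!
! Order of evaluation: nat 0 (exemption) is checked before the dynamic
! rule, so only traffic that misses the exemption is PATed to the
! outside address and forwarded to the internet.
nat (outside) 0 access-list outside_nat0_outbound
nat (outside) 1 10.10.19.0 255.255.255.0
global (outside) 1 interface
!
! Each site-to-site crypto ACL must also match the pool as interesting
! traffic (mirrored on the remote peer), otherwise exempted packets for
! that site leave the ASA in the clear or are dropped. Example for peer A:
access-list VPN-to-PeerA extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list VPN-to-PeerA extended permit ip 10.10.19.0 255.255.255.0 192.168.20.0 255.255.255.0
!
! No split tunneling: all client traffic is sent into the tunnel.
group-policy RA-GP attributes
 split-tunnel-policy tunnelall
```

After applying it, `show xlate` should show no translations for 10.10.19.x destined to InsideVPN addresses, and the 305005 messages for the pool's broadcast address should stop.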