Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

vpn acl and nat

Hello

I have asa 5512-x

asa version 9.1(2)

asdm version 7.2(1)

 

Im not really good with cisco syntax, so I use asdm

I created a split tunnel remote ipsec vpn with cisco vpn client

the purpose is to allow traffic from vpn to local lan

and to allow traffic from vpn to a public specific website

so I defined both objects, and added them to the split tunnel exempt (object names: "LAN" , "Rackspace")

access to lan is ok, access to a certain website is not working

I guess I have some nat/acl missing,

can someone please explain me in the most simple way how to achieve this?

 

Thank you very much

2 ACCEPTED SOLUTIONS

Accepted Solutions
Super Bronze

Hi, What is this subnet

Hi,

 

What is this subnet

 

object network NETWORK_OBJ_172.18.0.0_26
 subnet 172.18.0.0 255.255.255.192

 

Also this "nat" configuration seems strange

 

nat (LAN,WAN1) source static VPN-Tunnel VPN-Tunnel destination static NETWORK_OBJ_172.18.0.0_26 NETWORK_OBJ_172.18.0.0_26 no-proxy-arp route-lookup

 

When we see that the source interface for the "nat" is "LAN" and the source networks are those configured under "VPN-Tunnel" it seems to suggest that this NAT configuration forwards traffic destined to "LAN" and "rackspace" towards the "LAN" interface. This is naturally fine for the subnet configured under "LAN" but the "rackspace" to my understanding is located behind some external interface of the ASA correct? Though I guess I would really need to know what the subnet I mentioned at the start of the post is (that is used in this NAT configuration also)

 

What is the interface to which the VPN users connect to? DSL or WAN1? Though the following command would list to which interface the Crypto Map is attached

 

show run crypto map

 

Can you also list the output of the following command

 

show run ip local pool

 

- Jouni

 

 

 

Super Bronze

Hi, I guess in this case I

Hi,

 

I guess in this case I would suggest you do the following configurations on the ASA and then test the VPN connectivity to the LAN network and to the public server.

 

object network VPN-POOL
 subnet 172.18.0.0 255.255.255.192

 

nat (LAN,WAN1) 1 source static LAN LAN destination static VPN-POOL VPN-POOL

 

The above configurations first create a new "object" to hold the VPN Pool subnet. We when use the existing "object network LAN" and the new "object network VPN-POOL" in the "nat" configuration that will tell the ASA to exempt the traffic between this networks from NAT (usually referred to NAT0 or NAT Exempt)

 

no nat (LAN,WAN1) source static VPN-Tunnel VPN-Tunnel destination static NETWORK_OBJ_172.18.0.0_26 NETWORK_OBJ_172.18.0.0_26 no-proxy-arp route-lookup

 

In the above command we remove the existing "nat" configuration as it should not be needed anymore after adding the "nat" command I mentioned before. The above "nat" configuration handled the NAT0/NAT Exempt for the VPN <-> LAN traffic but it would also possinly cause problems for the traffic from VPN -> Public Web server

 

object network VPN-POOL-PAT
 subnet 172.18.0.0 255.255.255.192
 nat (WAN1,WAN1) dynamic interface

 

In the above we create a new "object" for the purpose of configuring the NAT for the VPN users that connect to the public Web server.

 

Then you should also check the output of the command

 

show run same-security-traffic

 

It should contain the command "same-security-traffic permit intra-interface". If not then add the command.

 

Hope this helps :)

 

- Jouni
 

14 REPLIES
Super Bronze

Hi, We can only give you

Hi,

 

We can only give you general advice on what might be missing since you have not shared any configurations.

 

So the only thing that is not currently working is the connection which is supposed to use the VPN Client connection to reach a public IP address through the ASA?

 

I would presume that either of the below (or both) 2 might be reason for your connection not working towards the public IP address.

 

You connection from VPN Client host is first coming to the ASA through the "outside" interface and I presume that the public website is found also behind the "outside" interface from ASAs perspective? By default the ASA does not allow traffic to enter and leave through the same interface which would be in this case be "outside". (or perhaps you have named it otherwise)

 

You need the following command to allow such traffic

same-security-traffic permit intra-interface

 

You can check if you have this setting already with the command

show run same-security-traffic

 

The first command listed should enable traffic to flow in/out through the same interface.

 

In addition to the above situation you might also be missing a Dynamic PAT configuration for your VPN Clients since their connections need to be translated to a public IP address just like any LAN users accessing a public website.

 

The basic configuration format to achieve this while using the ASAs external interfaces public IP address would be the following

 

object network VPN-CLIENT-PAT
 subnet <vpn pool subnet> <mask>
 nat (outside,outside) dynamic interface

 

The above presumes that your external ASA interface is named "outside".

 

Other than the above I would confirm that your VPN Client shows the public website IP address in its routing section so you can be sure that connection towards it are forwarded to the VPN Connection and to the ASA.

 

For more specific help we would need to see some configurations.

 

Hope this helps :)

 

-  Jouni

New Member

Thank you very much for the

Thank you very much for the detailed answer Jouni

Can you please explain what were you referring to at "VPN-CLIENT-PAT"

is it a new object I should create? 

or is it the "Rackspace" object?

the vpn pool subnet is the same as my local lan subnet, is it ok?

I was told that the vpn pool needs to be on a the same subnet as my lan.

Super Bronze

Hi, The "object" mentioned

Hi,

 

The "object" mentioned above for the VPN PAT is only meant to be used as an "object" that contains the "nat" configuration. The NAT configuration that translates the VPN users VPN Pool IP address to a public IP address when connecting to the Internet.

 

I would personally create a new "object" just for this Dynamic PAT translation and not really use it in any ACL or other configuration.

 

Though I presume that the "rackspace" object you mention holds the remote public IP address of the server? If so then it doesnt really have anything to do with this "object" I mentioned as this contains the VPN Pool for which we are doing a NAT configuration.

 

With regards to what the VPN Pool should be I would typically say the exact opposite. I rather have the VPN Pool and LAN networks be 2 completely different networks as every now and then you run into problem just because you are using addresses from the same subnet in the LAN and in the VPN Pool even though the hosts are not directly in the same L2 network.

 

- Jouni

New Member

Hi Jouni,Once again your

Hi Jouni,

Once again your detailed answers are highly appreciated

So If I understand you correctly I should do it like this?

object network Rackspace
 subnet <vpn pool subnet> <mask>
 nat (outside,outside) dynamic interface

?

 

Now as to the the different networks,

If I created the remote ip sec vpn with a different network,

Is there any specific acl/nat rule I need to add in order for this to communicate with my local "LAN" or would the wizard take care of this step?

 

Thank you.

 

Super Bronze

Hi, As I said before you

Hi,

 

As I said before you should create a new "object" since this is only used for the VPN users NAT/PAT towards the Internet. You mentioned in your original post that you already had an "object" named "Rackspace" so you should not use the same name.

 

If you changed the VPN Pool subnet then you would likely have to configure  a new NAT0 configuration which purpose is to exempt the traffic between LAN and VPN subnets from NAT.

 

I don't personally really use the ASDM to configure our ASAs. I am not sure if the Wizard is really appropriate for such changes to an existing connection. Its used for configuring new VPN connections rather than modifying existing ones to my understanding.

 

I can not really tell what configurations you need since I have not seen the current CLI format configuration of the ASA.

 

- Jouni

New Member

Hi Jouni,The entire running

Hi Jouni,

The entire running config or something in specific?

I apologize again for now knowing how a proper help request should be :)

Super Bronze

Hi, You can use the command

Hi,

 

You can use the command "show run" on the CLI to view the full configuration. Though usually its good to change any of your public IP address from the configuration to something else to avoid giving any sentive information publicly.

 

In your case if we were to look at the configurations related to this issue I would assume that the output of the following commands would already tell much

 

show run nat

show run access-list

show run group-policy

show run tunnel-group

 

They should list the NAT configurations, access-list configurations, Group Policies and Tunnel Groups. It might also require the output of the following commands to list the contents of the different objects you are using in the NAT configurations and/or the ACLs

 

show run object network

show run object-group

 

However if your configuration on the ASA if very simple it might be easier to modify any public IP addresses belonging to your from the configuration and share it as it is.

 

- Jouni

New Member

sh run natciscoasa(config)#

sh run nat

ciscoasa(config)# sh run nat
nat (LAN,DSL) source dynamic LAN interface
nat (LAN,WAN1) source dynamic LAN interface
nat (DSL,any) source static DM_INLINE_NETWORK_5 DM_INLINE_NETWORK_5 destination static interface Asterisk
nat (LAN,WAN1) source static VPN-Tunnel VPN-Tunnel destination static NETWORK_OBJ_172.18.0.0_26 NETWORK_OBJ_172.18.0.0_26 no-proxy-arp route-lookup

 

sh run access-list

 

ciscoasa(config)# sh run access-list
access-list vpn_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list vpn_splitTunnelAcl standard permit host 74.220.57.80
access-list DSL_access_out extended permit ip object LAN any
access-list DSL_access_out extended permit ip object Voip object-group DM_INLINE_NETWORK_3
access-list WAN1_access_out extended permit ip object LAN any
access-list WAN1_access_out extended permit ip object Voip object-group DM_INLINE_NETWORK_1
access-list vpn_splitTunnelAcl_1 standard permit 192.168.1.0 255.255.255.0
access-list vpn_splitTunnelAcl_1 standard permit host 74.205.97.180
access-list WAN1_access_in extended permit ip object-group DM_INLINE_NETWORK_4 object Voip
access-list DSL_access_in extended permit ip object-group DM_INLINE_NETWORK_2 object Voip

 

sh run group-policy

ciscoasa(config)# sh run group-policy
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ssl-clientless
group-policy vpn internal
group-policy vpn attributes
 dns-server value 192.168.1.200 192.168.1.202
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpn_splitTunnelAcl
 default-domain value name.local

 

sh run tunnel-group

ciscoasa(config)# sh run tunnel-group
tunnel-group vpn type remote-access
tunnel-group vpn general-attributes
 address-pool vpnpool
 authentication-server-group LDAP
 default-group-policy vpn
tunnel-group vpn ipsec-attributes
 ikev1 pre-shared-key *****

 

 

 

sh run object network

ciscoasa(config)# sh run object network
object network LAN
 subnet 192.168.1.0 255.255.255.0
object network Asterisk
 host 192.168.1.190
object network rackspace
 host 74.220.57.80

object network NETWORK_OBJ_172.18.0.0_26
 subnet 172.18.0.0 255.255.255.192

 

sh run object-group

ciscoasa(config)# sh run object-group
object-group network VPN-Tunnel
 network-object object LAN
 network-object object rackspace

 

 

I Hope that's good, thanks again

 

 

Super Bronze

Hi, What is this subnet

Hi,

 

What is this subnet

 

object network NETWORK_OBJ_172.18.0.0_26
 subnet 172.18.0.0 255.255.255.192

 

Also this "nat" configuration seems strange

 

nat (LAN,WAN1) source static VPN-Tunnel VPN-Tunnel destination static NETWORK_OBJ_172.18.0.0_26 NETWORK_OBJ_172.18.0.0_26 no-proxy-arp route-lookup

 

When we see that the source interface for the "nat" is "LAN" and the source networks are those configured under "VPN-Tunnel" it seems to suggest that this NAT configuration forwards traffic destined to "LAN" and "rackspace" towards the "LAN" interface. This is naturally fine for the subnet configured under "LAN" but the "rackspace" to my understanding is located behind some external interface of the ASA correct? Though I guess I would really need to know what the subnet I mentioned at the start of the post is (that is used in this NAT configuration also)

 

What is the interface to which the VPN users connect to? DSL or WAN1? Though the following command would list to which interface the Crypto Map is attached

 

show run crypto map

 

Can you also list the output of the following command

 

show run ip local pool

 

- Jouni

 

 

 

New Member

Thanks for the reply Jouni

Thanks for the reply Jouni,

This subnet is supposed to be the VPN pool subnet,

the traffic for the VPN should be via WAN1

this nat rule was created via the vpn wizard,

and yes, "rackspace" is located behind the external interface of the asa.

sh run crypto map

ciscoasa(config)# sh run crypto map 
crypto map WAN1_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map WAN1_map interface WAN1

 

sh run ip local pool

ciscoasa(config)# sh run ip local pool 
ip local pool vpnpool 172.18.0.1-172.18.0.50 mask 255.255.255.0

 

Super Bronze

Hi, I guess in this case I

Hi,

 

I guess in this case I would suggest you do the following configurations on the ASA and then test the VPN connectivity to the LAN network and to the public server.

 

object network VPN-POOL
 subnet 172.18.0.0 255.255.255.192

 

nat (LAN,WAN1) 1 source static LAN LAN destination static VPN-POOL VPN-POOL

 

The above configurations first create a new "object" to hold the VPN Pool subnet. We when use the existing "object network LAN" and the new "object network VPN-POOL" in the "nat" configuration that will tell the ASA to exempt the traffic between this networks from NAT (usually referred to NAT0 or NAT Exempt)

 

no nat (LAN,WAN1) source static VPN-Tunnel VPN-Tunnel destination static NETWORK_OBJ_172.18.0.0_26 NETWORK_OBJ_172.18.0.0_26 no-proxy-arp route-lookup

 

In the above command we remove the existing "nat" configuration as it should not be needed anymore after adding the "nat" command I mentioned before. The above "nat" configuration handled the NAT0/NAT Exempt for the VPN <-> LAN traffic but it would also possinly cause problems for the traffic from VPN -> Public Web server

 

object network VPN-POOL-PAT
 subnet 172.18.0.0 255.255.255.192
 nat (WAN1,WAN1) dynamic interface

 

In the above we create a new "object" for the purpose of configuring the NAT for the VPN users that connect to the public Web server.

 

Then you should also check the output of the command

 

show run same-security-traffic

 

It should contain the command "same-security-traffic permit intra-interface". If not then add the command.

 

Hope this helps :)

 

- Jouni
 

New Member

Hi Jouni,I've done as

Hi Jouni,

I've done as mentioned, 

but one thing I'm missing, how do I limit the traffic to outside via the vpn to be just for "rackspace", I don't want to carry through the vpn tunnel the entire internet traffic of the remote user.

 

 

Super Bronze

Hi, According to your

Hi,

 

According to your configurations you have already done so. Only traffic to the single public IP and your LAN network should be forwarded to the VPN connection at the moment. Rest of the traffic should be forwarded through the VPN users local Internet connection (where ever that might be located)

 

In your configurations you have these things that tell that it should be fine already.

 

tunnel-group vpn type remote-access
tunnel-group vpn general-attributes
 default-group-policy vpn

 

The above configuration is the Tunnel Group for your VPN Client connection. It states that the Group Policy named "vpn" is used for this VPN connection.

 

group-policy vpn internal
group-policy vpn attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpn_splitTunnelAcl

 

When we look at the Group Policy named "vpn" we can see that its configured so that only specific networks/hosts should be tunneled since it has the "split-tunnel-policy tunnelspecified". It further requires the command "split-tunnel-network-list value <acl name>" which tells the Group Policy which ACLs tells the VPN which networks/hosts should be included in the VPN.

 

The term "tunnel" in this case simply refers to which networks/hosts are found behind the VPN connection or in other words destination networks/host for which traffic should be forwarded to the VPN connection when its active.

 

access-list vpn_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list vpn_splitTunnelAcl standard permit host 74.220.57.80


Finally we have a look at the above ACL that lists the networks/hosts to which traffic from the VPN Client should be forwarded through the VPN Connection. So as you can see you have configured the LAN network and a single public IP address there. So only traffic destined to the mentioned addresses are forwarded through the VPN connection.

 

You did not mention yet if the connections work? Did the changed configurations correct the situation?

 

Please do remember to mark any correct answers and rate helpfull answers.

 

Feel free to ask more

 

- Jouni

 

 


 

New Member

Jouni,Your patience and help

Jouni,

Your patience and help is simply outstanding,

Thank you very much for all of you assistance and well explained details even in a way that I can understand! 

 

I really can't thank you enough

 

:)

 

217
Views
10
Helpful
14
Replies
CreatePlease login to create content