https://community.cisco.com/t5/network-security/asa-remote-access-vpn-nat-exemption-rules/m-p/1271822#M819980 <HTML><HEAD></HEAD><BODY><P>Thanks - that was the problem. Turns out that the ASDM wizard was adding an exemption rule, but for some reason it was adding it as management -&gt; inside, instead of inside -&gt; outside.</P><P></P><P>I have noticed one other thing though - the default route on the client PC is being set as the IP being assigned via the VPN, which means that while I can access the servers behind the VPN, I lose access to normal network resources. </P><P></P><P>I have got split tunnelling enabled in the VPN config and 'allow local LAN access' ticked in the VPN client - any ideas what else I should be doing?</P><P></P><P>Thanks.</P></BODY></HTML> Sat, 08 Aug 2009 11:54:29 GMT jamesl0112 2009-08-08T11:54:29Z https://community.cisco.com/t5/network-security/asa-remote-access-vpn-nat-exemption-rules/m-p/1271820#M819978 <P>I have set up a remote-access VPN using the ASA VPN wizard. When I test the connection with the Cisco VPN Client I connect successfully and get assigned an IP address from the pool I specified. However I can't send any traffic to the network behind the firewall.</P><P></P><P>The syslog records things like this:</P><P></P><P>No translation group found for icmp src WAN:10.0.0.10 dst Internal:SERVER-1 (type 8, code 0)</P><P>No translation group found for udp sec WAN: 10.0.0.10/49245 dst Internal:SERVER-1/53</P><P></P><P>10.0.0.10 is the IP the client PC is assigned. The same thing happens whether I specify a separate subnet as the pool, or if I try and use the same subnet as is used on the internal interface.</P><P></P><P>Is this because an extra NAT exemption rule is required? </P><P></P><P>Any assistance gratefully received - thanks.</P> Mon, 11 Mar 2019 16:04:03 GMT https://community.cisco.com/t5/network-security/asa-remote-access-vpn-nat-exemption-rules/m-p/1271820#M819978 jamesl0112 2019-03-11T16:04:03Z https://community.cisco.com/t5/network-security/asa-remote-access-vpn-nat-exemption-rules/m-p/1271821#M819979 <HTML><HEAD></HEAD><BODY><P>James</P><P></P><P>Yes, you should add a nat exemption for the nat pool you are using for the vpn clients ie. </P><P></P><P>access-list inside_nat0_outbound extended permit ip any 192.168.10.0 255.255.255.0</P><P>nat (inside) 0 access-list inside_nat0_outbound </P><P></P><P>replace 192.168.10.0 255.255.255.0 with whatever your VPN pool is.</P><P></P><P>Jon</P></BODY></HTML> Fri, 07 Aug 2009 17:59:53 GMT https://community.cisco.com/t5/network-security/asa-remote-access-vpn-nat-exemption-rules/m-p/1271821#M819979 Jon Marshall 2009-08-07T17:59:53Z https://community.cisco.com/t5/network-security/asa-remote-access-vpn-nat-exemption-rules/m-p/1271822#M819980 <HTML><HEAD></HEAD><BODY><P>Thanks - that was the problem. Turns out that the ASDM wizard was adding an exemption rule, but for some reason it was adding it as management -&gt; inside, instead of inside -&gt; outside.</P><P></P><P>I have noticed one other thing though - the default route on the client PC is being set as the IP being assigned via the VPN, which means that while I can access the servers behind the VPN, I lose access to normal network resources. </P><P></P><P>I have got split tunnelling enabled in the VPN config and 'allow local LAN access' ticked in the VPN client - any ideas what else I should be doing?</P><P></P><P>Thanks.</P></BODY></HTML> Sat, 08 Aug 2009 11:54:29 GMT https://community.cisco.com/t5/network-security/asa-remote-access-vpn-nat-exemption-rules/m-p/1271822#M819980 jamesl0112 2009-08-08T11:54:29Z https://community.cisco.com/t5/network-security/asa-remote-access-vpn-nat-exemption-rules/m-p/1271823#M819981 <HTML><HEAD></HEAD><BODY><P>I didn't need 'allow local LAN access' ticked in the client.</P><P></P><P>The problem was that although split tunnelling was enabled, the ACL added by the wizard was for destination 0.0.0.0. I changed this to the network behind the ASA and the client stopped receiving a default route.</P><P></P><P>Example here: <A class="jive-link-custom" href="http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080702999.shtml" target="_blank">http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080702999.shtml</A></P><P></P><P>The main thing I've learnt is - don't trust the wizard <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P></BODY></HTML> Sun, 09 Aug 2009 14:46:54 GMT https://community.cisco.com/t5/network-security/asa-remote-access-vpn-nat-exemption-rules/m-p/1271823#M819981 jamesl0112 2009-08-09T14:46:54Z