Hairpin on Cisco 5525X with real IP addresses

netops2014
Level 1

Hi All,

I was hoping someone could explain this to me or set me straight. We have a Cisco ASA 5525X (running 9.2) and are in a good position where we can use real IP addresses. What I am hoping to do is a Hairpin Scenario.

People will connect to a Real IP on the outside interface, get a VPN Pool address (from a pool of REAL IP addresses) and get routed back out the same interface with the use of identity NAT.

I have got this to work using Dynamic PAT and a static route, but my IP address when connecting to servers/internet is showing as the outside Interface IP.

object network VPN-General
 subnet 137.X.X.X 255.255.255.192

nat (any,Outside) source dynamic VPN-General interface

route Outside 0.0.0.0 0.0.0.0 <gateway of Outside Int IP> 1

I have been reading and tried a lot of examples, but is it possible to get a REAL VPN Pool address and, when leaving the ASA via the Outside Interface, keep my pool address?

Thanks

N

22 Replies

Rahul Govindan
VIP Alumni

I don't see why this won't be possible. As long as you have the identity NAT correctly configured to u-turn the traffic from outside to outside, this should be do-able. I have not seen a deployment doing this yet, as not many folks have a lot of spare public IPv4 addresses.

Another option is to do the same dynamic NAT as before, only do it to a separate Public IP (or pool of Public IP addresses) so that they show up as different addresses from the external ip address. This option saves you using all the ip addresses in a VPN pool.

Hi Rahul/Marius,

Thanks for taking the time to respond. I think I am either doing this wrong or missing something.

I have the same-security-traffic permit intra-interface command on the ASA.

What I have is the following:

Outside Interface:

nameif Outside

ip address 193.X.X.X 255.255.255.0

object network VPN-General

 subnet 137.X.X.X 255.255.255.192

ip local pool VPN-General 137.X.X.X-137.X.X.X mask 255.255.255.192 (same as above object network)

Static Route

0.0.0.0 0.0.0.0 <193.X.X.X (outside interface Gateway)>

nat (Outside,Outside) source static VPN-General VPN-General no-proxy-arp route-lookup

So when you connect with the AnyConnect client to the outside interface, you get a REAL IP address. I then want this REAL VPN Pool address to be visible when being used for internet and internal resources. As I was saying, I have this working with dynamic PAT but would like to use identity NAT.

Is this possible? Thanks for your time

Net-ops

Remove the no-proxy-arp command from the NAT statement and then test.

--
Please remember to select a correct answer and rate helpful posts
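For readers following along, here is the outside-to-outside identity NAT hairpin as one consolidated ASA 9.x configuration, assembled from the fragments posted above with Marius's suggestion (no no-proxy-arp) applied, plus the capture that Rahul asks for later in the thread. This is an added example, not a config from the thread or from Cisco; the interface name, addresses (RFC 5737 documentation ranges standing in for the poster's 193.X.X.X/24 outside subnet and 137.X.X.0/26 pool), the gateway address and the capture name are all assumptions.

```cisco
! Added example, not from the thread. Addresses are RFC 5737 documentation
! space chosen to stand in for the poster's real ranges.
!
! 1. Permit traffic to enter and leave the same interface (the poster has this already).
same-security-traffic permit intra-interface
!
! 2. Outside interface (assumed name and address).
interface GigabitEthernet0/0
 nameif Outside
 security-level 0
 ip address 198.51.100.10 255.255.255.0
!
! 3. VPN pool of routable addresses, and an object covering exactly the same /26.
ip local pool VPN-General 203.0.113.4-203.0.113.62 mask 255.255.255.192
object network VPN-General
 subnet 203.0.113.0 255.255.255.192
!
! 4. Outside-to-outside identity NAT. route-lookup tells the ASA to choose the
!    egress interface from the routing table rather than from the NAT rule.
!    Per Marius's suggestion the no-proxy-arp keyword is left off, so the ASA
!    answers ARP for pool addresses on the Outside segment. If the pool is a
!    different subnet from the Outside interface (as in the thread), proxy ARP
!    does not apply and the upstream must route the pool subnet to 198.51.100.10.
nat (Outside,Outside) source static VPN-General VPN-General route-lookup
!
! 5. Default route via the upstream gateway (assumed address). ASA 9.x rejects a
!    next hop equal to its own interface address, as the poster found.
route Outside 0.0.0.0 0.0.0.0 198.51.100.1 1
!
! 6. Verification: capture traffic sourced from or destined to the pool on Outside.
!    Pool addresses as the source of outbound packets means the identity rule is
!    being hit; the interface address instead means a dynamic PAT rule still matches.
capture hairpin interface Outside match ip 203.0.113.0 255.255.255.192 any
show capture hairpin
show nat detail
```

Manual (twice) NAT rules are evaluated in the order they appear in section 1 of the NAT table, so the dynamic PAT rule from the original post (nat (any,Outside) source dynamic VPN-General interface) must be removed, or placed after the identity rule, or it will keep translating the pool to the interface address before the identity rule is ever reached. The show nat detail counters show which rule the VPN traffic is actually hitting.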

Hi Marius,

Thanks for the suggestion. No luck though, I am afraid. Do you have any other recommendations that I could try?

Thanks

Net

Can you apply a capture on the outside interface to see if packets are going out and coming back in using the real IP address pool range? Also attach your sanitized config here if possible.

Hi Rahul,

I had actually done a capture and can't see any of the real IPs at all, I guess this suggests the NAT isn't working. I will take a look at this.

Attached is the running config. Sorry, it may contain some stale config. Thanks for your time.

Could you identify the last octet in your VPN pool?

ip local pool VPN-General 137.X.X.X-137.X.X.X mask 255.255.255.192

--
Please remember to select a correct answer and rate helpful posts

Hi,

137.X.X.4 - 137.X.X.62

Thanks

Is the 137.x.x.0/26 network routed towards the outside IP of your ASA?

--
Please remember to select a correct answer and rate helpful posts

Yeah,

I have a static route 0.0.0.0 0.0.0.0 <gateway of Outside interface>

I could not route directly to the IP itself, is this normal?

You misunderstand. Your ISP needs to ensure that the 137.x.x.0/26 network is routed toward your outside interface.

--
Please remember to select a correct answer and rate helpful posts

Hi Marius,

As we use only REAL IP addresses on our network, all are routable to the internet, and we can use them at any location on our network. Our ASA is connected into our core on the same VLAN as our ISP connection, so any IP going out the outside interface has direct access to the internet. We have this existing configuration working on an older ASA (running asa723-k8.bin), so I am just trying to replicate this. It's the exact same thing. The older ASA is also in the same /24 VLAN and when connected you get a REAL IP, which is then hairpinned back out the outside interface using these NAT commands. They are no longer available in 9.2, it seems.

nat-control
nat (outside) 0 137.X.X.X 255.255.255.0

I have attached a diagram of the network layout (sorry, it's pretty simple looking) to help try to explain. I have changed the IP addresses slightly to help, but they are all internet routable.

Thanks

I also notice that in older code you can statically route all traffic or VPN Pool traffic directly to the IP address of the outside interface on the ASA. Trying to do this in 9.2 code gives an error:

Invalid next hop address <ASA Outside IP Address>, it matches our IP address

Does the older ASA also use 137.x.x.x for the VPN pool?

--
Please remember to select a correct answer and rate helpful posts