01-10-2019 08:32 PM
Dear Community,
I'm currently building a network infrastructure for my company and do the configuration mainly remotely via VPN (AnyConnect Client to Site). In this regard we also enabled access to the management interface of an ASA 5508-X (ASDM, etc.). Unfortunately I obviously made a mistake by configuring DHCP for my VPN account. I received the same IP address for months and finally forgot that I used DHCP instead of a static IP for my VPN account. Yesterday the ASDM crashed during configuration and after renewing the network connection I couldn't access the ASDM anymore. Further investigation showed that my client's IP address had changed from 192.168.1.X to 192.168.1.Z. Unfortunately no NAT rule matches anymore in this case and I couldn't access the ASDM remotely.
My question is whether there is a possibility to configure a static IP on the client side (back to my 192.168.1.X address) without connecting to the ASA itself. Maybe via the profile files?
Otherwise I'm afraid I will have to connect to the ASDM on site via cable and afterwards set up the static IP. In this case, could you please share a doc on how to do it?
Best greetings,
niLuxx
01-10-2019 08:49 PM
01-10-2019 08:58 PM
Dear Francesco,
No, I do not even have SSH access. The ASA is not reachable (not via ping, SSH, HTTP, ...). But I can access a client (no SSH functionality) connected directly to the ASA (which means the ASA should be functional), but all other clients are connected over a layer-3 switch and this switch is also not reachable (probably because of missing NAT rules).
By the way, I also do not understand why we have to use NAT rules to get the VPN running. Normally I would expect that after the VPN is established the client would be routed via the default routes.
Best greetings,
niLuxx
01-10-2019 11:34 PM
You are correct, you do not require NAT if you are looking to have a site-to-site VPN only for office-to-office communication.
That is if this ASA is only for the VPN tunnel. But if in your network this ASA is also handling Internet access, then to go to the Internet you require NAT rules, since RFC 1918 addresses cannot be routed into Internet space.
Makes sense? If you need more assistance, please post the full configuration of both sides for a better recommended configuration.
01-11-2019 06:24 AM
01-11-2019 09:40 AM - edited 01-11-2019 10:20 AM
Hi all,
my colleagues told me that there had been a system failure. After restarting the hardware I could even access the ASDM with an alternative IP again, but I couldn't reach the internal network due to the incorrect IP address issue (see above).
That was the reason why I wanted to give my username a static IP address. Therefore I went to
1. AAA/Local Users
2. Local Users
3. Selected my username and clicked edit
4. Selected "VPN Policy"
5. Inserted a static IP
6. Applied the setting
Everything went fine, but now I cannot connect to the VPN anymore. I can reach the endpoint and also enter the credentials, but there is always a "login failed". I didn't change anything else, just the IP.
Is it possible that my user got blocked due to this change? I can't understand that.
Is there a logfile I can check on the client side to see what is wrong?
By the way, it's a level 15 user.
Best greetings,
niLuxx
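The two questions in this thread (why a NAT rule is needed for VPN clients to reach the inside network, and how a user is given a fixed VPN address) map to a small piece of ASA configuration. The fragment below is an added example written for this thread; it is not the poster's configuration and nothing here was taken from the ASA in question. Object names, interface names, the 10.10.10.0/24 inside network, the pool range and the 192.168.1.50 address are placeholders. It uses the ASA 8.3+ NAT syntax.

```cisco
! Added example (not from the thread). Placeholders: INSIDE-NET, VPN-POOL-NET,
! ANYCONNECT-POOL, the subnets, the pool range and the per-user address.

! Inside network and the address range handed to AnyConnect clients
object network INSIDE-NET
 subnet 10.10.10.0 255.255.255.0
object network VPN-POOL-NET
 subnet 192.168.1.0 255.255.255.0

! Dynamic pool for remote-access clients
ip local pool ANYCONNECT-POOL 192.168.1.100-192.168.1.200 mask 255.255.255.0

! Identity ("NAT exemption") rule: inside hosts talking to VPN clients keep
! their real addresses instead of being caught by the dynamic PAT that is
! normally applied to Internet-bound traffic. Without this rule the tunnel
! comes up but traffic between the pool and the inside network is translated
! or dropped, which is the symptom described above.
nat (inside,outside) source static INSIDE-NET INSIDE-NET destination static VPN-POOL-NET VPN-POOL-NET no-proxy-arp route-lookup

! Per-user fixed VPN address (the CLI equivalent of the ASDM "VPN Policy"
! step in the thread). The address is in the pool subnet but deliberately
! outside the dynamic range, so the pool cannot hand the same address to
! a second client.
username niLuxx attributes
 vpn-framed-ip-address 192.168.1.50 255.255.255.0
```

Because the exemption rule matches on the whole pool subnet rather than on a single client address, it keeps working when the client's address changes. To confirm that a client address actually hits the identity rule, `show nat` lists the translation rules with hit counts, and `packet-tracer input inside tcp 10.10.10.10 12345 192.168.1.50 443` walks a packet from an inside host to the VPN client through the NAT and ACL phases and reports which rule matched.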
01-12-2019 06:19 PM