Static IP for VPN

niLuxx
Level 1

Dear Community,

I'm currently building a network infrastructure for my company and do the configuration mainly remotely via VPN (AnyConnect client-to-site). In this regard we also enabled access to the management interface of an ASA 5508-X (ASDM, etc.). Unfortunately I obviously made a mistake by configuring DHCP for my VPN account. I received the same IP address for months and finally forgot that I used DHCP instead of a static IP for my VPN account. Yesterday the ASDM crashed during configuration and after renewing the network connection I couldn't access the ASDM anymore. Further investigation showed that my client's IP address had changed from 192.168.1.X to 192.168.1.Z. Unfortunately no NAT rule matches anymore in this case and I couldn't access the ASDM remotely.

My question is whether there is a possibility to configure a static IP on the client side (back to my 192.168.1.X address) without connecting to the ASA itself. Maybe via the profile files?

Otherwise I'm afraid I have to connect to the ASDM on site via cable and afterwards set up the static IP. In this case, could you please share a doc on how to do this?

Best greetings,

niLuxx 

Accepted Solution

You need NAT exemption because your AnyConnect client arrives on the outside interface and usually you have a NAT statement for all inside hosts to be NATted over the outside interface to get access to public services. This means that if you don't do NAT exemption, your return traffic will be NATted and never come back to your AnyConnect client. With NAT exemption, you deny this NAT between inside hosts and the AnyConnect client and then the flows will pass through.

Now, if you have no possibility to get SSH and/or HTTP access to the ASA, even by jumping on another host locally connected, you have no choice but to go on site and do the configuration yourself. I'm sorry about that.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question


6 Replies

Francesco Molino
VIP Alumni
Hi

When connected on VPN, do you have SSH access directly? Or do you have a switch which you connect to using SSH and from there access your ASA using SSH?

For static IP assignment, before giving you a procedure, how are users authenticated? Using a RADIUS server or the ASA local database?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Dear Francesco,

No, I do not even have SSH access. The ASA is not reachable (not via ping, SSH, HTTP, ...). But I can access a client (no SSH functionality) connected to the ASA directly (which means the ASA should be functional), but all other clients are connected over a layer-3 switch and this switch is also not reachable (probably because of missing NAT rules).

By the way, I also do not understand why we have to use NAT rules to get the VPN running. Normally I would expect that after the VPN is established the client would be routed via default routes.

Best greetings,

niLuxx

You are correct, you do not require NAT if you are looking to have site-to-site VPN only, for office-to-office communication.

If this ASA is only for the VPN tunnel, that's fine, but if in your network this ASA is also handling Internet, then to go to the Internet you require NAT rules, since RFC 1918 addresses cannot be routed to Internet space.

Does that make sense? If you need more assistance, please post the full configuration of both sides for a better recommended configuration to work.

BB



Hi all,

My colleagues told me that there had been a system failure. After restarting the hardware I could even access the ASDM with an alternative IP again, but couldn't reach the internal network due to the incorrect IP address issue (see above).

That was the reason why I wanted to give my username a static IP address. Therefore I went to

1. AAA/Local Users

2. Local Users

3. Selected my username and clicked edit

4. Selected "VPN Policy"

5. Inserted a static ip

6. Applied the setting

Everything went fine, but now I cannot connect to the VPN anymore. I can reach the endpoint and also enter the credentials, but there is always a "login failed". I didn't change anything else, just the IP.

Is it possible that my user got blocked due to this change? I couldn't understand that.

Is there a logfile I can check on the client side to see what is wrong?

By the way, it's a level 15 user.

Best greetings,

niLuxx
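As an added example (not from the thread, and not Cisco's own documentation), the following constructed ASA CLI fragments show the two configuration points raised above: Francesco's NAT exemption so that return traffic to the AnyConnect pool is not PATted, and the CLI equivalent of niLuxx's ASDM steps (AAA/Local Users > Edit > VPN Policy) for pinning a local user to a fixed address. The interface names, the 192.168.1.0/24 LAN, the pool range, the user address 192.168.1.210 and the /27 used for the http line are assumptions.

```cisco
! Constructed ASA configuration fragments (added example, not from the thread).
! Assumed: LAN 192.168.1.0/24 on "inside", Internet on "outside",
! AnyConnect pool 192.168.1.200-220 carved out of the LAN subnet.

! 1. Address pool for AnyConnect users, plus the existing dynamic PAT to the
!    Internet. The PAT is what rewrites VPN return traffic when nothing exempts it.
ip local pool ANYCONNECT_POOL 192.168.1.200-192.168.1.220 mask 255.255.255.0
object network INSIDE_LAN
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
object network ANYCONNECT_HOSTS
 range 192.168.1.200 192.168.1.220

! 2. NAT exemption (identity twice NAT): LAN <-> VPN clients keep their real
!    addresses. Manual NAT (section 1) is evaluated before object NAT
!    (section 2), so this rule wins over the PAT above for these flows.
nat (inside,outside) source static INSIDE_LAN INSIDE_LAN destination static ANYCONNECT_HOSTS ANYCONNECT_HOSTS no-proxy-arp route-lookup

! 3. Fixed address for one local user. The framed address overrides the pool
!    for this user only; keep it inside the exempted range so the rule in
!    step 2 still matches after the change.
username niLuxx attributes
 vpn-framed-ip-address 192.168.1.210 255.255.255.0

! 4. Reach ASDM on the inside interface over the tunnel, limited to the
!    pool's /27 (192.168.1.192-223) rather than any source.
management-access inside
http 192.168.1.192 255.255.255.224 inside

! 5. Checks to run before dropping the current session: is the exemption
!    in place and hit, which address did the user actually get, and does a
!    LAN host reach the client address without being translated?
show nat detail
show running-config username niLuxx
show vpn-sessiondb anyconnect filter name niLuxx
packet-tracer input inside tcp 192.168.1.10 12345 192.168.1.210 443
```

In the packet-tracer output the NAT phase should report the identity rule from step 2 as the match; if it shows the dynamic PAT instead, the exemption is missing or does not cover the address the user received.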

Can you share your config so I can take a look at what could be the cause of not being able to connect to the VPN?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question