02-14-2020 06:00 AM - edited 02-21-2020 09:55 AM
Hello -
I have an ASA5506 configured as BVI.
I have tried to set up AnyConnect through the ASDM but I'm getting a NAT error.
Please see the attached snapshot from the ASA.
I have tried to add nat (inside,outside) 1 source static but I'm still getting the same error.
02-14-2020 11:11 AM - edited 02-14-2020 11:12 AM
You can try through the CLI: copy all commands with OK status and execute them through the command line. Secondly, your NAT seems to be incorrect; you need to NAT your source NAT pool with the required network that needs to be allowed for VPN users. Plus, try nat (inside,any) rather than (inside,outside).
Something like:
nat (inside,any) source Remote_VPN_Pool Remote_VPN_Pool destination static Allowed_Network4RemoteVPN Allowed_Network4RemoteVPN
02-14-2020 08:21 PM
Thank you for the reply,
I have done nat (inside, any) and it doesn’t like it, because the main interface or the inside network is set as BVI.
I have tried to follow different tutorials to change the BVI but I lose the connection.
02-14-2020 08:24 PM
Here is my configuration —
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address dhcp setroute
!
interface GigabitEthernet1/2
bridge-group 1
nameif inside_1
security-level 100
!
interface GigabitEthernet1/3
bridge-group 1
nameif inside_2
security-level 100
!
interface GigabitEthernet1/4
bridge-group 1
nameif inside_3
security-level 100
!
interface GigabitEthernet1/5
bridge-group 1
nameif inside_4
security-level 100
!
interface GigabitEthernet1/6
bridge-group 1
nameif inside_5
security-level 100
!
interface GigabitEthernet1/7
bridge-group 1
nameif inside_6
security-level 100
!
interface GigabitEthernet1/8
bridge-group 1
nameif inside_7
security-level 100
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
interface BVI1
nameif inside
security-level 100
ip address 10.209.111.1 255.255.255.0
!
ftp mode passive
clock timezone GST 4
dns server-group DefaultDNS
domain-name omsaid.org
same-security-traffic permit inter-interface
object network obj_any1
subnet 0.0.0.0 0.0.0.0
object network obj_any2
subnet 0.0.0.0 0.0.0.0
object network obj_any3
subnet 0.0.0.0 0.0.0.0
object network obj_any4
subnet 0.0.0.0 0.0.0.0
object network obj_any5
subnet 0.0.0.0 0.0.0.0
object network obj_any6
subnet 0.0.0.0 0.0.0.0
object network obj_any7
subnet 0.0.0.0 0.0.0.0
object network INSIDE-NET
subnet 10.209.111.0 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside_1 1500
mtu inside_2 1500
mtu inside_3 1500
mtu inside_4 1500
mtu inside_5 1500
mtu inside_6 1500
mtu inside_7 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
!
object network obj_any1
nat (inside_1,outside) dynamic interface
object network obj_any2
nat (inside_2,outside) dynamic interface
object network obj_any3
nat (inside_3,outside) dynamic interface
object network obj_any4
nat (inside_4,outside) dynamic interface
object network obj_any5
nat (inside_5,outside) dynamic interface
object network obj_any6
nat (inside_6,outside) dynamic interface
object network obj_any7
nat (inside_7,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 192.168.100.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication login-history
http server enable
http 10.209.111.0 255.255.255.0 inside_1
http 10.209.111.0 255.255.255.0 inside_2
http 10.209.111.0 255.255.255.0 inside_3
http 10.209.111.0 255.255.255.0 inside_4
http 10.209.111.0 255.255.255.0 inside_5
http 10.209.111.0 255.255.255.0 inside_6
http 10.209.111.0 255.255.255.0 inside_7
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint _SmartCallHome_ServerCA
no validation-usage
crl configure
crypto ca trustpool policy
crypto ca certificate chain _SmartCallHome_ServerCA
telnet timeout 5
ssh stricthostkeycheck
ssh 10.209.111.0 255.255.255.0 outside
ssh timeout 30
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd dns 208.67.222.222 208.67.220.220
dhcpd auto_config outside
dhcpd option 3 ip 10.209.111.1
!
dhcpd address 10.209.111.5-10.209.111.254 inside
dhcpd enable inside
!
dhcprelay timeout 60
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
username alsalms3 password $sha512$5000$JAmH3nmkA06ht3p0TtN7sw==$xS2KI5HJ92hyBb9ja7iM8A== pbkdf2 privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect http
!
service-policy global_policy global
prompt hostname context
02-15-2020 02:04 AM
Hi,
You would need to define the NAT rules for each interface, e.g.:
nat (inside_1,outside) source static any any destination NETWORK_OBJ_10.209.167.0 NETWORK_OBJ_10.209.167.0 no-proxy-arp route-lookup
nat (inside_2,outside) source static any any destination NETWORK_OBJ_10.209.167.0 NETWORK_OBJ_10.209.167.0 no-proxy-arp route-lookup
Alternatively, instead of defining a NAT rule for each, you could replace the source with "any"; this would cover all source inside interfaces, thus having only one NAT rule.
nat (any,outside) source static any any destination NETWORK_OBJ_10.209.167.0 NETWORK_OBJ_10.209.167.0 no-proxy-arp route-lookup
HTH
02-16-2020 02:56 AM - edited 02-16-2020 02:58 AM
In your configuration you mentioned your outside next hop is
!
route outside 0.0.0.0 0.0.0.0 192.168.100.1 1
!
Now, this 192.168.100.1 is an RFC 1918 address range (I am guessing this is the ISP provider's ADSL modem/broadband router, etc.). You need to log into this device and set up port-forwarding.
That is the reason you are not able to connect to your AnyConnect.
02-16-2020 03:06 AM
Thank you for the reply.
Which port should I forward?
TCP/UDP 8443?
02-16-2020 03:28 AM
It depends; it's really up to you. If you set up port 8443, in that case you have to tell your ASA to listen on 8443.
crypto ikev2 enable outside client-services port 8443
!
webvpn
port 8443
enable outside
anyconnect-custom-attr DeferredUpdateAllowed description Indicates if the deferred update feature is enabled or not
anyconnect-custom-attr DeferredUpdateDismissTimeout
dtls port 8443
!
Once port-forwarding is done on the ISP device/router, then when you test/connect AnyConnect, your URL in AnyConnect is like this: https://alpha.acime.com:8443