ASA VPN from inside/outside interface to one other interface ?

ralfw
Level 1

Hello,

I have these 3 interfaces on the ASA and want to configure two VPNs. Users should be able
to connect from inside to mgadm and from outside to mgadm, but I can't get it working in both
directions at the same time. I need the NAT exemption for outside->mgadm working, but
inside->mgadm only works without the NAT exemption. Is this not possible, or what am
I doing wrong?


ip local pool fb4vpn_ssl_mgadm_pool 192.168.196.1-192.168.196.254 mask 255.255.255.0

interface Port-channel1.110
vlan 110
nameif inside
security-level 50
ip address 192.168.255.209 255.255.255.248
ipv6 address fd00:0:1400:110::2/64
!
interface Port-channel1.223
vlan 223
nameif mgadm
security-level 75
ip address 192.168.223.1 255.255.255.0
!
interface Port-channel1.444
vlan 444
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.248
ipv6 address fd00:0:1400::2/64
!

object network fb4vpn_ssl_mgadm_net
subnet 192.168.223.0 255.255.255.0

object network fb4vpn_ssl_mgadm_pool
subnet 192.168.196.0 255.255.255.0

object network subnet_mgadm
subnet 192.168.223.0 255.255.255.0

### NAT exemption ###
nat (mgadm,outside) source static fb4vpn_ssl_mgadm_net fb4vpn_ssl_mgadm_net destination static fb4vpn_ssl_mgadm_pool fb4vpn_ssl_mgadm_pool
#####################

nat (mgadm,outside) source dynamic subnet_mgadm pat-pool patpool_adm

webvpn
enable inside
enable outside


Sheraz.Salim
VIP Alumni

Based on your configuration, it appears you're trying to set up VPN access from both the inside and outside interfaces to the mgadm interface. The issue you're experiencing is due to the NAT configuration. Here's an explanation of the problem and a solution:

The NAT exemption rule you've configured is only for traffic between the mgadm interface and the outside interface. This allows VPN traffic from the outside to reach the mgadm network without being translated.

However, there's no NAT exemption for traffic between the inside interface and the mgadm interface. This is why the VPN from inside to mgadm only works without the NAT exemption.

To solve this issue and allow VPN access from both inside and outside to mgadm simultaneously, you need to add another NAT exemption rule for the inside to mgadm traffic. Here's how you can modify the configuration:

Keep your existing NAT exemption rule for outside to mgadm

 

nat (mgadm,outside) source static fb4vpn_ssl_mgadm_net fb4vpn_ssl_mgadm_net destination static fb4vpn_ssl_mgadm_pool fb4vpn_ssl_mgadm_pool

 

Add a new NAT exemption rule for inside to mgadm

 

nat (mgadm,inside) source static fb4vpn_ssl_mgadm_net fb4vpn_ssl_mgadm_net destination static fb4vpn_ssl_mgadm_pool fb4vpn_ssl_mgadm_pool

 

Keep your existing dynamic NAT rule for other traffic

 

nat (mgadm,outside) source dynamic subnet_mgadm pat-pool patpool_adm

 

With these changes, VPN traffic should work in both directions:

From outside to mgadm: the first NAT exemption rule will allow this traffic without translation.
From inside to mgadm: the new NAT exemption rule will allow this traffic without translation.
Other traffic from mgadm to outside will still use the dynamic PAT rule.

Remember to apply these changes and save the configuration. Also, ensure that your VPN configuration (tunnel groups, group policies, etc.) is correctly set up to allow connections from both inside and outside interfaces. If you still encounter issues, you may need to review your access control lists (ACLs) and ensure they permit the necessary VPN traffic between the interfaces.

 
please do not forget to rate.

Thanks for your reply, but I already tried this, and it only works for the inside VPN connection if I have the NAT exemption nat (mgadm,inside) before nat (mgadm,outside); but then the outside VPN connection does not work.

The issue you're experiencing is due to the order of NAT rules and how the ASA processes them. My observation and explanation/solution:

NAT rule order is crucial on ASA devices. The first matching rule is applied, and subsequent rules are ignored.
To make both inside and outside VPN connections work simultaneously, you need to carefully order your NAT rules. Try the following configuration:

! NAT exemption for VPN traffic (both directions)
nat (mgadm,outside) source static fb4vpn_ssl_mgadm_net fb4vpn_ssl_mgadm_net destination static fb4vpn_ssl_mgadm_pool fb4vpn_ssl_mgadm_pool
nat (mgadm,inside) source static fb4vpn_ssl_mgadm_net fb4vpn_ssl_mgadm_net destination static fb4vpn_ssl_mgadm_pool fb4vpn_ssl_mgadm_pool

! Dynamic NAT for other traffic
nat (mgadm,outside) source dynamic subnet_mgadm pat-pool patpool_adm

Ensure that these NAT rules are placed before any other more general NAT rules in your configuration.
If you're still experiencing issues, you may need to create separate identity NAT rules for IPv4 if you're using both.
Consider using VTI (Virtual Tunnel Interface) tunnels instead of crypto maps if your ASA version supports it. VTI tunnels appear as regular interfaces and can simplify routing and NAT configurations. (Just a thought)
Review your access control lists (ACLs) to ensure they permit the necessary VPN traffic between the interfaces.
Check your VPN configuration (tunnel groups, group policies) to confirm they're set up correctly for both inside and outside connections.

please do not forget to rate.

I tried both NAT exemption orders and always only one way works. And I want an SSL WebVPN for client access, not a site-to-site VPN, for our users.

You cannot do that.
You need to use group-url under the tunnel-group.
Each tunnel-group has its own VPN pool.

group-url 1 points to inside
group-url 2 points to outside

MHM

You mean I need two different VPNs for inside and outside with two different IP pools, so I have no conflict with the NAT exemption? Is it also not possible to use one VPN config for two directions?

No friend, you cannot use the same pool with one connecting to inside and the other connecting to outside.

Sure, you will get overlapping.

MHM
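A concrete version of MHM's suggestion above (two tunnel-groups, each with its own pool and group-url, and one identity NAT rule per interface pair), written as an added example rather than anything posted in this thread. The second pool (192.168.197.0/24), the object, pool and tunnel-group names, and the group-url paths are assumed; x.x.x.x stands for the outside address exactly as in the original post, and the mgadm network object is the one already defined there.

```cisco
! Separate address pools, so the NAT rules for the two interface pairs
! no longer match the same destination and cannot shadow each other
ip local pool POOL_MGADM_INSIDE 192.168.196.1-192.168.196.254 mask 255.255.255.0
ip local pool POOL_MGADM_OUTSIDE 192.168.197.1-192.168.197.254 mask 255.255.255.0

object network POOL_MGADM_INSIDE_NET
 subnet 192.168.196.0 255.255.255.0
object network POOL_MGADM_OUTSIDE_NET
 subnet 192.168.197.0 255.255.255.0

! Identity NAT (NAT exemption) per interface pair; order no longer matters
! because each rule has a distinct destination
nat (mgadm,inside) source static fb4vpn_ssl_mgadm_net fb4vpn_ssl_mgadm_net destination static POOL_MGADM_INSIDE_NET POOL_MGADM_INSIDE_NET no-proxy-arp route-lookup
nat (mgadm,outside) source static fb4vpn_ssl_mgadm_net fb4vpn_ssl_mgadm_net destination static POOL_MGADM_OUTSIDE_NET POOL_MGADM_OUTSIDE_NET no-proxy-arp route-lookup

! Keep the existing dynamic PAT for everything else leaving mgadm
nat (mgadm,outside) source dynamic subnet_mgadm pat-pool patpool_adm

! One tunnel-group per interface; the group-url selects the tunnel-group,
! which in turn hands out the matching pool
tunnel-group TG_MGADM_INSIDE type remote-access
tunnel-group TG_MGADM_INSIDE general-attributes
 address-pool POOL_MGADM_INSIDE
tunnel-group TG_MGADM_INSIDE webvpn-attributes
 group-url https://192.168.255.209/mgadm-inside enable

tunnel-group TG_MGADM_OUTSIDE type remote-access
tunnel-group TG_MGADM_OUTSIDE general-attributes
 address-pool POOL_MGADM_OUTSIDE
tunnel-group TG_MGADM_OUTSIDE webvpn-attributes
 group-url https://x.x.x.x/mgadm-outside enable

webvpn
 enable inside
 enable outside
```

After applying, `show nat detail` and `packet-tracer input mgadm tcp 192.168.223.10 22 192.168.197.10 22` (and the same with a 192.168.196.x address) are the quickest way to confirm each direction hits its own identity NAT rule.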

@MHM Cisco World that's a good point you mentioned, I completely forgot that. Good spot.

please do not forget to rate.

Since it's not working, you are right.
