03-22-2013 10:49 AM - edited 03-11-2019 06:18 PM
I do not know why I can't get my head wrapped around the traffic flow and ACLs in the ASA. I have created a VPN endpoint for my remote users. I am testing this by myself for now, but when I VPN in and try to access my desktop via RDP I am blocked. I have a route to it so I know that works, and packet tracer says it's dropped and has an X on ACL. When a user comes in on the VPN they are part of what interface? Inside?
The only thing I am doing right now is just a PAT and hairpinning so VPN users can go back out to the internet. How do an ACL and ACE work together? I created an ACL called VPN_access_in and said allow my VPN subnet to access the host IP address of my desktop via TCP port 3389. Then I did an access-group for that ACL and tied it to the inside interface. I can't understand if it is inbound or outbound traffic?
I read these books and articles and watch videos and just can't seem to get it. Does anyone have a cool trick for remembering this stuff or how to learn it?
Thanks.
03-22-2013 10:59 AM
Hi,
I think this could be solvable just seeing the configurations.
Would it be possible to see the configurations in CLI format?
To go over some of your questions and give additional information
As a last note: don't configure any ACL rules for VPN in the "inside" interface ACL. It should only control traffic leaving from the network(s) behind the "inside" interface, provided that the ACL is attached to the interface in the direction "in".
- Jouni
03-22-2013 11:12 AM
Type help or '?' for a list of available commands.
ATIASA5525-01> en
Password: ************
ATIASA5525-01# show run
: Saved
:
ASA Version 9.1(1)
!
hostname ATIASA5525-01
domain-name domain.corp.com
enable password
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd
names
ip local pool Public_VPN_Pool 192.168.65.1-192.168.65.254 mask 255.255.255.0
ip local pool GIS_VPN_Pool 192.168.90.1-192.168.90.254 mask 255.255.255.0
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 1.1.1.1 255.255.255.252
!
interface GigabitEthernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/6
speed 1000
duplex full
channel-group 1 mode active
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/7
speed 1000
duplex full
channel-group 1 mode active
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
nameif management
security-level 100
ip address 10.170.50.254 255.255.255.0
!
interface Port-channel1
description Port-Channel to N5Ks
speed 1000
duplex full
lacp max-bundle 2
no nameif
security-level 100
no ip address
!
interface Port-channel1.105
vlan 105
nameif inside
security-level 100
ip address 10.170.105.20 255.255.255.0
!
boot system disk0:/asa911-smp-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup management
dns domain-lookup inside
dns server-group DefaultDNS
name-server 10.70.1.202
domain-name domain.corp.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network 10.170.2.0_23
subnet 10.170.2.0 255.255.254.0
description Data VLAN
object network 10.170.50.0_24
subnet 10.170.50.0 255.255.255.0
description Management VLAN
object network ATIASA5525-01_MGMT
host 10.170.50.254
description ASA 5525-x
object network 10.170.100.0_24
subnet 10.170.100.0 255.255.255.0
description Secure Wireless VLAN
object network 10.170.5.0_24
subnet 10.170.5.0 255.255.255.0
description Server VLAN
object network 10.170.99.0_24
subnet 10.170.99.0 255.255.255.0
description GIS Secure Wireless VLAN
object network 10.70.0.0_20
subnet 10.70.0.0 255.255.240.0
description Old Data VLAN
object network 10.170.101.0_24
subnet 10.170.101.0 255.255.255.0
description Guest Wireless VLAN
object network VLAN_105_Gateway
host 10.170.105.1
description VLAN 105 HSRP Address
object network lav-v-dc-p-04
host 10.70.1.202
description DNS Server
object network ManagementGateway
host 10.170.50.1
description Management VLAN Gateway Address
object network srvlavradius01
host 10.70.1.51
description Radius Server For Authentication
object network GloviaSubnet
subnet 140.140.0.0 255.255.0.0
object network CorporateEmail
subnet 10.40.0.0 255.255.0.0
object network WahChang
subnet 10.60.0.0 255.255.0.0
object network CorporateSharePoint
subnet 10.25.2.0 255.255.255.0
object network AllvacSHM
subnet 159.59.0.0 255.255.0.0
object network ATI_Public_VPN
subnet 192.168.65.0 255.255.255.0
object network 192.168.90.0_24
subnet 192.168.90.0 255.255.255.0
description ATI_GIS_VPN
object network GIS_Network_Admin_Server
host 10.70.1.129
object service obj-tcp-source-eq-4055
service tcp source eq 4055
object service obj-tcp-source-eq-4056
service tcp source eq 4056
object service obj-tcp-source-eq-9676
service tcp source eq 9676
object network Stahli-Swiss
host 2.2.2.2
description Created during name migration
object network Stahli-PCL
host 10.70.9.60
description Created during name migration
object network MWP_Germany
subnet 10.70.110.0 255.255.255.0
description Germany Internal Network
object network MWP_Gland
subnet 10.70.150.0 255.255.254.0
description Gland Internal Network
object network MWP_Huntsville
subnet 10.70.20.0 255.255.254.0
description Huntsville Internal Network
object network MWP_Ibstock
subnet 10.70.100.0 255.255.254.0
description Ibstock Internal Network
object network MWP_Italy
subnet 10.70.140.0 255.255.255.0
description Italy Internal Network
object network 10.70.120.0_23
subnet 10.70.120.0 255.255.254.0
description Melksham Internal Network
object network 10.70.90.0_24
subnet 10.70.90.0 255.255.255.0
description Bolingbrook Internal Network
object network MWP_Grant
subnet 10.70.40.0 255.255.254.0
description Grant Internal Network
object network MWP_Gurley
subnet 10.70.70.0 255.255.254.0
description Gurley Internal Network
object network MWP_Houston
subnet 10.70.80.0 255.255.254.0
description Houston Internal Network
object network MWP_Laporte
subnet 10.83.1.0 255.255.255.0
description Laporte Internal Network
object network MWP_Lebanon
subnet 10.81.1.0 255.255.255.0
description Lebanon Internal Network
object network 10.70.60.0_23
subnet 10.70.60.0 255.255.254.0
description Madison Internal Network
object network MWP_Monaca
subnet 10.31.1.0 255.255.255.0
description Monaca Internal Network
object network MWP_PortlandForge
subnet 10.80.1.0 255.255.255.0
description Portland Forge Internal Network
object network MWP_Rochester
subnet 10.33.1.0 255.255.255.0
description Rochester Internal Network
object network 10.70.30.0_23
subnet 10.70.30.0 255.255.254.0
description Waynesboro Internal Network
object network MWP_Zelienople
subnet 10.32.1.0 255.255.255.0
description Zelienople Internal Network
object network IDS1744_hybr03_LaVergne
host 10.70.2.23
description Solutionary IDS Lavergne
object network IDS1744_hybr04_Houston
host 10.70.80.23
description Solutionary IDS Houston
object network Siemens_Furnace_PCL
host 10.70.20.72
description Siemens_Furnace_PCL
object network Siemens
host 3.3.3.3
description Siemens Furnace Techs
object network srvlavship01
host 10.70.1.180
description Digital Shipper Server
object network ATI_CRM
host 10.92.2.188
description ATI CRM in Boulder
object network IDS1744_hybr01_Huntsville
host 10.70.20.23
description Solutionary IDS Huntsville
object network IDS1744_hybr02_Madison
host 10.70.60.20
description Solutionary IDS Madison
object network Solarwinds
host 10.70.1.80
description Solarwinds NPM
object-group service HTTPWebTraffic
description HTTP and HTTPS Traffic
service-object tcp destination eq www
service-object tcp destination eq https
object-group network default_pat_source
network-object object 10.170.2.0_23
network-object object srvlavship01
network-object object ATI_Public_VPN
network-object object 192.168.90.0_24
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group network AppsCRM
object-group network MWP_All_Sites
network-object object 10.70.90.0_24
network-object object MWP_Germany
network-object object MWP_Gland
network-object object MWP_Grant
network-object object MWP_Gurley
network-object object MWP_Houston
network-object object MWP_Huntsville
network-object object MWP_Ibstock
network-object object MWP_Italy
network-object object MWP_Laporte
network-object object MWP_Lebanon
network-object object 10.70.60.0_23
network-object object 10.70.120.0_23
network-object object MWP_Monaca
network-object object MWP_PortlandForge
network-object object MWP_Rochester
network-object object 10.70.30.0_23
network-object object MWP_Zelienople
object-group network DM_INLINE_NETWORK_4
network-object object AllvacSHM
group-object AppsCRM
group-object MWP_All_Sites
network-object object WahChang
object-group protocol DM_INLINE_PROTOCOL_5
protocol-object ip
protocol-object icmp
protocol-object udp
protocol-object tcp
object-group network DM_INLINE_NETWORK_5
network-object object AllvacSHM
group-object AppsCRM
group-object MWP_All_Sites
network-object object WahChang
network-object object GloviaSubnet
object-group protocol DM_INLINE_PROTOCOL_6
protocol-object ip
protocol-object icmp
protocol-object udp
protocol-object tcp
object-group network DM_INLINE_NETWORK_2
group-object AppsCRM
group-object MWP_All_Sites
network-object object AllvacSHM
network-object object WahChang
object-group service RoveAdmin tcp
port-object eq 4055
port-object eq 4054
object-group network SolutionaryNOC
object-group network SolutionaryDevices
network-object object IDS1744_hybr03_LaVergne
network-object object IDS1744_hybr04_Houston
network-object object MWP_Huntsville
object-group service RDP tcp
description Remote Desktop Protocol
port-object eq 3389
object-group network OVHSAS
object-group service DM_INLINE_SERVICE_1
service-object icmp
service-object udp destination eq domain
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object icmp
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object icmp
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_3
protocol-object ip
protocol-object icmp
protocol-object udp
protocol-object tcp
object-group network DM_INLINE_NETWORK_1
group-object AppsCRM
network-object object AllvacSHM
group-object MWP_All_Sites
network-object object WahChang
network-object object GloviaSubnet
object-group service Spiceworks tcp
port-object eq 9676
object-group network Stahli_Machines
object-group service Stahli_Port_102 tcp
port-object eq 102
object-group network Stahli
object-group network DM_INLINE_NETWORK_3
network-object object AllvacSHM
group-object AppsCRM
network-object object WahChang
network-object object GloviaSubnet
object-group protocol DM_INLINE_PROTOCOL_4
protocol-object ip
protocol-object icmp
protocol-object udp
protocol-object tcp
object-group network Huntsville_Furnaces
description Huntsville_Furnaces
network-object object Siemens_Furnace_PCL
object-group network CorporateResources
network-object object CorporateEmail
network-object object CorporateSharePoint
access-list Management_Access extended permit ip object 10.170.2.0_23 interface management
snmp cpu threshold rising 75% 5
pager lines 24
logging enable
logging timestamp
logging buffer-size 8048
logging buffered informational
logging trap informational
logging history informational
logging asdm informational
logging from-address
logging recipient-address
logging host management 10.70.1.80
flow-export destination management 10.70.1.80 2055
flow-export delay flow-create 10
mtu outside 1500
mtu management 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp deny any outside
asdm image disk0:/asdm-712.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
nat (any,outside) after-auto source dynamic default_pat_source interface dns
route outside 0.0.0.0 0.0.0.0 1.1.1.2 1
route inside 10.40.0.0 255.255.0.0 10.170.105.1 1
route management 10.70.1.51 255.255.255.255 10.170.50.1 1
route management 10.70.1.80 255.255.255.255 10.170.50.1 1
route inside 10.70.1.180 255.255.255.255 10.170.105.1 1
route inside 10.70.1.202 255.255.255.255 10.170.105.1 1
route inside 10.92.2.188 255.255.255.255 10.170.105.1 1
route inside 10.170.0.0 255.255.0.0 10.170.105.1 1
route management 10.170.2.0 255.255.254.0 10.170.50.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server ATI_AD protocol nt
aaa-server ATI_AD (inside) host 10.70.1.202
nt-auth-domain-controller lav-v-dc-p-04
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
http server enable
http server session-timeout 60
http 10.170.2.0 255.255.254.0 management
snmp-server host management 10.70.1.80 community ***** version 2c
snmp-server location
snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
snmp-server enable traps syslog
snmp-server enable traps entity fan-failure cpu-temperature
snmp-server enable traps remote-access session-threshold-exceeded
snmp-server enable traps connection-limit-reached
snmp-server enable traps cpu threshold rising
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 10.170.2.0 255.255.254.0 management
ssh timeout 15
ssh version 2
console timeout 0
vpn-sessiondb max-other-vpn-limit 750
vpn-sessiondb max-anyconnect-premium-or-essentials-limit 2
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 10.70.1.200 source management
ssl encryption aes128-sha1
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1 regex "Windows NT"
anyconnect image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2 regex "Intel Mac OS X"
anyconnect image disk0:/anyconnect-linux-2.5.2014-k9.pkg 3 regex "Linux"
anyconnect enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
group-policy ATI_Public_VPN internal
group-policy ATI_Public_VPN attributes
wins-server none
dns-server value 10.70.1.202
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
default-domain value domain.corp.com
address-pools value Public_VPN_Pool
group-policy ATI_GIS_VPN internal
group-policy ATI_GIS_VPN attributes
wins-server none
dns-server value 10.70.1.202
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
default-domain value domain.corp.com
address-pools value GIS_VPN_Pool
username * password * encrypted privilege 15
tunnel-group ATI_GIS_VPN type remote-access
tunnel-group ATI_GIS_VPN general-attributes
address-pool GIS_VPN_Pool
authentication-server-group ATI_AD
default-group-policy ATI_GIS_VPN
tunnel-group ATI_GIS_VPN webvpn-attributes
group-alias GIS enable
tunnel-group ATI_Public_VPN type remote-access
tunnel-group ATI_Public_VPN general-attributes
address-pool Public_VPN_Pool
authentication-server-group ATI_AD
default-group-policy ATI_Public_VPN
tunnel-group ATI_Public_VPN webvpn-attributes
group-alias Public_VPN enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:db4d877538fec2be3412b3fa6e739a7e
: end
ATIASA5525-01# show ver
Cisco Adaptive Security Appliance Software Version 9.1(1)
Device Manager Version 7.1(2)
Compiled on Wed 28-Nov-12 11:15 PST by builders
System image file is "disk0:/asa911-smp-k8.bin"
Config file at boot was "startup-config"
ATIASA5525-01 up 1 day 16 hours
Hardware: ASA5525, 8192 MB RAM, CPU Lynnfield 2393 MHz, 1 CPU (4 cores)
ASA: 4096 MB RAM, 1 CPU (1 core)
Internal ATA Compact Flash, 8192MB
BIOS Flash S25FL064 @ 0xffbb0000, 8192KB
Encryption hardware device : Cisco ASA-55xx on-board accelerator (revision 0x1)
Boot microcode : CNPx-MC-BOOT-2.00
SSL/IKE microcode : CNPx-MC-SSL-PLUS-T020
IPSec microcode : CNPx-MC-IPSEC-MAIN-0022
Number of accelerators: 1
Baseboard Management Controller (revision 0x1) Firmware Version: 2.4
0: Int: Internal-Data0/0 : address is e02f.6dbb.6b69, irq 11
1: Ext: GigabitEthernet0/0 : address is e02f.6dbb.6b6e, irq 5
2: Ext: GigabitEthernet0/1 : address is e02f.6dbb.6b6a, irq 5
3: Ext: GigabitEthernet0/2 : address is e02f.6dbb.6b6f, irq 10
4: Ext: GigabitEthernet0/3 : address is e02f.6dbb.6b6b, irq 10
5: Ext: GigabitEthernet0/4 : address is e02f.6dbb.6b70, irq 5
6: Ext: GigabitEthernet0/5 : address is e02f.6dbb.6b6c, irq 5
7: Ext: GigabitEthernet0/6 : address is e02f.6dbb.6b71, irq 10
8: Ext: GigabitEthernet0/7 : address is e02f.6dbb.6b6d, irq 10
9: Int: Internal-Data0/1 : address is 0000.0001.0002, irq 0
10: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 0
11: Int: Internal-Data0/2 : address is 0000.0001.0003, irq 0
12: Ext: Management0/0 : address is e02f.6dbb.6b69, irq 0
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 200 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Security Contexts : 2 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 750 perpetual
Total VPN Peers : 750 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
IPS Module : Disabled perpetual
Cluster : Disabled perpetual
This platform has an ASA5525 VPN Premium license.
Serial Number:
Running Permanent Activation Key:
Configuration register is 0x1
Configuration last modified by root at 00:40:16.146 CDT Fri Mar 22 2013
ATIASA5525-01# show run sysopt
ATIASA5525-01#
03-22-2013 11:39 AM
Hi,
It would seem to me that you will need NAT0 / NAT Exempt type configuration for the VPN Pools to enable communication between LAN and VPN users
Try these
object network VPN-POOL-PUBLIC
subnet 192.168.65.0 255.255.255.0
object network VPN-POOL-GIS
subnet 192.168.90.0 255.255.255.0
object-group network LAN-NETWORKS
network-object 10.40.0.0 255.255.0.0
network-object 10.170.0.0 255.255.0.0
network-object host 10.70.1.180
network-object host 10.70.1.202
network-object host 10.92.2.188
nat (inside,outside) source static LAN-NETWORKS LAN-NETWORKS destination static VPN-POOL-PUBLIC VPN-POOL-PUBLIC
nat (inside,outside) source static LAN-NETWORKS LAN-NETWORKS destination static VPN-POOL-GIS VPN-POOL-GIS
If you don't want all those networks routed towards "inside" to be accessible through both of the VPNs, then we will need to modify the above NAT configurations a bit.
- Jouni
03-22-2013 03:15 PM
what do those ACLs mean from language standpoint?
03-22-2013 04:11 PM
Hi.
I am not quite sure what ACLs you mean?
I only listed a NAT configuration above.
You shouldn't need any ACLs to allow VPN client user connections to your LAN at the moment.
But what you are missing is NAT configuration for LAN-to-VPN traffic.
- Jouni
03-22-2013 04:27 PM
I meant the NAT statements. I view that as you are NATing each of those IP subnets to themselves?
03-22-2013 04:34 PM
Hi,
Well, basically this is the way to do NAT0 / NAT Exempt in the newer software versions.
The NAT rule type is called Twice NAT. The name comes from the fact that you have both a source and a destination parameter for the NAT and would have the possibility to NAT both the source and destination networks.
What the NAT configuration basically tells is that
you would have a chance to NAT both source and destination networks, but in this case we naturally want that there is NO NAT being done.
The format of the Twice NAT is
nat (sourceinterface,destinationinterface) source static
- Jouni
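To make the two points in this thread concrete (an "in" ACL on inside never sees a packet that enters on outside, and a static Twice NAT identity rule matches a flow in both directions), here is a small Python model added to this thread; it is not ASA code, and the client address 192.168.65.10 and desktop address 10.170.5.50 are constructed, while the networks and rule shapes come from the posted configuration.

```python
"""Illustrative model (added here, not ASA code) of two behaviours from the
thread: which interface ACL a packet is evaluated against, and how a static
Twice NAT identity rule ("NAT exempt") matches a flow in both directions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


def nets(*cidrs):
    return [ip_network(c) for c in cidrs]


def in_any(addr, networks):
    return any(ip_address(addr) in n for n in networks)


@dataclass(frozen=True)
class Packet:
    ingress: str          # interface the packet arrives on
    egress: str           # interface the route lookup selects
    src: str
    dst: str
    dport: int
    from_vpn: bool = False  # decapsulated from a remote-access tunnel


@dataclass(frozen=True)
class TwiceNat:
    """nat (real_if,mapped_if) source static S S destination static D D"""
    real_if: str
    mapped_if: str
    source: list
    destination: list


def nat_direction(rule: TwiceNat, pkt: Packet) -> Optional[str]:
    """Static Twice NAT is bidirectional: a packet entering real_if from S to D
    matches 'forward'; a packet entering mapped_if from D to S matches
    'reverse'. With identity (S->S, D->D) a match translates nothing."""
    if (pkt.ingress == rule.real_if and in_any(pkt.src, rule.source)
            and in_any(pkt.dst, rule.destination)):
        return "forward"
    if (pkt.ingress == rule.mapped_if and in_any(pkt.src, rule.destination)
            and in_any(pkt.dst, rule.source)):
        return "reverse"
    return None


def acl_consulted(pkt: Packet, bindings: dict, permit_vpn: bool = True) -> Optional[str]:
    """bindings: {interface: (acl_name, "in"|"out")} as set by access-group.
    An 'in' ACL sees only packets entering that interface, an 'out' ACL only
    packets leaving it. With the default 'sysopt connection permit-vpn'
    (an empty 'show run sysopt'), tunnelled traffic skips interface ACLs."""
    if pkt.from_vpn and permit_vpn:
        return None
    for iface, (name, direction) in bindings.items():
        if direction == "in" and pkt.ingress == iface:
            return name
        if direction == "out" and pkt.egress == iface:
            return name
    return None


# Networks from the posted config; client and desktop addresses are constructed.
LAN = nets("10.40.0.0/16", "10.170.0.0/16", "10.70.1.180/32", "10.70.1.202/32", "10.92.2.188/32")
VPN_PUBLIC = nets("192.168.65.0/24")
PROPOSED = TwiceNat("inside", "outside", LAN, VPN_PUBLIC)  # rule as suggested above
SWAPPED = TwiceNat("inside", "outside", VPN_PUBLIC, LAN)   # networks exchanged
RDP_FROM_VPN = Packet("outside", "inside", "192.168.65.10", "10.170.5.50", 3389, from_vpn=True)
POSTER_BINDINGS = {"inside": ("VPN_access_in", "in")}


def summary(pkt: Packet = RDP_FROM_VPN) -> dict:
    return {
        "acl_consulted": acl_consulted(pkt, POSTER_BINDINGS),
        "acl_without_permit_vpn": acl_consulted(pkt, POSTER_BINDINGS, permit_vpn=False),
        "proposed_rule": nat_direction(PROPOSED, pkt),
        "swapped_rule": nat_direction(SWAPPED, pkt),
    }


if __name__ == "__main__":
    for key, value in summary().items():
        print(f"{key}: {value}")
```

Run as a script it shows that the RDP packet from the VPN client is never evaluated against VPN_access_in, matches the suggested rule in the reverse direction, and matches the swapped rule in neither; a new connection from the desktop toward the VPN client is the case the inside "in" ACL actually controls.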
03-22-2013 05:22 PM
JouniForss wrote:
Hi,
It would seem to me that you will need NAT0 / NAT Exempt type configuration for the VPN Pools to enable communication between LAN and VPN users
Try these
object network VPN-POOL-PUBLIC
subnet 192.168.65.0 255.255.255.0
object network VPN-POOL-GIS
subnet 192.168.90.0 255.255.255.0
object-group network LAN-NETWORKS
network-object 10.40.0.0 255.255.0.0
network-object 10.170.0.0 255.255.0.0
network-object host 10.70.1.180
network-object host 10.70.1.202
network-object host 10.92.2.188
nat (inside,outside) source static LAN-NETWORKS LAN-NETWORKS destination static VPN-POOL-PUBLIC VPN-POOL-PUBLIC
nat (inside,outside) source static LAN-NETWORKS LAN-NETWORKS destination static VPN-POOL-GIS VPN-POOL-GIS
If you don't want all those networks routed towards "inside" to be accessible through both of the VPNs, then we will need to modify the above NAT configurations a bit.
- Jouni
The above syntax did not work, but when I switched the LAN network with the VPN pool address for the source and destination, packet tracer says the flow is allowed, whereas before, with the above syntax, it errored at the ACL.
Why is that?
03-22-2013 05:48 PM
What exactly did you test with "packet-tracer"? It isn't very ideal for testing VPN-related traffic.
The NAT configuration doesn't make sense if you switch the networks, since the VPN pool isn't located on your "inside" and the LAN isn't located on the "outside".
- Jouni
03-22-2013 05:58 PM
TCP 3389 to a host on the inside network from a VPN IP address within the pool... said traffic allowed.
If I did it your way, it failed.
03-22-2013 06:15 PM
As I said, if you use "packet-tracer" from the "outside" to "inside" to simulate a connection coming from a VPN client, it might show completely wrong information, as "packet-tracer" isn't really meant to simulate connections coming from a VPN connection.
Have you tested an actual TCP/3389 connection while connected on VPN Client to the inside network?
- Jouni