IPSec VPN on ASA 9.1

Ninad Thakare
Level 1

Hi,

I have an ASA 5515-X with 9.1 version.

I have created 5 sub-interfaces on 0/1, each with its own subnet, and the firewall is the gateway for my users.

0/0 - outside - WAN

0/1.1 - inside16 - 172.16.16.1/23

0/1.2 - inside30 - 172.16.30.1/24

0/1.3 - inside33 - 172.16.33.1/24

0/1.4 - inside40 - 172.16.40.1/24

0/1.5 - inside128 - 172.16.128.1/24

All sub-interfaces are kept with security level 100.

To permit traffic, I have used the command lines below:

access-list inside33_access_in extended permit ip any any 
access-list inside40_access_in extended permit ip any any 
access-list inside30_access_in extended permit ip any any 
access-list inside128_access_in extended permit ip any4 any4 
access-list inside16_access_in extended permit ip any4 any4 

access-group inside16_access_in in interface inside16
access-group inside30_access_in in interface inside30
access-group inside33_access_in in interface inside33
access-group inside40_access_in in interface inside40
access-group inside128_access_in in interface inside128

I have created an IPsec VPN on my outside interface. I'm able to connect through the VPN tunnel, but it only communicates with the 16 VLAN, not the others, even when the 128 VLAN machine's firewall is disabled.

All the settings are defaults from the IPsec VPN configuration wizard, and the ACLs are inherited from the firewall ACLs.

Attached is the 'sh run' of the ASA.

Please help.

 

Regards,

Ninad Thakare

 

Accepted Solution

Daniel Hood
Level 1
I'm not 100% sure with AnyConnect VPNs, but try this:
nat (inside128,outside) source static any any destination static NETWORK_OBJ_10.10.10.0_24 NETWORK_OBJ_10.10.10.0_24 no-proxy-arp route-lookup
!
Then see if you can connect to the VPN and access anything from the 16 and 128 subnets?

10 Replies

Marvin Rhoads
Hall of Fame

Daniel is on the right track.

Your posted config has only exempted the one working subnet from NAT on the VPN. You need to add lines for each of the other subinterface VLANs.

Hi Marvin,

 

Yes, it worked. I missed those statements, but I still have an issue: my VPN users are not able to access the Internet even though the NIC adapter shows Internet access.

And my firewall loses all (LAN & WAN) connectivity after 3-4 hrs. I need to unplug and plug it back in; then it starts again and fails again after some time.

 

Brgds,

Ninad 

For your non-split-tunnel remote access VPN users to get internet via the ASA as VPN gateway, you need to make sure the VPN address pool is included in a nat(outside,outside) statement. 

Your loss of connectivity would need some further testing and log message analysis to ascertain the root cause. For instance, can you ping your default gateway from the ASA itself when this happens?

 

Sorry, which nat(outside,outside) statement?

You need a new nat(outside,outside) statement to make the remote access VPN user traffic properly NATted.

 

So it will work as:

!
object network NETWORK_OBJ_10.10.10.0_24
 nat (outside,outside) dynamic interface
!

Yes, that's correct.

Jouni explained it in a bit more detail in this post.
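As an added example (not from the thread and not from any of the posters), the complete set of NAT statements the replies above describe, written out for the five sub-interfaces in the original post and the 10.10.10.0/24 VPN pool named in Daniel's line. The pool subnet mask, the host addresses in the verification commands, and the 203.0.113.10 Internet destination are assumptions; substitute your own values.

```cisco
! Added example, not from the thread. ASA 9.1 syntax.
! Assumed: the remote-access VPN pool is 10.10.10.0/24 (object name taken
! from Daniel's reply), and client/host addresses below are made up.
!
! Object for the remote-access VPN address pool
object network NETWORK_OBJ_10.10.10.0_24
 subnet 10.10.10.0 255.255.255.0
!
! Section 1 (manual/twice NAT) identity rules, one per sub-interface.
! Each one exempts traffic between that VLAN and the VPN pool from NAT in
! both directions. The posted config only had the inside16 rule, which is
! why only the 16 VLAN was reachable.
nat (inside16,outside) source static any any destination static NETWORK_OBJ_10.10.10.0_24 NETWORK_OBJ_10.10.10.0_24 no-proxy-arp route-lookup
nat (inside30,outside) source static any any destination static NETWORK_OBJ_10.10.10.0_24 NETWORK_OBJ_10.10.10.0_24 no-proxy-arp route-lookup
nat (inside33,outside) source static any any destination static NETWORK_OBJ_10.10.10.0_24 NETWORK_OBJ_10.10.10.0_24 no-proxy-arp route-lookup
nat (inside40,outside) source static any any destination static NETWORK_OBJ_10.10.10.0_24 NETWORK_OBJ_10.10.10.0_24 no-proxy-arp route-lookup
nat (inside128,outside) source static any any destination static NETWORK_OBJ_10.10.10.0_24 NETWORK_OBJ_10.10.10.0_24 no-proxy-arp route-lookup
!
! Hairpin for non-split-tunnel clients: decrypted VPN traffic enters on
! outside and must leave on outside again, so intra-interface traffic has
! to be permitted and the pool PATed to the outside interface address.
! Object NAT lives in section 2, so the section 1 identity rules above are
! still matched first for traffic bound to the inside VLANs.
same-security-traffic permit intra-interface
object network NETWORK_OBJ_10.10.10.0_24
 nat (outside,outside) dynamic interface
!
! Verification (assumed addresses): confirm which NAT rule each flow hits.
! show nat detail
! packet-tracer input outside icmp 10.10.10.5 8 0 172.16.128.10
! packet-tracer input outside tcp 10.10.10.5 12345 203.0.113.10 443
```

The two packet-tracer runs should show the first flow matching one of the section 1 identity rules (no translation) and the second matching the section 2 object NAT rule with the source translated to the outside interface address; if the second one is dropped at the NAT or ACL phase, the hairpin half of the configuration is what is missing.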

 

Do I need to use a VPN pool from an inside subnet so that it will be covered by the nat (inside,outside) statement?

 

Hi,

My IPsec tunnel is up and able to connect to all networks, but the VPN client is not able to get Internet. They are not able to access the Internet.

Note : I have not configured split tunneling.

Please help.

Brgds,

Ninad Thakare
