12-21-2018 05:05 PM
Hello,
I am having an issue with remote access VPN users who are not able to ping the inside network because of a dynamic PAT statement that translates that subnet to the internet. However, once I remove that NAT statement, VPN users are able to reach that subnet. Please give me some advice.
Here are all of my NAT statements:
nat (inside,outside) source static DoS-Digitus DoS-Digitus-NAT-IP
nat (inside,outside) source static private_addresses private_addresses destination static private_addresses private_addresses no-proxy-arp description exempt s2s and all internal interfaces
nat (outside,outside) source static VPNpool VPNpool no-proxy-arp description anyconnect hairpin
nat (inside,outside) source static 10.0.0.0_13 10.0.0.0_13 destination static ISP_CWFM ISP_CWFM no-proxy-arp route-lookup
nat (inside,outside) source static 10.0.0.0_13 10.0.0.0_13 destination static 10.253.0.0_24 10.253.0.0_24 no-proxy-arp route-lookup
nat (inside,outside) source dynamic obj-10.0.0.0 interface description default pat
nat (inside,outside) source static NEC_10.0.0.0_8 NEC_10.0.0.0_8 destination static NBEC_INDIA NBEC_INDIA
nat (DMZ_CRL-R&D_Tokyo,outside) source static any any destination static NETWORK_OBJ_192.168.200.192_26 NETWORK_OBJ_192.168.200.192_26 no-proxy-arp route-lookup
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.200.0.96_28 NETWORK_OBJ_10.200.0.96_28 no-proxy-arp route-lookup
nat (DMZ_CRL-R&D_Tokyo,outside) source dynamic ars-obj-192.168.0.0_16 interface description default pat
nat (DMZ_AGO,outside) source dynamic AGO_CWFM01_PROXY_SRV interface description Allow_AGO_Proxy_to_Internet
nat (DMZ_CRL-R&D_Tokyo,outside) source dynamic obj-vcso-157.145.163.0_24 interface description Allow_VCSO_access_internet
!
As mentioned above, once I removed this statement:
nat (DMZ_CRL-R&D_Tokyo,outside) source dynamic obj-vcso-157.145.163.0_24 interface description Allow_VCSO_access_internet
then it works.
05-10-2019 11:08 PM
I solved the issue. The issue was that the NAT statement wasn't in the correct order.
12-22-2018 01:05 AM
Hello,
Post the full config of the ASA; we need to see the objects and check things like split tunneling (do you have that configured?) and the routing...
12-22-2018 12:40 PM
Hi Georg,
Thanks for looking into my issue. Yes, split tunneling is configured. I am using the dev_new VPN, so please look into the dev_new configuration.
And here is my ASA configuration:
ip local pool genericVPN 10.100.0.100-10.100.0.199 mask 255.0.0.0
ip local pool dc_poc_addr 10.100.0.25-10.100.0.26 mask 255.0.0.0
ip local pool CCH_VPN_Pool 172.31.151.200-172.31.151.240 mask 255.255.255.0
ip local pool DCL-Tokyo-Pool 192.168.200.200-192.168.200.240 mask 255.255.255.0
ip local pool ARS_RAVPN_Pool 10.200.0.100-10.200.0.110 mask 255.0.0.0
ip local pool CCH_VPN_Pool_new 192.168.197.200-192.168.197.240 mask 255.255.255.0
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address x.x.x.x
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ddns update primary
dhcp client update dns
ip address 10.0.0.1 255.0.0.0
!
interface GigabitEthernet0/2
nameif DMZ_AGO
security-level 50
ip address 192.168.197.2 255.255.255.0
!
interface GigabitEthernet0/3
channel-group 2 mode active
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
channel-group 2 mode active
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
channel-group 3 mode active
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/6
channel-group 3 mode active
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/7
nameif DMZ_CRL-R&D_Tokyo
security-level 50
ip address 192.168.200.1 255.255.255.0
!
interface Management0/0
management-only
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Port-channel1
lacp max-bundle 8
no nameif
security-level 50
ip address 172.100.2.2 255.255.255.252
!
interface Port-channel2
lacp max-bundle 8
nameif DMZ_AGO_CWFM01
security-level 50
ip address 172.31.151.254 255.255.255.0
!
interface Port-channel3
lacp max-bundle 8
nameif DMZ_AGO_CWFM02
security-level 50
ip address 172.31.156.254 255.255.255.0
!
dns domain-lookup inside
dns domain-lookup management
dns server-group DefaultDNS
name-server 10.0.0.12
domain-name ids.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj-10.0.0.0
subnet 10.0.0.0 255.240.0.0
object network VPNpool
range 10.100.0.100 10.100.0.199
object network LVMPD
subnet 71.1.180.208 255.255.255.248
object network obj-10.4.32.21
host 10.4.32.21
object network obj-10.4.32.23
host 10.4.32.23
object network placeholder
host 10.4.50.253
description placeholder
object network placeholder1
host 10.4.50.252
description placeholder
object network NBEC_INDIA
subnet 172.30.51.0 255.255.255.0
object network NEC_10.4.0.0_16
subnet 10.4.0.0 255.255.0.0
object network NEC_10.0.0.0_8
subnet 10.0.0.0 255.0.0.0
object network SB_192.168.38.0
subnet 192.168.38.0 255.255.255.0
object network dmz_LA_build
subnet 172.31.142.0 255.255.255.0
object network DEV_TEMP_VLAN100
subnet 172.100.1.0 255.255.255.0
object network Australia_Nets
subnet 10.10.0.0 255.255.0.0
object network NEC_DHCP
subnet 10.0.0.0 255.255.255.0
object network Demo_Net
subnet 10.4.33.0 255.255.255.0
description Subnet where demo machines
object network ipaddress
host 10.4.33.221
object network 192.168.253.0_24
subnet 192.168.253.0 255.255.255.0
object network 192.168.252.0_24
subnet 192.168.252.0 255.255.255.0
object network 172.100.2.0_30
subnet 172.100.2.0 255.255.255.252
object network 172.31.148.0_24
subnet 172.31.148.0 255.255.255.0
object network 172.31.149.0_24
subnet 172.31.149.0 255.255.255.0
object network ISP_CWFM02_PROXY_SRV
host 192.168.253.64
object network 172.100.3.0_24
subnet 172.100.3.0 255.255.255.0
object network 192.168.146.0_24
subnet 192.168.146.0 255.255.255.0
object network 192.168.147.0_24
subnet 192.168.147.0 255.255.255.0
object network 192.168.148.0_24
subnet 192.168.148.0 255.255.255.0
object network DoS-Digitus
host 10.4.130.2
object service DoS-Digitus-Port
service tcp source eq 8380 destination eq 8380
object network 192.168.251.0_24
subnet 192.168.251.0 255.255.255.0
object network 10.0.0.0_13
subnet 10.0.0.0 255.248.0.0
object network 10.253.0.0_24
subnet 10.253.0.0 255.255.255.0
description WideNet_Net
object network ISM-Connect
host 10.4.126.12
object network NETWORK_OBJ_172.31.151.192_26
subnet 172.31.151.192 255.255.255.192
object network NETWORK_OBJ_192.168.200.192_26
subnet 192.168.200.192 255.255.255.192
object network AGO_CWFM01_PROXY_SRV
host 192.168.199.64
object network obj-ago-cwfm01-esx03
host 172.31.151.60
object network NETWORK_OBJ_10.200.0.96_28
subnet 10.200.0.96 255.255.255.240
object network ars-obj-192.168.0.0_16
subnet 192.168.0.0 255.255.0.0
object network obj-vcso-157.145.163.0_24
subnet 157.145.163.0 255.255.255.0
object-group network private_addresses
network-object 10.0.0.0 255.0.0.0
network-object 172.24.26.0 255.255.255.0
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group network ISP_CWFM01
network-object object 172.100.3.0_24
network-object object 192.168.146.0_24
network-object object 192.168.147.0_24
network-object object 192.168.148.0_24
object-group network ISP_AWFM
network-object object 172.100.2.0_30
network-object object 172.31.148.0_24
network-object object 172.31.149.0_24
object-group network ISP_CWFM
network-object object 192.168.252.0_24
network-object object 192.168.251.0_24
network-object object 192.168.253.0_24
object-group network AGO_CWFM01_MBIS
network-object 172.31.150.0 255.255.255.0
network-object 172.31.151.0 255.255.255.0
network-object 172.31.152.0 255.255.255.0
object-group network AGO_CWFM02_MBIS
network-object 172.31.155.0 255.255.255.0
network-object 172.31.156.0 255.255.255.0
network-object 172.31.157.0 255.255.255.0
access-list split_tunnel_azdot standard permit 10.4.50.0 255.255.255.0
access-list split_tunnel_azdot standard permit host 10.0.0.10
access-list split_tunnel_dev_new standard permit 10.0.0.0 255.0.0.0
access-list split_tunnel_dev_new standard permit 157.145.163.0 255.255.255.0
access-list split_tunnel_dev_new standard permit 172.16.233.0 255.255.255.0
access-list split_tunnel_dev_int standard permit 10.0.0.0 255.0.0.0
access-list NEC_RC-to_NBEC_INDIA extended deny ip 10.10.0.0 255.255.0.0 object NBEC_INDIA
access-list NEC_RC-to_NBEC_INDIA extended permit ip object NEC_10.0.0.0_8 object NBEC_INDIA
access-list DEMO_ISM extended deny ip object ipaddress any
access-list DEMO_ISM extended permit ip object ipaddress object Demo_Net
access-list DEV_TEMP_VLAN100_access_in extended permit ip object DEV_TEMP_VLAN100 10.0.0.0 255.0.0.0
access-list AGO_CCH_ACCESS_IN extended permit ip any 192.168.199.192 255.255.255.192
access-list AGO_CCH_ACCESS_IN extended permit ip any 192.168.198.192 255.255.255.192
access-list DMZ_CRL-R&D_Tokyo_access_in extended permit ip any any
access-list Allow-Outside-In extended permit tcp any object DoS-Digitus eq 8380
access-list Allow-Outside-In extended permit ip any object ISM-Connect
access-list outside_access_in extended permit icmp any any
access-list outside_cryptomap_1 extended permit ip object 10.0.0.0_13 object-group ISP_CWFM
access-list outside_cryptomap_2 extended permit ip object 10.0.0.0_13 object 10.253.0.0_24
access-list VPN_ACCESS_IN extended permit ip host 10.0.101.29 host 10.4.33.155
access-list VPN_ACCESS_IN extended permit ip host 10.0.101.29 host 10.4.33.58
access-list VPN_ACCESS_IN extended deny ip host 10.0.101.29 any
access-list VPN_ACCESS_IN extended permit ip any any
access-list DMZ_AGO_access_in extended permit ip any any
nat (inside,outside) source static DoS-Digitus DoS-Digitus-NAT-IP
nat (inside,outside) source static private_addresses private_addresses destination static private_addresses private_addresses no-proxy-arp description exempt s2s and all internal interfaces
nat (outside,outside) source static VPNpool VPNpool no-proxy-arp description anyconnect hairpin
nat (inside,outside) source static 10.0.0.0_13 10.0.0.0_13 destination static ISP_CWFM ISP_CWFM no-proxy-arp route-lookup
nat (inside,outside) source static 10.0.0.0_13 10.0.0.0_13 destination static 10.253.0.0_24 10.253.0.0_24 no-proxy-arp route-lookup
nat (inside,outside) source dynamic obj-10.0.0.0 interface description default pat
nat (inside,outside) source static NEC_10.0.0.0_8 NEC_10.0.0.0_8 destination static NBEC_INDIA NBEC_INDIA
nat (DMZ_CRL-R&D_Tokyo,outside) source static any any destination static NETWORK_OBJ_192.168.200.192_26 NETWORK_OBJ_192.168.200.192_26 no-proxy-arp route-lookup
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.200.0.96_28 NETWORK_OBJ_10.200.0.96_28 no-proxy-arp route-lookup
nat (DMZ_CRL-R&D_Tokyo,outside) source dynamic ars-obj-192.168.0.0_16 interface description default pat
nat (DMZ_AGO,outside) source dynamic AGO_CWFM01_PROXY_SRV interface description Allow_AGO_Proxy_to_Internet
!
access-group outside_access_in in interface outside
access-group DMZ_AGO_access_in in interface DMZ_AGO
access-group DMZ_CRL-R&D_Tokyo_access_in in interface DMZ_CRL-R&D_Tokyo
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
route inside 10.10.0.0 255.255.0.0 10.0.0.254 1
route DMZ_CRL-R&D_Tokyo 157.145.163.0 255.255.255.0 192.168.200.2 1
route DMZ_CRL-R&D_Tokyo 172.16.233.0 255.255.255.0 192.168.200.2 1
route DMZ_AGO 192.168.198.0 255.255.255.0 192.168.197.1 1
route DMZ_AGO 192.168.199.0 255.255.255.0 192.168.197.1 1
route DMZ_CRL-R&D_Tokyo 192.168.201.0 255.255.255.0 192.168.200.2 1
ldap attribute-map AD_MAP
map-name memberOf Group-Policy
map-value memberOf "CN=System Engineers,OU=IDS,DC=IDS,DC=com" GroupPolicy_ARS_RAVPN
map-value memberOf "CN=vpn_test,OU=VPN,OU=IDS,DC=IDS,DC=com" GroupPolicy_ARS_RAVPN_TEST
map-name msRADIUSFramedIPAddress IETF-Radius-Framed-IP-Address
dynamic-access-policy-record DfltAccessPolicy
aaa-server ActiveDirectory protocol ldap
aaa-server LDAP_SRV_GRP protocol ldap
aaa-server LDAP_SRV_GRP (inside) host 10.0.0.10
server-port 389
ldap-base-dn DC=IDS,DC=com
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn cn=admin,cn=users,DC=IDS,DC=com
server-type microsoft
aaa-server LDAP_SRV protocol ldap
aaa-server LDAP_SRV (inside) host 10.0.0.10
server-port 389
ldap-base-dn OU=IDS,DC=IDS,DC=com
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=cisco_asa,OU=Engineering,OU=IDS,DC=IDS,DC=com
server-type microsoft
ldap-attribute-map AD_MAP
aaa-server LDAP_SRV_192 protocol ldap
aaa-server LDAP_SRV_192 (DMZ_CRL-R&D_Tokyo) host 192.168.200.10
server-port 636
ldap-base-dn OU=IDS,DC=IDS,DC=com
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=cisco_asa,OU=Engineering,OU=IDS,DC=IDS,DC=com
ldap-over-ssl enable
server-type microsoft
dhcpd dns 10.0.0.10 8.8.8.8
dhcpd lease 600
dhcpd update dns both
!
dhcpd address 10.0.0.240-10.0.0.250 inside
dhcpd dns 10.0.0.12 68.94.157.1 interface inside
dhcpd lease 86400 interface inside
dhcpd update dns both interface inside
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
ssl trust-point ASDM_TrustPoint4 outside
webvpn
enable outside
default-idle-timeout 86400
anyconnect image disk0:/anyconnect-win-3.1.05160-k9.pkg 1
anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 2
anyconnect image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 3
anyconnect profiles ARS_RAVPN_client_profile disk0:/ARS_RAVPN_client_profile.xml
anyconnect profiles CCH_VPN_client_profile disk0:/CCH_VPN_client_profile.xml
anyconnect profiles DCL-Tokyo_client_profile disk0:/DCL-Tokyo_client_profile.xml
anyconnect profiles RAVPN_TEST_client_profile disk0:/RAVPN_TEST_client_profile.xml
anyconnect profiles generic_client_profile disk0:/generic_client_profile.xml
anyconnect enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
dns-server value 10.0.0.10
vpn-simultaneous-logins 2
vpn-idle-timeout 180
vpn-session-timeout 1440
default-domain value ciscoasa.com
group-policy dfltgrppolicy internal
group-policy GroupPolicy_DCL-Tokyo internal
group-policy GroupPolicy_DCL-Tokyo attributes
wins-server none
dns-server value 192.168.201.10
vpn-tunnel-protocol ikev2 ssl-client
default-domain value ids.com
webvpn
anyconnect profiles value DCL-Tokyo_client_profile type user
group-policy GroupPolicy_CCH_VPN internal
group-policy GroupPolicy_CCH_VPN attributes
wins-server none
dns-server value 172.31.150.65
vpn-filter value AGO_CCH_ACCESS_IN
vpn-tunnel-protocol ikev2 ssl-client
default-domain value necbiometrics.net
webvpn
anyconnect profiles value CCH_VPN_client_profile type user
group-policy GroupPolicy_ARS_RAVPN internal
group-policy GroupPolicy_ARS_RAVPN attributes
wins-server none
dns-server value 10.0.0.12
vpn-tunnel-protocol ikev2 ssl-client
default-domain value necbiometrics.net
webvpn
anyconnect profiles value ARS_RAVPN_client_profile type user
group-policy GroupPolicy_dev_new internal
group-policy GroupPolicy_dev_new attributes
wins-server none
dns-server value 10.0.0.10
vpn-filter value VPN_ACCESS_IN
vpn-tunnel-protocol ikev2 ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split_tunnel_dev_new
default-domain value ciscoasa.com
webvpn
anyconnect profiles value generic_client_profile type user
group-policy GroupPolicy_azdot internal
group-policy GroupPolicy_azdot attributes
wins-server none
dns-server value 10.0.0.10
vpn-tunnel-protocol ikev2 ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split_tunnel_azdot
default-domain value ciscoasa.com
webvpn
anyconnect profiles value generic_client_profile type user
group-policy GroupPolicy_dev_int internal
group-policy GroupPolicy_dev_int attributes
wins-server none
dns-server value 10.0.0.10
vpn-tunnel-protocol ikev2 ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split_tunnel_dev_int
default-domain value ciscoasa.com
webvpn
anyconnect profiles value generic_client_profile type user
group-policy GroupPolicy_ARS_RAVPN_TEST internal
group-policy GroupPolicy_ARS_RAVPN_TEST attributes
wins-server none
dns-server value 10.0.0.12
vpn-tunnel-protocol ikev2 ssl-client
default-domain value necbiometrics.net
group-policy GroupPolicy_generic internal
group-policy GroupPolicy_generic attributes
wins-server none
dns-server value 10.0.0.10
vpn-simultaneous-logins 2
vpn-tunnel-protocol ikev2 ssl-client
split-tunnel-policy tunnelall
default-domain value ciscoasa.com
split-tunnel-all-dns enable
webvpn
anyconnect profiles value generic_client_profile type user
group-policy GroupPolicy_dc_poc internal
group-policy GroupPolicy_dc_poc attributes
wins-server none
dns-server value 10.0.0.10
vpn-tunnel-protocol ikev1 ikev2 ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split_tunnel_dev_new
default-domain value ids.com
address-pools value dc_poc_addr
group-policy GroupPolicy_209.11.207.212 internal
group-policy GroupPolicy_209.11.207.212 attributes
vpn-tunnel-protocol ikev1 ikev2
group-policy GroupPolicy_52.247.157.60 internal
group-policy GroupPolicy_52.247.157.60 attributes
vpn-tunnel-protocol ikev1 ikev2
tunnel-group generic type remote-access
tunnel-group generic general-attributes
address-pool genericVPN
default-group-policy GroupPolicy_generic
tunnel-group generic webvpn-attributes
group-alias General enable
group-alias generic disable
tunnel-group Remote_Access_Group type remote-access
tunnel-group Remote_Access_Group general-attributes
address-pool genericVPN
authentication-server-group LDAP_SRV_GRP
tunnel-group Remote_Access_Group ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group azdot type remote-access
tunnel-group azdot general-attributes
address-pool genericVPN
default-group-policy GroupPolicy_azdot
tunnel-group azdot webvpn-attributes
group-alias AZDOT enable
tunnel-group dev_new type remote-access
tunnel-group dev_new general-attributes
address-pool genericVPN
tunnel-group dev_new webvpn-attributes
group-alias DEV_NEW enable
tunnel-group dev_int type remote-access
tunnel-group dev_int general-attributes
address-pool genericVPN
default-group-policy GroupPolicy_dev_int
tunnel-group dev_int webvpn-attributes
group-alias DEV_INT enable
tunnel-group 14.142.5.41 type ipsec-l2l
tunnel-group 14.142.5.41 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group z_dc_poc type remote-access
tunnel-group z_dc_poc general-attributes
address-pool dc_poc_addr
default-group-policy GroupPolicy_dc_poc
tunnel-group z_dc_poc webvpn-attributes
group-alias Z_DC_POC enable
tunnel-group 125.16.168.18 type ipsec-l2l
tunnel-group 125.16.168.18 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group 209.11.207.212 type ipsec-l2l
tunnel-group 209.11.207.212 general-attributes
default-group-policy GroupPolicy_209.11.207.212
tunnel-group 209.11.207.212 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group 52.247.157.60 type ipsec-l2l
tunnel-group 52.247.157.60 general-attributes
default-group-policy GroupPolicy_52.247.157.60
tunnel-group 52.247.157.60 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group CCH_VPN type remote-access
tunnel-group CCH_VPN general-attributes
address-pool CCH_VPN_Pool_new
default-group-policy GroupPolicy_CCH_VPN
tunnel-group CCH_VPN webvpn-attributes
group-alias CCH_VPN enable
tunnel-group DCL-Tokyo type remote-access
tunnel-group DCL-Tokyo general-attributes
address-pool DCL-Tokyo-Pool
authentication-server-group LDAP_SRV_192
default-group-policy GroupPolicy_DCL-Tokyo
password-management password-expire-in-days 100
tunnel-group DCL-Tokyo webvpn-attributes
group-alias DCL-Tokyo enable
tunnel-group ARS_RAVPN type remote-access
tunnel-group ARS_RAVPN general-attributes
address-pool ARS_RAVPN_Pool
authentication-server-group LDAP_SRV
default-group-policy GroupPolicy_ARS_RAVPN
password-management password-expire-in-days 5
tunnel-group ARS_RAVPN webvpn-attributes
group-alias ARS_RAVPN enable
!
12-23-2018 10:41 AM
Hello,
It is hard to figure out what belongs to what in your configuration, especially since I don't see network 157.145.163.0/24 configured on any of the interfaces on your ASA. Where is that network? I don't know what the hairpinning is for; better to post a schematic drawing of your topology. I have removed that line.
Either way, a standard way to configure the VPN access would look like the below:
--> no nat (outside,outside) source static VPNpool VPNpool no-proxy-arp description anyconnect hairpin
Make sure your config looks like this:
ip local pool dc_poc_addr 10.100.0.25-10.100.0.26 mask 255.0.0.0
!
access-list split_tunnel_dev_new standard permit 157.145.163.0 255.255.255.0
!
group-policy GroupPolicy_dc_poc internal
group-policy GroupPolicy_dc_poc attributes
wins-server none
dns-server value 10.0.0.10
vpn-tunnel-protocol ikev1 ikev2 ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split_tunnel_dev_new
default-domain value ids.com
address-pools value dc_poc_addr
webvpn
anyconnect profiles value generic_client_profile type user
--
tunnel-group z_dc_poc type remote-access
tunnel-group z_dc_poc general-attributes
address-pool dc_poc_addr
default-group-policy GroupPolicy_dc_poc
tunnel-group z_dc_poc webvpn-attributes
group-alias Z_DC_POC enable
!
object network VPNpool
range 10.100.0.100 10.100.0.199
!
nat (inside,outside) 1 source static any any destination static VPNpool VPNpool no-proxy-arp route-lookup
nat (inside,outside) 2 source dynamic any interface
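The fix the thread converged on (NAT rule order), written out as an added configuration example; this is not part of any post above. ASA manual NAT (Section 1) rules are evaluated first-match in the order they appear in `show nat`, so the dynamic PAT for 157.145.163.0/24 on the (DMZ_CRL-R&D_Tokyo,outside) pair also catches the return traffic from that subnet to the AnyConnect pool unless an identity rule for that pair is listed before it. The existing `private_addresses` exemption only covers the (inside,outside) pair, which is why it did not help here. Object and interface names are taken from the posted config; the two packet-tracer addresses are assumed test values.

```cisco
! Objects already present in the posted config (shown for context only)
object network VPNpool
 range 10.100.0.100 10.100.0.199
object network obj-vcso-157.145.163.0_24
 subnet 157.145.163.0 255.255.255.0
!
! 1) Identity (twice) NAT for DMZ <-> VPN-client traffic, inserted at line 1
!    so it is evaluated before the dynamic PAT below. A static rule is
!    bidirectional, so both directions are exempt. route-lookup tells the ASA
!    to pick the egress interface from the routing table (the per-session
!    routes added for AnyConnect clients) instead of the mapped interface.
nat (DMZ_CRL-R&D_Tokyo,outside) 1 source static obj-vcso-157.145.163.0_24 obj-vcso-157.145.163.0_24 destination static VPNpool VPNpool no-proxy-arp route-lookup
!
! 2) The default PAT stays, but now only matches DMZ hosts whose destination
!    is not in the VPN pool, i.e. real internet destinations.
nat (DMZ_CRL-R&D_Tokyo,outside) source dynamic obj-vcso-157.145.163.0_24 interface description Allow_VCSO_access_internet
!
! Verification: confirm the order, then trace a DMZ -> VPN-client packet.
! 157.145.163.10 (DMZ host) and 10.100.0.100 (VPN client) are assumed values.
show nat
packet-tracer input DMZ_CRL-R&D_Tokyo icmp 157.145.163.10 8 0 10.100.0.100 detailed
```

In the packet-tracer output, the NAT phase should reference the identity rule rather than the dynamic PAT, and the result should be ALLOW. If the identity rule is added without the line number it lands at the end of Section 1, after the PAT, and the original symptom remains; that is the ordering mistake the original poster describes.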