1275 Views | 0 Helpful | 7 Replies

ASA 9.x dynamic PAT issue

hungdoannguyen
Level 1

Hello,

I am having an issue with remote access VPN users who are not able to ping the inside network because of a dynamic PAT statement that translates that subnet to the internet. However, once I removed that NAT statement, VPN users were able to reach that subnet. Please give me some advice.

Here are all my NAT statements:


nat (inside,outside) source static DoS-Digitus DoS-Digitus-NAT-IP
nat (inside,outside) source static private_addresses private_addresses destination static private_addresses private_addresses no-proxy-arp description exempt s2s and all internal interfaces
nat (outside,outside) source static VPNpool VPNpool no-proxy-arp description anyconnect hairpin
nat (inside,outside) source static 10.0.0.0_13 10.0.0.0_13 destination static ISP_CWFM ISP_CWFM no-proxy-arp route-lookup
nat (inside,outside) source static 10.0.0.0_13 10.0.0.0_13 destination static 10.253.0.0_24 10.253.0.0_24 no-proxy-arp route-lookup
nat (inside,outside) source dynamic obj-10.0.0.0 interface description default pat
nat (inside,outside) source static NEC_10.0.0.0_8 NEC_10.0.0.0_8 destination static NBEC_INDIA NBEC_INDIA
nat (DMZ_CRL-R&D_Tokyo,outside) source static any any destination static NETWORK_OBJ_192.168.200.192_26 NETWORK_OBJ_192.168.200.192_26 no-proxy-arp route-lookup
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.200.0.96_28 NETWORK_OBJ_10.200.0.96_28 no-proxy-arp route-lookup
nat (DMZ_CRL-R&D_Tokyo,outside) source dynamic ars-obj-192.168.0.0_16 interface description default pat
nat (DMZ_AGO,outside) source dynamic AGO_CWFM01_PROXY_SRV interface description Allow_AGO_Proxy_to_Internet
nat (DMZ_CRL-R&D_Tokyo,outside) source dynamic obj-vcso-157.145.163.0_24 interface description Allow_VCSO_access_internet
!

As mentioned above, once I removed this statement:

nat (DMZ_CRL-R&D_Tokyo,outside) source dynamic obj-vcso-157.145.163.0_24 interface description Allow_VCSO_access_internet

then it works.

Accepted Solution

I solved the issue. The issue was the NAT statement wasn't in the correct order.

7 Replies

Hello,

Post the full config of the ASA; we need to see the objects and check things like split tunneling (do you have that configured?) and the routing...

Hi Georg,

Thanks for looking into my issue. Yes, split tunneling is configured. I am using the dev_new VPN, so please look into the dev_new configuration.

And here is my ASA configuration:


ip local pool genericVPN 10.100.0.100-10.100.0.199 mask 255.0.0.0
ip local pool dc_poc_addr 10.100.0.25-10.100.0.26 mask 255.0.0.0
ip local pool CCH_VPN_Pool 172.31.151.200-172.31.151.240 mask 255.255.255.0
ip local pool DCL-Tokyo-Pool 192.168.200.200-192.168.200.240 mask 255.255.255.0
ip local pool ARS_RAVPN_Pool 10.200.0.100-10.200.0.110 mask 255.0.0.0
ip local pool CCH_VPN_Pool_new 192.168.197.200-192.168.197.240 mask 255.255.255.0
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address x.x.x.x
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ddns update primary
 dhcp client update dns
 ip address 10.0.0.1 255.0.0.0
!
interface GigabitEthernet0/2
 nameif DMZ_AGO
 security-level 50
 ip address 192.168.197.2 255.255.255.0
!
interface GigabitEthernet0/3
 channel-group 2 mode active
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 channel-group 2 mode active
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 channel-group 3 mode active
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/6
 channel-group 3 mode active
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/7
 nameif DMZ_CRL-R&D_Tokyo
 security-level 50
 ip address 192.168.200.1 255.255.255.0
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Port-channel1
 lacp max-bundle 8
 no nameif
 security-level 50
 ip address 172.100.2.2 255.255.255.252
!
interface Port-channel2
 lacp max-bundle 8
 nameif DMZ_AGO_CWFM01
 security-level 50
 ip address 172.31.151.254 255.255.255.0
!
interface Port-channel3
 lacp max-bundle 8
 nameif DMZ_AGO_CWFM02
 security-level 50
 ip address 172.31.156.254 255.255.255.0
!
dns domain-lookup inside
dns domain-lookup management
dns server-group DefaultDNS
 name-server 10.0.0.12
 domain-name ids.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj-10.0.0.0
 subnet 10.0.0.0 255.240.0.0
object network VPNpool
 range 10.100.0.100 10.100.0.199
object network LVMPD
 subnet 71.1.180.208 255.255.255.248
object network obj-10.4.32.21
 host 10.4.32.21
object network obj-10.4.32.23
 host 10.4.32.23
object network placeholder
 host 10.4.50.253
 description placeholder
object network placeholder1
 host 10.4.50.252
 description placeholder
object network NBEC_INDIA
 subnet 172.30.51.0 255.255.255.0
object network NEC_10.4.0.0_16
 subnet 10.4.0.0 255.255.0.0
object network NEC_10.0.0.0_8
 subnet 10.0.0.0 255.0.0.0
object network SB_192.168.38.0
 subnet 192.168.38.0 255.255.255.0
object network dmz_LA_build
 subnet 172.31.142.0 255.255.255.0
object network DEV_TEMP_VLAN100
 subnet 172.100.1.0 255.255.255.0
object network Australia_Nets
 subnet 10.10.0.0 255.255.0.0
object network NEC_DHCP
 subnet 10.0.0.0 255.255.255.0
object network Demo_Net
 subnet 10.4.33.0 255.255.255.0
 description Subnet where demo machines
object network ipaddress
 host 10.4.33.221
object network 192.168.253.0_24
 subnet 192.168.253.0 255.255.255.0
object network 192.168.252.0_24
 subnet 192.168.252.0 255.255.255.0
object network 172.100.2.0_30
 subnet 172.100.2.0 255.255.255.252
object network 172.31.148.0_24
 subnet 172.31.148.0 255.255.255.0
object network 172.31.149.0_24
 subnet 172.31.149.0 255.255.255.0
object network ISP_CWFM02_PROXY_SRV
 host 192.168.253.64
object network 172.100.3.0_24
 subnet 172.100.3.0 255.255.255.0
object network 192.168.146.0_24
 subnet 192.168.146.0 255.255.255.0
object network 192.168.147.0_24
 subnet 192.168.147.0 255.255.255.0
object network 192.168.148.0_24
 subnet 192.168.148.0 255.255.255.0
object network DoS-Digitus
 host 10.4.130.2
object service DoS-Digitus-Port
 service tcp source eq 8380 destination eq 8380
object network 192.168.251.0_24
 subnet 192.168.251.0 255.255.255.0
object network 10.0.0.0_13
 subnet 10.0.0.0 255.248.0.0
object network 10.253.0.0_24
 subnet 10.253.0.0 255.255.255.0
 description WideNet_Net
object network ISM-Connect
 host 10.4.126.12
object network NETWORK_OBJ_172.31.151.192_26
 subnet 172.31.151.192 255.255.255.192
object network NETWORK_OBJ_192.168.200.192_26
 subnet 192.168.200.192 255.255.255.192
object network AGO_CWFM01_PROXY_SRV
 host 192.168.199.64
object network obj-ago-cwfm01-esx03
 host 172.31.151.60
object network NETWORK_OBJ_10.200.0.96_28
 subnet 10.200.0.96 255.255.255.240
object network ars-obj-192.168.0.0_16
 subnet 192.168.0.0 255.255.0.0
object network obj-vcso-157.145.163.0_24
 subnet 157.145.163.0 255.255.255.0
object-group network private_addresses
 network-object 10.0.0.0 255.0.0.0
 network-object 172.24.26.0 255.255.255.0
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group network ISP_CWFM01
 network-object object 172.100.3.0_24
 network-object object 192.168.146.0_24
 network-object object 192.168.147.0_24
 network-object object 192.168.148.0_24
object-group network ISP_AWFM
 network-object object 172.100.2.0_30
 network-object object 172.31.148.0_24
 network-object object 172.31.149.0_24
object-group network ISP_CWFM
 network-object object 192.168.252.0_24
 network-object object 192.168.251.0_24
 network-object object 192.168.253.0_24
object-group network AGO_CWFM01_MBIS
 network-object 172.31.150.0 255.255.255.0
 network-object 172.31.151.0 255.255.255.0
 network-object 172.31.152.0 255.255.255.0
object-group network AGO_CWFM02_MBIS
 network-object 172.31.155.0 255.255.255.0
 network-object 172.31.156.0 255.255.255.0
 network-object 172.31.157.0 255.255.255.0
access-list split_tunnel_azdot standard permit 10.4.50.0 255.255.255.0
access-list split_tunnel_azdot standard permit host 10.0.0.10
access-list split_tunnel_dev_new standard permit 10.0.0.0 255.0.0.0
access-list split_tunnel_dev_new standard permit 157.145.163.0 255.255.255.0
access-list split_tunnel_dev_new standard permit 172.16.233.0 255.255.255.0
access-list split_tunnel_dev_int standard permit 10.0.0.0 255.0.0.0
access-list NEC_RC-to_NBEC_INDIA extended deny ip 10.10.0.0 255.255.0.0 object NBEC_INDIA
access-list NEC_RC-to_NBEC_INDIA extended permit ip object NEC_10.0.0.0_8 object NBEC_INDIA
access-list DEMO_ISM extended deny ip object ipaddress any
access-list DEMO_ISM extended permit ip object ipaddress object Demo_Net
access-list DEV_TEMP_VLAN100_access_in extended permit ip object DEV_TEMP_VLAN100 10.0.0.0 255.0.0.0
access-list AGO_CCH_ACCESS_IN extended permit ip any 192.168.199.192 255.255.255.192
access-list AGO_CCH_ACCESS_IN extended permit ip any 192.168.198.192 255.255.255.192
access-list DMZ_CRL-R&D_Tokyo_access_in extended permit ip any any
access-list Allow-Outside-In extended permit tcp any object DoS-Digitus eq 8380
access-list Allow-Outside-In extended permit ip any object ISM-Connect
access-list outside_access_in extended permit icmp any any
access-list outside_cryptomap_1 extended permit ip object 10.0.0.0_13 object-group ISP_CWFM
access-list outside_cryptomap_2 extended permit ip object 10.0.0.0_13 object 10.253.0.0_24
access-list VPN_ACCESS_IN extended permit ip host 10.0.101.29 host 10.4.33.155
access-list VPN_ACCESS_IN extended permit ip host 10.0.101.29 host 10.4.33.58
access-list VPN_ACCESS_IN extended deny ip host 10.0.101.29 any
access-list VPN_ACCESS_IN extended permit ip any any
access-list DMZ_AGO_access_in extended permit ip any any

nat (inside,outside) source static DoS-Digitus DoS-Digitus-NAT-IP
nat (inside,outside) source static private_addresses private_addresses destination static private_addresses private_addresses no-proxy-arp description exempt s2s and all internal interfaces
nat (outside,outside) source static VPNpool VPNpool no-proxy-arp description anyconnect hairpin
nat (inside,outside) source static 10.0.0.0_13 10.0.0.0_13 destination static ISP_CWFM ISP_CWFM no-proxy-arp route-lookup
nat (inside,outside) source static 10.0.0.0_13 10.0.0.0_13 destination static 10.253.0.0_24 10.253.0.0_24 no-proxy-arp route-lookup
nat (inside,outside) source dynamic obj-10.0.0.0 interface description default pat
nat (inside,outside) source static NEC_10.0.0.0_8 NEC_10.0.0.0_8 destination static NBEC_INDIA NBEC_INDIA
nat (DMZ_CRL-R&D_Tokyo,outside) source static any any destination static NETWORK_OBJ_192.168.200.192_26 NETWORK_OBJ_192.168.200.192_26 no-proxy-arp route-lookup
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.200.0.96_28 NETWORK_OBJ_10.200.0.96_28 no-proxy-arp route-lookup
nat (DMZ_CRL-R&D_Tokyo,outside) source dynamic ars-obj-192.168.0.0_16 interface description default pat
nat (DMZ_AGO,outside) source dynamic AGO_CWFM01_PROXY_SRV interface description Allow_AGO_Proxy_to_Internet
!
access-group outside_access_in in interface outside
access-group DMZ_AGO_access_in in interface DMZ_AGO
access-group DMZ_CRL-R&D_Tokyo_access_in in interface DMZ_CRL-R&D_Tokyo
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
route inside 10.10.0.0 255.255.0.0 10.0.0.254 1
route DMZ_CRL-R&D_Tokyo 157.145.163.0 255.255.255.0 192.168.200.2 1
route DMZ_CRL-R&D_Tokyo 172.16.233.0 255.255.255.0 192.168.200.2 1
route DMZ_AGO 192.168.198.0 255.255.255.0 192.168.197.1 1
route DMZ_AGO 192.168.199.0 255.255.255.0 192.168.197.1 1
route DMZ_CRL-R&D_Tokyo 192.168.201.0 255.255.255.0 192.168.200.2 1

ldap attribute-map AD_MAP
  map-name  memberOf Group-Policy
  map-value memberOf "CN=System Engineers,OU=IDS,DC=IDS,DC=com" GroupPolicy_ARS_RAVPN
  map-value memberOf "CN=vpn_test,OU=VPN,OU=IDS,DC=IDS,DC=com" GroupPolicy_ARS_RAVPN_TEST
  map-name  msRADIUSFramedIPAddress IETF-Radius-Framed-IP-Address
dynamic-access-policy-record DfltAccessPolicy
aaa-server ActiveDirectory protocol ldap
aaa-server LDAP_SRV_GRP protocol ldap
aaa-server LDAP_SRV_GRP (inside) host 10.0.0.10
 server-port 389
 ldap-base-dn DC=IDS,DC=com
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn cn=admin,cn=users,DC=IDS,DC=com
 server-type microsoft
aaa-server LDAP_SRV protocol ldap
aaa-server LDAP_SRV (inside) host 10.0.0.10
 server-port 389
 ldap-base-dn OU=IDS,DC=IDS,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=cisco_asa,OU=Engineering,OU=IDS,DC=IDS,DC=com
 server-type microsoft
 ldap-attribute-map AD_MAP
aaa-server LDAP_SRV_192 protocol ldap
aaa-server LDAP_SRV_192 (DMZ_CRL-R&D_Tokyo) host 192.168.200.10
 server-port 636
 ldap-base-dn OU=IDS,DC=IDS,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=cisco_asa,OU=Engineering,OU=IDS,DC=IDS,DC=com
 ldap-over-ssl enable
 server-type microsoft

dhcpd dns 10.0.0.10 8.8.8.8
dhcpd lease 600
dhcpd update dns both
!
dhcpd address 10.0.0.240-10.0.0.250 inside
dhcpd dns 10.0.0.12 68.94.157.1 interface inside
dhcpd lease 86400 interface inside
dhcpd update dns both interface inside
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
ssl trust-point ASDM_TrustPoint4 outside
webvpn
 enable outside
 default-idle-timeout 86400
 anyconnect image disk0:/anyconnect-win-3.1.05160-k9.pkg 1
 anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 2
 anyconnect image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 3
 anyconnect profiles ARS_RAVPN_client_profile disk0:/ARS_RAVPN_client_profile.xml
 anyconnect profiles CCH_VPN_client_profile disk0:/CCH_VPN_client_profile.xml
 anyconnect profiles DCL-Tokyo_client_profile disk0:/DCL-Tokyo_client_profile.xml
 anyconnect profiles RAVPN_TEST_client_profile disk0:/RAVPN_TEST_client_profile.xml
 anyconnect profiles generic_client_profile disk0:/generic_client_profile.xml
 anyconnect enable
 tunnel-group-list enable
group-policy DfltGrpPolicy attributes
 dns-server value 10.0.0.10
 vpn-simultaneous-logins 2
 vpn-idle-timeout 180
 vpn-session-timeout 1440
 default-domain value ciscoasa.com
group-policy dfltgrppolicy internal
group-policy GroupPolicy_DCL-Tokyo internal
group-policy GroupPolicy_DCL-Tokyo attributes
 wins-server none
 dns-server value 192.168.201.10
 vpn-tunnel-protocol ikev2 ssl-client
 default-domain value ids.com
 webvpn
  anyconnect profiles value DCL-Tokyo_client_profile type user
group-policy GroupPolicy_CCH_VPN internal
group-policy GroupPolicy_CCH_VPN attributes
 wins-server none
 dns-server value 172.31.150.65
 vpn-filter value AGO_CCH_ACCESS_IN
 vpn-tunnel-protocol ikev2 ssl-client
 default-domain value necbiometrics.net
 webvpn
  anyconnect profiles value CCH_VPN_client_profile type user
group-policy GroupPolicy_ARS_RAVPN internal
group-policy GroupPolicy_ARS_RAVPN attributes
 wins-server none
 dns-server value 10.0.0.12
 vpn-tunnel-protocol ikev2 ssl-client
 default-domain value necbiometrics.net
 webvpn
  anyconnect profiles value ARS_RAVPN_client_profile type user
group-policy GroupPolicy_dev_new internal
group-policy GroupPolicy_dev_new attributes
 wins-server none
 dns-server value 10.0.0.10
 vpn-filter value VPN_ACCESS_IN
 vpn-tunnel-protocol ikev2 ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_tunnel_dev_new
 default-domain value ciscoasa.com
 webvpn
  anyconnect profiles value generic_client_profile type user
group-policy GroupPolicy_azdot internal
group-policy GroupPolicy_azdot attributes
 wins-server none
 dns-server value 10.0.0.10
 vpn-tunnel-protocol ikev2 ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_tunnel_azdot
 default-domain value ciscoasa.com
 webvpn
  anyconnect profiles value generic_client_profile type user
group-policy GroupPolicy_dev_int internal
group-policy GroupPolicy_dev_int attributes
 wins-server none
 dns-server value 10.0.0.10
 vpn-tunnel-protocol ikev2 ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_tunnel_dev_int
 default-domain value ciscoasa.com
 webvpn
  anyconnect profiles value generic_client_profile type user
group-policy GroupPolicy_ARS_RAVPN_TEST internal
group-policy GroupPolicy_ARS_RAVPN_TEST attributes
 wins-server none
 dns-server value 10.0.0.12
 vpn-tunnel-protocol ikev2 ssl-client
 default-domain value necbiometrics.net
group-policy GroupPolicy_generic internal
group-policy GroupPolicy_generic attributes
 wins-server none
 dns-server value 10.0.0.10
 vpn-simultaneous-logins 2
 vpn-tunnel-protocol ikev2 ssl-client
 split-tunnel-policy tunnelall
 default-domain value ciscoasa.com
 split-tunnel-all-dns enable
 webvpn
  anyconnect profiles value generic_client_profile type user
group-policy GroupPolicy_dc_poc internal
group-policy GroupPolicy_dc_poc attributes
 wins-server none
 dns-server value 10.0.0.10
 vpn-tunnel-protocol ikev1 ikev2 ssl-client ssl-clientless
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_tunnel_dev_new
 default-domain value ids.com
 address-pools value dc_poc_addr
group-policy GroupPolicy_209.11.207.212 internal
group-policy GroupPolicy_209.11.207.212 attributes
 vpn-tunnel-protocol ikev1 ikev2
group-policy GroupPolicy_52.247.157.60 internal
group-policy GroupPolicy_52.247.157.60 attributes
 vpn-tunnel-protocol ikev1 ikev2

tunnel-group generic type remote-access
tunnel-group generic general-attributes
 address-pool genericVPN
 default-group-policy GroupPolicy_generic
tunnel-group generic webvpn-attributes
 group-alias General enable
 group-alias generic disable
tunnel-group Remote_Access_Group type remote-access
tunnel-group Remote_Access_Group general-attributes
 address-pool genericVPN
 authentication-server-group LDAP_SRV_GRP
tunnel-group Remote_Access_Group ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group azdot type remote-access
tunnel-group azdot general-attributes
 address-pool genericVPN
 default-group-policy GroupPolicy_azdot
tunnel-group azdot webvpn-attributes
 group-alias AZDOT enable
tunnel-group dev_new type remote-access
tunnel-group dev_new general-attributes
 address-pool genericVPN
tunnel-group dev_new webvpn-attributes
 group-alias DEV_NEW enable
tunnel-group dev_int type remote-access
tunnel-group dev_int general-attributes
 address-pool genericVPN
 default-group-policy GroupPolicy_dev_int
tunnel-group dev_int webvpn-attributes
 group-alias DEV_INT enable
tunnel-group 14.142.5.41 type ipsec-l2l
tunnel-group 14.142.5.41 ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
tunnel-group z_dc_poc type remote-access
tunnel-group z_dc_poc general-attributes
 address-pool dc_poc_addr
 default-group-policy GroupPolicy_dc_poc
tunnel-group z_dc_poc webvpn-attributes
 group-alias Z_DC_POC enable
tunnel-group 125.16.168.18 type ipsec-l2l
tunnel-group 125.16.168.18 ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
tunnel-group 209.11.207.212 type ipsec-l2l
tunnel-group 209.11.207.212 general-attributes
 default-group-policy GroupPolicy_209.11.207.212
tunnel-group 209.11.207.212 ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
tunnel-group 52.247.157.60 type ipsec-l2l
tunnel-group 52.247.157.60 general-attributes
 default-group-policy GroupPolicy_52.247.157.60
tunnel-group 52.247.157.60 ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
tunnel-group CCH_VPN type remote-access
tunnel-group CCH_VPN general-attributes
 address-pool CCH_VPN_Pool_new
 default-group-policy GroupPolicy_CCH_VPN
tunnel-group CCH_VPN webvpn-attributes
 group-alias CCH_VPN enable
tunnel-group DCL-Tokyo type remote-access
tunnel-group DCL-Tokyo general-attributes
 address-pool DCL-Tokyo-Pool
 authentication-server-group LDAP_SRV_192
 default-group-policy GroupPolicy_DCL-Tokyo
 password-management password-expire-in-days 100
tunnel-group DCL-Tokyo webvpn-attributes
 group-alias DCL-Tokyo enable
tunnel-group ARS_RAVPN type remote-access
tunnel-group ARS_RAVPN general-attributes
 address-pool ARS_RAVPN_Pool
 authentication-server-group LDAP_SRV
 default-group-policy GroupPolicy_ARS_RAVPN
 password-management password-expire-in-days 5
tunnel-group ARS_RAVPN webvpn-attributes
 group-alias ARS_RAVPN enable
!

Please note that I removed the NAT statement in the posted configuration, but after removing it, that subnet is no longer able to access the internet. If you have any solution that allows VPN users in the range 10.100.0.x to reach the subnet 157.145.163.0/24 while this subnet is still able to access the internet, please let me know. Thanks in advance.

Hello,

It is hard to figure out what belongs to what in your configuration, especially since I don't see network 157.145.163.0/24 configured on any of the interfaces on your ASA. Where is that network? I don't know what the hairpinning is for; it would be better to post a schematic drawing of your topology. I have removed that line.

Either way, a standard way to configure the VPN access would look like the below:

--> no nat (outside,outside) source static VPNpool VPNpool no-proxy-arp description anyconnect hairpin

Make sure your config looks like this:


ip local pool dc_poc_addr 10.100.0.25-10.100.0.26 mask 255.0.0.0
!
access-list split_tunnel_dev_new standard permit 157.145.163.0 255.255.255.0
!
group-policy GroupPolicy_dc_poc internal
group-policy GroupPolicy_dc_poc attributes
 wins-server none
 dns-server value 10.0.0.10
 vpn-tunnel-protocol ikev1 ikev2 ssl-client ssl-clientless
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_tunnel_dev_new
 default-domain value ids.com
 address-pools value dc_poc_addr
 webvpn
  anyconnect profiles value generic_client_profile type user
--
tunnel-group z_dc_poc type remote-access
tunnel-group z_dc_poc general-attributes
 address-pool dc_poc_addr
 default-group-policy GroupPolicy_dc_poc
tunnel-group z_dc_poc webvpn-attributes
 group-alias Z_DC_POC enable
!
object network VPNpool
 range 10.100.0.100 10.100.0.199
!
nat (inside,outside) 1 source static any any destination static VPNpool VPNpool no-proxy-arp route-lookup
nat (inside,outside) 2 source dynamic any interface

Hi Georg,
Sorry for the late response; I was out of town.

Here is the schematic diagram:
-----------
|   ASA   |
-----------
     |
     | 192.168.200.0/24
-----------
|  L3 SW  |
-----------
    /   \
   /     \
  /       \
-------   -------
| L2 SW | | L2 SW |
-------   -------
VLAN 157          VLAN 172
157.145.163.0/24  172.16.233.0/24

I removed some of the unrelated configuration to make it clearer.

ip local pool genericVPN 10.100.0.100-10.100.0.199 mask 255.0.0.0
ip local pool dc_poc_addr 10.100.0.25-10.100.0.26 mask 255.0.0.0
ip local pool CCH_VPN_Pool 172.31.151.200-172.31.151.240 mask 255.255.255.0
ip local pool DCL-Tokyo-Pool 192.168.200.200-192.168.200.240 mask 255.255.255.0
ip local pool ARS_RAVPN_Pool 10.200.0.100-10.200.0.110 mask 255.0.0.0
ip local pool CCH_VPN_Pool_new 192.168.197.200-192.168.197.240 mask 255.255.255.0
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address x.x.x.x
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ddns update primary
 dhcp client update dns
 ip address 10.0.0.1 255.0.0.0
!
interface GigabitEthernet0/7
 nameif DMZ_CRL-R&D_Tokyo
 security-level 50
 ip address 192.168.200.1 255.255.255.0
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

object network obj-10.0.0.0
 subnet 10.0.0.0 255.240.0.0
object network VPNpool
 range 10.100.0.100 10.100.0.199
object network NEC_10.0.0.0_8
 subnet 10.0.0.0 255.0.0.0
object network DoS-Digitus
 host 10.4.130.2
object service DoS-Digitus-Port
 service tcp source eq 8380 destination eq 8380
object network 10.0.0.0_13
 subnet 10.0.0.0 255.248.0.0
object network ISM-Connect
 host 10.4.126.12
object network NETWORK_OBJ_192.168.200.192_26
 subnet 192.168.200.192 255.255.255.192
object network AGO_CWFM01_PROXY_SRV
 host 192.168.199.64
object network ars-obj-192.168.0.0_16
 subnet 192.168.0.0 255.255.0.0
object network obj-vcso-157.145.163.0_24
 subnet 157.145.163.0 255.255.255.0
object-group network private_addresses
 network-object 10.0.0.0 255.0.0.0
 network-object 172.24.26.0 255.255.255.0

access-list split_tunnel_azdot standard permit 10.4.50.0 255.255.255.0
access-list split_tunnel_azdot standard permit host 10.0.0.10
access-list split_tunnel_dev_new standard permit 10.0.0.0 255.0.0.0
access-list split_tunnel_dev_new standard permit 157.145.163.0 255.255.255.0
access-list split_tunnel_dev_new standard permit 172.16.233.0 255.255.255.0
access-list split_tunnel_dev_int standard permit 10.0.0.0 255.0.0.0
access-list NEC_RC-to_NBEC_INDIA extended deny ip 10.10.0.0 255.255.0.0 object NBEC_INDIA
access-list NEC_RC-to_NBEC_INDIA extended permit ip object NEC_10.0.0.0_8 object NBEC_INDIA
access-list DEMO_ISM extended deny ip object ipaddress any
access-list DEMO_ISM extended permit ip object ipaddress object Demo_Net
access-list DEV_TEMP_VLAN100_access_in extended permit ip object DEV_TEMP_VLAN100 10.0.0.0 255.0.0.0
access-list AGO_CCH_ACCESS_IN extended permit ip any 192.168.199.192 255.255.255.192
access-list AGO_CCH_ACCESS_IN extended permit ip any 192.168.198.192 255.255.255.192
access-list DMZ_CRL-R&D_Tokyo_access_in extended permit ip any any
access-list Allow-Outside-In extended permit tcp any object DoS-Digitus eq 8380
access-list Allow-Outside-In extended permit ip any object ISM-Connect
access-list outside_access_in extended permit icmp any any
access-list outside_cryptomap_1 extended permit ip object 10.0.0.0_13 object-group ISP_CWFM
access-list outside_cryptomap_2 extended permit ip object 10.0.0.0_13 object 10.253.0.0_24
access-list VPN_ACCESS_IN extended permit ip host 10.0.101.29 host 10.4.33.155
access-list VPN_ACCESS_IN extended permit ip host 10.0.101.29 host 10.4.33.58
access-list VPN_ACCESS_IN extended deny ip host 10.0.101.29 any
access-list VPN_ACCESS_IN extended permit ip any any
access-list DMZ_AGO_access_in extended permit ip any any

nat (inside,outside) source static DoS-Digitus DoS-Digitus-NAT-IP
nat (inside,outside) source static private_addresses private_addresses destination static private_addresses private_addresses no-proxy-arp description exempt s2s and all internal interfaces
nat (outside,outside) source static VPNpool VPNpool no-proxy-arp description anyconnect hairpin
nat (inside,outside) source static 10.0.0.0_13 10.0.0.0_13 destination static ISP_CWFM ISP_CWFM no-proxy-arp route-lookup
nat (inside,outside) source static 10.0.0.0_13 10.0.0.0_13 destination static 10.253.0.0_24 10.253.0.0_24 no-proxy-arp route-lookup
nat (inside,outside) source dynamic obj-10.0.0.0 interface description default pat
nat (inside,outside) source static NEC_10.0.0.0_8 NEC_10.0.0.0_8 destination static NBEC_INDIA NBEC_INDIA
nat (DMZ_CRL-R&D_Tokyo,outside) source static any any destination static NETWORK_OBJ_192.168.200.192_26 NETWORK_OBJ_192.168.200.192_26 no-proxy-arp route-lookup
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.200.0.96_28 NETWORK_OBJ_10.200.0.96_28 no-proxy-arp route-lookup
nat (DMZ_CRL-R&D_Tokyo,outside) source dynamic ars-obj-192.168.0.0_16 interface description default pat
nat (DMZ_AGO,outside) source dynamic AGO_CWFM01_PROXY_SRV interface description Allow_AGO_Proxy_to_Internet
!
access-group outside_access_in in interface outside
access-group DMZ_AGO_access_in in interface DMZ_AGO
access-group DMZ_CRL-R&D_Tokyo_access_in in interface DMZ_CRL-R&D_Tokyo
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
route inside 10.10.0.0 255.255.0.0 10.0.0.254 1
route DMZ_CRL-R&D_Tokyo 157.145.163.0 255.255.255.0 192.168.200.2 1
route DMZ_CRL-R&D_Tokyo 172.16.233.0 255.255.255.0 192.168.200.2 1
route DMZ_AGO 192.168.198.0 255.255.255.0 192.168.197.1 1
route DMZ_AGO 192.168.199.0 255.255.255.0 192.168.197.1 1
route DMZ_CRL-R&D_Tokyo 192.168.201.0 255.255.255.0 192.168.200.2 1

group-policy GroupPolicy_dev_new internal
group-policy GroupPolicy_dev_new attributes
 wins-server none
 dns-server value 10.0.0.10
 vpn-filter value VPN_ACCESS_IN
 vpn-tunnel-protocol ikev2 ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_tunnel_dev_new
 default-domain value ciscoasa.com
 webvpn
  anyconnect profiles value generic_client_profile type user

tunnel-group dev_new type remote-access
tunnel-group dev_new general-attributes
 address-pool genericVPN
tunnel-group dev_new webvpn-attributes
 group-alias DEV_NEW enable

I solved the issue. The issue was the NAT statement wasn't in the correct order.
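The ordering point in the accepted solution, and Georg's numbered `nat (inside,outside) 1 ... / 2 ...` pair earlier in the thread, come down to the same ASA behaviour: section-1 manual NAT rules are matched first-hit in configuration order, and the ASA drops a new connection whose reply packet would hit a different NAT rule than the first packet did (the "NAT reverse path failure" / asymmetric NAT drop). What follows is an added example, not code from the thread or from Cisco, that models that lookup for the posted interface names and networks and walks through every rule order discussed above. The exemption rule `exempt_VCSO_to_VPNpool` (the thread never shows the rule the poster moved), the outside address 203.0.113.1 standing in for x.x.x.x, the 10.100.0.0/24 standing in for pool genericVPN and the sample hosts are assumptions.

```python
"""ASA 9.x section-1 (manual NAT) ordering, modelled in Python.

Added example, not code from the thread or from Cisco. Section-1 rules are
evaluated in configuration order and the first match wins; the ASA drops a
new connection when the rule matched for the first packet is not the rule the
reply would match. Interface names and networks come from the posted config;
the exemption rule, the outside address, the /24 for pool genericVPN and the
sample hosts are assumptions.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple

ANY = ip_network("0.0.0.0/0")
OUTSIDE_IF_IP = ip_address("203.0.113.1")   # stands in for the post's x.x.x.x
DMZ = "DMZ_CRL-R&D_Tokyo"
VCSO = ip_network("157.145.163.0/24")       # obj-vcso-157.145.163.0_24
VPNPOOL = ip_network("10.100.0.0/24")       # assumed /24 containing pool genericVPN
VPN_CLIENT = ip_address("10.100.0.150")     # constructed: an AnyConnect user
VCSO_HOST = ip_address("157.145.163.10")    # constructed: a host in VLAN 157
INSIDE_HOST = ip_address("10.4.33.155")     # host named in VPN_ACCESS_IN


@dataclass(frozen=True)
class NatRule:
    real_ifc: str
    mapped_ifc: str
    src: IPv4Network
    dst: IPv4Network   # ANY when the rule has no "destination" clause
    kind: str          # "identity" = static X X ; "pat" = dynamic X interface
    name: str

    def matches(self, in_ifc: str, src_ip: IPv4Address, dst_ip: IPv4Address) -> bool:
        # real -> mapped direction
        if in_ifc == self.real_ifc and src_ip in self.src and dst_ip in self.dst:
            return True
        # mapped -> real direction: a new connection can enter from the mapped
        # side only through a static (identity) rule, never through dynamic PAT
        return (self.kind == "identity" and in_ifc == self.mapped_ifc
                and src_ip in self.dst and dst_ip in self.src)


def lookup(rules: List[NatRule], in_ifc: str, src_ip: IPv4Address,
           dst_ip: IPv4Address) -> Optional[NatRule]:
    """First match in configuration order; None means the packet is not NATed."""
    for rule in rules:
        if rule.matches(in_ifc, src_ip, dst_ip):
            return rule
    return None


def translated_source(rule: Optional[NatRule], src_ip: IPv4Address) -> IPv4Address:
    """Dynamic PAT to 'interface' rewrites the source to the outside address."""
    return OUTSIDE_IF_IP if rule is not None and rule.kind == "pat" else src_ip


def check_new_connection(rules: List[NatRule], in_ifc: str, out_ifc: str,
                         src_ip: IPv4Address, dst_ip: IPv4Address) -> Tuple[str, str]:
    """Reverse-path NAT check for a new connection entering in_ifc towards a
    host behind out_ifc. Returns (verdict, name of the rule that decided it)."""
    fwd = lookup(rules, in_ifc, src_ip, dst_ip)
    rev = lookup(rules, out_ifc, dst_ip, src_ip)
    if fwd is rev:
        return "allow", fwd.name if fwd else "no-nat"
    return "drop", rev.name if rev else "no-nat"   # NAT reverse path failure


# The posted PAT rule plus the assumed exemption for VLAN 157 -> VPN pool.
PAT = NatRule(DMZ, "outside", VCSO, ANY, "pat", "Allow_VCSO_access_internet")
EXEMPT = NatRule(DMZ, "outside", VCSO, VPNPOOL, "identity", "exempt_VCSO_to_VPNpool")
# Georg's numbered pair for the inside interface ("nat (inside,outside) 1 / 2 ...").
GEORG_EXEMPT = NatRule("inside", "outside", ANY, VPNPOOL, "identity", "nat 1 identity to VPNpool")
GEORG_PAT = NatRule("inside", "outside", ANY, ANY, "pat", "nat 2 dynamic any interface")


def scenarios() -> Dict[str, Tuple[str, str]]:
    """Each rule order discussed in the thread, with the resulting verdict."""
    def vpn_to_vcso(rules):
        return check_new_connection(rules, "outside", DMZ, VPN_CLIENT, VCSO_HOST)

    def vpn_to_inside(rules):
        return check_new_connection(rules, "outside", "inside", VPN_CLIENT, INSIDE_HOST)

    return {
        "VLAN157: PAT only (original post)": vpn_to_vcso([PAT]),
        "VLAN157: PAT removed": vpn_to_vcso([]),
        "VLAN157: exemption after PAT": vpn_to_vcso([PAT, EXEMPT]),
        "VLAN157: exemption before PAT": vpn_to_vcso([EXEMPT, PAT]),
        "inside: Georg's order, 1 then 2": vpn_to_inside([GEORG_EXEMPT, GEORG_PAT]),
        "inside: Georg's pair reversed": vpn_to_inside([GEORG_PAT, GEORG_EXEMPT]),
    }


def vcso_internet_source(rules: List[NatRule]) -> IPv4Address:
    """Source address VLAN 157 presents to the internet under the given rules."""
    return translated_source(lookup(rules, DMZ, VCSO_HOST, ip_address("8.8.8.8")), VCSO_HOST)


if __name__ == "__main__":
    for name, (verdict, rule) in scenarios().items():
        print(f"{name:36s} {verdict:5s} via {rule}")
    print("VLAN 157 -> internet, exemption first:", vcso_internet_source([EXEMPT, PAT]))
```

The model reproduces the thread: with only the dynamic PAT rule the VPN flow is dropped, deleting the rule lets it through but leaves VLAN 157 without internet access, and putting an identity exemption for the VPN pool ahead of the PAT rule gives both. On the ASA itself the equivalent checks are `show nat` (section-1 rules listed in evaluation order with hit counts) and `packet-tracer input outside icmp 10.100.0.150 8 0 157.145.163.10 detailed`, which reports the asymmetric-NAT drop when the exemption sits below the PAT rule. The exemption would be an identity rule of the form `nat (DMZ_CRL-R&D_Tokyo,outside) 1 source static obj-vcso-157.145.163.0_24 obj-vcso-157.145.163.0_24 destination static VPNpool VPNpool no-proxy-arp route-lookup`, with the line number forcing it above the dynamic PAT rule in section 1.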
