03-26-2020 08:07 AM
Hello,
I have very little knowledge of how to set up an ASA5505.
I am working on one that is already set up, but one configuration is not fully working and I can't figure out how to fix it.
network A (10.5.10.0) <-ASA5505---VPN-- STORMSHIELD-> network B (10.10.0.0)
This is the main setting and it is working, I can access a computer on 10.10.0.0 from a computer on 10.5.10.0
clientless VPN (176.16.10.0) <---VPN ASA 5505---> network A (10.5.10.0)
This is working: I can access a computer on network 10.5.10.0 from a computer connected through the clientless VPN; the clientless VPN gives an address in the range 176.16.10.0.
My problem is that I can't access a computer on 10.10.0.0 from the computer connected via the clientless VPN.
I think it is a NAT configuration but I can't figure it out.
I am using the graphical interface 8.4 (4) 1 and the device manager version is 7.1(2)
Thank you for your help
As I have really little knowledge of how to set it up I need some help there.
03-26-2020 08:56 AM
Hi,
1. If you get an IP address when you connect to the VPN, it means you're not using clientless SSL VPN, but AnyConnect.
2. Configure on the ASA "same-security-traffic permit intra-interface".
3. Configure a twice NAT rule to exclude traffic from users (172.16.10.0) towards the remote site protected network (10.10.0.0) from being NAT'ed, like for example:
object network vpn_clients
subnet 172.16.10.0 255.255.255.0
object network vpn_remote_network
subnet 10.10.0.0 255.255.0.0
nat (NAMEIF_OF_OUTSIDE_INT NAMEIF_OF_OUTSIDE_INT) 1 source static vpn_clients vpn_clients destination static vpn_remote_network vpn_remote_network no-proxy-arp
Regards,
Cristian Matei.
03-26-2020 01:53 PM
03-26-2020 02:02 PM
Hi,
There is a comma missing:
nat (NAMEIF_OF_OUTSIDE_INT, NAMEIF_OF_OUTSIDE_INT) 1 source static vpn_clients vpn_clients destination static vpn_remote_network vpn_remote_network no-proxy-arp
Regards,
Cristian Matei.
03-26-2020 02:30 PM
Hello,
The command worked, it creates the NAT (I think it is the same as I was trying yesterday) but still no ping from a computer on 176.... to 10.10...
Is there something else I should look at?
03-27-2020 04:54 AM
Hi,
Can you post the full current ASA configuration? You can PM me, if you don't want to share it here. Also, connect with the VPN client, generate some traffic towards the remote network and post the output of "show crypto ipsec sa detail" and "show vpn-sessiondb detail".
Regards,
Cristian Matei.
03-27-2020 11:51 AM
04-02-2020 04:06 AM
Hi,
You didn't add the VPN pool to the encryption domain, everything else looks good. Do these changes on the ASA side and try again (you would also need to configure the remote VPN endpoint and add traffic from 10.10.0.0/16 to 172.16.10.0/24 to the encryption domain with the ASA tunnel):
object-group network DM_INLINE_NETWORK_2
network-object object obj-172.16.10.0
Regards,
Cristian Matei.
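Added example, not written by any poster in this thread and not Cisco tooling: a Python check of a saved ASA configuration for the three items the replies above name (intra-interface permit, same-interface NAT exemption, VPN pool in the crypto ACL). The sample configuration, the `outside` interface name and the `outside_cryptomap` / `outside_map` names are constructed, and the parser assumes ACL entries reference objects or object-groups only.

```python
import ipaddress
import re

# Constructed sample (not the poster's configuration); object names follow the thread.
SAMPLE = """\
same-security-traffic permit intra-interface
object network obj-172.16.10.0
 subnet 172.16.10.0 255.255.255.0
object network obj-10.5.10.0
 subnet 10.5.10.0 255.255.255.0
object network vpn_remote_network
 subnet 10.10.0.0 255.255.0.0
object-group network DM_INLINE_NETWORK_2
 network-object object obj-10.5.10.0
access-list outside_cryptomap extended permit ip object-group DM_INLINE_NETWORK_2 object vpn_remote_network
nat (outside,outside) 1 source static obj-172.16.10.0 obj-172.16.10.0 destination static vpn_remote_network vpn_remote_network no-proxy-arp
crypto map outside_map 1 match address outside_cryptomap
"""
# The change from the reply above: the VPN pool object joins the crypto ACL's source group.
FIXED = SAMPLE.replace("obj-10.5.10.0\naccess-list",
                       "obj-10.5.10.0\n network-object object obj-172.16.10.0\naccess-list")

def parse_networks(config):
    """Map each network object / object-group name to the subnets it contains."""
    nets = {}
    for name, body in re.findall(r"^object(?:-group)? network (\S+)\n((?: .*\n)*)", config, re.M):
        nets[name] = {ipaddress.ip_network(f"{a}/{m}") for a, m in
                      re.findall(r"^ (?:subnet|network-object) ([\d.]+) ([\d.]+)", body, re.M)}
        for ref in re.findall(r"^ network-object object (\S+)", body, re.M):
            nets[name] |= nets.get(ref, set())
    return nets

def hairpin_gaps(config, pool, remote):
    """Return which of the thread's three hairpin prerequisites the config lacks."""
    nets = parse_networks(config)
    pool, remote = ipaddress.ip_network(pool), ipaddress.ip_network(remote)
    def covers(name, net):
        return any(net.subnet_of(n) for n in nets.get(name, ()))
    nat = re.findall(r"^nat \(([^,\s)]+),\s*([^,\s)]+)\).* source static (\S+) \S+"
                     r" destination static (\S+)", config, re.M)
    acls = set(re.findall(r"^crypto map \S+ \d+ match address (\S+)", config, re.M))
    aces = re.findall(r"^access-list (\S+) extended permit ip \S+ (\S+) \S+ (\S+)", config, re.M)
    checks = {
        "intra-interface": "same-security-traffic permit intra-interface" in config,
        "nat-exemption": any(a == b and covers(s, pool) and covers(d, remote) for a, b, s, d in nat),
        "encryption-domain": any(n in acls and covers(s, pool) and covers(d, remote) for n, s, d in aces),
    }
    return [name for name, ok in checks.items() if not ok]
```

`hairpin_gaps(SAMPLE, "172.16.10.0/24", "10.10.0.0/16")` reports only the missing encryption-domain entry, and the same call on `FIXED` returns an empty list. The remote VPN endpoint needs the mirror-image entry, which this check cannot see from the ASA configuration alone.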
04-02-2020 09:08 AM
I am actually working from home and I don't want to make the change from here, in case I get disconnected.
I am really not a pro on this.
I will try on Monday and let you know.
Thank you for your help.
Christophe