02-27-2012 01:58 PM - edited 03-07-2019 05:13 AM
I think I'm having an issue with NAT translations coming from the inside network designated for the ASA's outside interface.
Networks:
External (ASA GE0/0): 216.x.x.34
Internal LAN (ASA GE0/1): 192.168.0.0/255.255.0.0
Nat configuration:
nat (outside,outside) source static obj-192.168 obj-192.168 destination static subnet_dc subnet_dc no-proxy-arp route-lookup
nat (inside,outside) source static lan_internal lan_internal destination static lan lan no-proxy-arp route-lookup
!
nat (inside,outside) after-auto source dynamic lan_internal interface
In the end, I need our wireless (non-trusted) users in the 192.168.x.x subnet to be able to connect to the external interface for VPN access. Can anyone point me in the right direction?
02-27-2012 06:50 PM
If your inside network (192.168.0.0/16) needs to access the internet, you need dynamic NAT.
Please follow the example below.
object network obj-192.168.0.0
subnet 192.168.0.0 255.255.0.0
nat (inside, outside) dynamic interface
I hope this answers your question.
Thanks
Rizwan Rafeek
02-28-2012 07:19 AM
Thanks Rizwan,
Isn't that essentially what I've already defined?
I did try it however, with no luck (this is ASA 8.4(3)):
object network obj-192.168.0.0
subnet 192.168.0.0 255.255.0.0
nat (inside, outside) dynamic interface
nat (inside,outside) source dynamic obj-192.168 interface
02-28-2012 08:10 AM
Please post your current running config on the forum for easier troubleshooting.
thanks
02-28-2012 08:19 AM
Current running config (sanitized):
ASA Version 8.4(3)
!
hostname gw
domain-name internal.company.com
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 216.x.x.x 255.255.255.224
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
boot system disk0:/asa843-k8.bin
ftp mode passive
clock timezone MST -7
dns domain-lookup outside
dns server-group DefaultDNS
name-server 8.8.8.8
domain-name internal.company.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network subnet_a
subnet 192.168.20.0 255.255.255.0
object network subnet_a_wireless
subnet 192.168.21.0 255.255.255.0
object network subnet_b
subnet 192.168.10.0 255.255.255.0
object network subnet_b_wireless
subnet 192.168.11.0 255.255.255.0
object network subnet_c
subnet 192.168.30.0 255.255.255.0
object network subnet_c_wireless
subnet 192.168.31.0 255.255.255.0
object network subnet_dc
subnet 10.10.10.0 255.255.255.192
object network subnet_server
subnet 192.168.5.0 255.255.255.0
object network NETWORK_OBJ_192.168.0.0_24
subnet 192.168.0.0 255.255.255.0
object network subnet_primary
subnet 192.168.0.0 255.255.255.0
object network EXTERNAL_PAT
host 216.x.x.x
object network subnet_192.168.0.0
subnet 192.168.0.0 255.255.0.0
object network vpn_nat
subnet 192.168.0.0 255.255.0.0
object network obj-192.168
subnet 192.168.0.0 255.255.255.0
object-group network internal_lan_wireless
network-object object subnet_b_wireless
network-object object subnet_c_wireless
network-object object subnet_a_wireless
object-group network company_trusted_lan
network-object object subnet_a
network-object object subnet_b
network-object object subnet_c
network-object object subnet_server
network-object object subnet_dc
network-object object subnet_primary
object-group network company_lan
network-object object subnet_a
network-object object subnet_a_wireless
network-object object subnet_b
network-object object subnet_b_wireless
network-object object subnet_c
network-object object subnet_c_wireless
network-object object subnet_dc
network-object object subnet_primary
network-object object subnet_server
object-group network company_lan_internal
network-object object subnet_a
network-object object subnet_a_wireless
network-object object subnet_b
network-object object subnet_b_wireless
network-object object subnet_c
network-object object subnet_c_wireless
network-object object subnet_primary
network-object object subnet_server
access-list inside_access_in extended permit ip any any log disable
access-list global_access extended permit icmp any any log disable
access-list global_access extended permit ip any any log disable
access-list outside_access_in extended permit ip any any log disable
access-list outside_access_in extended permit icmp any any log disable
access-list split_tunnel extended permit ip object-group company_lan any log disable
access-list split_tunnel extended permit icmp object-group company_lan any log
access-list DC_VPN_TRAFFIC extended permit ip object subnet_192.168.0.0 object subnet_dc
access-list inside_access extended permit ip any any
access-list inside_acl extended permit ip object-group company_lan any
access-list inside_acl extended permit icmp object-group company_lan any
access-list outside_access_out extended permit ip any any log disable
access-list outside_access_out extended permit icmp any any log disable
pager lines 30
logging enable
logging buffered debugging
logging asdm notifications
mtu outside 1500
mtu inside 1500
mtu vpn 1500
mtu management 1500
ip local pool vpn_pool 192.168.0.101-192.168.0.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-647.bin
no asdm history enable
arp timeout 14400
nat (outside,outside) source static obj-192.168 obj-192.168 destination static subnet_dc subnet_dc no-proxy-arp route-lookup
nat (inside,outside) source static company_lan_internal company_lan_internal destination static company_lan company_lan no-proxy-arp route-lookup
!
nat (inside,outside) after-auto source dynamic company_lan_internal interface
access-group global_access global
!
router eigrp 10
no auto-summary
network 192.168.0.0 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 216.x.x.x 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server company protocol radius
aaa-server company (inside) host 192.168.5.29
key *
radius-common-pw *
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.0.0 255.255.0.0 inside
http redirect outside 80
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec fragmentation after-encryption outside
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map DC_VPN_MAP 1 match address DC_VPN_TRAFFIC
crypto map DC_VPN_MAP 1 set pfs
crypto map DC_VPN_MAP 1 set peer 204.x.x.x
crypto map DC_VPN_MAP 1 set ikev1 transform-set ESP-3DES-SHA
crypto map DC_VPN_MAP 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map DC_VPN_MAP interface outside
crypto ca trustpoint anyconnect_trustpoint
enrollment self
subject-name CN=gw
crl configure
crypto ca certificate chain anyconnect_trustpoint
certificate 48733d4f
quit
crypto isakmp nat-traversal 21
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint anyconnect_trustpoint
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 192.168.0.0 255.255.0.0 inside
ssh 192.168.1.0 255.255.255.0 management
ssh timeout 60
console timeout 0
management-access inside
dhcpd address 192.168.0.20-192.168.0.100 inside
dhcpd dns 192.168.5.47 interface inside
dhcpd wins 192.168.5.29 interface inside
dhcpd ping_timeout 20 interface inside
dhcpd domain internal.company.com interface inside
dhcpd enable inside
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 91.189.94.4 source outside prefer
ssl trust-point anyconnect_trustpoint outside
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-2.5.3054-k9.pkg 1
anyconnect image disk0:/anyconnect-macosx-i386-2.5.3054-k9.pkg 2
anyconnect image disk0:/anyconnect-linux-64-2.5.3054-k9.pkg 3
anyconnect image disk0:/anyconnect-linux-2.5.3054-k9.pkg 4
anyconnect profiles company_anyconnect_client_profile disk0:/company_anyconnect_client_profile.xml
anyconnect enable
tunnel-group-list enable
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
wins-server value 192.168.5.29
dns-server value 192.168.5.46
vpn-tunnel-protocol ikev1 ikev2 ssl-client
password-storage enable
split-tunnel-network-list value split_tunnel
default-domain value internal.company.com
group-policy DfltGrpPolicy attributes
dns-server value 8.8.8.8
password-storage enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split_tunnel
default-domain value internal.company.com
group-policy company internal
group-policy company attributes
wins-server value 192.168.5.29
dns-server value 192.168.5.46
vpn-tunnel-protocol ikev1
password-storage enable
split-tunnel-network-list value split_tunnel
default-domain value internal.company.com
group-policy GroupPolicy_company_anyconnect internal
group-policy GroupPolicy_company_anyconnect attributes
wins-server value 192.168.5.29
dns-server value 192.168.5.46
vpn-tunnel-protocol ikev2 ssl-client
password-storage enable
split-tunnel-network-list value split_tunnel
default-domain value internal.company.com
webvpn
anyconnect profiles value company_anyconnect_client_profile type user
tunnel-group DefaultRAGroup general-attributes
address-pool vpn_pool
authentication-server-group company LOCAL
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
authentication ms-chap-v2
tunnel-group DefaultWEBVPNGroup general-attributes
authentication-server-group company LOCAL
tunnel-group company_anyconnect type remote-access
tunnel-group company_anyconnect general-attributes
address-pool vpn_pool
authentication-server-group company LOCAL
default-group-policy GroupPolicy_company_anyconnect
tunnel-group company_anyconnect webvpn-attributes
group-alias company_anyconnect enable
tunnel-group company type remote-access
tunnel-group company general-attributes
address-pool vpn_pool
authentication-server-group company LOCAL
default-group-policy company
tunnel-group company ipsec-attributes
ikev1 pre-shared-key *
tunnel-group DC_VPN type ipsec-l2l
tunnel-group 204.x.x.x type ipsec-l2l
tunnel-group 204.x.x.x ipsec-attributes
ikev1 pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
class class-default
user-statistics accounting
!
service-policy global_policy global
02-28-2012 08:53 PM
Hi Ben,
"nat (inside,outside) source dynamic obj-192.168 interface"
object network obj-192.168
subnet 192.168.0.0 255.255.255.0
The mask you defined in the above object is /24; however, your request was for /16.
Only the above network alone will be dynamic, as per the above mask in obj-192.168.
However, you requested in your post a network mask of /16.
object network obj-192.168.0.0
subnet 192.168.0.0 255.255.0.0
nat (inside, outside) dynamic interface
That is the difference as far as I can see, but the syntax is correct.
I look forward to hearing from you.
02-29-2012 07:31 AM
Hi Rizwan,
The posted config did not include the fix you mentioned, that's the current running config (our object names just happened to be the same).
If I use the exact same config posted above and then add the following:
object network test-obj
subnet 192.168.0.0 255.255.0.0
nat (inside, outside) dynamic interface
I am still not able to access the VPN from an internal interface.
02-29-2012 01:56 PM
"I am still not able to access the VPN from an internal interface"
"In the end, I need our wireless (non-trusted) users in the 192.168.x.x subnet to be able to connect to the external interface for VPN access. Can anyone point me in the right direction"
I am not so clear on what it is you are trying to do; you cannot access the internal network while remoting in via the remote-access VPN client?
-------------------------------------------------------------------------------------------------------------------------------------
ip local pool vpn_pool 192.168.0.101-192.168.0.254 mask 255.255.255.0
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
As you can see, these two segments are on the same network. Can you break it down into a different mask, /25?
Your setup is a recipe for a routing nightmare.
-------------------------------------------------------------------------------------------------------------------------------------
Please update me.
thanks
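The two points raised in the replies above, the NAT source object being a /24 where a /16 was intended, and the VPN address pool overlapping the inside interface subnet, are easy to miss when reading a long running config by eye. The script below is an added example, not posted by anyone in this thread and not a Cisco tool. It parses a constructed excerpt of the posted config (the `ASA_CONFIG` string, embedded so it runs offline) with the standard library `ipaddress` module and reports both problems. The function names (`parse_asa`, `check_nat_objects`, `check_pool_overlap`, `lint`) are this example's own; the intended /16 is passed in explicitly because the config alone cannot tell you what the administrator meant.

```python
"""Added example: a small lint pass over an ASA running config.

Catches two things discussed in the thread:
  1. a NAT source object whose subnet does not cover the network the admin
     intends to translate (here: obj-192.168 is /24, the intent was /16);
  2. a VPN address pool that overlaps an interface's directly connected subnet
     (here: vpn_pool lives inside the inside interface's 192.168.0.0/24).
"""
import ipaddress
import re

# Constructed excerpt of the running config posted above (real IPs only,
# so the parser can build network objects; the sanitized 216.x.x.x lines
# are skipped by _net()).
ASA_CONFIG = """\
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
object network subnet_192.168.0.0
 subnet 192.168.0.0 255.255.0.0
object network obj-192.168
 subnet 192.168.0.0 255.255.255.0
ip local pool vpn_pool 192.168.0.101-192.168.0.254 mask 255.255.255.0
nat (inside,outside) source dynamic obj-192.168 interface
"""


def _net(text):
    """Build an ip_network, returning None for sanitized or malformed addresses."""
    try:
        return ipaddress.ip_network(text, strict=False)
    except ValueError:
        return None


def parse_asa(cfg: str) -> dict:
    """Extract network objects, interfaces, local pools and dynamic NAT sources."""
    objects, interfaces, pools, nat_sources = {}, {}, {}, []
    kind = name = None  # which multi-line block we are inside
    for raw in cfg.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := re.match(r"object network (\S+)$", line):
            kind, name = "object", m.group(1)
        elif m := re.match(r"interface (\S+)$", line):
            kind, name = "interface", m.group(1)
            interfaces[name] = {"nameif": None, "network": None}
        elif m := re.match(r"ip local pool (\S+) (\S+)-(\S+) mask \S+$", line):
            kind = None
            pools[m.group(1)] = (ipaddress.ip_address(m.group(2)),
                                 ipaddress.ip_address(m.group(3)))
        elif m := re.match(r"nat \(\S+\) (?:after-auto )?source dynamic (\S+) ", line):
            kind = None
            nat_sources.append(m.group(1))
        elif kind == "object":
            if m := re.match(r"subnet (\S+) (\S+)$", line):
                objects[name] = _net(f"{m.group(1)}/{m.group(2)}")
            elif m := re.match(r"host (\S+)$", line):
                objects[name] = _net(m.group(1))
        elif kind == "interface":
            if m := re.match(r"nameif (\S+)$", line):
                interfaces[name]["nameif"] = m.group(1)
            elif m := re.match(r"ip address (\S+) (\S+)$", line):
                interfaces[name]["network"] = _net(f"{m.group(1)}/{m.group(2)}")
    return {"objects": objects, "interfaces": interfaces,
            "pools": pools, "nat_sources": nat_sources}


def check_nat_objects(parsed: dict, intended: str) -> list:
    """Flag dynamic NAT source objects that do not cover the intended network."""
    want = ipaddress.ip_network(intended)
    findings = []
    for obj in parsed["nat_sources"]:
        net = parsed["objects"].get(obj)
        if net is None:
            findings.append(f"{obj}: referenced by NAT but has no usable subnet")
        elif not want.subnet_of(net):
            findings.append(f"{obj}: {net} does not cover intended {want}")
    return findings


def check_pool_overlap(parsed: dict) -> list:
    """Flag VPN pools whose range falls inside a directly connected interface subnet."""
    findings = []
    for pool, (start, end) in parsed["pools"].items():
        for iface in parsed["interfaces"].values():
            net = iface["network"]
            if net is not None and (start in net or end in net):
                findings.append(f"{pool} ({start}-{end}) overlaps {iface['nameif']} ({net})")
    return findings


def lint(cfg: str, intended: str) -> list:
    """Run both checks and return all findings as strings."""
    parsed = parse_asa(cfg)
    return check_nat_objects(parsed, intended) + check_pool_overlap(parsed)


if __name__ == "__main__":
    for finding in lint(ASA_CONFIG, "192.168.0.0/16"):
        print("FINDING:", finding)
```

Running it against the excerpt prints one finding for obj-192.168 (192.168.0.0/24 does not cover 192.168.0.0/16) and one for vpn_pool overlapping the inside interface's 192.168.0.0/24. Feed it the full sanitized config and the 216.x.x.x lines are simply skipped rather than crashing the parser.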