Exempting NAT traffic for VPN when sysopt is disabled...

abatson
Level 1

Greetings;

I set up an IP Pool for my remote-access VPN users (AnyConnect). I also have the sysopt vpn-connection turned off, so that the IP Pool needs to pass through 'outside-access-in' to get anywhere, but that's the way I want it. When I try to access any internal resources, I get the message about Asymmetric NAT for inbound & outbound. I know I need to exempt the VPN's IP Pool from NAT, so the VPN traffic can route properly once inside the firewall. I can't find very much info on ASA 9.0+ NAT exemption. ALSO: do I have to exempt the IP Pool for VPN in BOTH directions? However, the VPN client will always be initiating traffic; no one will ever initiate traffic from the internal network toward a VPN client.

Can someone give me an example or two for exempting the VPN IP Pool from NAT? My VPN IP Pool is 192.168.88.0 (255.255.255.240)


object network Red
 subnet 192.168.20.0 255.255.255.0

object network Blue
 subnet 192.168.99.0 255.255.255.0

object network Orange
 subnet 192.168.30.0 255.255.255.0

object network Purple
 subnet 192.168.40.0 255.255.255.0

object network management77-to-Outside
 subnet 192.168.77.0 255.255.255.0

object network Brown
 subnet 192.168.10.0 255.255.255.0

object network webVPN
 subnet 192.168.88.0 255.255.255.240


nat (Blue-int,Outside) source dynamic Blue interface
nat (Orange-in,Outside) source dynamic Orange interface
nat (Purple-int,Outside) source dynamic Purple interface
nat (management77,Outside) source dynamic management77-to-Outside interface
nat (Brown-int,Outside) source dynamic Brown interface

Thanks!

A.R.B


3 Replies

You only need one new NAT-rule at the beginning of the NAT-list:

object-group network INTERNAL-LANS
 network-object object Red
 network-object object Blue
 network-object ...
 ...
!
nat (any,outside) 1 source static INTERNAL-LANS INTERNAL-LANS destination static webVPN webVPN no-proxy-arp route-lookup

With this, all traffic from the networks in INTERNAL-LANS will get exempted from NAT when communicating with webVPN. 

This nat-rule will work in both directions, so you don't need to care about the fact that only the clients initiate the connections.

But in this scenario, using the vpn-filters is very useful, easy and more secure than using the interface ACLs for traffic filtering. I would think again about using the interface ACL for VPN-filtering.

Thanks, Karsten! I'm all about security -- can you show me a link that shows the use of the "vpn-filters"? I'll try the nat-exemption tomorrow at work. Thanks!

The vpn-filter is shown in the config-guide:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/vpn/asa_91_vpn_config/vpn_groups.html#pgfId-1373989

In your scenario, they'll work as expected, but the moment you want to also filter traffic sent to the client, take care about the swap of source and destination-address as shown in the guide.
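Putting the two replies together, here is a complete configuration fragment as an added example (editor's addition, not code from the original poster or from Karsten's replies). It reuses the object names, the VPN pool and the "Outside" / "Blue-int" nameifs from the question; the group-policy name ANYCONNECT-GP, the ACL name VPN-FILTER, the sample host 192.168.99.10 and the chosen ports are assumptions for illustration only.

```cisco
! Added example, not from the original thread. Assumes the objects, the
! 192.168.88.0/28 pool and the nameifs "Outside"/"Blue-int" from the question.
! ANYCONNECT-GP, VPN-FILTER and host 192.168.99.10 are hypothetical names.
!
! 1. Identity (exemption) NAT between the internal LANs and the VPN pool.
!    Source and destination are both mapped to themselves, so the one rule
!    covers client->LAN and the LAN->client return traffic.
object-group network INTERNAL-LANS
 network-object object Red
 network-object object Blue
 network-object object Orange
 network-object object Purple
 network-object object Brown
 network-object object management77-to-Outside
!
! Position 1 places this rule ahead of the existing "source dynamic ... interface"
! PAT rules in section 1 of the NAT table; left at the end, the dynamic rules
! would still translate LAN traffic that is headed for the VPN pool.
nat (any,Outside) 1 source static INTERNAL-LANS INTERNAL-LANS destination static webVPN webVPN no-proxy-arp route-lookup
!
! 2. vpn-filter: one ACL attached to the group policy. It is evaluated for
!    both directions with the VPN client's address ALWAYS in the source
!    position. A port on the destination side is a service the client may
!    reach; a port on the source side is a service on the client that the
!    LAN side may reach (this is the source/destination swap from the guide).
access-list VPN-FILTER extended permit tcp 192.168.88.0 255.255.255.240 192.168.99.0 255.255.255.0 eq 443
access-list VPN-FILTER extended permit tcp 192.168.88.0 255.255.255.240 192.168.99.0 255.255.255.0 eq 22
access-list VPN-FILTER extended permit udp 192.168.88.0 255.255.255.240 host 192.168.99.10 eq 53
! Swapped form: let Blue hosts open RDP *to* a client. The client stays the
! source; the client's port 3389 is therefore written on the source side.
access-list VPN-FILTER extended permit tcp 192.168.88.0 255.255.255.240 eq 3389 192.168.99.0 255.255.255.0
! Anything not listed is dropped by the ACL's implicit deny.
!
group-policy ANYCONNECT-GP attributes
 vpn-filter value VPN-FILTER
!
! 3. Checks: confirm which NAT rule the ASA actually selects for each direction.
show nat
packet-tracer input Outside tcp 192.168.88.2 40000 192.168.99.10 443
packet-tracer input Blue-int tcp 192.168.99.10 443 192.168.88.2 40000
```

With sysopt connection permit-vpn disabled, as in the question, the decrypted client traffic has to be permitted by both the interface ACL on Outside and the vpn-filter; the filter does not replace the interface ACL, it narrows what the tunnel may carry. The two packet-tracer runs should each show the identity rule (the one at position 1) in their NAT phase; if either one hits a "source dynamic ... interface" rule instead, the exemption is ordered or scoped wrongly.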
