09-06-2011 12:38 PM
I'm setting up an ASA 5505 with IOS 8.4(2) and ASDM 6.4(5) using the SSL client (well, and the Clientless SSL, but one thing at a time.) This is for a SOHO (they're on a cable modem) such that I should be able to remotely VPN into this system from anywhere on the Internet for support purposes.
I have the certificate generated, I can authenticate via AnyConnect - no errors. I'm used to using NAT exempt commands to move forward, but the ASA is telling me that my commands are invalid (as are the suggestions from the Cisco site, which apply to an earlier version of the ASA's software.) My local LAN access is fine.
Symptoms:
My network behind the 5505 is 192.168.0.0/24; I have a VPN-Pool of 192.168.101.0/24.
My object groups are basic:
object network VLAN1
 subnet 192.168.0.0 255.255.255.0
object network VPN
 subnet 192.168.101.0 255.255.255.0
object-group icmp-type Allowed_ICMP
 icmp-object echo
 icmp-object echo-reply
 icmp-object traceroute
 icmp-object unreachable
 icmp-object time-exceeded
I have an extended IP access-list called VPN2Anywhere that permits access for both IP and ICMP, and a standard one called SplitTunnel:
access-list VPN2Anywhere extended permit ip 192.168.0.0 255.255.255.0 192.168.101.0 255.255.255.0 log disable
access-list VPN2Anywhere extended permit icmp 192.168.0.0 255.255.255.0 192.168.101.0 255.255.255.0 object-group Allowed_ICMP log disable
access-list VPN2Anywhere extended permit ip 192.168.101.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list VPN2Anywhere extended permit icmp 192.168.101.0 255.255.255.0 192.168.0.0 255.255.255.0 object-group Allowed_ICMP log disable
access-list SplitTunnel standard permit 192.168.0.0 255.255.255.0
access-list SplitTunnel standard permit 192.168.101.0 255.255.255.0
My NAT is relatively simple:
nat (inside,any) source static VPN VPN destination static VLAN1 VLAN1
nat (inside,outside) source dynamic any interface
I didn't create a lot in the way of new policies - I just modified the existing ones:
dynamic-access-policy-record DfltAccessPolicy
 description "Default Access Policy"
 network-acl VPN2Anywhere
 webvpn
  appl-acl All-Permit
  file-browsing enable
  file-entry enable
  http-proxy enable
  url-entry enable
group-policy DfltGrpPolicy attributes
 wins-server value 192.168.0.253
 dns-server value 192.168.0.253
 vpn-tunnel-protocol ssl-client
 ipsec-udp enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN2Anywhere
 default-domain value WK9.com
 address-pools value VPN-Pool
 webvpn
  filter value All-Permit
  anyconnect ask none default webvpn
  customization value DfltCustomization
  smart-tunnel enable AllExternalApplications
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool VPN-Pool
 authorization-server-group LOCAL
 authorization-required
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 group-alias VPN enable
What am I missing here?
Thanks!
09-07-2011 04:26 AM
A few modifications are required for it to work:
1) Split tunnel ACL should not include the VPN pool, so you should remove the following:
no access-list SplitTunnel standard permit 192.168.101.0 255.255.255.0
2) The split tunnel ACL assigned to the group-policy is incorrect; it should be the standard ACL (SplitTunnel):
vpn-tunnel-protocol ssl-client
no split-tunnel-network-list value VPN2Anywhere
split-tunnel-network-list value SplitTunnel
3) NAT statement is the other way round. The existing NAT should be removed:
no nat (inside,any) source static VPN VPN destination static VLAN1 VLAN1
To be changed to:
nat (inside,outside) source static VLAN1 VLAN1 destination static VPN VPN
Hope this resolves the issue.
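The three corrections in the reply, encoded as a small config check that flags each mistake in the questioner's posted lines (added example, not from either poster; the two sample configs are constructed from the thread, and the rules assume the pool object is the one passed as pool_object):

```python
import re
from ipaddress import IPv4Network
# Constructed samples: the questioner's lines as posted, and the same lines with the reply's fixes.
ORIGINAL_CFG = """
object network VLAN1
 subnet 192.168.0.0 255.255.255.0
object network VPN
 subnet 192.168.101.0 255.255.255.0
access-list VPN2Anywhere extended permit ip 192.168.0.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list SplitTunnel standard permit 192.168.0.0 255.255.255.0
access-list SplitTunnel standard permit 192.168.101.0 255.255.255.0
nat (inside,any) source static VPN VPN destination static VLAN1 VLAN1
 split-tunnel-network-list value VPN2Anywhere
"""
FIXED_CFG = """
object network VLAN1
 subnet 192.168.0.0 255.255.255.0
object network VPN
 subnet 192.168.101.0 255.255.255.0
access-list SplitTunnel standard permit 192.168.0.0 255.255.255.0
nat (inside,outside) source static VLAN1 VLAN1 destination static VPN VPN
 split-tunnel-network-list value SplitTunnel
"""
def lint_split_tunnel(cfg, pool_object):
    # pool_object names the 'object network' that holds the AnyConnect address pool
    objects, std_acls, acl_kind, nats, split_list, cur = {}, {}, {}, [], None, None
    for line in (l.strip() for l in cfg.splitlines()):
        if m := re.match(r"object network (\S+)$", line):
            cur = m.group(1)
        elif (m := re.match(r"subnet (\S+) (\S+)$", line)) and cur:
            objects[cur] = IPv4Network("%s/%s" % m.groups())
        elif m := re.match(r"access-list (\S+) (standard|extended) permit (.+)", line):
            name, kind, rest = m.groups()
            acl_kind[name] = kind
            if kind == "standard":  # a standard ACE is just 'permit NET MASK'
                std_acls.setdefault(name, []).append(IPv4Network("%s/%s" % tuple(rest.split()[:2])))
        elif m := re.match(r"split-tunnel-network-list value (\S+)$", line):
            split_list = m.group(1)
        elif m := re.match(r"nat \((\S+),(\S+)\) source static (\S+) \S+ destination static (\S+) \S+", line):
            nats.append(m.groups())
    pool, findings = objects[pool_object], []
    for net in std_acls.get(split_list, []):  # 1) the list must not send the pool itself through the tunnel
        if net.overlaps(pool):
            findings.append(f"split-tunnel ACL {split_list} includes the VPN pool {net}")
    if split_list and acl_kind.get(split_list) != "standard":  # 2) must reference a standard ACL
        findings.append(f"split-tunnel-network-list {split_list} is not a standard ACL")
    for real_if, mapped_if, src, _dst in nats:  # 3) on (inside,X) the LAN is the source, the pool the destination
        if real_if == "inside" and objects.get(src) == pool:
            findings.append(f"nat ({real_if},{mapped_if}) has the VPN pool as source; swap source/destination")
    return findings
```

Running it over ORIGINAL_CFG reports points 2 and 3 (point 1 only applies once a standard list is actually referenced), and FIXED_CFG comes back clean.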