Anyconnect, change to DHCP from Local Pool

Tim Jeens
Beginner

Hi,

I would like to change away from a local pool on the ASA, to an internal DHCP server, and the DHCP addresses will be in the same IP range as the internal network.

Can someone help with the set up?

When I set myself a static IP on my anyconnect connection, of an internal IP address, I cannot access anything on the internal network.

When I run an ICMP packet-tracer I get an ACL block.

packet-tracer input outside icmp 192.168.0.25 8 0 192.168.0.2

but it gets blocked by the default deny rule.

If I add:

access-list outside_in extended permit ip object inside-network object inside-network 

Then I get a NAT drop from: 

object network inside-network
nat (inside,outside) dynamic interface

I have added:

sysopt connection permit-vpn 

but that made no difference.


I don't want to change to the DHCP Server config without testing with a static internal.

Thanks,

Tim Jeens

4 Replies

Rob Ingram
VIP Master

@Tim Jeens if you are matching that nat rule then the return traffic is being natted behind the outside interface IP address. You should define a NAT exemption rule to ensure traffic between the RAVPN pool and the inside network is not natted.

Hi Rob,

Thanks for your reply.

I'm not really sure how to do a NAT exemption, and Google doesn't seem to help.

My current NAT for vpn users is this:

object network objvpnpool
subnet 192.168.20.0 255.255.255.0

object network inside-network
subnet 192.168.0.0 255.255.255.0

nat (inside,outside) source static inside-network inside-network destination static objvpnpool objvpnpool

object network inside-network
nat (inside,outside) dynamic interface

but as I say, I want VPN users to be in the same network/subnet as the inside network.

Thanks,

Tim


Rob Ingram
VIP Master

Looks like you already have a NAT exemption rule; it won't be working, as your destination network is not objvpnpool. This is why it's hitting the other NAT rule.

Try this:

nat (inside,outside) source static inside-network inside-network destination static inside-network inside-network


FYI, it would normally be a good idea to have a separate IP pool or DHCP scope for the VPN users to the inside network, but it's your choice.
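As an added example (constructed for this thread, not Rob's or Tim's configuration), here is how the pieces fit together on an ASA when the VPN clients keep a separate subnet, as Rob recommends: the thread's objvpnpool (192.168.20.0/24) as the client subnet, the NAT exemption placed where it is matched before the dynamic interface PAT, and an internal DHCP server handing out addresses from that subnet in place of the local pool. The group-policy and tunnel-group names RAVPN-GP and RAVPN-TG, the pool name VPNPOOL and the DHCP server address 192.168.0.10 are assumed placeholders.

```cisco
! Objects reusing the thread's subnets (constructed example, not the original config)
object network inside-network
 subnet 192.168.0.0 255.255.255.0
object network objvpnpool
 subnet 192.168.20.0 255.255.255.0
!
! NAT exemption (identity twice NAT). Twice NAT in section 1 is evaluated before
! object NAT in section 2, so inside<->VPN traffic never reaches the dynamic PAT.
! no-proxy-arp stops the ASA answering ARP for the mapped addresses and
! route-lookup keeps egress decisions on the routing table.
nat (inside,outside) source static inside-network inside-network destination static objvpnpool objvpnpool no-proxy-arp route-lookup
!
! Dynamic PAT for everything else leaving towards the internet (as in the thread)
object network inside-network
 nat (inside,outside) dynamic interface
!
! Decrypted VPN traffic bypasses the outside interface ACL
sysopt connection permit-vpn
!
! Option A: local pool on the ASA (the starting point in the question)
ip local pool VPNPOOL 192.168.20.10-192.168.20.250 mask 255.255.255.0
!
! Option B: internal DHCP server instead of the local pool (assumed server 192.168.0.10).
! dhcp-network-scope tells the server which scope to allocate from, so it needs a
! 192.168.20.0/24 scope even though no ASA interface sits in that subnet.
group-policy RAVPN-GP internal
group-policy RAVPN-GP attributes
 dhcp-network-scope 192.168.20.0
tunnel-group RAVPN-TG general-attributes
 default-group-policy RAVPN-GP
 dhcp-server 192.168.0.10
! Remove "address-pool VPNPOOL" from the tunnel-group once DHCP assignment is confirmed
```

To verify, run the packet-tracer from the question with a VPN-subnet source (for example 192.168.20.50 instead of 192.168.0.25): the NAT phase should now show the exemption rule rather than the dynamic interface PAT.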

MHM Cisco World
VIP Mentor

ASA-RAVPN

RAVPN is using IPs from a pool in the same subnet as inside?

and now you want to change it to DHCP instead of pool?
