Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 
cancel
Start a conversation
643
Views
0
Helpful
4
Replies

Anyconnect remote VPN and NAT issue with BAD ADDRESS and Duplicate IP

xariskk24
Level 1
Level 1

ā€Ž05-09-2023 04:55 AM - edited ā€Ž05-09-2023 04:56 AM

hello all,

We have a strainge situation with anyconnect plus remote access. We have FTD and OUtsid Interface (10.10.10.2) , DMZ (10.33.162.0/23) and Inside (192.168.1.0/20). We did the all initial configuration. Infront of ASA ouside interface its a router that is managed for other company, so when  o client go to internet via Outside tooks X1 public ip. When go to internet from Internal was a PAT and took X2 public ip. So anyconnect working fine if i use spittunnel. But because some systems allow access only for X2 public ip we thing that we must use full tunnel. So when we configure full tunnel we add the 2 bellow NAT rules

Static inside-zone  outside-zone Internal_LAN VPN_Pool    Internal_LAN Vpn_pool (no proxy, no route)

Dynamic  outside-zone outside-zone  VPN_pool                   Satic_Public

also existing a PAT NAT internal to outside PAT_pool

this worked and users can access internet woith public X2 but... after a few days we had errors DHCP FULL. and thousand of BAD ADDRESSES. After investigation when disabled the NAT this error stop occuring. 

What is the wrong ?? How to use the Public X2 without having issueS? CAn you write me the correct NAt rules if those i used are not correct?

ASA firepower  ver 6.2.3 and one more question , if i want to update this to the latest can i do it direct or i must update one version at a time?

thanks

 

 

 

Labels:
0 Helpful
4 Replies 4

MHM Cisco World
VIP
VIP

ā€Ž05-09-2023 05:20 AM

NAT need no proxy-arp' ot then will not reply to any arp from dhcp.

0 Helpful

xariskk24
Level 1
Level 1
In response to MHM Cisco World

ā€Ž05-09-2023 05:27 AM

i did the config via this Configure AnyConnect VPN Client on FTD: Hairpin and NAT Exemption - Cisco

and on Uturn nat cant choose no-proxy.. so how to implement this..

0 Helpful

xariskk24
Level 1
Level 1
In response to MHM Cisco World

ā€Ž05-10-2023 01:29 AM - edited ā€Ž05-10-2023 01:30 AM

i have this 

xariskk24_0-1683707142432.png

so to be possible VPN users reach DMZ (servers) no need to reachinternal network.

i have also this 

xariskk24_1-1683707218531.png

 

existing before vpn , for internal users to go to outside via an ip public X2.

So with those two nat and fulltunnel vpn , vpn clients can go to DMZ but not to the internet... what extra UTURN?? rule must add so users from VPN can reach internet via X2 public? 

maybe this one? 

xariskk24_2-1683707377813.png

 

thanks

 

 

0 Helpful

xariskk24
Level 1
Level 1

ā€Ž05-09-2023 06:46 AM

can you write me down what rule on NAt i must add for the above scanario ? 

0 Helpful
Customers Also Viewed These Support Documents