10-26-2017 10:13 PM - edited 03-12-2019 04:40 AM
Hello,
I've successfully configured remote access to multiple internal subnets by using NAT0 statements between the remote subnet and the internal subnets. But I'm unable to determine the configuration that is allowing access to a storage subnet that is not configured for remote access.
Could someone help me to identify the code that is allowing remote users on subnet 192.168.85.0/24 access to subnet 192.168.100.0/24?
interface Vlan100
 nameif HUDSON-STORAGE
 security-level 100
 ip address 192.168.100.100 255.255.255.0
object network NAT0-TO-ANYCONNECT-HOST
 subnet 0.0.0.0 0.0.0.0
object network ANYCONNECT-VPN85-HOST
 range 192.168.85.1 192.168.85.25
ip local pool ANYCONNECT-VPN85-POOL 192.168.85.1-192.168.85.25 mask 255.255.255.0
nat (HUDSON-SECURITY,OUTSIDE-COMCAST) source static NAT0-TO-ANYCONNECT-HOST NAT0-TO-ANYCONNECT-HOST destination static ANYCONNECT-VPN85-HOST ANYCONNECT-VPN85-HOST no-proxy-arp route-lookup
nat (HUDSON-TV,OUTSIDE-COMCAST) source static NAT0-TO-ANYCONNECT-HOST NAT0-TO-ANYCONNECT-HOST destination static ANYCONNECT-VPN85-HOST ANYCONNECT-VPN85-HOST no-proxy-arp route-lookup
nat (HUDSON-SERVERS,OUTSIDE-COMCAST) source static NAT0-TO-ANYCONNECT-HOST NAT0-TO-ANYCONNECT-HOST destination static ANYCONNECT-VPN85-HOST ANYCONNECT-VPN85-HOST no-proxy-arp route-lookup
nat (INSIDE-VLAN4,OUTSIDE-COMCAST) source static NAT0-TO-ANYCONNECT-HOST NAT0-TO-ANYCONNECT-HOST destination static ANYCONNECT-VPN85-HOST ANYCONNECT-VPN85-HOST no-proxy-arp route-lookup
nat (HUDSON-KUNA,OUTSIDE-COMCAST) source dynamic HUDSON-KUNA-SUBNET interface
nat (HUDSON-SECURITY,OUTSIDE-COMCAST) source dynamic HUDSON-SECURITY interface
nat (HUDSON-SERVERS,OUTSIDE-COMCAST) source dynamic HUDSON-SERVERS interface
nat (INSIDE-VLAN4,OUTSIDE-COMCAST) source dynamic INSIDE-VLAN4-NETWORK interface
nat (HUDSON-TV,OUTSIDE-COMCAST) source dynamic HUDSON-TVs interface
nat (OUTSIDE-COMCAST,OUTSIDE-COMCAST) source dynamic ANYCONNECT-VPN85-HOST interface
group-policy ANYCONNECT-HUDSON85-GP internal
group-policy ANYCONNECT-HUDSON85-GP attributes
 dns-server value 8.8.8.8
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-tunnel-protocol ikev1 ikev2 ssl-client
 webvpn
  anyconnect keep-installer installed
  anyconnect dpd-interval client 180
  anyconnect profiles value HUDSON-IKEv2-ANYCONNECT-PROFILE type user
  anyconnect ask none default anyconnect
tunnel-group ANYCONNECT-VPN85-TG type remote-access
tunnel-group ANYCONNECT-VPN85-TG general-attributes
 address-pool ANYCONNECT-VPN85-POOL
 default-group-policy ANYCONNECT-HUDSON85-GP
tunnel-group ANYCONNECT-VPN85-TG webvpn-attributes
 group-alias HUDSON.NET enable
10-27-2017 04:13 AM
If you want the users to only access certain subnets internally, you would need to create a VPN filter to specifically allow only those networks. An example for this is below:
NAT exemption is only needed when you have a dynamic PAT rule that users will hit by default. So if the HUDSON-STORAGE network has no PAT rule for internet access (or any other NAT rule), it will basically be passed through the ASA untranslated and to the VPN users. NAT exemption is not an effective way of blocking network access for VPN users.
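The VPN filter described in the answer above, as an added example (not part of the original thread or the poster's configuration). It assumes the network objects already referenced by the NAT rules on this page (HUDSON-SECURITY, HUDSON-TVs, HUDSON-SERVERS, INSIDE-VLAN4-NETWORK, ANYCONNECT-VPN85-HOST) exist; the ACL name and the sample hosts in the comments are hypothetical.

```cisco
! Added example, not from the original post: an ASA vpn-filter that limits the
! AnyConnect pool to the subnets that were intentionally exposed.
!
! A vpn-filter ACL is written with the VPN client as the source and the internal
! network as the destination; the ASA enforces it on both directions of the tunnel
! (post-decryption inbound, pre-encryption outbound). Do not also bind the same ACL
! with access-group on an interface.
access-list ANYCONNECT-VPN85-FILTER extended permit ip object ANYCONNECT-VPN85-HOST object HUDSON-SECURITY
access-list ANYCONNECT-VPN85-FILTER extended permit ip object ANYCONNECT-VPN85-HOST object HUDSON-TVs
access-list ANYCONNECT-VPN85-FILTER extended permit ip object ANYCONNECT-VPN85-HOST object HUDSON-SERVERS
access-list ANYCONNECT-VPN85-FILTER extended permit ip object ANYCONNECT-VPN85-HOST object INSIDE-VLAN4-NETWORK
!
! Explicit, logged deny for the storage VLAN (192.168.100.0/24 from the question)
! so that attempts are visible in syslog (%ASA-6-106100) rather than silently
! dropped; anything not listed is still blocked by the implicit deny at the end.
access-list ANYCONNECT-VPN85-FILTER extended deny ip object ANYCONNECT-VPN85-HOST 192.168.100.0 255.255.255.0 log
!
! Attach the filter to the group policy that the tunnel-group already uses.
group-policy ANYCONNECT-HUDSON85-GP attributes
 vpn-filter value ANYCONNECT-VPN85-FILTER
!
! Check: reconnect a test client, try to reach a host in 192.168.100.0/24, and
! confirm the deny line's hit count increases while the permit lines still carry
! the expected traffic.
show access-list ANYCONNECT-VPN85-FILTER
```

The NAT exemption rules stay as they are; they only keep the VPN traffic out of the dynamic PAT, and the filter is what actually decides which internal networks a remote user can reach.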