Anyconnect users are able to connect to subnets that are not configured for NAT0

Illini79 (Level 1)

Hello,

I've successfully configured remote access to multiple internal subnets by using NAT0 statements between the remote subnet and the internal subnets. But I'm unable to determine the configuration that is allowing access to a storage subnet that is not configured for remote access.

Could someone help me to identify the code that is allowing remote users on subnet 192.168.85.0/24 access to subnet 192.168.100.0/24?


interface Vlan100
 nameif HUDSON-STORAGE
 security-level 100
 ip address 192.168.100.100 255.255.255.0

object network NAT0-TO-ANYCONNECT-HOST
 subnet 0.0.0.0 0.0.0.0

object network ANYCONNECT-VPN85-HOST
 range 192.168.85.1 192.168.85.25


ip local pool ANYCONNECT-VPN85-POOL 192.168.85.1-192.168.85.25 mask 255.255.255.0


nat (HUDSON-SECURITY,OUTSIDE-COMCAST) source static NAT0-TO-ANYCONNECT-HOST NAT0-TO-ANYCONNECT-HOST destination static ANYCONNECT-VPN85-HOST ANYCONNECT-VPN85-HOST no-proxy-arp route-lookup

nat (HUDSON-TV,OUTSIDE-COMCAST) source static NAT0-TO-ANYCONNECT-HOST NAT0-TO-ANYCONNECT-HOST destination static ANYCONNECT-VPN85-HOST ANYCONNECT-VPN85-HOST no-proxy-arp route-lookup

nat (HUDSON-SERVERS,OUTSIDE-COMCAST) source static NAT0-TO-ANYCONNECT-HOST NAT0-TO-ANYCONNECT-HOST destination static ANYCONNECT-VPN85-HOST ANYCONNECT-VPN85-HOST no-proxy-arp route-lookup

nat (INSIDE-VLAN4,OUTSIDE-COMCAST) source static NAT0-TO-ANYCONNECT-HOST NAT0-TO-ANYCONNECT-HOST destination static ANYCONNECT-VPN85-HOST ANYCONNECT-VPN85-HOST no-proxy-arp route-lookup

nat (HUDSON-KUNA,OUTSIDE-COMCAST) source dynamic HUDSON-KUNA-SUBNET interface
nat (HUDSON-SECURITY,OUTSIDE-COMCAST) source dynamic HUDSON-SECURITY interface
nat (HUDSON-SERVERS,OUTSIDE-COMCAST) source dynamic HUDSON-SERVERS interface
nat (INSIDE-VLAN4,OUTSIDE-COMCAST) source dynamic INSIDE-VLAN4-NETWORK interface
nat (HUDSON-TV,OUTSIDE-COMCAST) source dynamic HUDSON-TVs interface
nat (OUTSIDE-COMCAST,OUTSIDE-COMCAST) source dynamic ANYCONNECT-VPN85-HOST interface


group-policy ANYCONNECT-HUDSON85-GP internal
group-policy ANYCONNECT-HUDSON85-GP attributes
 dns-server value 8.8.8.8
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-tunnel-protocol ikev1 ikev2 ssl-client
 webvpn
  anyconnect keep-installer installed
  anyconnect dpd-interval client 180
  anyconnect profiles value HUDSON-IKEv2-ANYCONNECT-PROFILE type user
  anyconnect ask none default anyconnect


tunnel-group ANYCONNECT-VPN85-TG type remote-access
tunnel-group ANYCONNECT-VPN85-TG general-attributes
 address-pool ANYCONNECT-VPN85-POOL
 default-group-policy ANYCONNECT-HUDSON85-GP
tunnel-group ANYCONNECT-VPN85-TG webvpn-attributes
 group-alias HUDSON.NET enable

Accepted Solution

Rahul Govindan (VIP Alumni)

If you want the users to only access certain subnets internally, you would need to create a VPN filter to specifically allow only those networks. An example for this is below:

https://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/99103-pix-asa-vpn-filter.html#anc6


Nat exemption is only needed when you have a dynamic PAT rule that users will hit by default. So if HUDSON-STORAGE network has no PAT rule for internet access (or any other NAT rule), it will basically be passed through the ASA untranslated and to the VPN users. NAT exemption is not an effective way of blocking network access for VPN users.

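The vpn-filter approach the answer points to, written out against the names from the question as an added example (this is not part of the original thread and not Cisco's own sample). It also illustrates the second point of the answer: nothing NAT-related is needed to keep VPN users off HUDSON-STORAGE, the filter does that on its own. The page does not give the HUDSON-SERVERS subnet address, so 10.10.4.0/24 below is a placeholder to be replaced with the real network; the object names HUDSON-SERVERS-NET, HUDSON-STORAGE-NET and ANYCONNECT-VPN85-NET and the ACL name are likewise chosen here. The ACEs are written with the VPN client address as the source and the internal network as the destination, which is how the ASA evaluates a vpn-filter for traffic in both directions of the session.

```text
! Added example, not from the original post.
! HUDSON-SERVERS subnet is assumed to be 10.10.4.0/24 (placeholder; not given on the page).
object network ANYCONNECT-VPN85-NET
 subnet 192.168.85.0 255.255.255.0
object network HUDSON-SERVERS-NET
 subnet 10.10.4.0 255.255.255.0
object network HUDSON-STORAGE-NET
 subnet 192.168.100.0 255.255.255.0
!
! vpn-filter ACEs are written client -> internal; the ASA applies the same ACL
! to decrypted inbound traffic and to outbound traffic about to be encrypted.
access-list ANYCONNECT-VPN85-FILTER remark Allow VPN85 clients to reach the server subnet only
access-list ANYCONNECT-VPN85-FILTER extended permit ip object ANYCONNECT-VPN85-NET object HUDSON-SERVERS-NET
access-list ANYCONNECT-VPN85-FILTER remark Explicit logged deny for storage so attempts appear in syslog
access-list ANYCONNECT-VPN85-FILTER extended deny ip object ANYCONNECT-VPN85-NET object HUDSON-STORAGE-NET log
access-list ANYCONNECT-VPN85-FILTER remark Anything not listed above is dropped by the implicit deny
!
! Attach the filter to the group policy the tunnel-group already hands out.
group-policy ANYCONNECT-HUDSON85-GP attributes
 vpn-filter value ANYCONNECT-VPN85-FILTER
```

The filter applies to sessions established after the change, so reconnect a test client and then check `show access-list ANYCONNECT-VPN85-FILTER`: the permit line should accumulate hits for server traffic and the logged deny line should show hits (and emit syslog) when the client tries 192.168.100.0/24. The existing NAT0 rules can stay as they are; they only prevent the dynamic PAT rules from rewriting VPN traffic and were never the thing controlling reachability.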