05-13-2020 04:21 PM
Hello Everyone,
So I just installed a new ASA 5506-X and ran into an issue right at the end of the VPN configuration. I used the ASDM AnyConnect VPN Wizard... I chose what should be a simple SSL setup and made it all the way through to the end, then got an error on the NAT statement. Here is my configuration... how do I configure the NAT statement needed?
Normally you'd have something like this:
nat (inside,outside) source static any any destination VPN_Subnet VPN_Subnet no-proxy-arp route-lookup
The fact that I've got the interface on the ASA bridged is making things a little trickier, so I'm not sure how to do this.
hostname ASA
domain-name XXXXX.com
enable password XXXXX
names
ip local pool VPN_DHCP_Pool 192.168.255.50-192.168.255.75 mask 255.255.255.0
!
interface GigabitEthernet1/1
description Outside Interface to ISP
nameif outside
security-level 0
ip address XXX.XXX.XXX.XXX 255.255.255.0
!
interface GigabitEthernet1/2
description Inside interface to LAN
bridge-group 1
nameif inside_1
security-level 100
!
interface GigabitEthernet1/3
bridge-group 1
nameif inside_2
security-level 100
!
interface GigabitEthernet1/4
bridge-group 1
nameif inside_3
security-level 100
!
interface GigabitEthernet1/5
bridge-group 1
nameif inside_4
security-level 100
!
interface GigabitEthernet1/6
description Outside AP 2
bridge-group 1
nameif inside_5
security-level 100
!
interface GigabitEthernet1/7
description Outside AP 1
bridge-group 1
nameif inside_6
security-level 100
!
interface GigabitEthernet1/8
description Container AP
bridge-group 1
nameif inside_7
security-level 100
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
interface BVI1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
dns server-group DefaultDNS
domain-name XXXXX.com
same-security-traffic permit inter-interface
object network obj_any1
subnet 0.0.0.0 0.0.0.0
object network obj_any2
subnet 0.0.0.0 0.0.0.0
object network obj_any3
subnet 0.0.0.0 0.0.0.0
object network obj_any4
subnet 0.0.0.0 0.0.0.0
object network obj_any5
subnet 0.0.0.0 0.0.0.0
object network obj_any6
subnet 0.0.0.0 0.0.0.0
object network obj_any7
subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_192.168.255.0_25
subnet 192.168.255.0 255.255.255.128
object network NETWORK_OBJ_192.168.1.0_24
subnet 192.168.1.0 255.255.255.0
access-list Split_Tunnel_ACL standard permit 192.168.1.0 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside_1 1500
mtu inside_2 1500
mtu inside_3 1500
mtu inside_4 1500
mtu inside_5 1500
mtu inside_6 1500
mtu inside_7 1500
no failover
no monitor-interface inside
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-782.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
!
object network obj_any1
nat (inside_1,outside) dynamic interface
object network obj_any2
nat (inside_2,outside) dynamic interface
object network obj_any3
nat (inside_3,outside) dynamic interface
object network obj_any4
nat (inside_4,outside) dynamic interface
object network obj_any5
nat (inside_5,outside) dynamic interface
object network obj_any6
nat (inside_6,outside) dynamic interface
object network obj_any7
nat (inside_7,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication login-history
http server enable
http 192.168.1.0 255.255.255.0 inside_1
http 192.168.1.0 255.255.255.0 inside_2
http 192.168.1.0 255.255.255.0 inside_3
http 192.168.1.0 255.255.255.0 inside_4
http 192.168.1.0 255.255.255.0 inside_5
http 192.168.1.0 255.255.255.0 inside_6
http 192.168.1.0 255.255.255.0 inside_7
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd dns 8.8.8.8 4.4.4.4
dhcpd auto_config outside
dhcpd option 3 ip 192.168.1.1
!
dhcpd address 192.168.1.50-192.168.1.75 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
anyconnect enable
tunnel-group-list enable
cache
disable
error-recovery disable
group-policy GroupPolicy_VPN_Profile internal
group-policy GroupPolicy_VPN_Profile attributes
wins-server none
dns-server value 8.8.8.8 4.4.4.4
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_Tunnel_ACL
default-domain value XXXXXX.com
dynamic-access-policy-record DfltAccessPolicy
username XXXXX password XXXXXXX
username XXXXX password XXXXXXX
username XXXXX password XXXXXXX privilege 15
tunnel-group VPN_Profile type remote-access
tunnel-group VPN_Profile general-attributes
address-pool VPN_DHCP_Pool
default-group-policy GroupPolicy_VPN_Profile
tunnel-group VPN_Profile webvpn-attributes
group-alias VPN_Profile enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
policy-map global_default
class inspection_default
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Any help would be greatly appreciated.
Thank you,
Mark
05-13-2020 05:01 PM - edited 05-13-2020 05:43 PM
try this nat statement
no nat (inside,outside) source static any any destination VPN_Subnet VPN_Subnet no-proxy-arp route-lookup
nat (any,outside) source static any any destination NETWORK_OBJ_192.168.255.0_25 NETWORK_OBJ_192.168.255.0_25 no-proxy-arp route-lookup
!
object network NETWORK_OBJ_192.168.255.0_25
subnet 192.168.255.0 255.255.255.128
nat (outside,outside) dynamic interface
05-13-2020 07:15 PM
Thank you for the reply. I'll try this out tomorrow and let you know the results. I greatly appreciate your help.
05-14-2020 07:56 AM
Hello,
Today I'm going to test the configuration statements you sent me yesterday. Can you explain to me exactly what is going on here? I want to fully grasp what I am doing :)
nat (any,outside) source static any any destination NETWORK_OBJ_192.168.255.0_25 NETWORK_OBJ_192.168.255.0_25 no-proxy-arp route-lookup
!
object network NETWORK_OBJ_192.168.255.0_25
subnet 192.168.255.0 255.255.255.128
nat (outside,outside) dynamic interface
05-14-2020 10:36 AM
To allow access to the local LAN and also the internet connection which the ASA uses. So when a client connects to the VPN, they can access the local LAN as well as the internet connection that sits off the ASA.
In order to set this up, we have to have something like this going, all performed in enable configuration mode.
ip local pool VPN_DHCP_Pool 192.168.255.50-192.168.255.75 mask 255.255.255.0
same-security-traffic permit intra-interface
object network NETWORK_OBJ_192.168.255.0_25
subnet 192.168.255.0 255.255.255.128
nat (outside,outside) dynamic interface
nat (any,outside) source static any any destination NETWORK_OBJ_192.168.255.0_25 NETWORK_OBJ_192.168.255.0_25 no-proxy-arp route-lookup
The above statement means: if a packet is coming from any interface and going to the outside interface, with source IP any and destination IP any, the condition applies only to NETWORK_OBJ_192.168.255.0_25. Also remember that static NAT is bi-directional; this means your packet can come from any to outside or from outside to any. This rule is called NAT exemption/twice NAT/identity NAT.
These NAT rules are mostly used in site-to-site VPNs or AnyConnect VPNs. Here is a good document that explains NAT in detail on the ASA.
05-14-2020 02:09 PM
Hello Sheraz.Salim,
This did work with one modification. I kept getting errors with the last NAT statement till I added the following:
nat (any,outside) source static any any destination static NETWORK_OBJ_192.168.255.0_25 NETWORK_OBJ_192.168.255.0_25 no-proxy-arp route-lookup
Thank you so much for your time, expertise and wonderful explanation. :)
Thank you!
Mark
05-14-2020 02:18 PM
Hi Mark,
Sorry, typo error, I forgot to write "static". Glad it worked out for you :).
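Pulling the thread together, here is the NAT configuration the exchange ends up with, written as an added example rather than anything posted by Mark or Sheraz.Salim. It uses the pool, object and interface names from Mark's running config, includes the "static" keyword that Mark reports was needed, and adds the checks a practitioner would run before trusting the rules. The host 192.168.1.10 is a constructed LAN address used only in the packet-tracer checks; it does not appear in the thread.

```text
! Added example, not the thread's own config: NAT exemption plus hairpin PAT
! for AnyConnect clients on an ASA whose inside ports are in a bridge group.
! 192.168.1.10 below is a constructed LAN host for the checks only.

! VPN client pool (.50-.75 falls inside the /25 used by the NAT object below)
ip local pool VPN_DHCP_Pool 192.168.255.50-192.168.255.75 mask 255.255.255.0

! Required so decrypted VPN traffic can enter and leave the same outside interface
same-security-traffic permit intra-interface

! VPN pool object; PAT clients to the outside address when they go to the internet
object network NETWORK_OBJ_192.168.255.0_25
 subnet 192.168.255.0 255.255.255.128
 nat (outside,outside) dynamic interface

! Identity (exempt) twice NAT between any interface and the VPN pool.
! Twice NAT lives in section 1, so it is evaluated before the per-interface
! object NAT rules (section 2) that would otherwise PAT LAN-to-client traffic.
! "any" covers every bridge-group member (inside_1 .. inside_7) at once.
nat (any,outside) source static any any destination static NETWORK_OBJ_192.168.255.0_25 NETWORK_OBJ_192.168.255.0_25 no-proxy-arp route-lookup

! Verification, from privileged EXEC:
! show running-config nat
!   both rules present, the twice NAT rule listed ahead of the object NAT rules
! show nat detail
!   translate_hits / untranslate_hits on the exempt rule should rise with LAN<->VPN traffic
! packet-tracer input inside_1 tcp 192.168.1.10 12345 192.168.255.50 445
!   in the NAT phase this must match the exempt rule, i.e. no translation of 192.168.1.10
! packet-tracer input outside tcp 192.168.255.50 12345 8.8.8.8 53
!   in the NAT phase this must match the (outside,outside) dynamic PAT rule
! show vpn-sessiondb anyconnect
!   after a client connects, confirm its assigned address is inside 192.168.255.0/25
```

The packet-tracer lines are the cheap way to confirm the ordering point: if the LAN-to-client trace shows the source being translated to the outside address, the exempt rule is either missing "static" (the error Mark hit) or was entered after an object rule that already matched.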