ASA Always Tunnel Problems

Hi,

Sorry if this config is a mess...I'm not a network guy by trade, but trying to set up my ASA to allow for people to VPN into my lab environment using their AnyConnect client.  It appears I can get split tunneling to work, but nothing I do can allow for always tunnel.  Since this is a three-leg firewall and not a concentrator, I believe this is called hairpinning?  I've looked at what sparse examples there are on the web and still can't get it to work.  Any suggestions anybody could provide would be really helpful.

Thanks in advance!

-AC

4 Replies

Jennifer Halim
Cisco Employee

Sorry, do you mean that once connected, you can access the Internet, however, you are not able to access anything in the internal network?

The following NAT statements are incorrect, and you might want to remove the following:

nat (inside,any) source static obj-192.168.3.0 obj-192.168.3.0 destination static obj-192.168.1.0 obj-192.168.1.0
nat (inside,any) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-192.168.3.0 obj-192.168.3.0
nat (inside,any) source static any any destination static obj-192.168.3.0 obj-192.168.3.0
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.3.0_27 NETWORK_OBJ_192.168.3.0_27

and replace them with the following:

nat (inside,outside) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-192.168.3.0 obj-192.168.3.0


object network obj-192.168.2.0
subnet 192.168.2.0 255.255.255.0

nat (dmz,outside) source static obj-192.168.2.0 obj-192.168.2.0 destination static obj-192.168.3.0 obj-192.168.3.0

Then "clear xlate" after the above changes.

Hope that helps.

Hi Jen,

Thanks so much for your reply.  I can connect to devices on the internal network just fine, but what I want to do is force all traffic to go through the VPN tunnel.  At the moment, it's defaulting to split tunneling.

I've tried your nat commands below and that doesn't seem to fix the issue.  Is there anything else you would suggest?

Thanks again,

Art

Also, if it helps, I think I found a part of the problem.  Under the group policy -> advanced -> Split Tunneling -> Policy menu, I didn't have the "Tunnel All Networks" checked.  When I switch to this setting, I can't seem to get out to the Internet at all when connected through VPN. Do I need to create a static route in order to get out?

Never mind, got it.  The commands below fixed it for me.

ASA(config)# same-security-traffic permit intra-interface

ASA(config)#object network obj-192.168.3.0

ASA(config-network-object)#nat (outside,outside) dynamic interface
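The three settings this thread converges on (intra-interface traffic permitted, a hairpin NAT on the VPN pool object, and a group policy set to tunnel everything) are easy to lose track of in a long running-config. The following is an added example, not code from the thread: a small checker that reads a saved ASA config and reports which of those pieces are missing. The sample config, the object name obj-192.168.3.0 and the group-policy name LAB_GP are constructed for the example.

```python
import re

# Constructed sample (not from the thread): a trimmed ASA running-config that
# contains the three settings the final post relies on for tunnel-all clients.
SAMPLE_CONFIG = """\
same-security-traffic permit intra-interface
object network obj-192.168.1.0
 subnet 192.168.1.0 255.255.255.0
object network obj-192.168.3.0
 subnet 192.168.3.0 255.255.255.224
 nat (outside,outside) dynamic interface
group-policy LAB_GP internal
group-policy LAB_GP attributes
 split-tunnel-policy tunnelall
"""

INTRA = "same-security-traffic permit intra-interface"
HAIRPIN_NAT = re.compile(r"^\s+nat \(outside,outside\) dynamic interface$")


def check_tunnel_all(config, pool_object):
    """Check an ASA config for the pieces tunnel-all AnyConnect needs:
    intra-interface traffic permitted, a hairpin NAT under the VPN pool's
    network object, and a group policy that actually tunnels everything."""
    result = {"intra_interface": False, "hairpin_nat": False,
              "tunnelall_policy": False, "split_policies": []}
    in_pool_object = False
    for line in config.splitlines():
        if line.strip() == INTRA:
            result["intra_interface"] = True
        if line.startswith("object network "):
            # the hairpin NAT only counts if it sits under the pool's own object
            in_pool_object = line.split()[2] == pool_object
        elif not line.startswith(" "):
            in_pool_object = False  # any other top-level line ends the object block
        elif in_pool_object and HAIRPIN_NAT.match(line):
            result["hairpin_nat"] = True
        m = re.match(r"\s*split-tunnel-policy (\S+)", line)
        if m:
            # tunnelspecified / excludespecified here means split tunneling is still on
            result["split_policies"].append(m.group(1))
            if m.group(1) == "tunnelall":
                result["tunnelall_policy"] = True
    return result


def missing_pieces(config, pool_object):
    """Names of the settings still absent; an empty list means all three are present."""
    r = check_tunnel_all(config, pool_object)
    return [k for k in ("intra_interface", "hairpin_nat", "tunnelall_policy") if not r[k]]
```

Run it against the output of "show running-config" saved to a file, passing the name of the network object that covers the AnyConnect address pool.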