
ASA anyconnect issue with public pool

larbi farouk
Level 1

Hello,

We have an issue with an ASA firewall (9.5) when configuring AnyConnect: our public IP addresses are not configured on the outside interface but as a pool for NAT. We have a private subnet with our service provider (/30) to our router, and another private subnet (/30) between the router and the firewall.

After configuration, when we try to access via AnyConnect, we get a timeout problem. My question is whether there is other config to do for this situation, or whether the WAN IP address should be on the physical outside interface.

Thank you.

3 Replies

Things are easier when the ASA has the public IP on its outside interface. But it still should work in other setups. I would assume that you are doing something wrong with your NAT here.

Can you draw a diagram with your devices and where which addresses are located?

Hi,

You can find the physical diagram in the attachment.

For NAT, I actually use a new IP address for AnyConnect (not used for NAT).

Now, how can I redirect traffic from the outside interface to the WAN IP address used for AnyConnect?

Should I apply a translation from the WAN to the LAN address for AnyConnect, or are NAT rules applied automatically?

 

Well, I have no idea why a network is built in a way like this ...

But to make it work, the ISP (or whoever is responsible for the device that holds the public IPs) needs a static translation for one of the public IPs to your ASA WAN address. Is that NAT (and corresponding access control for tcp/443, udp/443) in place?
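
The static translation and access control described in the last reply, as an added example that is not part of the thread. It assumes the device holding the public IPs is a Cisco IOS router; the interface names, the ACL name and all addresses (203.0.113.10 as the public IP, 10.255.0.2 as the ASA outside address) are constructed for illustration.

```cisco
! Upstream router holding the public IPs (assumed to be Cisco IOS).
! All names and addresses below are constructed placeholders.
!
interface GigabitEthernet0/0
 description Towards the Internet
 ip nat outside
 ! Only needed if inbound filtering is used on this interface
 ip access-group FROM-INTERNET in
!
interface GigabitEthernet0/1
 description /30 link to the ASA outside interface
 ip address 10.255.0.1 255.255.255.252
 ip nat inside
!
! One-to-one static translation:
!   public 203.0.113.10  <->  ASA outside interface 10.255.0.2
! AnyConnect clients connect to 203.0.113.10; the ASA sees the
! session arriving on its own outside address.
ip nat inside source static 10.255.0.2 203.0.113.10
!
! The inbound ACL is evaluated before the outside-to-inside
! translation, so it matches the public address.
! tcp/443 carries the TLS tunnel, udp/443 carries DTLS.
ip access-list extended FROM-INTERNET
 permit tcp any host 203.0.113.10 eq 443
 permit udp any host 203.0.113.10 eq 443
 ! ... existing entries for other permitted traffic ...
!
! Verification on the router while a client tries to connect:
!   show ip nat translations
!   show ip access-lists FROM-INTERNET
```

If the hit counters on the tcp/443 entry stay at zero during a connection attempt, the traffic is not reaching this device and the timeout lies further upstream.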