ASA site-to-site with remote vpn clients

Damir Reic
Level 1

Hi,

I successfully configured an ASA ver7 to ASA ver8 site-to-site VPN. Dial-in VPN users (Cisco VPN client) having to use resources on the other side of the tunnel is enabled and working. Dial-in users from the ASA ver8 (SSL AnyConnect) also have to use resources on the other side. There is also NAT involved.

Since ver8 remote clients can't reach resources on the other side (but they are available to the local servers), I suspect this is the problem:


nat (inside,outside) source static LocalSubnets LocalSubnets destination static RemoteSubnets RemoteSubnets no-proxy-arp route-lookup


On the other side (the v7 ASA) I had to do the following:

access-list inside_nat0_outbound2 extended permit ip object-group LocalSubnets object-group RemoteSubnets
nat (inside_140) 0 access-list inside_nat0_outbound2
nat (inside_139) 0 access-list inside_nat0_outbound2
nat (Developer_LAN) 0 access-list inside_nat0_outbound2
nat (Developer_LAN) 10 192.168.3.0 255.255.255.0

So I guess I should do this on ver8?

access-list inside_nat0_outbound extended permit ip object-group LocalSubnets object-group RemoteSubnets
no nat (inside,outside) source static LocalSubnets LocalSubnets destination static RemoteSubnets RemoteSubnets no-proxy-arp route-lookup
nat (inside) 0 access-list inside_nat0_outbound

Since site-to-site works between servers at the moment, I'm not sure whether this command will break anything. The VPN pool on ver8 is part of the local subnet (subnet 192.168.0.0/24; the VPN pool is .100-.150), so if I do this, will LAN clients lose internet?


3 Replies

Damir Reic
Level 1

So the command on v8 side would be:

nat (inside,outside) source static LocalSubnets LocalSubnets destination static RemoteSubnets RemoteSubnets no-proxy-arp route-lookup

and I don't need an access list. But I still can't ping the other side of the tunnel from a remote VPN user.

Since I suspected the problem could be related to remote VPN clients having an IP range from the internal LAN, I created the pool 10.23.50.100-200 for VPN clients:

object-group network LocalSubnets
 network-object 192.168.0.0 255.255.255.0
 network-object 10.23.50.0 255.255.255.0
object-group network RemoteSubnets
 network-object 192.168.3.0 255.255.255.0
 network-object 192.168.12.0 255.255.255.0
 network-object 211.45.139.0 255.255.255.224
 network-object 211.45.140.208 255.255.255.240
object-group network LocalLAN
 network-object 192.168.0.0 255.255.255.0
object-group network VPNClients
 network-object 10.23.50.0 255.255.255.0

access-list Split_Tunnel_List standard permit 192.168.0.0 255.255.255.0
access-list Split_Tunnel_List standard permit 192.168.3.0 255.255.255.0
access-list Split_Tunnel_List standard permit 211.45.139.0 255.255.255.224
access-list Split_Tunnel_List standard permit 211.45.140.208 255.255.255.240

access-list outside_cryptomap extended permit ip object-group LocalSubnets object-group RemoteSubnets

nat (inside,outside) source static LocalSubnets LocalSubnets destination static RemoteSubnets RemoteSubnets no-proxy-arp route-lookup
nat (inside,outside) source static LocalLAN LocalLAN destination static VPNClients VPNClients no-proxy-arp route-lookup

And I still can't ping anything from a remote client to the other side of the tunnel.
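The object-groups, access lists and NAT lines in the post above are enough to check the three things remote-access clients need before they can use a site-to-site tunnel: the client pool has to be a source in the crypto (interesting-traffic) ACL, every remote subnet has to be in the split-tunnel list, and a NAT exemption has to cover pool-to-remote on the interface pair the decrypted client traffic actually uses. The following Python script is an added example and not part of the thread or any Cisco tool; it embeds the posted lines as constructed sample input, assumes the pool is 10.23.50.0/24 and that `outside` is the interface terminating the VPN (both taken from the post), and reports the gaps it finds. It says nothing about the v7 peer's mirror-image configuration, which is not posted.

```python
import ipaddress
import re

# Constructed sample input: the object-groups, ACLs and NAT lines from the post.
CONFIG = """
object-group network LocalSubnets
 network-object 192.168.0.0 255.255.255.0
 network-object 10.23.50.0 255.255.255.0
object-group network RemoteSubnets
 network-object 192.168.3.0 255.255.255.0
 network-object 192.168.12.0 255.255.255.0
 network-object 211.45.139.0 255.255.255.224
 network-object 211.45.140.208 255.255.255.240
object-group network LocalLAN
 network-object 192.168.0.0 255.255.255.0
object-group network VPNClients
 network-object 10.23.50.0 255.255.255.0
access-list Split_Tunnel_List standard permit 192.168.0.0 255.255.255.0
access-list Split_Tunnel_List standard permit 192.168.3.0 255.255.255.0
access-list Split_Tunnel_List standard permit 211.45.139.0 255.255.255.224
access-list Split_Tunnel_List standard permit 211.45.140.208 255.255.255.240
access-list outside_cryptomap extended permit ip object-group LocalSubnets object-group RemoteSubnets
nat (inside,outside) source static LocalSubnets LocalSubnets destination static RemoteSubnets RemoteSubnets no-proxy-arp route-lookup
nat (inside,outside) source static LocalLAN LocalLAN destination static VPNClients VPNClients no-proxy-arp route-lookup
"""

# Assumption: the 10.23.50.100-200 pool from the post lives in this /24.
VPN_POOL = ipaddress.ip_network("10.23.50.0/24")
# Assumption: the VPN-terminating interface, as used in the post's NAT lines.
VPN_INTERFACE = "outside"


def parse_config(text):
    """Extract object-groups, standard ACLs, object-group crypto ACEs and twice-NAT lines."""
    groups, std_acls, crypto, nats = {}, {}, [], []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"object-group network (\S+)", line)
        if m:
            current = groups.setdefault(m.group(1), [])
            continue
        m = re.match(r"network-object (\S+) (\S+)", line)
        if m and current is not None:
            current.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"))
            continue
        current = None  # any other line ends the object-group block
        m = re.match(r"access-list (\S+) standard permit (\S+) (\S+)", line)
        if m:
            std_acls.setdefault(m.group(1), []).append(
                ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}"))
            continue
        m = re.match(r"access-list (\S+) extended permit ip object-group (\S+) object-group (\S+)", line)
        if m:
            crypto.append((m.group(1), m.group(2), m.group(3)))
            continue
        m = re.match(r"nat \((\S+),(\S+)\) source static (\S+) \S+ destination static (\S+) \S+", line)
        if m:
            nats.append((m.group(1), m.group(2), m.group(3), m.group(4)))
    return groups, std_acls, crypto, nats


def covered(net, nets):
    """True if every address of `net` lies inside some network in `nets`."""
    return any(net.subnet_of(n) for n in nets)


def check(text, pool, remote_group, vpn_if):
    """Return a list of findings; an empty list means all three conditions hold."""
    groups, std_acls, crypto, nats = parse_config(text)
    remote = groups[remote_group]
    findings = []
    # 1. The pool must be interesting traffic for the site-to-site tunnel.
    for acl, src, _dst in crypto:
        if not covered(pool, groups[src]):
            findings.append(f"{acl}: VPN pool {pool} is not in source group {src}")
    # 2. Every remote subnet must be pushed to the clients as a split-tunnel route.
    for name, nets in std_acls.items():
        for r in remote:
            if not covered(r, nets):
                findings.append(f"{name}: remote subnet {r} missing, clients send it to their default route")
    # 3. A NAT exemption must cover pool -> remote on the pair client traffic enters on.
    pairs = [(real, mapped) for real, mapped, src, dst in nats
             if covered(pool, groups[src]) and all(covered(r, groups[dst]) for r in remote)]
    if not pairs:
        findings.append(f"no NAT exemption covers {pool} -> {remote_group}")
    elif not any(real == vpn_if for real, _ in pairs):
        where = ", ".join(f"({r},{m})" for r, m in pairs)
        findings.append(f"NAT exemption for {pool} -> {remote_group} exists only on {where}; "
                        f"decrypted client traffic enters on {vpn_if}")
    return findings


if __name__ == "__main__":
    for finding in check(CONFIG, VPN_POOL, "RemoteSubnets", VPN_INTERFACE):
        print("FINDING:", finding)
```

Run against the posted configuration this reports two gaps: 192.168.12.0/24 is in RemoteSubnets but not in Split_Tunnel_List, and the only exemption that matches pool-to-remote is on the (inside,outside) pair even though client traffic arrives on outside.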

You need a "nat (outside,inside)" as well, which mirrors your other NAT statement for the Remote Access VPN clients. That's the trick that usually throws everyone for a loop. ;-)

I usually do one that looks like this:

nat (inside,outside) source static inside-networks inside-networks destination static inside-networks inside-networks no-proxy-arp route-lookup
nat (outside,inside) source static inside-networks inside-networks destination static inside-networks inside-networks no-proxy-arp route-lookup
nat (inside,outside) source dynamic any interface dns