We have ASA5510s and I've configured an SSL VPN using AnyConnect. The VPN address pool is 10.10.10.0/24 and our internal network is 10.10.20.0/24. After successful login, using LDAP, the client receives a 10.10.10.0/24 address from the pool, but cannot access anything on the internal 10.10.20.0/24 network. I've toyed with access lists and NAT exemption, but to no avail. What do I need to do?
I'd rather not as this is quite a large configuration and I don't have time to change the public IP addresses. You have the networks listed above and can use "inside" and "outside" for the interfaces. Can you just give me the "short answer", such as: the access rule should be xxx, the NAT exemption should be yyy, and the routing should be zzz. I'd really appreciate that as it would expand my understanding of this product. Thanx!
For NAT bypass, it should look like the following:
access-list nonat permit ip 10.10.20.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list nonat
You don't need to permit this VPN traffic on the outside interface, since VPN traffic bypasses the interface ACL check automatically.
When the VPN client is connected to the ASA, a static route should be added automatically to the routing table. But you need to make sure the internal hosts forward traffic destined for the VPN client 10.10.10.x to the ASA.
OK, I understand (and have implemented) the access-list and the nat statements. By "But you need make sure the internal host should forward the traffic to vpn client 10.10.10.x to the ASA", I'm assuming that you mean that the default gateway for internal hosts should be the IP of the inside interface - and it is. I still can't get the VPN client to connect to an internal host, however. Any suggestions? Thanx!
OK, do a packet capture on the inside interface:
access-list capin permit ip host 10.10.10.x host 10.10.20.x
access-list capin permit ip host 10.10.20.x host 10.10.10.x
capture in access-list capin interface inside
Then initiate the traffic from client to server, and use "show capture capin" to see if you can see the traffic in both directions.
By the way, is there any firewall on your server which might block the access from the VPN client?
I set up and looked at the captures and only saw inbound traffic from the client. That will cause the issue, but what do I need to do to allow the VPN address pool access to the internal network? There is no firewall on the client nor on the server.
1: 09:10:47.606490 10.10.10.1 > 10.10.20.123: icmp: echo request
2: 09:10:53.053982 10.10.10.1 > 10.10.20.123: icmp: echo request
3: 09:10:58.543154 10.10.10.1 > 10.10.20.123: icmp: echo request
4: 09:11:04.045407 10.10.10.1 > 10.10.20.123: icmp: echo request
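As an added example (not from this thread or from Cisco), the check described above, "do you see the traffic in both directions", done in Python over "show capture" output in the format shown. It parses each packet line, counts packets per source/destination pair, and reports pairs that never get a reply, which is the one-way symptom in the capture above. The capture lines inside the script are constructed for the example.

```python
import re
from collections import defaultdict

# One line of ASA "show capture" output, e.g.
#   "1: 09:10:47.606490 10.10.10.1 > 10.10.20.123: icmp: echo request"
# TCP/UDP lines carry a port after the address ("10.10.10.1.51234"),
# so the port is optional in the pattern.
LINE_RE = re.compile(
    r"^\s*\d+:\s+(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))?\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?:\s+(?P<rest>.*)$"
)

def parse_capture(text):
    """Yield (src, dst, description) per packet line; lines that do not parse are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("src"), m.group("dst"), m.group("rest")

def one_way_flows(text):
    """Return {(src, dst): packet_count} for host pairs with no packet in the reverse direction.

    An empty dict means every pair seen was answered, i.e. the capture shows both directions.
    """
    counts = defaultdict(int)
    for src, dst, _ in parse_capture(text):
        counts[(src, dst)] += 1
    return {
        (src, dst): n
        for (src, dst), n in counts.items()
        if counts.get((dst, src), 0) == 0
    }

# Constructed sample: requests only, no echo reply ever comes back through the inside interface.
CAPTURE_BROKEN = """\
1: 09:10:47.606490 10.10.10.1 > 10.10.20.123: icmp: echo request
2: 09:10:53.053982 10.10.10.1 > 10.10.20.123: icmp: echo request
"""

# Constructed sample: the server answers, so the pair is seen in both directions.
CAPTURE_OK = """\
1: 09:23:07.826876 10.10.10.1 > 10.10.20.4: icmp: echo request
2: 09:23:07.827914 10.10.20.4 > 10.10.10.1: icmp: echo reply
"""

if __name__ == "__main__":
    for name, cap in (("broken", CAPTURE_BROKEN), ("ok", CAPTURE_OK)):
        print(name, "one-way pairs:", one_way_flows(cap) or "none")
```

A pair that appears only in the client-to-server direction points at the return path (the server's default gateway or a host firewall) rather than at the ASA's VPN configuration.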
As I'm working with a test ASA, using a different IP for the inside interface, I will try to configure a device on the inside network with a default gateway of the test ASA to see if that works. If that works, then I can set up the production ASA the same way as all devices use that inside IP as their default gateway.
Eureka! I set up an internal machine with the default gateway of the test ASA and it worked - that was really dumb of me not to remember that the internal devices do not know the test ASA's IP to use as a default gateway! Thanx for all your help - it rearranged my thinking.
1: 09:23:07.826876 10.10.10.1 > 10.10.20.4: icmp: echo request
2: 09:23:07.827914 10.20.20.4 > 10.10.10.1: icmp: echo reply
3: 09:23:08.875687 10.10.10.1 > 10.10.20.4: icmp: echo request
4: 09:23:08.876663 10.20.20.4 > 10.10.10.1: icmp: echo reply
5: 09:23:09.850419 10.10.10.1 > 10.10.20.4: icmp: echo request
6: 09:23:09.851365 10.20.20.4 > 10.10.10.1: icmp: echo reply
7: 09:23:10.836626 10.10.10.1 > 10.10.20.4: icmp: echo request
8: 09:23:10.837511 10.20.20.4 > 10.10.10.1: icmp: echo reply