ASA5505 v8.4(3) cisco VPN client setup

Nick Sinyakov
Level 1

Hi guys,

I'm trying to set up VPN client access for an ASA5505. It's almost done, but I'm confused by the new NAT rules since v8.3.

VPN Client is able to connect, but no traffic after it.

Client IP: 192.168.2.1-192.168.2.5

Local net: 192.168.17.0/24

Remote VPN Site-to-Site network: 192.168.10.0/24 - I'd like to have access after VPN client connect

Here is the current config:

: Saved

:

ASA Version 8.4(3)

!

hostname host

domain-name domain

enable password password encrypted

passwd password encrypted

names

!

interface Ethernet0/0

!

interface Ethernet0/1

shutdown

!

interface Ethernet0/2

shutdown

!

interface Ethernet0/3

shutdown

!

interface Ethernet0/4

shutdown

!

interface Ethernet0/5

switchport access vlan 100

!

interface Ethernet0/6

switchport trunk allowed vlan 2,6

switchport mode trunk

!

interface Ethernet0/7

shutdown

!

interface Vlan1

description INTERNET

mac-address 1234.5678.0001

nameif WAN

security-level 0

ip address a.a.a.a 255.255.255.248 standby a1.a1.a1.a1

ospf cost 10

!

interface Vlan2

description OLD-PRIVATE

mac-address 1234.5678.0102

nameif OLD-Private

security-level 100

ip address 192.168.17.2 255.255.255.0 standby 192.168.17.3

ospf cost 10

!

interface Vlan6

description MANAGEMENT

mac-address 1234.5678.0106

nameif Management

security-level 100

ip address 192.168.1.2 255.255.255.0 standby 192.168.1.3

ospf cost 10

!

interface Vlan100

description LAN Failover Interface

!

boot system disk0:/asa843-k8.bin

ftp mode passive

clock timezone NZST 12

clock summer-time NZDT recurring 1 Sun Oct 2:00 3 Sun Mar 2:00

dns domain-lookup WAN

dns server-group DefaultDNS

name-server 208.67.222.222

name-server 156.154.70.1

domain-name domain

same-security-traffic permit intra-interface

object network obj-192.168.17.0

subnet 192.168.17.0 255.255.255.0

object network obj-192.168.10.0

subnet 192.168.10.0 255.255.255.0

object network obj-192.168.2.0

subnet 192.168.2.0 255.255.255.0

object network obj-192.168.9.0

subnet 192.168.9.0 255.255.255.0

object network obj-192.168.33.0

subnet 192.168.33.0 255.255.255.0

object network obj-192.168.44.0

subnet 192.168.44.0 255.255.255.0

object network obj_any

object network obj_any-01

object network NETWORK_OBJ_192.168.10.0_24

subnet 192.168.10.0 255.255.255.0

object network NETWORK_OBJ_192.168.17.0_24

subnet 192.168.17.0 255.255.255.0

object network NETWORK_OBJ_192.168.2.0_29

subnet 192.168.2.0 255.255.255.248

object network CiscoVPNClient_nat

subnet 192.168.17.0 255.255.255.0

object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

object-group service RDP tcp

description RDP

port-object eq 3389

object-group network OFFICE_ALL_VLANS

network-object 192.168.11.0 255.255.255.0

network-object 192.168.10.0 255.255.255.0

network-object 192.168.33.0 255.255.255.0

network-object 192.168.44.0 255.255.255.0

network-object 192.168.55.0 255.255.255.0

network-object 192.168.22.0 255.255.255.0

object-group network subnet-17

network-object 192.168.17.0 255.255.255.0

object-group network subnet-2

network-object 192.168.2.0 255.255.255.0

object-group network subnet-9

network-object 192.168.9.0 255.255.255.0

object-group network subnet-10

network-object 192.168.10.0 255.255.255.0

access-list CiscoVPNClient_splitTunnelAcl extended permit ip object-group subnet-17 object-group subnet-2

access-list CiscoVPNClient_splitTunnelAcl extended permit ip object-group subnet-2 object-group subnet-2

access-list CiscoVPNClient_splitTunnelAcl extended permit ip object-group subnet-2 object-group subnet-17

access-list WAN_access_in extended permit ip any any log debugging

access-list WAN_access_in extended permit tcp any object-group RDP any object-group RDP log debugging

access-list WAN_access_in extended permit icmp a3.a3.a3.a3 255.255.255.248 192.168.10.0 255.255.255.0

access-list MANAGEMENT_access_in extended permit ip any any log debugging

access-list OLD-PRIVATE_access_in extended permit ip any any log debugging

access-list OLD-PRIVATE_access_in extended permit icmp any object-group OFFICE_ALL_VLANS

access-list WAN_1_cryptomap extended permit ip 192.168.17.0 255.255.255.0 192.168.10.0 255.255.255.0

access-list WAN_1_cryptomap extended permit ip 192.168.17.0 255.255.255.0 192.168.11.0 255.255.255.0

access-list WAN_1_cryptomap extended permit ip 192.168.17.0 255.255.255.0 192.168.22.0 255.255.255.0

access-list WAN_1_cryptomap extended permit ip 192.168.17.0 255.255.255.0 192.168.33.0 255.255.255.0

access-list WAN_1_cryptomap extended permit ip 192.168.17.0 255.255.255.0 192.168.44.0 255.255.255.0

access-list WAN_1_cryptomap extended permit ip 192.168.17.0 255.255.255.0 192.168.55.0 255.255.255.0

access-list WAN_cryptomap_2 extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0

pager lines 24

mtu WAN 1500

mtu OLD-Private 1500

mtu Management 1500

ip local pool VPN_Admin_IP 192.168.1.150-192.168.1.199 mask 255.255.255.0

ip local pool vpnclient 192.168.2.1-192.168.2.5 mask 255.255.255.0

failover

failover lan unit primary

failover lan interface failover Vlan100

failover polltime interface 15 holdtime 75

failover key *****

failover interface ip failover 192.168.100.1 255.255.255.0 standby 192.168.100.2

asdm image disk0:/asdm-647.bin

no asdm history enable

arp timeout 14400

nat (OLD-Private,WAN) source static subnet-17 subnet-17 destination static OFFICE_ALL_VLANS OFFICE_ALL_VLANS no-proxy-arp

nat (OLD-Private,WAN) source static obj-192.168.17.0 obj-192.168.17.0 destination static obj-192.168.2.0 obj-192.168.2.0

access-group WAN_access_in in interface WAN

access-group OLD-PRIVATE_access_in in interface OLD-Private

access-group MANAGEMENT_access_in in interface Management

route WAN 0.0.0.0 0.0.0.0 a2.a2.a2.a2 1

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL

aaa local authentication attempts max-fail 10

http server enable

http a.a.a.a 255.255.255.255 WAN

http 0.0.0.0 0.0.0.0 WAN

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

service resetoutside

crypto ipsec ikev1 transform-set OFFICE esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map Office 2 match address WAN_1_cryptomap

crypto map Office 2 set peer b.b.b.b

crypto map Office 2 set ikev1 transform-set OFFICE

crypto map Office 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map Office interface WAN

crypto ikev1 enable WAN

crypto ikev1 policy 10

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

management-access OLD-Private

dhcpd auto_config OLD-Private

!

threat-detection basic-threat

threat-detection statistics host

threat-detection statistics access-list

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

ntp server 129.6.15.28 source WAN prefer

webvpn

group-policy DfltGrpPolicy attributes

vpn-tunnel-protocol ikev1 ssl-client ssl-clientless

group-policy GroupPolicy_b.b.b.b internal

group-policy GroupPolicy_b.b.b.b attributes

vpn-tunnel-protocol ikev1

group-policy CiscoVPNClient internal

group-policy CiscoVPNClient attributes

wins-server value 192.168.17.80 192.168.10.10

dns-server value 208.67.222.222 156.154.70.1

vpn-tunnel-protocol ikev1

split-tunnel-policy tunnelspecified

split-tunnel-network-list none

default-domain value domain

username admin password XHrDm53Lyz1aEtAN encrypted privilege 15

tunnel-group CiscoVPNClient type remote-access

tunnel-group CiscoVPNClient general-attributes

address-pool vpnclient

default-group-policy CiscoVPNClient

tunnel-group CiscoVPNClient ipsec-attributes

ikev1 pre-shared-key *****

tunnel-group b.b.b.b type ipsec-l2l

tunnel-group b.b.b.b general-attributes

default-group-policy GroupPolicy_b.b.b.b

tunnel-group b.b.b.b ipsec-attributes

ikev1 pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

!

------------------------------------------------------------------------------------------------------------------------------------------------------------

Result of the command: "show crypto ipsec sa"

interface: WAN

    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: a.a.a.a

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

      remote ident (addr/mask/prot/port): (192.168.2.1/255.255.255.255/0/0)

      current_peer: c.c.c.c, username: admin

      dynamic allocated peer ip: 192.168.2.1

      #pkts encaps: 751, #pkts encrypt: 751, #pkts digest: 751

      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 751, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: a.a.a.a/0, remote crypto endpt.: c.c.c.c/0

      path mtu 1500, ipsec overhead 74, media mtu 1500

      current outbound spi: 5D3CD2FC

      current inbound spi : 85561A07

    inbound esp sas:

      spi: 0x85561A07 (2237012487)

         transform: esp-aes esp-sha-hmac no compression

         in use settings ={RA, Tunnel, }

         slot: 0, conn_id: 1044480, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

         sa timing: remaining key lifetime (sec): 25045

         IV size: 16 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x00000001

    outbound esp sas:

      spi: 0x5D3CD2FC (1564267260)

         transform: esp-aes esp-sha-hmac no compression

         in use settings ={RA, Tunnel, }

         slot: 0, conn_id: 1044480, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

         sa timing: remaining key lifetime (sec): 25045

         IV size: 16 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x00000001


Thanks,

Nick

23 Replies

rizwanr74
Level 7

object network NETWORK_OBJ_192.168.10.0_24
subnet 192.168.10.0 255.255.255.0

object-group network subnet-17

network-object 192.168.17.0 255.255.255.0

object network obj-192.168.2.0

subnet 192.168.2.0 255.255.255.0

nat (OLD-Private,WAN) source static subnet-17 subnet-17 destination static obj-192.168.2.0 obj-192.168.2.0 no-proxy-arp route-lookup


nat (WAN,WAN) source static obj-192.168.2.0 obj-192.168.2.0 destination static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 no-proxy-arp route-lookup


nat (WAN,WAN) source static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 destination static obj-192.168.2.0 obj-192.168.2.0 no-proxy-arp route-lookup

Hope this helps.

Let me know how this is coming along.

Thanks
Rizwan Rafeek
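As an added example (not from Rizwan's reply or from Cisco's own tooling), a Python evaluator that parses the 8.3+ object and twice-NAT syntax used above and reports which identity rule, if any, exempts a given flow from translation. The object and NAT lines are a constructed copy of the rules suggested above, and the matching model is a simplification of what the ASA does.

```python
import ipaddress
import re

# Constructed sample: the objects and the three identity twice-NAT rules
# suggested in the reply above, trimmed to what the evaluator needs.
ASA_CONFIG = """
object network obj-192.168.2.0
 subnet 192.168.2.0 255.255.255.0
object network NETWORK_OBJ_192.168.10.0_24
 subnet 192.168.10.0 255.255.255.0
object-group network subnet-17
 network-object 192.168.17.0 255.255.255.0
nat (OLD-Private,WAN) source static subnet-17 subnet-17 destination static obj-192.168.2.0 obj-192.168.2.0 no-proxy-arp route-lookup
nat (WAN,WAN) source static obj-192.168.2.0 obj-192.168.2.0 destination static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 no-proxy-arp route-lookup
nat (WAN,WAN) source static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 destination static obj-192.168.2.0 obj-192.168.2.0 no-proxy-arp route-lookup
"""

OBJ_RE = re.compile(r"^object(?:-group)? network (\S+)$")
NET_RE = re.compile(r"^(?:subnet|network-object) (\S+) (\S+)$")
# Twice-NAT order: source static <real> <mapped> destination static <mapped> <real>
NAT_RE = re.compile(r"^nat \((?P<in>[^,]+),(?P<out>[^)]+)\) source static (?P<sr>\S+) (?P<sm>\S+)"
                    r" destination static (?P<dm>\S+) (?P<dr>\S+)")

def parse_objects(cfg):
    """Map each network object / object-group name to its list of subnets."""
    nets, current = {}, None
    for line in (raw.strip() for raw in cfg.splitlines()):
        if m := OBJ_RE.match(line):
            current = m.group(1)
            nets.setdefault(current, [])
        elif (m := NET_RE.match(line)) and current:
            nets[current].append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"))
    return nets

def parse_nat(cfg):
    """Twice-NAT rules in configuration order; the ASA takes the first match."""
    return [m.groupdict() for raw in cfg.splitlines() if (m := NAT_RE.match(raw.strip()))]

def contains(nets, name, ip):
    return any(ip in net for net in nets.get(name, []))

def find_identity_rule(nets, rules, in_if, out_if, src, dst):
    """(rule_index, direction) of the first identity rule covering a packet that
    enters in_if bound for out_if, or None when no exemption applies.
    Simplification: ignores 'unidirectional', NAT sections and translating rules."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, r in enumerate(rules):
        if r["sr"] != r["sm"] or r["dr"] != r["dm"]:
            continue  # this rule translates something, so it is not an exemption
        # Forward: packet arrives on the rule's first interface.
        if (in_if, out_if) == (r["in"], r["out"]) and contains(nets, r["sr"], src) and contains(nets, r["dm"], dst):
            return i, "forward"
        # Reverse: a twice-NAT rule also matches the return direction.
        if (in_if, out_if) == (r["out"], r["in"]) and contains(nets, r["dm"], src) and contains(nets, r["sm"], dst):
            return i, "reverse"
    return None

NETS, RULES = parse_objects(ASA_CONFIG), parse_nat(ASA_CONFIG)
```

For the flows in this thread it reports rule 0 (reverse) for client 192.168.2.1 entering WAN towards 192.168.17.1 on OLD-Private, rule 1 (forward, then reverse) for both WAN-to-WAN directions between the client and 192.168.10.10, and None for 192.168.2.1 to 192.168.9.1, which no rule exempts.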

Hi Rizwan,

nat (OLD-Private,WAN) source static subnet-17 subnet-17 destination static OFFICE_ALL_VLANS OFFICE_ALL_VLANS no-proxy-arp

nat (WAN,WAN) source static obj-192.168.2.0 obj-192.168.2.0 destination static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 no-proxy-arp route-lookup

nat (WAN,WAN) source static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 destination static obj-192.168.2.0 obj-192.168.2.0 no-proxy-arp route-lookup

nat (OLD-Private,WAN) source static subnet-17 subnet-17 destination static obj-192.168.2.0 obj-192.168.2.0 no-proxy-arp route-lookup

Still no access to either 192.168.17.0 or 192.168.10.0.

host# show crypto ipsec sa entry

peer address: c.c.c.c

    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: a.a.a.a

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

      remote ident (addr/mask/prot/port): (192.168.2.1/255.255.255.255/0/0)

      current_peer: c.c.c.c, username: admin

      dynamic allocated peer ip: 192.168.2.1

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: a.a.a.a/0, remote crypto endpt.: c.c.c.c/0

      path mtu 1500, ipsec overhead 74, media mtu 1500

      current outbound spi: 4D5A2ED2

      current inbound spi : 3FCCD1D0

    inbound esp sas:

      spi: 0x3FCCD1D0 (1070387664)

         transform: esp-aes esp-sha-hmac no compression

         in use settings ={RA, Tunnel, }

         slot: 0, conn_id: 1056768, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

         sa timing: remaining key lifetime (sec): 28440

         IV size: 16 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x00000001

    outbound esp sas:

      spi: 0x4D5A2ED2 (1297755858)

         transform: esp-aes esp-sha-hmac no compression

         in use settings ={RA, Tunnel, }

         slot: 0, conn_id: 1056768, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

         sa timing: remaining key lifetime (sec): 28437

         IV size: 16 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x00000001

If you have an L3 switch inside the network, please make sure it has a static route in place that pushes the VPN-pool segment to the FW's inside address, as shown below.

ip route 192.168.2.0 255.255.255.0 192.168.17.2

Please let me know.

thanks

Rizwan Rafeek

No network changes have been made since the VPN client was set up and working properly. Only the ASA IOS is new. So I think all is OK with the network environment.

Can you access the remote-LAN segment while VPN'd in?

No, I'm unable to access any network while connected via the VPN client.

The only difference I see in your object creation is that when you create an object you have used the keyword "network-object 192.168.17.0 255.255.255.0", but on my ASA I always use "subnet 192.168.0.0 255.255.255.0" when creating an object for NAT.

I normally create an object as a subnet, as shown below.

Mine:

object network obj-192.168

subnet 192.168.0.0 255.255.255.0

Whereas you have created the object as "network-object", as shown below. This is the only difference between my setup on the ASA and yours; the actual NAT statements are identical and it works fine on my ASA.

Yours:

object-group network subnet-17

network-object 192.168.17.0 255.255.255.0

You may want to use objects created as "subnet" in the NAT and give it a try again. I think you already have those objects as subnets.

So you may want to delete the previous NAT, the one I showed you, and add them again with objects that have the "subnet" keyword in them.

Hi Rizwan,

Still no luck. 0 bytes sent / 0 received, all packets discarded.

I've added

object network obj-192.168

subnet 192.168.0.0 255.255.0.0

My new nat definitions:

nat (OLD-Private,WAN) source static subnet-17 subnet-17 destination static OFFICE_ALL_VLANS OFFICE_ALL_VLANS no-proxy-arp

nat (WAN,WAN) source static obj-192.168.2.0 obj-192.168.2.0 destination static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 no-proxy-arp route-lookup

nat (WAN,WAN) source static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 destination static obj-192.168.2.0 obj-192.168.2.0 no-proxy-arp route-lookup

nat (OLD-Private,WAN) source static obj-192.168 obj-192.168 destination static obj-192.168 obj-192.168 no-proxy-arp route-lookup

Can you please add this line:

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route

Please let me know how that is coming along.

thanks

Added, but no results.

Just for the sake of diagnostics, please add this route on your internal switch and try; it won't hurt.

ip route 192.168.2.0 255.255.255.0 192.168.17.2

Please let me know.

thanks

Rizwan Rafeek

I don't have a Layer 3 switch. It's a Dell PowerConnect 2848.

OK, understood. You do have a default gateway on the Dell 2848 and it is pointing to 192.168.17.2, please confirm?

I assume the IP on the Dell 2848 is "192.168.17.1"; if so, can you initiate a packet-tracer as shown below on the ASA and please post the output.

packet-tracer input WAN icmp 192.168.2.1 8 0 192.168.17.1

thanks

packet-tracer input WAN icmp 192.168.2.1 8 0 192.168.17.1

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

MAC Access list

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   192.168.17.0    255.255.255.0   OLD-Private

Phase: 3

Type: UN-NAT

Subtype: static

Result: ALLOW

Config:

nat (OLD-Private,WAN) source static obj-192.168 obj-192.168 destination static obj-192.168 obj-192.168 no-proxy-arp route-lookup

Additional Information:

NAT divert to egress interface OLD-Private

Untranslate 192.168.17.1/0 to 192.168.17.1/0

Phase: 4

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group WAN_access_in in interface WAN

access-list WAN_access_in extended permit ip any any log debugging

Additional Information:

Phase: 5

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 6

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

class-map inspection_default

match default-inspection-traffic

policy-map global_policy

class inspection_default

  inspect icmp

service-policy global_policy global

Additional Information:

Phase: 7

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

Additional Information:

Phase: 8

Type: VPN

Subtype: ipsec-tunnel-flow

Result: ALLOW

Config:

Additional Information:

Phase: 9

Type: HOST-LIMIT

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 10

Type: NAT

Subtype: rpf-check

Result: ALLOW

Config:

nat (OLD-Private,WAN) source static obj-192.168 obj-192.168 destination static obj-192.168 obj-192.168 no-proxy-arp route-lookup

Additional Information:

Phase: 11

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 12

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 2919956, packet dispatched to next module

Result:

input-interface: WAN

input-status: up

input-line-status: up

output-interface: OLD-Private

output-status: up

output-line-status: up

Action: allow
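A Python parser for packet-tracer output like the one posted above, added here as an example and not part of the thread; the sample trace is a constructed, trimmed copy of the posted output. It splits the trace into phases so the matched NAT statement and the final verdict can be checked programmatically when comparing runs before and after a NAT change.

```python
import re

# Constructed sample: a trimmed, single-spaced copy of the packet-tracer output posted above.
TRACE = """\
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (OLD-Private,WAN) source static obj-192.168 obj-192.168 destination static obj-192.168 obj-192.168 no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface OLD-Private
Untranslate 192.168.17.1/0 to 192.168.17.1/0
Result:
input-interface: WAN
output-interface: OLD-Private
Action: allow
"""

FIELD_RE = re.compile(r"^(Type|Subtype|Result):\s*(.*)$")

def parse_packet_tracer(text):
    """Return (phases, final): one dict per 'Phase: N' block and the final verdict block."""
    phases, final, cur, section = [], {}, None, None
    for line in filter(None, map(str.strip, text.splitlines())):
        if m := re.match(r"^Phase:\s*(\d+)$", line):
            cur = {"phase": int(m.group(1)), "type": "", "subtype": "", "result": "", "config": [], "info": []}
            phases.append(cur)
            section = None
        elif line == "Result:":  # a bare "Result:" opens the final verdict block
            cur, section = None, "final"
        elif section == "final":
            key, _, value = line.partition(":")
            final[key.strip()] = value.strip()
        elif cur is None:
            continue  # text before the first phase (e.g. the echoed command)
        elif line in ("Config:", "Additional Information:"):
            section = "config" if line == "Config:" else "info"
        elif section is None and (m := FIELD_RE.match(line)):
            cur[m.group(1).lower()] = m.group(2)
        elif section in ("config", "info"):
            cur[section].append(line)
    return phases, final

def nat_rules_hit(phases):
    """The NAT statements the trace matched, in phase order."""
    return [c for p in phases if p["type"] in ("NAT", "UN-NAT") for c in p["config"] if c.startswith("nat ")]

def first_drop(phases):
    """First phase whose Result is DROP, or None when every phase allowed the packet."""
    return next((p for p in phases if p["result"] == "DROP"), None)
```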