ASDM/Internal LAN via Client VPN

eoghan_murtagh
Level 1

Hi All,

I've seen a number of posts on a similar topic but cannot find my problem exactly. I've set up client VPN with address pools etc. The VPN client connects perfectly and I can launch ASDM OK. Then I discover that I don't have access to internal servers. I have a Eureka moment and remember that I need a NAT exemption. As this is ASA 8.6, I put in a double NAT entry, e.g.

NAT(INSIDE, OUTSIDE) source static LOCAL_SUBNETS LOCAL_SUBNETS destination static VPN_SUBNET VPN_SUBNET

Now I have access to internal servers but do not have access to manage ASDM. I get "unable to launch device manager from xxx.xxx.xxx.xxx".

Management-access is set to INSIDE and the address pool is different from the internal LAN. I'm sure it is only something small but I can't seem to figure it out.

I've set this up previously with older ASAs and never had a problem, but this is my first time with the newer 8.6 NAT rules, so I could be doing something incorrectly.

Thanks in advance for your help

Eoghan


eoghan_murtagh
Level 1

In case anyone is interested and comes across this, I found the answer to my own question here:

https://supportforums.cisco.com/thread/2120561.

This is the detail:

CSCtr16184 Bug Details

To-the-box traffic fails from hosts over vpn after upgrade to 8.4.2.
Symptom:
After upgrading the ASA to 8.4.2, all management traffic to-the-box (including
icmp/telnet/ssh/ASDM) from hosts over the VPN (L2L or Remote Access VPN) may
fail when destined to the management-access interface IP address.

Conditions:
1. Issue is observed if ASA is on 8.4.2. Not observed on 8.4.1.
2. Users directly connected to the internal interfaces face no issues with
icmp/telnet/ssh/asdm to their respective interfaces.

Workaround:
The problem can be traced to a Manual NAT statement that overlaps with the
management-access interface IP address. The NAT statement must have both the
source and destination fields. Adding the "route-lookup" keyword at the end of
the NAT statement resolves the issue.

Ex:
ASA's Management-Access Interface IP address is 192.168.1.1.

! Overlapping NAT statement:
nat (inside,outside) source static obj-192.168.1.0 obj-192.168.1.0 destination
static obj-vpn obj-vpn

! New Statement:
nat (inside,outside) source static obj-192.168.1.0 obj-192.168.1.0 destination
static obj-vpn obj-vpn route-lookup

So I entered the following commands:

no NAT(INSIDE, OUTSIDE) source static LOCAL_SUBNETS LOCAL_SUBNETS destination static VPN_SUBNET VPN_SUBNET

NAT(INSIDE, OUTSIDE) source static LOCAL_SUBNETS LOCAL_SUBNETS destination static VPN_SUBNET VPN_SUBNET route-lookup

and now have access to both internal servers and the ASA via ASDM from the same client VPN profile.

Thanks,

Eoghan

Thanks for posting the resolution. +5 for that!

I'm running into this exact same problem on an ASA 5525-X running software version 8.6(1)2.

The solution doesn't work because the route-lookup keyword doesn't exist. Example:

nat (inside,any) source static INTERNAL-SUBNETS INTERNAL-SUBNETS destination static VPN-Subnet VPN-Subnet no-proxy-arp route-lookup

               ^

ERROR: % Invalid input detected at '^' marker.

How do I access my ASA over ssh with an overlapping NAT statement when I can't enter the route-lookup keyword?

I found the issue. You can't use the route-lookup keyword if one of the interfaces is set to "any". This NAT statement fixed the issue:

nat (inside,outside) source static INTERNAL-SUBNETS INTERNAL-SUBNETS destination static VPN-Subnet VPN-Subnet no-proxy-arp route-lookup
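For reference, here is the complete configuration context the thread's NAT line depends on, as an added example that is not from any of the posters above. The object names, the 192.168.1.0/24 LAN, the 10.10.10.0/24 VPN pool and the management-access interface IP 192.168.1.1 are all constructed values; the packet-tracer line at the end is the check a practitioner would run to confirm the to-the-box flow is no longer swallowed by the twice NAT rule.

```cisco
! Constructed objects for the internal LAN and the remote-access VPN pool
object network INTERNAL-SUBNETS
 subnet 192.168.1.0 255.255.255.0
object network VPN-Subnet
 subnet 10.10.10.0 255.255.255.0
!
! Identity (twice) NAT so VPN clients reach the LAN without translation.
! Both source and destination fields overlap the management-access
! interface IP (192.168.1.1), so route-lookup is required: the ASA then
! uses the routing table instead of the NAT rule to pick the egress
! interface and recognises traffic to 192.168.1.1 as to-the-box.
! Note the real interface names: route-lookup is rejected with "any".
nat (inside,outside) source static INTERNAL-SUBNETS INTERNAL-SUBNETS destination static VPN-Subnet VPN-Subnet no-proxy-arp route-lookup
!
! Allow management of the inside interface IP from the VPN pool only
management-access inside
http 10.10.10.0 255.255.255.0 inside
ssh 10.10.10.0 255.255.255.0 inside
!
! Verification: simulate an ASDM (HTTPS) connection from a VPN client
! to the inside interface IP. With route-lookup in place the trace should
! end in a NAT/identity phase followed by an ALLOW to the box rather than
! an attempt to forward the packet out of the inside interface.
packet-tracer input outside tcp 10.10.10.5 50000 192.168.1.1 443
!
! Confirm the rule is being hit by VPN-client traffic
show nat detail
```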