04-26-2010 06:00 PM
I set up port 0 as an Inside interface and port 1 as an Outside interface. I would like to switch them (port 0 = outside, port 1 = inside). Do I connect to the ASA through the Console Port or Management Port to make this change? I was connecting through SSH and the ASA did not allow me to save this change. Thanks.
Solved! Go to Solution.
04-26-2010 06:41 PM
Console port would be the best option as you are changing the interfaces around, and console connection will not affect your communication to the ASA itself.
04-26-2010 06:55 PM
If you're modifying parameters on an interface (which you're connected to), you need to be careful not to lose connectivity to the Firewall (in case you have a remote session).
I have been locked out of the ASA before because of this, so if you are physically in the same location as the ASA, it is better to use the console connection.
If you have more than one interface that you can SSH into, then you can modify the other interface without any problem.
Normally, the rule is to use port 0 for outside and port 1 for inside as you mentioned.
Federico.
04-27-2010 12:12 PM
Hi Laura,
Check if you have internet access from the ASA itself.
From the ASA itself:
ASA# ping 4.2.2.2
Check if you receive results.
If Internet is fine from the ASA, try the same thing from a computer behind the ASA.
If it does not work, do a traceroute and check the path of the packet.
Federico.
04-27-2010 02:02 PM
The VPN traffic is not even getting to the ASA.
I think the problem is that the crypto map is applied to the inside interface.
Remove these commands, and reapply them to the outside interface:
no crypto map Outside_map interface Inside
no crypto isakmp enable Inside
crypto map Outside_map interface Outside
crypto isakmp enable Outside
Please try again.
Federico.
04-27-2010 04:07 PM
If the Internet traffic from the VPN clients does not go through the ASA (split-tunneling enabled), then you don't need the nat (outside) statement.
You can make sure by looking at your VPN client and checking the route details tab under statistics (while connected) and see the protected routes.
If you see 0.0.0.0 0.0.0.0 it means there's no split-tunneling. If you get a network or networks, it means you do have split-tunneling and therefore you can remove the nat (outside) statement.
Let me know how it goes.
Federico.
04-28-2010 08:17 AM
Laura,
The only reason that you would possibly need the command:
nat (Outside) 1 192.168.101.0 255.255.255.0
is in case you want to do NAT for the VPN pool when going out another interface.
The clearest example is when you want the ASA to provide Internet access to the VPN clients.
So, the VPN clients connect to the ASA (sending all traffic = without split-tunneling) and the ASA translates the connections to the outside interface to re-route the traffic back out the outside interface.
If this is not the case (since you're using split-tunneling and therefore not sending the Internet traffic from the VPN clients to the ASA), there's no reason to have that command in your configuration.
Hope it helps.
Federico.
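The two fixes in the accepted answers above (the crypto map and ISAKMP bound to the Inside interface after the interfaces were swapped, and a nat (Outside) line for the VPN pool that is dead config when split tunneling is on) are the kind of thing that is easy to catch with an offline config audit before the change window. The script below is an added example, not part of the thread or of Cisco's tooling. It works on the pre-8.3 NAT syntax used in this thread, decides which interface faces the Internet from the default route, and reproduces Federico's remediation commands. The sample config, interface names, addresses and group-policy name are constructed for the example; the "hairpin" check for tunnel-all clients (same-security-traffic permit intra-interface) goes slightly beyond what the thread covers.

```python
import re

# Constructed ASA 8.2-style (pre-8.3 NAT syntax) config reproducing the thread:
# Ethernet0/0 and 0/1 have been swapped, but the crypto map and ISAKMP are still
# bound to "Inside", and a nat (Outside) line for the VPN pool remains although
# the group policy uses split tunneling. Addresses and names are made up.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface Ethernet0/1
 nameif Inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list split_tunnel standard permit 192.168.1.0 255.255.255.0
ip local pool vpnpool 192.168.101.1-192.168.101.254
nat (Outside) 1 192.168.101.0 255.255.255.0
nat (Inside) 0 access-list nonat
nat (Inside) 1 0.0.0.0 0.0.0.0
global (Outside) 1 interface
route Outside 0.0.0.0 0.0.0.0 203.0.113.1 1
crypto map Outside_map interface Inside
crypto isakmp enable Inside
group-policy RemoteAccess internal
group-policy RemoteAccess attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_tunnel
"""


def default_route_interface(config):
    """nameif that carries the 0.0.0.0/0 route: the interface that really faces the Internet."""
    m = re.search(r"^route (\S+) 0\.0\.0\.0 0\.0\.0\.0 ", config, re.M)
    return m.group(1) if m else None


def split_tunneling_enabled(config):
    """True when a group-policy tunnels only specific networks (tunnelall sends everything)."""
    return re.search(r"^\s*split-tunnel-policy (tunnelspecified|excludespecified)$",
                     config, re.M) is not None


def find_issues(config):
    """Return a list of {'problem': str, 'fix': [CLI lines]} for the checks below."""
    issues = []
    outside = default_route_interface(config)
    if outside is None:
        return [{"problem": "no default route; cannot tell which interface faces the Internet",
                 "fix": []}]

    # 1. The crypto map must sit on the Internet-facing interface, otherwise IKE never
    #    arrives (the thread's symptom: "There are no isakmp sas" and client error 412).
    for m in re.finditer(r"^crypto map (\S+) interface (\S+)$", config, re.M):
        cmap, iface = m.groups()
        if iface != outside:
            issues.append({"problem": f"crypto map {cmap} is bound to {iface}, not {outside}",
                           "fix": [f"no crypto map {cmap} interface {iface}",
                                   f"crypto map {cmap} interface {outside}"]})

    # 2. Same rule for ISAKMP.
    for m in re.finditer(r"^crypto isakmp enable (\S+)$", config, re.M):
        iface = m.group(1)
        if iface != outside:
            issues.append({"problem": f"ISAKMP is enabled on {iface}, not {outside}",
                           "fix": [f"no crypto isakmp enable {iface}",
                                   f"crypto isakmp enable {outside}"]})

    # 3. nat (<outside>) for the VPN pool only serves tunnel-all clients that hairpin back
    #    out; with split tunneling it is dead config, and for tunnel-all it also needs
    #    intra-interface traffic permitted (beyond the thread, but a known requirement).
    for line in re.findall(rf"^nat \({re.escape(outside)}\) \d+ .*$", config, re.M):
        if split_tunneling_enabled(config):
            issues.append({"problem": f"'{line}' is unnecessary: split tunneling keeps "
                                      "Internet traffic off the ASA",
                           "fix": [f"no {line}"]})
        elif "same-security-traffic permit intra-interface" not in config:
            issues.append({"problem": f"'{line}' hairpins tunnel-all clients but "
                                      "intra-interface traffic is not permitted",
                           "fix": ["same-security-traffic permit intra-interface"]})
    return issues


def apply_fixes(config, issues):
    """Apply remediation textually: 'no <line>' drops that line, anything else is appended."""
    lines = config.splitlines()
    for issue in issues:
        for cmd in issue["fix"]:
            if cmd.startswith("no "):
                lines = [l for l in lines if l.strip() != cmd[3:]]
            else:
                lines.append(cmd)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for issue in find_issues(SAMPLE_CONFIG):
        print(issue["problem"])
        for cmd in issue["fix"]:
            print("   ", cmd)
```

Run it against a `show running-config` dump saved to a file before swapping interfaces; the remediation it prints for the sample is exactly the four lines Federico posted plus the removal of the nat (Outside) statement. It is a text check only: it does not know about multiple contexts, VRF-like setups or the post-8.3 object NAT syntax.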
04-27-2010 07:35 AM
I was able to change the interfaces (inside to outside and outside to inside) and the IP addresses and save the config. I also switched the cables. I was able to ping all the internal servers. However, I am not able to get on the internet. I used to be able to SSH to the outside interface of the ASA. I can no longer get to the outside interface of the ASA. Is there something else that I need to do? Thanks.
04-27-2010 11:36 AM
After changing the inside to outside interface and outside to inside interface and the IP addresses, everything that is "inside" is changed to "outside" and the "outside" is changed to "inside" by themselves. Then, I changed everything back. Still, I cannot get on the internet. I still cannot log in through the VPN client either from any groups. When I connect through the VPN client, I get the error message "Secure VPN client terminated locally by the client. Reason: 412: The remote peer is no longer responding". However, I can ping all internal servers. Everything was working until I changed the interfaces. Attached is the config. Thanks.
04-27-2010 01:33 PM
I apologize for my error. For some reason, I am now able to get on the internet. I guess it takes a while for the servers to recognize the changes. I am sorry for the trouble that you went through. However, I am still unable to log in to the VPN client. I still get the 412 error message. I created a new group and still got the same error. Do you have any suggestions? Thanks.
04-27-2010 01:37 PM
To which VPN group are you connected?
To easily resolve the issue, please post the output of:
sh cry isa sa
sh cry ips sa
When attempting to establish the tunnel from the VPN client.
Federico.
04-27-2010 01:56 PM
I tried all the groups. When I typed "sh cry isa sa", I got the message "There are no isakmp sas". When I typed "sh cry ips sa", I got the message "There are no ipsec sas". Thanks.
04-27-2010 02:16 PM
Thanks Federico. You solved my problems again!!! Those commands fixed the VPN authentication. Thank you very much for your time.
Laura
04-27-2010 02:19 PM
May I ask you another question? Does the NAT order make any difference? Would you put the NAT (inside) first, before NAT (Outside)?
nat (Outside) 1 192.168.101.0 255.255.255.0
nat (Inside) 0 access-list nonat
nat (Inside) 1 0.0.0.0 0.0.0.0
Thanks.
Laura
04-27-2010 02:34 PM
The order does not matter. What matters is the identifier, for example NAT 1, NAT 2, etc.
Actually, why do you have a nat (outside) command?
This is normally used if you want to give Internet access to your VPN clients, is that the case?
Federico.
04-27-2010 02:53 PM
I want the VPN users to have access to the internet while logging in to VPN client. That is why NAT (outside) was setup. Since I setup Split-tunneling, the internet access does not go through my system while users are logging in to VPN client. Let me know if you would set it up differently. Thanks.