Cisco ASA 5505 NAT/Routing Question with Anyconnect Clients

Chris Whiteley
Level 1

Hello All,

I have a Cisco ASA 5550 that I have all my static routes set up on and everything seems to work just fine. The issue I am having is with NAT and my Anyconnect VPN clients needing a NAT statement in order to go from an Internal Pool address into my network. The minute I take the NAT statement out, even though I have given them access to the network, communication stops.

Here is what I have:

Client IP Pool: 192.168.209.0/24

Inside Network: 10.0.0.0/18

I have set up an access list saying access-list VPN_Access extended permit ip 192.168.209.0/24 10.0.0.0/18.
I have also set up a split-tunnel to have access to the network (10.0.0.0/18).

Am I doing something incorrectly? Is it because it has nowhere to route? I didn't add a static route for these addresses unless it was from the inside going out.

Hopefully this wasn't too confusing.

Thanks,


Philip D'Ath
VIP Alumni

More than likely, it is a NAT statement saying "not to do NAT" that you need.

When I remove the NAT statement saying to go from my internal to the VPN IP Pool, I get no more connectivity. I add it back and it works again. 

I don't understand your problem.  You need the NAT statement.  It is working.

I guess my biggest question is, why do I need it? Can I set a route on my L3 switch so that the traffic knows where to go? It is just a different IP address space as far as anything is concerned. It is tunneled into my whole network. I guess I just don't understand why a NAT statement.

Do you have any ideas on this?
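As an added example (not from any poster in this thread), this is what the "do not NAT" rule from the reply looks like in ASA 8.3+ syntax, using the pool and inside network from the question. The object names, interface names (inside/outside), the group-policy name and the dynamic PAT rule are assumptions; the point is that the VPN pool is reached through the outside interface, so any existing inside-to-outside translation also catches replies to VPN clients unless an identity rule exempts them first.

```cisco
! Added example, not the thread's own configuration. Names are assumptions.
! Addresses are the ones given in the question.
object network INSIDE_NET
 subnet 10.0.0.0 255.255.192.0
object network VPN_POOL
 subnet 192.168.209.0 255.255.255.0
!
! Assumed existing rule: traffic leaving "inside" is PAT'd to the outside
! interface address. VPN clients are reached via "outside", so without an
! exemption the replies to 192.168.209.0/24 get translated as well and the
! return path breaks. This is why removing the NAT statement kills traffic.
object network INSIDE_NET
 nat (inside,outside) dynamic interface
!
! The "not to do NAT" rule: twice (manual) NAT translating each side to itself.
! Manual NAT is evaluated before object NAT, so it wins over the PAT rule.
!   no-proxy-arp  - do not answer ARP for the pool on the inside interface
!   route-lookup  - pick the egress interface from the routing table,
!                   not from the interface pair in the NAT rule
nat (inside,outside) source static INSIDE_NET INSIDE_NET destination static VPN_POOL VPN_POOL no-proxy-arp route-lookup
!
! Least privilege on the VPN side: the thread's ACL applied as a vpn-filter,
! so clients can only reach 10.0.0.0/18 (group-policy name assumed).
access-list VPN_Access extended permit ip 192.168.209.0 255.255.255.0 10.0.0.0 255.255.192.0
group-policy ANYCONNECT_GP attributes
 vpn-filter value VPN_Access
!
! Check: trace an inside host replying to a VPN client. The NAT phase should
! show the identity rule above, not the dynamic PAT rule (addresses assumed).
! packet-tracer input inside icmp 10.0.0.10 8 0 192.168.209.10
```

Because the ASA keeps the rule order it is shown with `show nat`, confirm the identity rule appears in section 1 and records hits (`show nat detail`) once VPN clients start sending traffic.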