11-10-2010 11:27 PM
Hey everyone,
I've created 3 different tunnel-groups for remote access VPN, each being assigned addresses out of a different pool that doesn't coincide with an existing internal network. The problem I'm running into is that while the VPN clients for members of each pool are being assigned IP addresses, DNS, domain, etc. and I can see the split tunnel rules being applied at the client...no traffic is going anywhere. Clients get connected successfully, get issued an IP address, but cannot access any of the internal network that they are supposed to. Also I'm running 8.3 code...which has been *fun* to configure.
I've done the following:
defined the tunnel-groups with all associated parameters.
defined the proper group-policies
defined my split tunnel ACLs
I've also gone so far in my troubleshooting to create sub-interfaces for each new LAN with associated vlan (and added the proper vlan tags to the group-policies). Also have played with defining NAT statements from that sub-interface to an internal int.
I'm clearly missing something...it seems like traffic isn't being NAT'd properly or isn't routing.
I can post config snippets if desired.
Thanks,
Sean
11-11-2010 12:15 AM
Sounds like it could be a NAT exemption issue.
Have you configured the NAT exemption yet?
If you haven't, here is how it should look:
object network obj-internal-networks
subnet
object network obj-vpn-pool
subnet
nat (inside,outside) source static obj-internal-networks obj-internal-networks destination static obj-vpn-pool obj-vpn-pool
Hope that helps.
11-11-2010 09:29 AM
So with this NAT I have only a single internal subnet that I'm NAT'ing to from my vpn pool. Once that NAT happens, how do I allow access to additional subnets? Will the ACLs take over from there?
Thanks for the help,
Sean
11-11-2010 06:06 PM
No, with this new version of NAT (from ASA version 8.3 onwards), there is no more ACL associated with NAT statements.
Unfortunately, you would need to configure each internal subnet as follows:
object network obj-internal-networks-2
subnet
nat (inside,outside) source static obj-internal-networks-2 obj-internal-networks-2 destination static obj-vpn-pool obj-vpn-pool
object network obj-internal-networks-3
subnet
nat (inside,outside) source static obj-internal-networks-3 obj-internal-networks-3 destination static obj-vpn-pool obj-vpn-pool
12-20-2010 10:03 AM
Sorry for taking so long to come back to this. It was definitely a NAT issue. There were 2 problems...the first was that I hadn't created a NAT for each interface I wanted that traffic to traverse. The second problem (and this was a KILLER) was the order of my NAT statements. If the relevant NATs are not at the TOP of the list, then they don't get properly applied. So NAT precedence is definitely order of entry.
Have to say the new 8.3 code is very non-intuitive (especially with NAT). These are not the first ASAs or VPN groups I've ever configured, but the new code makes me feel like it!
Thanks for the help,
Sean
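The two points the thread lands on (one identity NAT rule per internal subnet toward the VPN pool, and those rules having to sit above any translating rule) are easy to reason about with a small model. The following is an added example, not configuration from the thread or from Cisco: it models a single ordered list of ASA 8.3+ manual NAT rules evaluated top-down with first match winning, uses constructed RFC 1918 / documentation addresses and constructed object names, and ignores object (auto) NAT, interface pairs and the real ASA sections. It shows why a catch-all PAT rule placed first swallows VPN-bound traffic, audits which internal subnets still lack an exemption, and renders the exemption lines in the syntax the replies above use.

```python
# Added example: a small model of ASA 8.3+ manual (twice) NAT ordering.
# Constructed addresses and object names; assumes first-match, top-down
# evaluation of a single list of manual NAT rules (a simplification of the ASA).
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class NatRule:
    name: str            # object name used when rendering config (constructed)
    src: IPv4Network     # real source
    dst: IPv4Network     # real destination (ANY for the catch-all PAT)
    translate: bool      # True: dynamic PAT to the interface; False: identity (exempt)


# Constructed topology (assumptions, not the poster's networks).
INTERNAL_NETS = [ip_network("10.1.0.0/24"), ip_network("10.2.0.0/24"), ip_network("10.3.0.0/24")]
VPN_POOL = ip_network("172.16.99.0/24")
OUTSIDE_IP = "192.0.2.1"

PAT_TO_INTERNET = NatRule("obj-any", ANY, ANY, translate=True)
EXEMPT_1 = NatRule("obj-inside-1", INTERNAL_NETS[0], VPN_POOL, translate=False)
EXEMPT_2 = NatRule("obj-inside-2", INTERNAL_NETS[1], VPN_POOL, translate=False)

WRONG_ORDER = [PAT_TO_INTERNET, EXEMPT_1, EXEMPT_2]   # exemptions shadowed by the PAT rule
RIGHT_ORDER = [EXEMPT_1, EXEMPT_2, PAT_TO_INTERNET]   # exemptions evaluated first


def first_match(rules, src, dst):
    """First rule whose source and destination both contain the packet; None if nothing matches."""
    s, d = ip_address(src), ip_address(dst)
    for rule in rules:
        if s in rule.src and d in rule.dst:
            return rule
    return None


def translated_source(rules, src, dst, interface_ip):
    """Source address the packet carries after NAT; identity rules (and no match) keep it unchanged."""
    rule = first_match(rules, src, dst)
    if rule is None or not rule.translate:
        return src
    return interface_ip


def unexempted(rules, internal_nets, vpn_pool):
    """Internal subnets whose traffic toward the VPN pool would still be translated.

    Each returned subnet either has no identity rule of its own or has one that is
    shadowed by an earlier translating rule; both break the VPN return path.
    """
    probe_dst = str(next(vpn_pool.hosts()))
    bad = []
    for net in internal_nets:
        rule = first_match(rules, str(next(net.hosts())), probe_dst)
        if rule is None or rule.translate:
            bad.append(net)
    return bad


def render_exemption(rule, pool_name="obj-vpn-pool"):
    """ASA 8.3 lines for one identity NAT rule (object names are constructed placeholders)."""
    return [
        f"object network {rule.name}",
        f" subnet {rule.src.network_address} {rule.src.netmask}",
        f"nat (inside,outside) source static {rule.name} {rule.name} "
        f"destination static {pool_name} {pool_name}",
    ]


if __name__ == "__main__":
    pkt = ("10.1.0.10", "172.16.99.5")
    print("PAT first   :", translated_source(WRONG_ORDER, *pkt, OUTSIDE_IP))  # 192.0.2.1
    print("exempt first:", translated_source(RIGHT_ORDER, *pkt, OUTSIDE_IP))  # 10.1.0.10
    print("still translated toward pool:",
          [str(n) for n in unexempted(RIGHT_ORDER, INTERNAL_NETS, VPN_POOL)])  # ['10.3.0.0/24']
    for rule in (EXEMPT_1, EXEMPT_2):
        print("\n".join(render_exemption(rule)))
```

With the PAT rule first, a server reply from 10.1.0.10 to a VPN client is rewritten to the outside interface address and never makes it back through the tunnel, which matches the "connected but nothing passes" symptom at the top of the thread. With the exemptions first the reply keeps its real source, and `unexempted` still flags 10.3.0.0/24 because no rule covers it, which is the "one rule per internal subnet" point from the accepted answer.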