cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
987
Views
0
Helpful
4
Replies

Cisco ASA5510 vpn groups 8.3

pondersean
Level 1
Level 1

Hey everyone,

  I've created 3 different tunnel-groups for remote access VPN, each being assigned addresses out of a different pool that doesn't coincide with an existing internal network.  The problem I'm running into is that while the VPN client for members of each pool are being assigned IP addresses, DNS, domain, etc and I can see the split tunnel rules being applied at the client...no traffic is going anywhere.  Clients get connected successfully, get issued an IP address, but cannot access any of the internal network that they are supposed to.  Also I'm running 8.3 code...which has bee *fun* to configure.

I've done the following:

defined the tunnel-groups with all associated parameters.

defined the proper group-policies

defined my split tunnel ACLs

I've also gone so far in my troubleshooting to create sub-interfaces for each new LAN with associated vlan (and added the proper vlan tags to the group-policies).  Also have played with defining NAT statements from that sub-interface to an internal int.

I'm clearly missing something...it seems like traffic isn't being NAT'd properly or isn't routing.

I can post config snippets if desired.

Thanks,

Sean

1 Accepted Solution

Accepted Solutions

No, with this new version of NAT (from ASA version 8.3 onwards), there is no more ACL assosiated with NAT statements.

Unfortunately, you would need to configure each internal subnets as follows:

object network obj-internal-networks-2

     subnet


nat (inside,outside) source static obj-internal-networks-2 obj-internal-networks-2 destination static obj-vpn-pool obj-vpn-pool

object network obj-internal-networks-3

     subnet


nat (inside,outside) source static obj-internal-networks-3 obj-internal-networks-3 destination static obj-vpn-pool obj-vpn-pool

View solution in original post

4 Replies 4

Jennifer Halim
Cisco Employee
Cisco Employee

Sounds like it could be a NAT exemption issue.

Have you configured the NAT exemption yet?

If you haven't, here is the how it should look like:

object network obj-internal-networks

     subnet


object network obj-vpn-pool

     subnet


nat (inside,outside) source static obj-internal-networks obj-internal-networks destination static obj-vpn-pool obj-vpn-pool

Hope that helps.

So with this NAT I have only a single internal subnet that I'm NAT'ing to from my vpn pool.  Once that NAT happens, how do I allow access to additional subnets?  Will the ACLs take over from there?

Thanks for the help,

Sean

No, with this new version of NAT (from ASA version 8.3 onwards), there is no more ACL assosiated with NAT statements.

Unfortunately, you would need to configure each internal subnets as follows:

object network obj-internal-networks-2

     subnet


nat (inside,outside) source static obj-internal-networks-2 obj-internal-networks-2 destination static obj-vpn-pool obj-vpn-pool

object network obj-internal-networks-3

     subnet


nat (inside,outside) source static obj-internal-networks-3 obj-internal-networks-3 destination static obj-vpn-pool obj-vpn-pool

Sorry for taking so long to come back to this.  It was definitely a NAT issue.  There were 2 problems...first was I hadn't created a NAT for each interface I wanted that traffic to traverse.  The second problem (and this was a KILLER) was the order of my NAT statements.  if the relevant NATs are not at the TOP of the list, then they don't get properly applied.  So NAT precedence is definitely order of entry.

Have to say the new 8.3 code is very non-intuitive (especially with NAT).  These are not the first ASAs or VPN groups I've ever configured, but the new code makes me feel like it!

Thanks for the help,

Sean