08-13-2014 11:06 AM - edited 02-21-2020 07:46 PM
Hi,
I have an ASA 5515-X with 9.1 version.
I have created 5 sub-interfaces on 0/1, each with its own subnet; the firewall is the gateway for my users.
0/0 - outside - WAN
0/1.1 - inside16 - 172.16.16.1/23
0/1.2 - inside30 - 172.16.30.1/24
0/1.3 - inside33 - 172.16.33.1/24
0/1.4 - inside40 - 172.16.40.1/24
0/1.5 - inside128 - 172.16.128.1/24
All sub-interfaces are kept with security level 100.
To permit traffic, I have used the commands below:
access-list inside33_access_in extended permit ip any any
access-list inside40_access_in extended permit ip any any
access-list inside30_access_in extended permit ip any any
access-list inside128_access_in extended permit ip any4 any4
access-list inside16_access_in extended permit ip any4 any4
access-group inside16_access_in in interface inside16
access-group inside30_access_in in interface inside30
access-group inside33_access_in in interface inside33
access-group inside40_access_in in interface inside40
access-group inside128_access_in in interface inside128
I have created an IPsec VPN on my outside interface. I'm able to connect through the VPN tunnel, but it only communicates with the 16 VLAN, not the others, even when the firewall on a 128 VLAN machine is disabled.
All the settings are the defaults from the IPsec VPN configuration wizard, and the ACLs are inherited from the firewall ACLs.
Attached is 'sh run' of ASA.
Please help.
Regards,
Ninad Thakare
08-14-2014 01:02 AM
nat (inside128,outside) source static any any destination static NETWORK_OBJ_10.10.10.0_24 NETWORK_OBJ_10.10.10.0_24 no-proxy-arp route-lookup
!
Then see if you can connect to the VPN and access anything from the 16 and 128 subnets?
08-15-2014 08:31 PM
Daniel is on the right track.
Your posted config has only exempted the one working subnet from NAT on the VPN. You need to add lines for each of the other subinterface VLANs.
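What the complete fix looks like, as an added example that is not from the original thread or its attachment: one identity (NAT-exempt) twice-NAT rule per subinterface, so VPN-pool traffic to every VLAN bypasses the dynamic PAT that is otherwise applied towards outside. The pool 10.10.10.0/24 comes from the object name in the thread; the per-VLAN object names are assumptions, as is the subnet mask for the pool. Unlike Daniel's line, which uses `source static any any`, this version scopes each rule to the real subnet, which keeps the identity rule from matching unrelated traffic.

```cisco
! --- VPN address pool (assumed /24 from the object name used in the thread) ---
object network NETWORK_OBJ_10.10.10.0_24
 subnet 10.10.10.0 255.255.255.0
!
! --- one object per subinterface VLAN (names are assumptions) ---
object network NET_INSIDE16
 subnet 172.16.16.0 255.255.254.0
object network NET_INSIDE30
 subnet 172.16.30.0 255.255.255.0
object network NET_INSIDE33
 subnet 172.16.33.0 255.255.255.0
object network NET_INSIDE40
 subnet 172.16.40.0 255.255.255.0
object network NET_INSIDE128
 subnet 172.16.128.0 255.255.255.0
!
! --- NAT exemption: identity twice-NAT, one per VLAN, evaluated before object NAT ---
! "no-proxy-arp" stops the ASA answering ARP for the mapped (identical) addresses;
! "route-lookup" makes the egress interface come from the routing table, not the rule.
nat (inside16,outside)  source static NET_INSIDE16  NET_INSIDE16  destination static NETWORK_OBJ_10.10.10.0_24 NETWORK_OBJ_10.10.10.0_24 no-proxy-arp route-lookup
nat (inside30,outside)  source static NET_INSIDE30  NET_INSIDE30  destination static NETWORK_OBJ_10.10.10.0_24 NETWORK_OBJ_10.10.10.0_24 no-proxy-arp route-lookup
nat (inside33,outside)  source static NET_INSIDE33  NET_INSIDE33  destination static NETWORK_OBJ_10.10.10.0_24 NETWORK_OBJ_10.10.10.0_24 no-proxy-arp route-lookup
nat (inside40,outside)  source static NET_INSIDE40  NET_INSIDE40  destination static NETWORK_OBJ_10.10.10.0_24 NETWORK_OBJ_10.10.10.0_24 no-proxy-arp route-lookup
nat (inside128,outside) source static NET_INSIDE128 NET_INSIDE128 destination static NETWORK_OBJ_10.10.10.0_24 NETWORK_OBJ_10.10.10.0_24 no-proxy-arp route-lookup
!
! --- verification (run on the ASA after applying) ---
! show nat detail                      -> each identity rule should show translate_hits > 0 once a client tests it
! packet-tracer input inside30 icmp 172.16.30.10 8 0 10.10.10.5
!                                      -> the NAT phase should match the inside30 identity rule, not the dynamic PAT
```

The symptom in the thread (only the VLAN that has an exemption is reachable) is exactly what `show nat detail` exposes: the VLANs without a rule fall through to the section 2/3 dynamic PAT towards outside, so their return traffic never enters the tunnel. The `packet-tracer` line uses a constructed host address on inside30 and a constructed pool address; substitute real ones when testing.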
08-17-2014 09:32 PM
Hi Marvin,
Yes, it worked. I missed those statements, but I still have an issue: my VPN users are not able to access the Internet even though the NIC adapter shows Internet access.
And my firewall loses all (LAN & WAN) connectivity after 3-4 hrs. I need to plug it out and plug it in, then it starts again and fails again after some time.
Brgds,
Ninad
08-21-2014 06:13 AM
For your non-split-tunnel remote access VPN users to get internet via the ASA as VPN gateway, you need to make sure the VPN address pool is included in a nat(outside,outside) statement.
Your loss of connectivity would need some further testing and log message analysis to ascertain the root cause. For instance, can you ping your default gateway from the ASA itself when this happens?
08-21-2014 10:20 PM
Sorry.. which nat(outside,outside) statement...?
08-31-2014 09:41 PM
You need a new nat(outside,outside) statement to make the remote access VPN user traffic properly NATted.
08-31-2014 10:16 PM
So it will work as :
!
object network NETWORK_OBJ_10.10.10.0_24
nat (outside,outside) dynamic interface
!
09-01-2014 09:49 AM
Yes, that's correct.
Jouni explained it in a bit more detail in this post.
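The hairpin configuration for non-split-tunnel clients, as an added example that is not from the original thread: traffic from the VPN pool arrives on outside and must leave on outside again, which the ASA blocks by default; `same-security-traffic permit intra-interface` allows it, and the `nat (outside,outside)` object rule PATs the pool behind the outside interface address. The pool /24 is assumed from the object name, and the IPsec wizard may already have added the `same-security-traffic` line.

```cisco
! --- allow a packet to enter and leave the same interface (u-turn / hairpin) ---
! Without this, pool-to-Internet traffic is dropped before NAT is even consulted.
same-security-traffic permit intra-interface
!
! --- PAT the VPN pool behind the outside interface address ---
! Object NAT (section 2); the identity rules for the internal VLANs are twice NAT
! (section 1), so VPN-to-LAN traffic still matches those first and is not PATed.
object network NETWORK_OBJ_10.10.10.0_24
 subnet 10.10.10.0 255.255.255.0
 nat (outside,outside) dynamic interface
!
! --- verification (run on the ASA) ---
! show running-config same-security-traffic
! show nat | include outside,outside
! packet-tracer input outside tcp 10.10.10.5 40000 203.0.113.10 443
!   -> expect the NAT phase to show the (outside,outside) dynamic rule and the result "ALLOW";
!      10.10.10.5 is a constructed pool address and 203.0.113.10 a documentation-range test address
```

Because the pool is now translated to the outside interface address, Internet return traffic comes back to that address and is untranslated into the tunnel; the identity rules from the NAT-exemption fix keep LAN-bound flows out of this PAT rule, so the two changes do not interfere.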
08-22-2014 10:36 PM
Do I need to use VPN pool from inside subnet so that it will be considered in :
nat (inside,outside) statement
08-20-2014 08:24 PM
Hi,
My IPsec tunnel is up and able to connect to all networks. But the VPN client is not able to get Internet. They are not able to access the Internet.
Note : I have not configured split tunneling.
Please help.
Brgrds,
Ninad Thakare