Nat 0 with 9.x code: anyconnect needs access to Ipsec tunnel

tryingtofixit, Level 1

Can you still do NAT 0 to give AnyConnect clients direct access to IPsec tunnels that originate on the ASA?

I have AnyConnect clients on the outside interface, trying to get to tunnels that are also on the outside interface.

nat (outside) 0 access-list outside_nat0
nat (outside) 10.250.250.0 255.255.254.0

access-list outside_nat0 extended permit ip 10.249.248.0 255.255.254.0 172.23.17.0 255.255.255.0

Can I use an ASA object group that contains IP ranges for my endpoint networks?

access-list outside_nat0 extended permit ip 10.249.248.0 255.255.254.0  Ext-Ipsec-SubNets

Or do I have to list all of them (20) line by line in the ACL?
4 Replies

tryingtofixit, Level 1

I guess the better question is: how do I, in ASA 9.x code, allow the AnyConnect clients on the outside interface direct access to the IPsec site-to-site tunnels on the same outside interface?

This NAT syntax is not for ASA 9.0; it is for 8.0. Are you sure it is 9.0?

MHM

Running 9.1.x.x ASA code, wanting to do a NAT 0 to allow AnyConnect on the outside interface to connect to IPsec site-to-site tunnels on the same outside interface.
I agree with @MHM Cisco World, the NAT commands you shared would not be supported on the ASA 9.x code. If you want to allow AnyConnect traffic to be sent out of the outside interface, then you would need to create a couple of network objects, one for the remote destination subnet and one for the AnyConnect subnet, and then you would need to create a NAT exemption rule on the ASA. The AnyConnect subnet would also need to be added to the encryption domain for that IPsec tunnel. Example:

! Remote site-to-site encryption domain
object network REMOTE
   subnet 192.168.1.0 255.255.255.0
! AnyConnect client address pool
object network ANYCONNECT
   subnet 172.16.1.0 255.255.255.0
! Identity (twice) NAT, outside to outside: the 9.x form of NAT exemption
nat (outside,outside) source static ANYCONNECT ANYCONNECT destination static REMOTE REMOTE
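As an added worked example (not the replier's own configuration, and not from the original poster), the following ASA 9.x configuration carries the reply's approach through to the original question of many remote subnets held in an object-group. It also includes the pieces a practitioner needs around the NAT rule: the intra-interface permit that lets a flow enter and leave the same outside interface, the crypto ACLs that put the AnyConnect pool into each tunnel's encryption domain, and a packet-tracer check. The 10.249.248.0/23 pool, the 172.23.17.0/24 network and the group name Ext-Ipsec-SubNets come from the question; SITE-A, SITE-B, 172.23.18.0/24, the pool, ACL and crypto map names are assumed.

```cisco
! Hairpin (U-turn): allow traffic that arrives on outside to leave through outside again
same-security-traffic permit intra-interface
!
! AnyConnect client pool (assumed pool name; the /23 is from the question)
ip local pool ANYCONNECT-POOL 10.249.248.1-10.249.249.254 mask 255.255.254.0
object network ANYCONNECT
 subnet 10.249.248.0 255.255.254.0
!
! One network object per remote encryption domain (SITE-B address is assumed),
! collected in the object-group the question asks about
object network SITE-A
 subnet 172.23.17.0 255.255.255.0
object network SITE-B
 subnet 172.23.18.0 255.255.255.0
object-group network Ext-Ipsec-SubNets
 network-object object SITE-A
 network-object object SITE-B
!
! Identity (twice) NAT on outside,outside: the 9.x replacement for "nat (outside) 0 access-list".
! A single rule covers every member of the group, so the 20 remote subnets need no per-line ACL.
! no-proxy-arp stops the ASA from answering ARP for these addresses; route-lookup makes it
! pick the egress interface from the routing table rather than from the NAT rule.
nat (outside,outside) source static ANYCONNECT ANYCONNECT destination static Ext-Ipsec-SubNets Ext-Ipsec-SubNets no-proxy-arp route-lookup
!
! Each tunnel's crypto ACL must include the AnyConnect pool as local traffic; the peer
! must mirror this in its own encryption domain or phase 2 will not come up for these flows.
! (assumed existing crypto map entries; peer and transform-set lines not shown)
access-list OUTSIDE_cryptomap_SITE-A extended permit ip object ANYCONNECT object SITE-A
access-list OUTSIDE_cryptomap_SITE-B extended permit ip object ANYCONNECT object SITE-B
crypto map OUTSIDE_map 10 match address OUTSIDE_cryptomap_SITE-A
crypto map OUTSIDE_map 20 match address OUTSIDE_cryptomap_SITE-B
!
! If the AnyConnect group policy uses split tunneling, the remote subnets must also be
! in the split-tunnel list or the client never sends them into the VPN (assumed ACL name)
access-list SPLIT_TUNNEL standard permit 172.23.17.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 172.23.18.0 255.255.255.0
!
! Verification: trace a constructed flow from a client in the pool to a host at SITE-A;
! the output should show the identity NAT rule above and a VPN encrypt action on outside
packet-tracer input outside tcp 10.249.248.10 12345 172.23.17.20 445
```

After applying the configuration, `show nat` should list the outside,outside identity rule with hit counts that increase as clients reach the remote sites, and `show crypto ipsec sa peer <peer-address>` should show a security association whose local identity is the AnyConnect pool. If packet-tracer ends with a NAT or ACL drop, the usual cause is a second, earlier manual NAT rule for the outside interface matching first; manual NAT rules are evaluated in order, so placing this rule near the top of section 1 avoids that.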