Nat 0 with 9.x code: anyconnect needs access to Ipsec tunnel

tryingtofixit · ‎04-29-2024

can you still do Nat 0 to get anyconnect clients direct access to IPsec tunnels that originate on the ASA

Got Anyconnect clients on the outside interface, trying to get to tunnels also on the outside interface

nat (outside) 0 access-list outside_nat0
nat (outside) 10.250.250.0 255.255.254.0

access-list outside_nat0 extended permit ip 10.249.248.0 255.255.254.0 172.23.17.0 255.255.255.0

Can I use a asa object group that contains IP ranges for my endpoint networks?

access-list outside_nat0 extended permit ip 10.249.248.0 255.255.254.0 Ext-Ipsec-SubNets

or do I have to list of them (20) line by line in the acl?

tryingtofixit · ‎04-29-2024

guess the better question is how do I in asa 9.x code allow the anyconnect clients on the outside interface direct access to the ipsec site-2-site tunnels on the same outside interface.

MHM Cisco World · ‎04-29-2024

This nat not for asa 9.0 it for 8.0' are you sure it 9.0?

MHM

tryingtofixit · ‎04-29-2024

running 9.1.x.x asa code wanting to do a nat 0 to allow anyconnect on outside interface to connect Ipsec site-to-site tunnels on the same outside interface.

Aref Alsouqi · ‎04-30-2024

I agree with @MHM Cisco World, the NAT commands you shared would not be supported on the ASA 9.x code. If you want to allow AnyConnect traffic to be sent out of the outside interface then you would need to create couple of network objects, one for the remote destination subnet and one for AnyConnect subnet, and then you would need to create a NAT exemption rule on the ASA. The AnyConnect subnet would also need to be added to the encryption domains for that IPsec tunnel. Example:

object network REMOTE
subnet 192.168.1.0 255.255.255.0
object network ANYCONNECT
subnet 172.16.1.0 255.255.255.0
nat (outside,outside) source static ANYCONNECT ANYCONNECT destination static REMOTE REMOTE