NAT exempt for vpn pool in ASDM

Dennis Newman
Level 1

I've been reading everything I can find, and I think I understand what is asked of me, but I'm not sure exactly how to do it within ASDM.

I have used the "wizard" to set up the AnyConnect VPN and think that's all fine.

But the wizard reminded me that I needed to add a NAT exempt rule. OK, so the wizard isn't such a wiz after all and can't set everything up.

My VPN pool is 10.10.35.1 through 50.

My internal networks are 10.10.30.0/24 and 10.10.10.0/24.

Do I need 2 NAT exempt rules to allow Windows Remote Desktop to the internal machines via AnyConnect?

And if so, how do I do that in ASDM? (I'm totally clueless about using the CLI, and if that would work better, I would like a step by step.)

Thanks

Dennis

8 Replies

Jouni Forss
VIP Alumni

Hi,

Most of the configuration situations and problem situations here are gone through in CLI format, as the ASDM side is simply tedious to go through.

Furthermore, the problem in my case is the fact that I don't use ASDM for any ACL or NAT configurations. I might use it for VPN related settings, but that's about it.

First thing we would need to know is your ASA software level so we know what the NAT configuration format will be.

Depending on that software level we would then need some output of the current configurations on the device to determine the correct configuration for your situation.

We would also need to know the interface names of your firewall. Are they the default "inside" and "outside" or have you configured something else?

You can actually use the CLI from the ASDM too.

You can go to Tools -> Command Line Interface and use the ASDM to insert the configurations or take different "show" command outputs.

- Jouni

ASA version 8.2(5)

running on a 5505

Configuration attached - Yes I kept the default interface names

Hi,

You can insert the following configuration to configure the NAT0 / NAT Exempt required:

access-list INSIDE-NAT0 remark NAT0 for VPN
access-list INSIDE-NAT0 permit ip 10.10.30.0 255.255.255.0 10.10.35.0 255.255.255.0
access-list INSIDE-NAT0 permit ip 10.10.10.0 255.255.255.0 10.10.35.0 255.255.255.0
nat (inside) 0 access-list INSIDE-NAT0

You can either use the CLI directly or you can use the ASDM -> Tools -> Command Line Interface. You might need to choose the "Multiple Lines" option before inserting the commands to be sent to the ASA.

Hope this helps

- Jouni

Thank You - That makes two problems that you have helped me through - Much appreciated!!

Dennis

Sorry to add to this, but after reading other posts, if I want to allow the VPN users to connect to the Internet while VPN'ing into the network, I think I need to add:

same-security-traffic permit intra-interface

and

nat (outside) 1 10.01.35.0 255.255.255.0

would that be correct?

Dennis

Hi,

There is a small typo there, and the "nat" command should use the ID 101, like your Dynamic PAT configuration at the moment.

So use

nat (outside) 101 10.10.35.0 255.255.255.0

and the one you mentioned already

same-security-traffic permit intra-interface

- Jouni

Well, I think I may have screwed something up by attempting to follow several different instruction threads to allow vpn users to access the internet.

I'm getting connected to the network just fine - it even allows the Novell network login to access my NetWare servers via the VPN, which is what > I < want to be able to do, but my users will gripe if they can't use the Internet while logged into the VPN.

I'm being assigned IP 10.10.35.1 with a gateway of 10.10.35.2 - but not seeing any DNS servers in my network status report - not sure if that's what the issue is.

If you could please take a look at my new config and see if something jumps out at you, I would appreciate it.

Thanks

Hi,

Which "username" are you logging in with?

username vpntest
username vpntest attributes
 vpn-group-policy VPN

username DNewman
username DNewman attributes
 vpn-group-policy DfltGrpPolicy

One of them is using the Group Policy "VPN" and the other one the "DfltGrpPolicy", which doesn't have any DNS server configured.

You can also configure your VPN to use Split Tunnel. This would essentially mean that ONLY traffic towards the LAN networks is tunneled to the VPN and all other traffic (like Internet) goes through the user's local Internet connection.

If you want to configure Split Tunnel, then you can use these configurations:

access-list SPLIT-TUNNEL standard permit 10.10.10.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit 10.10.30.0 255.255.255.0
group-policy VPN attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL

- Jouni
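As an added check, not part of the thread and not Cisco tooling: a small Python audit that parses ASA 8.2-style `access-list`, `nat`, `global` and `split-tunnel-network-list` lines and verifies the three points raised in the replies above, namely that every LAN has a NAT0 entry towards the VPN pool, that the hairpin `nat (outside)` line uses an ID with a matching `global` and a network that actually contains the pool (which flags the 10.01.35.0 typo), and that the split-tunnel ACL lists every LAN. The sample config, the check names and the function names are constructed for this example; the pool is treated as the 10.10.35.0/24 that holds 10.10.35.1-50.

```python
import ipaddress
import re
# Constructed ASA 8.2-style sample, not Dennis' attached config. It repeats the thread's
# "10.01.35.0" typo and NAT ID 1 (the global is 101) and lists only one LAN in the
# split-tunnel ACL, so every failing check below has something concrete to flag.
SAMPLE_CONFIG = """
access-list INSIDE-NAT0 permit ip 10.10.30.0 255.255.255.0 10.10.35.0 255.255.255.0
access-list INSIDE-NAT0 permit ip 10.10.10.0 255.255.255.0 10.10.35.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit 10.10.10.0 255.255.255.0
nat (inside) 0 access-list INSIDE-NAT0
nat (outside) 1 10.01.35.0 255.255.255.0
global (outside) 101 interface
group-policy VPN attributes
 split-tunnel-network-list value SPLIT-TUNNEL
"""
POOL = ipaddress.IPv4Network("10.10.35.0/24")   # the /24 that holds pool 10.10.35.1-50
LANS = [ipaddress.IPv4Network(n) for n in ("10.10.30.0/24", "10.10.10.0/24")]

def net(addr, mask):
    """ASA 'address netmask' -> IPv4Network, or None for a malformed octet like 10.01.35.0."""
    try:
        return ipaddress.IPv4Network(f"{addr}/{mask}")
    except ValueError:
        return None

def audit(config, pool, lans):
    """Return {check_name: passed} for the NAT0, hairpin-NAT and split-tunnel pieces."""
    acl, globals_, nat_acl, out_nat, split_acl = {}, set(), None, None, None
    for line in (l.strip() for l in config.splitlines()):
        if m := re.match(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$", line):
            acl.setdefault(m[1], []).append((net(m[2], m[3]), net(m[4], m[5])))
        elif m := re.match(r"access-list (\S+) standard permit (\S+) (\S+)$", line):
            acl.setdefault(m[1], []).append((net(m[2], m[3]), None))
        elif m := re.match(r"nat \(inside\) 0 access-list (\S+)$", line):
            nat_acl = m[1]
        elif m := re.match(r"nat \(outside\) (\d+) (\S+) (\S+)$", line):
            out_nat = (int(m[1]), net(m[2], m[3]))
        elif m := re.match(r"global \(outside\) (\d+) ", line):
            globals_.add(int(m[1]))
        elif m := re.match(r"split-tunnel-network-list value (\S+)$", line):
            split_acl = m[1]
    def covers(name, lan, dst=None):   # some entry of ACL `name` matches lan (and dst, if given)
        return any(s and lan.subnet_of(s) and (dst is None or (d and dst.subnet_of(d)))
                   for s, d in acl.get(name, []))
    return {
        "nat0_covers_every_lan": bool(nat_acl) and all(covers(nat_acl, l, pool) for l in lans),
        "hairpin_nat_id_has_global": out_nat is not None and out_nat[0] in globals_,
        "hairpin_nat_contains_pool": out_nat is not None and bool(out_nat[1]) and pool.subnet_of(out_nat[1]),
        "split_tunnel_covers_every_lan": bool(split_acl) and all(covers(split_acl, l) for l in lans),
    }
```

Run against the sample, the NAT0 check passes and the other three fail; correcting the outside NAT line to `nat (outside) 101 10.10.35.0 255.255.255.0` and adding the 10.10.30.0/24 split-tunnel entry makes all four pass.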

Once again - Thank You

I was attempting to configure for vpntest, but logging on as myself.

But it looks like using the split tunnel might be a smarter way to go.

Now all I need to do is figure out how many vpn users I'm allowed (standard out of the box 50 user asa5505), and how many extra licenses I need to purchase for my users. - Amazing how when I ask which of the users "need" VPN access, they all say they do, but with our last VPN setup only about 10% actually ever logged in.

Dennis