08-30-2013 09:40 AM
I've been reading everything I can find, and I think I understand what is asked of me, but I'm not sure exactly how to do it within ASDM
I have used the "wizard" to set up the anyconnect VPN and think that's all fine.
But the wizard reminded me that I needed to add a NAT exempt rule. OK, so the wizard isn't such a wiz after all and can't set everything up.
My VPN pool is 10.10.35.1 through 50
My internal networks are 10.10.30.0/24 and 10.10.10.0/24
Do I need 2 NAT exempt rules to allow Windows Remote Desktop to the internal machines via AnyConnect?
And if so, how do I do that in ASDM? (I'm totally clueless about using the CLI, and if that would work better, I would like a step-by-step.)
Thanks
Dennis
08-30-2013 10:48 AM
Hi,
Most of the configuration situations and problem situations here are gone through in CLI format, as the ASDM side is simply tedious to go through.
Furthermore, the problem in my case is the fact that I don't use ASDM for any ACL or NAT configurations. I might use it for VPN-related settings, but that's about it.
First thing we would need to know is your ASA software level so we know what the NAT configuration format will be.
Depending on that software level we would then need some output of the current configurations on the device to determine the correct configuration for your situation.
We would also need to know the interface names of your firewall. Are they the default "inside" and "outside" or have you configured something else?
You can actually use the CLI from the ASDM too.
You can go to Tools -> Command Line Interface and use the ASDM to insert the configurations or take different "show" command outputs.
- Jouni
08-30-2013 11:05 AM
Hi,
You can insert the following configuration to configure the NAT0 / NAT Exempt required:
access-list INSIDE-NAT0 remark NAT0 for VPN
access-list INSIDE-NAT0 permit ip 10.10.30.0 255.255.255.0 10.10.35.0 255.255.255.0
access-list INSIDE-NAT0 permit ip 10.10.10.0 255.255.255.0 10.10.35.0 255.255.255.0
nat (inside) 0 access-list INSIDE-NAT0
You can either use the CLI directly or you can use the ASDM -> Tools -> Command Line Interface. You might need to choose the "Multiple Lines" option before inserting the commands to be sent to the ASA.
Hope this helps
- Jouni
08-30-2013 05:31 PM
Thank You - That makes two problems that you have helped me through - Much appreciated!!
Dennis
Sorry to add to this, but after reading other posts, if I want to allow the VPN users to connect to the internet while VPN'ing into the network, I think I need to add
same-security-traffic permit intra-interface
and
nat (outside) 1 10.01.35.0 255.255.255.0
would that be correct?
Dennis
08-30-2013 10:09 PM
Hi,
There is a small typo there, and the "nat" command should use the ID 101 like your Dynamic PAT configuration at the moment.
So use
nat (outside) 101 10.10.35.0 255.255.255.0
and the one you mentioned already
same-security-traffic permit intra-interface
- Jouni
08-30-2013 11:03 PM
Well, I think I may have screwed something up by attempting to follow several different instruction threads to allow vpn users to access the internet.
I'm getting connected to the network just fine - it even allows the Novell network login to access my NetWare servers via the VPN, which is what > I < want to be able to do, but my users will gripe if they can't use the internet while logged into the VPN.
I'm being assigned IP 10.10.35.1 with a gateway of 10.10.35.2 - but not seeing any DNS servers in my network status report - not sure if that's what the issue is.
If you could please take a look at my new config and see if something jumps out at you, I would appreciate it.
Thanks
08-30-2013 11:12 PM
Hi,
Which "username" are you logging in with?
username vpntest
username vpntest attributes
vpn-group-policy VPN
username DNewman
username DNewman attributes
vpn-group-policy DfltGrpPolicy
One of them is using the Group Policy "VPN" and the other the "DfltGrpPolicy", which doesn't have any DNS server configured.
You can also configure your VPN to use Split Tunnel. This would essentially mean that ONLY traffic towards the LAN networks is tunneled to the VPN and all other traffic (like Internet) goes through the user's local Internet connection.
If you want to configure Split Tunnel then you can use these configurations:
access-list SPLIT-TUNNEL standard permit 10.10.10.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit 10.10.30.0 255.255.255.0
group-policy VPN attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT-TUNNEL
- Jouni
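An added example (my own script, not code from the thread or from Cisco) that builds the three pieces of configuration discussed above from the pool and LAN definitions in the question: the ASA 8.2-style NAT exempt, the hairpin "nat (outside)" line for full-tunnel Internet access, and the split-tunnel alternative. It also checks for the typo the thread hit (a "nat (outside)" subnet that is not the VPN pool) and, as an extra check the thread does not discuss, a pool that overlaps an internal network. The pool, LANs and PAT id 101 are taken from the posts; the ACL and group-policy names match Jouni's replies.

```python
import ipaddress

# Constructed from the thread: pool 10.10.35.1-50, LANs 10.10.30.0/24 and
# 10.10.10.0/24, and the dynamic PAT id 101 that Jouni's reply refers to.
VPN_POOL = ("10.10.35.1", "10.10.35.50")
LAN_NETS = ["10.10.30.0/24", "10.10.10.0/24"]
PAT_ID = 101

def pool_subnet(first, last, prefix=24):
    """Enclosing subnet of the pool range; the reply NAT-exempted the whole /24."""
    a, b = ipaddress.ip_address(first), ipaddress.ip_address(last)
    net = ipaddress.ip_network(f"{a}/{prefix}", strict=False)
    if b not in net:
        raise ValueError(f"pool {first}-{last} does not fit in one /{prefix}")
    return net

def pool_overlaps(pool, lans):
    """LANs the pool collides with (extra check, not from the thread): an
    overlapping pool breaks both the NAT exempt rule and routing on that LAN."""
    return [str(l) for l in map(ipaddress.ip_network, lans) if pool.overlaps(l)]

def nat0_lines(pool, lans, acl="INSIDE-NAT0"):
    """ASA 8.2-style NAT exempt: one ACE per LAN towards the VPN pool."""
    lines = [f"access-list {acl} remark NAT0 for VPN"]
    for lan in map(ipaddress.ip_network, lans):
        lines.append(f"access-list {acl} permit ip {lan.network_address} {lan.netmask} "
                     f"{pool.network_address} {pool.netmask}")
    return lines + [f"nat (inside) 0 access-list {acl}"]

def hairpin_lines(pool, pat_id):
    """Full-tunnel Internet access: hairpin the pool back out through the outside PAT."""
    return ["same-security-traffic permit intra-interface",
            f"nat (outside) {pat_id} {pool.network_address} {pool.netmask}"]

def split_tunnel_lines(lans, acl="SPLIT-TUNNEL", policy="VPN"):
    """Alternative to hairpinning: only traffic to the listed LANs enters the tunnel."""
    lines = [f"access-list {acl} standard permit {l.network_address} {l.netmask}"
             for l in map(ipaddress.ip_network, lans)]
    return lines + [f"group-policy {policy} attributes",
                    "split-tunnel-policy tunnelspecified",
                    f"split-tunnel-network-list value {acl}"]

def nat_outside_matches_pool(line, pool):
    """Catch the mistake from the thread (10.01.35.0 typed for 10.10.35.0): the
    subnet in 'nat (outside) <id> <net> <mask>' must be exactly the VPN pool."""
    parts = line.split()
    try:
        return ipaddress.ip_network(f"{parts[3]}/{parts[4]}", strict=False) == pool
    except (IndexError, ValueError):  # short line, or an address with leading zeros
        return False
```

Paste the returned lines into ASDM -> Tools -> Command Line Interface with the "Multiple Lines" option, as the replies describe.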
08-31-2013 08:22 AM
Once again - thank you.
I was attempting to configure for vpntest, but logging on as myself.
But it looks like using the split tunnel might be a smarter way to go.
Now all I need to do is figure out how many VPN users I'm allowed (standard out-of-the-box 50-user ASA 5505), and how many extra licenses I need to purchase for my users. Amazing how, when I ask which of the users "need" VPN access, they all say they do, but with our last VPN setup only about 10% actually ever logged in.
Dennis