10-02-2019 10:27 AM
Hi All,
I set up AnyConnect client VPN using the command "sysopt connection permit-vpn", which basically bypasses the interface access list for inbound VPN sessions.
As per my knowledge and some documentation on the Cisco Community or in the Cisco configuration guide, we need to use a NAT exempt from inside to the VPN pool subnet, like "nat (inside,outside) source static inside inside destination static vpnpool vpnpool".
But in my case I'm able to access the entire inside network without doing the above no-NAT. Is it possible for AnyConnect client VPN users to access the internal network without using the above NAT commands, or am I going down the wrong path?
Attaching my ASA configuration.
Please help.
10-02-2019 10:25 PM
Hi Rji
Your solution is good and makes sense too. Now I have created a NAT rule stating "nat (DMZ,outside) source dynamic DMZ-NETWORK interface destination outside". But I'm still able to access the internal network without any NAT exempt statement like "nat (inside,outside) source static inside inside destination static vpnpool vpnpool".
Can you please guide me: if I want only the internal network hosts in the exempt statement to be accessible to VPN users, it would be a great help.
Attaching ASA PuTTY log.
10-05-2019 10:03 AM
Yes, that is expected, as you do not have any NAT statement for the inside network (192.168.1.0/24). Remember that you only need a NAT exempt rule for VPN if that traffic is already matched by another NAT rule.
These are your current NAT statements:
nat (DMZ,outside) source dynamic DMZ-NETWORK interface
nat (outside,outside) source dynamic NETWORK_OBJ_11.1.1.0_28 interface
If you added:
object network 192.168.1.0_24
subnet 192.168.1.0 255.255.255.0
nat (inside,outside) dynamic interface
you would then not be able to access the inside network without a twice NAT statement (NAT exempt).
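To show how the two rules interact once an inside PAT rule exists, here is an added configuration example (not the poster's config or the answerer's). It assumes the inside network 192.168.1.0/24 and the AnyConnect pool 11.1.1.0/28 from the thread; the object names and the application server host 192.168.1.10 are constructed placeholders.

```cisco
! Added example, not from the thread. Object names and 192.168.1.10 are placeholders.
object network INSIDE-NET
 subnet 192.168.1.0 255.255.255.0
object network VPN-POOL
 subnet 11.1.1.0 255.255.255.240
object network APP-SERVER
 host 192.168.1.10
!
! Section 2 (object NAT): PAT all inside traffic leaving via outside.
! Once this exists, VPN-to-inside traffic is also matched and fails,
! which is the situation the answer above describes.
object network INSIDE-NET
 nat (inside,outside) dynamic interface
!
! Section 1 (twice NAT) is evaluated before object NAT, so this identity
! rule wins for traffic between the exempted host and the VPN pool.
! Scoping it to APP-SERVER rather than INSIDE-NET exempts only that host,
! which is what the follow-up question asked for.
nat (inside,outside) source static APP-SERVER APP-SERVER destination static VPN-POOL VPN-POOL no-proxy-arp route-lookup
!
! Verification: compare the NAT phase of the two traces. The exempted host
! should match the identity rule; the second host should be caught by PAT.
packet-tracer input inside tcp 192.168.1.10 443 11.1.1.5 50000
packet-tracer input inside tcp 192.168.1.20 443 11.1.1.5 50000
show nat
```

The exemption decides translation only; with "sysopt connection permit-vpn" in place, restrict what VPN users may reach with a vpn-filter ACL in the group policy rather than relying on NAT behaviour.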