cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
1523
Views
0
Helpful
5
Replies
Netplace Support
Beginner

Nat in anyconnect VPN

Hi All,

 

Setup anyconnect client vpn  using command "sysopt connection permit-vpn" where it basically bypass interface access list for inbound vpn session.

 

As per my knowledge and some documentation on cisco community or cisco configuration guide we need to use exempt nat from inside to vpn pool subnet like "nat (inside,outside) source static inside inside destination static vpnpool vpnpool"

 

But in my case im able to access entire inside network without doing above no-nat. Is it possible without using above nat commads to access internal network for anyconnect client vpn users or im going on wrong path.

 

Attaching my asa configration 

 

Please help

5 REPLIES 5
Rob Ingram
VIP Mentor

You don't need a nat exempt rule if you aren't natting from inside to outside, which you aren't. Which is why it is working for you.

Hi RJI,

 

Thanks for looking at my issue. but i have also checked by natting inside interface (DMZ in my case) to outside. 

 

And still anyconnect client user are able to access Internal network without nat exempt as i mentioned in my 1st post.

 

Attaching new putty logs if its helps

Your DMZ interface is 10.1.1.0/30, you've created a NAT rule "nat (DMZ,outside) source dynamic NETWORK_OBJ_11.1.1.0_28 interface" that's the subnet of the VPN IP Pool subnet. That is incorrect VPN traffic would originate from the outside interface. You obviously aren't matching either of the existing nat rules you've defined, that's why you can access the network without a NAT exemption rule.

If that nat rule was referencing an object group containing all your dmz/internal networks, rather than the VPN IP Pool subnet then yes all outbound traffic would be natted and then you'd need a nat exemption rule.

Hi Rji

 

Your solution good and make sense also. Now i have created nat rule stating nat (DMZ,outside) source dynamic DMZ-NETWORK interface destination outside. But still im able to access internal network without any nat exepmt statement like "nat (inside,outside) source static inside inside destination static vpnpool vpnpool"

 

Can you please guide me if i want only exempt statement of internal network host would be accessible to vpn users it would be a great help.

 

Attahing asa putty log

Yes that is expected as you do not have any NAT statement for the inside network (192.168.1.0/24).  Remember that you only need a NAT exempt rule for VPN if that traffic is already matched by another NAT rule.

 

These are your current NAT statments:

nat (DMZ,outside) source dynamic DMZ-NETWORK interface
nat (outside,outside) source dynamic NETWORK_OBJ_11.1.1.0_28 interface

 

if you added:

object network 192.168.1.0_24

  subnet 192.168.1.0 255.255.255.0

  nat (inside,outside) dynamic interface

 

Now you would not be able to access the inside network without a twice nat statement (nat exempt).

--
Please remember to select a correct answer and rate helpful posts
Create
Recognize Your Peers
Content for Community-Ad