03-01-2014 12:14 AM
Hi,
Solution: remote users connect to the ASA outside interface through AnyConnect. There is no routing or NAT to the inside interface.
Problem 1: the authentication test is successful and the password is checked by the RADIUS server, but the user does not appear on the accounting console.
Problem 2: the NAT rule (outside,outside) doesn't work. Does anybody have a sample configuration matching my solution?
Source address: VPN Users
Source interface: outside
Destination address: any
Destination interface: outside
Thank You
Best Regards
03-02-2014 08:55 AM
Hi,
I am not sure what the problem is with your first point and I am not sure what you mean.
With regards to the second problem, do you mean that you are not able to perform NAT from "outside" to "outside" so that the VPN users can connect to the Internet?
A very simple Dynamic PAT configuration for VPN users could be done in the following way:
object network VPN-PAT
 subnet
 nat (outside,outside) dynamic interface
Notice that you will also need to add this command if you don't have it yet. It will enable traffic to enter through the "outside" interface and leave through the "outside" interface, which would need to happen when VPN users access the Internet through the ASA.
same-security-traffic permit intra-interface
Hope this helps
- Jouni
03-02-2014 09:12 AM
Hi,
Jouni, you are absolutely correct.
On the other hand, for the first point, make sure you add your RADIUS server as the account server under the tunnel-group:
tunnel-group your-group general-attributes
 accounting-server-group your-RADIUS-server-group
HTH.
- Javier
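The two fixes in the answers above (hairpin NAT plus `same-security-traffic permit intra-interface`, and `accounting-server-group` under the tunnel-group) can be checked offline against a saved running-config. This Python sketch is an added example, not part of the thread or of any Cisco tooling; the sample config, group names and pool subnet are constructed, and `parse_blocks` and `audit` are hypothetical helper names.

```python
import re

# Constructed sample running-config (not from the thread); names and subnet are made up.
SAMPLE_CONFIG = """\
same-security-traffic permit intra-interface
object network VPN-PAT
 subnet 10.10.10.0 255.255.255.0
 nat (outside,outside) dynamic interface
tunnel-group RA-USERS general-attributes
 authentication-server-group RADIUS-GRP
tunnel-group RA-ADMINS general-attributes
 authentication-server-group RADIUS-GRP
 accounting-server-group RADIUS-GRP
"""

def parse_blocks(config):
    """Group an ASA config into (parent line, [indented sub-commands])."""
    blocks = []
    for line in config.splitlines():
        if not line.strip() or line.lstrip().startswith("!"):
            continue
        if line[0].isspace() and blocks:
            blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks

def audit(config, iface="outside"):
    """Return findings for the two issues discussed in the thread."""
    blocks = parse_blocks(config)
    findings = []
    hairpin_nat = f"nat ({iface},{iface})"
    # Object NAT sits under an object; twice NAT is a top-level line.
    has_nat = any(p.startswith(hairpin_nat) or any(c.startswith(hairpin_nat) for c in kids)
                  for p, kids in blocks)
    has_intra = any(p == "same-security-traffic permit intra-interface" for p, _ in blocks)
    if has_nat and not has_intra:
        findings.append(f"{hairpin_nat} present but intra-interface traffic is not permitted")
    for parent, kids in blocks:
        m = re.fullmatch(r"tunnel-group (\S+) general-attributes", parent)
        auth = any(c.startswith("authentication-server-group ") for c in kids)
        acct = any(c.startswith("accounting-server-group ") for c in kids)
        if m and auth and not acct:
            findings.append(f"tunnel-group {m.group(1)}: AAA authentication without accounting")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the constructed sample, it flags only `RA-USERS`, the group that authenticates against RADIUS but sends no accounting records.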
03-05-2014 08:59 AM
Hi,
Thank you,
It's working fine
Appreciate
03-05-2014 09:02 AM
You are welcome