07-07-2016 04:17 AM
Hi,
Using an ASA 5512-X running 9.3(3). I have AnyConnect VPN configured to PAT the remote access subnet to one of the inside interfaces (due to internal routing restrictions).
For example...
Remote subnet: 192.168.10.0/24
Internal subnet: 192.168.1.0/24
Inside Interface: 192.168.1.254
All remote access clients hide behind 192.168.1.254 and this is working correctly until I add a dynamic NAT rule for outbound traffic, then I start to see 'reverse NAT path failure' errors when VPN clients try to access internal resources.
object network LAN1
subnet 192.168.1.0 255.255.255.0
nat (inside,outside) dynamic interface
Is there a way to get around this since all remote access clients are hiding behind the interface address?
Thanks for any help.
07-07-2016 05:09 AM
Hi
Could you drop the asa config (nat + access-list)
Thanks
07-07-2016 05:56 AM
Sure, below are the relevant bits. Let me know if you need anything else.
access-list ANYCONNECT_VPN_ACL_ST standard permit 192.168.1.0 255.255.255.0
object network ANYCONNECT_VPN_SUBNET
subnet 192.168.10.0 255.255.255.0
nat (outside,inside_101_infrastructure) dynamic interface
object network LAN1
subnet 192.168.1.0 255.255.255.0
nat (inside_101_infrastructure,outside) dynamic interface
07-07-2016 06:38 AM
Hi
Instead of doing NAT under the object, did you try doing it in global mode, like:
nat (inside_101_infrastructure,outside) source dynamic LAN-GROUP interface destination static ANYCONNECT_VPN_SUBNET ANYCONNECT_VPN_SUBNET
Thanks
PS: Please don't forget to rate and mark as correct answer if this solved your issue
07-07-2016 09:23 AM
Don't I need two NAT statements, one to translate VPN clients to the inside interface and the other NAT for normal outbound Internet access?
07-07-2016 10:25 AM
As it is dynamic, it will be one-way communication; I mean, communications will be started from the LAN to the AnyConnect client.
I'm sorry, I will be very quick as I'm in a meeting right now. Why do you want to map every LAN to the LAN interface itself?
07-07-2016 01:44 PM
The connection needs to be the other way, so the AnyConnect client needs to be able to reach devices on the LAN. And the AnyConnect client needs to 'hide' behind the inside interface, as the AnyConnect subnet is not internally routable.
Also, LAN clients need to be able to access the Internet.
07-07-2016 01:58 PM
Ok, then do the NAT the other way. It has to be the 1st NAT rule.
Did you try?
Did you do packet-capture?
07-07-2016 02:30 PM
Ok, it seems to work with manual NAT statements below. Although the order looked right to me before too.
1. nat (outside, inside) source dynamic ANYCONNECT_VPN_SUBNET interface
2. nat (inside, outside) source dynamic LAN1 interface
Thanks for your help.
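An added illustration (not configuration from this thread or from Cisco) of why "it has to be the 1st NAT rule" was only achievable with manual NAT: it models the documented ASA NAT evaluation order, where Section 1 (manual NAT) follows the configured order but Section 2 (object NAT) is sorted automatically by static-before-dynamic, fewest real addresses, lowest real IP, then object name. The objects and subnets are the thread's; the model covers only rule ordering, not the full ASA NAT lookup.

```python
"""Model of the documented ASA 9.x NAT rule order (added example, not Cisco code)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network


@dataclass(frozen=True)
class NatRule:
    name: str           # object name (Section 2) or label (Section 1)
    real: IPv4Network   # real (pre-translation) source addresses
    kind: str           # "static" or "dynamic"
    section: int        # 1 = manual NAT, 2 = object (auto) NAT
    position: int = 0   # configured position; only meaningful in Section 1


def ordered(rules):
    """Return the rules in the order the ASA evaluates them."""
    # Section 1: exactly the order the administrator configured.
    sec1 = sorted((r for r in rules if r.section == 1), key=lambda r: r.position)
    # Section 2: static first, then fewer real addresses, lower real IP, name.
    sec2 = sorted(
        (r for r in rules if r.section == 2),
        key=lambda r: (r.kind != "static", r.real.num_addresses,
                       int(r.real.network_address), r.name),
    )
    return sec1 + sec2


def first_match(rules, src):
    """Name of the first rule whose real network contains the source address."""
    src = IPv4Address(src)
    return next((r.name for r in ordered(rules) if src in r.real), None)


# Constructed from the thread's objects: both /24, both dynamic to "interface".
VPN = IPv4Network("192.168.10.0/24")
LAN = IPv4Network("192.168.1.0/24")

# Original object NAT: the order is derived by the ASA, not configured, and the
# lower real IP (192.168.1.0) puts LAN1 ahead of the VPN rule.
AUTO_NAT = [
    NatRule("LAN1", LAN, "dynamic", section=2),
    NatRule("ANYCONNECT_VPN_SUBNET", VPN, "dynamic", section=2),
]
# Fix from the thread: manual NAT, with the VPN rule explicitly first.
MANUAL_NAT = [
    NatRule("ANYCONNECT_VPN_SUBNET", VPN, "dynamic", section=1, position=1),
    NatRule("LAN1", LAN, "dynamic", section=1, position=2),
]

if __name__ == "__main__":
    print([r.name for r in ordered(AUTO_NAT)])    # ['LAN1', 'ANYCONNECT_VPN_SUBNET']
    print([r.name for r in ordered(MANUAL_NAT)])  # ['ANYCONNECT_VPN_SUBNET', 'LAN1']
```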
07-07-2016 02:33 PM
Nice to hear that.