02-18-2016 08:05 AM
Hi All
I have a problem. I have already set up AnyConnect VPN on a Cisco ASA 5512.
But when a user successfully establishes a connection and is connected to the internal network and the internet, then not long after that the internal network goes down (all the internal users cannot connect to anything) and the administrator also cannot access the ASA interface from the VPN connection.
If there were any problem in my NAT configuration, the user could not connect to the internal network and the internet from the moment they establish the connection.
I attach my show run configuration.
02-18-2016 09:10 AM
With a quick glance, try the following:
no nat (any,outside) source dynamic NETWORK_OBJ_192.168.120.0 interface
object network NETWORK_OBJ_192.168.120.0
 subnet 192.168.120.0 255.255.255.240
 nat (outside,outside) dynamic interface
no nat (poc,outside) source static any any destination static NETWORK_OBJ_192.168.120.0 NETWORK_OBJ_192.168.120.0 no-proxy-arp route-lookup
nat (poc,outside) 1 source static Net-Local Net-Local destination static NETWORK_OBJ_192.168.120.0 NETWORK_OBJ_192.168.120.0 no-proxy-arp route-lookup
02-19-2016 03:31 AM
Hi John,
I still cannot solve the problem. A user from the internal network can ping the inside interface but cannot ping the outside interface.
Thanks
Khoirul
03-08-2016 03:00 PM
Hello Khoirul,
According to your VPN configuration, I found this:
nat (any,outside) source dynamic NETWORK_OBJ_192.168.120.0 interface
**********************
nat (poc,outside) source static any any destination static NETWORK_OBJ_192.168.120.0 NETWORK_OBJ_192.168.120.0 no-proxy-arp route-lookup
VPN Pool:
ip local pool vpn 192.168.120.1-192.168.120.10 mask 255.255.255.0
So it seems that the very first NAT statement is taking precedence over the NAT exemption in the NAT order of operations, so you will need to do the following: delete the NAT statement for the NAT exemption and put a priority number:
no nat (poc,outside) source static any any destination static NETWORK_OBJ_192.168.120.0 NETWORK_OBJ_192.168.120.0 no-proxy-arp route-lookup
nat (poc,outside) 1 source static any any destination static NETWORK_OBJ_192.168.120.0 NETWORK_OBJ_192.168.120.0 no-proxy-arp route-lookup
I can see that you are running tunnel-all and providing internet access to the users using U-turn, which will still work. Go ahead and run a packet tracer from inside to the outside (VPN pool) so we can see that it is taking the correct NAT.
Please proceed to rate and mark as correct the helpful post! Keep me posted!
Regards
David Castro,
03-22-2016 08:52 PM
Hi David
These are the solutions I applied for this case:
1. no nat (inside,outside) source static any any
2. no nat (inside,outside) source static Net-Local interface
Because it affects the ARP cache.
Regards,
Khoirul
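Added example (not from any poster in this thread) covering both David's point about section 1 NAT evaluation order and Khoirul's finding about static identity NAT and ARP: a small Python replay of the manual NAT lines quoted above, which orders them the way the ASA evaluates them (an explicit line number inserts the rule at that position, `no nat` removes it) and flags static rules that map `any` without `no-proxy-arp`, since static NAT makes the ASA proxy-ARP for the mapped addresses unless that keyword is present. The NAT lines in SAMPLE_CONFIG are constructed from the thread; the parser and its rule model are assumptions of this example, not an ASA tool.

```python
import re
from dataclasses import dataclass

# Constructed from the NAT lines quoted in this thread, entered in the order the
# fix was applied: the original rules, then David's 'no nat' / renumbered pair.
SAMPLE_CONFIG = """
nat (any,outside) source dynamic NETWORK_OBJ_192.168.120.0 interface
nat (poc,outside) source static any any destination static NETWORK_OBJ_192.168.120.0 NETWORK_OBJ_192.168.120.0 no-proxy-arp route-lookup
nat (inside,outside) source static any any
nat (inside,outside) source static Net-Local interface
no nat (poc,outside) source static any any destination static NETWORK_OBJ_192.168.120.0 NETWORK_OBJ_192.168.120.0 no-proxy-arp route-lookup
nat (poc,outside) 1 source static any any destination static NETWORK_OBJ_192.168.120.0 NETWORK_OBJ_192.168.120.0 no-proxy-arp route-lookup
"""

# Manual (twice) NAT line: nat (in,out) [line] source static|dynamic REAL MAPPED ...
NAT_RE = re.compile(
    r"^nat \((?P<in_if>[^,]+),(?P<out_if>[^)]+)\)\s*(?P<line>\d+)?\s*"
    r"source (?P<kind>static|dynamic) (?P<real>\S+) (?P<mapped>\S+)(?P<rest>.*)$")

@dataclass
class ManualNat:
    text: str
    in_if: str
    out_if: str
    kind: str
    real: str
    mapped: str
    no_proxy_arp: bool

def parse_section1(config: str) -> list[ManualNat]:
    """Replay section 1 (manual NAT) lines into ASA first-match order."""
    rules: list[ManualNat] = []
    for raw in (l.strip() for l in config.splitlines()):
        if raw.startswith("no nat "):            # 'no nat ...' removes that rule
            rules[:] = [r for r in rules if r.text != raw[3:]]
            continue
        m = NAT_RE.match(raw)
        if not m:
            continue
        rule = ManualNat(raw, m["in_if"], m["out_if"], m["kind"], m["real"],
                         m["mapped"], "no-proxy-arp" in m["rest"])
        if m["line"]:                            # explicit number = insert at that line
            rules.insert(int(m["line"]) - 1, rule)
        else:                                    # otherwise appended at the end
            rules.append(rule)
    return rules

def proxy_arp_risks(rules: list[ManualNat]) -> list[str]:
    """Static rules whose mapped side is 'any' (or identity) and lack no-proxy-arp:
    the ASA will answer ARP for that whole mapped range on the mapped-side interface."""
    return [r.text for r in rules if r.kind == "static" and not r.no_proxy_arp
            and (r.mapped == "any" or r.real == r.mapped)]
```

Running `parse_section1(SAMPLE_CONFIG)` puts the renumbered exemption first, ahead of the dynamic pool rule, and `proxy_arp_risks` reports only the bare `source static any any` line that Khoirul ended up removing.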