11-20-2012 10:03 AM
Hello,
I have a base config of AnyConnect VPN below, however the ASA 8.3.1 code has deprecated some commands and the VPN/NAT/FW rule syntax is quite different. Can someone point out what's missing from the pertinent config below that prevents the VPN Pool from accessing the internal LAN?
The Core LAN router is 1.2.3.1.
!
ASA Version 8.3(1)
!
interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 1.2.3.2 255.255.255.0
!
ip local pool anyconnect-vpn-pool 1.2.9.10-1.2.9.20 mask 255.255.255.0
!
object network DataVLAN
 subnet 1.2.3.0 255.255.255.0
!
object-group network Internal-Data
 network-object object DataVLAN
!
nat (any,any) after-auto source dynamic Internal-Data Outside_INT
!
route inside 1.2.0.0 255.255.0.0 1.2.3.1 1
!
dynamic-access-policy-record DfltAccessPolicy
!
webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
 svc enable
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 address-pools value anyconnect-vpn-pool
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
 address-pools value anyconnect-vpn-pool
group-policy vpn-anyconnecct-policy internal
group-policy vpn-anyconnecct-policy attributes
 vpn-tunnel-protocol svc webvpn
 webvpn
  url-list none
  svc ask enable
!
tunnel-group vpn-users type remote-access
tunnel-group vpn-users general-attributes
 address-pool anyconnect-vpn-pool
 default-group-policy vpn-anyconnecct-policy
tunnel-group anyconnect2 type remote-access
tunnel-group anyconnect2 general-attributes
 address-pool anyconnect-vpn-pool
!
TIA.
Mike
11-20-2012 10:27 AM
Mike, it would be good to use nat (inside,outside) source static.
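The NAT exemption Rohan is pointing at, written out as an added example (not configuration from this thread): on 8.3 the pre-8.3 "nat (inside) 0 access-list" exemption becomes a manual (twice) NAT identity rule placed in section 1, ahead of the "after-auto" dynamic rule already in Mike's config. The object name VPN-Pool is an assumption; Internal-Data and the 1.2.9.0/24 pool range come from the posted config.

```cisco
! Added example, not from the thread: ASA 8.3 NAT exemption so the
! AnyConnect pool 1.2.9.0/24 and the internal LAN 1.2.3.0/24 reach each
! other untranslated. VPN-Pool is an assumed object name; Internal-Data
! and the pool range are taken from the posted config.
object network VPN-Pool
 subnet 1.2.9.0 255.255.255.0
!
! Manual NAT without "after-auto" lands in section 1 and is matched before
! the section 3 dynamic PAT rule, so LAN -> VPN-client replies keep their
! real source address instead of being translated to Outside_INT.
nat (inside,outside) source static Internal-Data Internal-Data destination static VPN-Pool VPN-Pool
!
! Default on the ASA; listed so it can be checked. Decrypted VPN traffic
! bypasses the interface ACLs only while this remains enabled.
sysopt connection permit-vpn
```

Two checks after applying it: "show nat" should show the identity rule above the dynamic rule with its hit counter rising, and "packet-tracer input inside tcp 1.2.3.50 12345 1.2.9.10 445" (constructed host and port) should walk through the NAT phase untranslated. The core router 1.2.3.1 also needs a route for 1.2.9.0/24 pointing back at the ASA inside address 1.2.3.2; without it the exemption is correct but replies from the LAN never return to the clients.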
11-20-2012 10:47 AM
Hi Rohan,
Are you saying to replace "nat (any,any)" with "nat (inside,outside)"? I was wondering about this because I'd always done "nat (inside,outside)", but a colleague had performed the initial configuration, which already contained the "nat (any,any)" statement, and I was not sure if this was just something new in 8.3.1. I also noticed the "global" command is no longer available.
I will give this a try. Thanks.
-Mike