Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
933
Views
0
Helpful
2
Replies

VPN users unable to access internal network - ASA 8.3.1

Michael Grann
Level 1
Level 1

‎11-20-2012 10:03 AM

Hello,

I have a base config of AnyConnect VPN below, however the ASA 8.3.1 code has deprecated some commands and the VPN/NAT/FW rule syntax is quite different. Can someone point out what's missing from the pertinent config below that prevents the VPN Pool from accessing the internal LAN?

The Core LAN router is 1.2.3.1.

!

ASA Version 8.3(1)

!

interface Ethernet0/0

nameif inside

security-level 100

ip address 1.2.3.2 255.255.255.0

!

ip local pool anyconnect-vpn-pool 1.2.9.10-1.2.9.20 mask 255.255.255.0

!

object network DataVLAN

subnet 1.2.3.0 255.255.255.0

!

object-group network Internal-Data

network-object object DataVLAN

!

nat (any,any) after-auto source dynamic Internal-Data Outside_INT

!

route inside 1.2.0.0 255.255.0.0 1.2.3.1 1

!

dynamic-access-policy-record DfltAccessPolicy

!

webvpn

enable outside

svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1

svc enable

group-policy DfltGrpPolicy attributes

vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn

address-pools value anyconnect-vpn-pool

group-policy GroupPolicy1 internal

group-policy GroupPolicy1 attributes

address-pools value anyconnect-vpn-pool

group-policy vpn-anyconnecct-policy internal

group-policy vpn-anyconnecct-policy attributes

vpn-tunnel-protocol svc webvpn

webvpn

  url-list none

  svc ask enable

!

tunnel-group vpn-users type remote-access

tunnel-group vpn-users general-attributes

address-pool anyconnect-vpn-pool

default-group-policy vpn-anyconnecct-policy

tunnel-group anyconnect2 type remote-access

tunnel-group anyconnect2 general-attributes

address-pool anyconnect-vpn-pool

!

TIA.

Mike

Labels:
0 Helpful
2 Replies 2

rohaverm
Level 1
Level 1

‎11-20-2012 10:27 AM

Mike it would be good to use nat (inside,outside) source static

destination static . Check this if it resolves the issue of internal access.

0 Helpful

Michael Grann
Level 1
Level 1
In response to rohaverm

‎11-20-2012 10:47 AM

Hi Rohan,

Are you saying to replace "nat (any,any)" with "nat (inside,outside)"? I was wondering about this because I'd always done "nat (inside,outside)" but a colleague had performed the initial configuration which already contained "nat (any,any)" statement and I was not sure if this was just something new in 8.3.1. I also noticed the "global" command is no longer available.

I will give this a try. Thanks.

-Mike

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents