dr_pr
asked on
Cisco ASA 5510 8.25 VPN Client access issues
Hi Experts
I'm having issues with clients accessing inside resources from my SSLVPN pool.
Inside address range: 10.10.10.0/24
VPN pool: 10.10.1.0/24
I had the VPN pool statically NAT'ed to the inside addresses and it worked fine, but I don't want to use this configuration.
Commands used
NAT exemption:
access-list NONAT extended permit ip 10.10.10.0 255.255.255.0 10.10.1.0 255.255.255.0
nat (inside) 0 access-list NONAT
I also tried:
access-list NONAT extended permit ip 10.10.1.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list NONAT
I have a static route set: 0.0.0.0 0.0.0.0 <outside interface ip>
Am I missing a route to get to the VPN pool or something?
I set up another VPN pool using some of the inside addresses (10.10.10.129 - 10.10.10.250) to test my NONAT access-list. This of course worked, as the VPN clients are on the same subnet as the internal resources.
access-list NONAT extended permit ip 10.10.10.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list NONAT
When I try to ping the VPN clients after connecting to the VPN, the clients (iPhones) disconnect and reconnect to the VPN.
I can post my config tomorrow if necessary.
Ok, you should have this in place:
access-list NONAT extended permit ip 10.10.10.0 255.255.255.0 10.10.1.0 255.255.255.0
nat (inside) 0 access-list NONAT
And show us your config, please.
Also make sure the access-list on the inside interface is configured to permit ip from 10.10.10.0 to 10.10.1.0.
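As an added illustration (not code from the thread or from Cisco), the following Python models how the two access-list lines discussed above are evaluated: the nat (inside) 0 exemption list is matched from the inside interface's point of view (inside hosts as source, VPN pool as destination), which is why the reversed ACE the asker also tried does not cover the pool, and the inside interface ACL is evaluated first-match with an implicit deny. The sample ACL lines are constructed from the networks quoted in the thread; the "inside_access_in" name is a hypothetical ACL name.

```python
import ipaddress

# Constructed sample ACLs (not taken from the asker's device). The NONAT lines
# and network ranges are the ones quoted in the thread; "inside_access_in" is a
# hypothetical name for an ACL bound to the inside interface.
INSIDE_NET = "10.10.10.0/24"
VPN_POOL = "10.10.1.0/24"

CORRECT_NONAT = [
    "access-list NONAT extended permit ip 10.10.10.0 255.255.255.0 10.10.1.0 255.255.255.0",
]
REVERSED_NONAT = [
    "access-list NONAT extended permit ip 10.10.1.0 255.255.255.0 10.10.10.0 255.255.255.0",
]
INSIDE_ACL = [
    "access-list inside_access_in extended permit ip 10.10.10.0 255.255.255.0 10.10.1.0 255.255.255.0",
]


def _take_net(tokens):
    """Consume 'any' or 'ADDR MASK' from the token list; return (network, rest)."""
    if tokens and tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if len(tokens) >= 2:
        # ipaddress accepts a dotted netmask after the slash, as the ASA writes it
        return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]
    raise ValueError(f"expected 'any' or 'ADDR MASK', got {tokens!r}")


def parse_ace(line):
    """Parse 'access-list NAME extended permit|deny ip SRC DST' into
    (name, action, src_net, dst_net). Only the 'ip' protocol form used in the
    thread is handled; anything else raises ValueError."""
    parts = line.split()
    if (len(parts) < 7 or parts[0] != "access-list" or parts[2] != "extended"
            or parts[3] not in ("permit", "deny") or parts[4] != "ip"):
        raise ValueError(f"unsupported ACE: {line!r}")
    name, action = parts[1], parts[3]
    src, rest = _take_net(parts[5:])
    dst, rest = _take_net(rest)
    if rest:
        raise ValueError(f"trailing tokens in ACE: {rest!r}")
    return name, action, src, dst


def pool_fully_exempt(nonat_lines, inside_net=INSIDE_NET, pool=VPN_POOL):
    """True if some permit ACE in the nat (inside) 0 list covers the whole
    inside network as SOURCE and the whole VPN pool as DESTINATION. The list is
    read from the inside interface's point of view, so a reversed ACE (pool as
    source) never describes inside-to-pool traffic."""
    inside, vpn = ipaddress.ip_network(inside_net), ipaddress.ip_network(pool)
    return any(
        action == "permit" and inside.subnet_of(src) and vpn.subnet_of(dst)
        for _, action, src, dst in map(parse_ace, nonat_lines)
    )


def acl_decision(acl_lines, src_ip, dst_ip):
    """First-match evaluation of an interface ACL with the ASA's implicit deny
    at the end. Only relevant when an access-group binds the list to the
    interface; without one the inside interface permits outbound traffic."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for _, action, src, dst in map(parse_ace, acl_lines):
        if s in src and d in dst:
            return action
    return "deny"


if __name__ == "__main__":
    print("correct NONAT covers pool:", pool_fully_exempt(CORRECT_NONAT))    # True
    print("reversed NONAT covers pool:", pool_fully_exempt(REVERSED_NONAT))  # False
    print("inside ACL, host -> VPN client:", acl_decision(INSIDE_ACL, "10.10.10.50", "10.10.1.7"))
    print("inside ACL, host -> unrelated:", acl_decision(INSIDE_ACL, "10.10.10.50", "192.0.2.1"))
```

Running it shows that only the first NONAT form (inside network as source, pool as destination) exempts the inside-to-pool traffic, and that an inside interface ACL must carry a matching permit or the implicit deny drops the traffic before NAT is even considered.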
ASKER
Ok, i'll post my config in a few hours. Not near the device right now.
fgasimzade:
Your suggestion was one of the configs I used earlier, with no success:
access-list NONAT extended permit ip 10.10.10.0 255.255.255.0 10.10.1.0 255.255.255.0
nat (inside) 0 access-list NONAT
Thanks for the help so far.
The NONAT statement is necessary anyway; it must be in your config, but it does not guarantee that with it in place everything will start working :)
ASKER
(: Ok, thanks.
I will post my config later on.
ASKER
The information given by the experts was spot on; you can never account for the actions of other people. In this case, all my configuration was correct, but due to "too many cooks spoiling the broth" and a lack of communication, time and effort were wasted!
ASKER
Do you mean the inside clients? I have clients on the inside; their default gateway is set to the ASA (10.10.10.253).