dr_pr
 asked on

Cisco ASA 5510 8.25 VPN Client access issues

Hi Experts

I'm having issues with clients accessing inside resources from my SSL VPN pool.

Inside address range 10.10.10.0/24

VPN Pool 10.10.1.0/24

I had the VPN pool statically NATed to the inside addresses and it worked fine, but I don't want to use this configuration.

Commands used

NAT Exemption

access-list NONAT extended permit ip 10.10.10.0 255.255.255.0 10.10.1.0 255.255.255.0
nat (inside) 0 access-list NONAT

I also tried

access-list NONAT extended permit ip 10.10.1.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list NONAT

I have a static route set: 0.0.0.0 0.0.0.0 <outside interface ip>

Am I missing a route to get to the VPN pool or something?

I set another VPN pool using some of the inside addresses (10.10.10.129 - 10.10.10.250) to test my NONAT access-list. This of course worked, as the VPN clients are on the same subnet as the internal resources.


access-list NONAT extended permit ip 10.10.10.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list NONAT

When I try to ping the VPN clients after they connect to the VPN, the clients (iPhones) disconnect and reconnect to the VPN.

I can post my config tomorrow if necessary.

Tags: VPN, Cisco

Last comment: dr_pr, 8/22/2022 - Mon
SOLUTION
cstosgale

SOLUTION
fgasimzade

dr_pr

ASKER
Inside <10.10.10.0> ---- <10.10.10.253>ASA<PublicIP>----VPNClients<10.10.1.0>

Do you mean the inside clients? I have clients on the inside; their default gateway is set to the ASA (10.10.10.253).
fgasimzade

Ok, you should have this in place

access-list NONAT extended permit ip 10.10.10.0 255.255.255.0 10.10.1.0 255.255.255.0
nat (inside) 0 access-list NONAT


And show us your config, please.
cstosgale

Also make sure the access-list on the inside interface is configured to permit ip from 10.10.10.0 to 10.10.1.0.
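The question tries both directions of the NAT-exemption ACL, fgasimzade's reply names the direction that applies to `nat (inside) 0`, and cstosgale adds the inside interface ACL. The following is an added example, not configuration posted by anyone in this thread, pulling those pieces together for an ASA running 8.2 with the thread's addresses (inside 10.10.10.0/24, pool 10.10.1.0/24). The interface names, the pool name VPNPOOL, the ACL name INSIDE_IN and the next-hop placeholder are assumptions; the 8.3-and-later equivalent at the end goes beyond the version in the question.

```cisco
! Added example (not from the thread). ASA 8.2: let a remote-access VPN pool
! reach the inside LAN without translating the pool addresses.

! 1. Pool handed out to VPN clients. It must not overlap the inside LAN;
!    the "test" pool carved out of 10.10.10.0/24 only worked because it did.
ip local pool VPNPOOL 10.10.1.10-10.10.1.250 mask 255.255.255.0

! 2. NAT exemption. "nat (inside) 0" evaluates the ACL for packets leaving
!    the inside interface, so the entry is written LAN -> pool. The reversed
!    entry (pool -> LAN) never matches here and can be dropped.
access-list NONAT extended permit ip 10.10.10.0 255.255.255.0 10.10.1.0 255.255.255.0
nat (inside) 0 access-list NONAT

! 3. Interface ACLs. Decrypted VPN traffic bypasses the outside interface ACL
!    only while this sysopt is on (it is on by default; "no sysopt ..." in the
!    running config means it was turned off).
sysopt connection permit-vpn
!    If an ACL is applied inbound on the inside interface, it must permit
!    LAN -> pool, otherwise replies to the VPN clients are dropped there.
access-list INSIDE_IN extended permit ip 10.10.10.0 255.255.255.0 10.10.1.0 255.255.255.0
access-group INSIDE_IN in interface inside

! 4. Routing. No static route for 10.10.1.0/24 is needed: the ASA knows which
!    tunnel each connected client address belongs to and sends return traffic
!    back into it. A static route pointing the pool at an inside next hop
!    would break this. The default route points at the ISP router (the next
!    hop), not at the ASA's own outside address.
route outside 0.0.0.0 0.0.0.0 <ISP gateway>   ! <ISP gateway> is a placeholder

! 5. Checks to run on the ASA after a client connects (10.10.1.10 and
!    10.10.10.5 are example addresses):
!    show vpn-sessiondb                      - client is connected, assigned address shown
!    show nat                                - exemption hits on the NONAT entry increase
!    packet-tracer input inside icmp 10.10.10.5 8 0 10.10.1.10 detailed
!      - every phase should show ALLOW; a DROP in NAT or ACCESS-LIST points
!        at step 2 or 3 above

! 6. On ASA 8.3 and later the same exemption is a twice-NAT identity rule:
!    object network LAN
!     subnet 10.10.10.0 255.255.255.0
!    object network VPNPOOL_NET
!     subnet 10.10.1.0 255.255.255.0
!    nat (inside,outside) source static LAN LAN destination static VPNPOOL_NET VPNPOOL_NET no-proxy-arp route-lookup
```

packet-tracer is the quickest way to tell a NAT problem from an ACL problem: it reports which phase dropped the packet, so the LAN -> pool direction of step 2 and the inside ACL of step 3 can each be confirmed without involving the phone clients.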
dr_pr

ASKER
OK, I'll post my config in a few hours. Not near the device right now.

fgasimzade:

Your suggestion was one of the configs i used earlier with no success

access-list NONAT extended permit ip 10.10.10.0 255.255.255.0 10.10.1.0 255.255.255.0
nat (inside) 0 access-list NONAT

Thanks for the help so far.
fgasimzade

NONAT statement is necessary anyway, it must be in your config, but it does not guarantee that with it in place everything will start working :)
dr_pr

ASKER
(: OK, thanks.

I will post my config later on
ASKER CERTIFIED SOLUTION
dr_pr

ASKER
The information given by the experts was spot on; you can never account for the actions of other people. In this case, all my configuration was correct, but due to "too many cooks spoiling the broth" and not communicating, time and effort was wasted!