Cisco ASA 5510 8.25 VPN Client access issues

dr_pr
Hi Experts

I'm having issues with clients accessing inside resources from my SSLVPN pool

Inside address range 10.10.10.0/24

VPN Pool 10.10.1.0/24

I had the VPN pool statically NAT'ed to the inside addresses and it worked fine, but I don't want to use this configuration.

Commands used

NAT Exemption

access-list NONAT extended permit ip 10.10.10.0 255.255.255.0 10.10.1.0 255.255.255.0
nat (inside) 0 access-list NONAT

I also tried

access-list NONAT extended permit ip 10.10.1.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list NONAT

I have a static route set 0.0.0.0 0.0.0.0 <outside interface ip>

Am I missing a route to get to the VPN pool or something?

I set another VPN pool using some of the inside addresses (10.10.10.129 - 10.10.10.250) to test my NONAT access-list. This of course worked, as the VPN clients are on the same subnet as the internal resources.


access-list NONAT extended permit ip 10.10.10.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list NONAT

When I try to ping the VPN clients after they connect to the VPN, the clients (iPhones) disconnect and reconnect to the VPN.

I can post my config tomorrow if necessary
Hi,

Your config would certainly help, but the other likely cause is the default gateway of your clients. If it is not this ASA, whatever device it is will need a route to the VPN pool pointing to the ASA.
Top Expert 2011
Commented:
What is your default gateway on the inside network?

Author

Commented:
Inside <10.10.10.0> ---- <10.10.10.253>ASA<PublicIP>----VPNClients<10.10.1.0>

Do you mean the inside clients? I have clients on the inside; their default gateway is set to the ASA (10.10.10.253).

Top Expert 2011

Commented:
Ok, you should have this in place

access-list NONAT extended permit ip 10.10.10.0 255.255.255.0 10.10.1.0 255.255.255.0
nat (inside) 0 access-list NONAT


And show us your config pls.
Also make sure the access-list on the inside interface is configured to permit ip from 10.10.10.0 to 10.10.1.0

Author

Commented:
Ok, I'll post my config in a few hours. Not near the device right now.

fgasimzade:

Your suggestion was one of the configs I used earlier with no success:

access-list NONAT extended permit ip 10.10.10.0 255.255.255.0 10.10.1.0 255.255.255.0
nat (inside) 0 access-list NONAT

Thanks for the help so far.
Top Expert 2011

Commented:
The NONAT statement is necessary anyway, it must be in your config, but it does not guarantee that with it in place everything will start working :)

Author

Commented:
(: ok thanks.

I will post my config later on
Commented:
This is a case of too many cooks spoiling the broth.

My colleague has another egress point for our inside network to suit himself, leaving my traffic to bounce around in limbo.

We have a mixture of Linux and Windows on the inside network, so it was necessary to create routes in both OSes, giving the hosts multiple routes for egressing the network to our VPN client subnets.

For anyone that's interested, this was my solution, albeit a workaround:

On Linux:

I edited the /etc/rc.local file to include my egress point:

route add -net 10.10.1.0 netmask 255.255.255.0 gw 10.10.10.253

On Windows:

I created a batch file that added a route:

route add 10.10.1.0 mask 255.255.255.0 10.10.10.253

and added that as a scheduled task to run on start up.

Thanks to cstogale and fgasimzade for g'ing me up to re-check the DG's.....

This is what happens when the correct information isn't passed as it should be....lesson learned!!!
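To show why the host-side routes above fix the problem, here is an added example (not from the thread) that models an inside host's routing decision for a reply to a VPN client. It assumes a hypothetical second router at 10.10.10.254 acting as the host's default gateway; the ASA inside address 10.10.10.253 and the VPN pool 10.10.1.0/24 are the ones from the thread.

```python
from ipaddress import ip_address, ip_network

# Constructed routing table of an inside host on 10.10.10.0/24, as a list of
# (destination prefix, next hop). 10.10.10.254 is a hypothetical second
# router (the colleague's egress point) used as the host's default gateway.
INSIDE_HOST_ROUTES = [
    ("10.10.10.0/24", None),         # directly connected, no gateway
    ("0.0.0.0/0", "10.10.10.254"),   # default route via the other router
]

ASA_INSIDE = "10.10.10.253"   # ASA inside interface, from the thread
VPN_POOL = "10.10.1.0/24"     # SSL VPN client pool, from the thread


def next_hop(routes, dst):
    """Longest-prefix match: return the gateway the host would use for dst.
    None means directly connected; ValueError means no route at all."""
    dst = ip_address(dst)
    best = None
    for prefix, gw in routes:
        net = ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    if best is None:
        raise ValueError(f"no route to {dst}")
    return best[1]


def return_path_ok(routes, vpn_client):
    """True when the inside host sends its reply to the ASA, the device that
    terminates the tunnel. Otherwise the reply leaves via the other router
    and the VPN client never sees it (asymmetric routing)."""
    return next_hop(routes, vpn_client) == ASA_INSIDE


def with_vpn_route(routes):
    """Routing table after the workaround: an explicit route for the VPN pool
    pointing at the ASA, equivalent to the route add commands above."""
    return routes + [(VPN_POOL, ASA_INSIDE)]


if __name__ == "__main__":
    client = "10.10.1.17"   # constructed VPN client address from the pool
    print("before:", next_hop(INSIDE_HOST_ROUTES, client),
          return_path_ok(INSIDE_HOST_ROUTES, client))
    fixed = with_vpn_route(INSIDE_HOST_ROUTES)
    print("after: ", next_hop(fixed, client), return_path_ok(fixed, client))
```

The same check applies when the host's default gateway is the ASA itself: then the default route already returns True and no extra route is needed.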

Author

Commented:
The information given by the experts was spot on; you can never account for the actions of other people. In this case, all my configuration was correct, but due to "too many cooks spoiling the broth" and not communicating, time and effort was wasted!!!!!
