Remote Access VPN

Hi,

I am having a problem with my remote access VPN. The outside interface of my ASA is being NATed with a static NAT to an inside server. Whenever I try to connect to my ASA through a remote access VPN, these packets are being passed to the server instead of being processed by the ASA. It is not a request from the ASA to the server which is running IAS, because IAS is set to log everything and it has not even created a log file.

Can I use my outside interface for static NAT and still VPN to it? Is there a way to not NAT on the ports using the VPN?

Thanks a million. I need to get this working!!

K.J. 44

Here is my config. Thanks again:

Result of the command: "sh running"

: Saved
:
ASA Version 7.0(5)
!
hostname
domain-name
enable password MsKIE8kJNDmkdKIi encrypted
names
dns-guard
!
interface Ethernet0/0
 description INside interface. NAT to private IPs
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/1
 description Outside Interface.
 nameif outside
 security-level 0
 ip address OUTSIDE INTERFACE - NAT TO MAIL SERVER
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 ip address 192.168.2.2 255.255.255.252
 management-only
!
passwd SisLvDjB/rijelPS encrypted
banner exec # You are logging into a corporate device. Unauthorized access is prohibited.
banner motd # "We are what we repeatedly do. Excellence, then, is not an act, but a habit." - Aristotle #
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns name-server 192.168.1.4
object-group service NecessaryServices tcp
 port-object eq echo
 port-object eq www
 port-object eq domain
 port-object eq ssh
 port-object eq smtp
 port-object eq ftp-data
 port-object eq pop3
 port-object eq aol
 port-object eq ftp
 port-object eq https
object-group service UDPServices udp
 port-object eq nameserver
 port-object eq www
 port-object eq isakmp
 port-object eq domain
object-group service TCP-UDPServices tcp-udp
 port-object eq echo
 port-object eq www
 port-object eq domain
object-group service ChatServices tcp-udp
 description object group to allow GoogleTalk, AIM, MSN Messenger, and Yahoo Messenger
 port-object range 6900 6901
 port-object eq 6891
 port-object eq 5223
 port-object eq 5552
 port-object eq 1863
 port-object eq 5050
access-list inbound_on_outside remark This ACL filters traffic on the outside interface into the network
access-list inbound_on_outside remark This ACL filters traffic on the outside interface into the network

TRAFFIC ACLs

access-list 110 extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging list ASALog level notifications
logging monitor notifications
logging trap notifications
logging asdm informational
logging device-id hostname
logging host inside 192.168.1.4
mtu management 1500
mtu inside 1500
mtu outside 1500
ip local pool vpnclient 192.168.10.1-192.168.10.254
ip verify reverse-path interface inside
ip verify reverse-path interface outside
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm505.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 2 PUBLIC PAT IP netmask 255.255.255.255
nat (inside) 0 access-list 110
nat (inside) 2 192.168.0.0 255.255.0.0
static (inside,outside) OUTSIDE INTERFACE - NAT TO MAIL SERVER 192.168.1.4 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 NEXT HOP1
!
router ospf 1
 NETWORK COMMANDS
 log-adj-changes
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server vpn protocol radius
aaa-server vpn host 192.168.1.4
 key theKEY
group-policy group internal
group-policy group attributes
 banner value You are remotely accessing a corporate network. Any unauthorized use is strictly prohibited.
 dns-server value 192.168.1.4
 ipsec-udp enable
 ipsec-udp-port PORT
 split-tunnel-policy tunnelall
 webvpn
username ALOCALUSERNAME password wDylMAaR4hoo.oAa encrypted
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set RemoteVPNSet esp-aes-256 esp-sha-hmac
crypto dynamic-map RemoteVPNDynmap 10 set transform-set RemoteVPNSet
crypto dynamic-map RemoteVPNDynmap 10 set reverse-route
crypto map RemoteVPNMap 10 ipsec-isakmp dynamic RemoteVPNDynmap
crypto map RemoteVPNMap interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group (outside) vpn
tunnel-group groupName type ipsec-ra
tunnel-group groupName general-attributes
 address-pool vpnclient
 authentication-server-group vpn
tunnel-group groupName ipsec-attributes
 pre-shared-key *
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 50
!
class-map global-policy
 match default-inspection-traffic
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect http
policy-map global-policy
 class global-policy
  inspect http
  inspect icmp
  inspect ftp
  inspect dns
  inspect esmtp
!
service-policy global_policy global
smtp-server 192.168.1.4
Cryptochecksum:2bde9bde88a4ef5b54e95ce0cec8676a
: end
K.J. 44

Where you have 2 IPs, you have it backwards from the way it should be. Users should be PAT'd to the outside IP; the mail server should be using the other IP for its NAT. You should not be using the outside interface for NAT, only PAT.

Brian V

Except I don't have enough public IPs, so I kind of cheated and used the network address for PAT, which works fine except that I cannot apply this to an interface. So instead of changing the MX record, it is just the outside interface of the ASA.


K.J. 44

You CANNOT use the outside interface for NAT; you can ONLY use it for PAT. Why can't you simply swap the IPs: put the one you are using for PAT on the outside interface, and use the one that is your current outside interface for your mail server's NAT?

Brian V
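As an added illustration (editor's example, not K.J.'s posted config and not something Brian wrote), here are the three NAT layouts side by side in ASA 7.x syntax. <OUTSIDE-IP> and <PAT-IP> are placeholders for the two public addresses the thread leaves unnamed, and <MASK> for the outside subnet mask. Layout 1 is what the posted config does; layout 2 is the swap Brian describes; layout 3 is the per-port static PAT answer to the original "can I not NAT the VPN ports" question, which the thread itself does not discuss, so whether it fits this network is an assumption on my part. The static PAT and ACL syntax is standard for 7.0.

```cisco
! --- 1. As posted: a full static NAT on the outside interface address.
!        Every packet addressed to <OUTSIDE-IP>, including IKE (udp/500),
!        IPsec-over-UDP and ESP, is translated to 192.168.1.4, which is
!        why K.J. sees the VPN traffic handed to the mail server.
global (outside) 2 <PAT-IP> netmask 255.255.255.255
nat (inside) 2 192.168.0.0 255.255.0.0
static (inside,outside) <OUTSIDE-IP> 192.168.1.4 netmask 255.255.255.255

! --- 2. Brian's swap: the ASA lives on <PAT-IP>, users PAT to the interface,
!        and <OUTSIDE-IP> (the address the MX record already points at)
!        becomes a plain static for the mail server. IKE/ESP now arrive on
!        <PAT-IP>, which no static claims, so the ASA terminates the tunnel.
interface Ethernet0/1
 ip address <PAT-IP> <MASK>
global (outside) 2 interface
nat (inside) 2 192.168.0.0 255.255.0.0
static (inside,outside) <OUTSIDE-IP> 192.168.1.4 netmask 255.255.255.255

! --- 3. Alternative if the public addresses cannot change (assumed to fit):
!        keep <OUTSIDE-IP> on the interface and publish only the mail ports
!        with port-level static PAT. udp/500, the ipsec-udp port and ESP are
!        not translated and stay with the ASA, and the server is no longer
!        exposed on every port, only on the ones listed here.
no static (inside,outside) <OUTSIDE-IP> 192.168.1.4 netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.1.4 smtp netmask 255.255.255.255
static (inside,outside) tcp interface pop3 192.168.1.4 pop3 netmask 255.255.255.255
! Pre-8.3 ACLs match the mapped (public) address, so the outside ACL
! (outside_access_in in the posted config) needs exactly these entries:
access-list outside_access_in extended permit tcp any host <OUTSIDE-IP> eq smtp
access-list outside_access_in extended permit tcp any host <OUTSIDE-IP> eq pop3
! Drop translations built under the old static so they do not linger.
clear xlate
```

To check which layout is actually in effect, `show xlate` should list only the smtp and pop3 translations in layout 3 (a bare host-to-host entry means the full static is still there), and once a client connects `show isakmp sa` should show the phase 1 SA on the ASA rather than nothing at all.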

That's what I was afraid of. Damn! It's just a pain because I have to go through a parent company to have it changed and it usually takes a while... Oh well, if that's what I have to do...

Thanks for your help.


K.J. 44
