1 Internet IP Static NAT and cisco vpn client?

  • 1 Internet IP Static NAT and cisco vpn client?

    Is there any way to make the Cisco VPN client work on the same external IP that is static NATted?

    I have to use the static NAT because I need DNS rewrites, but that has killed external access using the Cisco VPN client, as I believe that traffic is being routed to the internal server. Here is my config:

    Result of the command: "show running-config"

    : Saved
    ASA Version 7.2(4)
    hostname ciscoasa
    domain-name default.domain.invalid
    enable password ** encrypted
    passwd ** encrypted
    name KLEIN
    name OPENFILER
    interface Vlan1
    nameif inside
    security-level 100
    ip address
    interface Vlan2
    nameif outside
    security-level 0
    ip address dhcp setroute
    interface Vlan3
    no forward interface Vlan1
    nameif dmz
    security-level 50
    ip address
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    switchport access vlan 3
    ftp mode passive
    dns server-group DefaultDNS
    domain-name default.domain.invalid
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    access-list outside_access_in extended permit tcp any interface outside eq 3389
    access-list outside_access_in extended permit tcp any interface outside eq 32400
    access-list inside_nat0_outbound extended permit ip any
    access-list internallan standard permit
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu dmz 1500
    ip local pool vpnpool mask
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-524.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1
    nat (dmz) 1
    static (inside,outside) interface KLEIN netmask dns
    access-group outside_access_in in interface outside
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    http server enable
    http inside
    http dmz
    http inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map outside_dyn_map 20 set pfs group1
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    dhcpd address inside
    dhcpd enable inside
    dhcpd address dmz
    dhcpd enable dmz

    group-policy DfltGrpPolicy attributes
    banner none
    wins-server none
    dns-server none
    dhcp-network-scope none
    vpn-access-hours none
    vpn-simultaneous-logins 3
    vpn-idle-timeout 30
    vpn-session-timeout none
    vpn-filter none
    vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
    password-storage enable
    ip-comp disable
    re-xauth disable
    group-lock none
    pfs disable
    ipsec-udp disable
    ipsec-udp-port 10000
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value internallan
    default-domain none
    split-dns none
    intercept-dhcp disable
    secure-unit-authentication disable
    user-authentication disable
    user-authentication-idle-timeout 30
    ip-phone-bypass disable
    leap-bypass disable
    nem disable
    backup-servers keep-client-config
    msie-proxy server none
    msie-proxy method no-modify
    msie-proxy except-list none
    msie-proxy local-bypass disable
    nac disable
    nac-sq-period 300
    nac-reval-period 36000
    nac-default-acl none
    address-pools none
    smartcard-removal-disconnect enable
    client-firewall none
    client-access-rule none
    functions url-entry
    html-content-filter none
    homepage none
    keep-alive-ignore 4
    http-comp gzip
    filter none
    url-list none
    customization value DfltCustomization
    port-forward none
    port-forward-name value Application Access
    sso-server none
    deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
    svc none
    svc keep-installer installed
    svc keepalive none
    svc rekey time none
    svc rekey method none
    svc dpd-interval client none
    svc dpd-interval gateway none
    svc compression deflate
    group-policy kleinvpn internal
    group-policy kleinvpn attributes
    dns-server value
    vpn-tunnel-protocol IPSec
    username ** password ** encrypted privilege 0
    username ** attributes
    vpn-group-policy kleinvpn
    tunnel-group kleinvpn type ipsec-ra
    tunnel-group kleinvpn general-attributes
    address-pool vpnpool
    default-group-policy kleinvpn
    tunnel-group kleinvpn ipsec-attributes
    pre-shared-key *
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    service-policy global_policy global
    prompt hostname context
    : end

  • #2
    Re: 1 Internet IP Static NAT and cisco vpn client?

    I would do some debugging here to see what is going on when the vpn client tries to connect.

    debug crypto isakmp

    Have you tried removing the static NAT as a test to see if they can connect then? The best option is to get a few public IPs from your provider and set this up right.
    Last edited by auglan; 21st June 2012, 20:38.
    CCNA, CCNA-Security, CCNP
    CCIE Security (In Progress)


    • #3
      Re: 1 Internet IP Static NAT and cisco vpn client?

      If you use NAT-T you shouldn't have any problem with that...


      • #4
        Re: 1 Internet IP Static NAT and cisco vpn client?

        NAT-T is for devices behind a NAT device. This traffic is terminating on the ASA itself (the ASA is the VPN server). Anyway, NAT-T should be automatically negotiated between the server and client. I think the issue is an order of operations with NAT. Have you tried debugging phase 1 to see what the logs say?
        Last edited by auglan; 25th June 2012, 14:23.
        CCNA, CCNA-Security, CCNP
        CCIE Security (In Progress)
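A small config check, added here as an illustration and not part of the thread or of any Cisco tooling, that pulls out the two facts the question and reply #4 turn on: a full (non-port) `static` that claims the `interface` address, and a crypto map or ISAKMP enabled on that same interface. The sample config is a constructed excerpt modelled on the posted running-config; 192.168.1.10 is a placeholder for the redacted host KLEIN.

```python
import re

# Constructed excerpt modelled on the posted ASA 7.2(4) config; the original
# redacted its addresses, so 192.168.1.10 is a placeholder for host KLEIN.
SAMPLE_CONFIG = """\
interface Vlan2
 nameif outside
static (inside,outside) interface 192.168.1.10 netmask 255.255.255.255 dns
static (inside,outside) tcp interface 3389 192.168.1.10 3389 netmask 255.255.255.255
crypto map outside_map interface outside
crypto isakmp enable outside
"""

def parse_static(line):
    """Parse a pre-8.3 'static (real,mapped) ...' line; None if not a static."""
    tok = line.split()
    if len(tok) < 4 or tok[0] != "static":
        return None
    m = re.fullmatch(r"\((\w+),(\w+)\)", tok[1])
    if not m:
        return None
    real_ifc, mapped_ifc = m.groups()
    rest = tok[2:]
    if rest[0] in ("tcp", "udp"):          # static PAT: proto mapped port real port
        proto, mapped, real, tail = rest[0], rest[1], rest[3], rest[5:]
    else:                                  # full one-to-one static
        proto, mapped, real, tail = None, rest[0], rest[1], rest[2:]
    return {"real_ifc": real_ifc, "mapped_ifc": mapped_ifc, "proto": proto,
            "mapped": mapped, "real": real, "dns": "dns" in tail}

def find_vpn_nat_conflicts(config):
    """Flag full statics that claim an interface address on which the same
    config also terminates IPsec (crypto map applied or ISAKMP enabled)."""
    vpn_ifcs, findings = set(), []
    for raw in config.splitlines():
        m = re.fullmatch(r"crypto (?:map \S+ interface|isakmp enable) (\w+)", raw.strip())
        if m:
            vpn_ifcs.add(m.group(1))
    for raw in config.splitlines():
        s = parse_static(raw.strip())
        if not s or s["mapped"] != "interface" or s["proto"] is not None:
            continue                        # only full statics to the interface address
        if s["mapped_ifc"] in vpn_ifcs:
            note = "full static to the %s interface address, which also terminates IPsec" % s["mapped_ifc"]
            if s["dns"]:
                note += "; it carries 'dns', so replacing it with per-port statics drops DNS rewrite"
            findings.append(note)
    return findings

if __name__ == "__main__":
    for f in find_vpn_nat_conflicts(SAMPLE_CONFIG):
        print("WARNING:", f)
```

The per-port `tcp interface 3389` static is deliberately not flagged, which is the distinction reply #4's "order of operations" point rests on.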