First time configuring remote access VPN for 8.3 / 8.4 so the NAT and VPN commands are a bit different for me.
Below is the VPN config and the corresponding NAT to NO NAT the IP space. If someone could have a look over it and let me know if I am missing anything. The network is 192.0.0.0/24, ha, not a typo.
crypto ikev1 enable outside
crypto ikev1 policy 10
 encryption 3des
 authentication pre-share
 hash sha
access-list SPLIT-TUNNEL-VPN standard permit 192.0.1.0 255.255.255.0
access-list SPLIT-TUNNEL-VPN standard permit 192.0.0.0 255.255.255.0
group-policy REMOTE-VPN-GP internal
group-policy REMOTE-VPN-GP attributes
 vpn-tunnel-protocol ikev1
 address-pools value REMOTE-VPN-POOL
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL-VPN
 dns-server value 192.0.0.201
tunnel-group REMOTE-VPN-TG type remote-access
tunnel-group REMOTE-VPN-TG general-attributes
 default-group-policy REMOTE-VPN-GP
 authentication-server-group LOCAL
tunnel-group REMOTE-VPN-TG ipsec-attributes
 ikev1 pre-shared-key **********
ip local pool REMOTE-VPN-POOL 192.0.1.1-192.0.1.100 mask 255.255.255.0
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map OUTSIDE-DYNMAP 65535 set ikev1 transform-set ESP-3DES-SHA
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic OUTSIDE-DYNMAP
crypto map OUTSIDE_MAP interface outside
! No NAT subnet
object network INSIDE_LAN
 subnet 192.0.0.0 255.255.255.0
object network VPN_LAN
 subnet 192.0.1.0 255.255.255.0
nat (inside,outside) source static INSIDE_LAN INSIDE_LAN destination static VPN_LAN VPN_LAN
Or would I do this for the no NAT:
nat (inside,outside) 1 source static any any destination static VPN_LAN VPN_LAN
My NAT is currently set up as:
object network LAN_NAT
 subnet 192.0.0.0 255.255.255.0
 nat (inside,outside) dynamic interface
Best Answer
If 192.0.0.0/24 is your inside interface/LAN then what is 192.0.1.0/24? You have given the object name of VPN_LAN to the 192.0.1.0/24 subnet? However, you define the remote-access VPN address pool as 10.1.2.140-10.1.2.145. The addresses assigned to the client VPN adapters will be in the range of 10.1.2.140-10.1.2.145.

I am going to assume that 192.0.1.0/24 is not needed and that your inside is 192.0.0.0/24 and your VPN client adapters will have IPs pulled from the 10.1.2.140-10.1.2.145 pool -- you may just want to make this 10.1.2.0/24 -- however I will continue with your existing pool.

You can configure your inside outbound dynamic interface PAT setup with the following. You have created another LAN_NAT object when you can define your dynamic interface PAT right in the INSIDE_LAN object -- they appear in two different parts of the configuration (subnet definition and object NAT) but are (and can) still defined in the same object.

Below is a network object created that represents the IP block that is the pool. It does not redefine the pool itself as that is ip local pool.

Configure your identity NAT (no nat) as follows -- not in an object, but a twice NAT.

Assuming I understand your setup you can then rid yourself of the LAN_NAT and VPN_LAN objects and the 192.0.1.0/24 entry in the SPLIT-TUNNEL-VPN ACL. There are some additional things to be considered on your P1/IKE policy as well -- 3DES/MD5 in P1 when you have P2 defined as 3DES/SHA is fine, but slightly odd.
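The NAT section rewritten along the lines the answer describes, as an added example and not the answerer's own (omitted) configuration. It keeps the poster's 192.0.1.0/24 pool rather than the 10.1.2.x range the answer quotes, assumes the interface names inside/outside from the question, and the object name VPN_POOL_NET is mine; the ACL line only restates the entry the answer says to keep.

```cisco
! Object NAT: the dynamic interface PAT lives inside the INSIDE_LAN object,
! so the separate LAN_NAT object is no longer needed.
object network INSIDE_LAN
 subnet 192.0.0.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! Object for the address block the VPN pool is carved from (name assumed).
! This does not replace "ip local pool REMOTE-VPN-POOL ...", which still
! hands addresses to clients; it only gives the block a name for NAT.
object network VPN_POOL_NET
 subnet 192.0.1.0 255.255.255.0
!
! Identity (twice) NAT. Manual NAT sits in section 1 and is evaluated before
! the object NAT above, so LAN-to-VPN-client traffic is matched here and left
! untranslated instead of being PATed to the outside interface address.
nat (inside,outside) source static INSIDE_LAN INSIDE_LAN destination static VPN_POOL_NET VPN_POOL_NET
!
! Split-tunnel list: only the LAN is tunnelled; the pool entry is dropped.
access-list SPLIT-TUNNEL-VPN standard permit 192.0.0.0 255.255.255.0
```

After applying it, "show nat" lists the manual (identity) rule ahead of the object NAT rule, and "packet-tracer input inside tcp 192.0.0.10 12345 192.0.1.5 445" should show the NAT phase hitting the identity rule with the source address unchanged; if the trace instead shows the dynamic interface PAT, the identity rule is missing or its objects do not cover the pool.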