VPN Clients (NAT and RULES) on ASA 5505

Discussion in 'Cisco' started by TimParker, Jan 30, 2009.

  1. TimParker

    TimParker Guest

    I had posted previously under:

    ASA Config Needs some Help...
    http://groups.google.com/group/comp.dcom.sys.cisco/browse_thread/thread/69cf11b018bf1def#

    I took the advice that was there and removed the NAT rules that were
    in there that were excluding everything and added one STATIC rule for
    the "external VPN IP" that I had set up for the start of my pool and
    my testing, and am now able to connect. I set up one Policy that
    allowed me to my workstation with Remote Desktop and to one of our
    servers and it worked great.

    It was recommended to create a new subnet for these that was different
    from our inside LAN. I used 192.168.5.x with the pool starting at 95.
    I then created a NAT rule that takes 192.168.5.95 and converts it
    internally to 192.168.16.95 so that it is on our internal LAN scheme.

    I don't want to have to write specific rules for my General users as
    most of them will need the same stuff. As Admin I will have some
    specific things that they won't naturally. Guess I am not sure how
    to control this NAT and make sure that I don't end up with duplicate
    INSIDE IPs. Any best practices here?

    I don't want to have to rework the internal network right now or worry
    if we add another remote user in the future and have to create new
    rules and things.

    Hope I am clear in what I am looking for. TIA.

    Tim
     
    TimParker, Jan 30, 2009
    #1

  2. DarbyWeaver

    DarbyWeaver

    Look - the crypto map statement that you write that refers to the ACL works like a "route", that is, it tells the VPN Clients where they can go. If it is not on this statement - they cannot route to it.

    Make one statement for general users.

    Make one statement for Admin users.

    Do not forget to "nonat" both of them - do not use the same ACL - you can - but don't.

    Create a profile for each.

    Watch the rules about the interface.

    Determine the policies you need.

    Create the complementary .pcf file - give it to the appropriate users.

    debug crypto isakmp
    debug crypto ipsec

    etc.

    Have fun!
     
    DarbyWeaver, Jan 30, 2009
    #2
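    As an added illustration of the advice above (not configuration from either poster), here is what the per-group layout looks like in pre-8.3 ASA syntax for the IPsec VPN Client: one address pool, one group-policy and one tunnel-group per user class, a single NAT exemption covering the whole client subnet so no per-user static NAT or duplicate inside address is needed, and a vpn-filter that limits what each group can reach. Pool ranges, the workstation address, group names and the pre-shared key are placeholders; the existing crypto map, dynamic map and isakmp configuration that already works for the poster is assumed and not repeated.

```cisco
! Added example (ASA 8.0-era syntax, IPsec VPN Client). Assumed: inside LAN
! 192.168.16.0/24, client subnet 192.168.5.0/24 split into a general and an
! admin pool. Names and the workstation address 192.168.16.50 are placeholders.
ip local pool GENERAL-POOL 192.168.5.95-192.168.5.149 mask 255.255.255.0
ip local pool ADMIN-POOL 192.168.5.150-192.168.5.159 mask 255.255.255.0

! NAT exemption ("nonat") for LAN-to-client traffic: the client subnet is routed
! as-is, so no static NAT into 192.168.16.x and no duplicate inside addresses.
access-list NONAT extended permit ip 192.168.16.0 255.255.255.0 192.168.5.0 255.255.255.0
nat (inside) 0 access-list NONAT

! Split-tunnel list: the networks the client is told to send through the tunnel.
access-list SPLIT-TUNNEL standard permit 192.168.16.0 255.255.255.0

! vpn-filter ACLs are written with the client (pool) as source and the LAN as
! destination. General users: Remote Desktop to one workstation only.
access-list GENERAL-FILTER extended permit tcp 192.168.5.0 255.255.255.0 host 192.168.16.50 eq 3389
! Admin users: full access to the LAN.
access-list ADMIN-FILTER extended permit ip 192.168.5.0 255.255.255.0 192.168.16.0 255.255.255.0

group-policy GENERAL-GP internal
group-policy GENERAL-GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
 vpn-filter value GENERAL-FILTER
 address-pools value GENERAL-POOL

group-policy ADMIN-GP internal
group-policy ADMIN-GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
 vpn-filter value ADMIN-FILTER
 address-pools value ADMIN-POOL

! One tunnel-group per user class; its name is the "group name" in each .pcf file.
tunnel-group general-users type remote-access
tunnel-group general-users general-attributes
 default-group-policy GENERAL-GP
tunnel-group general-users ipsec-attributes
 pre-shared-key CHANGE-ME-GENERAL

tunnel-group admin-users type remote-access
tunnel-group admin-users general-attributes
 default-group-policy ADMIN-GP
tunnel-group admin-users ipsec-attributes
 pre-shared-key CHANGE-ME-ADMIN
```

    Adding a future remote user then means only adding them to the right group (or enlarging a pool), not writing new NAT or access rules; `show vpn-sessiondb remote` and the `debug crypto isakmp` / `debug crypto ipsec` commands mentioned above confirm which group-policy and filter a connected client received.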
