Do I need an ACL to allow traffic from inside to go to the VPN users ? For now, I just have default ACL. If it's the case, I don't see why because the VPN users are suposed to be in the LAN, right ?
I won't be surprised to have a problem with NAT. I understand that the VPN has to be configured on the outside interface, but the ASA seems to assign the ip addresses of the vpn pool on the outside interface as shown in the log (nslookup request) :
[code:1]Built inbound UDP connection 1178 for WAN:10.20.0.120/52142 (10.20.0.120/52142) to LAN:10.20.0.4/53 (10.20.0.4/53) (hanapurna)[/code:1]
I think it will run better if I could have LAN:10.20.0.120 instead of WAN:10.20.0.120. How can I do that ? With NAT 0 ?
I also have some timeout in the log when a remote user try to access a web server in the LAN :
[code:1]Teardown TCP connection 693 for WAN:10.20.0.120/1043 to LAN:10.20.0.13/80 duration 0:00:30 bytes 0 SYN Timeout (hanapurna)[/code:1]
Ok, my problem is solved. I'm ashamed to say you what was wrong ... The inside/LAN switch was not connected to the ASA ... :roll: But it's difficult to find it when you do that remotely.
However, I would like to answer to my own questions if it can help.
About the ip pool for VPN users, several people say it's not recommended to have it in the inside subnet, which is not done here :
I tested it with a different subnet and it was the same.
But, if I use a different subnet, how can the appliance know how to route the traffic ? Do I need a static route ?
It works perfectly when you assign IP addresses to VPN users in the same subnet as inside. It works also with another subnet, without static route
I read that config made by the wizard are often bad.
I had no problem using the wizard; the generated config worked each time I used it. My version : ASA 7.2(4)/ASDM 5.2(4)
Do I need an ACL to allow traffic from inside to go to the VPN users ?
I didn't need any ACL
I won't be surprised to have a problem with NAT.
A NAT 0 rule is needed to translate traffic from inside to VPN users
[code:1]access-list LAN_nat0_outbound extended permit ip any 10.20.0.120 255.255.255.252[/code:1]
A NAT 0 rule to access the DMZ from inside
[code:1]access-list LAN_nat0_outbound extended permit ip 10.20.0.0 255.255.255.0 10.40.0.0 255.255.255.0[/code:1]
And optionaly, a NAT 0 rule to allow VPN users to access the DMZ
[code:1]access-list DMZ_nat0_outbound extended permit ip 10.40.0.0 255.255.255.0 10.20.0.120 255.255.255.252[/code:1]
NAT rules applied to interfaces
[code:1]global (WAN) 1 interface
nat (LAN) 0 access-list LAN_nat0_outbound
nat (LAN) 1 10.169.7.0 255.255.255.0
nat (DMZ) 0 access-list DMZ_nat0_outbound
nat (DMZ) 1 10.4.0.0 255.255.255.0[/code:1]
The only thing I can't do for now is administer the ASA through the VPN on the inside interface.