03-19-2010 12:30 AM
I have an ASA 5505 configured for AnyConnect remote VPN access. VPN users get IP addresses in the 192.168.10.0 network and the inside network is 192.168.1.0. I have followed the instructions from http://www.ciscohelp.info/en/US/products/ps6120/products_configuration_example09186a0080975e83.shtml pretty much by the letter, but it does not work. It feels like a rather common thing to do, so I'm a little surprised that the example fails for me. I am a newbie when it comes to configuring Cisco routers though, so I may have missed something that would be obvious to anyone else.
My configuration:
ASA Version 8.2(1)
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.252
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
access-list split-tunnel standard permit 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpnpool 192.168.10.1-192.168.10.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.36 inside
dhcpd dns x.x.x.x x.x.x.x interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
svc image disk0:/anyconnect-win-2.3.0254-k9.pkg 1
svc enable
tunnel-group-list enable
group-policy vpngroup internal
group-policy vpngroup attributes
vpn-tunnel-protocol svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split-tunnel
webvpn
svc keep-installer installed
svc rekey time none
svc rekey method ssl
svc ask none default svc
tunnel-group RemoteVpnTunnelGroup type remote-access
tunnel-group RemoteVpnTunnelGroup general-attributes
address-pool vpnpool
default-group-policy vpngroup
tunnel-group RemoteVpnTunnelGroup webvpn-attributes
group-alias anyvpn enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:1e801d987d9bc2b7a212a9541c905546
: end
no asdm history enable
What the log says when I try to ping from 192.168.10.0 to 192.168.1.0:
No translation group found for icmp src outside:192.168.10.1 dst inside:192.168.1.10 (type 8, code 0)
What the log says when I try to access files on 192.168.1.0 from 192.168.10.0:
No translation group found for tcp src outside:192.168.10.1/49852 dst inside:192.168.1.10/139
No translation group found for tcp src outside:192.168.10.1/49850 dst inside:192.168.1.10/445
/Måns Tånneryd
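As an added example (not part of the thread and not Cisco's code), here is a small Python parser for the "No translation group found" messages quoted above (ASA syslog ID 305005). It extracts the protocol, interfaces, addresses and ports, collapses the failing flows into network pairs, and prints the pre-8.3 NAT exemption lines that would cover them. The sample log lines are constructed to match the thread; the `%ASA-...` prefixes, the /24 prefix length and the ACL name `nonat` are assumptions that an operator must confirm against the real configuration.

```python
import re
from ipaddress import ip_network

# Constructed sample syslog lines, modelled on the messages quoted in the thread.
# The %ASA-n-nnnnnn prefix is an assumption about the full syslog format; the
# parser only keys on the message text, so lines without the prefix match too.
SAMPLE_LOG = """\
%ASA-3-305005: No translation group found for icmp src outside:192.168.10.1 dst inside:192.168.1.10 (type 8, code 0)
%ASA-3-305005: No translation group found for tcp src outside:192.168.10.1/49852 dst inside:192.168.1.10/139
%ASA-3-305005: No translation group found for tcp src outside:192.168.10.1/49850 dst inside:192.168.1.10/445
%ASA-6-302015: Built inbound UDP connection 273 for outside:192.168.10.1/137 (192.168.10.1/137) to inside:192.168.1.12/137 (192.168.1.12/137) (mtanneryd)
"""

# ICMP lines carry no ports, so the /port parts are optional.
NO_XLATE_RE = re.compile(
    r"No translation group found for (?P<proto>\w+) "
    r"src (?P<src_if>\w+):(?P<src>[\d.]+)(?:/(?P<sport>\d+))? "
    r"dst (?P<dst_if>\w+):(?P<dst>[\d.]+)(?:/(?P<dport>\d+))?"
)


def parse_no_xlate(log_text):
    """Return one dict per 'No translation group found' line; other lines are ignored."""
    flows = []
    for line in log_text.splitlines():
        m = NO_XLATE_RE.search(line)
        if m:
            d = m.groupdict()
            d["sport"] = int(d["sport"]) if d["sport"] else None
            d["dport"] = int(d["dport"]) if d["dport"] else None
            flows.append(d)
    return flows


def untranslated_pairs(flows, prefixlen=24):
    """Collapse failing flows into (src_if, src_net, dst_if, dst_net) tuples.

    The prefix length is an assumption: the syslog only shows host addresses,
    so the real subnet sizes must be confirmed before using the output.
    """
    pairs = set()
    for f in flows:
        src_net = ip_network(f"{f['src']}/{prefixlen}", strict=False)
        dst_net = ip_network(f"{f['dst']}/{prefixlen}", strict=False)
        pairs.add((f["src_if"], src_net, f["dst_if"], dst_net))
    return sorted(pairs, key=str)


def suggest_nat_exemption(flows, inside_if="inside", acl_name="nonat", prefixlen=24):
    """Build the pre-8.3 'nat 0 access-list' exemption lines covering the flows.

    NAT exemption is written from the higher-security (inside) side, so for a
    flow that arrived on the outside interface the ACL source is the inside
    network and the destination is the remote (VPN pool) network.
    """
    acl_lines = set()
    for src_if, src_net, dst_if, dst_net in untranslated_pairs(flows, prefixlen):
        if dst_if != inside_if:
            continue  # only flows terminating on the inside interface are handled here
        acl_lines.add(
            f"access-list {acl_name} permit ip "
            f"{dst_net.network_address} {dst_net.netmask} "
            f"{src_net.network_address} {src_net.netmask}"
        )
    if not acl_lines:
        return []
    return sorted(acl_lines) + [f"nat ({inside_if}) 0 access-list {acl_name}"]


if __name__ == "__main__":
    flows = parse_no_xlate(SAMPLE_LOG)
    for f in flows:
        print(f"{f['proto']:4} {f['src_if']}:{f['src']} -> {f['dst_if']}:{f['dst']}/{f['dport']}")
    print("\n".join(suggest_nat_exemption(flows)))
```

Run against the sample, the script reports the three untranslated flows and emits the same two lines that the reply below recommends. Flows arriving on another interface are skipped rather than guessed at, since the exemption must always be written from the interface that owns the protected network.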
03-19-2010 02:35 AM
You are missing the following:
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list nonat
03-19-2010 02:40 AM
Thanks! I'll try that as soon as I'm back at the office.
/Måns
03-19-2010 06:07 AM
Well, I got rid of the "no translation group" messages, but I'm still not getting through. Trying to access files on 192.168.1 from 192.168.10 results in lots of log messages like:
Built inbound UDP connection 273 for outside:192.168.10.1/137 (192.168.10.1/137) to inside:192.168.1.12/137 (192.168.1.12/137) (mtanneryd)
Teardown TCP connection 286 for outside:192.168.10.1/49215 to inside:192.168.1.12/80 duration 0:00:00 bytes 148 TCP FINs (mtanneryd)
Running a packet tracer shows me that the firewall is dropping the packets because the first implicit rule (permit any - any less secure) appears not to match the traffic, and the second is the default any-any deny rule.
/Måns
03-19-2010 06:14 AM
Do you have "sysopt connection permit-vpn" configured?
03-19-2010 06:20 AM
I have now, but it made no difference.
03-19-2010 03:19 PM
Can you add the following and see if you can ping to your internal network:
policy-map global_policy
class inspection_default
inspect icmp
From the logs, it seems to have built the connection (as you can see the FIN packet).
Can you try to telnet on port 80 to see if you have connectivity (telnet 192.168.1.12 80)
03-19-2010 02:43 AM
By default every connection needs to pass a NAT command. If you do not use NAT, use the following command in global configuration mode:
no nat-control
In this case you don't need to configure a NAT exemption.
regards
03-19-2010 02:45 AM
Well, there is already a NAT statement configured, so I assume that NAT is required, hence the need to configure NAT exemption.
03-19-2010 02:50 AM
Ok, my suggestion was not precise enough.
nat-control just enforces that every connection goes through a NAT rule. This may lead to the use of NAT exemption rules.
If you disable nat-control then NAT is optional. So with nat-control disabled you're still able to configure NAT rules, but for those connections that don't need to be NATted you don't have to use NAT exemption rules.
regards
03-19-2010 02:54 AM
Unfortunately, after you disable "nat-control" and you have a NAT configuration, that turns on "nat-control" automatically; therefore you still need to configure NAT exemption.
For example:
no nat-control
nat (inside) 1 0 0 <--- this statement turns the nat-control back on.
Therefore, you need to configure nat exemption:
nat (inside) 0 access-list nonat
03-19-2010 03:04 AM
Ok, that's nice to know, because it's not the way I learned it.