ASA VPN Access to Internal Network

May 19th, 2011

We have ASA5510s and I've configured an SSL VPN using AnyConnect. The VPN address pool is 10.10.10.0/24 and our internal network is 10.10.20.0/24. After successful login, using LDAP, the client receives a 10.10.10.0/24 address from the pool, but cannot access anything on the internal 10.10.20.0/24 network. I've toyed with access lists and NAT exemption, but to no avail. What do I need to do?

kwu2 Thu, 05/19/2011 - 12:55

Can you post your configuration?

In general, it is caused by mis-config on NAT or routing.

pootboy69 Thu, 05/19/2011 - 13:01

I'd rather not as this is quite a large configuration and I don't have time to change the public IP addresses. You have the networks listed above and can use "inside" and "outside" for the interfaces. Can you just give me the "short answer", such as: the access rule should be xxx, the NAT exemption should be yyy, and the routing should be zzz. I'd really appreciate that as it would expand my understanding of this product. Thanx!

kwu2 Thu, 05/19/2011 - 13:09

For NAT bypass, it should look like the following

access-list nonat permit ip 10.10.20.0 255.255.255.0 10.10.10.0 255.255.255.0

nat (inside) 0 access-list nonat

You don't need to permit this VPN traffic on the outside interface since VPN traffic bypasses the interface ACL check automatically.

When the VPN client is connected to the ASA, a static route should be added automatically to the routing table. But you need to make sure the internal host forwards the traffic destined for the VPN client 10.10.10.x to the ASA.

pootboy69 Thu, 05/19/2011 - 13:53

OK, I understand (and have implemented) the access-list and the nat statements. By "But you need make sure the internal host should forward the traffic to vpn client 10.10.10.x to the ASA", I'm assuming that you mean that the default gateway for internal hosts should be the IP of the inside interface - and it is. I still can't get the VPN client to connect to an internal host, however. Any suggestions? Thanx!

kwu2 Thu, 05/19/2011 - 14:03

Ok, do a packet capture on the inside interface,

access-list capin permit ip host 10.10.10.x host 10.10.20.x

access-list capin permit ip host 10.10.20.x host 10.10.10.x

capture in access-list capin interface inside

then initiate the traffic from client to server, and use "show capture capin" to see if you can see the traffic in both directions.

By the way, is there any FW on your server which might block the access from vpn client?
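An added example, not from the thread: a small Python parser for the `show capture` output format quoted in this discussion that flags host pairs seen in only one direction on the inside interface, which is the symptom of the internal host lacking a return route to the VPN pool. The sample capture lines are constructed.

```python
import re
from collections import defaultdict

# "show capture <name>" line, as quoted in the thread:
#   "   1: 09:10:47.606490 10.10.10.1 > 10.10.20.123: icmp: echo request"
# TCP/UDP lines carry a trailing port on each host (e.g. 10.10.10.1.51234).
CAPTURE_LINE = re.compile(r"^\s*\d+:\s+\S+\s+(?P<src>\S+)\s+>\s+(?P<dst>\S+?):\s")

# Constructed samples: one-way (echo requests only) and two-way traffic.
ONE_WAY_CAPTURE = """\
   1: 09:10:47.606490 10.10.10.1 > 10.10.20.123: icmp: echo request
   2: 09:10:53.053982 10.10.10.1 > 10.10.20.123: icmp: echo request
"""
TWO_WAY_CAPTURE = """\
   1: 09:23:07.826876 10.10.10.1 > 10.10.20.4: icmp: echo request
   2: 09:23:07.827914 10.10.20.4 > 10.10.10.1: icmp: echo reply
   3: 09:23:08.100000 10.10.10.1.51234 > 10.10.20.4.22: S 10:10(0) win 8192
"""


def strip_port(token):
    """Drop a trailing port from 'a.b.c.d.port'; plain IPs pass through."""
    parts = token.split(".")
    return ".".join(parts[:4]) if len(parts) == 5 else token


def parse_capture(text):
    """Return [(src_host, dst_host), ...] for every packet line in the capture."""
    pkts = []
    for line in text.splitlines():
        m = CAPTURE_LINE.match(line)
        if m:
            pkts.append((strip_port(m.group("src")), strip_port(m.group("dst"))))
    return pkts


def one_way_flows(text):
    """Host pairs with packets in only one direction, as sorted (src, dst) tuples."""
    seen = defaultdict(set)
    for src, dst in parse_capture(text):
        seen[tuple(sorted((src, dst)))].add((src, dst))
    return sorted(next(iter(d)) for d in seen.values() if len(d) == 1)


def diagnose(text):
    """Human-readable verdict on whether return traffic reaches the ASA."""
    missing = one_way_flows(text)
    if not missing:
        return "traffic seen in both directions: NAT exemption and return routing look fine"
    return "\n".join(
        f"{src} -> {dst}: no reply on inside; check that {dst} routes the VPN pool "
        f"back to the ASA inside interface (default gateway or static route)"
        for src, dst in missing
    )
```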

pootboy69 Fri, 05/20/2011 - 07:15

I set up and looked at the captures and only saw inbound traffic from the client. That will cause the issue, but what do I need to do to allow the VPN address pool access to the internal network? There is no firewall on the client nor on the server.

   1: 09:10:47.606490 10.10.10.1 > 10.10.20.123: icmp: echo request
   2: 09:10:53.053982 10.10.10.1 > 10.10.20.123: icmp: echo request
   3: 09:10:58.543154 10.10.10.1 > 10.10.20.123: icmp: echo request
   4: 09:11:04.045407 10.10.10.1 > 10.10.20.123: icmp: echo request

As I'm working with a test ASA, using a different IP for the inside interface, I will try to configure a device on the inside network with a default gateway of the test ASA to see if that works. If that works, then I can set up the production ASA the same way as all devices use that inside IP as their default gateway.

pootboy69 Fri, 05/20/2011 - 07:28

Eureka! I set up an internal machine with the default gateway of the test ASA and it worked - that was really dumb of me not to remember that the internal devices do not know the test ASA's IP to use as a default gateway! Thanx for all your help - it rearranged my thinking.

   1: 09:23:07.826876 10.10.10.1 > 10.10.20.4: icmp: echo request
   2: 09:23:07.827914 10.20.20.4 > 10.10.10.1: icmp: echo reply
   3: 09:23:08.875687 10.10.10.1 > 10.10.20.4: icmp: echo request
   4: 09:23:08.876663 10.20.20.4 > 10.10.10.1: icmp: echo reply
   5: 09:23:09.850419 10.10.10.1 > 10.10.20.4: icmp: echo request
   6: 09:23:09.851365 10.20.20.4 > 10.10.10.1: icmp: echo reply
   7: 09:23:10.836626 10.10.10.1 > 10.10.20.4: icmp: echo request
   8: 09:23:10.837511 10.20.20.4 > 10.10.10.1: icmp: echo reply

Correct Answer
kwu2 Fri, 05/20/2011 - 07:34

Good, glad I can help here.
