02-09-2012 01:02 AM - edited 03-11-2019 03:26 PM
Hi,
ASA 8.3
Anyconnect users can reach INSIDE, but not DMZ. DMZ host 10.120.1.2 is what I am trying to reach.
Packet-tracer shows it should be possible. Attaching my asa config.
What am I missing?
Packet-tracer:
asa-kalasa# packet-tracer input vpn tcp 172.16.32.4 50545 10.120.1.2 22
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.120.1.0 255.255.255.0 dmz
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group dmz_access_in in interface dmz
access-list dmz_access_in extended permit ip any any log disable
Additional Information:
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group dmz_access_out out interface vpn
access-list dmz_access_out extended permit ip any any log disable
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 32484740, packet dispatched to next module
Result:
input-interface: dmz
input-status: up
input-line-status: up
output-interface: dmz
output-status: up
output-line-status: up
Action: allow
02-17-2012 08:05 PM
Hello,
On the NAT statements, instead of using the any any, use the object groups for each network, like:
nat (inside,outside) source static OFFICE-NET OFFICE-NET destination static NETWORK_OBJ_172.16.32.0_24 NETWORK_OBJ_172.16.32.0_24
Same for the DMZ
Regards,
Julio
02-16-2012 11:58 PM
Bumping this thread. Surely, someone must be able to help me debug this further?
02-17-2012 12:17 AM
I have isolated the problem to these two rules:
6 (inside) to (outside) source static any any destination static ipsecvpnpool ipsecvpnpool
translate_hits = 4997, untranslate_hits = 34889
5 (dmz) to (outside) source static any any destination static ipsecvpnpool ipsecvpnpool
translate_hits = 0, untranslate_hits = 0
Here, anyconnect can reach inside, but not dmz. If I however change the order of the nat rules, then anyconnect can reach dmz but not inside.
5 (dmz) to (outside) source static any any destination static ipsecvpnpool ipsecvpnpool
translate_hits = 0, untranslate_hits = 0
6 (inside) to (outside) source static any any destination static ipsecvpnpool ipsecvpnpool
translate_hits = 4997, untranslate_hits = 34889
02-21-2012 12:00 AM
Hi jcarvaja!
That did indeed work. I'm not sure why any any wouldn't be as good as a match, as it clearly must differ on what interface the packet comes in on. Anyway, thank you for the answer.
02-21-2012 09:24 AM
Hello 3moloz,
Glad to hear I could help! Yep, usually the any any on a NAT statement causes a lot of issues due to ARP problems.
Regards,
Julio
04-16-2020 08:07 PM - edited 04-16-2020 08:08 PM
I have the same problem in 9.24.
object network inside
subnet 10.0.0.0 255.255.255.0
nat (inside,outside) dynamic interface
object network dmz
subnet 172.16.0.0 255.255.255.0
nat (dmz,outside) dynamic interface
object network vpnpool
subnet 10.0.1.0 255.255.255.0
Create vpnpool for the AnyConnect client address pool.
If you only do these, the AnyConnect client only reaches the inside network. So I used twice NAT to solve it.
nat (inside,outside) source static inside inside destination static vpnpool vpnpool
nat (dmz,outside) source static dmz dmz destination static vpnpool vpnpool
Now the AnyConnect client can reach both the inside and DMZ networks.
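To make the shadowing seen in this thread concrete, here is an added Python model (not code from the thread, from Cisco, or from any ASA) of how the ASA walks section-1 (manual / twice NAT) rules top to bottom and lets the first match decide the egress interface for traffic arriving from the VPN pool. It assumes the thread's pool 172.16.32.0/24 and DMZ 10.120.1.0/24; the inside subnet 10.0.0.0/24 and the host addresses are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class NatRule:
    """One section-1 rule: nat (real_if,mapped_if) source static S S destination static D D."""
    real_if: str
    mapped_if: str
    real_src: ipaddress.IPv4Network    # 'source static S S' (identity NAT)
    mapped_dst: ipaddress.IPv4Network  # 'destination static D D'


def egress_for_vpn_packet(rules, src, dst):
    """Simplified ASA behaviour: a packet entering on the mapped-side interface (the VPN
    pool sits on 'outside') is matched against rules in order; the first rule whose
    destination object contains the packet source and whose real source object contains
    the packet destination wins, and its real interface becomes the egress interface.
    Returns (rule_number, egress_interface); with no match the routing table decides."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for number, rule in enumerate(rules, 1):
        if src in rule.mapped_dst and dst in rule.real_src:
            return number, rule.real_if
    return None, "route-lookup"


POOL = ipaddress.ip_network("172.16.32.0/24")    # AnyConnect pool from the thread
DMZ = ipaddress.ip_network("10.120.1.0/24")      # dmz route from the packet-tracer
INSIDE = ipaddress.ip_network("10.0.0.0/24")     # constructed inside subnet

# The original rules: 'source static any any' on both interface pairs.
ANY_ANY = [NatRule("inside", "outside", ANY, POOL), NatRule("dmz", "outside", ANY, POOL)]
# Julio's fix: one object per real network instead of any.
SPECIFIC = [NatRule("inside", "outside", INSIDE, POOL), NatRule("dmz", "outside", DMZ, POOL)]

if __name__ == "__main__":
    for label, rules in (("any any", ANY_ANY), ("swapped any any", ANY_ANY[::-1]), ("specific", SPECIFIC)):
        print(label, "-> dmz host:", egress_for_vpn_packet(rules, "172.16.32.4", "10.120.1.2"),
              "inside host:", egress_for_vpn_packet(rules, "172.16.32.4", "10.0.0.5"))
```

With any any, rule 1 matches every VPN packet, so whichever interface pair is listed first captures both networks; with per-network objects each packet matches only the rule for the network it is actually destined to.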