ASA 5505 behind a router/firewall acting just as a VPN server

dittman (Level 1)

I have a Cisco ASA 5505 with AnyConnect Essentials and Mobile licenses.  I want to use it as a VPN server behind my firewall/router in a one-armed configuration.

Here's what I have that's not working.  I can ping internal IPs but connections are closed and I can access the outside world without any problems.

External IPs (examples, not actual) are 10.10.10.18 through .22.

Internal network is 192.168.1.0/24.

VPN network is 192.168.50.0/24

I have 10.10.10.20 port 443 NATed to 192.168.1.244.  I have 192.168.1.244 as the outside IP on the ASA 5505.  I don't have an inside interface configured.

I think I'm missing something but everything I've tried just makes it worse.  I can post the config I have if that helps but I figure I'm just missing something simple.

11 Replies

Boris Uskov (Level 4)

Hello,

If I understand the issue correctly, the AnyConnect VPN session establishes fine, but remote clients are not able to access the internal resources.

Let's assume the remote client has IP 192.168.50.5 and is trying to ping the inside host 192.168.1.5. The ICMP echo goes through the tunnel and reaches the destination 192.168.1.5 (also, be sure that same-security-traffic permit intra-interface is configured, to allow traffic entering the outside interface to leave the same outside interface). The main question: does the internal host 192.168.1.5 know where to send the reply packets (ICMP echo-replies)? Does the internal host 192.168.1.5 know the route to 192.168.50.5? Maybe it uses its default gateway (another router/firewall). If so, does that other router/firewall have the route to 192.168.50.0/24 via the ASA's outside interface (192.168.1.244)?

Apologies [@dittman@dittman.net], I've only just spotted CSCO11467249's response. He is along the right lines; follow as per.

All the best,

Luke

Any ideas?

The internal default route is 192.168.1.1, which has a route to 192.168.50.0/24 via 192.168.1.244.

I've been poking around and still haven't figured out why this isn't working.

Luke Oxley (Level 1)
[@dittman@dittman.net],

Thanks for your post. It sounds like you've made a good start, however it is very unclear as to what the issue is. Are you saying that you can connect to the VPN successfully but cannot access the 192.168.1.0/24 network from the VPN subnet (192.168.50.0/24)?
Please elaborate and post a sanitised configuration. We will get this sorted for you.

Kind regards,
Luke


Please rate helpful posts and mark correct answers.

Thanks for the responses.  I've attached the sanitized config.

To clarify, I can ping the internal network (192.168.1.0/24).

I can ping 10.10.10.18 and .19 but not .20 (10.10.10.20 is the external IP that has port 443 forwarded to 192.168.1.244).

I can access services on the outside world but not on the LAN.

Hello, sorry, I don't see an attached config...

Strange, I had uploaded one.  Let me try again.

Okay, I didn't notice it failed to upload because of the file extension the last time.

Hello, I looked through the config briefly and didn't find any issue. The only doubt: is it really necessary to have the NAT exemption in your case?

nat (outside,any) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-192.168.50.0 obj-192.168.50.0 no-proxy-arp

If I am not mistaken, when you try to access the internal resources from AnyConnect, the packets fall under the dynamic NAT translation to the ASA's interface address. So the return packets go to the IP address of the ASA's interface, where they are successfully un-NATed.

I advise you to check, by packet capture on the ASA's outside interface, whether the return packets come back to the ASA's outside interface when you try to reach LAN services from AnyConnect.

Please, perform the following capture:

capture TEST interface outside match ip any 192.168.1.0 255.255.255.0

while you test the access to LAN servers from anyconnect connection.

After that, post the output of show capture TEST, please.
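The two return-path options discussed in this thread, Boris's first reply (the LAN gateway needs a route for the VPN pool back to the ASA) and this one (let the VPN clients be translated to the ASA's own interface address so no such route is needed), side by side as an added example. This is not the poster's attached config and not a Cisco reference configuration; the interface, pool range, object names, group-policy and tunnel-group names are assumed for illustration, and the keywords assume ASA 8.3+ twice-NAT syntax with 9.x AnyConnect naming (`ssl-client`).

```cisco
! Added illustration, not the thread's actual config. One-armed ASA 5505:
! a single "outside" VLAN on the LAN, no inside interface, used only for AnyConnect.
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.1.244 255.255.255.0
!
! Everything, LAN and Internet, is reached via the LAN gateway 192.168.1.1.
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
!
! Decrypted AnyConnect traffic enters on "outside" and must leave on "outside" again
! (hairpin). Without this the ASA silently drops it.
same-security-traffic permit intra-interface
!
object network obj-192.168.1.0
 subnet 192.168.1.0 255.255.255.0
object network obj-192.168.50.0
 subnet 192.168.50.0 255.255.255.0
!
! Assumed client pool; it must not overlap the LAN.
ip local pool VPN_POOL 192.168.50.10-192.168.50.250 mask 255.255.255.0
!
! Option A (identity NAT, as in the original post but written outside-to-outside):
! clients keep their 192.168.50.x source address, so LAN hosts reply to 192.168.50.x.
! That only works if 192.168.1.1 has "192.168.50.0/24 via 192.168.1.244"; otherwise
! the replies go out the Internet uplink and the capture below shows no return traffic.
nat (outside,outside) source static obj-192.168.50.0 obj-192.168.50.0 destination static obj-192.168.1.0 obj-192.168.1.0 no-proxy-arp
!
! Option B (use INSTEAD of option A, not together): PAT the VPN clients to the
! ASA's own outside address. LAN hosts then see 192.168.1.244 as the source and
! reply straight to the ASA, so no route for 192.168.50.0/24 is needed anywhere.
! Cost: LAN-side logs and ACLs see the ASA's address, not the individual client.
! nat (outside,outside) source dynamic obj-192.168.50.0 interface
!
webvpn
 enable outside
 anyconnect enable
group-policy GP_VPN internal
group-policy GP_VPN attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelall
tunnel-group TG_VPN type remote-access
tunnel-group TG_VPN general-attributes
 address-pool VPN_POOL
 default-group-policy GP_VPN
```

To tell the two cases apart with the capture Boris asked for: under option A the capture should show both 192.168.50.x -> 192.168.1.x and the matching 192.168.1.x -> 192.168.50.x replies on the outside interface; if only the first direction appears, the LAN side is routing the replies elsewhere. Under option B the replies are addressed to 192.168.1.244 and arrive whether or not the gateway knows about the pool.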

That was in there as I used to use the 5505 as my firewall as well and I had to have that NAT exception to get the VPN to work.  So maybe it isn't necessary.

I'll run the tests tonight and post the output.