09-18-2016 08:13 PM
I have a Cisco ASA 5505 with AnyConnect Essentials and Mobile licenses. I want to use it as a VPN server behind my firewall/router in a one-armed configuration.
Here's what I have that's not working. I can ping internal IPs but connections are closed and I can access the outside world without any problems.
External IPs (examples, not actual) are 10.10.10.18 through .22.
Internal network is 192.168.1.0/24.
VPN network is 192.168.50.0/24
I have 10.10.10.20 port 443 NATed to 192.168.1.244. I have 192.168.1.244 as the outside IP on the ASA 5505. I don't have an inside interface configured.
I think I'm missing something but everything I've tried just makes it worse. I can post the config I have if that helps but I figure I'm just missing something simple.
09-19-2016 01:00 AM
Hello,
If I understand the issue correctly, the AnyConnect VPN session establishes fine, but remote clients are not able to access the internal resources.
Let's assume the remote client has IP 192.168.50.5. He is trying to ping inside host 192.168.1.5. The ICMP echo goes through the tunnel and reaches the destination 192.168.1.5 (also, be sure that same-security-traffic permit intra-interface is configured to allow traffic entering the outside interface to leave the same outside interface). The main question: does the internal host 192.168.1.5 know where to send the reply packets (ICMP echo-replies)? Does the internal host 192.168.1.5 know the route to 192.168.50.5? Maybe it uses its default gateway (another router/firewall). If so, does that other router/firewall have a route to 192.168.50.0/24 via the ASA's outside interface (192.168.1.244)?
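The return-path question raised in this reply can be checked on paper, but it is easy to get wrong with a one-armed ASA because the LAN host, the LAN gateway and the ASA each consult their own table. The Python below is an added illustration, not configuration from the thread or Cisco tooling: it models the three tables with longest-prefix matching and follows an echo-reply from the LAN host back toward the VPN client. The addresses match the thread (pool 192.168.50.0/24, LAN 192.168.1.0/24, ASA outside 192.168.1.244); the LAN host 192.168.1.5, client 192.168.50.5 and the route contents are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed topology mirroring the thread: VPN pool 192.168.50.0/24, LAN
# 192.168.1.0/24, ASA one-armed on 192.168.1.244, LAN default gateway 192.168.1.1.
VPN_CLIENT = "192.168.50.5"
LAN_HOST = "192.168.1.5"
LAN_GATEWAY = "192.168.1.1"
ASA_OUTSIDE = "192.168.1.244"

# Routing entries are (prefix, action). An action is a next-hop IP, "connected"
# (deliver on-link), "tunnel" (the ASA hands the packet to the AnyConnect session)
# or "internet" (the LAN gateway's uplink: a reply to a private pool address that
# goes this way is never coming back).
LAN_HOST_ROUTES = [("192.168.1.0/24", "connected"), ("0.0.0.0/0", LAN_GATEWAY)]
ASA_ROUTES = [("192.168.50.0/24", "tunnel"), ("192.168.1.0/24", "connected"),
              ("0.0.0.0/0", LAN_GATEWAY)]
ASA_ROUTES_NO_POOL = ASA_ROUTES[1:]          # ASA with no VPN pool (misconfigured)
GATEWAY_WITHOUT_VPN_ROUTE = [("192.168.1.0/24", "connected"), ("0.0.0.0/0", "internet")]
GATEWAY_WITH_VPN_ROUTE = [("192.168.50.0/24", ASA_OUTSIDE)] + GATEWAY_WITHOUT_VPN_ROUTE


def lookup(routes, dst):
    """Longest-prefix match; returns the action for dst, or None when nothing matches."""
    addr = ip_address(dst)
    best = None
    for prefix, action in routes:
        net = ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, action)
    return best[1] if best else None


def trace_reply(start, tables, dst, max_hops=8):
    """Follow a reply packet from node `start` toward `dst` across the per-node
    routing tables in `tables` ({node_ip: routes}). Returns (outcome, path)."""
    node, path = start, []
    for _ in range(max_hops):
        if node in path:
            return ("routing-loop", path + [node])
        path.append(node)
        action = lookup(tables.get(node, []), dst)
        if action is None:
            return ("no-route", path)
        if action == "tunnel":
            return ("delivered-via-tunnel", path)
        if action == "connected":
            return ("delivered-on-link", path)
        if action == "internet":
            return ("lost-to-internet", path)
        node = action  # forward to the next hop and consult its table
    return ("too-many-hops", path)


def build_tables(gateway_routes, asa_routes=ASA_ROUTES, host_routes=LAN_HOST_ROUTES):
    return {LAN_HOST: host_routes, LAN_GATEWAY: gateway_routes, ASA_OUTSIDE: asa_routes}


if __name__ == "__main__":
    cases = [
        ("gateway has no route for the pool", build_tables(GATEWAY_WITHOUT_VPN_ROUTE)),
        ("gateway routes the pool to the ASA", build_tables(GATEWAY_WITH_VPN_ROUTE)),
        ("gateway routes to ASA, ASA lacks the pool", build_tables(GATEWAY_WITH_VPN_ROUTE, ASA_ROUTES_NO_POOL)),
    ]
    for label, tables in cases:
        print(f"{label}: {trace_reply(LAN_HOST, tables, VPN_CLIENT)}")
```

The first case is the situation the reply describes: the echo request arrives, but the LAN host hands the reply to 192.168.1.1, which sends it out its default route. The third case shows why the static route alone is not sufficient; the ASA must also own the pool, otherwise the reply bounces between gateway and ASA. The forward direction additionally needs the intra-interface hairpin mentioned above, which this model does not represent.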
09-19-2016 01:41 AM
Apologies [@dittman@dittman.net], I've only just spotted CSCO11467249's response. He is along the right lines, follow as per.
All the best,
Luke
11-03-2016 10:07 PM
Any ideas?
09-28-2016 12:44 PM
The internal default route is 192.168.1.1, which has a route to 192.168.50.0/24 via 192.168.1.244.
10-05-2016 09:07 PM
I've been poking around and still haven't figured out why this isn't working.
09-19-2016 01:39 AM
09-20-2016 09:18 PM
Thanks for the responses. I've attached the sanitized config.
To clarify, I can ping the internal network (192.168.1.0/24).
I can ping 10.10.10.18 and .19 but not .20 (10.10.10.20 is the external IP that has port 443 forwarded to 192.168.1.244).
I can access services on the outside world but not on the LAN.
11-06-2016 11:06 PM
Hello, sorry, I don't see attached config...
11-12-2016 09:52 PM
11-13-2016 11:22 PM
Hello, I looked through the config briefly and didn't find any issue. The only doubt is whether it is really necessary to have the NAT exception in your case:
nat (outside,any) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-192.168.50.0 obj-192.168.50.0 no-proxy-arp
If I am not mistaken, when you try to access the internal resources from AnyConnect, the packets fall under the dynamic NAT translation to the ASA's interface address. So the return packets go to the IP address of the ASA's interface, where they are successfully un-NATed.
I advise you to check with a packet capture on the ASA's outside interface whether the return packets come back to the ASA's outside interface when you try to reach LAN services from AnyConnect.
Please, perform the following capture:
capture TEST interface outside match ip any 192.168.1.0 255.255.255.0
while you test the access to LAN servers from anyconnect connection.
After that, post the output of show capture TEST, please.
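When the capture output comes back, the question to answer is simply which LAN hosts send anything back toward the pool. The script below is an added example, not part of the thread or of any Cisco tool: it parses the tcpdump-like lines that show capture prints (index, timestamp, src[.port] > dst[.port]: detail), classifies each packet as client-to-LAN or LAN-to-client, and lists the LAN hosts whose replies never appear on the outside interface. The sample capture text is constructed, as are the hosts 192.168.1.5 and 192.168.1.10 and the assumed line layout.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

VPN_POOL = ip_network("192.168.50.0/24")   # AnyConnect pool from the thread
LAN = ip_network("192.168.1.0/24")         # internal network from the thread

# Constructed sample in the tcpdump-like layout that `show capture` prints;
# not real output. Host .5 answers, host .10 never does (two SYN retries, no reply).
SAMPLE_CAPTURE = """\
   1: 21:05:11.301220 192.168.50.5 > 192.168.1.5: icmp: echo request
   2: 21:05:11.301541 192.168.1.5 > 192.168.50.5: icmp: echo reply
   3: 21:05:19.877003 192.168.50.5.52211 > 192.168.1.10.443: S 1834920101:1834920101(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
   4: 21:05:22.879115 192.168.50.5.52211 > 192.168.1.10.443: S 1834920101:1834920101(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
4 packets shown
"""

LINE_RE = re.compile(
    r"^\s*(?P<idx>\d+):\s+(?P<ts>\S+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))?\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?:\s*(?P<detail>.*)$")


def parse_capture(text):
    """Yield one dict per packet line; trailer lines such as 'N packets shown' are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def direction(pkt):
    """'forward' for client->LAN, 'return' for LAN->client, None for anything else."""
    src, dst = ip_address(pkt["src"]), ip_address(pkt["dst"])
    if src in VPN_POOL and dst in LAN:
        return "forward"   # seen as the ASA hairpins it out of the outside interface
    if src in LAN and dst in VPN_POOL:
        return "return"    # only seen if the LAN side routes the pool back to the ASA
    return None


def summarize(text):
    """Per-LAN-host packet counts by direction, plus the hosts that never reply."""
    counts = defaultdict(lambda: {"forward": 0, "return": 0})
    for pkt in parse_capture(text):
        d = direction(pkt)
        if d is None:
            continue
        lan_host = pkt["dst"] if d == "forward" else pkt["src"]
        counts[lan_host][d] += 1
    no_return = sorted(h for h, c in counts.items() if c["forward"] and not c["return"])
    return dict(counts), no_return


if __name__ == "__main__":
    counts, missing = summarize(SAMPLE_CAPTURE)
    for host, c in sorted(counts.items()):
        print(f"{host}: {c['forward']} to host, {c['return']} back")
    print("hosts with no return traffic on outside:", missing or "none")
```

A host that shows forward packets and no return packets is answering (if it answers at all) toward some gateway that does not lead back to 192.168.1.244, which is the routing check from the earlier reply; a host that shows return packets but the client still sees the connection closed points instead at the NAT or access-list side of the ASA.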
11-14-2016 09:50 AM
That was in there as I used to use the 5505 as my firewall as well and I had to have that NAT exception to get the VPN to work. So maybe it isn't necessary.
I'll run the tests tonight and post the output.