
NAT problem, AnyConnect clients can't reach DMZ?

3moloz123
Level 1

Hi,

ASA 8.3

AnyConnect users can reach INSIDE, but not DMZ. The DMZ host 10.120.1.2 is what I am trying to reach.

Packet-tracer shows it should be possible. Attaching my asa config.

What am I missing?

Packet-tracer:

asa-kalasa# packet-tracer input vpn tcp 172.16.32.4 50545 10.120.1.2 22

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.120.1.0      255.255.255.0   dmz

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group dmz_access_in in interface dmz
access-list dmz_access_in extended permit ip any any log disable
Additional Information:

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group dmz_access_out out interface vpn
access-list dmz_access_out extended permit ip any any log disable
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 32484740, packet dispatched to next module

Result:
input-interface: dmz
input-status: up
input-line-status: up
output-interface: dmz
output-status: up
output-line-status: up
Action: allow

1 Accepted Solution

Hello,

On the NAT statements, instead of using the any any, use the object groups for each network, like:

nat (inside,outside) source static OFFICE-NET OFFICE-NET destination static NETWORK_OBJ_172.16.32.0_24 NETWORK_OBJ_172.16.32.0_24

Same for the DMZ.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

6 Replies

3moloz123
Level 1

Bumping this thread. Surely someone must be able to help me debug this further?

I have isolated the problem to these two rules:

6 (inside) to (outside) source static any any destination static ipsecvpnpool ipsecvpnpool
    translate_hits = 4997, untranslate_hits = 34889
5 (dmz) to (outside) source static any any destination static ipsecvpnpool ipsecvpnpool
    translate_hits = 0, untranslate_hits = 0

Here, AnyConnect can reach inside, but not DMZ. If I, however, change the order of the NAT rules, then AnyConnect can reach DMZ but not inside.

5 (dmz) to (outside) source static any any destination static ipsecvpnpool ipsecvpnpool
    translate_hits = 0, untranslate_hits = 0
6 (inside) to (outside) source static any any destination static ipsecvpnpool ipsecvpnpool
    translate_hits = 4997, untranslate_hits = 34889


Hi jcarvaja!

That did indeed work. I'm not sure why any any wouldn't be as good a match, as it clearly must differ on what interface the packet comes in on. Anyway, thank you for the answer.

Hello 3moloz,

Glad to hear I could help! Yeah, usually the any any on a NAT statement causes a lot of issues due to ARP problems.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

TianXia
Level 1

I have the same problem in 9.24.

object network inside
 subnet 10.0.0.0 255.255.255.0
 nat (inside,outside) dynamic interface
object network dmz
 subnet 172.16.0.0 255.255.255.0
 nat (dmz,outside) dynamic interface

object network vpnpool
 subnet 10.0.1.0 255.255.255.0

Create vpnpool for the AnyConnect client address pool.

If you only do these, the AnyConnect client only reaches the inside network. So I used twice NAT to solve it:

nat (inside,outside) source static inside inside destination static vpnpool vpnpool
nat (dmz,outside) source static dmz dmz destination static vpnpool vpnpool

The AnyConnect client can then reach both the inside and DMZ networks.
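A simplified model of why the rule order and the "any any" source matter, as an added example that is not from this thread, from Cisco, or from either poster: in the manual NAT table the first rule that matches wins, and in this model the matching rule (not the routing table) chooses the egress interface for the untranslated VPN-pool-to-LAN flow. The DMZ host 10.120.1.2 and VPN client 172.16.32.4 come from the packet-tracer above; the inside network 10.110.1.0/24 and its host are constructed assumptions, since the thread never lists them. The model deliberately leaves out the routing fallback and the ARP side of a real ASA.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing, modelled on the thread. The DMZ host and the VPN
# client are the thread's own values; the inside network is an assumption.
ANY = ipaddress.ip_network("0.0.0.0/0")
INSIDE_NET = ipaddress.ip_network("10.110.1.0/24")   # assumed, not in the thread
DMZ_NET = ipaddress.ip_network("10.120.1.0/24")
VPN_POOL = ipaddress.ip_network("172.16.32.0/24")    # "ipsecvpnpool" in the thread

VPN_CLIENT = ipaddress.ip_address("172.16.32.4")
DMZ_HOST = ipaddress.ip_address("10.120.1.2")
INSIDE_HOST = ipaddress.ip_address("10.110.1.10")    # assumed, not in the thread


@dataclass
class NatRule:
    """One manual (twice) NAT line:
    nat (real_if,mapped_if) source static S S destination static D D"""
    real_if: str
    mapped_if: str
    real_src: ipaddress.IPv4Network    # the "source static S S" object
    mapped_dst: ipaddress.IPv4Network  # the "destination static D D" object

    def matches_reverse(self, src, dst):
        # Untranslate direction: a packet entering mapped_if from a host in the
        # destination object (the VPN pool), going to a host in the source object.
        return src in self.mapped_dst and dst in self.real_src


def egress_for(rules, src, dst):
    """First-match walk of the manual NAT table. In this model the matching
    rule, not the routing table, decides the egress interface."""
    for rule in rules:
        if rule.matches_reverse(src, dst):
            return rule.real_if
    return None  # no manual NAT match; a real box would fall through to routing


def reachable(rules, src, dst, host_if):
    """The host only answers if the flow leaves via the interface it lives on."""
    return egress_for(rules, src, dst) == host_if


# The original rules 6 and 5: "source static any any" on both lines.
RULES_ANY = [
    NatRule("inside", "outside", ANY, VPN_POOL),
    NatRule("dmz", "outside", ANY, VPN_POOL),
]

# The accepted fix: one rule per real network, each matching only that network.
RULES_OBJECT = [
    NatRule("inside", "outside", INSIDE_NET, VPN_POOL),
    NatRule("dmz", "outside", DMZ_NET, VPN_POOL),
]


def compare(rules):
    """Which of the two hosts a VPN client can reach under a given rule order."""
    return {
        "inside": reachable(rules, VPN_CLIENT, INSIDE_HOST, "inside"),
        "dmz": reachable(rules, VPN_CLIENT, DMZ_HOST, "dmz"),
    }


if __name__ == "__main__":
    print("any/any, inside first :", compare(RULES_ANY))
    print("any/any, dmz first    :", compare(list(reversed(RULES_ANY))))
    print("objects, inside first :", compare(RULES_OBJECT))
    print("objects, dmz first    :", compare(list(reversed(RULES_OBJECT))))
```

With the any/any rules the first line claims every flow from the pool, which is why the second line shows translate_hits = 0 and why swapping the two lines simply swaps which network becomes unreachable. With per-network objects each flow matches only the rule for the interface the destination actually sits behind, so the order no longer matters. The same reasoning is behind the twice NAT lines in the post above, where the source object of each rule is the real network rather than any.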
