Community Member

NAT problem, AnyConnect clients can't reach DMZ?

Hi,

ASA 8.3

AnyConnect users can reach INSIDE, but not DMZ. DMZ host 10.120.1.2 is what I am trying to reach.

Packet-tracer shows it should be possible. Attaching my asa config.

What am I missing?

Packet-tracer:

asa-kalasa# packet-tracer input vpn tcp 172.16.32.4 50545 10.120.1.2 22

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.120.1.0      255.255.255.0   dmz

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group dmz_access_in in interface dmz
access-list dmz_access_in extended permit ip any any log disable
Additional Information:

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group dmz_access_out out interface vpn
access-list dmz_access_out extended permit ip any any log disable
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 32484740, packet dispatched to next module

Result:
input-interface: dmz
input-status: up
input-line-status: up
output-interface: dmz
output-status: up
output-line-status: up
Action: allow

Accepted Solution

AnyConnect clients can't reach DMZ?

Hello,

On the NAT statements, instead of using any any, use the object groups for each network, like:

nat (inside,outside) source static OFFICE-NET OFFICE-NET destination static NETWORK_OBJ_172.16.32.0_24 NETWORK_OBJ_172.16.32.0_24

Same for the DMZ

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
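The accepted fix carried through for both interfaces, as an added example that is not from the thread. It assumes OFFICE-NET and DMZ-NET as the object names for the inside and DMZ subnets (the inside range 192.168.1.0/24 is a placeholder), and that ipsecvpnpool already defines the 172.16.32.0/24 AnyConnect pool seen in the packet-tracer.

```cisco
! Added example, not the poster's configuration.
! Real subnets behind each interface; 10.120.1.0/24 is the DMZ from the
! thread, 192.168.1.0/24 is a placeholder for the inside network.
object network OFFICE-NET
 subnet 192.168.1.0 255.255.255.0
object network DMZ-NET
 subnet 10.120.1.0 255.255.255.0
! ipsecvpnpool is assumed to exist already as 172.16.32.0/24.
!
! Before (the two rules the poster isolated): each rule claims every
! real address on its interface, so the two overlap and only the one
! listed first in the NAT table ever collects untranslate_hits.
!   nat (inside,outside) source static any any destination static ipsecvpnpool ipsecvpnpool
!   nat (dmz,outside)    source static any any destination static ipsecvpnpool ipsecvpnpool
!
! After: identity (no-NAT) rules scoped to the real subnet of each
! interface, so VPN traffic to 10.120.1.2 can only match the dmz rule.
no nat (inside,outside) source static any any destination static ipsecvpnpool ipsecvpnpool
no nat (dmz,outside) source static any any destination static ipsecvpnpool ipsecvpnpool
nat (inside,outside) source static OFFICE-NET OFFICE-NET destination static ipsecvpnpool ipsecvpnpool
nat (dmz,outside) source static DMZ-NET DMZ-NET destination static ipsecvpnpool ipsecvpnpool
!
! Verification: the dmz rule should now show non-zero untranslate_hits
! after a client connects, and the trace should egress on dmz.
!   show nat
!   packet-tracer input outside tcp 172.16.32.4 50545 10.120.1.2 22
```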
5 REPLIES
Community Member

AnyConnect clients can't reach DMZ?

Bumping this thread. Surely, someone must be able to help me debug this further?

Community Member

AnyConnect clients can't reach DMZ?

I have isolated the problem to these two rules:

6 (inside) to (outside) source static any any destination static ipsecvpnpool ipsecvpnpool
    translate_hits = 4997, untranslate_hits = 34889
5 (dmz) to (outside) source static any any destination static ipsecvpnpool ipsecvpnpool
    translate_hits = 0, untranslate_hits = 0

Here, AnyConnect can reach inside, but not DMZ. If I however change the order of the NAT rules, then AnyConnect can reach DMZ but not inside.

5 (dmz) to (outside) source static any any destination static ipsecvpnpool ipsecvpnpool
    translate_hits = 0, untranslate_hits = 0
6 (inside) to (outside) source static any any destination static ipsecvpnpool ipsecvpnpool
    translate_hits = 4997, untranslate_hits = 34889

Community Member

AnyConnect clients can't reach DMZ?

Hi jcarvaja!

That did indeed work. I'm not sure why any any wouldn't be as good a match, as it clearly must differ on what interface the packet comes in on. Anyway, thank you for the answer.

AnyConnect clients can't reach DMZ?

Hello 3moloz,

Glad to hear I could help! Yeap, usually the any any on a NAT statement causes a lot of issues due to ARP problems.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC