Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
902
Views
0
Helpful
7
Replies

problems with VPN and NAT

djxtcsthlm77
Level 1
Level 1

‎09-29-2013 04:39 PM - edited ‎03-11-2019 07:44 PM

I'm running a ASA 5505 with IOS 8.4

I was trying to setup anyconnect ssl vpn and now it's really strange, i cant get it to work.

I'm able to connect to the VPN service, but no network at all. I cant connect to either local hosts or to the internet when i'm connected to the VPN.

Below is my full config (masking password & public IP).

Anyone have any ideas? Or where i can start troubleshoot?

: Saved

:

ASA Version 8.4(4)1

!

hostname vpn

domain-name domain.com

enable password XXXXXXXXXXXXXXX encrypted

passwd XXXXXXXXXXXXX encrypted

names

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.240.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address X.Y.Z.Z 255.255.255.224

!

boot system disk0:/asa844-1-k8.bin

boot system disk0:/asa825-k8.bin

ftp mode passive

dns domain-lookup inside

dns domain-lookup outside

dns server-group DefaultDNS

name-server 8.8.8.8

name-server 8.8.4.4

domain-name domain.com

object network obj-192.168.240.0

subnet 192.168.240.0 255.255.255.0

object-group network NETWORK_OBJ_192.168.241.0_25

object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

access-list outside_access_in extended permit ip 192.168.240.0 255.255.255.0 any

access-list outside_access_in extended deny ip any any

access-list XXXXXX_VPN_ACL standard permit 192.168.240.0 255.255.255.0

access-list inside_access_in extended permit ip any any log disable

access-list inside_access_in extended deny ip any any

access-list nat-exempt extended permit ip 192.168.240.0 255.255.255.0 192.168.241.0 255.255.255.0

access-list VPN_ACL extended permit ip 192.168.240.0 255.255.255.0 any

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

ip local pool VPN_IP_POOL 192.168.241.50-192.168.241.70 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-649-103.bin

no asdm history enable

arp timeout 14400

!

object network obj-192.168.240.0

nat (inside,outside) dynamic interface

access-group inside_access_in in interface inside

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 DGW_IP 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL

http server enable

http 192.168.240.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto map outside_map interface outside

crypto ca trustpoint ASDM_TrustPoint0

enrollment self

subject-name CN=vpn.domain.com

keypair VPN

proxy-ldc-issuer

crl configure

crypto ca certificate chain ASDM_TrustPoint0

certificate 7e2d4352

    3082024c 308201b5 a0030201 0202047e 2d435230 0d06092a 864886f7 0d010105

    bed6f320 a5047dba 203db5cc b933cd52 25c7822d a525de87 9b521770 78e8ccff

    092a8648 86f70d01 01050500 03818100 0d5404b2 20db2566 ccf213d5 d00372a4

    e512093a da4f007d 5d7cb409 034dd59b 7df80f4f a9b7b014 4de91eaf beb8f3b4

    16a417ba 07c04292 881413fc 18c73894 2ccc3f2a 820c449a 70516774 cf859c3a

    f37b5397 4d4efc07 306a1ad2 04239f97 a26f8625 af4f90c5 28b47744 718656d8

    e885a641 e3517bff 8f64be2b 21fab9c5

  quit

telnet timeout 30

ssh timeout 30

ssh key-exchange group dh-group1-sha1

console timeout 0

dhcpd auto_config outside

!

dhcpd address 192.168.240.101-192.168.240.132 inside

dhcpd dns dns1srv dns2srv interface inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ssl trust-point ASDM_TrustPoint0 outside

webvpn

enable outside

anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1

anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 2

anyconnect enable

cache

  cache-static-content enable

group-policy DfltGrpPolicy attributes

dns-server value 8.8.8.8 8.8.4.4

vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless

split-tunnel-policy tunnelspecified

split-tunnel-network-list value XXXXXX_VPN_ACL

default-domain value domain.com

split-tunnel-all-dns enable

address-pools value VPN_IP_POOL

group-policy AnyConnect internal

group-policy AnyConnect attributes

wins-server none

dns-server value 8.8.8.8 8.8.4.4

vpn-tunnel-protocol ssl-client

default-domain value domain.com

address-pools value VPN_IP_POOL

username admin password XXXXXXXXXXX encrypted

tunnel-group DefaultWEBVPNGroup general-attributes

address-pool VPN_IP_POOL

default-group-policy AnyConnect

tunnel-group VPN type remote-access

tunnel-group VPN general-attributes

address-pool VPN_IP_POOL

default-group-policy AnyConnect

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect ip-options

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:6b4b05d3f1dd7bd5888890f805018f32

: end

Labels:
0 Helpful
7 Replies 7

djxtcsthlm77
Level 1
Level 1

‎09-29-2013 04:43 PM

Tried a packet trace and this is the output:

It fails in the NAT section and then the result is:

(acl-drop) flow is denied by configured rule

0 Helpful

Karsten Iwen
VIP
VIP
In response to djxtcsthlm77

‎09-29-2013 05:05 PM

Are you only testing with PING? If yes, then configure the folowing and also test with other services (http, ftp ...):

policy-map global_policy

class inspection_default

  inspect icmp

And for accessing the internet you have to configure either Split-Tunneling or NAT from outside to outside.

-- 

Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

0 Helpful

djxtcsthlm77
Level 1
Level 1
In response to Karsten Iwen

‎09-30-2013 12:16 AM

Right now im concerned about why i even cant access local network resources.

I've tried adding the above commands but it didnt helt out

I do receive these errors in the log:

Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:192.168.241.51/49484(LOCAL\admin) dst inside:192.168.240.10/5000 denied due to NAT reverse path failure

Where 192..168.241.0 is my VPN IP pool and 192.168.240.0 is my local network.

0 Helpful

Karsten Iwen
VIP
VIP
In response to djxtcsthlm77

‎09-30-2013 12:24 AM

I just see it: You don't have any nat-exemption configured for your VPN-traffic:

object-group network VPN

  network-object 192.168.241.0 255.255.255.0

!

object-group network LAN

  network-object 192.168.240.0 255.255.255.0

!

nat  1 (any,outside) source static LAN LAN destination static VPN VPN no-proxy-arp route-lookup

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

0 Helpful

djxtcsthlm77
Level 1
Level 1
In response to Karsten Iwen

‎09-30-2013 12:46 AM

Thanks, that solved the local network access.I still have problems with internet access now. I've checked my split tunneling but it still doesnt work, do you see anything wrong with split tunneling?

0 Helpful

Karsten Iwen
VIP
VIP
In response to djxtcsthlm77

‎09-30-2013 01:31 AM

Your combination of default- and configured groups is a little bit strange but still should work. I don't remember if the old AnyConnect-client 2.5 had some special behaviour. So I would change that to the newest 3.1 release. If that works you probably have to use a public certificate to get rid of the certificate-warnings.

What do you see under secured routes in the client after you establish the connection?

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

0 Helpful

djxtcsthlm77
Level 1
Level 1
In response to Karsten Iwen

‎09-30-2013 02:18 AM

Im actually running version 3.1.01085

Under secured routes i see

192.168.240.0/24

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card