13826 Views, 10 Helpful, 5 Replies

SSL Anyconnect client can't ping internal network

sam saeed
Level 1

I can authenticate through anyconnect and grab the ip address that I set in the vpn pool but I cannot ping any internal host.

Internal is 192.168.2.0

VPN network is 192.168.5.0

I looked at the asa log viewer and it says

Asymmetric NAT rules matched for forward and reverse flows; connection for udp src outside: 192.168.5.0/137 denied to NAT reverse path failure

I'm guessing my NAT exempt rule has to be incorrect or something. I'm all out of ideas; I could use some help. To be safe I created a VLAN for the VPN network on the connected 3750 switch and a subinterface on the default gateway, which is a 2811 router, to allow inter-VLAN communication. I also configured a route from the ASA to the 2811 router but still nothing. Honestly I'm not even sure if I was even required to do the steps I just mentioned.

This is the ASA configuration

ciscoasa# sh run

: Saved

:

ASA Version 8.2(5)

!

hostname ciscoasa

domain-name work.local

enable password qs4KxKxaDPGaY6hx encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

name 192.168.2.0 INSIDE

name 192.168.5.0 VPN-NETWORK

dns-guard

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

description LAN

nameif inside

security-level 100

ip address 192.168.2.251 255.255.255.0

!

interface Vlan2

description WAN

nameif outside

security-level 0

ip address 30.20.30.40 255.255.255.0

!

ftp mode passive

access-list 100 extended permit icmp any any

access-list inside_nat0_outbound extended permit ip INSIDE 255.255.255.0 VPN-NETWORK 255.255.255.0

access-list SPLIT-TUNNEL standard permit VPN-NETWORK 255.255.255.0

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

ip local pool VPN-POOL 192.168.5.50-192.168.5.55 mask 255.255.255.0

ip verify reverse-path interface outside

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-645.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

access-group 100 in interface outside

route outside 0.0.0.0 0.0.0.0 30.20.30.1

route inside 10.10.10.0 255.255.255.0 192.168.2.1 1

route inside 192.168.3.0 255.255.255.0 192.168.2.1 1

route inside VPN-NETWORK 255.255.255.0 192.168.2.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication http console LOCAL

aaa authentication telnet console LOCAL

http server enable

http INSIDE 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto ca trustpoint localtrust

enrollment self

fqdn sslvpn.work.com

subject-name CN=sslvpn.workl.com

keypair sslvpnkey

crl configure

crypto ca trustpoint LOCAL-CA-SERVER

crl configure

crypto ca server

shutdown

crypto ca certificate chain localtrust

certificate 9712ed51


  quit

crypto ca certificate chain LOCAL-CA-SERVER

certificate ca 01


  quit

telnet INSIDE 255.255.255.0 inside

telnet 192.168.1.0 255.255.255.255 inside

telnet timeout 5

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection scanning-threat shun except ip-address 10.10.10.0 255.255.255.0

threat-detection scanning-threat shun except ip-address INSIDE 255.255.255.0

threat-detection scanning-threat shun except ip-address VPN-NETWORK 255.255.255.0

threat-detection statistics access-list

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

webvpn

port 52100

enable outside

svc image disk0:/anyconnect-win-3.1.04066-k9_3.pkg 1

svc enable

tunnel-group-list enable

group-policy DfltGrpPolicy attributes

dns-server value 209.244.0.3 209.244.0.4

default-domain value work.local

group-policy AnyC_vpn_users internal

group-policy AnyC_vpn_users attributes

wins-server none

dns-server value 192.168.2.250

vpn-tunnel-protocol svc

split-tunnel-policy tunnelspecified

split-tunnel-network-list value SPLIT-TUNNEL

default-domain value work.local

address-pools value VPN-POOL

username Admin password 50kW205ESdwCv6Hv encrypted privilege 15

username User013 password LoQiMJe/l0JC8MX1 encrypted privilege 15

tunnel-group AnyC-Test-VPN type remote-access

tunnel-group AnyC-Test-VPN general-attributes

address-pool VPN-POOL

default-group-policy AnyC_vpn_users

tunnel-group AnyC-Test-VPN webvpn-attributes

group-alias AnyC-Test-VPN enable

tunnel-group telecommuters type remote-access

tunnel-group telecommuters webvpn-attributes

group-alias vpn_department enable

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect ip-options

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny 

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip 

  inspect xdmcp

  inspect icmp

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:f4089ec09306af333efd0ac46206c85c


5 Replies

Jouni Forss
VIP Alumni

Hi,

NAT0 configuration seems to be in order.

I am not sure what you have created in the other devices. If you have configured the VPN Pool network somewhere else in the network I would suggest removing those configurations. Also remove the "route" command for the VPN network from the ASA.

The problem with your VPN configuration is the Split Tunnel ACL. You have configured the VPN network in the ACL even though it should mention the LAN network.

The Split Tunnel ACL tells the VPN Client which networks are found through the VPN connection, and in this case it's naturally the LAN network.

Do these changes:

access-list SPLIT-TUNNEL standard permit 192.168.2.0 255.255.255.0

no access-list SPLIT-TUNNEL standard permit VPN-NETWORK 255.255.255.0

And as I said, check that you don't have the VPN Pool network configured in the LAN.

- Jouni

Ok, great, it worked! Creating the subinterfaces in the router with the 192.168.5.0 network was killing everything, so I removed that and made the changes to the split tunnel. I can ping everything except for the ASA; I would like to be able to telnet into the ASA. I can telnet into everything else router/switch-wise. What do I need to enable telnet on the ASA?

I added this command:

telnet VPN-NETWORK 255.255.255.255 inside

But I know if I can't ping it then I probably can't telnet into it.

Hi,

Try adding the command

management-access inside

This should allow connection to the "inside" interface through the VPN connection. This is not otherwise allowed since you are connecting from behind another interface (other than the destination interface).

- Jouni
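Jouni's two points above (the split-tunnel ACL must list the LAN rather than the VPN pool, and reaching the inside interface itself from the tunnel needs management-access) are the kind of thing worth checking mechanically before deploying a config. The following is an added example, not code from the thread or from Cisco: it parses a constructed ASA 8.2 snippet built from the poster's config (the name aliases, nat0 ACL, pool and group-policy are the page's; the checks and their names are mine) and reports whether the split-tunnel list points at the pool or the LAN, whether NAT0 exempts inside-to-pool traffic, and whether management-access inside is set.

```python
import ipaddress

# Constructed sample mirroring the thread's ASA 8.2 config (trimmed to the relevant lines).
ASA_CONFIG = """\
name 192.168.2.0 INSIDE
name 192.168.5.0 VPN-NETWORK
interface Vlan1
 nameif inside
 ip address 192.168.2.251 255.255.255.0
access-list inside_nat0_outbound extended permit ip INSIDE 255.255.255.0 VPN-NETWORK 255.255.255.0
access-list SPLIT-TUNNEL standard permit VPN-NETWORK 255.255.255.0
ip local pool VPN-POOL 192.168.5.50-192.168.5.55 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
group-policy AnyC_vpn_users attributes
 split-tunnel-network-list value SPLIT-TUNNEL
"""

def net(addr, mask, names):
    # Resolve an ASA "name" alias and build the network from address + dotted mask.
    return ipaddress.ip_network(f"{names.get(addr, addr)}/{mask}", strict=False)

def audit_asa(cfg):
    # Hypothetical checker: split-tunnel ACL, NAT0 exemption and management-access.
    names, acls, mgmt = {}, {}, False
    inside = pool = nat0_acl = split_acl = nameif = None
    for w in (line.split() for line in cfg.splitlines() if line.strip()):
        if w[0] == "name":                      # name <ip> <alias>
            names[w[2]] = w[1]
        elif w[0] == "nameif":
            nameif = w[1]
        elif w[:2] == ["ip", "address"] and nameif == "inside":
            inside = net(w[2], w[3], names)
        elif w[:3] == ["ip", "local", "pool"]:  # pool start address + mask -> pool subnet
            pool = net(w[4].split("-")[0], w[6], names)
        elif w[0] == "access-list" and w[2] == "standard":
            acls.setdefault(w[1], []).append((net(w[4], w[5], names), None))
        elif w[0] == "access-list" and w[2] == "extended":
            acls.setdefault(w[1], []).append((net(w[5], w[6], names), net(w[7], w[8], names)))
        elif w[0] == "nat" and w[2] == "0":     # nat (inside) 0 access-list <acl>
            nat0_acl = w[4]
        elif w[0] == "split-tunnel-network-list":
            split_acl = w[2]
        elif w[:2] == ["management-access", "inside"]:
            mgmt = True
    split = [s for s, _ in acls.get(split_acl, [])]
    return {
        "split_tunnel_lists_pool": any(s.overlaps(pool) for s in split),
        "split_tunnel_covers_inside": any(inside.subnet_of(s) for s in split),
        "nat0_covers_pool": any(inside.subnet_of(s) and pool.subnet_of(d) for s, d in acls.get(nat0_acl, []) if d),
        "management_access_inside": mgmt,
    }
```

On the sample as posted the checker flags the split-tunnel list as naming the pool and not the LAN, confirms NAT0 exempts inside-to-pool, and reports management-access inside as missing; after applying Jouni's two changes all four checks pass.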

Cool, everything works. One last thing: I have 2 access servers for lab purposes and I can't ping those through the VPN. On each one I added the command ip default-gateway 192.168.2.1 --> the 2811, which handles the routing. I checked the real-time log viewer and the pings are passing through the firewall. I'm not sure why I can't ping them from the VPN. I can ping those IP addresses internally just fine. The IP addresses for the access servers are:

192.168.2.152

192.168.2.153

This is the configuration for one of them; the 2nd one is configured the exact same way, so no need to paste that one as well. If I can't figure it out, then I can still telnet into the 2811 and telnet from there into the access server, but I'd rather be able to do it directly.

LAB_AccesServer#sh run

Building configuration...

Current configuration:

!

version 12.0

service timestamps debug uptime

service timestamps log uptime

no service password-encryption

!

hostname LAB_AccesServer

!

enable password password

!

username Dmart014 privilege 15 password 0 asdfeF231$21

ip subnet-zero

ip host r1 2001 2.1.1.1

ip host r2 2002 2.1.1.1

ip host r3 2003 2.1.1.1

ip host r4 2004 2.1.1.1

ip host r5 2005 2.1.1.1

ip host r6 2006 2.1.1.1

ip host r7 2007 2.1.1.1

ip host r8 2008 2.1.1.1

!

!

!

interface Loopback0

ip address 2.1.1.1 255.0.0.0

no ip directed-broadcast

!

interface Ethernet0

ip address 192.168.2.153 255.255.255.0

no ip directed-broadcast

!

interface Serial0

no ip address

no ip directed-broadcast

shutdown

!

ip default-gateway 192.168.2.1

ip classless

!

!

line con 0

exec-timeout 0 0

privilege level 15

logging synchronous

transport preferred telnet

transport input none

line 1 8

session-timeout 35000

no exec

exec-timeout 0 0

privilege level 15

logging synchronous

transport preferred telnet

transport input all

line aux 0

transport input all

line vty 0 4

exec-timeout 5041 0

privilege level 15

login local

transport input telnet

!

end

Am I supposed to be able to ping AnyConnect VPN users from the ASA or internal PCs? Because I currently can't.
