ASA 5512x Anyconnect VPN Failed to connect to inside network 9.1

Raul 123
Level 1

Hi,

I'm new to ASA, can I please get some help with this. I manage to connect the VPN via the Cisco AnyConnect Mobility Client, however I'm unable to connect to the internet network. The IP address being allocated was 172.16.1.60 and it seems correct. I believe my ACL and NAT are configured to allow and translate the VPN allocated IP pool, but I'm not able to ping anything on the internal side.

Can someone shed some light... there's gotta be something I'm missing.

Below is my sh run.

Thanks

Raul

-------------------------------------------------------------------------------

DLSYD-ASA# sh run

: Saved
:
ASA Version 9.1(2) 
!
hostname DLSYD-ASA
domain-name delo.local
enable password UszxwHyGcg.e6o4z encrypted
names
ip local pool DLVPN_Pool 172.16.1.60-172.16.1.70 mask 255.255.255.0
!
interface GigabitEthernet0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2
 description Ext
 speed 10
 duplex full
 nameif Ext
 security-level 0
 ip address 125.255.160.54 255.255.255.252 
!
interface GigabitEthernet0/3
 description Int
 speed 10
 duplex full
 nameif Int
 security-level 100
 ip address 192.168.255.2 255.255.255.252 
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
!
boot system disk0:/asa912-smp-k8.bin
ftp mode passive
clock timezone EST 10
clock summer-time EDT recurring last Sun Oct 2:00 last Sun Mar 3:00
dns domain-lookup inside
dns domain-lookup Int
dns server-group DefaultDNS
 name-server 192.168.1.90
 name-server 192.168.1.202
 domain-name delo.local
same-security-traffic permit intra-interface
object network dlau40
 host 192.168.1.209
object network dlausyd02
 host 192.168.1.202
object network 192.168.1.42
 host 192.168.1.42
object network dlau-utm
 host 192.168.1.50
object network dlauxa6
 host 192.168.1.62
object network 192.168.1.93
 host 192.168.1.93
object network dlau-ftp01
 host 192.168.1.112
object network dlau-dlau-ftp01
object network dlvpn_network
 subnet 172.16.1.0 255.255.255.0
object-group icmp-type Good-ICMP
 icmp-object echo
 icmp-object echo-reply
 icmp-object time-exceeded
 icmp-object traceroute
 icmp-object unreachable
access-list DLVPN_STAcl standard permit 192.168.0.0 255.255.0.0 
access-list DLVPN_STAcl standard permit 196.1.1.0 255.255.255.0 
access-list DLVPN_STAcl standard permit 126.0.0.0 255.255.0.0 
access-list Ext_access_in extended permit icmp any any object-group Good-ICMP 
access-list Ext_access_in extended permit tcp any object dlau-ftp01 eq ftp 
access-list Ext_access_in extended permit tcp any object dlausyd02 eq https 
access-list Ext_access_in extended permit tcp any object dlau-utm eq smtp 
access-list Ext_access_in extended permit tcp any object dlauxa6 eq 444 
access-list Ext_access_in extended permit ip object kobby-home any 
pager lines 24
logging enable
logging asdm informational
mtu Ext 1500
mtu Int 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-713.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (Int,Ext) source static any any destination static dlvpn_network dlvpn_network no-proxy-arp
!
object network dlausyd02
 nat (Int,Ext) static interface service tcp https https 
object network dlau-utm
 nat (Int,Ext) static interface service tcp smtp smtp 
object network dlauxa6
 nat (Int,Ext) static interface service tcp 444 444 
object network dlau-ftp01
 nat (Int,Ext) static interface service tcp ftp ftp 
access-group Ext_access_in in interface Ext
route Ext 0.0.0.0 0.0.0.0 125.255.160.53 1
route Int 192.168.0.0 255.255.0.0 192.168.255.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication enable console LOCAL 
aaa authentication telnet console LOCAL 
aaa authentication http console LOCAL 
aaa authentication serial console LOCAL 
aaa authentication ssh console LOCAL 
http server enable 44310
http server idle-timeout 30
http 192.168.0.0 255.255.0.0 Int
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet 192.168.1.0 255.255.255.0 management
telnet timeout 30
ssh 192.168.0.0 255.255.0.0 Int
ssh timeout 30
ssh key-exchange group dh-group1-sha1
console timeout 0
no ipv6-vpn-addr-assign aaa
no ipv6-vpn-addr-assign local
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 61.8.0.89 source outside prefer
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
webvpn
 port 44320
 enable outside
 enable Ext
 anyconnect-essentials
 anyconnect image disk0:/anyconnect-win-3.1.05170-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
group-policy GroupPolicy_DLVPN internal
group-policy GroupPolicy_DLVPN attributes
 wins-server none
 dns-server value 192.168.1.90 192.168.1.202
 vpn-tunnel-protocol ssl-client 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value DLVPN_STAcl
 default-domain value delonghi.local
 webvpn
  anyconnect keep-installer installed
  anyconnect ssl rekey time 30
  anyconnect ssl rekey method ssl
  anyconnect ask none default anyconnect
username vendor_ipfx password pb6/6ZHhaPgDKSHn encrypted
username vendor_pacnet password mIHuYi1jcf9OqVN9 encrypted
username admin password tFU2y7Uo15ahFyt4 encrypted
tunnel-group DLVPN type remote-access
tunnel-group DLVPN general-attributes
 address-pool DLVPN_Pool
 default-group-policy GroupPolicy_DLVPN
tunnel-group DLVPN webvpn-attributes
 group-alias DLVPN enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect netbios 
  inspect ip-options 
  inspect ftp 
  inspect tftp 
!
service-policy global_policy global
smtps
 server 192.168.1.50
 default-group-policy DfltGrpPolicy
prompt hostname context 
no call-home reporting anonymous
Cryptochecksum:67aa840d5cfff989bc045172b2d06212
: end
DLSYD-ASA# 

Accepted Solution

Jouni Forss
VIP Alumni

Hi,

Just to be sure, add the following configurations related to ICMP traffic:

policy-map global_policy
 class inspection_default
   inspect icmp
   inspect icmp error

Your NAT0 configurations for the traffic between LAN and VPN users seem fine. Your Split Tunnel ACL seems fine also, since it has the 192.168.0.0/16 included. I am not sure what the other ones are.

I am wondering if this is a test setup, since you don't seem to have a Dynamic PAT configured for your LAN at all. Just some Static PAT configurations and the NAT0 for VPN. If this is a test setup still, then have you confirmed that the device behind the ASA in the internal network has a default route pointing towards the ASA's interface, and if so, is it configured correctly?

Can you even ICMP the device directly behind the ASA that is the gateway towards the LAN networks?

If you want to try ICMP to the internal interface of the ASA from the VPN, then you can add this command and try ICMP again to the ASA internal interface:

management-access Int

Also, the post is a bit confusing in the sense that the topic talks about traffic not working to the internal network while the post mentions traffic to the Internet? I guess you only meant the traffic to the LAN, since you are using Split Tunnel VPN, which means traffic to the Internet should use the VPN user's local Internet connection while traffic towards the networks specified in the Split Tunnel ACL should be forwarded to the VPN.

- Jouni


3 Replies


Hi Jouni,

Thanks for your tip, which reminded me this is a test environment.

Therefore, while the default route is still going back to the firewall in production, of course I will not receive any ping reply back from the internal IP. It is now working after creating a static route to route the traffic to the test IP.

As mentioned, I'm new to ASA; I'm not quite sure what a Dynamic PAT is, and you are right that I use a few NAT rules to do my port forwarding for some network services. Are you recommending Dynamic PAT to be used instead of static NAT?

ICMP directly between the ASA and the LAN is fine, works no problem. Sorry that I confused you; in the post I made a typo, it's supposed to be "internal" not internet, my bad.

Thanks,

Raul

Hi,

The reason why I mentioned Dynamic PAT is because that is usually the one NAT configuration that is found on any firewall that is in production use with actual users behind it. And the Dynamic PAT configuration is there usually to translate any internal user IP address to a shared public IP address (typically the public IP address configured on the ASA's external interface) so that any internal user can connect to the Internet.

At this moment the device's configuration lacks the Dynamic PAT configurations, and therefore if any user traffic towards the Internet were to be forwarded to this ASA, then the ASA would simply pass that traffic to the Internet without doing NAT to it. This would of course mean that the users would show up with an internal/private IP address to the Internet and connections would fail.

But as you said, this is a new device and traffic is still forwarded to some other firewall that handles the Internet traffic, so in that sense lacking the Dynamic PAT configurations is not surprising.

If you wanted to configure a Dynamic PAT that would translate any internal IP address to the public IP address configured on the ASA's external interface when the user was connecting to the Internet, then you could use this configuration for example:

nat (Int,Ext) after-auto source dynamic any interface

There are other versions of this configuration depending on what your needs are. You can even use an "object-group" to first define the source networks for which the Dynamic PAT will be performed. You can also use a different public IP address for the Dynamic PAT if you have some available. The above configuration is fine if the main thing is just to get everything working.

The Dynamic PAT doesn't really compare with the Static PAT (Port Forward). You will need both, as they are used for different purposes. As I said before, the Dynamic PAT is typically used in every setup for doing NAT for the internal users when they are connecting to the Internet. The Static PAT you have configured is used to enable connectivity to internal servers. It's typically used when you only have the public IP address configured on the ASA external interface available, or you just want to avoid using a different public IP address for every single internal host/server. Then again, if you have several public IP addresses available, then you can configure Static NAT for the servers. Static NAT and Static PAT differ from each other in the sense that Static PAT only does translation for certain ports, while Static NAT does a 1:1 translation between the 2 IP addresses and works for most if not all services.

If you want to have a look at different NAT configuration examples and some information about the NAT configuration, then you can have a look at the document I wrote in 2013. It might not have all the information you need, but maybe it might be of some help:

https://supportforums.cisco.com/document/132066/asa-nat-83-nat-operation-and-configuration-format-cli

Hope this helps :)

- Jouni
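The two points Jouni makes above, that the NAT0 (identity) rule is what keeps LAN-to-VPN traffic untranslated, and that a Dynamic PAT written with after-auto lands in Section 3 where it cannot shadow that rule, are easiest to see by replaying the ASA's NAT lookup order. The following Python model is an added example written for this page, not code from the thread or from Cisco: it orders rules the way an ASA 8.3+ does (Section 1 manual NAT in config order, Section 2 object NAT with static before dynamic, Section 3 after-auto manual NAT), loads the NAT rules from the posted sh run plus the suggested Dynamic PAT, and traces a LAN host to the AnyConnect client and to the Internet. It also shows what happens if the Dynamic PAT were placed in Section 1 ahead of the NAT0 rule, and evaluates the split-tunnel ACL the client uses to decide what enters the tunnel. The flow addresses 192.168.1.42, 172.16.1.60 and 8.8.8.8 are constructed inputs; port handling and route lookup are deliberately simplified.

```python
"""ASA 8.3+ NAT lookup-order model (added example, not from the thread).

Section 1: manual (twice) NAT, configuration order
Section 2: object (auto) NAT: static before dynamic, then smallest real
           range, then object name
Section 3: manual NAT marked 'after-auto', configuration order
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

EXT_IP = "125.255.160.54"   # what the 'interface' keyword resolves to on Ext
ANY = "0.0.0.0/0"

# Split-tunnel ACL DLVPN_STAcl from the posted config (tunnelspecified policy)
SPLIT_TUNNEL_ACL = ["192.168.0.0/16", "196.1.1.0/24", "126.0.0.0/16"]


@dataclass
class NatRule:
    name: str
    section: int                        # 1, 2 or 3 as above
    ifaces: tuple                       # (real_if, mapped_if), e.g. ("Int", "Ext")
    real_src: str = ANY
    real_dst: str = ANY
    mapped_src: Optional[str] = None    # None = identity (NAT0); 'interface' = PAT to EXT_IP
    dynamic: bool = False
    tcp_port: Optional[int] = None      # object NAT 'service tcp X X' only matches this port


def _in(net: str, addr: str) -> bool:
    return ip_address(addr) in ip_network(net, strict=False)


def ordered(rules):
    """Rules in ASA lookup order; sorted() is stable, so sections 1 and 3 keep config order."""
    def key(r):
        if r.section == 2:
            return (2, r.dynamic, ip_network(r.real_src, strict=False).num_addresses, r.name)
        return (r.section, 0, 0, "")
    return sorted(rules, key=key)


def egress(dst: str) -> str:
    """Simplified route lookup from the posted config: 192.168.0.0/16 via Int, default via Ext."""
    return "Int" if _in("192.168.0.0/16", dst) else "Ext"


def translate(rules, ingress, src, dst, sport=None):
    """First-match NAT lookup; returns (rule name, translated source address)."""
    out = egress(dst)
    for r in ordered(rules):
        if r.ifaces != (ingress, out):
            continue
        if not (_in(r.real_src, src) and _in(r.real_dst, dst)):
            continue
        if r.tcp_port is not None and sport != r.tcp_port:
            continue
        if r.mapped_src is None:
            return r.name, src                   # identity NAT: source left alone
        return r.name, EXT_IP if r.mapped_src == "interface" else r.mapped_src
    return "no NAT rule matched", src            # ASA forwards the packet untranslated


def client_sends_via_tunnel(dst: str) -> bool:
    """AnyConnect split tunnel: only destinations in the ACL enter the VPN."""
    return any(_in(n, dst) for n in SPLIT_TUNNEL_ACL)


# NAT rules as they appear in the posted 'sh run'
POSTED = [
    NatRule("nat0 LAN<->VPN", 1, ("Int", "Ext"), real_dst="172.16.1.0/24"),
    NatRule("dlausyd02 https", 2, ("Int", "Ext"), "192.168.1.202/32", mapped_src="interface", tcp_port=443),
    NatRule("dlau-utm smtp", 2, ("Int", "Ext"), "192.168.1.50/32", mapped_src="interface", tcp_port=25),
    NatRule("dlauxa6 444", 2, ("Int", "Ext"), "192.168.1.62/32", mapped_src="interface", tcp_port=444),
    NatRule("dlau-ftp01 ftp", 2, ("Int", "Ext"), "192.168.1.112/32", mapped_src="interface", tcp_port=21),
]
# Jouni's 'nat (Int,Ext) after-auto source dynamic any interface' -> Section 3
DYN_PAT_AFTER_AUTO = NatRule("dynamic PAT (after-auto)", 3, ("Int", "Ext"), mapped_src="interface", dynamic=True)
# Hypothetical misconfiguration: the same PAT without 'after-auto', entered above the NAT0 rule
DYN_PAT_FIRST = NatRule("dynamic PAT (section 1, first)", 1, ("Int", "Ext"), mapped_src="interface", dynamic=True)


def demo():
    good = POSTED + [DYN_PAT_AFTER_AUTO]
    bad = [DYN_PAT_FIRST] + POSTED
    return {
        "lan->vpn, after-auto": translate(good, "Int", "192.168.1.42", "172.16.1.60"),
        "lan->internet, after-auto": translate(good, "Int", "192.168.1.42", "8.8.8.8"),
        "lan->vpn, PAT placed first": translate(bad, "Int", "192.168.1.42", "172.16.1.60"),
        "lan->internet, posted config": translate(POSTED, "Int", "192.168.1.42", "8.8.8.8"),
    }


if __name__ == "__main__":
    for flow, (rule, mapped) in demo().items():
        print(f"{flow:32} -> {rule:32} src={mapped}")
    print("client tunnels 192.168.1.42:", client_sends_via_tunnel("192.168.1.42"))
    print("client tunnels 8.8.8.8:     ", client_sends_via_tunnel("8.8.8.8"))
```

Running it shows the LAN host reaching the VPN client untranslated through the NAT0 rule while Internet-bound traffic hits the after-auto PAT; with the PAT moved ahead of the NAT0 rule the VPN flow is rewritten to the outside address, which is the classic way VPN-to-LAN traffic breaks after a NAT change. With the posted config alone, Internet traffic leaves with its private source, exactly as Jouni describes. On a real ASA the equivalent check is packet-tracer with the same source and destination.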
