07-15-2014 07:19 AM - edited 02-21-2020 07:43 PM
Hi,
I'm new to ASA, can I please get some help with this. I managed to connect the VPN via the Cisco AnyConnect Mobility Client, however I'm unable to connect to the internet network. The IP address being allocated was 172.16.1.60 and it seems correct; I believe my ACL and NAT are configured to allow and translate the VPN allocated IP pool, but I'm not able to ping anything on the internal side.
Can someone shed some light... there's gotta be something I'm missing.
Below is my sh run.
Thanks
Raul
-------------------------------------------------------------------------------
DLSYD-ASA# sh run
: Saved
:
ASA Version 9.1(2)
!
hostname DLSYD-ASA
domain-name delo.local
enable password UszxwHyGcg.e6o4z encrypted
names
ip local pool DLVPN_Pool 172.16.1.60-172.16.1.70 mask 255.255.255.0
!
interface GigabitEthernet0/0
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
description Ext
speed 10
duplex full
nameif Ext
security-level 0
ip address 125.255.160.54 255.255.255.252
!
interface GigabitEthernet0/3
description Int
speed 10
duplex full
nameif Int
security-level 100
ip address 192.168.255.2 255.255.255.252
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
!
boot system disk0:/asa912-smp-k8.bin
ftp mode passive
clock timezone EST 10
clock summer-time EDT recurring last Sun Oct 2:00 last Sun Mar 3:00
dns domain-lookup inside
dns domain-lookup Int
dns server-group DefaultDNS
name-server 192.168.1.90
name-server 192.168.1.202
domain-name delo.local
same-security-traffic permit intra-interface
object network dlau40
host 192.168.1.209
object network dlausyd02
host 192.168.1.202
object network 192.168.1.42
host 192.168.1.42
object network dlau-utm
host 192.168.1.50
object network dlauxa6
host 192.168.1.62
object network 192.168.1.93
host 192.168.1.93
object network dlau-ftp01
host 192.168.1.112
object network dlau-dlau-ftp01
object network dlvpn_network
subnet 172.16.1.0 255.255.255.0
object-group icmp-type Good-ICMP
icmp-object echo
icmp-object echo-reply
icmp-object time-exceeded
icmp-object traceroute
icmp-object unreachable
access-list DLVPN_STAcl standard permit 192.168.0.0 255.255.0.0
access-list DLVPN_STAcl standard permit 196.1.1.0 255.255.255.0
access-list DLVPN_STAcl standard permit 126.0.0.0 255.255.0.0
access-list Ext_access_in extended permit icmp any any object-group Good-ICMP
access-list Ext_access_in extended permit tcp any object dlau-ftp01 eq ftp
access-list Ext_access_in extended permit tcp any object dlausyd02 eq https
access-list Ext_access_in extended permit tcp any object dlau-utm eq smtp
access-list Ext_access_in extended permit tcp any object dlauxa6 eq 444
access-list Ext_access_in extended permit ip object kobby-home any
pager lines 24
logging enable
logging asdm informational
mtu Ext 1500
mtu Int 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-713.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (Int,Ext) source static any any destination static dlvpn_network dlvpn_network no-proxy-arp
!
object network dlausyd02
nat (Int,Ext) static interface service tcp https https
object network dlau-utm
nat (Int,Ext) static interface service tcp smtp smtp
object network dlauxa6
nat (Int,Ext) static interface service tcp 444 444
object network dlau-ftp01
nat (Int,Ext) static interface service tcp ftp ftp
access-group Ext_access_in in interface Ext
route Ext 0.0.0.0 0.0.0.0 125.255.160.53 1
route Int 192.168.0.0 255.255.0.0 192.168.255.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
http server enable 44310
http server idle-timeout 30
http 192.168.0.0 255.255.0.0 Int
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet 192.168.1.0 255.255.255.0 management
telnet timeout 30
ssh 192.168.0.0 255.255.0.0 Int
ssh timeout 30
ssh key-exchange group dh-group1-sha1
console timeout 0
no ipv6-vpn-addr-assign aaa
no ipv6-vpn-addr-assign local
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 61.8.0.89 source outside prefer
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
webvpn
port 44320
enable outside
enable Ext
anyconnect-essentials
anyconnect image disk0:/anyconnect-win-3.1.05170-k9.pkg 1
anyconnect enable
tunnel-group-list enable
group-policy GroupPolicy_DLVPN internal
group-policy GroupPolicy_DLVPN attributes
wins-server none
dns-server value 192.168.1.90 192.168.1.202
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value DLVPN_STAcl
default-domain value delonghi.local
webvpn
anyconnect keep-installer installed
anyconnect ssl rekey time 30
anyconnect ssl rekey method ssl
anyconnect ask none default anyconnect
username vendor_ipfx password pb6/6ZHhaPgDKSHn encrypted
username vendor_pacnet password mIHuYi1jcf9OqVN9 encrypted
username admin password tFU2y7Uo15ahFyt4 encrypted
tunnel-group DLVPN type remote-access
tunnel-group DLVPN general-attributes
address-pool DLVPN_Pool
default-group-policy GroupPolicy_DLVPN
tunnel-group DLVPN webvpn-attributes
group-alias DLVPN enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect netbios
inspect ip-options
inspect ftp
inspect tftp
!
service-policy global_policy global
smtps
server 192.168.1.50
default-group-policy DfltGrpPolicy
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:67aa840d5cfff989bc045172b2d06212
: end
DLSYD-ASA#
07-15-2014 07:31 AM
Hi,
Just to be sure, add the following configuration related to ICMP traffic:
policy-map global_policy
class inspection_default
inspect icmp
inspect icmp error
Your NAT0 configuration for the traffic between LAN and VPN users seems fine. Your Split Tunnel ACL seems fine also, since it has 192.168.0.0/16 included. I am not sure what the other ones are.
I am wondering if this is a test setup, since you don't seem to have a Dynamic PAT configured for your LAN at all, just some Static PAT configurations and the NAT0 for VPN. If this is still a test setup, then have you confirmed that the device behind the ASA in the internal network has a default route pointing towards the ASA's interface, and if so, is it configured correctly?
Can you even ICMP the device directly behind the ASA that is the gateway towards the LAN networks?
If you want to try ICMP to the internal interface of the ASA from the VPN, then you can add this command and try ICMP again to the ASA internal interface:
management-access Int
Also, the post is a bit confusing in the sense that the topic talks about traffic not working to the internal network while the post mentions traffic to the Internet? I guess you only meant the traffic to the LAN, since you are using Split Tunnel VPN, which means traffic to the Internet should use the VPN user's local Internet connection while traffic towards the networks specified in the Split Tunnel ACL should be forwarded to the VPN.
- Jouni
07-15-2014 05:08 PM
Hi Jouni,
Thanks for your tip, that reminded me this is a test environment.
Therefore, while the default route is still going back to the firewall in production, of course I will not receive any ping reply back from the internal IP. It is now working after creating a static route to route the traffic to the test IP.
As mentioned, I'm new to ASA, so I'm not quite sure what a Dynamic PAT is. You are right that I use a few NAT rules to do my port forwards for some network services; are you recommending Dynamic PAT to be used instead of static NAT?
ICMP directly between the ASA and the LAN is fine, works no problem. Sorry that I confused you; in the post I made a typo, it's supposed to be "internal" not internet, my bad.
Thanks,
Raul
07-16-2014 12:55 AM
Hi,
The reason why I mentioned Dynamic PAT is because that is usually the one NAT configuration that is found on any firewall that is in production use with actual users behind it. And the Dynamic PAT configuration is usually there to translate any internal user IP address to a shared public IP address (typically the public IP address configured on the ASA's external interface) so that any internal user can connect to the Internet.
At this moment the device's configuration lacks the Dynamic PAT configuration, and therefore if any user traffic towards the Internet were to be forwarded to this ASA, then the ASA would simply pass that traffic to the Internet without doing NAT on it. This would of course mean that the users would show up with an internal/private IP address to the Internet and connections would fail.
But as you said, this is a new device and traffic is still forwarded to some other firewall that handles the Internet traffic, so in that sense lacking the Dynamic PAT configuration is not surprising.
If you wanted to configure a Dynamic PAT that would translate any internal IP address to the public IP address configured on the ASA's external interface when the user was connecting to the Internet, then you could use this configuration, for example:
nat (Int,Ext) after-auto source dynamic any interface
There are other versions of this configuration depending on what your needs are. You can even use an "object-group" to first define the source networks for which the Dynamic PAT will be performed. You can also use a different public IP address for the Dynamic PAT if you have some available. The above configuration is fine if the main thing is just to get everything working.
The Dynamic PAT doesn't really compare with the Static PAT (Port Forward). You will need both, as they are used for different purposes. As I said before, the Dynamic PAT is typically used in every setup for doing NAT for the internal users when they are connecting to the Internet. The Static PAT you have configured is used to enable connectivity to internal servers. It's typically used when you only have the public IP address configured on the ASA external interface available, or you just want to avoid using a different public IP address for every single internal host/server. Then again, if you have several public IP addresses available, then you can configure Static NAT for the servers. Static NAT and Static PAT differ from each other in the sense that Static PAT only does translation for certain ports, while Static NAT does a 1:1 translation between the two IP addresses and works for most if not all services.
If you want to have a look at different NAT configuration examples and some information about the NAT configuration, then you can have a look at the document I wrote in 2013. It might not have all the information you need, but maybe it will be of some help:
https://supportforums.cisco.com/document/132066/asa-nat-83-nat-operation-and-configuration-format-cli
Hope this helps :)
- Jouni
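As an added example that is not part of this thread (and not taken from Cisco's documentation), here are the three NAT sections the replies touch on, laid out in the order the ASA evaluates them, plus the CLI checks a practitioner would run afterwards. Interface names, objects and the 172.16.1.0/24 pool come from Raul's config; the host 192.168.1.209 and the Internet address 203.0.113.10 used in the checks are chosen for illustration.

```cisco
! Section 1 - manual (twice) NAT: identity NAT so LAN <-> AnyConnect traffic is
! never translated. Section 1 is evaluated first, so this rule wins over the
! catch-all dynamic PAT further down even though both match "any" as source.
object network dlvpn_network
 subnet 172.16.1.0 255.255.255.0
nat (Int,Ext) source static any any destination static dlvpn_network dlvpn_network no-proxy-arp
!
! Section 2 - object (auto) NAT: static PAT / port forward for a published server.
! Only tcp/443 is translated; every other port on this host stays unreachable
! from Ext, which is the point of using Static PAT instead of 1:1 Static NAT.
object network dlausyd02
 host 192.168.1.202
 nat (Int,Ext) static interface service tcp https https
!
! Section 3 - manual NAT "after-auto": dynamic PAT for outbound LAN traffic.
! "after-auto" places it behind the object NAT rules, so the port forward above
! is still matched before the catch-all PAT grabs the flow.
nat (Int,Ext) after-auto source dynamic any interface
!
! ICMP inspection (from the first reply) so echo replies return through the
! stateful engine instead of needing an explicit inbound ACL entry.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
!
! Verification from exec mode (not config mode):
! 1) VPN client -> LAN host must hit the section 1 identity rule (no translation):
!    packet-tracer input Ext icmp 172.16.1.60 8 0 192.168.1.209 detailed
! 2) LAN host -> Internet must hit the after-auto dynamic PAT (translated to Ext IP):
!    packet-tracer input Int tcp 192.168.1.209 40000 203.0.113.10 443
! 3) Confirm section order and per-rule hit counts:
!    show nat detail
```

If check 1 reports a NAT phase other than the identity rule, the VPN traffic is being translated and the order of the rules, not the ACLs, is the place to look.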