Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ASA client VPN partly connection to internal resources

Hi,
I just configured Cisco Ayconnect. I can connect via Client VPN. 
My setup is a little bit differently (check the first picture of the setup).
I am using a other Firewall in front of the Cisco ASA. The ASA is only using the inside interface and is only used for Client VPN. See the first picture which illustrates the setup.
The Client VPN ip pool ist 10.10.10.10 - 10.10.10.50
The Firewall has the IP 192.168.1.254 and is the Gateway of the network.
My test VPN Client has the IP 10.10.10.14 and can ping the 192.168.1.254 and google 8.8.8.8.
But I can't ping the other internal Servers like 192.168.1.40 or 192.168.1.10.
I am pinging 192.168.1.254, 192.168.1.40 and 192.168.1.10 at the same time.
But on the Firewall I can only see 192.168.1.254 traffic:

 

# tcpdump src net 10.10.10.0/24 and dst net 192.168.1.0/24 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
16:06:10.315471 IP 10.10.10.14 > 192.168.1.254: ICMP echo request, id 1, seq 40671, length 40
16:06:11.090489 IP 10.10.10.14 > 192.168.1.254: ICMP echo request, id 1, seq 40675, length 40
16:06:12.150490 IP 10.10.10.14 > 192.168.1.254: ICMP echo request, id 1, seq 40678, length 40
16:06:13.651232 IP 10.10.10.14 > 192.168.1.254: ICMP echo request, id 1, seq 40680, length 40
16:06:14.156077 IP 10.10.10.14 > 192.168.1.254: ICMP echo request, id 1, seq 40682, length 40

 

I added also the screenshots of the Packet Tracer

and here is the Configuration:

 

Can anyone please help me how to get the traffic to the other hosts?

  • yes it would be possible to change the VPN Pool Addresses to 192.168.1.0
  • or create a NAT that the VPN Pool Addresses are translated to 192.168.10

But is there any other solution for this issue without one of this workarounds? 

 

show running-config 

: Saved

:

ASA Version 8.4(2) 

!

hostname asa

domain-name test.lab

enable password XejxZFfyt2wxqfff encrypted

passwd XejxZFfyt2wxqfff encrypted

names

dns-guard

!

interface GigabitEthernet0

 nameif outside

 security-level 0

 ip address  

!

interface GigabitEthernet1

 nameif inside

 security-level 100

 ip address 192.168.1.230 255.255.255.0 

!

ftp mode passive

dns domain-lookup inside

dns server-group DefaultDNS

 name-server 192.168.1.10

 domain-name planet-express.internal

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object network VPN-Address-Pool

 description VPN-Address-Pool

object network inside-network

 subnet 192.168.1.0 255.255.255.0

 description inside-network

object network VPN-Pool

 subnet 10.10.10.0 255.255.255.0

object network AnyConnect-VPN-Pool

object network LAN

 subnet 192.168.1.0 255.255.255.0

object network asa

 host 192.168.1.230

access-list inside_access_in extended permit ip any any 

pager lines 24

logging enable

logging asdm informational

mtu outside 1500

mtu inside 1500

ip local pool VPN-Address-Pool 10.10.10.10-10.10.10.254 mask 255.255.255.0

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-715-100.bin

no asdm history enable

arp timeout 14400

nat (any,inside) source dynamic VPN-Pool interface inactive

access-group inside_access_in in interface inside

route inside 0.0.0.0 0.0.0.0 192.168.1.254 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa-server planet-express protocol nt

aaa-server planet-express (inside) host farnsworth.planet-express.internal

 nt-auth-domain-controller 192.168.1.10

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL 

aaa authentication http console LOCAL 

http server enable 444

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ipsec ikev2 ipsec-proposal DES

 protocol esp encryption des

 protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal 3DES

 protocol esp encryption 3des

 protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES

 protocol esp encryption aes

 protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES192

 protocol esp encryption aes-192

 protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES256

 protocol esp encryption aes-256

 protocol esp integrity sha-1 md5

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES

crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map inside_map interface inside

crypto ca trustpoint ASDM_TrustPoint0

 enrollment self

 subject-name CN=test

 keypair key-2048

 crl configure

crypto ca certificate chain ASDM_TrustPoint0

 certificate 2ee76b53

      quit

crypto ikev2 policy 1

 encryption aes-256

 integrity sha

 group 5 2

 prf sha

 lifetime seconds 86400

crypto ikev2 policy 10

 encryption aes-192

 integrity sha

 group 5 2

 prf sha

 lifetime seconds 86400

crypto ikev2 policy 20

 encryption aes

 integrity sha

 group 5 2

 prf sha

 lifetime seconds 86400

crypto ikev2 policy 30

 encryption 3des

 integrity sha

 group 5 2

 prf sha

 lifetime seconds 86400

crypto ikev2 policy 40

 encryption des

 integrity sha

 group 5 2

 prf sha

 lifetime seconds 86400

crypto ikev2 enable inside client-services port 443

crypto ikev2 remote-access trustpoint ASDM_TrustPoint0

telnet timeout 60

ssh 192.168.1.0 255.255.255.0 inside

ssh timeout 60

ssh version 2

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ssl trust-point ASDM_TrustPoint0 inside

webvpn

 enable inside

 anyconnect image disk0:/anyconnect-win-3.1.05160-k9.pkg 1

 anyconnect image disk0:/anyconnect-macosx-i386-3.1.05160-k9.pkg 2

 anyconnect image disk0:/anyconnect-linux-64-3.1.05160-k9.pkg 3

 anyconnect image disk0:/anyconnect-linux-3.1.05160-k9.pkg 4

 anyconnect profiles AnyConnect_client_profile disk0:/AnyConnect_client_profile.xml

 anyconnect enable

 tunnel-group-list enable

group-policy GroupPolicy_AnyConnect internal

group-policy GroupPolicy_AnyConnect attributes

 wins-server none

 dns-server value 192.168.1.10

 vpn-tunnel-protocol ikev2 ssl-client 

 default-domain value test.lab

 webvpn

  anyconnect profiles value AnyConnect_client_profile type user

group-policy Portal-Group-Policy internal

group-policy Portal-Group-Policy attributes

 wins-server none

 dns-server value 192.168.1.10

 vpn-tunnel-protocol ssl-clientless

 default-domain value test.lab

 webvpn

  url-list value Administrator

username admin password Cisco encrypted privilege 15

tunnel-group Portal type remote-access

tunnel-group Portal general-attributes

 address-pool VPN-Address-Pool

 default-group-policy Portal-Group-Policy

tunnel-group Portal webvpn-attributes

 group-alias Portal enable

 group-alias portal disable

tunnel-group AnyConnect type remote-access

tunnel-group AnyConnect general-attributes

 address-pool VPN-Address-Pool

 default-group-policy GroupPolicy_AnyConnect

tunnel-group AnyConnect webvpn-attributes

 group-alias AnyConnect enable

!

class-map global-class

 match default-inspection-traffic

!

!             

policy-map global-policy

 class global-class

  inspect dns 

  inspect ftp 

  inspect http 

  inspect icmp 

  inspect icmp error 

!

service-policy global-policy global

prompt hostname context 

no call-home reporting anonymous

call-home

 profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

crashinfo save disable

Cryptochecksum:

: end

 

 

 

Everyone's tags (1)
1 REPLY
New Member

Hi,when you try ping '192.168

Hi,

when you try ping '192.168.1.10' or '192.168.1.40' from remote client(10.10.10.14), ASA will forward those icmp packets directly to the destination after decryption. So it is impossible to observe them on firewall. so those icmp packets should reach their destination.

ICMP reply will direct to the default GW(192.168.1.254) as the 2 servers have no route entry to 10.10.10.14, default GW found the next-hop to '10.10.10.14' is 192.168.1.240, it will discard those icmp packets and send ICMP redirect message( type 5 ) to the 2 servers, which means ASA is closer to the 10.10.10.14, however the 2 servers ignore this redirect message. so you can not ping the 2 servers.

Solution: enable the 2 servers accept ICMP redirect message.

Regards,

David

553
Views
0
Helpful
1
Replies
CreatePlease login to create content