Cisco Support Community
New Member

ASA VPN client problem

I have been banging my head against a wall on this one.

I set up an SSL VPN on an ASA 6.4 and my remote user connects via the Cisco AnyConnect client, but once connected the user loses internet access and cannot ping anything, not even on the remote side. I did some research and tried a NAT ACL, but I just can't figure this out. Below is the error:

5 Nov 08 2014 11:31:32 192.168.36.2 53 Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:10.0.100.1/59436 dst inside:192.168.36.2/53 denied due to NAT reverse path failure

Below is my config. I'm sure it's in a NAT rule or an ACL. Thanks for your help.

ASA Version 8.2(5) 
!
hostname ASAfirewall
enable password whammy encrypted
passwd whammy encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.36.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 1.1.1.1 255.255.255.248 
!
banner exec Please do not attempt to access this device unless you are authorized- 
banner login Please do not attempt to access this device unless you are authorized- 
banner asdm Please do not attempt to access this device unless you are authorized
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup outside
same-security-traffic permit intra-interface
access-list OPEN1 extended permit ip 192.168.36.0 255.255.255.0 any 
access-list OPEN standard permit any 
access-list OPEN standard permit 192.168.36.0 255.255.255.0 
access-list acl extended permit ip any any 
access-list acl extended permit icmp any any 
access-list inside_nat0_outbound extended permit ip 1.1.1.1 255.255.255.248 interface inside 
access-list no_nat extended permit ip 10.10.100.0 255.255.255.0 10.10.200.0 255.255.255.0 
pager lines 30
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool pool 10.0.0.1-10.0.0.254 mask 255.255.255.0
ip local pool SSLClientPool 10.0.100.1-10.0.100.80 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
no asdm history enable
arp timeout 14400
global (inside) 2 interface
global (outside) 10 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 access-list acl
nat (inside) 2 192.168.36.0 255.255.255.0
access-group acl in interface inside
access-group acl in interface outside
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL 
aaa authentication http console LOCAL 
aaa authentication serial console LOCAL 
http server enable
http 192.168.36.0 255.255.255.0 inside
http 1.1.1.1 255.255.255.255 outside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=ASAfirewall
 crl configure
crypto ca trustpoint localtrust
 enrollment self
 fqdn sslvpn.whammy.com
 subject-name CN=sslvpn.whammy.com
 keypair sslvpnkey
 crl configure
crypto ca certificate chain ASDM_TrustPoint0
 certificate 2c3a4a54
  quit
crypto ca certificate chain localtrust
 certificate 2d3a4a54
  quit
telnet timeout 5
ssh scopy enable
ssh 192.168.36.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 20
dhcpd dns 1.1.1.1 1.1.1.1
dhcpd lease 4600
!
dhcpd address 192.168.36.40-192.168.36.100 inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ssl trust-point localtrust outside
webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
 svc enable
 tunnel-group-list enable
group-policy SSLClient internal
group-policy SSLClient attributes
 dns-server value 192.168.36.2
 vpn-tunnel-protocol svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list none
 default-domain value whammy
 split-tunnel-all-dns enable
 address-pools value SSLClientPool
group-policy DfltGrpPolicy attributes
 dns-server value 192.168.36.2
 vpn-simultaneous-logins 1
 vpn-tunnel-protocol svc webvpn
username admin password whammy encrypted privilege 15
username skaufman password whammy encrypted privilege 7
username skaufman attributes
 service-type remote-access
username cl password whammy encrypted privilege 15
tunnel-group SSLClient type remote-access
tunnel-group SSLClient general-attributes
 address-pool SSLClientPool
 default-group-policy SSLClient
 dhcp-server 192.168.36.2
tunnel-group SSLClient webvpn-attributes
 group-alias whammy1 disable
 group-alias whammy enable
!
class-map inspection
class-map inspection_default
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global
policy-map global_policy
 class inspection_default
  inspect icmp 
  inspect icmp error 
!
mount users type cifs
 server 192.168.36.2
 share files
 domain SC
 username administrator
 password whammy
 status enable
prompt hostname context 
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:cb0c126961188b226f5acf32ac0c2c23
: end

ASAfirewall#            

CCNA
3 REPLIES
Hall of Fame Super Silver

Your remote access VPN users will be given an address from the pool:

ip local pool SSLClientPool 10.0.100.1-10.0.100.80 mask 255.255.255.0

The return traffic to them will need to be exempted from NAT. Right now that only happens for:

access-list inside_nat0_outbound extended permit ip 1.1.1.1 255.255.255.248 interface inside

Otherwise they get NATted to the outside interface per the following lines:

access-list acl extended permit ip any any 
access-list acl extended permit icmp any any 

nat (inside) 10 access-list acl

global (outside) 10 interface

You should add the SSL Client Pool as a NAT exemption.

New Member

Marvin,

Thanks for the reply. I thought I did that (below). If not, can you please provide me with the proper command to accomplish this? Thank you so much.

access-list no_nat extended permit ip 10.10.100.0 255.255.255.0 10.10.200.0 255.255.255.0 
pager lines 30
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool pool 10.0.0.1-10.0.0.254 mask 255.255.255.0
ip local pool SSLClientPool 10.0.100.1-10.0.100.80 mask 255.255.255.0


CCNA
Hall of Fame Super Silver

You have two access lists referring to NAT exemptions but only apply one of them. Add an entry to inside_nat0_outbound to include the networks you mentioned above.
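An added example, not from the thread or from Cisco, that models what both replies describe: the pre-8.3 NAT lookup order used by the posted config (the nat 0 exemption ACL is consulted first, otherwise the any/any policy NAT sends traffic to the outside interface), run over the addresses in the logged denial, together with the exemption ACE the replies ask for. The address constants are taken from the posted config; the 203.0.113.10 internet host is a constructed sample value.

```python
import ipaddress

# Values taken from the posted config
INSIDE_NET = "192.168.36.0/24"   # inside VLAN
VPN_POOL = "10.0.100.0/24"       # SSLClientPool 10.0.100.1-80, mask 255.255.255.0
OUTSIDE_IF = "1.1.1.1"           # global (outside) 10 interface -> PAT address
INSIDE_IF = "192.168.36.1/32"    # "interface inside" keyword in the nat0 ACE

def ace_matches(ace, src, dst):
    """ace is (src_net, dst_net) in CIDR form; 'any' is 0.0.0.0/0."""
    return (ipaddress.ip_address(src) in ipaddress.ip_network(ace[0]) and
            ipaddress.ip_address(dst) in ipaddress.ip_network(ace[1]))

def inside_to_outside_src(nat0_acl, src, dst):
    """Source address after NAT for an inside->outside packet. Pre-8.3 order:
    nat (inside) 0 access-list (exemption) wins first; otherwise
    nat (inside) 10 access-list acl (permit ip any any) maps the packet to
    global (outside) 10 interface, i.e. PAT to the outside IP."""
    if any(ace_matches(a, src, dst) for a in nat0_acl):
        return src
    if ace_matches(("0.0.0.0/0", "0.0.0.0/0"), src, dst):
        return OUTSIDE_IF
    return src

def reverse_path_ok(nat0_acl, client, server):
    """The forward flow (AnyConnect client on outside -> server on inside) is
    untranslated because there is no nat (outside) rule. The ASA requires the
    reverse flow server -> client to keep the server address too; if NAT would
    rewrite it, the packet is dropped with the 'Asymmetric NAT rules matched
    ... NAT reverse path failure' message quoted in the question."""
    return inside_to_outside_src(nat0_acl, server, client) == server

def exemption_ace(inside_net, pool):
    """ASA 8.2 ACE exempting inside->pool traffic from NAT. It belongs in
    inside_nat0_outbound, which the config already binds with
    'nat (inside) 0 access-list inside_nat0_outbound'."""
    a, b = ipaddress.ip_network(inside_net), ipaddress.ip_network(pool)
    return (f"access-list inside_nat0_outbound extended permit ip "
            f"{a.network_address} {a.netmask} {b.network_address} {b.netmask}")

CURRENT_NAT0 = [("1.1.1.0/29", INSIDE_IF)]            # the only ACE posted
FIXED_NAT0 = CURRENT_NAT0 + [(INSIDE_NET, VPN_POOL)]  # after adding exemption_ace()

if __name__ == "__main__":
    # DNS reply from 192.168.36.2 to the VPN client, the flow in the log line
    print(reverse_path_ok(CURRENT_NAT0, "10.0.100.1", "192.168.36.2"))  # False
    print(reverse_path_ok(FIXED_NAT0, "10.0.100.1", "192.168.36.2"))    # True
    print(exemption_ace(INSIDE_NET, VPN_POOL))
```

The unapplied no_nat ACL (10.10.100.0/24 to 10.10.200.0/24) would not help even if bound, because neither network covers the pool; the model shows that too.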
