Cisco ASA Client VPN routing issue

mmiersebach
Level 1

Hi, I am using a Barracuda NG Firewall for firewalling and I would like to use a Cisco ASA 5505 for the client VPN connections. But I have the problem that I can't get a connection from the VPN-connected PC to the internal network. However, I can reach the VPN-connected PC from inside. Here is a diagram of my network:


Here the IP Configuration and the Routing table of the Barracuda Firewall:


I have a route on the Barracuda NG Firewall to the Client VPN Network 10.10.10.0/24 on eth0.

From the LAN 192.168.1.0/24 I can ping the client connected via Client VPN, 10.10.10.11, like it should. But I can't ping or access any network resources in the LAN from the AnyConnect client PC which is connected via VPN.

Here is the Cisco ASA config:

: Saved
: 
: Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz
:
ASA Version 9.2(2) 
!
hostname leela

names
ip local pool VPN-Pool 10.10.10.10-10.10.10.200 mask 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
 switchport access vlan 5
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.250 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp 
!
interface Vlan5
 nameif dmz
 security-level 50
 ip address 172.16.0.250 255.255.255.0 
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 192.168.1.10

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network VPN-Pool
 subnet 10.10.10.0 255.255.255.0
 description VPN-Pool
object network NETWORK_OBJ_10.10.10.0_24
 subnet 10.10.10.0 255.255.255.0
access-list inside_access_in extended permit ip any any 
access-list inside_access_in extended permit ip object VPN-Pool any 
access-list dmz_access_in extended permit ip any any 
access-list global_access extended permit ip any any 
access-list outside_access_in extended permit ip any any 
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,dmz) source static any any destination static NETWORK_OBJ_10.10.10.0_24 NETWORK_OBJ_10.10.10.0_24 no-proxy-arp route-lookup inactive
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
access-group global_access global
route dmz 0.0.0.0 0.0.0.0 172.16.0.254 1
route inside 0.0.0.0 0.0.0.0 192.168.1.254 tunneled
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
 server-type microsoft
user-identity default-domain LOCAL
aaa authentication enable console LDAP_SRV_GRP LOCAL
aaa authentication http console LDAP_SRV_GRP LOCAL
aaa authentication ssh console LDAP_SRV_GRP LOCAL
aaa authentication serial console LOCAL 
http server enable 444
http 192.168.1.0 255.255.255.0 inside
snmp-server location Vienna

crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto map dmz_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map dmz_map interface dmz
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=leela
 proxy-ldc-issuer
 crl configure
crypto ca trustpoint ASDM_TrustPoint1
 enrollment terminal

 crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint0
  quit
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable dmz client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
telnet timeout 5
no ssh stricthostkeycheck
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 30
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd auto_config outside
!
dhcpd address 192.168.1.254-192.168.1.254 inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-filter updater-client enable
dynamic-filter use-database
ntp server 192.168.1.10 source inside
ssl trust-point ASDM_TrustPoint0 dmz
ssl trust-point ASDM_TrustPoint0 inside
webvpn
 enable dmz
 no anyconnect-essentials
 anyconnect image disk0:/anyconnect-macosx-i386-3.1.05170-k9.pkg 1
 anyconnect image disk0:/anyconnect-win-3.1.05170-k9.pkg 2
 anyconnect image disk0:/anyconnect-linux-3.1.05170-k9.pkg 3
 anyconnect image disk0:/anyconnect-linux-64-3.1.05170-k9.pkg 4
 anyconnect profiles AnyConnect_client_profile disk0:/AnyConnect_client_profile.xml
 anyconnect enable
 tunnel-group-list enable
group-policy DfltGrpPolicy attributes
 default-domain value
group-policy GroupPolicy_AnyConnect internal
group-policy GroupPolicy_AnyConnect attributes
 wins-server none
 dns-server value 192.168.1.10
 vpn-tunnel-protocol ikev2 ssl-client 
 webvpn
  anyconnect profiles value AnyConnect_client_profile type user
group-policy portal internal
group-policy portal attributes
 vpn-tunnel-protocol ssl-clientless
 webvpn
  url-list none
username 
tunnel-group AnyConnect type remote-access
tunnel-group AnyConnect general-attributes
 address-pool VPN-Pool
 authentication-server-group LDAP_SRV_GRP
 default-group-policy GroupPolicy_AnyConnect
tunnel-group AnyConnect webvpn-attributes
 group-alias AnyConnect enable
tunnel-group Portal type remote-access
tunnel-group Portal general-attributes
 authentication-server-group LDAP_SRV_GRP
 default-group-policy portal
tunnel-group Portal webvpn-attributes
 group-alias portal enable
!
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
!
prompt hostname context 
no call-home reporting anonymous
hpm topN enable

: end
no asdm history enable

Can anyone please help me to fix this issue?

When I tried to troubleshoot this I didn't know which interface I should choose in the Packet Tracer.

The inside interface or the DMZ interface? With the inside it says it works, with the DMZ not, but the error message didn't help me.

Does anyone here know why it is not working?

8 Replies

nkarthikeyan
Level 7
Hi,

Do you have the split tunnel or tunnel-all option for your AnyConnect? When you try from the AnyConnect client machine to your internal network, do you see any hits on your ASA dmz interface and in the NAT exempt statements.... because I see your NAT will have the 1st hit, then it will go to the ACLs....


Regards

Karthik

Hi,
I route the whole traffic through the VPN tunnel,
and I can see the traffic on the ASA:

6    Aug 13 2014    16:12:01    302021    10.10.10.11    11229    192.168.1.10    0    Teardown ICMP connection for faddr 10.10.10.11/11229(LOCAL\Administrator) gaddr 192.168.1.10/0 laddr 192.168.1.10/0 (Administrator)

I think I found the failure but I can't fix it.

When I checked the routing table:

It shows me the VPN pool IP 10.10.10.11 and the gateway for it, 172.16.0.254, on interface dmz.

But it should be on the interface inside with the gateway IP 192.168.1.254. I manually added a static route from the network 10.10.10.0/24 to the inside gateway IP 192.168.1.254, but the ASA didn't use this route for the VPN traffic. Where can I set up the right route for it?


Hi,

The inside LAN is directly connected to the VPN firewall, right... then I do not think you need to have the tunneled route.... Can you try removing the tunneled route and check.

The static route entry for reaching 10.10.10.11 as it's showing is correct.....

Also the tunneled route shows with an administrative distance of 255. I have never used that in my scenarios.... let's see....


Regards

Karthik

Hi,

Also, can you check all these possible options...

Problems with Passing Traffic

When problems are detected with passing traffic to the private network with an AnyConnect session through the ASA, complete these data gathering steps:

  1. Obtain the output of the show vpn-sessiondb detail svc filter name <username> ASA command from the console. If the output shows Filter Name: XXXXX, then gather the output for show access-list XXXXX. Verify that the access-list XXXXX does not block the intended traffic flow.

  2. Export the AnyConnect statistics from AnyConnect VPN Client > Statistics > Details > Export (AnyConnect-ExportedStats.txt).

  3. Check the ASA configuration file for nat statements. If NAT is enabled, these must exempt data that returns to the client as a result of NAT. For example, to NAT exempt (nat 0) the IP addresses from the AnyConnect pool, use this on the CLI:

    access-list in_nat0_out extended permit ip any 10.136.246.0 255.255.255.0
    ip local pool IPPool1 10.136.246.1-10.136.246.254 mask 255.252.0.0
    nat (inside) 0 access-list in_nat0_out
  4. Determine if the tunneled default gateway needs to be enabled for the setup. The traditional default gateway is the gateway of last resort for non-decrypted traffic.

    Example

    !--- Route outside 0 0 is an incorrect statement.

    route outside 0 0 10.145.50.1
    route inside 0 0 10.0.4.2 tunneled

    For example, if the VPN Client needs to access a resource which is not in the routing table of the VPN Gateway, the packet is routed through the standard default gateway. The VPN gateway does not need the complete internal routing table in order to resolve this. The tunneled keyword can be used in this instance.

  5. Verify if the AnyConnect traffic is being dropped by the inspection policy of the ASA. You could exempt the specific application that is used by the AnyConnect client by implementing the Modular Policy Framework of Cisco ASA. For example, you could exempt the skinny protocol from exemption using the following commands.

    ASA(config)# policy-map global_policy
    ASA(config-pmap)#  class inspection_default
    ASA(config-pmap-c)# no inspect skinny

    In your case, for this you can try exempting icmp... no inspect icmp

Regards

Karthik

Hi,

The host route comes automatically when connecting via AnyConnect.

Before I connect with AnyConnect the routing looks good:

# show route

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route

Gateway of last resort is 172.16.0.254 to network 0.0.0.0

S*    0.0.0.0 0.0.0.0 [1/0] via 172.16.0.254, dmz
S        10.10.10.0 255.255.255.0 [1/0] via 192.168.1.254, inside
C        172.16.0.0 255.255.255.0 is directly connected, dmz
L        172.16.0.250 255.255.255.255 is directly connected, dmz
C        192.168.1.0 255.255.255.0 is directly connected, inside
L        192.168.1.250 255.255.255.255 is directly connected, inside
S    0.0.0.0 0.0.0.0 [255/0] via 192.168.1.254, dmz tunneled

But as soon as I connect with AnyConnect I automatically get the host route, which is wrong:

# show route

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route

Gateway of last resort is 172.16.0.254 to network 0.0.0.0

S*    0.0.0.0 0.0.0.0 [1/0] via 172.16.0.254, dmz
S        10.10.10.0 255.255.255.0 [1/0] via 192.168.1.254, inside
S        10.10.10.11 255.255.255.255 [1/0] via 172.16.0.254, dmz
C        172.16.0.0 255.255.255.0 is directly connected, dmz
L        172.16.0.250 255.255.255.255 is directly connected, dmz
C        192.168.1.0 255.255.255.0 is directly connected, inside
L        192.168.1.250 255.255.255.255 is directly connected, inside
S    0.0.0.0 0.0.0.0 [255/0] via 192.168.1.254, dmz tunneled

Can anyone please let me know where I can change this setting for this automatically created host route.

The PC with AnyConnect always uses this route and ignores the other routes...
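The two route tables above (and the tunneled-default step in the checklist earlier in the thread) can be checked mechanically. This is an added example, not code from the thread or from Cisco: it parses the pasted show route rows, performs a longest-prefix match using a simplified model of how the tunneled default route is chosen (an assumption, not ASA code), and flags any static route whose next hop is not on a subnet connected to its own interface. Function names are mine.

```python
import ipaddress

# Constructed sample: the S/C/L rows from the thread's second "show route",
# taken after AnyConnect client 10.10.10.11 had connected.
SHOW_ROUTE = """\
S*    0.0.0.0 0.0.0.0 [1/0] via 172.16.0.254, dmz
S        10.10.10.0 255.255.255.0 [1/0] via 192.168.1.254, inside
S        10.10.10.11 255.255.255.255 [1/0] via 172.16.0.254, dmz
C        172.16.0.0 255.255.255.0 is directly connected, dmz
L        172.16.0.250 255.255.255.255 is directly connected, dmz
C        192.168.1.0 255.255.255.0 is directly connected, inside
L        192.168.1.250 255.255.255.255 is directly connected, inside
S    0.0.0.0 0.0.0.0 [255/0] via 192.168.1.254, dmz tunneled"""

def parse_show_route(text):
    """Rows -> (network, distance, next_hop, iface, tunneled) tuples."""
    routes = []
    for line in text.splitlines():
        p = line.split()
        net = ipaddress.ip_network(f"{p[1]}/{p[2]}", strict=False)
        tunneled = p[-1] == "tunneled"
        iface = p[-2] if tunneled else p[-1]
        if "via" in p:  # static: [distance/metric] via next-hop, iface
            nh, dist = p[p.index("via") + 1].rstrip(","), int(p[3][1:].split("/")[0])
        else:           # connected (C) or local (L): no next hop
            nh, dist = None, 0
        routes.append((net, dist, nh, iface, tunneled))
    return routes

def lookup(routes, dst, decrypted=False):
    """Longest-prefix match (simplified model of the ASA, not ASA code): the
    tunneled default is only eligible for decrypted VPN traffic, where it beats
    the ordinary default; otherwise lower distance wins. Returns (iface, next_hop)."""
    dst, best = ipaddress.ip_address(dst), None
    for r in routes:
        net, dist, nh, iface, tunneled = r
        if dst not in net or (tunneled and not decrypted):
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = r
        elif net.prefixlen == best[0].prefixlen:
            if tunneled or (not best[4] and dist < best[1]):
                best = r
    return None if best is None else (best[3], best[2])

def next_hop_off_interface(routes):
    """Static routes whose next hop is not on a subnet connected to the route's
    own interface: the ASA cannot ARP for such a gateway."""
    conn = [(net, iface) for net, _, nh, iface, _ in routes if nh is None and net.prefixlen < 32]
    return [(str(net), nh, iface) for net, _, nh, iface, _ in routes
            if nh and not any(ipaddress.ip_address(nh) in c and i == iface for c, i in conn)]
```

Running it shows the /32 host route sending 10.10.10.11 out dmz regardless of the manual /24 route, the LAN host 192.168.1.10 resolved via the connected inside subnet for decrypted traffic, and the pasted tunneled default (listed on dmz with an inside-subnet next hop) flagged as inconsistent.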


Hi,

I have one more suggestion for you. Remove the below mentioned NAT statement and try what I suggest.

no nat (inside,dmz) source static any any destination static NETWORK_OBJ_10.10.10.0_24 NETWORK_OBJ_10.10.10.0_24 no-proxy-arp route-lookup inactive

object network obj_locallan
 subnet 192.168.1.0 255.255.255.0
!
nat (inside,dmz) source static obj_locallan obj_locallan destination static NETWORK_OBJ_10.10.10.0_24 no-proxy-arp
!

Other than the default route and the tunneled route... please do not have any static routes.... since your LAN is directly connected to inside.....


Regards

Karthik


Hi,

Sorry, still without success.

But the rule is a little bit different, right?

I created it like this:

nat (inside,dmz) 1 source static obj_locallan obj_locallan destination static NETWORK_OBJ_10.10.10.0_24 NETWORK_OBJ_10.10.10.0_24 no-proxy-arp

Is it possible for you to arrange a remote session for your device?

Regards

Karthik