08-12-2014 07:20 AM
Hi, I am using a Barracuda NG Firewall for firewalling and I would like to use a Cisco ASA 5505 for the client VPN connections. But I have the problem that I can't get a connection from the VPN-connected PC to the internal network, although I can reach the VPN-connected PC from inside. Here is a diagram of my network:
Here is the IP configuration and the routing table of the Barracuda firewall:
I have a route on the Barracuda NG Firewall to the Client VPN Network 10.10.10.0/24 on eth0.
From the LAN 192.168.1.0/24 I can ping the client coming in via the client VPN (10.10.10.11) like it should. But I can't ping or access any network resources in the LAN from the AnyConnect client PC which is connected via VPN.
Here is the Cisco ASA config:
: Saved
:
: Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
:
ASA Version 9.2(2)
!
hostname leela
names
ip local pool VPN-Pool 10.10.10.10-10.10.10.200 mask 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
 switchport access vlan 5
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.250 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp
!
interface Vlan5
 nameif dmz
 security-level 50
 ip address 172.16.0.250 255.255.255.0
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 192.168.1.10
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network VPN-Pool
 subnet 10.10.10.0 255.255.255.0
 description VPN-Pool
object network NETWORK_OBJ_10.10.10.0_24
 subnet 10.10.10.0 255.255.255.0
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit ip object VPN-Pool any
access-list dmz_access_in extended permit ip any any
access-list global_access extended permit ip any any
access-list outside_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,dmz) source static any any destination static NETWORK_OBJ_10.10.10.0_24 NETWORK_OBJ_10.10.10.0_24 no-proxy-arp route-lookup inactive
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
access-group global_access global
route dmz 0.0.0.0 0.0.0.0 172.16.0.254 1
route inside 0.0.0.0 0.0.0.0 192.168.1.254 tunneled
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
server-type microsoft
user-identity default-domain LOCAL
aaa authentication enable console LDAP_SRV_GRP LOCAL
aaa authentication http console LDAP_SRV_GRP LOCAL
aaa authentication ssh console LDAP_SRV_GRP LOCAL
aaa authentication serial console LOCAL
http server enable 444
http 192.168.1.0 255.255.255.0 inside
snmp-server location Vienna
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto map dmz_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map dmz_map interface dmz
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=leela
 proxy-ldc-issuer
 crl configure
crypto ca trustpoint ASDM_TrustPoint1
 enrollment terminal
 crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint0
 quit
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable dmz client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
telnet timeout 5
no ssh stricthostkeycheck
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 30
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.254-192.168.1.254 inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-filter updater-client enable
dynamic-filter use-database
ntp server 192.168.1.10 source inside
ssl trust-point ASDM_TrustPoint0 dmz
ssl trust-point ASDM_TrustPoint0 inside
webvpn
 enable dmz
 no anyconnect-essentials
 anyconnect image disk0:/anyconnect-macosx-i386-3.1.05170-k9.pkg 1
 anyconnect image disk0:/anyconnect-win-3.1.05170-k9.pkg 2
 anyconnect image disk0:/anyconnect-linux-3.1.05170-k9.pkg 3
 anyconnect image disk0:/anyconnect-linux-64-3.1.05170-k9.pkg 4
 anyconnect profiles AnyConnect_client_profile disk0:/AnyConnect_client_profile.xml
 anyconnect enable
 tunnel-group-list enable
group-policy DfltGrpPolicy attributes
 default-domain value
group-policy GroupPolicy_AnyConnect internal
group-policy GroupPolicy_AnyConnect attributes
 wins-server none
 dns-server value 192.168.1.10
 vpn-tunnel-protocol ikev2 ssl-client
 webvpn
  anyconnect profiles value AnyConnect_client_profile type user
group-policy portal internal
group-policy portal attributes
 vpn-tunnel-protocol ssl-clientless
 webvpn
  url-list none
username
tunnel-group AnyConnect type remote-access
tunnel-group AnyConnect general-attributes
 address-pool VPN-Pool
 authentication-server-group LDAP_SRV_GRP
 default-group-policy GroupPolicy_AnyConnect
tunnel-group AnyConnect webvpn-attributes
 group-alias AnyConnect enable
tunnel-group Portal type remote-access
tunnel-group Portal general-attributes
 authentication-server-group LDAP_SRV_GRP
 default-group-policy portal
tunnel-group Portal webvpn-attributes
 group-alias portal enable
!
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
!
prompt hostname context
no call-home reporting anonymous
hpm topN enable
: end
no asdm history enable
Can anyone please help me to fix this issue ?
When I tried to troubleshoot this, I didn't know which interface I should choose in the Packet Tracer:
the inside interface or the DMZ interface? With inside it says it works, with dmz it does not, but the error message didn't help me.
Does anyone here know why it is not working?
08-12-2014 07:58 AM
Hi,
Do you have the split-tunnel or tunnel-all option for your AnyConnect? When you try from the AnyConnect client machine to your internal network, do you see any hits on your ASA dmz interface and in the NAT exempt statements? Because I see your NAT will have the first hit, then it will go to the ACLs.
Regards
Karthik
08-13-2014 07:28 AM
Hi,
I route the whole traffic through the VPN tunnel,
and I can see the traffic on the ASA:
6 Aug 13 2014 16:12:01 302021 10.10.10.11 11229 192.168.1.10 0 Teardown ICMP connection for faddr 10.10.10.11/11229(LOCAL\Administrator) gaddr 192.168.1.10/0 laddr 192.168.1.10/0 (Administrator)
I think I found the failure but I can't fix it.
When I checked the routing table:
it shows me the VPN pool IP 10.10.10.11 and the gateway for it, 172.16.0.254, on interface dmz.
But it should be on the interface inside with the gateway IP 192.168.1.254. I manually added a static route from network 10.10.10.0/24 to the inside gateway IP 192.168.1.254, but the ASA didn't use this route for the VPN traffic. Where can I set up the right route for it?
08-13-2014 10:56 AM
Hi,
The inside LAN is directly connected to the VPN firewall, right? Then I do not think you need to have the tunneled route. Can you try removing the tunneled route and check?
The static route entry for reaching 10.10.10.11, as it is showing, is correct.
Also, the tunneled route shows with an administrative distance of 255. I have never used that in my scenarios. Let's see.
Regards
Karthik
08-13-2014 11:23 AM
Hi,
Also, can you check all these possible options?
When problems are detected with passing traffic to the private network with an AnyConnect session through the ASA, complete these data gathering steps:
Obtain the output of the show vpn-sessiondb detail svc filter name <username> ASA command from the console. If the output shows Filter Name: XXXXX, then gather the output of show access-list XXXXX. Verify that the access-list XXXXX does not block the intended traffic flow.
Export the AnyConnect statistics from AnyConnect VPN Client > Statistics > Details > Export (AnyConnect-ExportedStats.txt).
Check the ASA configuration file for nat statements. If NAT is enabled, these must exempt data that returns to the client as a result of NAT. For example, to NAT exempt (nat 0) the IP addresses from the AnyConnect pool, use this on the CLI:
access-list in_nat0_out extended permit ip any 10.136.246.0 255.255.255.0
ip local pool IPPool1 10.136.246.1-10.136.246.254 mask 255.252.0.0
nat (inside) 0 access-list in_nat0_out
Determine if the tunneled default gateway needs to be enabled for the setup. The traditional default gateway is the gateway of last resort for non-decrypted traffic.
Example:
!--- Route outside 0 0 is an incorrect statement.
route outside 0 0 10.145.50.1
route inside 0 0 10.0.4.2 tunneled
For example, if the VPN Client needs to access a resource which is not in the routing table of the VPN Gateway, the packet is routed through the standard default gateway. The VPN gateway does not need the complete internal routing table in order to resolve this. The tunneled keyword can be used in this instance.
Verify if the AnyConnect traffic is being dropped by the inspection policy of the ASA. You could exempt the specific application that is used by the AnyConnect client by implementing the Modular Policy Framework of the Cisco ASA. For example, you could exempt the skinny protocol from inspection using the following commands:
ASA(config)# policy-map global_policy
ASA(config-pmap)# class inspection_default
ASA(config-pmap-c)# no inspect skinny
In your case, for this you can try exempting ICMP: no inspect icmp
Regards
Karthik
08-14-2014 12:33 AM
Hi,
The host route comes automatically when connecting via AnyConnect.
Before I connect with AnyConnect the routing looks good:
# show route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 172.16.0.254 to network 0.0.0.0
S*   0.0.0.0 0.0.0.0 [1/0] via 172.16.0.254, dmz
S    10.10.10.0 255.255.255.0 [1/0] via 192.168.1.254, inside
C    172.16.0.0 255.255.255.0 is directly connected, dmz
L    172.16.0.250 255.255.255.255 is directly connected, dmz
C    192.168.1.0 255.255.255.0 is directly connected, inside
L    192.168.1.250 255.255.255.255 is directly connected, inside
S    0.0.0.0 0.0.0.0 [255/0] via 192.168.1.254, dmz tunneled
But as soon as I connect with AnyConnect I automatically get the host route, which is wrong:
# show route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 172.16.0.254 to network 0.0.0.0
S*   0.0.0.0 0.0.0.0 [1/0] via 172.16.0.254, dmz
S    10.10.10.0 255.255.255.0 [1/0] via 192.168.1.254, inside
S    10.10.10.11 255.255.255.255 [1/0] via 172.16.0.254, dmz
C    172.16.0.0 255.255.255.0 is directly connected, dmz
L    172.16.0.250 255.255.255.255 is directly connected, dmz
C    192.168.1.0 255.255.255.0 is directly connected, inside
L    192.168.1.250 255.255.255.255 is directly connected, inside
S    0.0.0.0 0.0.0.0 [255/0] via 192.168.1.254, dmz tunneled
Can anyone please let me know where I can change this setting for this automatically created host route?
The PC with AnyConnect always uses this route and ignores the other routes...
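As an added example (not part of the thread and not output from the device), the following Python script models how a firewall picks a route for a packet and runs that model over the two `show route` tables posted above. The tables are constructed copies of the posted output; the selection rules (longest prefix first, lowest administrative distance on a tie, and a `tunneled` default route consulted only for traffic that arrived through a VPN tunnel) are this example's assumption about ASA behaviour. It shows why a manually added 10.10.10.0/24 static route never wins against the per-client /32 host route once a client connects.

```python
"""
Added example (not from the thread): longest-prefix-match route selection
applied to the two `show route` tables posted above.  The route lines are
constructed copies of the posted output; the selection logic is an
assumption about how the ASA chooses a route, not device output.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed copies of the two posted tables (legend lines omitted).
BEFORE_CONNECT = """
Gateway of last resort is 172.16.0.254 to network 0.0.0.0
S*   0.0.0.0 0.0.0.0 [1/0] via 172.16.0.254, dmz
S    10.10.10.0 255.255.255.0 [1/0] via 192.168.1.254, inside
C    172.16.0.0 255.255.255.0 is directly connected, dmz
L    172.16.0.250 255.255.255.255 is directly connected, dmz
C    192.168.1.0 255.255.255.0 is directly connected, inside
L    192.168.1.250 255.255.255.255 is directly connected, inside
S    0.0.0.0 0.0.0.0 [255/0] via 192.168.1.254, dmz tunneled
"""

AFTER_CONNECT = """
Gateway of last resort is 172.16.0.254 to network 0.0.0.0
S*   0.0.0.0 0.0.0.0 [1/0] via 172.16.0.254, dmz
S    10.10.10.0 255.255.255.0 [1/0] via 192.168.1.254, inside
S    10.10.10.11 255.255.255.255 [1/0] via 172.16.0.254, dmz
C    172.16.0.0 255.255.255.0 is directly connected, dmz
L    172.16.0.250 255.255.255.255 is directly connected, dmz
C    192.168.1.0 255.255.255.0 is directly connected, inside
L    192.168.1.250 255.255.255.255 is directly connected, inside
S    0.0.0.0 0.0.0.0 [255/0] via 192.168.1.254, dmz tunneled
"""

# One `show route` entry: code, network, mask, optional [AD/metric],
# then either "via <gw>," or "is directly connected,", the interface,
# and an optional trailing "tunneled" flag.
ROUTE_LINE = re.compile(
    r"^(?P<code>\S+)\s+(?P<net>\d+(?:\.\d+){3})\s+(?P<mask>\d+(?:\.\d+){3})"
    r"(?:\s+\[(?P<ad>\d+)/(?P<metric>\d+)\])?\s+"
    r"(?:via\s+(?P<gw>\d+(?:\.\d+){3}),\s+|is directly connected,\s+)"
    r"(?P<iface>\w+)(?P<tunneled>\s+tunneled)?\s*$"
)


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    ad: int                  # administrative distance; 0 for connected/local
    gateway: Optional[str]   # None for directly connected routes
    iface: str
    tunneled: bool


def parse_show_route(text: str) -> List[Route]:
    """Parse the route lines of `show route` output; skip legend/header lines."""
    routes = []
    for line in text.strip().splitlines():
        m = ROUTE_LINE.match(line.strip())
        if not m:
            continue
        net = ipaddress.IPv4Network(f"{m['net']}/{m['mask']}", strict=False)
        ad = int(m["ad"]) if m["ad"] else 0
        routes.append(Route(net, ad, m["gw"], m["iface"], bool(m["tunneled"])))
    return routes


def lookup(routes: List[Route], dst: str, from_tunnel: bool = False) -> Optional[Route]:
    """Pick the route for `dst`: longest prefix, then lowest AD.

    Assumption modelled here: a `tunneled` default route is only used for
    traffic that arrived through a VPN tunnel (from_tunnel=True), and only
    when no more specific route matches.
    """
    ip = ipaddress.IPv4Address(dst)
    candidates = [r for r in routes if ip in r.prefix]
    if not candidates:
        return None
    specific = [r for r in candidates if r.prefix.prefixlen > 0]
    if specific:
        return max(specific, key=lambda r: (r.prefix.prefixlen, -r.ad))
    defaults = [r for r in candidates if r.tunneled == from_tunnel] or candidates
    return min(defaults, key=lambda r: r.ad)


if __name__ == "__main__":
    for label, table in (("before", BEFORE_CONNECT), ("after", AFTER_CONNECT)):
        r = lookup(parse_show_route(table), "10.10.10.11", from_tunnel=True)
        print(f"{label} connect: 10.10.10.11 -> {r.prefix} via {r.gateway} on {r.iface}")
```

Run it and the second lookup lands on the /32 host route out of dmz regardless of the /24 static route, because the longer prefix is compared before anything else; the /24 only matters for pool addresses that have no host route at that moment.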
08-14-2014 02:03 AM
Hi,
I have one more suggestion for you: remove the NAT statement mentioned below and try what I suggest.
no nat (inside,dmz) source static any any destination static NETWORK_OBJ_10.10.10.0_24 NETWORK_OBJ_10.10.10.0_24 no-proxy-arp route-lookup inactive
object network obj_locallan
subnet 192.168.1.0 255.255.255.0
!
nat (inside,dmz) source static obj_locallan obj_locallan destination static NETWORK_OBJ_10.10.10.0_24 no-proxy-arp
!
Other than the default route and the tunneled route, please do not have any static routes, since your LAN is directly connected to inside.
Regards
Karthik
08-14-2014 02:33 AM
Hi,
Sorry, still without success.
But the rule is a little bit different, right?
I created it like this:
nat (inside,dmz) 1 source static obj_locallan obj_locallan destination static NETWORK_OBJ_10.10.10.0_24 NETWORK_OBJ_10.10.10.0_24 no-proxy-arp
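As an added example (not from the thread), the following Python script is a check for the NAT-exemption step suggested earlier: it parses `object network` definitions and twice-NAT `nat (a,b) source static ...` lines in ASA 8.3+/9.x syntax and reports which identity (exemption) rules cover a given inside-side source and dmz-side destination, and whether each is active. The config text is a constructed excerpt containing the objects and the `inactive` NAT line from the posted configuration, plus the replacement rule exactly as the poster says he entered it (assumed to be appended to the same config). Static twice-NAT rules are bidirectional unless configured otherwise, so the script only evaluates the pair in the direction the rule is written.

```python
"""
Added example (not from the thread): find identity (NAT-exempt) twice-NAT
rules covering a source/destination pair and report whether they are active.
Config excerpts are constructed from the lines quoted in the thread.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed excerpt of the posted configuration (object and nat lines only).
POSTED_CONFIG = """
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network VPN-Pool
 subnet 10.10.10.0 255.255.255.0
 description VPN-Pool
object network NETWORK_OBJ_10.10.10.0_24
 subnet 10.10.10.0 255.255.255.0
nat (inside,dmz) source static any any destination static NETWORK_OBJ_10.10.10.0_24 NETWORK_OBJ_10.10.10.0_24 no-proxy-arp route-lookup inactive
"""

# The replacement rule as the poster said he entered it (assumed appended).
REPLACEMENT_RULE = """
object network obj_locallan
 subnet 192.168.1.0 255.255.255.0
nat (inside,dmz) 1 source static obj_locallan obj_locallan destination static NETWORK_OBJ_10.10.10.0_24 NETWORK_OBJ_10.10.10.0_24 no-proxy-arp
"""

# nat (real_if,mapped_if) [line] source static REAL MAPPED
#     [destination static REAL MAPPED] [options...]
NAT_RE = re.compile(
    r"^nat \((?P<src_if>[\w-]+),(?P<dst_if>[\w-]+)\)\s+(?:\d+\s+)?"
    r"source static (?P<rsrc>\S+) (?P<msrc>\S+)"
    r"(?:\s+destination static (?P<rdst>\S+) (?P<mdst>\S+))?"
    r"(?P<opts>.*)$"
)

ANY = ipaddress.IPv4Network("0.0.0.0/0")


def parse_objects(config: str) -> Dict[str, ipaddress.IPv4Network]:
    """Map `object network` names to networks (subnet and host forms)."""
    objects, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("object network "):
            current = line.split()[2]
        elif current and line.startswith(" subnet "):
            _, net, mask = line.split()
            objects[current] = ipaddress.IPv4Network(f"{net}/{mask}", strict=False)
        elif current and line.startswith(" host "):
            objects[current] = ipaddress.IPv4Network(line.split()[1] + "/32")
        elif line and not line.startswith(" "):
            current = None  # left the object block
    return objects


def resolve(name: str, objects: Dict[str, ipaddress.IPv4Network]) -> ipaddress.IPv4Network:
    if name == "any":
        return ANY
    if name not in objects:
        raise KeyError(f"undefined object network: {name}")
    return objects[name]


def identity_rules(config: str, src_ip: str, dst_ip: str) -> List[Tuple[str, bool]]:
    """Return (rule_line, is_active) for identity NAT rules covering src->dst.

    A rule is an identity (exemption) rule when real == mapped for the source
    and, if present, for the destination.  `inactive` in the trailing options
    marks a rule that is configured but disabled.
    """
    objects = parse_objects(config)
    src, dst = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    hits = []
    for raw in config.splitlines():
        m = NAT_RE.match(raw.strip())
        if not m:
            continue
        identity = m["rsrc"] == m["msrc"] and (m["rdst"] is None or m["rdst"] == m["mdst"])
        if not identity:
            continue
        src_net = resolve(m["rsrc"], objects)
        dst_net = resolve(m["rdst"], objects) if m["rdst"] else ANY
        if src in src_net and dst in dst_net:
            hits.append((raw.strip(), "inactive" not in m["opts"].split()))
    return hits


def has_active_exemption(config: str, src_ip: str, dst_ip: str) -> bool:
    return any(active for _, active in identity_rules(config, src_ip, dst_ip))


if __name__ == "__main__":
    for line, active in identity_rules(POSTED_CONFIG + REPLACEMENT_RULE, "192.168.1.10", "10.10.10.11"):
        print(("ACTIVE   " if active else "INACTIVE ") + line)
```

On the posted excerpt alone the only rule covering 192.168.1.10 to 10.10.10.11 is reported as inactive; with the replacement rule appended, an active exemption covers the pair, while a dmz-side host such as 172.16.0.5 is still covered by nothing active.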
08-14-2014 04:06 AM
Is it possible for you to arrange a remote session for your device?
Regards
Karthik