04-02-2012 01:56 PM
So I found a thread which shows how to allow VPN users to use the internet via the VPN instead of an insecure split tunnel. This article seems to be written for the pre-8.3 days.
https://supportforums.cisco.com/thread/2016000
The key points seem to be:
I have tried (without success):
After implementing it, I am not able to reach any resource inside my network, or outside my network.
--------------------------------
Current Config Follows:
currently:
I would like help to change this to allow me to:
ASA Version 8.4(2)
!
hostname DANS-FW
domain-name coffee.local
enable password blah encrypted
passwd blah encrypted
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 description \\LAN Connection to Switch\\
 nameif inside
 security-level 100
 ip address ASA_INSIDE 255.255.255.0
 ipv6 address autoconfig
 ipv6 enable
!
interface Vlan2
 description //OUT TO FIOS///
 nameif outside
 security-level 0
 ip address dhcp setroute
!
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 domain-name coffee.local
same-security-traffic permit intra-interface
object network INSIDE_LAN
 subnet 192.168.0.0 255.255.255.0
object network CAFFEINE-ICECAST
 host 192.168.0.11
object network CAFFEINE-MPD
 host 192.168.0.11
object network CAFFEINE-MPDroid-Stream
 host 192.168.0.11
object network CAFFEINE-TWONKY
 host 192.168.0.11
object network obj-192.168.0.2
 host 192.168.0.2
object network CAFFEINE-SSH
 host 192.168.0.11
object network ASA_INSIDE
 host 192.168.0.1
object network CAFFEINE-RTORRENT
 host 192.168.0.11
object network ASA-ASDM_SSLVPN
 host 192.168.0.1
object network HE_Tunnel_Broker
 host 216.66.22.2
 description HE IP
object network 6shots
 host 192.168.0.66
object network AnyConnect_VPN_USERS
 description Anyconnet VPN Range
object network ANYCONNECT_VPN_USERS
object network ANYCONNECT_VPN_POOL
object network ANYCONNECT_VPN
 subnet 192.168.0.200 255.255.255.248
object network APACHE-SSL
 host 192.168.0.11
object network NETWORK_OBJ_192.168.0.200_29
 subnet 192.168.0.200 255.255.255.248
object network MSF
 host 192.168.0.11
object network CAFFEINE-NESSUS
 host 192.168.0.11
object network EXCHANGE_SMTP(SSL)
 host 192.168.0.4
object network Dans-Desktop
 host 192.168.0.10
object network EXCHANGE_OWA
 host 192.168.0.4
object network EXCHANGE_ACTIVESYNC
 host 192.168.0.4
object network ASDM
 host 192.168.0.1
object network EXCHANGE_IMAP
 host 192.168.0.4
object network EXCHANGE_SMTP
 host 192.168.0.4
object network ESX_5_SERVER
 host 192.168.0.5
 description ESX5 Server
object network MEDIA_2K8
 host 192.168.0.6
 description MEDIA SERVER
object network RRAS
 host 192.168.0.4
object-group network obj-192.168.0.0
object-group protocol IPv6inIPv4
 protocol-object 41
object-group service Icecast tcp
 port-object eq 8000
object-group service rtorrent-webUI tcp
 port-object eq 8011
object-group service metasploit_range tcp
 port-object range 4444 4454
object-group service L2TP_over_IPSec udp
 port-object eq 1701
 port-object eq 4500
 port-object eq isakmp
access-list outside_access_in extended permit tcp any object CAFFEINE-RTORRENT object-group rtorrent-webUI
access-list outside_access_in extended permit tcp any object CAFFEINE-SSH eq ssh
access-list outside_access_in extended permit tcp any object CAFFEINE-ICECAST object-group Icecast
access-list outside_access_in extended permit tcp any object ASDM eq 8080
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list split-tunnel standard permit host 192.168.0.200
access-list split-tunnel standard permit 192.168.0.0 255.255.255.0
access-list PERMIT_IPV6 extended permit ip 192.168.0.0 255.255.255.0 object ANYCONNECT_VPN
access-list outside_access_in_1 extended permit ip any any
access-list outside_access_in_1 extended permit 41 any any
access-list inside_access_in_1 extended permit 41 any any
access-list inside_access_in_1 extended permit ip any any
access-list global_access extended permit icmp any any echo
access-list global_access extended permit icmp any any echo-reply
access-list global_access extended deny ip object ESX_5_SERVER any
access-list global_access extended permit ip 192.168.0.0 255.255.255.0 any
access-list global_access extended permit tcp any object MSF object-group metasploit_range
access-list global_access extended permit tcp any object MEDIA_2K8 eq 64620
access-list global_access extended permit tcp any object EXCHANGE_ACTIVESYNC eq www
access-list global_access extended permit tcp any object EXCHANGE_OWA eq https
access-list global_access extended permit tcp any object EXCHANGE_SMTP(SSL) eq 587
access-list global_access extended permit tcp any object CAFFEINE-RTORRENT object-group rtorrent-webUI
access-list global_access extended permit tcp any object CAFFEINE-SSH eq ssh
access-list global_access extended permit tcp any object APACHE-SSL eq 8443
access-list global_access extended permit tcp any object ASA-ASDM_SSLVPN eq www
access-list global_access extended permit tcp any object CAFFEINE-NESSUS eq 8834
access-list global_access extended permit tcp any object EXCHANGE_IMAP eq 993
access-list global_access extended permit tcp any object EXCHANGE_SMTP eq smtp
access-list global_access extended permit tcp any object RRAS eq pptp
access-list global_access extended permit udp any object RRAS object-group L2TP_over_IPSec
access-list global_access extended permit gre any object RRAS
pager lines 24
logging enable
logging console debugging
logging buffered debugging
logging asdm informational
logging from-address asa@coffee.no-ip.info
mtu inside 1500
mtu outside 1500
ip local pool VPN 192.168.0.200-192.168.0.205 mask 255.255.255.0
ipv6 access-list outside_access_ipv6_in permit icmp6 interface outside interface inside echo
ipv6 access-list outside_access_ipv6_in permit icmp6 interface outside interface inside echo-reply
ipv6 access-list global_access_ipv6 permit tcp any any eq ssh inactive
ipv6 access-list global_access_ipv6 permit tcp any any eq https inactive
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-641.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source static INSIDE_LAN INSIDE_LAN destination static ANYCONNECT_VPN ANYCONNECT_VPN
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.0.200_29 NETWORK_OBJ_192.168.0.200_29
!
object network INSIDE_LAN
 nat (inside,outside) dynamic interface
object network CAFFEINE-SSH
 nat (inside,outside) static interface service tcp ssh ssh
object network CAFFEINE-RTORRENT
 nat (inside,outside) static interface service tcp 8011 8011
object network APACHE-SSL
 nat (inside,outside) static interface service tcp 8443 8443
object network MSF
 nat (inside,outside) static interface service tcp 4444 4444
object network CAFFEINE-NESSUS
 nat (inside,outside) static interface service tcp 8834 8834
object network EXCHANGE_SMTP(SSL)
 nat (inside,outside) static interface service tcp 587 587
object network EXCHANGE_OWA
 nat (inside,outside) static interface service tcp https https
object network EXCHANGE_ACTIVESYNC
 nat (inside,outside) static interface service tcp www www
object network EXCHANGE_IMAP
 nat (inside,outside) static interface service tcp 993 993
object network EXCHANGE_SMTP
 nat (inside,outside) static interface service tcp smtp smtp
object network MEDIA_2K8
 nat (inside,outside) static interface service tcp 64620 64620
object network RRAS
 nat (inside,outside) static interface service tcp pptp pptp
access-group PERMIT_IPV6 in interface outside
access-group outside_access_ipv6_in in interface outside
access-group global_access global
access-group global_access_ipv6 global
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable 8080
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 fqdn DANS-FW
 subject-name CN=DANS-FW
 keypair sslvpnkey
 no client-types
 crl configure
crypto ca certificate chain ASDM_TrustPoint0
 certificate 184b464e
    308201cb 30820134 a0030201 02020418 4b464e30 0d06092a 864886f7 0d010104
    0500302a 3110300e 06035504 03130744 414e532d 46573116 30140609 2a864886
    f70d0109 02160744 414e532d 4657301e 170d3131 30383133 30393539 35325a17
    0d323130 38313030 39353935 325a302a 3110300e 06035504 03130744 414e532d
    46573116 30140609 2a864886 f70d0109 02160744 414e532d 46573081 9f300d06
    092a8648 86f70d01 01010500 03818d00 30818902 818100ae 53e7e59e add0bfc1
    10013a1f 9d15be8e 3f5c63dd fa0c4ff7 87b19e5d 2180d901 9a637859 9d275561
    c0f0a362 a6347ae8 593d3d40 1be35bd7 95534670 f25ed53f ee877752 28074c86
    fa5457dd f0db3518 fdfa0155 28422e37 1d4d8d6b 496f8b78 f3bc97d7 5a7e87b5
    73627862 57e6b22c 5fdf437f f388eeee 1aca4991 b2d7a702 03010001 300d0609
    2a864886 f70d0101 04050003 81810096 baa4e96e ba0991bb 65550537 777cf341
    74f7b17b 4a446fc0 11e0c9a7 b235b2a2 ad6749fa d43a2329 4cecd850 6d3000e5
    d41c5e0f a2a12efe b77d373e 51ed8c76 6d0fb7da 0b72d714 1b6692ee 7f3dcfb7
    43f70596 af7e1139 7f8725a0 18a64a69 a49122fa 6fc85c0e 3a3fb658 7146aa09
    93b731ea 047ab713 74de300f c68599
  quit
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 192.168.0.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
dhcpd auto_config outside
!
dhcpd dns 129.250.35.250 129.250.35.251 interface inside
!
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ssl trust-point ASDM_TrustPoint0 inside
ssl trust-point ASDM_TrustPoint0 outside
webvpn
 port 8080
 enable outside
 anyconnect image disk0:/anyconnect-dart-win-2.5.0217-k9.pkg 1
 anyconnect profiles coffee_anyconnect_client_profile disk0:/coffee_anyconnect_client_profile.xml
 anyconnect enable
 tunnel-group-list enable
group-policy DefaultRAGroup internal
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
group-policy GroupPolicy_coffee_anyconnect internal
group-policy GroupPolicy_coffee_anyconnect attributes
 wins-server none
 dns-server value 192.168.0.25 4.2.2.2
 vpn-tunnel-protocol ikev2 ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel
 default-domain value securesub
 webvpn
  anyconnect ssl rekey time 30
  anyconnect ssl rekey method ssl
  anyconnect profiles value coffee_anyconnect_client_profile type user
group-policy coffee_clientless internal
group-policy coffee_clientless attributes
 vpn-tunnel-protocol ssl-clientless
 webvpn
  url-list value dans
  anyconnect ask none default anyconnect
username dano password blah encrypted privilege 15
tunnel-group coffee_anyconnect type remote-access
tunnel-group coffee_anyconnect general-attributes
 address-pool VPN
 default-group-policy GroupPolicy_coffee_anyconnect
tunnel-group coffee_anyconnect webvpn-attributes
 group-alias coffee_anyconnect disable
 group-alias securesub enable
tunnel-group coffee_clientless type remote-access
tunnel-group coffee_clientless general-attributes
 default-group-policy coffee_clientless
!
class-map global-class
 match default-inspection-traffic
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map FTPPOLICY
 class inspection_default
  inspect ftp
policy-map global-policy
 class global-class
  inspect esmtp
  inspect pptp
!
service-policy global-policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
hpm topN enable
Cryptochecksum:72515fc971787d2e0a9ddc7356843515
04-02-2012 02:19 PM
Hi,
So your current situation is that you are using AnyConnect with Split-tunneling? So you can access the LAN through VPN and Internet through the users local Internet connection?
I wonder if the problem with Full-Tunnel + Internet traffic is due to problem with NATing the traffic from VPN Client pool to the "outside" interface IP?
I think that NAT could be done by the following configuration:
object network VPN-POOL
subnet 192.168.0.200 255.255.255.248
nat (outside,outside) after-auto source dynamic VPN-POOL interface
EDIT: The "after-auto" should take the rule at the bottom of the NAT rules, but I'm still thinking whether it would interfere with the configuration even if it didn't have the parameter.
I've only done this in software 8.2 and below, where it was
global (outside) 1 x.x.x.x
nat (inside) 1 10.10.10.0 255.255.255.0
nat (outside) 1 192.168.0.200 255.255.255.248
But as I said, I haven't done this with the new software. I can probably test this tomorrow at work though.
- Jouni
EDIT2:
I'm not 100% sure but is the following NAT statement even needed at the current configuration?
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.0.200_29 NETWORK_OBJ_192.168.0.200_29
EDIT3:
I also usually use a totally different network for the VPN-pool. Your current LAN seems to be 192.168.0.0/24 and the VPN pool is 192.168.0.200/29. Maybe the top NAT statements are causing problems with the VPN Client Internet traffic.
What I would try to do is change the VPN Client pool to some different network, do the NAT0 between LAN and POOL like you have in the current configuration (just with new VPN Pool) and use the PAT configuration mentioned earlier. Leave out the NAT statement in the "EDIT2" in this post.
Sorry, this is a lot of guessing on my part before I get to test it myself with a lab ASA.
04-02-2012 02:30 PM
I would like to try your suggestion. I was curious as to why you chose "subnet 192.168.0.200 255.255.255.248"; my VPN pool is:
ip local pool VPN 192.168.0.200-192.168.0.205 mask 255.255.255.0
Maybe I should change my VPN pool to a unique subnet. I wouldn't mind having all VPNs be 192.168.200.0/24; I'm just not sure how to route that properly. Also, will I need to go back into the group policy settings and tell it to tunnel all traffic instead of the traffic identified by the split-tunnel ACL?
access-list split-tunnel standard permit host 192.168.0.200
access-list split-tunnel standard permit 192.168.0.0 255.255.255.0
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split-tunnel
04-02-2012 02:34 PM
Hi,
Edited my original post as I was thinking about the situation.
Still a lot of guessing on my part before I can confirm it on a lab setup, which I might do tomorrow even.
04-02-2012 02:37 PM
I would be very grateful if you decided to load it up in your lab.
04-02-2012 02:35 PM
I've had a lot of people help me with my ASA over the years. I am sure I have some residual commands in there which I no longer need; I'm just not sure which ones they are. I don't think I need that line you mentioned. Looks a bit like the VPN wizard syntax.
04-02-2012 02:48 PM
I have an ASA at home also but don't have any VPN configurations on it. Could maybe do that from work tomorrow and test it from the work computer.
I tried a couple of NAT configurations and it seemed the following NAT statement overran the VPN Client pool Internet PAT configuration:
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.0.200_29 NETWORK_OBJ_192.168.0.200_29
I guess the source fields "any any" cause the problem. I think it forwards all the VPN clients' connections to your inside interface because of the "(inside,outside)" and "any any" in the statement.
Even though I have used the new software for 6-12 months, I still haven't really gotten used to the new NAT.
Still want to test this with an actual VPN Client connection.
- Jouni
04-02-2012 03:07 PM
Thanks! It's a success.
Adding the following commands to the above config made it tunnel all internet traffic through the VPN:
object network VPN-POOL
subnet 192.168.0.200 255.255.255.248
nat (outside,outside) after-auto source dynamic VPN-POOL interface
group-policy GroupPolicy_coffee_anyconnect attributes
no split-tunnel-network-list
no nat 2
I would still like your help with my other goals if you're willing. If I wanted to switch my VPN over to its own subnet, all I would have to do is something like:
Create a new pool:
ip local pool SECURESUB_VPN_USERS 192.168.200.2-192.168.200.254 mask 255.255.255.0
Modify the tunnel attributes:
tunnel-group coffee_anyconnect general-attributes
address-pool SECURESUB_VPN_USERS
And setup Routing somehow:
route inside 192.168.200.0 255.255.255.255 192.168.200.1 1
????? command to create a 192.168.200.1 interface on vlan1?
04-02-2012 03:16 PM
Hi,
Usually when you configure either an L2L VPN with remote sites/networks OR a VPN Client with a remote pool, the VPN creates a route in your ASA's routing table. So when there's a VPN connected, the ASA can see the new pool in its routing table already.
If it for some reason doesn't show even when a VPN Client is connected, you can use a command to insert the route into your routing table.
The command format is something along the lines of:
"crypto map
This will inject a route to your routing table according to your VPN configurations.
When you have a client connection, check the ASA's routing table with "show route" and you should see your VPN pool pointing towards the outside interface.
If you have a router on the LAN, just make sure it has a return route to the VPN pool network. But I assume you already have a default route pointing towards the ASA inside interface, so that should be taken care of already.
Please rate if any of this has been helpful.
Over 1 at night here so I'm gonna go sleep now. I'll look into this tomorrow at work or after work at home (if there's need).
- Jouni
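Putting the thread's two results together (the working hairpin PAT from the "Success" post, and Jouni's point that no static route is needed for the pool), here is an added ASA 8.4 example of the dedicated-subnet full-tunnel setup the poster asked about. It is not from the thread or from Cisco; the pool name SECURESUB_VPN_USERS, the 192.168.200.0/24 subnet and the INSIDE_LAN object are from the posts, while the object name VPN_POOL_200 is assumed.

```text
! Added example (not from the thread): full-tunnel AnyConnect on ASA 8.4(2)
! with the VPN pool moved to its own subnet. VPN_POOL_200 is an assumed name.

! 1. Dedicated pool, so client addresses never overlap the inside LAN
ip local pool SECURESUB_VPN_USERS 192.168.200.2-192.168.200.254 mask 255.255.255.0
object network VPN_POOL_200
 subnet 192.168.200.0 255.255.255.0

! 2. Identity (NAT-exempt) rule so LAN <-> VPN traffic keeps real addresses.
!    A manual rule sits in section 1, ahead of the object (PAT) rules.
!    Note the specific source object: the thread's "source static any any"
!    rule matched the VPN clients' Internet traffic too and broke the PAT.
nat (inside,outside) source static INSIDE_LAN INSIDE_LAN destination static VPN_POOL_200 VPN_POOL_200

! 3. Hairpin PAT for client Internet traffic: it enters and leaves on the
!    outside interface, so intra-interface traffic must be permitted, and
!    "after-auto" puts the rule in section 3 so it cannot shadow the
!    static port forwards defined under the network objects.
same-security-traffic permit intra-interface
nat (outside,outside) after-auto source dynamic VPN_POOL_200 interface

! 4. Tunnel everything instead of the split-tunnel ACL
group-policy GroupPolicy_coffee_anyconnect attributes
 split-tunnel-policy tunnelall
 no split-tunnel-network-list

! 5. Point the tunnel-group at the new pool
tunnel-group coffee_anyconnect general-attributes
 address-pool SECURESUB_VPN_USERS

! No "route" command is needed: the ASA installs a host route toward the
! outside interface for each connected client. With a client connected:
show vpn-sessiondb anyconnect
show route | include 192.168.200
show nat
```

In the "show nat" output, the identity rule should show translate hits for LAN-bound traffic and the (outside,outside) rule hits for Internet-bound traffic; if the identity rule also counts Internet-bound hits, the destination object is too broad, which is the same symptom the thread saw with "any any".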