Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Remote VPN can't access LAN devices or internet

So I have a server and a computer on the inside I can access through a ASA 5505 with ASA 9.2(1) and ASDM 7.2(1)

The computer on 192.168.1.110 through port 8080 can show me a demo website.

The server on 192.168.1.222 got my DNS, FTP, HTTP, mail and more on it.

On the outside I got a computer (by outside I mean from the firewall and cable directly into the computer) on 192.168.20.2 and the firewall's outside being 192.168.20.1

 

From the outside I can access the 8080 without problems (and I assume aswell with the server, but it's on another default gateway and cannot be accessed right now). However - when I connect through my VPN I'm assigned 192.168.30.5 but cannot connect to the inside computer through 192.168.1.110:8080.

This will throw the error: Asymmetric NAT rules matched for forward and reverse flow; Connection for udp src outside: 192.168.30.5/49608(...) dst inside: 192.168.1.222/53 denied due to NAT reverse path failure.

 

Somewhere I got a conflict or a non-created access rule. Anyone willing to take a shot?

 

I marked some with bold for what I thought could be the cause.

 

ciscoasa(config)# sh running-config 
: Saved
:
ASA Version 9.2(1) 
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names
ip local pool IP-Pool 192.168.30.5-192.168.30.200 mask 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.254 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.20.1 255.255.255.0 
!
boot system disk0:/asa921-k8.bin
ftp mode passive
same-security-traffic permit intra-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network testServer-8080
 host 192.168.1.110
 description The test server
object network Server-21
 host 192.168.1.222
 description The test server
object network Server-25
 host 192.168.1.222
 description The test server
object network Server-53
 host 192.168.1.222
 description The test server
object network Server-80
 host 192.168.1.222
 description The test server
object network Server-443
 host 192.168.1.222
 description The test server
object network Server-2525
 host 192.168.1.222
 description The test server
object network Server-993
 host 192.168.1.222
 description The test server
object network Server-6001
 host 192.168.1.222
 description The test server
object network Server-6002
 host 192.168.1.222
 description The test server
object network Server-6003
 host 192.168.1.222
 description The test server
object network Server-6004
 host 192.168.1.222
 description The test server
object network VPN-HOSTS
 subnet 192.168.30.0 255.255.255.0
object network inside
 host 192.168.1.0
object network Server-vpn
 host 192.168.1.222
access-list outside_access_in extended permit tcp any object testServer-8080 eq 8080 
access-list outside_access_in extended permit tcp any object Server-21 eq ftp 
access-list outside_access_in extended permit tcp any object Server-25 eq smtp 
access-list outside_access_in extended permit tcp any object Server-2525 eq 2525 
access-list outside_access_in extended permit udp any object Server-53 eq domain inactive 
access-list outside_access_in extended permit tcp any object Server-80 eq www 
access-list outside_access_in extended permit tcp any object Server-443 eq https 
access-list outside_access_in extended permit tcp any object Server-993 eq 993 
access-list outside_access_in extended permit tcp any object Server-6001 eq 6001 
access-list outside_access_in extended permit tcp any object Server-6002 eq 6002 
access-list outside_access_in extended permit tcp any object Server-6003 eq 6003 
access-list outside_access_in extended permit tcp any object Server-6004 eq 6004 
access-list outside_access_in extended permit ip 192.168.1.0 255.255.255.0 192.168.30.0 255.255.255.0 
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-721.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source dynamic VPN-HOSTS inside destination static Server-vpn Server-vpn
!
object network obj_any
 nat (inside,outside) dynamic interface
object network testServer-8080
 nat (inside,outside) static interface service tcp 8080 8080 
object network Server-21
 nat (inside,inside) static interface service tcp ftp ftp 
object network Server-25
 nat (inside,outside) static interface service tcp smtp smtp 
object network Server-53
 nat (inside,inside) static interface service tcp domain domain 
object network Server-80
 nat (inside,outside) static interface service tcp www www 
object network Server-443
 nat (inside,outside) static interface service tcp https https 
object network Server-2525
 nat (inside,outside) static interface service tcp 2525 2525 
object network Server-993
 nat (inside,outside) static interface service tcp 993 993 
object network Server-6001
 nat (inside,outside) static interface service tcp 6001 6001 
object network Server-6002
 nat (inside,outside) static interface service tcp 6002 6002 
object network Server-6003
 nat (inside,outside) static interface service tcp 6003 6003 
object network Server-6004
 nat (inside,outside) static interface service tcp 6004 6004 
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server HSS-auth-server protocol radius
 authorize-only
aaa-server HSS-auth-server (inside) host 192.168.1.222
 timeout 5
 key *****
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpool policy
crypto isakmp nat-traversal 30
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 130
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy HSSvpn internal
group-policy HSSvpn attributes
 dns-server value 192.168.1.222
 vpn-tunnel-protocol ikev1 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value outside_access_in ! this value had it's own name earlier
 default-domain value hss.dk
tunnel-group HSSvpn type remote-access
tunnel-group HSSvpn general-attributes
 address-pool IP-Pool
 authentication-server-group HSS-auth-server
 default-group-policy HSSvpn
 password-management
tunnel-group HSSvpn ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group HSSvpn ppp-attributes
 no authentication chap
 no authentication ms-chap-v1
 authentication ms-chap-v2
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
!
service-policy global_policy global
prompt hostname context 
no call-home reporting anonymous
Cryptochecksum:9859258e11364180cf9b3e21173b3f2f
: end

1 ACCEPTED SOLUTION

Accepted Solutions
Super Bronze

Hi, The bolded "nat"

Hi,

 

The bolded "nat" configuration is incorrect as you suspected.

 

Replace it with something like this

 

object network LAN
 subnet 192.168.1.0 255.255.255.0

nat (inside,outside) 1 source static LAN LAN destination static VPN-HOSTS VPN-HOSTS

 

I would also suggest using a separate "standard" access-list for the Split Tunnel ACL.

For example

access-list SPLIT-TUNNEL standard permit 192.168.1.0 255.255.255.0

You would naturally have to switch the above ACL to the "group-policy" used.

 

Additionally, if you want to control the connections incoming from VPN users in the "outside_access_in" ACL then you could change one of the default settings on the ASA by issuing the command

no sysopt connection permit-vpn

If you need to revert it back then just issue it without the "no" in front. Then its back to its default setting. This doesnt show in the running configuration by the way.

With this setting any connections coming from VPN connections have to be allowed on the interface ACL of the interface that terminates the VPN connection. So in your case that would be the ACL attached to the "outside" interface.

 

Hope this helps :)

 

- Jouni

22 REPLIES
Super Bronze

Hi, The bolded "nat"

Hi,

 

The bolded "nat" configuration is incorrect as you suspected.

 

Replace it with something like this

 

object network LAN
 subnet 192.168.1.0 255.255.255.0

nat (inside,outside) 1 source static LAN LAN destination static VPN-HOSTS VPN-HOSTS

 

I would also suggest using a separate "standard" access-list for the Split Tunnel ACL.

For example

access-list SPLIT-TUNNEL standard permit 192.168.1.0 255.255.255.0

You would naturally have to switch the above ACL to the "group-policy" used.

 

Additionally, if you want to control the connections incoming from VPN users in the "outside_access_in" ACL then you could change one of the default settings on the ASA by issuing the command

no sysopt connection permit-vpn

If you need to revert it back then just issue it without the "no" in front. Then its back to its default setting. This doesnt show in the running configuration by the way.

With this setting any connections coming from VPN connections have to be allowed on the interface ACL of the interface that terminates the VPN connection. So in your case that would be the ACL attached to the "outside" interface.

 

Hope this helps :)

 

- Jouni

New Member

That took care of it - very

That took care of it - very nice. Thank you

 

What exactly should I write for the standard lists?

I try with just  access-list Split-Tunnel-ACL standard permit 192.168.30.0 255.255.255.0 but then get the message:

ERROR: Cannot mix different types of access lists
ERROR: <Split-Tunnel-ACL> cannot be created

Cisco Employee

Hi , Firstly configure "clear

Hi ,

 

Firstly configure "clear configure access-list Split-Tunnel-ACL" , and then run the command again "access-list Split-Tunnel-ACL standard permit 192.168.30.0 255.255.255.0".
Seems like there is already some extended entry created for this access-list.

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

New Member

It didn't work quite as good.

It didn't work quite as good. The asymmetric message is gone (thank you) but I can't access my server, 192.168.1.222 through the VPN-tunnel.

I changed the access-list name and the Group-policy for Split-tunnel, but still no luck.

Also - When I connect through the vpn and tries to access the internet, it's not through the firewall (but this is what's called split-tunneling, right?).

 

My latest setup, marked with "suspicious" lines:

 

: Saved
ASA Version 9.2(1) 
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names
ip local pool IP-Pool 192.168.30.5-192.168.30.200 mask 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.253 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute 
!
boot system disk0:/asa921-k8.bin
ftp mode passive
same-security-traffic permit intra-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network Server-25
 host 192.168.1.222
 description The test server
object network Server-80
 host 192.168.1.222
 description The test server
object network Server-443
 host 192.168.1.222
 description The test server
object network Server-2525
 host 192.168.1.222
 description The test server
object network Server-993
 host 192.168.1.222
 description The test server
object network Server-6001
 host 192.168.1.222
 description The test server
object network Server-6002
 host 192.168.1.222
 description The test server
object network Server-6003
 host 192.168.1.222
 description The test server
object network Server-6004
 host 192.168.1.222
 description The test server
object network VPN-HOSTS
 subnet 192.168.30.0 255.255.255.0
object network inside-net
 host 192.168.1.0
object network VPN-Server
 host 192.168.1.222
access-list outside_access_in extended permit tcp any object Server-25 eq smtp 
access-list outside_access_in extended permit tcp any object Server-2525 eq 2525 
access-list outside_access_in extended permit tcp any object Server-80 eq www 
access-list outside_access_in extended permit tcp any object Server-443 eq https 
access-list outside_access_in extended permit tcp any object Server-993 eq 993 
access-list outside_access_in extended permit tcp any object Server-6001 eq 6001 
access-list outside_access_in extended permit tcp any object Server-6002 eq 6002 
access-list outside_access_in extended permit tcp any object Server-6003 eq 6003 
access-list outside_access_in extended permit tcp any object Server-6004 eq 6004 
access-list outside_access_in extended permit ip 192.168.1.0 255.255.255.0 192.168.30.0 255.255.255.0 
access-list Split-Tunnel-ACL standard permit 192.168.30.0 255.255.255.0 

no pager
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-721.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static inside-net inside-net destination static VPN-HOSTS VPN-HOSTS
nat (inside,outside) source static VPN-Server VPN-Server destination static VPN-HOSTS VPN-HOSTS

!
object network obj_any
 nat (inside,outside) dynamic interface
object network Server-25
 nat (inside,outside) static interface service tcp smtp smtp 
object network Server-80
 nat (inside,outside) static interface service tcp www www 
object network Server-443
 nat (inside,outside) static interface service tcp https https 
object network Server-2525
 nat (inside,outside) static interface service tcp 2525 2525 
object network Server-993
 nat (inside,outside) static interface service tcp 993 993 
object network Server-6001
 nat (inside,outside) static interface service tcp 6001 6001 
object network Server-6002
 nat (inside,outside) static interface service tcp 6002 6002 
object network Server-6003
 nat (inside,outside) static interface service tcp 6003 6003 
object network Server-6004
 nat (inside,outside) static interface service tcp 6004 6004 
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server HSS-auth-server protocol radius
 authorize-only
aaa-server HSS-auth-server (inside) host 192.168.1.222
 timeout 5
 key *****
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpool policy
crypto isakmp nat-traversal 30
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 130
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcp-client client-id interface outside
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy HSSvpn internal
group-policy HSSvpn attributes
 wins-server value 192.168.1.222
 dns-server value 192.168.1.222
 vpn-tunnel-protocol ikev1 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split-Tunnel-ACL
 default-domain value hss.dk
tunnel-group HSSvpn type remote-access
tunnel-group HSSvpn general-attributes
 address-pool IP-Pool
 authentication-server-group HSS-auth-server
 default-group-policy HSSvpn
 password-management
tunnel-group HSSvpn ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group HSSvpn ppp-attributes
 no authentication chap
 no authentication ms-chap-v1
 authentication ms-chap-v2
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
!
service-policy global_policy global
prompt hostname context 
no call-home reporting anonymous
Cryptochecksum:74e93a19385822503dbd9f3a72c202c2
: end

ciscoasa(config)# 

Cisco Employee

Add "access-list Split-Tunnel

Add "access-list Split-Tunnel-ACL standard permit 192.168.1.0 255.255.255.0 " to the configuration and this should help.

Regards,
Dinesh Moudgil
P.S. Please rate helpful posts.

New Member

I can connect to the server

I can connect to the server :D You are the master of ASA!

Then it turned out that I have misunderstood what I needed. I fell over this nice post with nice diagrams: http://blog.soundtraining.net/2013/03/how-to-configure-split-tunneling-on.html

So I take I need to do a "no split-tunnel-policy". Do I need more?

Cisco Employee

Hi ,Here are the commands:

Hi ,

Here are the commands:-

group-policy test internal
group-policy test attributes
split-tunnel-policy tunnelall-------------(allows all the traffic to go through VPN tunnel)

nat (outside,outside) 1 source dynamic VPN-HOSTS VPN-HOSTS interface

------(Allows VPN users to get Patted to external ASA IP for internet access)

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

New Member

nat throws me an error:

nat throws me an error:

"Subnet can not be used as mapped source in dynamic NAT policy"

Perhaps it not good with the object... should it be modified?

object network VPN-HOSTS

  subnet 192.168.30.0 255.255.255 0

Cisco Employee

Can you please try removing

Can you please try removing previous static nat for inside to outside interface.
Also, try these commands:-

object-group network VPC-HOSTS
network 192.168.30.0 255.255.255.0
exit
nat (outside,outside) 1 source dynamic VPC-HOSTS interface

 

Regards,
Dinesh Moudgil
P.S. Please rate helpful posts.

 

New Member

slightly confused here:there

slightly confused here:

there's no 'network' under object-group network. You have the following:

group-object

network-object.

I'm gonna go with the last and nat it and see what happens.

Cisco Employee

I meant "network-object"  :

I meant "network-object"  :)

Regards,
Dinesh Moudgil

New Member

object-group network VPC

object-group network VPC-HOSTS
    network-object 192.168.30.0 2255.255.255.0
    exit
nat (outside,outside) 1 source dynamic VPC-HOSTS interface

 

Now I have no internet and not server connection

Cisco Employee

I see that you have got

I see that you have got
"object network obj_any
 nat (inside,outside) dynamic interface"
in place and this should allow you to access internet.

Can you please share the output of this command
"packet-tracer input inside icmp <internal host ip> 8 0 4.2.2.2 detailed"

Regards,
Dinesh Moudgil

New Member

ciscoasa(config)# $icmp 192

ciscoasa(config)# $icmp 192.168.1.0 8 0 4.2.2.2 detailed packet-tracer input inside icmp 192.168.1.0 8 0 4.2.2.2 detailed$
 
Phase: 1
Type: ACCESS-LIST
Subtype: 
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xcc7b8c18, priority=1, domain=permit, deny=false
hits=744126, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=inside, output_ifc=any
 
Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         via 78.143.76.193, outside
 
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (sp-security-failed) Slowpath security checks failed
Cisco Employee

Is this "192.168.1.0 " a

Is this "192.168.1.0 " a valid IP , seems like a network address for the subnet.
Morevoer,  for the testing , you can try removing the natting pertaining to VPN and this should isolate whether the issue is related to any vpn specific problem .

Regards,
Dinesh Moudgil

New Member

Okay - I removed 2 nats:

Okay - I removed 2 nats:

(inside) to (outside) source stativ inside-net inside-net destination static VPN-HOSTS VPN-HOSTS
(inside) to (outside) source static VPN-Server VPN-Server destination static VPN-HOSTS VPN-HOSTS

Then I added the following:

object-group network VPC-HOSTS
    network-object object VPN-HOSTS
    exit
nat (outside,outside) 1 source dynamic VPC-HOSTS interface

But now I can't connect to my server either.

So I have the following now:

ciscoasa(config)# sh nat

Manual NAT Policies (Section 1)
1 (outside) to (outside) source dynamic VPC-HOSTS interface  
    translate_hits = 15, untranslate_hits = 0

Auto NAT Policies (Section 2)
1 (inside) to (outside) source static Server-25 interface   service tcp smtp smtp 
    translate_hits = 0, untranslate_hits = 141
2 (inside) to (outside) source static Server-2525 interface   service tcp 2525 2525 
    translate_hits = 0, untranslate_hits = 2
3 (inside) to (outside) source static Server-443 interface   service tcp https https 
    translate_hits = 0, untranslate_hits = 382
4 (inside) to (outside) source static Server-6001 interface   service tcp 6001 6001 
    translate_hits = 0, untranslate_hits = 1
5 (inside) to (outside) source static Server-6002 interface   service tcp 6002 6002 
    translate_hits = 0, untranslate_hits = 1
6 (inside) to (outside) source static Server-6003 interface   service tcp 6003 6003 
    translate_hits = 0, untranslate_hits = 1
7 (inside) to (outside) source static Server-6004 interface   service tcp 6004 6004 
    translate_hits = 0, untranslate_hits = 1
8 (inside) to (outside) source static Server-80 interface   service tcp www www 
    translate_hits = 0, untranslate_hits = 41
9 (inside) to (outside) source static Server-993 interface   service tcp 993 993 
    translate_hits = 0, untranslate_hits = 4
10 (inside) to (outside) source dynamic obj_any interface  
    translate_hits = 15971, untranslate_hits = 1734

ciscoasa(config)# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list outside_access_in; 10 elements; name hash: 0x6892a938
access-list outside_access_in line 1 extended permit tcp any object Server-25 eq smtp (hitcnt=138) 0x8279bd15 
  access-list outside_access_in line 1 extended permit tcp any host 192.168.1.222 eq smtp (hitcnt=138) 0x8279bd15 
access-list outside_access_in line 2 extended permit tcp any object Server-2525 eq 2525 (hitcnt=2) 0x7a12d27c 
  access-list outside_access_in line 2 extended permit tcp any host 192.168.1.222 eq 2525 (hitcnt=2) 0x7a12d27c 
access-list outside_access_in line 3 extended permit tcp any object Server-80 eq www (hitcnt=34) 0xc27074e8 
  access-list outside_access_in line 3 extended permit tcp any host 192.168.1.222 eq www (hitcnt=34) 0xc27074e8 
access-list outside_access_in line 4 extended permit tcp any object Server-443 eq https (hitcnt=382) 0xd56cd96f 
  access-list outside_access_in line 4 extended permit tcp any host 192.168.1.222 eq https (hitcnt=382) 0xd56cd96f 
access-list outside_access_in line 5 extended permit tcp any object Server-993 eq 993 (hitcnt=4) 0x9aad06e1 
  access-list outside_access_in line 5 extended permit tcp any host 192.168.1.222 eq 993 (hitcnt=4) 0x9aad06e1 
access-list outside_access_in line 6 extended permit tcp any object Server-6001 eq 6001 (hitcnt=1) 0xf111c67c 
  access-list outside_access_in line 6 extended permit tcp any host 192.168.1.222 eq 6001 (hitcnt=1) 0xf111c67c 
access-list outside_access_in line 7 extended permit tcp any object Server-6002 eq 6002 (hitcnt=1) 0x04d9343c 
  access-list outside_access_in line 7 extended permit tcp any host 192.168.1.222 eq 6002 (hitcnt=1) 0x04d9343c 
access-list outside_access_in line 8 extended permit tcp any object Server-6003 eq 6003 (hitcnt=1) 0x1e4fc03f 
  access-list outside_access_in line 8 extended permit tcp any host 192.168.1.222 eq 6003 (hitcnt=1) 0x1e4fc03f 
access-list outside_access_in line 9 extended permit tcp any object Server-6004 eq 6004 (hitcnt=1) 0xf592047a 
  access-list outside_access_in line 9 extended permit tcp any host 192.168.1.222 eq 6004 (hitcnt=1) 0xf592047a 
access-list outside_access_in line 10 extended permit ip 192.168.1.0 255.255.255.0 192.168.30.0 255.255.255.0 (hitcnt=0) 0x48c21174 
access-list Split-Tunnel-ACL; 2 elements; name hash: 0xb6366fb1
access-list Split-Tunnel-ACL line 1 standard permit 192.168.30.0 255.255.255.0 (hitcnt=0) 0x73386a19 
access-list Split-Tunnel-ACL line 2 standard permit 192.168.1.0 255.255.255.0 (hitcnt=0) 0xb74dbf27 

ciscoasa(config)# 

Cisco Employee

You will need those nats for

You will need those nats for internal access and the outside to outside nat for accessing internet and they should work in parallel as well.

Regards,
Dinesh Moudgil

New Member

I added them again - still no

I added them again - still no access to server or internet.

Would you like to see the sh running-config?

Cisco Employee

Please send the running

Please send the running configuration.

Regards,
Dinesh Moudgil

New Member

=~=~=~=~=~=~=~=~=~=~=~= PuTTY

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2014.07.11 16:11:21 =~=~=~=~=~=~=~=~=~=~=~=

: Saved

ASA Version 9.2(1) 
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names
ip local pool IP-Pool 192.168.30.5-192.168.30.200 mask 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.253 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute 
!
boot system disk0:/asa921-k8.bin
ftp mode passive
same-security-traffic permit intra-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network Server-25
 host 192.168.1.222
 description The test server
object network Server-80
 host 192.168.1.222
 description The test server
object network Server-443
 host 192.168.1.222
 description The test server
object network Server-2525
 host 192.168.1.222
 description The test server
object network Server-993
 host 192.168.1.222
 description The test server
object network Server-6001
 host 192.168.1.222
 description The test server
object network Server-6002
 host 192.168.1.222
 description The test server
object network Server-6003
 host 192.168.1.222
 description The test server
object network Server-6004
 host 192.168.1.222
 description The test server
object network VPN-HOSTS
 subnet 192.168.30.0 255.255.255.0
object network inside-net
 host 192.168.1.0
object network VPN-Server
 host 192.168.1.222
object-group network VPC-HOSTS
 network-object 192.168.30.0 255.255.255.0
access-list outside_access_in extended permit tcp any object Server-25 eq smtp 
access-list outside_access_in extended permit tcp any object Server-2525 eq 2525 
access-list outside_access_in extended permit tcp any object Server-80 eq www 
access-list outside_access_in extended permit tcp any object Server-443 eq https 
access-list outside_access_in extended permit tcp any object Server-993 eq 993 
access-list outside_access_in extended permit tcp any object Server-6001 eq 6001 
access-list outside_access_in extended permit tcp any object Server-6002 eq 6002 
access-list outside_access_in extended permit tcp any object Server-6003 eq 6003 
access-list outside_access_in extended permit tcp any object Server-6004 eq 6004 
access-list outside_access_in extended permit ip 192.168.1.0 255.255.255.0 192.168.30.0 255.255.255.0 
access-list Split-Tunnel-ACL standard permit 192.168.30.0 255.255.255.0 
access-list Split-Tunnel-ACL standard permit 192.168.1.0 255.255.255.0 
no pager
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-721.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (outside,outside) source dynamic VPC-HOSTS interface
nat (inside,outside) source static inside-net inside-net destination static VPN-HOSTS VPN-HOSTS
nat (inside,outside) source static VPN-HOSTS VPN-HOSTS destination static VPN-HOSTS VPN-HOSTS
!
object network obj_any
 nat (inside,outside) dynamic interface
object network Server-25
 nat (inside,outside) static interface service tcp smtp smtp 
object network Server-80
 nat (inside,outside) static interface service tcp www www 
object network Server-443
 nat (inside,outside) static interface service tcp https https 
object network Server-2525
 nat (inside,outside) static interface service tcp 2525 2525 
object network Server-993
 nat (inside,outside) static interface service tcp 993 993 
object network Server-6001
 nat (inside,outside) static interface service tcp 6001 6001 
object network Server-6002
 nat (inside,outside) static interface service tcp 6002 6002 
object network Server-6003
 nat (inside,outside) static interface service tcp 6003 6003 
object network Server-6004
 nat (inside,outside) static interface service tcp 6004 6004 
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server HSS-auth-server protocol radius
 authorize-only
aaa-server HSS-auth-server (inside) host 192.168.1.222
 timeout 5
 key *****
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpool policy
crypto isakmp nat-traversal 30
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 130
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcp-client client-id interface outside
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy HSSvpn internal
group-policy HSSvpn attributes
 wins-server value 192.168.1.222
 dns-server value 192.168.1.222
 vpn-tunnel-protocol ikev1 
 split-tunnel-policy tunnelall
 split-tunnel-network-list value Split-Tunnel-ACL
 default-domain value hss.dk
tunnel-group HSSvpn type remote-access
tunnel-group HSSvpn general-attributes
 address-pool IP-Pool
 authentication-server-group HSS-auth-server
 default-group-policy HSSvpn
 password-management
tunnel-group HSSvpn ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group HSSvpn ppp-attributes
 no authentication chap
 no authentication ms-chap-v1
 authentication ms-chap-v2
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
!
service-policy global_policy global
prompt hostname context 
no call-home reporting anonymous
Cryptochecksum:3b2c6d693fa00697df7345ce5c8dbe0f
: end

New Member

And here I mean through the

And here I mean through the vpn-port. Inside can connect just fine to both of them.

Cisco Employee

Hi ,As confirmed by Jouni ,

Hi ,


As confirmed by Jouni , configured nat is causing the issue .
Looking at your configuration , adding this should take care of the natting issues:-

nat (inside,outside) source static testServer-8080 testServer-8080  inside destination static VPN-HOSTS VPN-HOSTS no-proxy-arp route-lookup

Regards,
Dinesh Moudgil

668
Views
26
Helpful
22
Replies
CreatePlease login to create content