vpn acl and nat

Haim Zohar
Level 1

Hello

I have asa 5512-x

asa version 9.1(2)

asdm version 7.2(1)

 

I'm not really good with Cisco syntax, so I use ASDM.

I created a split-tunnel remote IPsec VPN with the Cisco VPN client.

The purpose is to allow traffic from the VPN to the local LAN

and to allow traffic from the VPN to a specific public website.

So I defined both objects and added them to the split tunnel exempt (object names: "LAN", "Rackspace").

Access to the LAN is OK; access to a certain website is not working.

I guess I have some NAT/ACL missing;

can someone please explain to me in the simplest way how to achieve this?

 

Thank you very much

14 Replies

Jouni Forss
VIP Alumni

Hi,

 

We can only give you general advice on what might be missing since you have not shared any configurations.

 

So the only thing that is not currently working is the connection which is supposed to use the VPN Client connection to reach a public IP address through the ASA?

 

I would presume that either (or both) of the 2 points below might be the reason for your connection not working towards the public IP address.

 

Your connection from the VPN Client host is first coming to the ASA through the "outside" interface, and I presume that the public website is also found behind the "outside" interface from the ASA's perspective? By default the ASA does not allow traffic to enter and leave through the same interface, which in this case would be "outside" (or perhaps you have named it otherwise).

 

You need the following command to allow such traffic

same-security-traffic permit intra-interface

 

You can check if you have this setting already with the command

show run same-security-traffic

 

The first command listed should enable traffic to flow in/out through the same interface.

 

In addition to the above situation you might also be missing a Dynamic PAT configuration for your VPN Clients since their connections need to be translated to a public IP address just like any LAN users accessing a public website.

 

The basic configuration format to achieve this while using the ASAs external interfaces public IP address would be the following

 

object network VPN-CLIENT-PAT
 subnet <vpn pool subnet> <mask>
 nat (outside,outside) dynamic interface

 

The above presumes that your external ASA interface is named "outside".

 

Other than the above I would confirm that your VPN Client shows the public website IP address in its routing section so you can be sure that connections towards it are forwarded to the VPN Connection and to the ASA.

 

For more specific help we would need to see some configurations.

 

Hope this helps :)

 

- Jouni

Thank you very much for the detailed answer Jouni

Can you please explain what you were referring to with "VPN-CLIENT-PAT"?

Is it a new object I should create?

Or is it the "Rackspace" object?

The VPN pool subnet is the same as my local LAN subnet, is that OK?

I was told that the VPN pool needs to be on the same subnet as my LAN.

Hi,

 

The "object" mentioned above for the VPN PAT is only meant to be used as an "object" that contains the "nat" configuration. The NAT configuration that translates the VPN users VPN Pool IP address to a public IP address when connecting to the Internet.

 

I would personally create a new "object" just for this Dynamic PAT translation and not really use it in any ACL or other configuration.

 

Though I presume that the "rackspace" object you mention holds the remote public IP address of the server? If so then it doesn't really have anything to do with this "object" I mentioned, as this contains the VPN Pool for which we are doing a NAT configuration.

 

With regards to what the VPN Pool should be, I would typically say the exact opposite. I would rather have the VPN Pool and LAN networks be 2 completely different networks, as every now and then you run into problems just because you are using addresses from the same subnet in the LAN and in the VPN Pool, even though the hosts are not directly in the same L2 network.

 

- Jouni

Hi Jouni,

Once again your detailed answers are highly appreciated.

So if I understand you correctly, I should do it like this?

object network Rackspace
 subnet <vpn pool subnet> <mask>
 nat (outside,outside) dynamic interface

?

 

Now as to the different networks,

if I created the remote IPsec VPN with a different network,

is there any specific ACL/NAT rule I need to add in order for this to communicate with my local "LAN", or would the wizard take care of this step?

 

Thank you.

 

Hi,

 

As I said before you should create a new "object" since this is only used for the VPN users NAT/PAT towards the Internet. You mentioned in your original post that you already had an "object" named "Rackspace" so you should not use the same name.

 

If you changed the VPN Pool subnet then you would likely have to configure a new NAT0 configuration whose purpose is to exempt the traffic between the LAN and VPN subnets from NAT.

 

I don't personally really use the ASDM to configure our ASAs. I am not sure if the Wizard is really appropriate for such changes to an existing connection. It's used for configuring new VPN connections rather than modifying existing ones, to my understanding.

 

I cannot really tell what configurations you need since I have not seen the current CLI format configuration of the ASA.

 

- Jouni

Hi Jouni,

The entire running config or something specific?

I apologize again for not knowing how a proper help request should look :)

Hi,

 

You can use the command "show run" on the CLI to view the full configuration. Though usually it's good to change any of your public IP addresses in the configuration to something else to avoid giving out any sensitive information publicly.

 

In your case if we were to look at the configurations related to this issue I would assume that the output of the following commands would already tell much

 

show run nat

show run access-list

show run group-policy

show run tunnel-group

 

They should list the NAT configurations, access-list configurations, Group Policies and Tunnel Groups. It might also require the output of the following commands to list the contents of the different objects you are using in the NAT configurations and/or the ACLs

 

show run object network

show run object-group

 

However, if your configuration on the ASA is very simple it might be easier to modify any public IP addresses belonging to you in the configuration and share it as it is.

 

- Jouni

sh run nat

ciscoasa(config)# sh run nat
nat (LAN,DSL) source dynamic LAN interface
nat (LAN,WAN1) source dynamic LAN interface
nat (DSL,any) source static DM_INLINE_NETWORK_5 DM_INLINE_NETWORK_5 destination static interface Asterisk
nat (LAN,WAN1) source static VPN-Tunnel VPN-Tunnel destination static NETWORK_OBJ_172.18.0.0_26 NETWORK_OBJ_172.18.0.0_26 no-proxy-arp route-lookup

 

sh run access-list

 

ciscoasa(config)# sh run access-list
access-list vpn_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list vpn_splitTunnelAcl standard permit host 74.220.57.80
access-list DSL_access_out extended permit ip object LAN any
access-list DSL_access_out extended permit ip object Voip object-group DM_INLINE_NETWORK_3
access-list WAN1_access_out extended permit ip object LAN any
access-list WAN1_access_out extended permit ip object Voip object-group DM_INLINE_NETWORK_1
access-list vpn_splitTunnelAcl_1 standard permit 192.168.1.0 255.255.255.0
access-list vpn_splitTunnelAcl_1 standard permit host 74.205.97.180
access-list WAN1_access_in extended permit ip object-group DM_INLINE_NETWORK_4 object Voip
access-list DSL_access_in extended permit ip object-group DM_INLINE_NETWORK_2 object Voip

 

sh run group-policy

ciscoasa(config)# sh run group-policy
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ssl-clientless
group-policy vpn internal
group-policy vpn attributes
 dns-server value 192.168.1.200 192.168.1.202
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpn_splitTunnelAcl
 default-domain value name.local

 

sh run tunnel-group

ciscoasa(config)# sh run tunnel-group
tunnel-group vpn type remote-access
tunnel-group vpn general-attributes
 address-pool vpnpool
 authentication-server-group LDAP
 default-group-policy vpn
tunnel-group vpn ipsec-attributes
 ikev1 pre-shared-key *****

 

 

 

sh run object network

ciscoasa(config)# sh run object network
object network LAN
 subnet 192.168.1.0 255.255.255.0
object network Asterisk
 host 192.168.1.190
object network rackspace
 host 74.220.57.80

object network NETWORK_OBJ_172.18.0.0_26
 subnet 172.18.0.0 255.255.255.192

 

sh run object-group

ciscoasa(config)# sh run object-group
object-group network VPN-Tunnel
 network-object object LAN
 network-object object rackspace

 

 

I hope that's good, thanks again

 

 

Hi,

 

What is this subnet

 

object network NETWORK_OBJ_172.18.0.0_26
 subnet 172.18.0.0 255.255.255.192

 

Also this "nat" configuration seems strange

 

nat (LAN,WAN1) source static VPN-Tunnel VPN-Tunnel destination static NETWORK_OBJ_172.18.0.0_26 NETWORK_OBJ_172.18.0.0_26 no-proxy-arp route-lookup

 

When we see that the source interface for the "nat" is "LAN" and the source networks are those configured under "VPN-Tunnel", it seems to suggest that this NAT configuration forwards traffic destined to "LAN" and "rackspace" towards the "LAN" interface. This is naturally fine for the subnet configured under "LAN", but the "rackspace" to my understanding is located behind some external interface of the ASA, correct? Though I guess I would really need to know what the subnet I mentioned at the start of the post is (that is used in this NAT configuration also).

 

What is the interface to which the VPN users connect? DSL or WAN1? Though the following command would list to which interface the Crypto Map is attached.

 

show run crypto map

 

Can you also list the output of the following command

 

show run ip local pool

 

- Jouni

 

 

 

Thanks for the reply Jouni,

This subnet is supposed to be the VPN pool subnet;

the traffic for the VPN should be via WAN1.

This NAT rule was created via the VPN wizard,

and yes, "rackspace" is located behind the external interface of the ASA.

sh run crypto map

ciscoasa(config)# sh run crypto map 
crypto map WAN1_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map WAN1_map interface WAN1

 

sh run ip local pool

ciscoasa(config)# sh run ip local pool 
ip local pool vpnpool 172.18.0.1-172.18.0.50 mask 255.255.255.0

 

Hi,

 

I guess in this case I would suggest you do the following configurations on the ASA and then test the VPN connectivity to the LAN network and to the public server.

 

object network VPN-POOL
 subnet 172.18.0.0 255.255.255.192

 

nat (LAN,WAN1) 1 source static LAN LAN destination static VPN-POOL VPN-POOL

 

The above configurations first create a new "object" to hold the VPN Pool subnet. We then use the existing "object network LAN" and the new "object network VPN-POOL" in the "nat" configuration, which will tell the ASA to exempt the traffic between these networks from NAT (usually referred to as NAT0 or NAT Exempt).

 

no nat (LAN,WAN1) source static VPN-Tunnel VPN-Tunnel destination static NETWORK_OBJ_172.18.0.0_26 NETWORK_OBJ_172.18.0.0_26 no-proxy-arp route-lookup

 

In the above command we remove the existing "nat" configuration, as it should not be needed anymore after adding the "nat" command I mentioned before. The above "nat" configuration handled the NAT0/NAT Exempt for the VPN <-> LAN traffic, but it would also possibly cause problems for the traffic from VPN -> Public Web server.

 

object network VPN-POOL-PAT
 subnet 172.18.0.0 255.255.255.192
 nat (WAN1,WAN1) dynamic interface

 

In the above we create a new "object" for the purpose of configuring the NAT for the VPN users that connect to the public Web server.

 

Then you should also check the output of the command

 

show run same-security-traffic

 

It should contain the command "same-security-traffic permit intra-interface". If not then add the command.

 

Hope this helps :)

 

- Jouni
 

Hi Jouni,

I've done as mentioned,

but one thing I'm missing: how do I limit the traffic to the outside via the VPN to be just for "rackspace"? I don't want to carry the entire Internet traffic of the remote user through the VPN tunnel.

 

 

Hi,

 

According to your configurations you have already done so. Only traffic to the single public IP and your LAN network should be forwarded to the VPN connection at the moment. The rest of the traffic should be forwarded through the VPN user's local Internet connection (wherever that might be located).

 

In your configuration you have the following things that indicate it should be fine already.

 

tunnel-group vpn type remote-access
tunnel-group vpn general-attributes
 default-group-policy vpn

 

The above configuration is the Tunnel Group for your VPN Client connection. It states that the Group Policy named "vpn" is used for this VPN connection.

 

group-policy vpn internal
group-policy vpn attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpn_splitTunnelAcl

 

When we look at the Group Policy named "vpn" we can see that it's configured so that only specific networks/hosts should be tunneled, since it has "split-tunnel-policy tunnelspecified". It further requires the command "split-tunnel-network-list value <acl name>", which tells the Group Policy which ACL tells the VPN which networks/hosts should be included in the VPN.

 

The term "tunnel" in this case simply refers to which networks/hosts are found behind the VPN connection, or in other words the destination networks/hosts for which traffic should be forwarded to the VPN connection when it's active.

 

access-list vpn_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list vpn_splitTunnelAcl standard permit host 74.220.57.80


Finally we have a look at the above ACL that lists the networks/hosts to which traffic from the VPN Client should be forwarded through the VPN Connection. So as you can see you have configured the LAN network and a single public IP address there. So only traffic destined to the mentioned addresses is forwarded through the VPN connection.

 

You did not mention yet whether the connections work. Did the changed configuration correct the situation?

 

Please do remember to mark any correct answers and rate helpful answers.

 

Feel free to ask more

 

- Jouni

 

 


 

Jouni,

Your patience and help are simply outstanding,

Thank you very much for all of your assistance and well explained details, even in a way that I can understand!

 

I really can't thank you enough

 

:)

 
