02-07-2016 04:26 AM
I have a network with a kind of special setup: 10.10.20.0/24. The gateway 10.10.20.1 is a router which routes traffic for 172.16.137.0/24 to some hosted application servers; all other traffic goes to our new ASA5506 (10.10.20.2), which supplies internet access and handles VPN connections. The problem is that when clients connect via VPN and try to go to 172.16.137.40 (our hosted test server) there is no access. I can ping 172.16.137.40 from the ASA and from computers on the 10.10.20.0 network. I think I am missing some NAT but can't get my head around it.
ASA Version 9.5(1)
!
names
ip local pool VPNPOOL 172.16.1.1-172.16.1.254 mask 255.255.255.0
ip local pool VPNTOOL2 172.16.2.1-172.16.2.254 mask 255.255.255.0
!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address 1.2.3.4 255.255.255.252
!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 10.10.20.2 255.255.255.0
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
nameif DMZ
security-level 50
ip address 10.20.20.1 255.255.255.0
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network BasicIt
host 86.52.128.14
object network KMD
subnet 84.255.64.64 255.255.255.224
object network sql
host 10.10.20.9
object network BitRemote
host 10.10.20.7
object network HTTPSFjern
host 10.10.20.6
object network SMTP
host 10.10.20.6
object network HttpDMZ
host 10.20.20.2
object network NETWORK_OBJ_172.16.1.0_24
subnet 172.16.1.0 255.255.255.0
object network NETWORK_OBJ_172.16.2.0_24
subnet 172.16.2.0 255.255.255.0
object network 10.10.20.0_lan
subnet 10.10.20.0 255.255.255.0
object network test
host 10.10.20.44
object network NETWORK_OBJ_10.10.20.0_24
subnet 10.10.20.0 255.255.255.0
object network http_TSserver
host 10.20.20.2
object network ServerExc
host 10.10.20.6
object network VPN_Pool_tunnel
subnet 172.16.1.0 255.255.255.0
object network remoteservers
subnet 172.16.137.0 255.255.255.0
object network NETWORK_OBJ_10.20.20.0_24
subnet 10.20.20.0 255.255.255.0
access-list outside_access_in extended permit tcp object BasicIt object ServerExc eq 3389
access-list outside_access_in extended permit tcp any object ServerExc eq smtp
access-list outside_access_in extended permit tcp any object HttpDMZ eq www
access-list outside_access_in extended permit tcp any object ServerExc eq https
access-list outside_access_in extended permit tcp any host 10.10.20.9 eq 444
access-list vpn_splitTunnelAcl standard permit 10.10.20.0 255.255.255.0
access-list vpn_splitTunnelAcl standard permit 172.16.137.0 255.255.255.0
access-list vpn_splitTunnelAcl standard permit 10.20.20.0 255.255.255.0
access-list VPNtest_splitTunnelAcl standard permit 10.10.20.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-752-153.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (DMZ,outside) source static NETWORK_OBJ_10.20.20.0_24 NETWORK_OBJ_10.20.20.0_24 destination static NETWORK_OBJ_172.16.1.0_24 NETWORK_OBJ_172.16.1.0_24 no-proxy-arp route-lookup
nat (DMZ,outside) source static NETWORK_OBJ_10.20.20.0_24 NETWORK_OBJ_10.20.20.0_24 destination static NETWORK_OBJ_172.16.2.0_24 NETWORK_OBJ_172.16.2.0_24 no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_10.10.20.0_24 NETWORK_OBJ_10.10.20.0_24 destination static NETWORK_OBJ_172.16.2.0_24 NETWORK_OBJ_172.16.2.0_24 no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_10.10.20.0_24 NETWORK_OBJ_10.10.20.0_24 destination static NETWORK_OBJ_172.16.1.0_24 NETWORK_OBJ_172.16.1.0_24 no-proxy-arp route-lookup
!
object network ffktsql
nat (inside,outside) static interface service tcp 444 444
object network BitRemote
nat (inside,outside) static interface service tcp 3389 3389
object network HTTPSFjern
nat (inside,outside) static interface service tcp https https
object network SMTP
nat (inside,outside) static interface service tcp smtp smtp
object network http_TSserver
nat (DMZ,outside) static interface service tcp www www
!
nat (DMZ,outside) after-auto source dynamic any interface
nat (inside,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 1.2.3.4 1
route inside 172.16.137.0 255.255.255.0 10.10.20.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
aaa-server SHV-dc01 protocol radius
aaa-server SHV-dc01 (inside) host 10.10.20.7
key *****
radius-common-pw *****
user-identity default-domain LOCAL
http server enable 4444
http 0.0.0.0 0.0.0.0 inside
02-07-2016 01:53 PM
Based on the configuration, it looks like your dynamic NAT rules are most likely translating the 172.16.137.0/24 network to the outside interface IP before it attempts to reach your VPN networks.
You could verify it with this command and post the output, if you wanted: packet-tracer input inside tcp 172.16.137.40 3271 172.16.1.1 80
This configuration should solve your problem:
object-group network VPN_Networks
network-object object NETWORK_OBJ_172.16.1.0_24
network-object object NETWORK_OBJ_172.16.2.0_24
nat (inside,outside) source static remoteservers remoteservers destination static VPN_Networks VPN_Networks
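As an added example (not part of the thread and not a Cisco tool), a small Python checker that reads the relevant forms of the posted config and lists every split-tunnel destination that has no identity (twice) NAT toward a VPN pool; the config excerpt is a constructed subset of the post above, `FIX` is JJohnston's rule, and the parser only understands the object, object-group, pool, standard ACL and `source static` NAT lines seen on this page.

```python
import ipaddress
import re
ASA_CFG = """
ip local pool VPNPOOL 172.16.1.1-172.16.1.254 mask 255.255.255.0
ip local pool VPNTOOL2 172.16.2.1-172.16.2.254 mask 255.255.255.0
object network NETWORK_OBJ_172.16.1.0_24
 subnet 172.16.1.0 255.255.255.0
object network NETWORK_OBJ_172.16.2.0_24
 subnet 172.16.2.0 255.255.255.0
object network NETWORK_OBJ_10.10.20.0_24
 subnet 10.10.20.0 255.255.255.0
object network remoteservers
 subnet 172.16.137.0 255.255.255.0
access-list vpn_splitTunnelAcl standard permit 10.10.20.0 255.255.255.0
access-list vpn_splitTunnelAcl standard permit 172.16.137.0 255.255.255.0
nat (inside,outside) source static NETWORK_OBJ_10.10.20.0_24 NETWORK_OBJ_10.10.20.0_24 destination static NETWORK_OBJ_172.16.2.0_24 NETWORK_OBJ_172.16.2.0_24 no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_10.10.20.0_24 NETWORK_OBJ_10.10.20.0_24 destination static NETWORK_OBJ_172.16.1.0_24 NETWORK_OBJ_172.16.1.0_24 no-proxy-arp route-lookup
"""  # constructed excerpt of the posted config: only the lines this check reads
FIX = """
object-group network VPN_Networks
 network-object object NETWORK_OBJ_172.16.1.0_24
 network-object object NETWORK_OBJ_172.16.2.0_24
nat (inside,outside) source static remoteservers remoteservers destination static VPN_Networks VPN_Networks
"""  # the rule from the accepted answer
def parse_asa(cfg):  # -> (objects, groups, vpn_pools, split_tunnel_nets, identity_nat_pairs)
    objects, groups, pools, split, exempt, cur = {}, {}, [], set(), [], None
    for line in (raw.strip() for raw in cfg.splitlines()):
        if m := re.match(r"object(-group)? network (\S+)$", line):
            cur = m[2]; groups.update({cur: []} if m[1] else {})  # indented lines that follow belong to cur
        elif m := re.match(r"(host|subnet) (\S+) ?(\S*)", line):
            objects[cur] = ipaddress.ip_network(f"{m[2]}/{m[3]}" if m[3] else m[2])
        elif m := re.match(r"network-object object (\S+)", line):
            groups[cur].append(m[1])
        elif m := re.match(r"ip local pool \S+ (\S+)-\S+ mask (\S+)", line):
            pools.append(ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False))
        elif m := re.match(r"access-list \S+_splitTunnelAcl standard permit (\S+) (\S+)", line):
            split.add(ipaddress.ip_network(f"{m[1]}/{m[2]}"))
        elif m := re.match(r"nat \(\w+,outside\) source static (\S+) \1 destination static (\S+) \2", line):
            exempt.append((m[1], m[2]))  # twice NAT with real == mapped, i.e. a NAT exemption
    return objects, groups, pools, split, exempt
def expand(name, objects, groups):  # object or object-group name -> set of networks it covers
    if name in groups:
        return {n for member in groups[name] for n in expand(member, objects, groups)}
    return {objects[name]} if name in objects else set()
def missing_exemptions(cfg):
    """(split-tunnel net, VPN pool) pairs with no identity NAT: the reply from that net toward the pool hits the after-auto dynamic PAT instead and the session fails."""
    objects, groups, pools, split, exempt = parse_asa(cfg)
    covers = lambda name, net: any(net.subnet_of(n) for n in expand(name, objects, groups))
    return sorted(f"{net} -> {pool}" for net in split for pool in pools
                  if not any(covers(s, net) and covers(d, pool) for s, d in exempt))
```

Running `missing_exemptions(ASA_CFG)` flags 172.16.137.0/24 against both pools while 10.10.20.0/24 is already covered by the existing rules; appending `FIX` empties the list.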
02-07-2016 11:17 PM
Hi JJohnston
Thank you very much – the nat rule did the trick
Best regards Erik