topic Hi Pulkit,I have done that in Network Security

Cisco ASA 5505 cant grant inside devices outside access (ie intenet access)

cliveschneider — Tue, 12 Mar 2019 06:17:25 GMT

I have an ASA 5505 providing remote users VPN access to the inside network.

I need to provide a server internet access from the inside. I have set its gateway to the ASA inside address and tinkered endlessly with Access Rules and NAT Rules but cant even ping the modem on the outside. The ASA can reach the modem and the internet without any problems. The packet tracer tool passes every time.

The basic architecture is as follows:

server---(inside)-ASA-(outside)---modem---www---[vpn remote user]

inside network: 192.168.255.0/24

ASA inside: 192.168.255.254

ASA outside: 10.0.1.254

modem: 10.0.1.1

VPN network: 10.0.2.0/24

I have attached a copy of my ASA config.

Hi,As per your description,

Pulkit Saxena — Sun, 19 Jul 2015 05:07:36 GMT

Hi,

As per your description, it seems we need to allow internet access for a server present on inside interface. It seems that your modem only allows access to internet for 10.x.x.x subnet.

Apply a dynamic NAT.

The statement that should make it work is :

nat (inside) 1 192.168.255.0 255.255.255.0

We already have a matching global.

Regards,

Pulkit Saxena

Pulkit, that worked, thank

cliveschneider — Sun, 19 Jul 2015 07:32:53 GMT

Pulkit, that worked, thank you very much!

I can now ping the modem and internet IP addresses from my inside server but DNS doesn't seem to be working (eg cant ping google.com).

I have DNS Lookup configured on inside and outside:

dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 139.130.4.4
 name-server 203.50.2.71

Hi,Please try changing the

Pulkit Saxena — Mon, 20 Jul 2015 06:45:59 GMT

Hi,

Please try changing the DNS servers to global DNS servers.

You can use 4.2.2.2 or 8.8.8.8.

Regards,

Pulkit Saxena

Hi Pulkit,I have done that

cliveschneider — Tue, 21 Jul 2015 01:38:50 GMT

Hi Pulkit,

I have done that already and it works, I just thought the ASA could behave as a DNS proxy.

New problem that I didnt pick up on earlier, the NAT rule added:

nat (inside) 1 192.168.255.0 255.255.255.0

prevents the remote access devices in the VPN address pool (10.0.2.0/24) from reaching the internal network.

Is there another NAT rule I can add to override this?

Hi,We can either specify this

Pulkit Saxena — Tue, 21 Jul 2015 08:56:59 GMT

Hi,

We can either specify this NAT statement itself. You can allow outbound access to only one server if required.

Can you provide ip address and traffic flow specifications, which is not working after the NAT statement.

Regards,

Pulkit Saxena

Hi Pulkit,The 'VPN network',

cliveschneider — Tue, 21 Jul 2015 21:05:00 GMT

Hi Pulkit,

The 'VPN network', 10.0.2.0/24, which is assigned to any AnyConnect or IPsec VPN remote access device, needs access to the entire internal network 192.168.255.0/24.

Regards,

Clive

Clive,I do feel that our NAT

Pulkit Saxena — Wed, 22 Jul 2015 06:13:22 GMT

Clive,

I do feel that our NAT statement should not affect the inbound access.

Since our NAT statement is allowing outbound access. Can you try making the NAT statement specific only allowing access to the server ?

Regards,

Pulkit Saxena

Hi Pulkit,The NAT statement

cliveschneider — Wed, 22 Jul 2015 08:11:17 GMT

Hi Pulkit,

The NAT statement needs to apply to the entire inside network.

The only changes I can see between the old and new config is the following entry seems to have been removed:

nat (inside) 0 access-list inside_nat0_outbound

When I try and add it again I get an error unless I remove the new entry. inside_nat0_outbound corresponds to:

access-list inside_nat0_outbound extended permit ip any vpn-network 255.255.255.0

Clive,Can you share the

Pulkit Saxena — Wed, 22 Jul 2015 09:20:43 GMT

Clive,

Can you share the current running configuration.

Our NAT statement is certainly not the reason and the vpn will start working once this "nat 0" command is taken.

Provide me the configuration, let me have a look at it and see if we need remove a command and then reapply it.

Regards,

Pulkit Saxena

I have attached the running

cliveschneider — Fri, 24 Jul 2015 06:50:37 GMT

I have attached the running config file. With the two NAT rules, the VPN network dowesnt have access to the inside network. When I remove the rule:

nat (inside) 1 192.168.255.0 255.255.255.0

connectivity is restored but the inside network no longer has internet access.

I have also attached a screenshot of the 2 NAT rules on the ASDM.

Clive,

Pulkit Saxena — Fri, 24 Jul 2015 15:20:41 GMT

Clive,

I personally do not have much expertise over the VPN stuff.

However after looking at the configuration, it seems that this access rule is causing the issue :

access-list inside_nat0_outbound extended permit object-group DM_INLINE_PROTOCOL_7 192.168.255.0 255.255.255.0 any

Please remove the nat 0 command and then remove this access rule and then again apply the nat 0 statement.

I think this should make both things works.

Ideally to get outbound access, all we required was a dynamic PAT which we applied.

Regards,

Pulkit Saxena

Thanks Pulkit, that worked

cliveschneider — Thu, 06 Aug 2015 01:41:05 GMT

Thanks Pulkit, that worked.

That access rule gets automatically generated when I configure my NAT rules the way I had. After removing all NAT rules and corresponding access rules and adding them again, it seems to have worked.