ASAv configuration not allowing traffic from Outside to Inside interface to access internal host over SSL VPN

JMJr — Fri, 23 Aug 2019 03:41:38 GMT

Good evening,

I am a newbie and I am asking if someone can help me with two problems? I am having a headache trying to connect with the VPN client using the Outside interface and I am trying to access an internal host from the outside over AnyConnect VPN to authenticate using RADIUS.

#1. I have an ASAv in AWS configured with Cisco AnyConnect client. When i use the VPN client to connect to the outside public IP, the client just spins and the ASDM log-viewer shows "Deny tcp src Outside <My IP address> dst management by access-group Outside access in".

I have configured the webvpn for 'enable Outside' but no luck..Can someone please tell me why this is denied and why it cannot connect via the Outside interface?

#2. I want to authenticate to the internal RADIUS server (10.0.4.132) which I cannot ping... but I can ping the inside interface address which is 10.0.4.194. The route table shows everything as local or connected except for the static route of 0.0.0.0 0.0.0.0 via 10.0.2.1(management), which is the GOLR to network 0.0.0.0.

I have posted my config below, can someone tell me what I have misconfigured and what I need to configure to get this to work?

Thanks.

name 173.37.145.8 tools.cisco.com

no mac-address auto

ip local pool VPN-POOL 192.168.20.2-192.168.20.252 mask 255.255.255.0

interface GigabitEthernet0/0

description AWS Eth1 Outside interface

nameif Outside

security-level 0

ip address 15.200.21.205 255.255.255.240

interface GigabitEthernet0/1

description AWS Eth2 Inside interface

nameif Inside

security-level 100

ip address 10.0.4.194 255.255.255.240

interface Management0/0

description AWS Eth0

nameif management

security-level 100

ip address dhcp setroute

ftp mode passive

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object network VPN

subnet 192.168.20.0 255.255.255.0

object network AWS_Inside

subnet 10.0.4.0 255.255.255.0

object network RAD-YUB2

host 10.0.4.132

access-list AnyConnect_Client_Local_Print extended deny ip any4 any4

access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd

access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol

access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631

access-list AnyConnect_Client_Local_Print remark Windows' printing port

access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100

access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol

access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353

access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol

access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355

access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol

access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137

access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns

access-list spit-tunnel standard permit 10.0.4.0 255.255.255.0

access-list vpn-acl extended permit tcp any any

access-list vpn-acl extended permit ip 10.0.4.0 255.255.255.0 192.168.20.0 255.255.255.0

access-list RAD-YUB2 standard permit any4

access-list Outside_access_in remark Auth server and Yubi MFA

access-list Outside_access_in extended permit ip any object RAD-YUB2

pager lines 23

mtu Outside 1500

mtu Inside 1500

mtu management 1500

no failover

no monitor-interface service-module

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

arp rate-limit 8192

nat (Inside,Outside) source static AWS_Inside AWS_Inside destination static VPN VPN no-proxy-arp

object network RAD-YUB2

nat (Inside,Outside) static RAD-YUB2

access-group Outside_access_in in interface Outside

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

timeout conn-holddown 0:00:15

timeout igp stale-route 0:01:10

aaa-server RADIUS protocol radius

aaa-server RADIUS (Inside) host 10.0.4.132

timeout 5

key *****

authentication-port 1812

accounting-port 1813

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL

aaa authentication login-history

http server enable

http 0.0.0.0 0.0.0.0 management

no snmp-server location

no snmp-server contact

## Crypto omitted for space

telnet timeout 5

ssh stricthostkeycheck

ssh <My IP> 255.255.255.255 management

ssh 0.0.0.0 0.0.0.0 management

ssh timeout 30

ssh version 1 2

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ssl trust-point self-signed Outside

ssl trust-point self-signed Inside

ssl trust-point self-signed management

webvpn

enable Outside

hsts

enable

max-age 31536000

include-sub-domains

no preload

anyconnect image disk0:/anyconnect-win-4.3.05017-k9.pkg 1

anyconnect image disk0:/anyconnect-macos-4.6.03049-webdeploy-k9.pkg 2

anyconnect enable

tunnel-group-list enable

cache

disable

error-recovery disable

group-policy GroupPolicy_VPN_users internal

group-policy GroupPolicy_VPN_users attributes

wins-server none

dns-server value 10.0.3.5

vpn-tunnel-protocol ssl-client ssl-clientless

split-tunnel-policy tunnelspecified

split-tunnel-network-list value vpn-acl

default-domain value x.com

dynamic-access-policy-record DfltAccessPolicy

username x password x privilege 15

username y password y privilege 15

username x attributes

service-type admin

tunnel-group VPN_users type remote-access

tunnel-group VPN_users general-attributes

address-pool VPN-POOL

authentication-server-group RADIUS

default-group-policy GroupPolicy_VPN_users

tunnel-group VPN_users webvpn-attributes

group-alias VPN_users enable

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

no tcp-inspection

policy-map global_policy

class inspection_default

inspect ip-options

inspect netbios

inspect rtsp

inspect sunrpc

inspect tftp

inspect xdmcp

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect esmtp

inspect sqlnet

inspect sip

inspect skinny

policy-map type inspect dns migrated_dns_map_2

parameters

message-length maximum client auto

message-length maximum 512

no tcp-inspection

policy-map type inspect dns migrated_dns_map_1

parameters

message-length maximum client auto

message-length maximum 512

no tcp-inspection

service-policy global_policy global

prompt hostname

call-home reporting anonymous

call-home

profile CiscoTAC-1

destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

destination address email callhome@cisco.com

destination transport-method http

subscribe-to-alert-group diagnostic

subscribe-to-alert-group environment

subscribe-to-alert-group inventory periodic monthly

subscribe-to-alert-group configuration periodic monthly

subscribe-to-alert-group telemetry periodic daily

profile License

destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

destination transport-method http

: end

M-ASAv2

Re: ASAv configuration not allowing traffic from Outside to Inside interface to access internal host over SSL VPN

Mike.Cifelli — Fri, 23 Aug 2019 15:23:22 GMT

A helpful tool from CLI is the packet tracer tool as it will tell you what is failing (ACL drop/NAT/etc.). An example of using the packet tracer from CLI would be:
#packet-tracer input {INTERFACE} tcp/udp {SRC IP} (src prt (12345)) {DST IP} (dst port())
#packet-tracer input OUTSIDE tcp 1.1.1.1 12345 2.2.2.2 25

I think there may be something wrong with your static NAT: nat (Inside,Outside) static RAD-YUB2
Typically for static nat you need an ACL that will allow the host to initiate connection.
ex: access-list EXAMPLE ext ip host 1.1.1.1 2.2.2.2 255.255.255.0
static (inside, outside) {Mapped IP} access-list EXAMPLE
Good luck & HTH!

Re: ASAv configuration not allowing traffic from Outside to Inside interface to access internal host over SSL VPN

venkat_n7 — Sat, 24 Aug 2019 21:40:53 GMT

That's interesting, you can ping inside interface on firewall but not the inside host. Can you cross verify the host is tagged to inside network subnet.

And "10.0.3.5" is the IP belongs to Management network ?

topic Re: ASAv configuration not allowing traffic from Outside to Inside interface to access internal host over SSL VPN in Network Security

ASAv configuration not allowing traffic from Outside to Inside interface to access internal host over SSL VPN

Re: ASAv configuration not allowing traffic from Outside to Inside interface to access internal host over SSL VPN

Re: ASAv configuration not allowing traffic from Outside to Inside interface to access internal host over SSL VPN