topic problems with VPN and NAT in Network Security

problems with VPN and NAT

djxtcsthlm77 — Tue, 12 Mar 2019 02:44:57 GMT

I'm running a ASA 5505 with IOS 8.4

I was trying to setup anyconnect ssl vpn and now it's really strange, i cant get it to work.

I'm able to connect to the VPN service, but no network at all. I cant connect to either local hosts or to the internet when i'm connected to the VPN.

Below is my full config (masking password & public IP).

Anyone have any ideas? Or where i can start troubleshoot?

: Saved

ASA Version 8.4(4)1

hostname vpn

domain-name domain.com

enable password XXXXXXXXXXXXXXX encrypted

passwd XXXXXXXXXXXXX encrypted

names

interface Ethernet0/0

switchport access vlan 2

interface Ethernet0/1

interface Ethernet0/2

interface Ethernet0/3

interface Ethernet0/4

interface Ethernet0/5

interface Ethernet0/6

interface Ethernet0/7

interface Vlan1

nameif inside

security-level 100

ip address 192.168.240.1 255.255.255.0

interface Vlan2

nameif outside

security-level 0

ip address X.Y.Z.Z 255.255.255.224

boot system disk0:/asa844-1-k8.bin

boot system disk0:/asa825-k8.bin

ftp mode passive

dns domain-lookup inside

dns domain-lookup outside

dns server-group DefaultDNS

name-server 8.8.8.8

name-server 8.8.4.4

domain-name domain.com

object network obj-192.168.240.0

subnet 192.168.240.0 255.255.255.0

object-group network NETWORK_OBJ_192.168.241.0_25

object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

access-list outside_access_in extended permit ip 192.168.240.0 255.255.255.0 any

access-list outside_access_in extended deny ip any any

access-list XXXXXX_VPN_ACL standard permit 192.168.240.0 255.255.255.0

access-list inside_access_in extended permit ip any any log disable

access-list inside_access_in extended deny ip any any

access-list nat-exempt extended permit ip 192.168.240.0 255.255.255.0 192.168.241.0 255.255.255.0

access-list VPN_ACL extended permit ip 192.168.240.0 255.255.255.0 any

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

ip local pool VPN_IP_POOL 192.168.241.50-192.168.241.70 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-649-103.bin

no asdm history enable

arp timeout 14400

object network obj-192.168.240.0

nat (inside,outside) dynamic interface

access-group inside_access_in in interface inside

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 DGW_IP 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL

http server enable

http 192.168.240.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto map outside_map interface outside

crypto ca trustpoint ASDM_TrustPoint0

enrollment self

subject-name CN=vpn.domain.com

keypair VPN

proxy-ldc-issuer

crl configure

crypto ca certificate chain ASDM_TrustPoint0

certificate 7e2d4352

3082024c 308201b5 a0030201 0202047e 2d435230 0d06092a 864886f7 0d010105

bed6f320 a5047dba 203db5cc b933cd52 25c7822d a525de87 9b521770 78e8ccff

092a8648 86f70d01 01050500 03818100 0d5404b2 20db2566 ccf213d5 d00372a4

e512093a da4f007d 5d7cb409 034dd59b 7df80f4f a9b7b014 4de91eaf beb8f3b4

16a417ba 07c04292 881413fc 18c73894 2ccc3f2a 820c449a 70516774 cf859c3a

f37b5397 4d4efc07 306a1ad2 04239f97 a26f8625 af4f90c5 28b47744 718656d8

e885a641 e3517bff 8f64be2b 21fab9c5

quit

telnet timeout 30

ssh timeout 30

ssh key-exchange group dh-group1-sha1

console timeout 0

dhcpd auto_config outside

dhcpd address 192.168.240.101-192.168.240.132 inside

dhcpd dns dns1srv dns2srv interface inside

dhcpd enable inside

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ssl trust-point ASDM_TrustPoint0 outside

webvpn

enable outside

anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1

anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 2

anyconnect enable

cache

cache-static-content enable

group-policy DfltGrpPolicy attributes

dns-server value 8.8.8.8 8.8.4.4

vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless

split-tunnel-policy tunnelspecified

split-tunnel-network-list value XXXXXX_VPN_ACL

default-domain value domain.com

split-tunnel-all-dns enable

address-pools value VPN_IP_POOL

group-policy AnyConnect internal

group-policy AnyConnect attributes

wins-server none

dns-server value 8.8.8.8 8.8.4.4

vpn-tunnel-protocol ssl-client

default-domain value domain.com

address-pools value VPN_IP_POOL

username admin password XXXXXXXXXXX encrypted

tunnel-group DefaultWEBVPNGroup general-attributes

address-pool VPN_IP_POOL

default-group-policy AnyConnect

tunnel-group VPN type remote-access

tunnel-group VPN general-attributes

address-pool VPN_IP_POOL

default-group-policy AnyConnect

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect ip-options

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

no active

destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

destination address email callhome@cisco.com

destination transport-method http

subscribe-to-alert-group diagnostic

subscribe-to-alert-group environment

subscribe-to-alert-group inventory periodic monthly

subscribe-to-alert-group configuration periodic monthly

subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:6b4b05d3f1dd7bd5888890f805018f32

: end

problems with VPN and NAT

djxtcsthlm77 — Sun, 29 Sep 2013 23:43:05 GMT

Tried a packet trace and this is the output:

It fails in the NAT section and then the result is:

(acl-drop) flow is denied by configured rule

Re: problems with VPN and NAT

Karsten Iwen — Mon, 30 Sep 2013 00:05:21 GMT

Are you only testing with PING? If yes, then configure the folowing and also test with other services (http, ftp ...):

policy-map global_policy

class inspection_default

inspect icmp

And for accessing the internet you have to configure either Split-Tunneling or NAT from outside to outside.

Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

problems with VPN and NAT

djxtcsthlm77 — Mon, 30 Sep 2013 07:16:46 GMT

Right now im concerned about why i even cant access local network resources.

I've tried adding the above commands but it didnt helt out

I do receive these errors in the log:

Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:192.168.241.51/49484(LOCAL\admin) dst inside:192.168.240.10/5000 denied due to NAT reverse path failure

Where 192..168.241.0 is my VPN IP pool and 192.168.240.0 is my local network.

Re: problems with VPN and NAT

Karsten Iwen — Mon, 30 Sep 2013 07:24:49 GMT

I just see it: You don't have any nat-exemption configured for your VPN-traffic:

object-group network VPN

network-object 192.168.241.0 255.255.255.0

object-group network LAN

network-object 192.168.240.0 255.255.255.0

nat 1 (any,outside) source static LAN LAN destination static VPN VPN no-proxy-arp route-lookup

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

problems with VPN and NAT

djxtcsthlm77 — Mon, 30 Sep 2013 07:46:42 GMT

Thanks, that solved the local network access.I still have problems with internet access now. I've checked my split tunneling but it still doesnt work, do you see anything wrong with split tunneling?

problems with VPN and NAT

Karsten Iwen — Mon, 30 Sep 2013 08:31:47 GMT

Your combination of default- and configured groups is a little bit strange but still should work. I don't remember if the old AnyConnect-client 2.5 had some special behaviour. So I would change that to the newest 3.1 release. If that works you probably have to use a public certificate to get rid of the certificate-warnings.

What do you see under secured routes in the client after you establish the connection?

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

problems with VPN and NAT

djxtcsthlm77 — Mon, 30 Sep 2013 09:18:23 GMT

Im actually running version 3.1.01085

Under secured routes i see

192.168.240.0/24