topic Re: No Nat with 9.0(1) in Network Security

No Nat with 9.0(1)

MarcoM — Tue, 12 Mar 2019 02:03:10 GMT

Hi all,

i have a config with access Vpn Client with range 192.168.2.x.

When connect with client i cannot access on local lan 192.168.1.x.

I checked the nat and everything seems ok, what's wrong?

Thanks in advance.

ASA Version 9.0(1)

hostname ASA5505

domain-name admevent

enable password UukPE.RDbYHNqiAf encrypted

passwd UukPE.RDbYHNqiAf encrypted

names

ip local pool PoolVPN 192.168.2.100-192.168.2.110 mask 255.255.255.0

interface Ethernet0/0

switchport access vlan 2

interface Ethernet0/1

interface Ethernet0/2

interface Ethernet0/3

interface Ethernet0/4

interface Ethernet0/5

interface Ethernet0/6

interface Ethernet0/7

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.100 255.255.255.0

interface Vlan2

nameif outside

security-level 0

ip address 82.x.x.x 255.255.255.248

ftp mode passive

clock timezone CEST 1

clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00

dns server-group DefaultDNS

domain-name admevent

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object network obj_any

subnet 192.168.1.0 255.255.255.0

object network NETWORK_OBJ_192.168.1.0_24

subnet 192.168.1.0 255.255.255.0

object network NETWORK_OBJ_192.168.2.96_28

subnet 192.168.2.96 255.255.255.240

object network PoolVPN

subnet 192.168.2.0 255.255.255.0

object network LAN

subnet 192.168.1.0 255.255.255.0

access-list outside_access_in extended permit ip any any

access-list VpnOut_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0

access-list VpnOut_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0

access-list inside_access_in extended permit ip any any

access-list global_access extended permit ip any any

pager lines 24

logging enable

logging asdm debugging

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-711-52.bin

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

nat (inside,outside) source static PoolVPN PoolVPN destination static LAN LAN no-proxy-arp

object network obj_any

nat (inside,outside) dynamic interface

access-group inside_access_in in interface inside

access-group outside_access_in in interface outside

access-group global_access global

route outside 0.0.0.0 0.0.0.0 82.106.194.102 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication telnet console LOCAL

http server enable

http 192.168.1.0 255.255.255.0 inside

http 192.168.2.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec security-association pmtu-aging infinite

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto ca trustpoint ASDM_TrustPoint0

enrollment self

subject-name CN=ASA5505

keypair admevent

crl configure

crypto ca trustpool policy

crypto ca certificate chain ASDM_TrustPoint0

certificate 8971be51

308201cb 30820134 a0030201 02020489 71be5130 0d06092a 864886f7 0d010105

0500302a 3110300e 06035504 03130741 53413535 30353116 30140609 2a864886

f70d0109 02160741 53413535 3035301e 170d3133 30363236 30373039 33365a17

0d323330 36323430 37303933 365a302a 3110300e 06035504 03130741 53413535

30353116 30140609 2a864886 f70d0109 02160741 53413535 30353081 9f300d06

092a8648 86f70d01 01010500 03818d00 30818902 818100cd c5648707 a99449d5

08733576 d34943a3 675e70a6 c0588998 d3ed6fa8 9461b65e cbde0e0f cf2d5aa0

022104f8 45f25e72 dbcdd310 ebd3ab81 8418ac89 6dd04445 92577695 30c5d421

64d93705 c7cd9aac 4280d6e9 5cb14aa6 c49a6ef9 82792c0c 2b0eaabd 35170c72

b9796e64 d471544a b4bfda46 4eab64dc 76ae87c0 cc130702 03010001 300d0609

2a864886 f70d0101 05050003 818100b4 c920a781 417597c3 74935ec3 d1bc25b0

cf1dd047 0a88a531 57bcc314 5c325273 24783cab 81b4457b 9586052d fbb46b6d

adc9f9b9 e1df1525 e1b2ff31 a555e296 3bca064f 021123a3 4ab53b1c f81e1239

3a5cc719 bcae1111 c245293e 96c688a9 051bdc37 8ea65e85 00af7357 1f448066

4dda9476 94204e5c d5f889f7 ff8aaa

quit

crypto ikev1 enable outside

crypto ikev1 policy 10

authentication crack

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 20

authentication rsa-sig

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 30

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 40

authentication crack

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 50

authentication rsa-sig

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 60

authentication pre-share

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 70

authentication crack

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 80

authentication rsa-sig

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 90

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 100

authentication crack

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 110

authentication rsa-sig

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 120

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 130

authentication crack

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 140

authentication rsa-sig

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 150

authentication pre-share

encryption des

hash sha

group 2

lifetime 86400

telnet 192.168.1.0 255.255.255.0 inside

telnet timeout 5

ssh 192.168.1.0 255.255.255.0 inside

ssh timeout 5

console timeout 0

management-access inside

dhcpd auto_config outside

dhcpd address 192.168.1.101-192.168.1.131 inside

dhcpd dns 8.8.8.8 interface inside

dhcpd enable inside

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

group-policy VpnOut internal

group-policy VpnOut attributes

dns-server value 8.8.8.8

vpn-tunnel-protocol ikev1

split-tunnel-policy tunnelspecified

split-tunnel-network-list value VpnOut_splitTunnelAcl

username marco password 0oRy/hK8KJ7YdcD3 encrypted privilege 15

username marco attributes

vpn-group-policy VpnOut

tunnel-group VpnOut type remote-access

tunnel-group VpnOut general-attributes

address-pool PoolVPN

default-group-policy VpnOut

tunnel-group VpnOut ipsec-attributes

ikev1 pre-shared-key *****

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:2c56fd96f150b9e0f91bbc095c12d6b9

Re: No Nat with 9.0(1)

Jouni Forss — Wed, 26 Jun 2013 10:02:27 GMT

Hi,

Your "object" are the wrong way in the NAT configuration

The LAN and VPN pool needs to be switched with each other

- Jouni

Sent from Cisco Technical Support iPad App

No Nat with 9.0(1)

MarcoM — Wed, 26 Jun 2013 10:06:06 GMT

Hi JouniForss,

thank for reply.

From:

nat (inside,outside) source static PoolVPN PoolVPN destination static LAN LAN no-proxy-arp

nat (inside,outside) source static LAN LAN destination static PoolVPN PoolVPN no-proxy-arp

right?

Re: No Nat with 9.0(1)

Jouni Forss — Wed, 26 Jun 2013 10:09:10 GMT

Hi,

Yes, that is correct.

- Jouni

Sent from Cisco Technical Support iPad App

No Nat with 9.0(1)

MarcoM — Wed, 26 Jun 2013 10:11:33 GMT

I tried this configuration, but still does not work.. 😞

Re: No Nat with 9.0(1)

Jouni Forss — Wed, 26 Jun 2013 10:15:51 GMT

Hi,

Just incase it causes problems, remove the VPN pool from the Split Tunnel ACL.

- Jouni

Sent from Cisco Technical Support iPad App

No Nat with 9.0(1)

MarcoM — Wed, 26 Jun 2013 10:20:43 GMT

i removed

access-list VpnOut_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0

but does not work from client vpn. (I also disconnected and connected)

No Nat with 9.0(1)

Jouni Forss — Wed, 26 Jun 2013 13:09:41 GMT

Hi,

Starting to sound more of a problem with the actual VPN Client computer or the host on the LAN to which you are trying to connect to.

Has this worked at any point? Or is this a new connection completely?

Have you confirmed if any connections are visible on the ASA that you are attempting from the VPN Client?

Is the service you are trying to reach enabled on the host on the LAN?

If this is ICMP traffic then I would suggest adding the configuration that was on the ASA by default. Something like this

class-map inspection_default

match default-inspection-traffic

policy-map global_policy

class inspection_default

inspect dns

inspect sqlnet

inspect sunrpc

inspect tftp

inspect icmp error

inspect h323 h225

inspect h323 ras

inspect ip-options

inspect rtsp

inspect skinny

inspect icmp

inspect esmtp

service-policy global_policy global

And mainly in the above we are looking to enable the "inspect icmp"

Though in your case the VPN traffic should be allowed through the ASA by default so I am not sure if the inspect ICMP is required.

Also if its possible I would suggest using the "packet-tracer" command when you have the VPN Client connection active. What you should do is check the IP address you get from the ASA for your VPN Client then use it in the below command while also filling the information for the destination host and port

packet-tracer input outside tcp 192.168.2.x 12345 192.168.1.x

packet-tracer input outside icmp 192.168.2.x 8 0 192.168.1.x

- Jouni

No Nat with 9.0(1)

MarcoM — Wed, 26 Jun 2013 14:23:15 GMT

Thanks angain for reply Jouni.

I deleted and recreated the pool PoolVPN and it worked.

Now i have another issue with access to ASDM via vpn remote access.

I set this permission on config:

aaa authentication http console LOCAL

http server enable

http 192.168.1.0 255.255.255.0 inside

http 192.168.2.0 255.255.255.0 inside

but does not work. I also tried to set the outside interface (not inside on http) but without success.

How can I fix?

Thanks.

No Nat with 9.0(1)

Jouni Forss — Wed, 26 Jun 2013 14:32:18 GMT

Hi,

Try adding

management-access inside

This should allow you to access the "inside" interface IP address for management purposes through the VPN connection. Otherwise it would only be possible to use the "outside" IP address for management through VPN Client if the "outside" IP address was forwarded to the VPN client connection also. (Either by using Full Tunnel or adding the IP address to the Split Tunnel perhaps)

Please do remember to mark the reply as the correct answer if it answered your question.

Ask more if needed

- Jouni

No Nat with 9.0(1)

Jouni Forss — Wed, 26 Jun 2013 14:34:20 GMT

Ah,

You seemed to already have the "management-access" command.

This should allow management connections through VPN also using the "inside" IP address of the ASA.

- Jouni

No Nat with 9.0(1)

MarcoM — Wed, 26 Jun 2013 14:36:38 GMT

Right Jouni already have in config command "management-access inside" but does not works, cannot manage ASDM of ASA.

Re: No Nat with 9.0(1)

Jouni Forss — Wed, 26 Jun 2013 14:42:43 GMT

Hi,

It would seem that you have to change the VPN Client to Full Tunnel for this to work

Here is a quote from the Cisco documentation regarding the command "management-access"

This command allows you to connect to an interface other than the one you entered the ASA from when

using a full tunnel IPSec VPN or SSL VPN client (AnyConnect 2.x client, SVC 1.x) or across a

site-to-site IPSec tunnel.

This could be achieved setting the "split-tunnel-policy tunnelall" in the "group-policy"

Hope this helps

Please do remember to mark the reply as the correct answer if it answered your question.

- Jouni

Re: No Nat with 9.0(1)

MarcoM — Wed, 26 Jun 2013 14:54:31 GMT

I have this command in config:

group-policy VpnOut internal

group-policy VpnOut attributes

dns-server value 8.8.8.8

vpn-tunnel-protocol ikev1

split-tunnel-policy tunnelspecified

split-tunnel-network-list value VpnOut_splitTunnelAcl

access-list VpnOut_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0

Re: No Nat with 9.0(1)

MarcoM — Wed, 26 Jun 2013 15:00:45 GMT

i set also full tunnel but does not works.

No Nat with 9.0(1)

Jouni Forss — Wed, 26 Jun 2013 15:38:35 GMT

Hi,

Can you change the NAT configuration a bit and try

no nat (inside,outside) source static LAN LAN destination static PoolVPN PoolVPN no-proxy-arp

nat (inside,outside) source static LAN LAN destination static PoolVPN PoolVPN no-proxy-arp route-lookup

- Jouni

Re: No Nat with 9.0(1)

MarcoM — Wed, 26 Jun 2013 15:44:56 GMT

Thanks Jouni activating "route-lookup" works fine!!!!!! 🙂

Thanks a lot.