topic Re: ASA nat error while setting anyconnect in Network Security

ASA nat error while setting anyconnect

saids3 — Fri, 21 Feb 2020 17:55:15 GMT

Hello -
I have ASA5506 configured as BVI -

I have tried to setup the anyconnect through the ASDM but I’m getting nat error

please see the attached snapshot from ASA,,

i have tried to add nat (inside,outside) 1 source static but still getting the same error.

Re: ASA nat error while setting anyconnect

Muhammad Zahid — Fri, 14 Feb 2020 19:12:05 GMT

You can try through CLI, copy all commands with OK status and execute it through Command Line, secondly your NAT seems to be incorrect, you need to nat your source nat pool with required network that need to be allow for vpn users. Plus tyr nat(inside, any) rather (inside, outside)

Something like:

nat (inside,any) source Remote_VPN_Pool Remote_VPN_Pool destination static Allowed_Network4RemoteVPN Allowed_Network4RemoteVPN

Re: ASA nat error while setting anyconnect

saids3 — Sat, 15 Feb 2020 04:21:18 GMT

Thank you for the reply,

I have done nat (inside, any) and it doesn’t like it, because the main interface or the inside network is set as BVI.

I have tried to follow different tutorials to change the BVI but I lose the connection.

Re: ASA nat error while setting anyconnect

saids3 — Sat, 15 Feb 2020 04:24:58 GMT

Here is my configuration —

interface GigabitEthernet1/1
nameif outside
security-level 0
ip address dhcp setroute
!
interface GigabitEthernet1/2
bridge-group 1
nameif inside_1
security-level 100
!
interface GigabitEthernet1/3
bridge-group 1
nameif inside_2
security-level 100
!
interface GigabitEthernet1/4
bridge-group 1
nameif inside_3
security-level 100
!
interface GigabitEthernet1/5
bridge-group 1
nameif inside_4
security-level 100
!
interface GigabitEthernet1/6
bridge-group 1
nameif inside_5
security-level 100
!
interface GigabitEthernet1/7
bridge-group 1
nameif inside_6
security-level 100
!
interface GigabitEthernet1/8
bridge-group 1
nameif inside_7
security-level 100
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
interface BVI1
nameif inside
security-level 100
ip address 10.209.111.1 255.255.255.0
!
ftp mode passive
clock timezone GST 4
dns server-group DefaultDNS
domain-name omsaid.org
same-security-traffic permit inter-interface
object network obj_any1
subnet 0.0.0.0 0.0.0.0
object network obj_any2
subnet 0.0.0.0 0.0.0.0
object network obj_any3
subnet 0.0.0.0 0.0.0.0
object network obj_any4
subnet 0.0.0.0 0.0.0.0
object network obj_any5
subnet 0.0.0.0 0.0.0.0
object network obj_any6
subnet 0.0.0.0 0.0.0.0
object network obj_any7
subnet 0.0.0.0 0.0.0.0
object network INSIDE-NET
subnet 10.209.111.0 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside_1 1500
mtu inside_2 1500
mtu inside_3 1500
mtu inside_4 1500
mtu inside_5 1500
mtu inside_6 1500
mtu inside_7 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
!
object network obj_any1
nat (inside_1,outside) dynamic interface
object network obj_any2
nat (inside_2,outside) dynamic interface
object network obj_any3
nat (inside_3,outside) dynamic interface
object network obj_any4
nat (inside_4,outside) dynamic interface
object network obj_any5
nat (inside_5,outside) dynamic interface
object network obj_any6
nat (inside_6,outside) dynamic interface
object network obj_any7
nat (inside_7,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 192.168.100.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication login-history
http server enable
http 10.209.111.0 255.255.255.0 inside_1
http 10.209.111.0 255.255.255.0 inside_2
http 10.209.111.0 255.255.255.0 inside_3
http 10.209.111.0 255.255.255.0 inside_4
http 10.209.111.0 255.255.255.0 inside_5
http 10.209.111.0 255.255.255.0 inside_6
http 10.209.111.0 255.255.255.0 inside_7
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint _SmartCallHome_ServerCA
no validation-usage
crl configure
crypto ca trustpool policy
crypto ca certificate chain _SmartCallHome_ServerCA
telnet timeout 5
ssh stricthostkeycheck
ssh 10.209.111.0 255.255.255.0 outside
ssh timeout 30
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd dns 208.67.222.222 208.67.220.220
dhcpd auto_config outside
dhcpd option 3 ip 10.209.111.1
!
dhcpd address 10.209.111.5-10.209.111.254 inside
dhcpd enable inside
!
dhcprelay timeout 60
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
username alsalms3 password $sha512$5000$JAmH3nmkA06ht3p0TtN7sw==$xS2KI5HJ92hyBb9ja7iM8A== pbkdf2 privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect http
!
service-policy global_policy global
prompt hostname context

Re: ASA nat error while setting anyconnect

Rob Ingram — Sat, 15 Feb 2020 10:04:23 GMT

HI,

You would need to define the NAT rules for ecah interface, e.g:-

nat (inside_1,outside) source static any any destination NETWORK_OBJ_10.209.167.0 NETWORK_OBJ_10.209.167.0 no-proxy-arp route-lookup
nat (inside_2,outside) source static any any destination NETWORK_OBJ_10.209.167.0 NETWORK_OBJ_10.209.167.0 no-proxy-arp route-lookup

Alternatively instead of defining a NAT rule for each, you could replace the source with "any", this would cover all source inside interfaces.....thus having only 1 nat rule.

nat (any,outside) source static any any destination NETWORK_OBJ_10.209.167.0 NETWORK_OBJ_10.209.167.0 no-proxy-arp route-lookup

HTH

Re: ASA nat error while setting anyconnect

saids3 — Sat, 15 Feb 2020 19:23:55 GMT

Appreciate your support,
Please see my current configuration, still not able to get anyconnect to work!

names
ip local pool AC-POOL 10.209.190.3-10.209.190.50 mask 255.255.255.0

!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address dhcp setroute
!
interface GigabitEthernet1/2
bridge-group 1
nameif inside_1
security-level 100
!
interface GigabitEthernet1/3
bridge-group 1
nameif inside_2
security-level 100
!
interface GigabitEthernet1/4
bridge-group 1
nameif inside_3
security-level 100
!
interface GigabitEthernet1/5
bridge-group 1
nameif inside_4
security-level 100
!
interface GigabitEthernet1/6
bridge-group 1
nameif inside_5
security-level 100
!
interface GigabitEthernet1/7
bridge-group 1
nameif inside_6
security-level 100
!
interface GigabitEthernet1/8
bridge-group 1
nameif inside_7
security-level 100
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
interface BVI1
nameif inside
security-level 100
ip address 10.206.167.1 255.255.255.0
!
ftp mode passive
dns server-group DefaultDNS
domain-name omsaid.org
object network obj_any1
subnet 0.0.0.0 0.0.0.0
object network obj_any2
subnet 0.0.0.0 0.0.0.0
object network obj_any3
subnet 0.0.0.0 0.0.0.0
object network obj_any4
subnet 0.0.0.0 0.0.0.0
object network obj_any5
subnet 0.0.0.0 0.0.0.0
object network obj_any6
subnet 0.0.0.0 0.0.0.0
object network obj_any7
subnet 0.0.0.0 0.0.0.0
object network INSIDE-NET
subnet 10.206.167.0 255.255.255.0
object network NETWORK_OBJ_10.209.190.0_26
subnet 10.209.190.0 255.255.255.192
access-list OUTSIDE-IN extended permit icmp any any echo-reply
access-list OUTSIDE-IN extended deny ip any any log
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside_1 1500
mtu inside_2 1500
mtu inside_3 1500
mtu inside_4 1500
mtu inside_5 1500
mtu inside_6 1500
mtu inside_7 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (any,outside) source static any any destination static NETWORK_OBJ_10.209.190.0_26 NETWORK_OBJ_10.209.190.0_26 no-proxy-arp route-lookup
nat (any,outside) source dynamic any interface
!
object network obj_any1
nat (inside_1,outside) dynamic interface
object network obj_any2
nat (inside_2,outside) dynamic interface
object network obj_any3
nat (inside_3,outside) dynamic interface
object network obj_any4
nat (inside_4,outside) dynamic interface
object network obj_any5
nat (inside_5,outside) dynamic interface
object network obj_any6
nat (inside_6,outside) dynamic interface
object network obj_any7
nat (inside_7,outside) dynamic interface
!
nat (any,outside) after-auto source static any any no-proxy-arp route-lookup inactive
access-group OUTSIDE-IN in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.100.1 1
timeout xlate ‪3:00:00‬
timeout pat-xlate 0:00:30
timeout conn ‪1:00:00‬ half-closed ‪0:10:00‬ udp ‪0:02:00‬ sctp ‪0:02:00‬ icmp 0:00:02
timeout sunrpc ‪0:10:00‬ h323 ‪0:05:00‬ h225 ‪1:00:00‬ mgcp ‪0:05:00‬ mgcp-pat ‪0:05:00‬
timeout sip ‪0:30:00‬ sip_media ‪0:02:00‬ sip-invite ‪0:03:00‬ sip-disconnect ‪0:02:00‬
timeout sip-provisional-media ‪0:02:00‬ uauth ‪0:05:00‬ absolute
timeout tcp-proxy-reassembly ‪0:01:00‬
timeout floating-conn ‪0:00:00‬
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication login-history
http server enable
http 10.206.167.0 255.255.255.0 inside_1
http 10.206.167.0 255.255.255.0 inside_2
http 10.206.167.0 255.255.255.0 inside_3
http 10.206.167.0 255.255.255.0 inside_4
http 10.206.167.0 255.255.255.0 inside_5
http 10.206.167.0 255.255.255.0 inside_6
http 10.206.167.0 255.255.255.0 inside_7
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint _SmartCallHome_ServerCA
no validation-usage
crl configure
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=NM2WCASA1
keypair RSA-ANYCONNECT
crl configure
crypto ca trustpool policy
796d61 7574682e 636f6d2f ‪63707330‬ 2806082b 06010505 07020230
1c1a1a68 7474703a 2f2f7777 772e7379 6d617574 682e636f 6d2f7270 ‪61302906‬
03551d11 04223020 a41e301c 311a3018 06035504 03131153 796d616e ‪74656350‬
4b492d31 2d353334 301d0603 551d0e04 1604145f 60cf6190 55df8443 148a602a
b2f57af4 4318ef30 1f060355 1d230418 ‪30168014‬ 7fd365a7 c2ddecbb f03009f3
4339fa02 af333133 300d0609 2a864886 f70d0101 0b050003 ‪82010100‬ 5e945649
dd8e2d65 f5c13651 b603e3da 9e7319f2 1f59ab58 7e6c2605 2cfa81d7 5c231722
2c3793f7 86ec85e6 b0a3fd1f e232a845 6fe1d9fb b9afd270 a0324265 bf84fe16
2a8f3fc5 a6d6a393 7d43e974 ‪21913528‬ f463e92e edf7f55c 7f4b9ab5 20e90abd
e045100c 14949a5d a5e34b91 e8249b46 4065f422 72cd99f8 8811f5f3 7fe63382
e6a8c57e fed008e2 ‪25580871‬ 68e6cda2 e614de4e 52242dfd e5791353 e75e2f2d
4d1b6d40 15522bf7 ‪87897812‬ 816ed94d aa2d78d4 c22c3d08 5f87919e 1f0eb0de
‪30526486‬ 89aa9d66 9c0e760c 80f274d8 2af8b83a ced7d60f 11be6bab 14f5bd41
a0226389 f1ba0f6f 2963662d 3fac8c72 c5fbc7e4 d40ff23b 4f8c29c7
quit
crypto ca certificate chain ASDM_TrustPoint0
certificate f53a465e
308202ee 308201d6 a0030201 020204f5 89adc2 606e8af2 8e870d7c d354a811 cd1cb86a 3bd54155 31e688c3
c9f31b7d 2239c8d7 ad70040b 241c61f4 7b7176dc 99e03d16 7d1fb444 7bacbd5e
0018aec0 2e38d195 947a60d9 b07432f2 bba5f52d ca3b35b0 6934276b ee064f8b
ed36bda4 318fd4ee c42f9541 584b357f 8aba556f ec67980e 26d82b61 a84be184
791b75e8 48d31e20 441b854b 2822fc0c 241b6aca 975897a4 b8088caa ac3d96f8
cb3a81a3 5a7cafba 3ce12aa6 6c24a0e4 60cbe534 4bc25d9b ecb9f152 4278cc19
a88a0b1d 8aecb019 8f3a26ac 7cc852f2 e75d4765 d13dd086 bbc5c533 ad2d5b96
453296bd 494b8b9e 2c3af010 7e957f07 2f2ab6fa caec4ccd db020301 0001300d
06092a86 4886f70d 01010b05 00038201 01008af9 b17cbe84 f63e90e2 17c16839
97ebf046 b8382dff 6ab34bc6 d7978b0c f5be5279 9419bea4 07a9403b 98b83bd2
2d897d08 e16e92cd 86cec4b6 d678f4c1 4baf30e0 73ae0f49 0b42df44 ‪81119380‬
‪18202130‬ da4f5c9a c5a4a937 f58a9d59 5591990a 1a967827 c4572a15 8209744d
7008b1e5 2f2833ab 857e56fc fb23f17e f28a5f32 ‪86624513‬ 2181897e 2f836518
f0f595fd 7e7d1234 d32d404c bf651a54 7aaaf20f ‪44593370‬ c3f1ca41 01798d9b

quit
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
telnet timeout 5
ssh stricthostkeycheck
ssh 10.209.19.0 255.255.255.0 outside
ssh timeout 30
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd dns 208.67.222.222 208.67.220.220
dhcpd auto_config outside
dhcpd option 3 ip 10.206.167.1
!
dhcpd address 10.206.167.5-10.206.167.254 inside
dhcpd enable inside
!
dhcprelay timeout 60
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 outside
ssl trust-point ASDM_TrustPoint0 inside_1
ssl trust-point ASDM_TrustPoint0 inside_2
ssl trust-point ASDM_TrustPoint0 inside_3
ssl trust-point ASDM_TrustPoint0 inside_4
ssl trust-point ASDM_TrustPoint0 inside_5
ssl trust-point ASDM_TrustPoint0 inside_6
ssl trust-point ASDM_TrustPoint0 inside_7
ssl trust-point ASDM_TrustPoint0 inside
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-4.8.01090-webdeploy-k9.pkg 1
anyconnect enable
tunnel-group-list enable
cache
disable
error-recovery disable
group-policy GroupPolicy_HOME-VPN internal
group-policy GroupPolicy_HOME-VPN attributes
wins-server none
dns-server value 8.8.8.8
vpn-tunnel-protocol ssl-client

dynamic-access-policy-record DfltAccessPolicy
tunnel-group HOME-VPN type remote-access
tunnel-group HOME-VPN general-attributes
address-pool AC-POOL
default-group-policy GroupPolicy_HOME-VPN
tunnel-group HOME-VPN webvpn-attributes
group-alias HOME-VPN enable
!
class-map global-class
match any
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect http
class global-class
sfr fail-open
!
service-policy global_policy global
prompt hostname context
call-home reporting
: end

Re: ASA nat error while setting anyconnect

Rob Ingram — Sat, 15 Feb 2020 19:32:33 GMT

So you obviously entered the command and it appears in the running configuration, so what is the issue exactly?

Re: ASA nat error while setting anyconnect

saids3 — Sat, 15 Feb 2020 19:36:45 GMT

I can’t connect using anyconnect getting error, like wrong or unsupported connection when I put the public IP address

Re: ASA nat error while setting anyconnect

Sheraz.Salim — Sun, 16 Feb 2020 10:58:33 GMT

in your configuration you mentioned you outside next hop is

route outside 0.0.0.0 0.0.0.0 192.168.100.1 1

now this 192.168.100.1.1this is a RFC 1918 address range (I am guessing this is the ISP provider ADSL modem/boradband router etc). you need to log into this device and setup a port-forwarding.

that is the reason you are not able to connect to your anyconnect.

Re: ASA nat error while setting anyconnect

saids3 — Sun, 16 Feb 2020 11:06:40 GMT

Thank you for the reply,,,

which port I should forward

TCP/UDP 8443?

Re: ASA nat error while setting anyconnect

Sheraz.Salim — Sun, 16 Feb 2020 11:28:03 GMT

depends its really up to you. if you setup a port 8443 in that case you have to tell you asa to listen 8443.

crypto ikev2 enable outside client-services port 8443

webvpn
port 8443
enable outside
anyconnect-custom-attr DeferredUpdateAllowed description Indicates if the deferred update feature is enabled or not
anyconnect-custom-attr DeferredUpdateDismissTimeout
dtls port 8443

once port-forwarding is done on ISP device/router than when you test/connect anyconnect your url in anyconnect is like this. https://alpha.acime.com:8443