topic Anyconnect client can't reach inside network; webvpn-svc implicit deny... in Network Security

Anyconnect client can't reach inside network; webvpn-svc implicit deny...

pheller10 — Mon, 11 Mar 2019 22:09:42 GMT

So, I've set up Anyconnect client access to an ASA-5510.

I've got a handful of interfaces, which contain hosts that should be accesible to anyconnect clients. I'm unable to reach addresses on a specific network, due to what packet-tracer claims is an implicit deny, though I'm unsure where to apply an access-list in this case.

fw1# show nameif

Interface Name Security

Ethernet0/0.205 SECURE 90

Ethernet0/3.666 INTERNET 0

fw1# show int ip br

Interface IP-Address OK? Method Status Protocol

Ethernet0/0.205 10.1.24.1 YES CONFIG up up

Ethernet0/3.666 x.x.x.x YES CONFIG up up

In all cases, my anyconnect session is via the named interface "INTERNET", security-level 0.

From my client, I cannot reach 10.1.24.10. Incidentially, the host filters out ICMP, and is only open on tcp/80.

Can anyone suggest where I should apply an access-list permitting this traffic? I've already applied an inbound access-list to the INTERNET interface permitting all traffic from the pool assigned to the anyconnect clients. (Phase 3)

Or perhaps I've misunderstood entirely!

Any suggestions are appreciated. packet-tracer output below...

Regards,

Phil

fw1# packet-tracer input INTERNET tcp 10.1.6.1 5000 10.1.24.10 80 detailed

Phase: 1

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

Config:

Additional Information:

Found no matching flow, creating a new flow

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in 10.1.24.0 255.255.252.0 SECURE

Phase: 3

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group INTERNET_access_in in interface INTERNET

access-list INTERNET_access_in extended permit ip object-group SITEVPNCLIENT any

object-group network SITEVPNCLIENT

network-object 10.1.6.0 255.255.255.128

Additional Information:

Forward Flow based lookup yields rule:

in id=0xd56823f8, priority=12, domain=permit, deny=false

hits=384, user_data=0xd554ac08, cs_id=0x0, flags=0x0, protocol=0

src ip=10.1.6.0, mask=255.255.255.128, port=0

dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 4

Type: CONN-SETTINGS

Subtype:

Result: ALLOW

Config:

class-map class-default

match any

policy-map global_policy

class class-default

set connection decrement-ttl

service-policy global_policy global

Additional Information:

Forward Flow based lookup yields rule:

in id=0xd61a0308, priority=7, domain=conn-set, deny=false

hits=1359, user_data=0xd619d118, cs_id=0x0, flags=0x0, protocol=0

src ip=0.0.0.0, mask=0.0.0.0, port=0

dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 5

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in id=0xd55fdfe0, priority=0, domain=permit-ip-option, deny=true

hits=203456, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

src ip=0.0.0.0, mask=0.0.0.0, port=0

dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 6

Type: CP-PUNT

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in id=0xd616b8c0, priority=79, domain=punt, deny=true

hits=21, user_data=0xd4e82e08, cs_id=0x0, flags=0x0, protocol=0

src ip=10.1.6.1, mask=255.255.255.255, port=0

dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 7

Type: WEBVPN-SVC

Subtype: in

Result: DROP

Config:

Additional Information:

Forward Flow based lookup yields rule:

in id=0xd51eac48, priority=70, domain=svc-ib-tunnel-flow, deny=false

hits=83, user_data=0x5000, cs_id=0x0, reverse, flags=0x0, protocol=0

src ip=10.1.6.1, mask=255.255.255.255, port=0

dst ip=0.0.0.0, mask=0.0.0.0, port=0

Result:

input-interface: INTERNET

input-status: up

input-line-status: up

output-interface: SECURE

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

Re: Anyconnect client can't reach inside network; webvpn-svc imp

Julio Carvajal — Wed, 04 Jan 2012 03:47:42 GMT

Hello ,

Can you post the ASA configuration.

Just to let you know as soon as the ASA has configured the sysopt connection permit-vpn you do not need an ACL to allow inbound connections from a tunnel.

Julio

Re: Anyconnect client can't reach inside network; webvpn-svc imp

pheller10 — Wed, 04 Jan 2012 04:31:19 GMT

It's no problem for me to share smaller pieces of the configuration, but to post the whole thing, I'll need to get some approval.

In the mean time, is there anything else I might look for, or any smaller parts of the configuration that might help?

Regards,

--phil

Re: Anyconnect client can't reach inside network; webvpn-svc imp

Julio Carvajal — Wed, 04 Jan 2012 06:10:16 GMT

Hello,

I would like to see the nat for the vpn traffic, the tunnel group , connection profile and webvpn configuration??

Hope to hear from you soon...

Julio

Anyconnect client can't reach inside network; webvpn-svc implici

pheller10 — Wed, 11 Jan 2012 23:11:17 GMT

Alright, I've got authorization to share the config. Pleaes find it below. Thanks so much for your assistance.

Regards,

--phil

fw1# show run

: Saved

ASA Version 8.0(3)6

hostname fw1

enable password REDACTED encrypted

passwd REDACTED encrypted

names

name x.x.x.x ISP-PUBLIC-ALLOCATION

interface Ethernet0/0

no nameif

no security-level

no ip address

interface Ethernet0/0.200

vlan 200

nameif CORP

security-level 80

ip address 10.1.4.1 255.255.254.0

interface Ethernet0/0.201

vlan 201

nameif BMS

security-level 100

ip address 10.1.8.1 255.255.252.0

interface Ethernet0/0.202

vlan 202

nameif SEC

security-level 100

ip address 10.1.12.1 255.255.252.0

interface Ethernet0/0.203

vlan 203

nameif VOIP

security-level 80

ip address 10.1.16.1 255.255.252.0

interface Ethernet0/0.204

vlan 204

nameif GUEST

security-level 10

ip address 10.1.20.1 255.255.255.0

interface Ethernet0/0.205

vlan 205

nameif SECURE

security-level 90

ip address 10.1.24.1 255.255.252.0

interface Ethernet0/0.206

vlan 206

nameif MGMT

security-level 90

ip address 10.1.0.1 255.255.252.0

interface Ethernet0/0.207

vlan 207

nameif SERVER

security-level 85

ip address 10.1.7.1 255.255.255.128

interface Ethernet0/0.600

vlan 600

nameif CUSTOMER

security-level 20

ip address 10.1.21.1 255.255.255.0

interface Ethernet0/1

no nameif

no security-level

no ip address

interface Ethernet0/1.311

vlan 311

nameif MOD1BMS

security-level 100

ip address 10.1.144.1 255.255.252.0

interface Ethernet0/1.312

vlan 312

nameif MOD1SEC

security-level 100

ip address 10.1.148.1 255.255.252.0

interface Ethernet0/2

shutdown

no nameif

security-level 0

no ip address

interface Ethernet0/3

no nameif

no security-level

no ip address

interface Ethernet0/3.666

vlan 666

nameif INTERNET

security-level 0

ip address y.y.y.y 255.255.255.248

interface Ethernet0/3.667

vlan 667

nameif PUBDMZ

security-level 5

ip address x.x.x.x 255.255.255.0

interface Management0/0

shutdown

no nameif

no security-level

no ip address

ftp mode passive

same-security-traffic permit intra-interface

object-group network CORP

network-object 10.1.4.0 255.255.254.0

object-group network MOD1BMS

network-object 10.1.144.0 255.255.252.0

object-group network VPNCLIENT

network-object 10.1.6.0 255.255.255.128

object-group network SITE

network-object 10.1.0.0 255.255.0.0

object-group network SERVER

network-object 10.1.7.0 255.255.255.128

object-group network PUBDMZ

network-object ISP-PUBLIC-ALLOCATION 255.255.255.0

object-group network SEC

network-object 10.1.12.0 255.255.252.0

object-group service TAP

service-object tcp-udp range 161 162

service-object tcp-udp range 10161 10162

service-object tcp eq www

service-object tcp eq https

object-group network TAP_ACCESS

network-object host zz.zz.zz.zz

object-group network SECURE

network-object 10.1.24.0 255.255.252.0

access-list CORP_access_in extended permit ip any any

access-list vpn-split-tunnel standard permit 10.1.0.0 255.255.0.0

access-list nat-exclude_CORP extended permit ip object-group CORP object-group VPNCLIENT

access-list nat-exclude_CORP extended permit ip object-group VPNCLIENT object-group CORP

access-list SERVER_access_out extended permit icmp object-group CORP object-group SERVER

access-list SERVER_access_out extended permit tcp object-group CORP object-group SERVER eq https

access-list SERVER_access_out extended permit ip object-group CORP object-group SERVER

access-list MOD1BMS_out extended permit icmp object-group CORP object-group MOD1BMS

access-list MOD1BMS_out extended permit tcp object-group CORP object-group MOD1BMS eq www

access-list MOD1BMS_out extended permit tcp object-group CORP object-group MOD1BMS eq 1911

access-list INTERNET_access_in extended permit ip object-group TAP_ACCESS host x.x.x.x

access-list INTERNET_access_in extended permit ip object-group VPNCLIENT any

access-list ANY_IP extended permit ip any any

access-list SEC_access_out extended permit tcp object-group CORP object-group SEC eq 3389

access-list nat-execlude_SEC extended permit ip object-group SEC object-group CORP

pager lines 24

logging enable

logging timestamp

logging monitor informational

logging buffered informational

mtu CORP 1500

mtu BMS 1500

mtu SEC 1500

mtu VOIP 1500

mtu GUEST 1500

mtu SECURE 1500

mtu MGMT 1500

mtu SERVER 1500

mtu CUSTOMER 1500

mtu MOD1BMS 1500

mtu MOD1SEC 1500

mtu INTERNET 1500

mtu PUBDMZ 1500

ip local pool ssl-vpn 10.1.6.1-10.1.6.127 mask 255.255.255.128

icmp unreachable rate-limit 10 burst-size 5

icmp permit any MOD1BMS

icmp permit any INTERNET

icmp permit any PUBDMZ

asdm image disk0:/asdm-61551.bin

no asdm history enable

arp timeout 14400

global (INTERNET) 1 interface

nat (CORP) 0 access-list nat-exclude_CORP

nat (CORP) 1 0.0.0.0 0.0.0.0

nat (SEC) 0 access-list nat-execlude_SEC

nat (VOIP) 1 0.0.0.0 0.0.0.0

nat (GUEST) 1 0.0.0.0 0.0.0.0

nat (CUSTOMER) 1 0.0.0.0 0.0.0.0

static (SECURE,INTERNET) x.x.x.x 10.1.24.10 netmask 255.255.255.255

static (CORP,INTERNET) x.x.x.x 10.1.4.10 netmask 255.255.255.255

access-group CORP_access_in in interface CORP

access-group SEC_access_out out interface SEC

access-group SERVER_access_out out interface SERVER

access-group MOD1BMS_out out interface MOD1BMS

access-group INTERNET_access_in in interface INTERNET

route INTERNET 0.0.0.0 0.0.0.0 y.y.y.y 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

aaa authentication telnet console LOCAL

aaa authentication serial console LOCAL

aaa authentication ssh console LOCAL

http server enable

http 10.1.6.0 255.255.255.0 MGMT

http 10.1.4.0 255.255.255.0 CORP

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet 10.1.0.0 255.255.252.0 MGMT

telnet timeout 5

ssh 10.1.4.0 255.255.252.0 CORP

ssh 10.1.6.0 255.255.255.0 MGMT

ssh x.x.x.x 255.255.255.255 INTERNET

ssh timeout 5

console timeout 0

management-access MGMT

dhcpd address 10.1.4.10-10.1.4.254 CORP

dhcpd dns z.z.z.z interface CORP

dhcpd enable CORP

dhcpd address 10.1.16.10-10.1.16.254 VOIP

dhcpd dns z.z.z.z interface VOIP

dhcpd enable VOIP

dhcpd address 10.1.20.10-10.1.20.254 GUEST

dhcpd dns z.z.z.z interface GUEST

dhcpd enable GUEST

dhcpd address 10.1.21.10-10.1.21.254 CUSTOMER

dhcpd dns z.z.z.z interface CUSTOMER

dhcpd enable CUSTOMER

threat-detection basic-threat

threat-detection statistics access-list

webvpn

enable INTERNET

svc image disk0:/anyconnect-macosx-i386-2.3.0185-k9.pkg 2

svc image disk0:/anyconnect-win-2.3.0185-k9.pkg 3

svc enable

tunnel-group-list enable

group-policy ssl-vpn internal

group-policy ssl-vpn attributes

dns-server value z.z.z.z

vpn-tunnel-protocol svc

split-tunnel-policy tunnelspecified

split-tunnel-network-list value vpn-split-tunnel

address-pools value ssl-vpn

username user1 password REDACTED encrypted

username user1 attributes

service-type admin

username user2 password REDACTED encrypted

username user2 attributes

vpn-group-policy ssl-vpn

vpn-idle-timeout 60

vpn-session-timeout 1440

username user3 password REDACTED encrypted

username user3 attributes

vpn-group-policy ssl-vpn

vpn-idle-timeout 60

vpn-session-timeout 1440

username user4 password REDACTED encrypted

username user4 attributes

vpn-group-policy ssl-vpn

vpn-idle-timeout 60

vpn-session-timeout 1440

tunnel-group ssl-vpn type remote-access

tunnel-group ssl-vpn general-attributes

default-group-policy ssl-vpn

tunnel-group ssl-vpn webvpn-attributes

group-alias ssl-vpn enable

class-map ANY_IP

match access-list ANY_IP

class-map inspection_default

match default-inspection-traffic

policy-map global_policy

class inspection_default

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect sip

inspect netbios

inspect tftp

inspect icmp

inspect xdmcp

inspect icmp error

class class-default

set connection decrement-ttl

policy-map 2_MBPS_BIDIRECTIONAL

class ANY_IP

police output 2000000

police input 2000000

service-policy global_policy global

service-policy 2_MBPS_BIDIRECTIONAL interface GUEST

prompt hostname context

Anyconnect client can't reach inside network; webvpn-svc implici

Julio Carvajal — Thu, 12 Jan 2012 00:00:29 GMT

Hello Pheller,

Can you try the following:

object-group network Local_4_VPN

network-object 10.1.0.0 255.255.255.0

clear configure access-list nat-exclude_CORP

no access-list nat-exclude_CORP extended permit ip object-group CORP object-group VPNCLIENT

no access-list nat-exclude_CORP extended permit ip object-group VPNCLIENT object-group CORP

access-list nat-exclude_Local_4_vpn permit ip object-group Local-4-VPN object-group VPNCLIENT

nat (CORP) 0 access-list nat-exclude_local_4_vpn

And try it again, are you able to connect with the VPN anyconnect client?

Where does the connection stops?

Regards,

Julio

Anyconnect client can't reach inside network; webvpn-svc implici

pheller10 — Mon, 16 Jan 2012 01:41:17 GMT

Ok, so the problem was accessing 10.1.24.10 (nameif SECURE) from 10.1.6.* (Anyconnect client coming inbound from nameif INTERNET).

Your suggestion, while not applicable to the right named interface, definitely put me on the right track.

I configured a nat exclusion for the right named interface, as follows:

object-group network SECURE

network-object 10.1.24.0 255.255.255.0

access-list nat-exclude_SECURE extended permit ip object-group SECURE object-group VPNCLIENT

nat (SECURE) 0 access-list nat-exclude_SECURE

I had previously configured "no nat-control", which I understood to mean that nat rules were not needed when simply configuring access between networks? I've obviously mis-understood. Now I'm not exctly sure what "no nat-control" is supposed to do.

Anyconnect client can't reach inside network; webvpn-svc implici

Julio Carvajal — Mon, 16 Jan 2012 07:00:07 GMT

Hello,

Great I could help!

Regarding nat control: this is going to make the ASA to only accept connections that have a translation rule configured, so in order for a packet to traverse a ASA interface it needs to hit a nat rule on your configuration.

With no nat control you do not need a nat statement for a packet to traverse the ASA.

Regards,

Please mark question as answered if there is nothing else we cant do otherwise just let me know 😃

Julio