ASA 5505 8.25 Access to VPN client from outside.

j.eustace — Fri, 21 Feb 2020 16:48:35 GMT

I have an ASA5505 running for some time with remote users able to access the central office LAN / servers etc and also able to connect to the internet via the central office connection. For local printing, these VPN (IPSEC) cleints use printers on their local LANs which connected to the VPN.

All of this works just fine.

I now have a VPN user who is running a test web service on his VPN attached machine. This user is given a fixed IP address by the ASA as the VPN client connects (10.100.2.1). Users on his local office LAN (192.168.1.0/24) can connect to this web service, and users from the central office LANs (10.0.0.0/24,10.0.3.0/24, 10.0.4.0/24) can also access the webservice while he is connected to the VPN. However, the web service is not accessible directly from the internet.

In the central office there are a few other servers which are visible to the internet. These are using static PAT on the ASA with a firewall rule allowing the traffic. I have set up one additional static PAT and firewall rule for the test webservice.

This rule works if I translate the external IP address to an address at the central office network so general internet users can access the service. However, no internet users can access the service if I translate the outside address to the VPN client address (10.100.2.1).

With the limited tools available to me, it appears to be a NAT issue (I recall having had trouble getting the VPN users to access the internet initally but that is resolved using the "same-security..." command. )

I can see that the request to connect to the test server does arrive at the ASA outside interface, and I can see the ACL allowing it in (the counter increments).

However as everything else happens in the ASA (the NAT should convert the destination addr, and then it should be routed to the VPN tunnel) I can't see what is going wrong. Any ideas? (And yes, the ASDM tracer says the packet would be delivered.. )

I attach a picture (saves a thousand words !) of the layout, and the bits of the config which matter:

same-security-traffic permit intra-interface

access-list reachServer extended permit tcp any host (external_firewall_address) eq 81
access-list nonat extended permit ip 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0
access-list stay_local standard permit 192.168.1.0 255.255.255.0

global (outside) 1 interface

nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 1 10.0.0.0 255.0.0.0
static (inside,outside) tcp interface 81 10.100.2.1 8080 netmask 255.255.255.255
access-group reachServer in interface outside

group-policy RA_VPN internal
group-policy RA_VPN attributes
dns-server value 10.0.3.1
vpn-tunnel-protocol IPSec
password-storage enable
split-tunnel-policy excludespecified
split-tunnel-network-list value stay_local
split-tunnel-all-dns enable
username testuser password testpassword privilege 15
tunnel-group RA_VPN type remote-access
tunnel-group RA_VPN general-attributes
address-pool testpool
tunnel-group RA_VPN ipsec-attributes
pre-shared-key test123
!

Re: ASA 5505 8.25 Access to VPN client from outside.

j.eustace — Wed, 13 Feb 2019 17:01:36 GMT

Sorted. It was indeed a NAT issue. The static NAT should read:
static (outside,outside) tcp interface 81 10.100.2.1 8080 netmask 255.255.255.255

Notice the source and destination interfaces are both outside (because the VPN client is via the outside interface too).
I'm a lot of years configuring PIX and ASA and never had to do that before !!

topic Re: ASA 5505 8.25 Access to VPN client from outside. in Network Security

ASA 5505 8.25 Access to VPN client from outside.

Re: ASA 5505 8.25 Access to VPN client from outside.