ASAv configuration not allowing traffic from Outside to Inside interface to access internal host over SSL VPN

JMJr
Level 1

Good evening,

I am a newbie and I am asking if someone can help me with two problems. I am having a headache trying to connect with the VPN client using the Outside interface, and I am trying to access an internal host from the outside over AnyConnect VPN to authenticate using RADIUS.

#1. I have an ASAv in AWS configured with Cisco AnyConnect client. When I use the VPN client to connect to the outside public IP, the client just spins and the ASDM log viewer shows "Deny tcp src Outside <My IP address> dst management by access-group Outside_access_in".

I have configured the webvpn for 'enable Outside' but no luck. Can someone please tell me why this is denied and why it cannot connect via the Outside interface?

#2. I want to authenticate to the internal RADIUS server (10.0.4.132), which I cannot ping... but I can ping the inside interface address, which is 10.0.4.194. The route table shows everything as local or connected except for the static route of 0.0.0.0 0.0.0.0 via 10.0.2.1 (management), which is the GOLR to network 0.0.0.0.

I have posted my config below. Can someone tell me what I have misconfigured and what I need to configure to get this to work?

Thanks.

 

 

name 173.37.145.8 tools.cisco.com
no mac-address auto
ip local pool VPN-POOL 192.168.20.2-192.168.20.252 mask 255.255.255.0
!
interface GigabitEthernet0/0
description AWS Eth1 Outside interface
nameif Outside
security-level 0
ip address 15.200.21.205 255.255.255.240
!
interface GigabitEthernet0/1
description AWS Eth2 Inside interface
nameif Inside
security-level 100
ip address 10.0.4.194 255.255.255.240
!
interface Management0/0
description AWS Eth0
nameif management
security-level 100
ip address dhcp setroute
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
!
object network VPN
subnet 192.168.20.0 255.255.255.0
object network AWS_Inside
subnet 10.0.4.0 255.255.255.0
object network RAD-YUB2
host 10.0.4.132
access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
access-list spit-tunnel standard permit 10.0.4.0 255.255.255.0
access-list vpn-acl extended permit tcp any any
access-list vpn-acl extended permit ip 10.0.4.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list RAD-YUB2 standard permit any4
access-list Outside_access_in remark Auth server and Yubi MFA
access-list Outside_access_in extended permit ip any object RAD-YUB2
pager lines 23
mtu Outside 1500
mtu Inside 1500
mtu management 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 8192
nat (Inside,Outside) source static AWS_Inside AWS_Inside destination static VPN VPN no-proxy-arp
!
object network RAD-YUB2
nat (Inside,Outside) static RAD-YUB2
access-group Outside_access_in in interface Outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
aaa-server RADIUS protocol radius
aaa-server RADIUS (Inside) host 10.0.4.132
timeout 5
key *****
authentication-port 1812
accounting-port 1813
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication login-history
http server enable
http 0.0.0.0 0.0.0.0 management
no snmp-server location
no snmp-server contact

## Crypto omitted for space

telnet timeout 5
ssh stricthostkeycheck
ssh <My IP> 255.255.255.255 management
ssh 0.0.0.0 0.0.0.0 management
ssh timeout 30
ssh version 1 2
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point self-signed Outside
ssl trust-point self-signed Inside
ssl trust-point self-signed management
webvpn
enable Outside
hsts
  enable
  max-age 31536000
  include-sub-domains
  no preload
anyconnect image disk0:/anyconnect-win-4.3.05017-k9.pkg 1
anyconnect image disk0:/anyconnect-macos-4.6.03049-webdeploy-k9.pkg 2
anyconnect enable
tunnel-group-list enable
cache
  disable
error-recovery disable
group-policy GroupPolicy_VPN_users internal
group-policy GroupPolicy_VPN_users attributes
wins-server none
dns-server value 10.0.3.5
vpn-tunnel-protocol ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpn-acl
default-domain value x.com
dynamic-access-policy-record DfltAccessPolicy
username x password x privilege 15
username y password y privilege 15
username x attributes
service-type admin
tunnel-group VPN_users type remote-access
tunnel-group VPN_users general-attributes
address-pool VPN-POOL
authentication-server-group RADIUS
default-group-policy GroupPolicy_VPN_users
tunnel-group VPN_users webvpn-attributes
group-alias VPN_users enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
class inspection_default
  inspect ip-options
  inspect netbios
  inspect rtsp
  inspect sunrpc
  inspect tftp
  inspect xdmcp
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect esmtp
  inspect sqlnet
  inspect sip
  inspect skinny
policy-map type inspect dns migrated_dns_map_2
parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map type inspect dns migrated_dns_map_1
parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
!
service-policy global_policy global
prompt hostname
call-home reporting anonymous
call-home
profile CiscoTAC-1
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
profile License
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination transport-method http
: end

M-ASAv2
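As an added, defender-side check (not from the original post or from Cisco), the script below runs over a constructed excerpt of the config above plus a constructed %ASA-4-106023 line shaped like the ASDM message quoted in the question. It flags the settings a reviewer would query (admin access from 0.0.0.0/0, SSHv1, a wildcard entry in the split-tunnel ACL, and the RADIUS host published on Outside by static NAT) and relates the deny's destination interface to where webvpn is enabled; the client and management addresses in the log line are placeholders.

```python
import re
# Constructed excerpt (not the full dump) of the running-config posted above.
ASA_CONFIG = """\
http 0.0.0.0 0.0.0.0 management
ssh 0.0.0.0 0.0.0.0 management
ssh version 1 2
object network RAD-YUB2
 host 10.0.4.132
access-list vpn-acl extended permit tcp any any
access-list vpn-acl extended permit ip 10.0.4.0 255.255.255.0 192.168.20.0 255.255.255.0
nat (Inside,Outside) static RAD-YUB2
aaa-server RADIUS (Inside) host 10.0.4.132
webvpn
 enable Outside
split-tunnel-network-list value vpn-acl
"""
# Constructed %ASA-4-106023 line in the shape of the ASDM message quoted above (placeholder IPs).
DENY_LOG = ('%ASA-4-106023: Deny tcp src Outside:198.51.100.7/50212 '
            'dst management:10.0.2.25/443 by access-group "Outside_access_in"')

def audit_config(cfg):
    """Flag risky settings; each finding quotes the offending line or objects."""
    findings = []
    for s in (l.strip() for l in cfg.splitlines()):
        if re.match(r"(ssh|http) 0\.0\.0\.0 0\.0\.0\.0 ", s):   # admin access from any source
            findings.append("mgmt open to any source: " + s)
        elif re.match(r"ssh version .*\b1\b", s):               # SSHv1 still offered
            findings.append("SSHv1 enabled: " + s)
    acl = re.search(r"split-tunnel-network-list value (\S+)", cfg)
    if acl:  # 'any any' in the split-tunnel list pushes far more than the inside subnet
        for s in re.findall(r"^access-list %s .*\bany any\b.*$" % re.escape(acl.group(1)), cfg, re.M):
            findings.append("wildcard in split-tunnel ACL: " + s)
    for obj, ip in re.findall(r"object network (\S+)\n host (\S+)", cfg):  # AAA host static-NATed out
        if re.search(r"aaa-server \S+ \(\S+\) host %s\b" % re.escape(ip), cfg) and \
           re.search(r"nat \(\S+,Outside\) static %s\b" % re.escape(obj), cfg):
            findings.append("AAA server %s published on Outside via static NAT object %s" % (ip, obj))
    return findings

def explain_deny(log, cfg):
    """Relate a 106023 (through-the-box ACL deny) to the interfaces where webvpn listens."""
    m = re.search(r'Deny \w+ src (\w+):\S+ dst (\w+):(\S+)/(\d+) by access-group "?([\w-]+)', log)
    if not m:
        return "not a 106023 through-the-box ACL deny"
    ingress, egress, dst_ip, port, acl = m.groups()
    listeners = re.findall(r"^ enable (\S+)$", cfg, re.M)   # 'enable <if>' lines under webvpn
    if egress not in listeners:
        return ("%s:%s was routed through the box from %s toward %s and dropped by %s; "
                "it was never terminated by the webvpn listener on %s" % (dst_ip, port, ingress, egress, acl, listeners))
    return "egress %s has webvpn enabled; look at %s itself" % (egress, acl)
```

A 106023 deny means the ASA treated the packet as through-the-box traffic, so the address the client reached was not an interface address on which webvpn listens.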

 

 

2 Replies

Mike.Cifelli
VIP Alumni
A helpful tool from CLI is the packet tracer tool as it will tell you what is failing (ACL drop/NAT/etc.). An example of using the packet tracer from CLI would be:
#packet-tracer input {INTERFACE} tcp/udp {SRC IP} (src prt (12345)) {DST IP} (dst port())
#packet-tracer input OUTSIDE tcp 1.1.1.1 12345 2.2.2.2 25

I think there may be something wrong with your static NAT: nat (Inside,Outside) static RAD-YUB2
Typically for static nat you need an ACL that will allow the host to initiate connection.
ex: access-list EXAMPLE ext ip host 1.1.1.1 2.2.2.2 255.255.255.0
static (inside, outside) {Mapped IP} access-list EXAMPLE
Good luck & HTH!

venkat_n7
Level 1

That's interesting: you can ping the inside interface on the firewall but not the inside host. Can you cross-verify that the host is tagged to the inside network subnet?

And is "10.0.3.5" an IP that belongs to the management network?

Please rate comments and support
with regards,
Venkat