04-29-2020 06:52 PM
Hello, I use a Cisco ASA 5585 VPN and I am facing an issue with NAT or the firewall. Please help me T_T
Devices get an IP from the VPN ip local pool (20.20.20.0/24) and they should be able to ping a specific server as follows.
Ping from the specific server (20.20.20.50) to the device side (20.20.20.246~) is successful, but the opposite direction fails with the issue described below.
1) Device(20.20.20.246~254) <----- (20.20.20.1) VPN <--------- (20.20.20.50) specific server : success
2) Device(20.20.20.246~254) -----> (20.20.20.1) VPN
: failed with "Failed to locate egress interface for ICMP from outside 20.20.20.246/103 to 20.20.20.1/0"
3) Device(20.20.20.246~254) -----> (20.20.20.1) VPN ---------> (20.20.20.50) specific server
: I tried to ping 20.20.20.50, but there is no packet in ASDM.
The following running configuration is set on my VPN.
ip local pool for_fd 20.20.20.246-20.20.20.254 mask 255.255.255.0
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address dhcp setroute
igmp forward interface AWS
!
interface GigabitEthernet0/1
nameif AWS
security-level 100
ip address 20.20.20.1 255.255.255.0
!
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-752-153.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (AWS,outside) source static NETWORK_OBJ_20.20.20.50 NETWORK_OBJ_20.20.20.50 destination static NETWORK_OBJ_20.20.20.240_28 NETWORK_OBJ_20.20.20.240_28 no-proxy-arp route-lookup
nat (AWS,outside) source static NETWORK_OBJ_20.20.20.50 NETWORK_OBJ_20.20.20.50 destination static NETWORK_OBJ_10.10.0.214 NETWORK_OBJ_10.10.0.214 no-proxy-arp route-lookup
!
nat (any,outside) after-auto source dynamic DM_INLINE_NETWORK_3 interface
nat (AWS,outside) after-auto source static 192.168.2.0 192.168.2.0 destination static NETWORK_OBJ_192.168.2.40_29 NETWORK_OBJ_192.168.2.40_29 no-proxy-arp route-lookup
nat (AWS,outside) after-auto source static any any destination static NETWORK_OBJ_20.20.20.0_26 NETWORK_OBJ_20.20.20.0_26 no-proxy-arp route-lookup
nat (AWS,outside) after-auto source static 20.20.20.0 20.20.20.0 destination static NETWORK_OBJ_20.20.20.50 NETWORK_OBJ_20.20.20.50 no-proxy-arp route-lookup
nat (AWS,outside) after-auto source static any any destination static NETWORK_OBJ_20.20.20.0_24 NETWORK_OBJ_20.20.20.0_24 no-proxy-arp route-lookup
nat (ipv6test,outside) after-auto source static any any destination static NETWORK_OBJ_192.168.2.128_25 NETWORK_OBJ_192.168.2.128_25 no-proxy-arp route-lookup
nat (inside,outside) after-auto source static any any destination static NETWORK_OBJ_20.20.20.0_25 NETWORK_OBJ_20.20.20.0_25 no-proxy-arp route-lookup
nat (jiotrial,outside) after-auto source static 165.213.198.0 165.213.198.0 destination static NETWORK_OBJ_165.213.0.0_24 NETWORK_OBJ_165.213.0.0_24 no-proxy-arp route-lookup
access-group AWS_access_in in interface AWS
access-group AWS_access_out_1 out interface AWS
route S8_LL 10.9.100.0 255.255.255.0 172.20.62.251 1
route jiotrial 10.100.1.0 255.255.255.0 165.213.198.184 1
route S8_LL 33.33.33.0 255.255.255.248 172.20.62.253 1
route CIOT 69.0.0.0 255.240.0.0 167.1.1.1 1
route inside2 77.77.77.0 255.255.255.0 200.200.0.10 1
route inside2 100.3.0.0 255.255.0.0 200.200.0.10 1
route inside 132.132.0.0 255.255.0.0 20.4.1.108 1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 1 match address outside_cryptomap_15
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 218.36.252.2
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 2 match address outside_cryptomap_4
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer 13.126.140.63
crypto map outside_map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 2 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 3 match address outside_cryptomap_2
crypto map outside_map 3 set peer 13.126.140.63
crypto map outside_map 3 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 3 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 4 match address outside_cryptomap_1
crypto map outside_map 4 set peer 13.126.140.63
crypto map outside_map 4 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 4 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 5 match address outside_cryptomap_3
crypto map outside_map 5 set peer 205.172.229.252
crypto map outside_map 5 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 5 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 6 match address outside_cryptomap_7
crypto map outside_map 6 set pfs
crypto map outside_map 6 set peer 13.125.76.33
crypto map outside_map 6 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 6 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 7 match address outside_cryptomap_6
crypto map outside_map 7 set pfs
crypto map outside_map 7 set peer 13.126.68.155
crypto map outside_map 7 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 7 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 8 match address outside_cryptomap_5
crypto map outside_map 8 set peer 203.244.197.254
crypto map outside_map 8 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 8 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 9 match address outside_cryptomap_8
crypto map outside_map 9 set peer 70.50.191.60
crypto map outside_map 9 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 9 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 10 match address outside_cryptomap_9
crypto map outside_map 10 set peer 59.13.32.21
crypto map outside_map 10 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 10 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 11 match address outside_cryptomap_10
crypto map outside_map 11 set peer 12.207.252.67
crypto map outside_map 11 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 11 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map outside_map 11 set security-association lifetime seconds 345600
crypto map outside_map 12 match address outside_cryptomap_11
crypto map outside_map 12 set pfs
crypto map outside_map 12 set peer 13.124.171.223
crypto map outside_map 12 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 12 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 13 match address outside_cryptomap_13
crypto map outside_map 13 set peer 52.141.4.217
crypto map outside_map 14 match address outside_cryptomap_14
crypto map outside_map 14 set peer 34.85.120.241
crypto map outside_map 15 match address outside_cryptomap_12
crypto map outside_map 15 set peer 34.85.120.241
crypto map outside_map 15 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 15 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map outside_map 16 match address outside_cryptomap_18
crypto map outside_map 16 set peer 1.237.186.182
crypto map outside_map 16 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 17 set peer 218.36.252.2
crypto map outside_map 17 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 17 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map outside_map 18 match address outside_cryptomap_17
crypto map outside_map 18 set pfs group5
crypto map outside_map 18 set peer 13.127.71.45
crypto map outside_map 18 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 18 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map siteBpublic_map 1 match address outside_cryptomap
crypto map ATT_SS8_LI_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map ATT_SS8_LI_map interface ATT_SS8_LI
crypto map AWS_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map AWS_map interface AWS
crypto ca trustpoint ASDM_TrustPoint0
tunnel-group mobile_for_fd type remote-access
tunnel-group mobile_for_fd general-attributes
address-pool for_fd
default-group-policy mobile_for_fd
tunnel-group mobile_for_fd ipsec-attributes
ikev1 pre-shared-key *****
04-29-2020 11:51 PM
05-02-2020 06:25 AM
05-02-2020 06:46 AM
05-02-2020 11:27 PM
05-03-2020 04:15 PM - edited 05-04-2020 12:26 AM
Thanks for your kindness!!
Yes, right. After some configuration changes, the AnyConnect user (actually it is a UE) now fails to access the server.
When I tried to ping from the UE (20.20.20.248) to the server (20.20.20.50), there was no packet in the VPN.
However, when I tried to ping from the server (20.20.20.50) to the UE (20.20.20.248), the ping was successful and the packets were present in the VPN.
Please check the following information from the CLI. I think this looks like a NAT issue, as follows: when I tried to ping from the server to the UE with the NAT rule "6 (any) to (outside) source dynamic any interface" in place, it succeeded, but when I disabled this NAT rule, the ping failed even from the server.
So I tried to add a NAT rule (7 (outside) to (AWS) source dynamic any interface) from the UE to the server as follows, but the ping still fails...
Result of the command: "show route"
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 121.137.98.1 to network 0.0.0.0
S* 0.0.0.0 0.0.0.0 [1/0] via 121.137.98.1, outside
S 10.9.100.0 255.255.255.0 [1/0] via 172.20.62.251, AT_S8_L
S 10.100.1.0 255.255.255.0 [1/0] via 165.213.198.184, jiotrial
C 20.20.20.0 255.255.255.0 is directly connected, AWS
L 20.20.20.1 255.255.255.255 is directly connected, AWS
S 20.20.20.248 255.255.255.255 [1/0] via 121.137.98.1, outside
S 33.33.33.0 255.255.255.248 [1/0] via 172.20.62.253, AT_S8_L
C 50.50.50.0 255.255.255.0 is directly connected, DEMO
L 50.50.50.1 255.255.255.255 is directly connected, DEMO
S 69.0.0.0 255.240.0.0 [1/0] via 167.1.1.1, CIOT
C 121.137.98.0 255.255.255.0 is directly connected, outside
L 121.137.98.146 255.255.255.255 is directly connected, outside
C 165.213.198.0 255.255.255.0 is directly connected, jiotrial
L 165.213.198.107 255.255.255.255 is directly connected, jiotrial
C 167.1.1.0 255.255.255.0 is directly connected, CIOT
L 167.1.1.5 255.255.255.255 is directly connected, CIOT
S 172.19.1.0 255.255.255.0 [1/0] via 172.20.62.253, AT_S8_L
S 172.20.2.92 255.255.255.255 [1/0] via 172.20.62.253, AT_S8_L
S 172.20.4.16 255.255.255.255 [1/0] via 172.20.62.253, AT_S8_L
S 172.20.20.0 255.255.252.0 [1/0] via 172.20.62.253, AT_S8_L
S 172.20.21.224 255.255.255.224 [1/0] via 172.20.62.253, AT_S8_L
S 172.20.22.9 255.255.255.255 [1/0] via 172.20.62.253, AT_S8_L
S 172.20.22.10 255.255.255.255 [1/0] via 172.20.62.253, AT_S8_L
S 172.20.22.29 255.255.255.255 [1/0] via 172.20.62.253, AT_S8_L
S 172.20.22.30 255.255.255.255 [1/0] via 172.20.62.253, AT_S8_L
S 172.20.22.82 255.255.255.255 [1/0] via 172.20.62.253, AT_S8_L
S 172.20.22.110 255.255.255.255 [1/0] via 172.20.62.253, AT_S8_L
S 172.20.24.0 255.255.255.0 [1/0] via 172.20.62.253, AT_S8_L
S 172.20.25.0 255.255.255.0 [1/0] via 172.20.62.253, AT_S8_L
S 172.20.28.0 255.255.255.0 [1/0] via 172.20.62.253, AT_S8_L
S 172.20.29.219 255.255.255.255 [1/0] via 172.20.62.253, AT_S8_L
S 172.20.29.229 255.255.255.255 [1/0] via 172.20.62.253, AT_S8_L
S 172.20.32.221 255.255.255.255 [1/0] via 172.20.62.253, AT_S8_L
S 172.20.34.1 255.255.255.255 [1/0] via 172.20.62.253, AT_S8_L
S 172.20.34.3 255.255.255.255 [1/0] via 172.20.62.253, AT_S8_L
S 172.20.41.108 255.255.255.255 [1/0] via 172.20.62.253, AT_S8_L
S 172.20.41.109 255.255.255.255 [1/0] via 172.20.62.253, AT_S8_L
S 172.20.41.110 255.255.255.255 [1/0] via 172.20.62.253, AT_S8_L
S 172.20.42.110 255.255.255.255 [1/0] via 172.20.62.253, AT_S8_L
S 172.20.42.111 255.255.255.255 [1/0] via 172.20.62.253, AT_S8_L
S 172.20.42.112 255.255.255.255 [1/0] via 172.20.62.253, AT_S8_L
S 172.20.43.0 255.255.255.0 [1/0] via 172.20.62.253, AT_S8_L
S 172.20.45.151 255.255.255.255 [1/0] via 172.20.62.253, AT_S8_L
S 172.20.45.152 255.255.255.255 [1/0] via 172.20.62.253, AT_S8_L
S 172.20.45.155 255.255.255.255 [1/0] via 172.20.62.253, AT_S8_L
S 172.20.47.153 255.255.255.255 [1/0] via 172.20.62.253, AT_S8_L
S 172.20.49.0 255.255.255.0 [1/0] via 172.20.62.253, AT_S8_L
S 172.20.53.0 255.255.255.0 [1/0] via 172.20.62.253, AT_S8_L
S 172.20.62.0 255.255.255.0 [1/0] via 172.20.62.253, AT_S8_L
C 172.20.62.248 255.255.255.248 is directly connected, AT_S8_L
L 172.20.62.254 255.255.255.255 is directly connected, AT_S8_L
S 172.20.65.0 255.255.255.0 [1/0] via 172.20.62.253, AT_S8_L
S 172.20.73.12 255.255.255.255 [1/0] via 172.20.62.253, AT_S8_L
S 172.20.73.13 255.255.255.255 [1/0] via 172.20.62.253, AT_S8_L
S 172.21.1.138 255.255.255.255 [1/0] via 172.20.62.253, AT_S8_L
S 172.21.5.140 255.255.255.255 [1/0] via 172.20.62.253, AT_S8_L
S 172.21.21.18 255.255.255.255 [1/0] via 172.20.62.253, AT_S8_L
S 172.21.21.89 255.255.255.255 [1/0] via 172.20.62.253, AT_S8_L
S 172.21.21.124 255.255.255.255 [1/0] via 172.20.62.253, AT_S8_L
S 172.21.21.131 255.255.255.255 [1/0] via 172.20.62.253, AT_S8_L
S 172.21.21.134 255.255.255.255 [1/0] via 172.20.62.253, AT_S8_L
S 172.21.21.135 255.255.255.255 [1/0] via 172.20.62.253, AT_S8_L
S 172.21.21.146 255.255.255.255 [1/0] via 172.20.62.253, AT_S8_L
S 172.21.24.186 255.255.255.255 [1/0] via 172.20.62.253, AT_S8_L
S 172.21.24.189 255.255.255.255 [1/0] via 172.20.62.253, AT_S8_L
S 172.21.28.0 255.255.255.0 [1/0] via 172.20.62.253, AT_S8_L
S 172.21.28.77 255.255.255.255 [1/0] via 172.20.62.253, AT_S8_L
S 172.21.32.82 255.255.255.255 [1/0] via 172.20.62.253, AT_S8_L
S 172.21.32.89 255.255.255.255 [1/0] via 172.20.62.253, AT_S8_L
S 172.22.20.0 255.255.252.0 [1/0] via 172.20.62.253, AT_S8_L
S 172.22.32.0 255.255.255.0 [1/0] via 172.20.62.253, AT_S8_L
S 172.22.33.138 255.255.255.255 [1/0] via 172.20.62.253, AT_S8_L
S 172.23.20.101 255.255.255.255 [1/0] via 172.20.62.253, AT_S8_L
S 172.23.20.104 255.255.255.255 [1/0] via 172.20.62.253, AT_S8_L
S 172.23.45.51 255.255.255.255 [1/0] via 172.20.62.253, AT_S8_L
S 172.23.45.52 255.255.255.255 [1/0] via 172.20.62.253, AT_S8_L
S 172.23.45.120 255.255.255.255 [1/0] via 172.20.62.253, AT_S8_L
S 172.23.45.121 255.255.255.255 [1/0] via 172.20.62.253, AT_S8_L
S 172.23.45.122 255.255.255.255 [1/0] via 172.20.62.253, AT_S8_L
Result of the command: "show run nat"
nat (jiotrial,outside) source dynamic DM_INLINE_NETWORK_20 interface
nat (AT_S8,AT_S8) source static any any destination static NETWORK_OBJ_20.20.20.230_31 NETWORK_OBJ_20.20.20.230_31 no-proxy-arp route-lookup inactive
nat (AT_S8,outside) source static any any destination static NETWORK_OBJ_20.20.20.246_31 NETWORK_OBJ_20.20.20.246_31 no-proxy-arp route-lookup inactive
nat (AT_S8,outside) source static any any destination static NETWORK_OBJ_20.20.20.248_29 NETWORK_OBJ_20.20.20.248_29 no-proxy-arp route-lookup inactive
nat (AT_S8,outside) source static any any destination static NETWORK_OBJ_20.20.20.240_28 NETWORK_OBJ_20.20.20.240_28 no-proxy-arp route-lookup inactive
nat (any,outside) source dynamic any interface // if this rule does not exist, the ping from server to UE also fails.
nat (outside,AWS) source dynamic any interface // so I think this is the main point for resolving the UE-to-server ping failure.
!
nat (any,outside) after-auto source dynamic DM_INLINE_NETWORK_3 interface
nat (AWS,outside) after-auto source static 192.168.2.0 192.168.2.0 destination static NETWORK_OBJ_192.168.2.40_29 NETWORK_OBJ_192.168.2.40_29 no-proxy-arp route-lookup
nat (AWS,outside) after-auto source static NETWORK_OBJ_20.20.20.50 NETWORK_OBJ_20.20.20.50 destination static NETWORK_OBJ_20.20.20.246_31 NETWORK_OBJ_20.20.20.246_31 no-proxy-arp inactive
nat (inside,outside) after-auto source static any any destination static NETWORK_OBJ_20.20.20.0_25 NETWORK_OBJ_20.20.20.0_25 no-proxy-arp route-lookup
nat (jiotrial,outside) after-auto source static 165.213.198.0 165.213.198.0 destination static NETWORK_OBJ_165.213.0.0_24 NETWORK_OBJ_165.213.0.0_24 no-proxy-arp route-lookup
nat (AT_S8,outside) after-auto source static any any destination static NETWORK_OBJ_20.20.20.0_26 NETWORK_OBJ_20.20.20.0_26 no-proxy-arp route-lookup
nat (AT_S8,outside) after-auto source static any any destination static NETWORK_OBJ_172.20.62.224_29 NETWORK_OBJ_172.20.62.224_29 no-proxy-arp route-lookup
nat (AT_S8,outside) after-auto source static any any destination static NETWORK_OBJ_172.20.62.232_29 NETWORK_OBJ_172.20.62.232_29 no-proxy-arp route-lookup
nat (AT_S8,outside) after-auto source static any any destination static NETWORK_OBJ_20.20.20.160_27 NETWORK_OBJ_20.20.20.160_27 no-proxy-arp route-lookup
nat (AT_S8,outside) after-auto source static any any destination static NETWORK_OBJ_20.20.20.128_25 NETWORK_OBJ_20.20.20.128_25 no-proxy-arp route-lookup
nat (AT_S8,outside) after-auto source static any any destination static NETWORK_OBJ_172.20.38.4_30 NETWORK_OBJ_172.20.38.4_30 no-proxy-arp route-lookup
nat (AT_S8,outside) after-auto source static any any destination static NETWORK_OBJ_20.20.21.0_25 NETWORK_OBJ_20.20.21.0_25 no-proxy-arp route-lookup
nat (AT_S8,outside) after-auto source static any any destination static NETWORK_OBJ_172.20.38.32_28 NETWORK_OBJ_172.20.38.32_28 no-proxy-arp route-lookup
nat (AT_S8,outside) after-auto source static any any destination static NETWORK_OBJ_172.20.38.48_28 NETWORK_OBJ_172.20.38.48_28 no-proxy-arp route-lookup
nat (AT_S8,outside) after-auto source static any any destination static NETWORK_OBJ_20.20.20.220_30 NETWORK_OBJ_20.20.20.220_30 no-proxy-arp route-lookup
nat (AT_S8,outside) after-auto source static any any destination static NETWORK_OBJ_172.20.38.64_29 NETWORK_OBJ_172.20.38.64_29 no-proxy-arp route-lookup
nat (AT_S8,outside) after-auto source static any any destination static NETWORK_OBJ_20.20.20.230_31 NETWORK_OBJ_20.20.20.230_31 no-proxy-arp route-lookup
nat (AT_S8,outside) after-auto source static any any destination static NETWORK_OBJ_20.20.22.0_29 NETWORK_OBJ_20.20.22.0_29 no-proxy-arp route-lookup
nat (AT_S8,outside) after-auto source static any any destination static NETWORK_OBJ_20.20.22.0_28 NETWORK_OBJ_20.20.22.0_28 no-proxy-arp route-lookup
nat (AT_S8,outside) after-auto source static any any destination static NETWORK_OBJ_172.20.38.80_28 NETWORK_OBJ_172.20.38.80_28 no-proxy-arp route-lookup
nat (AT_S8,outside) after-auto source static any any destination static NETWORK_OBJ_20.20.20.224_27 NETWORK_OBJ_20.20.20.224_27 no-proxy-arp route-lookup
nat (AT_S8,outside) after-auto source static any any destination static NETWORK_OBJ_172.20.38.96_27 NETWORK_OBJ_172.20.38.96_27 no-proxy-arp route-lookup
nat (AT_S8,outside) after-auto source static any any destination static NETWORK_OBJ_172.20.62.240_29 NETWORK_OBJ_172.20.62.240_29 no-proxy-arp route-lookup
nat (AT_S8,outside) after-auto source static any any destination static NETWORK_OBJ_165.213.107.0_24 NETWORK_OBJ_165.213.107.0_24 no-proxy-arp route-lookup
Result of the command: "show run all sysopt"
no sysopt traffic detailed-statistics
no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
sysopt connection permit-vpn
sysopt connection reclassify-vpn
no sysopt connection preserve-vpn-flows
no sysopt radius ignore-secret
no sysopt noproxyarp outside
no sysopt noproxyarp AWS
no sysopt noproxyarp jiotrial
no sysopt noproxyarp CIOT
no sysopt noproxyarp ipv6test
no sysopt noproxyarp inside2
no sysopt noproxyarp AT_S8_L
no sysopt noproxyarp DEMO
no sysopt noproxyarp management
no sysopt noproxyarp inside9
no sysopt noproxyarp inside
Result of the command: "show nat"
Manual NAT Policies (Section 1)
1 (jiotrial) to (outside) source dynamic DM_INLINE_NETWORK_20 interface
translate_hits = 4022, untranslate_hits = 1
2 (AT_S8) to (AT_S8) source static any any destination static NETWORK_OBJ_20.20.20.230_31 NETWORK_OBJ_20.20.20.230_31 no-proxy-arp route-lookup inactive
translate_hits = 0, untranslate_hits = 0
3 (AT_S8) to (outside) source static any any destination static NETWORK_OBJ_20.20.20.246_31 NETWORK_OBJ_20.20.20.246_31 no-proxy-arp route-lookup inactive
translate_hits = 0, untranslate_hits = 0
4 (AT_S8) to (outside) source static any any destination static NETWORK_OBJ_20.20.20.248_29 NETWORK_OBJ_20.20.20.248_29 no-proxy-arp route-lookup inactive
translate_hits = 0, untranslate_hits = 0
5 (AT_S8) to (outside) source static any any destination static NETWORK_OBJ_20.20.20.240_28 NETWORK_OBJ_20.20.20.240_28 no-proxy-arp route-lookup inactive
translate_hits = 0, untranslate_hits = 0
6 (any) to (outside) source dynamic any interface // When I tried to ping from Server to UE, this count increased
translate_hits = 36969, untranslate_hits = 54
7 (outside) to (AWS) source dynamic any interface // When I tried to ping from UE to server, this count increased
translate_hits = 16, untranslate_hits = 0
Manual NAT Policies (Section 3)
1 (any) to (outside) source dynamic DM_INLINE_NETWORK_3 interface
translate_hits = 0, untranslate_hits = 0
2 (AWS) to (outside) source static 192.168.2.0 192.168.2.0 destination static NETWORK_OBJ_192.168.2.40_29 NETWORK_OBJ_192.168.2.40_29 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
3 (AWS) to (outside) source static NETWORK_OBJ_20.20.20.50 NETWORK_OBJ_20.20.20.50 destination static NETWORK_OBJ_20.20.20.246_31 NETWORK_OBJ_20.20.20.246_31 no-proxy-arp inactive
translate_hits = 0, untranslate_hits = 0
4 (inside) to (outside) source static any any destination static NETWORK_OBJ_20.20.20.0_25 NETWORK_OBJ_20.20.20.0_25 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
5 (jiotrial) to (outside) source static 165.213.198.0 165.213.198.0 destination static NETWORK_OBJ_165.213.0.0_24 NETWORK_OBJ_165.213.0.0_24 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
6 (AT_S8) to (outside) source static any any destination static NETWORK_OBJ_20.20.20.0_26 NETWORK_OBJ_20.20.20.0_26 no-proxy-arp route-lookup
translate_hits = 472, untranslate_hits = 0
7 (AT_S8) to (outside) source static any any destination static NETWORK_OBJ_172.20.62.224_29 NETWORK_OBJ_172.20.62.224_29 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
8 (AT_S8) to (outside) source static any any destination static NETWORK_OBJ_172.20.62.232_29 NETWORK_OBJ_172.20.62.232_29 no-proxy-arp route-lookup
translate_hits = 14, untranslate_hits = 84
9 (AT_S8) to (outside) source static any any destination static NETWORK_OBJ_20.20.20.160_27 NETWORK_OBJ_20.20.20.160_27 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
10 (AT_S8) to (outside) source static any any destination static NETWORK_OBJ_20.20.20.128_25 NETWORK_OBJ_20.20.20.128_25 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
11 (AT_S8) to (outside) source static any any destination static NETWORK_OBJ_172.20.38.4_30 NETWORK_OBJ_172.20.38.4_30 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
12 (AT_S8) to (outside) source static any any destination static NETWORK_OBJ_20.20.21.0_25 NETWORK_OBJ_20.20.21.0_25 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
13 (AT_S8) to (outside) source static any any destination static NETWORK_OBJ_172.20.38.32_28 NETWORK_OBJ_172.20.38.32_28 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
14 (AT_S8) to (outside) source static any any destination static NETWORK_OBJ_172.20.38.48_28 NETWORK_OBJ_172.20.38.48_28 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
15 (AT_S8) to (outside) source static any any destination static NETWORK_OBJ_20.20.20.220_30 NETWORK_OBJ_20.20.20.220_30 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
16 (AT_S8) to (outside) source static any any destination static NETWORK_OBJ_172.20.38.64_29 NETWORK_OBJ_172.20.38.64_29 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
17 (AT_S8) to (outside) source static any any destination static NETWORK_OBJ_20.20.20.230_31 NETWORK_OBJ_20.20.20.230_31 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
18 (AT_S8) to (outside) source static any any destination static NETWORK_OBJ_20.20.22.0_29 NETWORK_OBJ_20.20.22.0_29 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
19 (AT_S8) to (outside) source static any any destination static NETWORK_OBJ_20.20.22.0_28 NETWORK_OBJ_20.20.22.0_28 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
20 (AT_S8) to (outside) source static any any destination static NETWORK_OBJ_172.20.38.80_28 NETWORK_OBJ_172.20.38.80_28 no-proxy-arp route-lookup
translate_hits = 91, untranslate_hits = 102
21 (AT_S8) to (outside) source static any any destination static NETWORK_OBJ_20.20.20.224_27 NETWORK_OBJ_20.20.20.224_27 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
22 (AT_S8) to (outside) source static any any destination static NETWORK_OBJ_172.20.38.96_27 NETWORK_OBJ_172.20.38.96_27 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
23 (AT_S8) to (outside) source static any any destination static NETWORK_OBJ_172.20.62.240_29 NETWORK_OBJ_172.20.62.240_29 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
24 (AT_S8) to (outside) source static any any destination static NETWORK_OBJ_165.213.107.0_24 NETWORK_OBJ_165.213.107.0_24 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
05-03-2020 06:57 PM
05-03-2020 07:16 PM
05-04-2020 04:12 AM - edited 05-04-2020 04:27 AM
Hi,
When a user connects, a /32 route will be installed automatically. This is expected behavior.
I have noted that your NAT exception for UE & AWS was hidden by the PAT statement.
Therefore, the NAT exception will not be executed, and the traffic was actually routed to the Internet rather than the VPN tunnel.
As you have changed your configuration, I will use the original 'show run nat' result (based on my email record) to illustrate the problem.
Look at line 19 (which is your NAT exception) and line 14 (which is your NAT overload / PAT).
Since the NAT overload (line 14) is above the NAT exception (line 19), line 19 will never be executed.
If you have a configuration backup, you could check where the NAT overload (line 14) was.
After fixing the NAT order, you should be able to ping.
With reference to the given configuration in the first post, you can see the difference:
Do you have a configuration backup?
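The ordering point made in this answer (ASA evaluates manual NAT first-to-last, so a broad dynamic PAT placed above a specific identity NAT makes the identity rule unreachable) can be checked mechanically. The following Python script is an added example, not code from this thread or from Cisco: it parses `show run nat` lines into a simplified model of ASA manual-NAT order (Section 1 in config order, then after-auto Section 3), reports the first rule a given flow hits, and lists later rules that an earlier rule shadows. The object table is constructed for the example because the thread does not show the `object network` definitions; service matching, Section 2 object NAT and route-lookup egress behaviour are deliberately out of scope.

```python
"""Simplified model of Cisco ASA manual NAT evaluation order (example code, not an ASA
feature): rules are matched first-to-last, Section 1 (manual NAT) before Section 3
(after-auto), so a broad dynamic PAT above a specific identity NAT "exemption"
shadows it."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed object table (assumption: these are the addresses behind the thread's
# object names; the real `object network` definitions are not in the thread).
OBJECTS = {
    "any": "0.0.0.0/0",
    "NETWORK_OBJ_20.20.20.50": "20.20.20.50/32",
    "NETWORK_OBJ_20.20.20.240_28": "20.20.20.240/28",
}

RULE_RE = re.compile(
    r"nat \((?P<sif>[\w-]+),(?P<dif>[\w-]+)\)\s+(?P<after>after-auto\s+)?"
    r"source (?P<kind>static|dynamic) (?P<rsrc>\S+) (?P<msrc>\S+)"
    r"(?: destination static (?P<rdst>\S+) (?P<mdst>\S+))?"
)


@dataclass
class NatRule:
    text: str
    section: int                       # 1 = manual NAT, 3 = after-auto manual NAT
    src_if: str                        # real (ingress) interface; "any" matches all
    egress_if: str                     # mapped interface the rule sends traffic to
    kind: str                          # "static" (identity here) or "dynamic" (PAT)
    real_src: ipaddress.IPv4Network
    real_dst: ipaddress.IPv4Network    # 0.0.0.0/0 when the rule has no destination clause
    mapped_src: str                    # "interface" means PAT to the egress interface address


def resolve(name: str) -> ipaddress.IPv4Network:
    if name not in OBJECTS:
        raise ValueError(f"unknown object {name!r}; add it to OBJECTS")
    return ipaddress.ip_network(OBJECTS[name])


def parse_nat_config(lines: List[str]) -> List[NatRule]:
    """Parse `show run nat` lines and return them in ASA evaluation order."""
    rules = []
    for line in lines:
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # '!' separators, comments, unsupported syntax
        rules.append(NatRule(
            text=line.strip(),
            section=3 if m.group("after") else 1,
            src_if=m.group("sif"),
            egress_if=m.group("dif"),
            kind=m.group("kind"),
            real_src=resolve(m.group("rsrc")),
            real_dst=resolve(m.group("rdst") or "any"),
            mapped_src=m.group("msrc"),
        ))
    rules.sort(key=lambda r: r.section)  # stable sort keeps config order within a section
    return rules


def first_match(rules: List[NatRule], ingress_if: str, src_ip: str, dst_ip: str) -> Optional[NatRule]:
    """First rule whose ingress interface and real source/destination cover the flow."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in rules:
        if rule.src_if in ("any", ingress_if) and src in rule.real_src and dst in rule.real_dst:
            return rule
    return None


def shadowed_rules(rules: List[NatRule]) -> List[Tuple[int, int]]:
    """1-based (earlier, later) pairs where the later rule can never be reached because
    an earlier rule already matches every flow the later one describes."""
    found = []
    for j, later in enumerate(rules):
        for i, earlier in enumerate(rules[:j]):
            if (earlier.src_if in ("any", later.src_if)
                    and later.real_src.subnet_of(earlier.real_src)
                    and later.real_dst.subnet_of(earlier.real_dst)):
                found.append((i + 1, j + 1))
                break
    return found


EXEMPTION = ("nat (AWS,outside) source static NETWORK_OBJ_20.20.20.50 NETWORK_OBJ_20.20.20.50 "
             "destination static NETWORK_OBJ_20.20.20.240_28 NETWORK_OBJ_20.20.20.240_28 "
             "no-proxy-arp route-lookup")
PAT = "nat (any,outside) source dynamic any interface"

# Broken order (constructed from the thread): PAT in Section 1, exemption left in Section 3.
BROKEN = [PAT, "!", EXEMPTION.replace("source static", "after-auto source static")]
# Fixed order: exemption first in Section 1, PAT demoted to after-auto.
FIXED = [EXEMPTION, "!", PAT.replace("source dynamic", "after-auto source dynamic")]

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        rules = parse_nat_config(cfg)
        hit = first_match(rules, "AWS", "20.20.20.50", "20.20.20.248")
        print(f"{label}: server->UE hits '{hit.text}'")
        print(f"{label}: shadowed rule pairs = {shadowed_rules(rules)}")
```

With the broken order the server-to-UE flow hits the dynamic PAT and the exemption is reported as shadowed; with the fixed order the identity rule matches first and nothing is shadowed. Real configurations also need the `object network` table filled in and Section 2 object NAT added before the after-auto rules.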
05-04-2020 07:22 AM - edited 05-04-2020 09:00 AM
I really appreciate your kindness!!! But could I ask more? ^^
I modified the NAT rule as you said because I don't have a configuration backup.
The current NAT exception is on top as follows, but I cannot ping the server (20.20.20.50) from the UE (20.20.20.246).
Could you check it again? (Actually, I am really sorry to bother you... I am a super beginner with VPN... lol)
Result of the command: "show run nat"
nat (AWS,outside) source static NETWORK_OBJ_20.20.20.50 NETWORK_OBJ_20.20.20.50 destination static NETWORK_OBJ_20.20.20.240_28 NETWORK_OBJ_20.20.20.240_28 no-proxy-arp
nat (jiotrial,outside) source dynamic DM_INLINE_NETWORK_20 interface
nat (AT_S8_L,AT_S8_L) source static any any destination static NETWORK_OBJ_20.20.20.230_31 NETWORK_OBJ_20.20.20.230_31 no-proxy-arp route-lookup inactive
nat (AT_S8_L,outside) source static any any destination static NETWORK_OBJ_20.20.20.246_31 NETWORK_OBJ_20.20.20.246_31 no-proxy-arp route-lookup inactive
nat (AT_S8_L,outside) source static any any destination static NETWORK_OBJ_20.20.20.248_29 NETWORK_OBJ_20.20.20.248_29 no-proxy-arp route-lookup inactive
nat (AT_S8_L,outside) source static any any destination static NETWORK_OBJ_20.20.20.240_28 NETWORK_OBJ_20.20.20.240_28 no-proxy-arp route-lookup inactive
!
nat (any,outside) after-auto source dynamic any interface description SBC -> UE (20.20.20.X/24)
nat (AWS,outside) after-auto source static 192.168.2.0 192.168.2.0 destination static NETWORK_OBJ_192.168.2.40_29 NETWORK_OBJ_192.168.2.40_29 no-proxy-arp route-lookup inactive
nat (any,outside) after-auto source dynamic DM_INLINE_NETWORK_3 interface inactive
nat (inside,outside) after-auto source static any any destination static NETWORK_OBJ_20.20.20.0_25 NETWORK_OBJ_20.20.20.0_25 no-proxy-arp route-lookup
nat (jiotrial,outside) after-auto source static 165.213.198.0 165.213.198.0 destination static NETWORK_OBJ_165.213.0.0_24 NETWORK_OBJ_165.213.0.0_24 no-proxy-arp route-lookup
nat (AT_S8_L,outside) after-auto source static any any destination static NETWORK_OBJ_20.20.20.0_26 NETWORK_OBJ_20.20.20.0_26 no-proxy-arp route-lookup
nat (AT_S8_L,outside) after-auto source static any any destination static NETWORK_OBJ_172.20.62.224_29 NETWORK_OBJ_172.20.62.224_29 no-proxy-arp route-lookup
nat (AT_S8_L,outside) after-auto source static any any destination static NETWORK_OBJ_172.20.62.232_29 NETWORK_OBJ_172.20.62.232_29 no-proxy-arp route-lookup
nat (AT_S8_L,outside) after-auto source static any any destination static NETWORK_OBJ_20.20.20.160_27 NETWORK_OBJ_20.20.20.160_27 no-proxy-arp route-lookup
nat (AT_S8_L,outside) after-auto source static any any destination static NETWORK_OBJ_20.20.20.128_25 NETWORK_OBJ_20.20.20.128_25 no-proxy-arp route-lookup
nat (AT_S8_L,outside) after-auto source static any any destination static NETWORK_OBJ_172.20.38.4_30 NETWORK_OBJ_172.20.38.4_30 no-proxy-arp route-lookup
nat (AT_S8_L,outside) after-auto source static any any destination static NETWORK_OBJ_20.20.21.0_25 NETWORK_OBJ_20.20.21.0_25 no-proxy-arp route-lookup
nat (AT_S8_L,outside) after-auto source static any any destination static NETWORK_OBJ_172.20.38.32_28 NETWORK_OBJ_172.20.38.32_28 no-proxy-arp route-lookup
nat (AT_S8_L,outside) after-auto source static any any destination static NETWORK_OBJ_172.20.38.48_28 NETWORK_OBJ_172.20.38.48_28 no-proxy-arp route-lookup
nat (AT_S8_L,outside) after-auto source static any any destination static NETWORK_OBJ_20.20.20.220_30 NETWORK_OBJ_20.20.20.220_30 no-proxy-arp route-lookup
nat (AT_S8_L,outside) after-auto source static any any destination static NETWORK_OBJ_172.20.38.64_29 NETWORK_OBJ_172.20.38.64_29 no-proxy-arp route-lookup
nat (AT_S8_L,outside) after-auto source static any any destination static NETWORK_OBJ_20.20.20.230_31 NETWORK_OBJ_20.20.20.230_31 no-proxy-arp route-lookup
nat (AT_S8_L,outside) after-auto source static any any destination static NETWORK_OBJ_20.20.22.0_29 NETWORK_OBJ_20.20.22.0_29 no-proxy-arp route-lookup
nat (AT_S8_L,outside) after-auto source static any any destination static NETWORK_OBJ_20.20.22.0_28 NETWORK_OBJ_20.20.22.0_28 no-proxy-arp route-lookup
nat (AT_S8_L,outside) after-auto source static any any destination static NETWORK_OBJ_172.20.38.80_28 NETWORK_OBJ_172.20.38.80_28 no-proxy-arp route-lookup
nat (AT_S8_L,outside) after-auto source static any any destination static NETWORK_OBJ_20.20.20.224_27 NETWORK_OBJ_20.20.20.224_27 no-proxy-arp route-lookup
nat (AT_S8_L,outside) after-auto source static any any destination static NETWORK_OBJ_172.20.38.96_27 NETWORK_OBJ_172.20.38.96_27 no-proxy-arp route-lookup
nat (AT_S8_L,outside) after-auto source static any any destination static NETWORK_OBJ_172.20.62.240_29 NETWORK_OBJ_172.20.62.240_29 no-proxy-arp route-lookup
nat (AT_S8_L,outside) after-auto source static any any destination static NETWORK_OBJ_165.213.107.0_24 NETWORK_OBJ_165.213.107.0_24 no-proxy-arp route-lookup
Result of the command: "show nat"
Manual NAT Policies (Section 1)
1 (AWS) to (outside) source static NETWORK_OBJ_20.20.20.50 NETWORK_OBJ_20.20.20.50 destination static NETWORK_OBJ_20.20.20.240_28 NETWORK_OBJ_20.20.20.240_28 no-proxy-arp
translate_hits = 3, untranslate_hits = 3
2 (jiotrial) to (outside) source dynamic DM_INLINE_NETWORK_20 interface
translate_hits = 5671, untranslate_hits = 1
3 (AT_S8_L) to (AT_S8_L) source static any any destination static NETWORK_OBJ_20.20.20.230_31 NETWORK_OBJ_20.20.20.230_31 no-proxy-arp route-lookup inactive
translate_hits = 0, untranslate_hits = 0
4 (AT_S8_L) to (outside) source static any any destination static NETWORK_OBJ_20.20.20.246_31 NETWORK_OBJ_20.20.20.246_31 no-proxy-arp route-lookup inactive
translate_hits = 0, untranslate_hits = 0
5 (AT_S8_L) to (outside) source static any any destination static NETWORK_OBJ_20.20.20.248_29 NETWORK_OBJ_20.20.20.248_29 no-proxy-arp route-lookup inactive
translate_hits = 0, untranslate_hits = 0
6 (AT_S8_L) to (outside) source static any any destination static NETWORK_OBJ_20.20.20.240_28 NETWORK_OBJ_20.20.20.240_28 no-proxy-arp route-lookup inactive
translate_hits = 0, untranslate_hits = 0
Manual NAT Policies (Section 3)
1 (any) to (outside) source dynamic any interface description SBC -> UE (20.20.20.X/24)
translate_hits = 505, untranslate_hits = 2
2 (AWS) to (outside) source static 192.168.2.0 192.168.2.0 destination static NETWORK_OBJ_192.168.2.40_29 NETWORK_OBJ_192.168.2.40_29 no-proxy-arp route-lookup inactive
translate_hits = 0, untranslate_hits = 0
3 (any) to (outside) source dynamic DM_INLINE_NETWORK_3 interface inactive
translate_hits = 0, untranslate_hits = 0
4 (inside) to (outside) source static any any destination static NETWORK_OBJ_20.20.20.0_25 NETWORK_OBJ_20.20.20.0_25 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
5 (jiotrial) to (outside) source static 165.213.198.0 165.213.198.0 destination static NETWORK_OBJ_165.213.0.0_24 NETWORK_OBJ_165.213.0.0_24 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
6 (AT_S8_L) to (outside) source static any any destination static NETWORK_OBJ_20.20.20.0_26 NETWORK_OBJ_20.20.20.0_26 no-proxy-arp route-lookup
translate_hits = 494, untranslate_hits = 0
7 (AT_S8_L) to (outside) source static any any destination static NETWORK_OBJ_172.20.62.224_29 NETWORK_OBJ_172.20.62.224_29 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
8 (AT_S8_L) to (outside) source static any any destination static NETWORK_OBJ_172.20.62.232_29 NETWORK_OBJ_172.20.62.232_29 no-proxy-arp route-lookup
translate_hits = 14, untranslate_hits = 84
9 (AT_S8_L) to (outside) source static any any destination static NETWORK_OBJ_20.20.20.160_27 NETWORK_OBJ_20.20.20.160_27 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
10 (AT_S8_L) to (outside) source static any any destination static NETWORK_OBJ_20.20.20.128_25 NETWORK_OBJ_20.20.20.128_25 no-proxy-arp route-lookup
translate_hits = 158, untranslate_hits = 0
11 (AT_S8_L) to (outside) source static any any destination static NETWORK_OBJ_172.20.38.4_30 NETWORK_OBJ_172.20.38.4_30 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
12 (AT_S8_L) to (outside) source static any any destination static NETWORK_OBJ_20.20.21.0_25 NETWORK_OBJ_20.20.21.0_25 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
13 (AT_S8_L) to (outside) source static any any destination static NETWORK_OBJ_172.20.38.32_28 NETWORK_OBJ_172.20.38.32_28 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
14 (AT_S8_L) to (outside) source static any any destination static NETWORK_OBJ_172.20.38.48_28 NETWORK_OBJ_172.20.38.48_28 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
15 (AT_S8_L) to (outside) source static any any destination static NETWORK_OBJ_20.20.20.220_30 NETWORK_OBJ_20.20.20.220_30 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
16 (AT_S8_L) to (outside) source static any any destination static NETWORK_OBJ_172.20.38.64_29 NETWORK_OBJ_172.20.38.64_29 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
17 (AT_S8_L) to (outside) source static any any destination static NETWORK_OBJ_20.20.20.230_31 NETWORK_OBJ_20.20.20.230_31 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
18 (AT_S8_L) to (outside) source static any any destination static NETWORK_OBJ_20.20.22.0_29 NETWORK_OBJ_20.20.22.0_29 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
19 (AT_S8_L) to (outside) source static any any destination static NETWORK_OBJ_20.20.22.0_28 NETWORK_OBJ_20.20.22.0_28 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
20 (AT_S8_L) to (outside) source static any any destination static NETWORK_OBJ_172.20.38.80_28 NETWORK_OBJ_172.20.38.80_28 no-proxy-arp route-lookup
translate_hits = 153, untranslate_hits = 102
21 (AT_S8_L) to (outside) source static any any destination static NETWORK_OBJ_20.20.20.224_27 NETWORK_OBJ_20.20.20.224_27 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
22 (AT_S8_L) to (outside) source static any any destination static NETWORK_OBJ_172.20.38.96_27 NETWORK_OBJ_172.20.38.96_27 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
23 (AT_S8_L) to (outside) source static any any destination static NETWORK_OBJ_172.20.62.240_29 NETWORK_OBJ_172.20.62.240_29 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
24 (AT_S8_L) to (outside) source static any any destination static NETWORK_OBJ_165.213.107.0_24 NETWORK_OBJ_165.213.107.0_24 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
05-04-2020 08:25 AM
05-04-2020 09:02 AM
Thanks very much... how can I ever thank you enough... I will check after I get up early tomorrow... it's 1am now.. : )
05-04-2020 10:05 AM - edited 05-04-2020 10:08 AM
With reference to your information, I have built a webvpn, and you should expect similar results in each of the verification steps as follows.
1. When you have connected to the SSLVPN, you will be assigned the corresponding IP address. You will also see a 20.20.20.246/32 route automatically installed on the ASA.
2. On the PC, you should see that traffic destined to the server (e.g. 20.20.20.0/24) is routed via the VPN (20.20.20.246).
3. On the ASA, you can see that you are connected.
4. Set up two captures on the ASA, then try to ping from the PC to the server.
ciscoasa# capture CAP_TEMP_AWS buffer 2048 interface AWS match icmp host 20.20.20.246 any
ciscoasa# capture LOG_DROP type asp-drop all match ip host 20.20.20.50 host 20.20.20.246
ciscoasa# capture LOG_DROP type asp-drop all match ip host 20.20.20.246 host 20.20.20.50
You see that your ICMP echo-request is sent to the server, and the server replies with an ICMP echo-reply.
Also check LOG_DROP. If the ASA has dropped any packet, you would see something like this:
Remove the captures when done.
ciscoasa# no capture CAP_TEMP_AWS
ciscoasa# no capture LOG_DROP
ciscoasa# no capture LOG_DROP
5. If the server has received your echo-request, you should see the ARP record on the server (20.20.20.50).
The MAC address of 20.20.20.246 is the same as that of the ASA gateway 20.20.20.1.
As you see below, 20.20.20.246 and 20.20.20.1 share the same MAC address.
If not, you have an IP address conflict issue.
(here I used a router to simulate the server; you can use 'arp -a' on Windows/Linux to check the ARP table)
6. If the server replied with an echo-reply, check the NAT exemption counter, which should have increased (four echo-reply messages from the server).
Please let us know at which step you get stuck.
===
Attached is my configuration for your quick reference.
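The checks in steps 4 and 6 above (an asp-drop capture plus a before/after comparison of the "show nat" hit counters) are easier to read when they are diffed mechanically rather than by eye over a 30-rule listing. The script below is an added example, not code from this thread or from Cisco: it parses two "show nat" snapshots and reports which rules' translate_hits/untranslate_hits moved, and it groups asp-drop capture lines by their Drop-reason code. The sample outputs embedded in it are constructed from the listings posted in this thread, trimmed to a few rules; the function names are the example's own.

```python
"""Triage helpers for ASA 'show nat' counter deltas and asp-drop captures (added example)."""
import re
from typing import Dict, List, Tuple

# Rule header inside a 'show nat' section, e.g. "1 (AWS) to (outside) source static ..."
RULE_RE = re.compile(r"^(\d+)\s+\((\S+)\) to \((\S+)\)\s+(.*)$")
HITS_RE = re.compile(r"translate_hits\s*=\s*(\d+),\s*untranslate_hits\s*=\s*(\d+)")
SECTION_RE = re.compile(r"^(Auto|Manual) NAT Policies \(Section (\d)\)")
# asp-drop capture line: "<n>: <time> <src> > <dst>: <info> Drop-reason: (<code>) <text>"
DROP_RE = re.compile(r"^(\d+):\s+\S+\s+(\S+) > (\S+):\s+(.*?)\s+Drop-reason:\s+\(([^)]+)\)")


def parse_show_nat(text: str) -> Dict[Tuple[str, int], dict]:
    """Return {(section, rule_no): {src_if, dst_if, rule, translate, untranslate}}."""
    rules: Dict[Tuple[str, int], dict] = {}
    section = None
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:                       # new section: rule numbers restart at 1
            section = f"{m.group(1)} section {m.group(2)}"
            continue
        m = RULE_RE.match(line)
        if m and section is not None:
            key = (section, int(m.group(1)))
            rules[key] = {"src_if": m.group(2), "dst_if": m.group(3),
                          "rule": m.group(4), "translate": 0, "untranslate": 0}
            continue
        m = HITS_RE.search(line)
        if m and key is not None:   # counters belong to the most recent rule header
            rules[key]["translate"] = int(m.group(1))
            rules[key]["untranslate"] = int(m.group(2))
    return rules


def nat_counter_delta(before: str, after: str) -> List[dict]:
    """Rules whose hit counters changed between two snapshots (step 6 of the procedure)."""
    old_rules, new_rules = parse_show_nat(before), parse_show_nat(after)
    changed = []
    for key, rule in new_rules.items():
        old = old_rules.get(key, {"translate": 0, "untranslate": 0})
        dt = rule["translate"] - old["translate"]
        du = rule["untranslate"] - old["untranslate"]
        if dt or du:
            changed.append({"section": key[0], "number": key[1],
                            "interfaces": f"{rule['src_if']}->{rule['dst_if']}",
                            "rule": rule["rule"],
                            "translate_delta": dt, "untranslate_delta": du})
    return changed


def summarize_asp_drops(text: str) -> Dict[str, List[Tuple[str, str, str]]]:
    """Group asp-drop capture lines: Drop-reason code -> [(src, dst, protocol info)]."""
    out: Dict[str, List[Tuple[str, str, str]]] = {}
    for raw in text.splitlines():
        m = DROP_RE.match(raw.strip())
        if m:
            _, src, dst, info, reason = m.groups()
            out.setdefault(reason, []).append((src, dst, info))
    return out


# Constructed samples, trimmed from the 'show nat' / 'show capture' output in the thread.
SHOW_NAT_BEFORE = """\
Manual NAT Policies (Section 1)
1 (AWS) to (outside) source static NETWORK_OBJ_20.20.20.50 NETWORK_OBJ_20.20.20.50 destination static NETWORK_OBJ_20.20.20.240_28 NETWORK_OBJ_20.20.20.240_28 no-proxy-arp
    translate_hits = 3, untranslate_hits = 3
2 (jiotrial) to (outside) source dynamic DM_INLINE_NETWORK_20 interface
    translate_hits = 5671, untranslate_hits = 1
Manual NAT Policies (Section 3)
1 (any) to (outside) source dynamic any interface description SBC -> UE (20.20.20.X/24)
    translate_hits = 505, untranslate_hits = 2
6 (AT_S8_L) to (outside) source static any any destination static NETWORK_OBJ_20.20.20.0_26 NETWORK_OBJ_20.20.20.0_26 no-proxy-arp route-lookup
    translate_hits = 494, untranslate_hits = 0
10 (AT_S8_L) to (outside) source static any any destination static NETWORK_OBJ_20.20.20.128_25 NETWORK_OBJ_20.20.20.128_25 no-proxy-arp route-lookup
    translate_hits = 158, untranslate_hits = 0
"""
SHOW_NAT_AFTER = SHOW_NAT_BEFORE.replace("= 3, untranslate_hits = 3", "= 9, untranslate_hits = 9") \
    .replace("5671, untranslate_hits = 1", "7442, untranslate_hits = 3") \
    .replace("505, untranslate_hits = 2", "206482, untranslate_hits = 15") \
    .replace("158, untranslate_hits = 0", "190, untranslate_hits = 0")
ASP_DROP_SAMPLE = """\
916: 09:43:44.965129 20.20.20.247 > 20.20.20.50: icmp: echo request Drop-reason: (acl-drop) Flow is denied by configured rule
1600: 09:43:48.986536 20.20.20.247 > 20.20.20.50: icmp: echo request Drop-reason: (acl-drop) Flow is denied by configured rule
1784: 09:43:53.017241 20.20.20.247 > 20.20.20.50: icmp: echo request Drop-reason: (acl-drop) Flow is denied by configured rule
"""

if __name__ == "__main__":
    for r in nat_counter_delta(SHOW_NAT_BEFORE, SHOW_NAT_AFTER):
        print(f"{r['section']} rule {r['number']} {r['interfaces']}: "
              f"translate +{r['translate_delta']}, untranslate +{r['untranslate_delta']}")
    for reason, flows in summarize_asp_drops(ASP_DROP_SAMPLE).items():
        print(f"{reason}: {len(flows)} packets, e.g. {flows[0]}")
```

In practice you paste the two "show nat" outputs captured immediately before and after the test ping into the two strings; the rule whose untranslate_hits rises by the number of echo-replies is the one handling the return traffic, and a rule that rises on translate_hits only (like the Section 3 dynamic PAT rule here) is a sign the client's packets are being translated rather than exempted.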
05-04-2020 04:39 PM - edited 05-04-2020 04:47 PM
Thanks for your kind simulation.
When I checked my NAT after I pinged the server from the UE, I found "untranslate_hits" in my NAT rule no.1 as you simulated. But the ARP table is somewhat different: I can only see the 20.20.20.50 IP even though the UE gets 20.20.20.246, as follows.
And I tried to capture the ICMP packets as you taught me. I found that the 20.20.20.247 > 20.20.20.50 ICMP echo request is dropped by a configured rule!
Result of the command: "show capture CAP_TEMP_AWS"
0 packet captured
0 packet shown
Result of the command: "show capture LOG_DROP"
3780 packets captured
916: 09:43:44.965129 20.20.20.247 > 20.20.20.50: icmp: echo request Drop-reason: (acl-drop) Flow is denied by configured rule
1600: 09:43:48.986536 20.20.20.247 > 20.20.20.50: icmp: echo request Drop-reason: (acl-drop) Flow is denied by configured rule
1784: 09:43:53.017241 20.20.20.247 > 20.20.20.50: icmp: echo request Drop-reason: (acl-drop) Flow is denied by configured rule
Result of the command: "show nat"
Manual NAT Policies (Section 1)
1 (AWS) to (outside) source static NETWORK_OBJ_20.20.20.50 NETWORK_OBJ_20.20.20.50 destination static NETWORK_OBJ_20.20.20.240_28 NETWORK_OBJ_20.20.20.240_28 no-proxy-arp
translate_hits = 9, untranslate_hits = 9
2 (jiotrial) to (outside) source dynamic DM_INLINE_NETWORK_20 interface
translate_hits = 7442, untranslate_hits = 3
3 (AT_S8_L) to (AT_S8_L) source static any any destination static NETWORK_OBJ_20.20.20.230_31 NETWORK_OBJ_20.20.20.230_31 no-proxy-arp route-lookup inactive
translate_hits = 0, untranslate_hits = 0
4 (AT_S8_L) to (outside) source static any any destination static NETWORK_OBJ_20.20.20.246_31 NETWORK_OBJ_20.20.20.246_31 no-proxy-arp route-lookup inactive
translate_hits = 0, untranslate_hits = 0
5 (AT_S8_L) to (outside) source static any any destination static NETWORK_OBJ_20.20.20.248_29 NETWORK_OBJ_20.20.20.248_29 no-proxy-arp route-lookup inactive
translate_hits = 0, untranslate_hits = 0
6 (AT_S8_L) to (outside) source static any any destination static NETWORK_OBJ_20.20.20.240_28 NETWORK_OBJ_20.20.20.240_28 no-proxy-arp route-lookup inactive
translate_hits = 0, untranslate_hits = 0
Manual NAT Policies (Section 3)
1 (any) to (outside) source dynamic any interface description SBC -> UE (20.20.20.X/24)
translate_hits = 206482, untranslate_hits = 15
2 (AWS) to (outside) source static 192.168.2.0 192.168.2.0 destination static NETWORK_OBJ_192.168.2.40_29 NETWORK_OBJ_192.168.2.40_29 no-proxy-arp route-lookup inactive
translate_hits = 0, untranslate_hits = 0
3 (any) to (outside) source dynamic DM_INLINE_NETWORK_3 interface inactive
translate_hits = 0, untranslate_hits = 0
4 (inside) to (outside) source static any any destination static NETWORK_OBJ_20.20.20.0_25 NETWORK_OBJ_20.20.20.0_25 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
5 (jiotrial) to (outside) source static 165.213.198.0 165.213.198.0 destination static NETWORK_OBJ_165.213.0.0_24 NETWORK_OBJ_165.213.0.0_24 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
6 (AT_S8_L) to (outside) source static any any destination static NETWORK_OBJ_20.20.20.0_26 NETWORK_OBJ_20.20.20.0_26 no-proxy-arp route-lookup
translate_hits = 494, untranslate_hits = 0
7 (AT_S8_L) to (outside) source static any any destination static NETWORK_OBJ_172.20.62.224_29 NETWORK_OBJ_172.20.62.224_29 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
8 (AT_S8_L) to (outside) source static any any destination static NETWORK_OBJ_172.20.62.232_29 NETWORK_OBJ_172.20.62.232_29 no-proxy-arp route-lookup
translate_hits = 14, untranslate_hits = 84
9 (AT_S8_L) to (outside) source static any any destination static NETWORK_OBJ_20.20.20.160_27 NETWORK_OBJ_20.20.20.160_27 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
10 (AT_S8_L) to (outside) source static any any destination static NETWORK_OBJ_20.20.20.128_25 NETWORK_OBJ_20.20.20.128_25 no-proxy-arp route-lookup
translate_hits = 190, untranslate_hits = 0
11 (AT_S8_L) to (outside) source static any any destination static NETWORK_OBJ_172.20.38.4_30 NETWORK_OBJ_172.20.38.4_30 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
12 (AT_S8_L) to (outside) source static any any destination static NETWORK_OBJ_20.20.21.0_25 NETWORK_OBJ_20.20.21.0_25 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
13 (AT_S8_L) to (outside) source static any any destination static NETWORK_OBJ_172.20.38.32_28 NETWORK_OBJ_172.20.38.32_28 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
14 (AT_S8_L) to (outside) source static any any destination static NETWORK_OBJ_172.20.38.48_28 NETWORK_OBJ_172.20.38.48_28 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
15 (AT_S8_L) to (outside) source static any any destination static NETWORK_OBJ_20.20.20.220_30 NETWORK_OBJ_20.20.20.220_30 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
16 (AT_S8_L) to (outside) source static any any destination static NETWORK_OBJ_172.20.38.64_29 NETWORK_OBJ_172.20.38.64_29 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
17 (AT_S8_L) to (outside) source static any any destination static NETWORK_OBJ_20.20.20.230_31 NETWORK_OBJ_20.20.20.230_31 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
18 (AT_S8_L) to (outside) source static any any destination static NETWORK_OBJ_20.20.22.0_29 NETWORK_OBJ_20.20.22.0_29 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
19 (AT_S8_L) to (outside) source static any any destination static NETWORK_OBJ_20.20.22.0_28 NETWORK_OBJ_20.20.22.0_28 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
20 (AT_S8_L) to (outside) source static any any destination static NETWORK_OBJ_172.20.38.80_28 NETWORK_OBJ_172.20.38.80_28 no-proxy-arp route-lookup
translate_hits = 154, untranslate_hits = 102
21 (AT_S8_L) to (outside) source static any any destination static NETWORK_OBJ_20.20.20.224_27 NETWORK_OBJ_20.20.20.224_27 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
22 (AT_S8_L) to (outside) source static any any destination static NETWORK_OBJ_172.20.38.96_27 NETWORK_OBJ_172.20.38.96_27 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
23 (AT_S8_L) to (outside) source static any any destination static NETWORK_OBJ_172.20.62.240_29 NETWORK_OBJ_172.20.62.240_29 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
24 (AT_S8_L) to (outside) source static any any destination static NETWORK_OBJ_165.213.107.0_24 NETWORK_OBJ_165.213.107.0_24 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
Result of the command: "show arp"
outside 121.137.98.1 00d0.cb79.32a9 0
AWS 20.20.20.50 90e2.bad3.f628 2174
jiotrial 165.213.198.1 0003.2e24.03c0 0
jiotrial 165.213.198.100 0003.2e24.03c0 1
jiotrial 165.213.198.3 0003.2e24.03c0 1
jiotrial 165.213.198.150 b4de.3101.4c6b 2
jiotrial 165.213.198.184 fa16.3e49.2fc4 5
jiotrial 165.213.198.114 fa16.3e5d.8084 12
jiotrial 165.213.198.118 fa16.3ebf.5cf3 33
jiotrial 165.213.198.66 0004.969c.6ee4 62
jiotrial 165.213.198.45 8836.6c42.bb71 5714
AT_S8_L 172.20.62.251 fa16.3e91.a118 20
AT_S8_L 172.20.62.253 0000.5e00.0101 274
DEMO 50.50.50.3 9883.8934.e3ab 29
Result of the command: "show arp ?"
exec mode commands/options:
statistics Show ARP statistics
vtep-mapping Show ARP entries with VTEP IPs
| Output modifiers
<cr>
05-05-2020 05:53 AM
Hope we get closer to the root cause.
For the "show arp" check, I meant the ARP record on your server 20.20.20.50, not on the ASA.
And the ASA has somehow dropped the ICMP traffic; could you check a few more things:
Check the policy-map global_policy
Check the IPSEC status for the UE client
When you try to ping the server from the UE, the decrypted packet counter should increase:
To be honest, with reference to your configuration, I still have not figured out why the packet would get dropped.