[ASA 5585-SSP-10] NAT issue? for Remote Access VPN

BAEK_1027
Level 1

Hello, I use a Cisco ASA 5585 VPN and I am facing an issue with NAT or the firewall. Please help me T_T

Devices get an IP from the VPN ip local pool (20.20.20.0/24) and they should be able to ping a specific server as follows.

Ping from the specific server (20.20.20.50) to the device side (20.20.20.246~) is successful, but the opposite direction fails with the following issue.

  

1) Device (20.20.20.246~254) <----- (20.20.20.1) VPN <--------- (20.20.20.50) specific server : success

2) Device (20.20.20.246~254) -----> (20.20.20.1) VPN
   : failed with "Failed to locate egress interface for ICMP from outside 20.20.20.246/103 to 20.20.20.1/0"

3) Device (20.20.20.246~254) -----> (20.20.20.1) VPN ---------> (20.20.20.50) specific server
   : I tried to ping 20.20.20.50 but there are no packets in ASDM.

 

[attachment: vpn_pkt_fialed_to_locate_Egress.PNG]

[attachment: vpn.png]

[attachment: vpn1.png]

[attachment: AWS NAT.png]

 

The following running configuration is set on my VPN.

ip local pool for_fd 20.20.20.246-20.20.20.254 mask 255.255.255.0


interface GigabitEthernet0/0
nameif outside
security-level 0
ip address dhcp setroute
igmp forward interface AWS
!
interface GigabitEthernet0/1
nameif AWS
security-level 100
ip address 20.20.20.1 255.255.255.0
!

 

no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-752-153.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (AWS,outside) source static NETWORK_OBJ_20.20.20.50 NETWORK_OBJ_20.20.20.50 destination static NETWORK_OBJ_20.20.20.240_28 NETWORK_OBJ_20.20.20.240_28 no-proxy-arp route-lookup
nat (AWS,outside) source static NETWORK_OBJ_20.20.20.50 NETWORK_OBJ_20.20.20.50 destination static NETWORK_OBJ_10.10.0.214 NETWORK_OBJ_10.10.0.214 no-proxy-arp route-lookup
!
nat (any,outside) after-auto source dynamic DM_INLINE_NETWORK_3 interface
nat (AWS,outside) after-auto source static 192.168.2.0 192.168.2.0 destination static NETWORK_OBJ_192.168.2.40_29 NETWORK_OBJ_192.168.2.40_29 no-proxy-arp route-lookup
nat (AWS,outside) after-auto source static any any destination static NETWORK_OBJ_20.20.20.0_26 NETWORK_OBJ_20.20.20.0_26 no-proxy-arp route-lookup
nat (AWS,outside) after-auto source static 20.20.20.0 20.20.20.0 destination static NETWORK_OBJ_20.20.20.50 NETWORK_OBJ_20.20.20.50 no-proxy-arp route-lookup
nat (AWS,outside) after-auto source static any any destination static NETWORK_OBJ_20.20.20.0_24 NETWORK_OBJ_20.20.20.0_24 no-proxy-arp route-lookup
nat (ipv6test,outside) after-auto source static any any destination static NETWORK_OBJ_192.168.2.128_25 NETWORK_OBJ_192.168.2.128_25 no-proxy-arp route-lookup
nat (inside,outside) after-auto source static any any destination static NETWORK_OBJ_20.20.20.0_25 NETWORK_OBJ_20.20.20.0_25 no-proxy-arp route-lookup
nat (jiotrial,outside) after-auto source static 165.213.198.0 165.213.198.0 destination static NETWORK_OBJ_165.213.0.0_24 NETWORK_OBJ_165.213.0.0_24 no-proxy-arp route-lookup

access-group AWS_access_in in interface AWS
access-group AWS_access_out_1 out interface AWS
route S8_LL 10.9.100.0 255.255.255.0 172.20.62.251 1
route jiotrial 10.100.1.0 255.255.255.0 165.213.198.184 1
route S8_LL 33.33.33.0 255.255.255.248 172.20.62.253 1
route CIOT 69.0.0.0 255.240.0.0 167.1.1.1 1
route inside2 77.77.77.0 255.255.255.0 200.200.0.10 1
route inside2 100.3.0.0 255.255.0.0 200.200.0.10 1
route inside 132.132.0.0 255.255.0.0 20.4.1.108 1

 


crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 1 match address outside_cryptomap_15
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 218.36.252.2
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 2 match address outside_cryptomap_4
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer 13.126.140.63
crypto map outside_map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 2 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 3 match address outside_cryptomap_2
crypto map outside_map 3 set peer 13.126.140.63
crypto map outside_map 3 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 3 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 4 match address outside_cryptomap_1
crypto map outside_map 4 set peer 13.126.140.63
crypto map outside_map 4 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 4 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 5 match address outside_cryptomap_3
crypto map outside_map 5 set peer 205.172.229.252
crypto map outside_map 5 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 5 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 6 match address outside_cryptomap_7
crypto map outside_map 6 set pfs
crypto map outside_map 6 set peer 13.125.76.33
crypto map outside_map 6 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 6 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 7 match address outside_cryptomap_6
crypto map outside_map 7 set pfs
crypto map outside_map 7 set peer 13.126.68.155
crypto map outside_map 7 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 7 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 8 match address outside_cryptomap_5
crypto map outside_map 8 set peer 203.244.197.254
crypto map outside_map 8 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 8 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 9 match address outside_cryptomap_8
crypto map outside_map 9 set peer 70.50.191.60
crypto map outside_map 9 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 9 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 10 match address outside_cryptomap_9
crypto map outside_map 10 set peer 59.13.32.21
crypto map outside_map 10 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 10 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 11 match address outside_cryptomap_10
crypto map outside_map 11 set peer 12.207.252.67
crypto map outside_map 11 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 11 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map outside_map 11 set security-association lifetime seconds 345600
crypto map outside_map 12 match address outside_cryptomap_11
crypto map outside_map 12 set pfs
crypto map outside_map 12 set peer 13.124.171.223
crypto map outside_map 12 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 12 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 13 match address outside_cryptomap_13
crypto map outside_map 13 set peer 52.141.4.217
crypto map outside_map 14 match address outside_cryptomap_14
crypto map outside_map 14 set peer 34.85.120.241
crypto map outside_map 15 match address outside_cryptomap_12
crypto map outside_map 15 set peer 34.85.120.241
crypto map outside_map 15 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 15 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map outside_map 16 match address outside_cryptomap_18
crypto map outside_map 16 set peer 1.237.186.182
crypto map outside_map 16 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 17 set peer 218.36.252.2
crypto map outside_map 17 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 17 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map outside_map 18 match address outside_cryptomap_17
crypto map outside_map 18 set pfs group5
crypto map outside_map 18 set peer 13.127.71.45
crypto map outside_map 18 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 18 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map siteBpublic_map 1 match address outside_cryptomap
crypto map ATT_SS8_LI_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map ATT_SS8_LI_map interface ATT_SS8_LI
crypto map AWS_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map AWS_map interface AWS
crypto ca trustpoint ASDM_TrustPoint0

tunnel-group mobile_for_fd type remote-access
tunnel-group mobile_for_fd general-attributes
address-pool for_fd
default-group-policy mobile_for_fd
tunnel-group mobile_for_fd ipsec-attributes
ikev1 pre-shared-key *****

20 Replies

ngkin2010
Level 7
Hi,

Were you trying to ping from the device (20.20.20.246) to the ASA's AWS interface (20.20.20.1)?

This is not allowed, as the AWS interface (20.20.20.1) is not the nearest interface to 20.20.20.246.

Although you cannot reach 20.20.20.1 from 20.20.20.246, this does not affect the connection from 20.20.20.246 (outside) to 20.20.20.50 (AWS).

According to the given information, I see that the security-level for the outside interface is 0, while the security-level for AWS is 100. Did you configure an access list to permit 20.20.20.246 to ping 20.20.20.50? If not, the connection is dropped implicitly.


Thanks for your comments. But could I know how I can configure an access list to permit 20.20.20.246 to ping 20.20.20.50?
I think I should configure an access list to permit the device network (20.20.20.246~254) to reach 20.20.20.50 as you said, but actually I don't know how to configure it in ASDM T_T Can you teach me?

I tried to configure the access list to permit 20.20.20.246 to 20.20.20.50, but after that the ping still failed. I think the 20.20.20.X/24 network should connect to the specific server (20.20.20.50), but there are no packets arriving at 20.20.20.50 from anywhere.
(Actually, ping between 20.20.20.x and 20.20.20.50 had already succeeded 4 days ago, but I entered a wrong command and after that all pings to 20.20.20.50 fail... I don't know what I entered.. T_T I think it is about NAT or ACL, but nothing I have tried so far has solved it.)

Hi,

Do you mean that after some configuration change, the AnyConnect user now fails to access the server?

No worries, let's get more information for troubleshooting.

First, connect AnyConnect on the user PC and confirm the PC obtained an IP address (e.g. 20.20.20.246).

Set up a temporary packet capture on the ASA to see what is happening (the interface name is AWS, as in your nameif):
ASA# capture tempCap type asp-drop acl-drop buffer 2048 interface AWS match icmp host 20.20.20.246 host 20.20.20.50

Try to ping the server from the PC (e.g. 20.20.20.246 ping to 20.20.20.50), then on ASA see whether any packet dropped:

ASA# show capture tempCap
ASA# show capture tempCap
<..>
ASA# show capture tempCap

After testing, remove the capture:

ASA# no capture tempCap

Besides, please post the following information from the command line (when AnyConnect is connected):

show run nat
show run all sysopt
show route


Thanks for your kindness!!
Yes, right: after some configuration change, the AnyConnect user (actually it is a UE) now fails to access the server.
When I try to ping from the UE (20.20.20.248) to the server (20.20.20.50), there are no packets in the VPN.
However, when I try to ping from the server (20.20.20.50) to the UE (20.20.20.248), the ping is successful and packets exist in the VPN.

Please check the following information from the CLI. I think this looks like a NAT issue, as follows: when I tried to ping from the server to the UE with the NAT rule "6 (any) to (outside) source dynamic any interface", it succeeded, but when I disabled this NAT rule, the ping failed even from the server.

So I tried to add a NAT rule (7 (outside) to (AWS) source dynamic any interface) from the UE to the server as follows, but the ping still fails...

 

Result of the command: "show route"

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 121.137.98.1 to network 0.0.0.0

S* 0.0.0.0 0.0.0.0 [1/0] via 121.137.98.1, outside
S 10.9.100.0 255.255.255.0 [1/0] via 172.20.62.251, AT_S8_L
S 10.100.1.0 255.255.255.0 [1/0] via 165.213.198.184, jiotrial
C 20.20.20.0 255.255.255.0 is directly connected, AWS
L 20.20.20.1 255.255.255.255 is directly connected, AWS
S 20.20.20.248 255.255.255.255 [1/0] via 121.137.98.1, outside
S 33.33.33.0 255.255.255.248 [1/0] via 172.20.62.253, AT_S8_L
C 50.50.50.0 255.255.255.0 is directly connected, DEMO
L 50.50.50.1 255.255.255.255 is directly connected, DEMO
S 69.0.0.0 255.240.0.0 [1/0] via 167.1.1.1, CIOT
C 121.137.98.0 255.255.255.0 is directly connected, outside
L 121.137.98.146 255.255.255.255 is directly connected, outside
C 165.213.198.0 255.255.255.0 is directly connected, jiotrial
L 165.213.198.107 255.255.255.255 is directly connected, jiotrial
C 167.1.1.0 255.255.255.0 is directly connected, CIOT
L 167.1.1.5 255.255.255.255 is directly connected, CIOT
S 172.19.1.0 255.255.255.0 [1/0] via 172.20.62.253, AT_S8_L
S 172.20.2.92 255.255.255.255 [1/0] via 172.20.62.253, AT_S8_L
S 172.20.4.16 255.255.255.255 [1/0] via 172.20.62.253, AT_S8_L
S 172.20.20.0 255.255.252.0 [1/0] via 172.20.62.253, AT_S8_L
S 172.20.21.224 255.255.255.224 [1/0] via 172.20.62.253, AT_S8_L
S 172.20.22.9 255.255.255.255 [1/0] via 172.20.62.253, AT_S8_L
S 172.20.22.10 255.255.255.255 [1/0] via 172.20.62.253, AT_S8_L
S 172.20.22.29 255.255.255.255 [1/0] via 172.20.62.253, AT_S8_L
S 172.20.22.30 255.255.255.255 [1/0] via 172.20.62.253, AT_S8_L
S 172.20.22.82 255.255.255.255 [1/0] via 172.20.62.253, AT_S8_L
S 172.20.22.110 255.255.255.255 [1/0] via 172.20.62.253, AT_S8_L
S 172.20.24.0 255.255.255.0 [1/0] via 172.20.62.253, AT_S8_L
S 172.20.25.0 255.255.255.0 [1/0] via 172.20.62.253, AT_S8_L
S 172.20.28.0 255.255.255.0 [1/0] via 172.20.62.253, AT_S8_L
S 172.20.29.219 255.255.255.255 [1/0] via 172.20.62.253, AT_S8_L
S 172.20.29.229 255.255.255.255 [1/0] via 172.20.62.253, AT_S8_L
S 172.20.32.221 255.255.255.255 [1/0] via 172.20.62.253, AT_S8_L
S 172.20.34.1 255.255.255.255 [1/0] via 172.20.62.253, AT_S8_L
S 172.20.34.3 255.255.255.255 [1/0] via 172.20.62.253, AT_S8_L
S 172.20.41.108 255.255.255.255 [1/0] via 172.20.62.253, AT_S8_L
S 172.20.41.109 255.255.255.255 [1/0] via 172.20.62.253, AT_S8_L
S 172.20.41.110 255.255.255.255 [1/0] via 172.20.62.253, AT_S8_L
S 172.20.42.110 255.255.255.255 [1/0] via 172.20.62.253, AT_S8_L
S 172.20.42.111 255.255.255.255 [1/0] via 172.20.62.253, AT_S8_L
S 172.20.42.112 255.255.255.255 [1/0] via 172.20.62.253, AT_S8_L
S 172.20.43.0 255.255.255.0 [1/0] via 172.20.62.253, AT_S8_L
S 172.20.45.151 255.255.255.255 [1/0] via 172.20.62.253, AT_S8_L
S 172.20.45.152 255.255.255.255 [1/0] via 172.20.62.253, AT_S8_L
S 172.20.45.155 255.255.255.255 [1/0] via 172.20.62.253, AT_S8_L
S 172.20.47.153 255.255.255.255 [1/0] via 172.20.62.253, AT_S8_L
S 172.20.49.0 255.255.255.0 [1/0] via 172.20.62.253, AT_S8_L
S 172.20.53.0 255.255.255.0 [1/0] via 172.20.62.253, AT_S8_L
S 172.20.62.0 255.255.255.0 [1/0] via 172.20.62.253, AT_S8_L
C 172.20.62.248 255.255.255.248 is directly connected, AT_S8_L
L 172.20.62.254 255.255.255.255 is directly connected, AT_S8_L
S 172.20.65.0 255.255.255.0 [1/0] via 172.20.62.253, AT_S8_L
S 172.20.73.12 255.255.255.255 [1/0] via 172.20.62.253, AT_S8_L
S 172.20.73.13 255.255.255.255 [1/0] via 172.20.62.253, AT_S8_L
S 172.21.1.138 255.255.255.255 [1/0] via 172.20.62.253, AT_S8_L
S 172.21.5.140 255.255.255.255 [1/0] via 172.20.62.253, AT_S8_L
S 172.21.21.18 255.255.255.255 [1/0] via 172.20.62.253, AT_S8_L
S 172.21.21.89 255.255.255.255 [1/0] via 172.20.62.253, AT_S8_L
S 172.21.21.124 255.255.255.255 [1/0] via 172.20.62.253, AT_S8_L
S 172.21.21.131 255.255.255.255 [1/0] via 172.20.62.253, AT_S8_L
S 172.21.21.134 255.255.255.255 [1/0] via 172.20.62.253, AT_S8_L
S 172.21.21.135 255.255.255.255 [1/0] via 172.20.62.253, AT_S8_L
S 172.21.21.146 255.255.255.255 [1/0] via 172.20.62.253, AT_S8_L
S 172.21.24.186 255.255.255.255 [1/0] via 172.20.62.253, AT_S8_L
S 172.21.24.189 255.255.255.255 [1/0] via 172.20.62.253, AT_S8_L
S 172.21.28.0 255.255.255.0 [1/0] via 172.20.62.253, AT_S8_L
S 172.21.28.77 255.255.255.255 [1/0] via 172.20.62.253, AT_S8_L
S 172.21.32.82 255.255.255.255 [1/0] via 172.20.62.253, AT_S8_L
S 172.21.32.89 255.255.255.255 [1/0] via 172.20.62.253, AT_S8_L
S 172.22.20.0 255.255.252.0 [1/0] via 172.20.62.253, AT_S8_L
S 172.22.32.0 255.255.255.0 [1/0] via 172.20.62.253, AT_S8_L
S 172.22.33.138 255.255.255.255 [1/0] via 172.20.62.253, AT_S8_L
S 172.23.20.101 255.255.255.255 [1/0] via 172.20.62.253, AT_S8_L
S 172.23.20.104 255.255.255.255 [1/0] via 172.20.62.253, AT_S8_L
S 172.23.45.51 255.255.255.255 [1/0] via 172.20.62.253, AT_S8_L
S 172.23.45.52 255.255.255.255 [1/0] via 172.20.62.253, AT_S8_L
S 172.23.45.120 255.255.255.255 [1/0] via 172.20.62.253, AT_S8_L
S 172.23.45.121 255.255.255.255 [1/0] via 172.20.62.253, AT_S8_L
S 172.23.45.122 255.255.255.255 [1/0] via 172.20.62.253, AT_S8_L

Result of the command: "show run nat"

nat (jiotrial,outside) source dynamic DM_INLINE_NETWORK_20 interface
nat (AT_S8,AT_S8) source static any any destination static NETWORK_OBJ_20.20.20.230_31 NETWORK_OBJ_20.20.20.230_31 no-proxy-arp route-lookup inactive
nat (AT_S8,outside) source static any any destination static NETWORK_OBJ_20.20.20.246_31 NETWORK_OBJ_20.20.20.246_31 no-proxy-arp route-lookup inactive
nat (AT_S8,outside) source static any any destination static NETWORK_OBJ_20.20.20.248_29 NETWORK_OBJ_20.20.20.248_29 no-proxy-arp route-lookup inactive
nat (AT_S8,outside) source static any any destination static NETWORK_OBJ_20.20.20.240_28 NETWORK_OBJ_20.20.20.240_28 no-proxy-arp route-lookup inactive
nat (any,outside) source dynamic any interface  // if this rule does not exist, ping from server to UE also fails.
nat (outside,AWS) source dynamic any interface // so I think this is the main point to resolve the UE to server ping failure.
!
nat (any,outside) after-auto source dynamic DM_INLINE_NETWORK_3 interface
nat (AWS,outside) after-auto source static 192.168.2.0 192.168.2.0 destination static NETWORK_OBJ_192.168.2.40_29 NETWORK_OBJ_192.168.2.40_29 no-proxy-arp route-lookup
nat (AWS,outside) after-auto source static NETWORK_OBJ_20.20.20.50 NETWORK_OBJ_20.20.20.50 destination static NETWORK_OBJ_20.20.20.246_31 NETWORK_OBJ_20.20.20.246_31 no-proxy-arp inactive
nat (inside,outside) after-auto source static any any destination static NETWORK_OBJ_20.20.20.0_25 NETWORK_OBJ_20.20.20.0_25 no-proxy-arp route-lookup
nat (jiotrial,outside) after-auto source static 165.213.198.0 165.213.198.0 destination static NETWORK_OBJ_165.213.0.0_24 NETWORK_OBJ_165.213.0.0_24 no-proxy-arp route-lookup
nat (AT_S8,outside) after-auto source static any any destination static NETWORK_OBJ_20.20.20.0_26 NETWORK_OBJ_20.20.20.0_26 no-proxy-arp route-lookup
nat (AT_S8,outside) after-auto source static any any destination static NETWORK_OBJ_172.20.62.224_29 NETWORK_OBJ_172.20.62.224_29 no-proxy-arp route-lookup
nat (AT_S8,outside) after-auto source static any any destination static NETWORK_OBJ_172.20.62.232_29 NETWORK_OBJ_172.20.62.232_29 no-proxy-arp route-lookup
nat (AT_S8,outside) after-auto source static any any destination static NETWORK_OBJ_20.20.20.160_27 NETWORK_OBJ_20.20.20.160_27 no-proxy-arp route-lookup
nat (AT_S8,outside) after-auto source static any any destination static NETWORK_OBJ_20.20.20.128_25 NETWORK_OBJ_20.20.20.128_25 no-proxy-arp route-lookup
nat (AT_S8,outside) after-auto source static any any destination static NETWORK_OBJ_172.20.38.4_30 NETWORK_OBJ_172.20.38.4_30 no-proxy-arp route-lookup
nat (AT_S8,outside) after-auto source static any any destination static NETWORK_OBJ_20.20.21.0_25 NETWORK_OBJ_20.20.21.0_25 no-proxy-arp route-lookup
nat (AT_S8,outside) after-auto source static any any destination static NETWORK_OBJ_172.20.38.32_28 NETWORK_OBJ_172.20.38.32_28 no-proxy-arp route-lookup
nat (AT_S8,outside) after-auto source static any any destination static NETWORK_OBJ_172.20.38.48_28 NETWORK_OBJ_172.20.38.48_28 no-proxy-arp route-lookup
nat (AT_S8,outside) after-auto source static any any destination static NETWORK_OBJ_20.20.20.220_30 NETWORK_OBJ_20.20.20.220_30 no-proxy-arp route-lookup
nat (AT_S8,outside) after-auto source static any any destination static NETWORK_OBJ_172.20.38.64_29 NETWORK_OBJ_172.20.38.64_29 no-proxy-arp route-lookup
nat (AT_S8,outside) after-auto source static any any destination static NETWORK_OBJ_20.20.20.230_31 NETWORK_OBJ_20.20.20.230_31 no-proxy-arp route-lookup
nat (AT_S8,outside) after-auto source static any any destination static NETWORK_OBJ_20.20.22.0_29 NETWORK_OBJ_20.20.22.0_29 no-proxy-arp route-lookup
nat (AT_S8,outside) after-auto source static any any destination static NETWORK_OBJ_20.20.22.0_28 NETWORK_OBJ_20.20.22.0_28 no-proxy-arp route-lookup
nat (AT_S8,outside) after-auto source static any any destination static NETWORK_OBJ_172.20.38.80_28 NETWORK_OBJ_172.20.38.80_28 no-proxy-arp route-lookup
nat (AT_S8,outside) after-auto source static any any destination static NETWORK_OBJ_20.20.20.224_27 NETWORK_OBJ_20.20.20.224_27 no-proxy-arp route-lookup
nat (AT_S8,outside) after-auto source static any any destination static NETWORK_OBJ_172.20.38.96_27 NETWORK_OBJ_172.20.38.96_27 no-proxy-arp route-lookup
nat (AT_S8,outside) after-auto source static any any destination static NETWORK_OBJ_172.20.62.240_29 NETWORK_OBJ_172.20.62.240_29 no-proxy-arp route-lookup
nat (AT_S8,outside) after-auto source static any any destination static NETWORK_OBJ_165.213.107.0_24 NETWORK_OBJ_165.213.107.0_24 no-proxy-arp route-lookup

Result of the command: "show run all sysopt"

no sysopt traffic detailed-statistics
no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
sysopt connection permit-vpn
sysopt connection reclassify-vpn
no sysopt connection preserve-vpn-flows
no sysopt radius ignore-secret
no sysopt noproxyarp outside
no sysopt noproxyarp AWS
no sysopt noproxyarp jiotrial
no sysopt noproxyarp CIOT
no sysopt noproxyarp ipv6test
no sysopt noproxyarp inside2
no sysopt noproxyarp AT_S8_L
no sysopt noproxyarp DEMO
no sysopt noproxyarp management
no sysopt noproxyarp inside9
no sysopt noproxyarp inside

 

 

Result of the command: "show nat"

Manual NAT Policies (Section 1)
1 (jiotrial) to (outside) source dynamic DM_INLINE_NETWORK_20 interface
translate_hits = 4022, untranslate_hits = 1
2 (AT_S8) to (AT_S8) source static any any destination static NETWORK_OBJ_20.20.20.230_31 NETWORK_OBJ_20.20.20.230_31 no-proxy-arp route-lookup inactive
translate_hits = 0, untranslate_hits = 0
3 (AT_S8) to (outside) source static any any destination static NETWORK_OBJ_20.20.20.246_31 NETWORK_OBJ_20.20.20.246_31 no-proxy-arp route-lookup inactive
translate_hits = 0, untranslate_hits = 0
4 (AT_S8) to (outside) source static any any destination static NETWORK_OBJ_20.20.20.248_29 NETWORK_OBJ_20.20.20.248_29 no-proxy-arp route-lookup inactive
translate_hits = 0, untranslate_hits = 0
5 (AT_S8) to (outside) source static any any destination static NETWORK_OBJ_20.20.20.240_28 NETWORK_OBJ_20.20.20.240_28 no-proxy-arp route-lookup inactive
translate_hits = 0, untranslate_hits = 0
6 (any) to (outside) source dynamic any interface   // When I tried to ping from Server to UE, this count increased
translate_hits = 36969, untranslate_hits = 54
7 (outside) to (AWS) source dynamic any interface     // When I tried to ping from UE to server, this count increased
translate_hits = 16, untranslate_hits = 0

Manual NAT Policies (Section 3)
1 (any) to (outside) source dynamic DM_INLINE_NETWORK_3 interface
translate_hits = 0, untranslate_hits = 0
2 (AWS) to (outside) source static 192.168.2.0 192.168.2.0 destination static NETWORK_OBJ_192.168.2.40_29 NETWORK_OBJ_192.168.2.40_29 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
3 (AWS) to (outside) source static NETWORK_OBJ_20.20.20.50 NETWORK_OBJ_20.20.20.50 destination static NETWORK_OBJ_20.20.20.246_31 NETWORK_OBJ_20.20.20.246_31 no-proxy-arp inactive
translate_hits = 0, untranslate_hits = 0
4 (inside) to (outside) source static any any destination static NETWORK_OBJ_20.20.20.0_25 NETWORK_OBJ_20.20.20.0_25 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
5 (jiotrial) to (outside) source static 165.213.198.0 165.213.198.0 destination static NETWORK_OBJ_165.213.0.0_24 NETWORK_OBJ_165.213.0.0_24 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
6 (AT_S8) to (outside) source static any any destination static NETWORK_OBJ_20.20.20.0_26 NETWORK_OBJ_20.20.20.0_26 no-proxy-arp route-lookup
translate_hits = 472, untranslate_hits = 0
7 (AT_S8) to (outside) source static any any destination static NETWORK_OBJ_172.20.62.224_29 NETWORK_OBJ_172.20.62.224_29 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
8 (AT_S8) to (outside) source static any any destination static NETWORK_OBJ_172.20.62.232_29 NETWORK_OBJ_172.20.62.232_29 no-proxy-arp route-lookup
translate_hits = 14, untranslate_hits = 84
9 (AT_S8) to (outside) source static any any destination static NETWORK_OBJ_20.20.20.160_27 NETWORK_OBJ_20.20.20.160_27 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
10 (AT_S8) to (outside) source static any any destination static NETWORK_OBJ_20.20.20.128_25 NETWORK_OBJ_20.20.20.128_25 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
11 (AT_S8) to (outside) source static any any destination static NETWORK_OBJ_172.20.38.4_30 NETWORK_OBJ_172.20.38.4_30 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
12 (AT_S8) to (outside) source static any any destination static NETWORK_OBJ_20.20.21.0_25 NETWORK_OBJ_20.20.21.0_25 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
13 (AT_S8) to (outside) source static any any destination static NETWORK_OBJ_172.20.38.32_28 NETWORK_OBJ_172.20.38.32_28 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
14 (AT_S8) to (outside) source static any any destination static NETWORK_OBJ_172.20.38.48_28 NETWORK_OBJ_172.20.38.48_28 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
15 (AT_S8) to (outside) source static any any destination static NETWORK_OBJ_20.20.20.220_30 NETWORK_OBJ_20.20.20.220_30 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
16 (AT_S8) to (outside) source static any any destination static NETWORK_OBJ_172.20.38.64_29 NETWORK_OBJ_172.20.38.64_29 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
17 (AT_S8) to (outside) source static any any destination static NETWORK_OBJ_20.20.20.230_31 NETWORK_OBJ_20.20.20.230_31 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
18 (AT_S8) to (outside) source static any any destination static NETWORK_OBJ_20.20.22.0_29 NETWORK_OBJ_20.20.22.0_29 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
19 (AT_S8) to (outside) source static any any destination static NETWORK_OBJ_20.20.22.0_28 NETWORK_OBJ_20.20.22.0_28 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
20 (AT_S8) to (outside) source static any any destination static NETWORK_OBJ_172.20.38.80_28 NETWORK_OBJ_172.20.38.80_28 no-proxy-arp route-lookup
translate_hits = 91, untranslate_hits = 102
21 (AT_S8) to (outside) source static any any destination static NETWORK_OBJ_20.20.20.224_27 NETWORK_OBJ_20.20.20.224_27 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
22 (AT_S8) to (outside) source static any any destination static NETWORK_OBJ_172.20.38.96_27 NETWORK_OBJ_172.20.38.96_27 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
23 (AT_S8) to (outside) source static any any destination static NETWORK_OBJ_172.20.62.240_29 NETWORK_OBJ_172.20.62.240_29 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
24 (AT_S8) to (outside) source static any any destination static NETWORK_OBJ_165.213.107.0_24 NETWORK_OBJ_165.213.107.0_24 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0

 

S 20.20.20.54 255.255.255.255 [1/0] via 121.137.98.1, outside
S 20.20.20.55 255.255.255.255 [1/0] via 121.137.98.1, outside
S 20.20.20.246 255.255.255.255 [1/0] via 121.137.98.1, outside
S 20.20.20.248 255.255.255.255 [1/0] via 121.137.98.1, outside

I think this is the cause why 20.20.20.246 cannot ping 20.20.20.50... I think it should go via AWS or 20.20.20.x/24, because 121.137.98.1 is a public IP range. My VPN's public IP is 121.137.98.X..
However, I didn't add this route anywhere. When I checked Configuration > Device Setup > Routing > Static Routes, there is no route for 20.20.20.x. How can I handle this routing in ASDM? T_T

Oops.. When I connect to the VPN, this route is added automatically, and when I disconnect the VPN from my UE, this route is deleted automatically...
So I tried to add the route before connecting to the VPN. I added 20.20.20.247 255.255.255.255 to AWS as follows, but the 20.20.20.247 -> 20.20.20.50 ping also failed after I connected the VPN again..

Result of the command: "show route AWS"
Gateway of last resort is 121.137.98.1 to network 0.0.0.0
L 20.20.20.1 255.255.255.255 is directly connected, AWS
S 20.20.20.247 255.255.255.255 [1/0] via 20.20.20.50, AWS


Result of the command: "show route outside"
Gateway of last resort is 121.137.98.1 to network 0.0.0.0

S* 0.0.0.0 0.0.0.0 [1/0] via 121.137.98.1, outside
S 20.20.20.54 255.255.255.255 [1/0] via 121.137.98.1, outside // other UE connected
S 20.20.20.55 255.255.255.255 [1/0] via 121.137.98.1, outside // other UE connected
S 20.20.20.246 255.255.255.255 [1/0] via 121.137.98.1, outside // other UE connected
S 20.20.20.248 255.255.255.255 [1/0] via 121.137.98.1, outside // other UE connected
C 121.137.98.0 255.255.255.0 is directly connected, outside
L 121.137.98.146 255.255.255.255 is directly connected, outside
S 172.20.38.83 255.255.255.255 [1/0] via 121.137.98.1, outside

Hi,

 

When user connected, there will be a /32 route install automatically. This is expected behavior.

 

I have noted that your NAT exception for UE & AWS was hidden by the PAT statement.

 

Therefore, the NAT exception will not be executed, and the traffic was actually routed to the Internet rather than into the VPN tunnel.

 

As you have changed your configuration, I will use the original 'show run nat' result (based on my email record) to illustrate the problem.

 

tmp2.png

Look at the line 19 (which is your NAT exception), and line 14 (which is your NAT overload / PAT).
The NAT overload (line 14) is on top of the NAT exception (line 19), line 19 will never be executed.

 

If you have a configuration backup, you could check where the NAT overload (line 14) was.

After fixing the NAT order, you should be able to ping.

 

With reference to the given configuration in the first post, you can see the difference:

 

tmp2.png

 

Do you have a configuration backup?
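To make the ordering point above concrete, here is an added example (my own, not code from the thread or from Cisco) that models the ASA's top-down first-match evaluation of manual NAT rules. It uses the interface names and addresses from the thread; the matching logic is a deliberate simplification of ASA twice NAT (static rules are matched in both directions, dynamic PAT only forward), so treat it as an illustration, not a reference implementation.

```python
"""Added example (not from the thread): a small model of how the ASA picks the
first matching manual NAT rule, constructed to show the shadowing problem
described above. Interface names and addresses are the ones in the thread;
the matching logic is a deliberate simplification of ASA twice NAT, not Cisco code.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


def _in(net: str, ip: str) -> bool:
    """'any' matches everything; otherwise a CIDR/host containment test."""
    return net == "any" or ip_address(ip) in ip_network(net, strict=False)


@dataclass
class NatRule:
    line: str              # the config line, kept for readable results
    real_if: str           # first interface of nat (real_if,mapped_if); 'any' allowed
    mapped_if: str
    real_src: str          # real-side source the rule matches ('any' or CIDR)
    real_dst: str          # real-side destination ('any' or CIDR)
    dynamic: bool = False  # True for 'source dynamic ... interface' (PAT overload)
    translate_hits: int = 0
    untranslate_hits: int = 0

    def forward(self, ingress: str, src: str, dst: str) -> bool:
        """real -> mapped direction; the ASA counts this as translate_hits."""
        return (self.real_if in ("any", ingress)
                and _in(self.real_src, src) and _in(self.real_dst, dst))

    def reverse(self, ingress: str, src: str, dst: str) -> bool:
        """mapped -> real direction (an inbound flow or a reply): untranslate_hits.
        Static (identity) rules are bidirectional; dynamic PAT is not."""
        return (not self.dynamic and ingress == self.mapped_if
                and _in(self.real_dst, src) and _in(self.real_src, dst))


def lookup(rules, ingress, src, dst):
    """Top-down first match in the order 'show nat' lists the rules.
    Returns (rule, what happens to the packet, egress interface)."""
    for r in rules:
        if r.forward(ingress, src, dst):
            r.translate_hits += 1
            action = f"PAT to {r.mapped_if} interface IP" if r.dynamic else "identity"
            return r, action, r.mapped_if
        if r.reverse(ingress, src, dst):
            r.untranslate_hits += 1
            return r, "identity", r.real_if
    return None, "no manual NAT match", None


# The two rules the reply is talking about (network objects expanded to prefixes).
EXEMPTION = ("nat (AWS,outside) source static NETWORK_OBJ_20.20.20.50 NETWORK_OBJ_20.20.20.50 "
             "destination static NETWORK_OBJ_20.20.20.240_28 NETWORK_OBJ_20.20.20.240_28")
PAT = "nat (any,outside) source dynamic any interface"


def build_rules(pat_first: bool):
    """Same two rules, in the broken order (PAT on top) or the fixed order."""
    exemption = NatRule(EXEMPTION, "AWS", "outside", "20.20.20.50/32", "20.20.20.240/28")
    pat = NatRule(PAT, "any", "outside", "any", "any", dynamic=True)
    return [pat, exemption] if pat_first else [exemption, pat]


def ue_to_server(pat_first: bool):
    """UE 20.20.20.246 (arriving on 'outside' from the VPN) pings 20.20.20.50 on AWS.
    Returns (action, egress interface, untranslate_hits on the exemption)."""
    rules = build_rules(pat_first)
    exemption = next(r for r in rules if not r.dynamic)
    _, action, egress = lookup(rules, "outside", "20.20.20.246", "20.20.20.50")
    return action, egress, exemption.untranslate_hits


if __name__ == "__main__":
    print("PAT above exemption :", ue_to_server(pat_first=True))
    print("exemption above PAT :", ue_to_server(pat_first=False))
```

With the PAT on top, the UE's packet is translated to the outside interface address and sent back out of outside (the exemption counter stays at 0, exactly what a shadowed rule looks like in 'show nat'); with the exemption on top, the same packet takes the identity rule's untranslate direction and egresses AWS. Watching the translate_hits / untranslate_hits counters on the real ASA is the quickest way to see which of the two is happening.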

 

I really appreciate your kindness!!! But could I ask more? ^^

I modified the NAT rule as you said, because I don't have a configuration backup..
The NAT exception is now on top, as follows, but I still cannot ping the server (20.20.20.50) from the UE (20.20.20.246).
Could you check it again? (Actually I am really sorry to bother you... I am a super beginner with VPN... lol )

Result of the command: "show run nat"

nat (AWS,outside) source static NETWORK_OBJ_20.20.20.50 NETWORK_OBJ_20.20.20.50 destination static NETWORK_OBJ_20.20.20.240_28 NETWORK_OBJ_20.20.20.240_28 no-proxy-arp
nat (jiotrial,outside) source dynamic DM_INLINE_NETWORK_20 interface
nat (AT_S8_L,AT_S8_L) source static any any destination static NETWORK_OBJ_20.20.20.230_31 NETWORK_OBJ_20.20.20.230_31 no-proxy-arp route-lookup inactive
nat (AT_S8_L,outside) source static any any destination static NETWORK_OBJ_20.20.20.246_31 NETWORK_OBJ_20.20.20.246_31 no-proxy-arp route-lookup inactive
nat (AT_S8_L,outside) source static any any destination static NETWORK_OBJ_20.20.20.248_29 NETWORK_OBJ_20.20.20.248_29 no-proxy-arp route-lookup inactive
nat (AT_S8_L,outside) source static any any destination static NETWORK_OBJ_20.20.20.240_28 NETWORK_OBJ_20.20.20.240_28 no-proxy-arp route-lookup inactive
!
nat (any,outside) after-auto source dynamic any interface description SBC -> UE (20.20.20.X/24)
nat (AWS,outside) after-auto source static 192.168.2.0 192.168.2.0 destination static NETWORK_OBJ_192.168.2.40_29 NETWORK_OBJ_192.168.2.40_29 no-proxy-arp route-lookup inactive
nat (any,outside) after-auto source dynamic DM_INLINE_NETWORK_3 interface inactive
nat (inside,outside) after-auto source static any any destination static NETWORK_OBJ_20.20.20.0_25 NETWORK_OBJ_20.20.20.0_25 no-proxy-arp route-lookup
nat (jiotrial,outside) after-auto source static 165.213.198.0 165.213.198.0 destination static NETWORK_OBJ_165.213.0.0_24 NETWORK_OBJ_165.213.0.0_24 no-proxy-arp route-lookup
nat (AT_S8_L,outside) after-auto source static any any destination static NETWORK_OBJ_20.20.20.0_26 NETWORK_OBJ_20.20.20.0_26 no-proxy-arp route-lookup
nat (AT_S8_L,outside) after-auto source static any any destination static NETWORK_OBJ_172.20.62.224_29 NETWORK_OBJ_172.20.62.224_29 no-proxy-arp route-lookup
nat (AT_S8_L,outside) after-auto source static any any destination static NETWORK_OBJ_172.20.62.232_29 NETWORK_OBJ_172.20.62.232_29 no-proxy-arp route-lookup
nat (AT_S8_L,outside) after-auto source static any any destination static NETWORK_OBJ_20.20.20.160_27 NETWORK_OBJ_20.20.20.160_27 no-proxy-arp route-lookup
nat (AT_S8_L,outside) after-auto source static any any destination static NETWORK_OBJ_20.20.20.128_25 NETWORK_OBJ_20.20.20.128_25 no-proxy-arp route-lookup
nat (AT_S8_L,outside) after-auto source static any any destination static NETWORK_OBJ_172.20.38.4_30 NETWORK_OBJ_172.20.38.4_30 no-proxy-arp route-lookup
nat (AT_S8_L,outside) after-auto source static any any destination static NETWORK_OBJ_20.20.21.0_25 NETWORK_OBJ_20.20.21.0_25 no-proxy-arp route-lookup
nat (AT_S8_L,outside) after-auto source static any any destination static NETWORK_OBJ_172.20.38.32_28 NETWORK_OBJ_172.20.38.32_28 no-proxy-arp route-lookup
nat (AT_S8_L,outside) after-auto source static any any destination static NETWORK_OBJ_172.20.38.48_28 NETWORK_OBJ_172.20.38.48_28 no-proxy-arp route-lookup
nat (AT_S8_L,outside) after-auto source static any any destination static NETWORK_OBJ_20.20.20.220_30 NETWORK_OBJ_20.20.20.220_30 no-proxy-arp route-lookup
nat (AT_S8_L,outside) after-auto source static any any destination static NETWORK_OBJ_172.20.38.64_29 NETWORK_OBJ_172.20.38.64_29 no-proxy-arp route-lookup
nat (AT_S8_L,outside) after-auto source static any any destination static NETWORK_OBJ_20.20.20.230_31 NETWORK_OBJ_20.20.20.230_31 no-proxy-arp route-lookup
nat (AT_S8_L,outside) after-auto source static any any destination static NETWORK_OBJ_20.20.22.0_29 NETWORK_OBJ_20.20.22.0_29 no-proxy-arp route-lookup
nat (AT_S8_L,outside) after-auto source static any any destination static NETWORK_OBJ_20.20.22.0_28 NETWORK_OBJ_20.20.22.0_28 no-proxy-arp route-lookup
nat (AT_S8_L,outside) after-auto source static any any destination static NETWORK_OBJ_172.20.38.80_28 NETWORK_OBJ_172.20.38.80_28 no-proxy-arp route-lookup
nat (AT_S8_L,outside) after-auto source static any any destination static NETWORK_OBJ_20.20.20.224_27 NETWORK_OBJ_20.20.20.224_27 no-proxy-arp route-lookup
nat (AT_S8_L,outside) after-auto source static any any destination static NETWORK_OBJ_172.20.38.96_27 NETWORK_OBJ_172.20.38.96_27 no-proxy-arp route-lookup
nat (AT_S8_L,outside) after-auto source static any any destination static NETWORK_OBJ_172.20.62.240_29 NETWORK_OBJ_172.20.62.240_29 no-proxy-arp route-lookup
nat (AT_S8_L,outside) after-auto source static any any destination static NETWORK_OBJ_165.213.107.0_24 NETWORK_OBJ_165.213.107.0_24 no-proxy-arp route-lookup



Result of the command: "show nat"

Manual NAT Policies (Section 1)
1 (AWS) to (outside) source static NETWORK_OBJ_20.20.20.50 NETWORK_OBJ_20.20.20.50 destination static NETWORK_OBJ_20.20.20.240_28 NETWORK_OBJ_20.20.20.240_28 no-proxy-arp
translate_hits = 3, untranslate_hits = 3
2 (jiotrial) to (outside) source dynamic DM_INLINE_NETWORK_20 interface
translate_hits = 5671, untranslate_hits = 1
3 (AT_S8_L) to (AT_S8_L) source static any any destination static NETWORK_OBJ_20.20.20.230_31 NETWORK_OBJ_20.20.20.230_31 no-proxy-arp route-lookup inactive
translate_hits = 0, untranslate_hits = 0
4 (AT_S8_L) to (outside) source static any any destination static NETWORK_OBJ_20.20.20.246_31 NETWORK_OBJ_20.20.20.246_31 no-proxy-arp route-lookup inactive
translate_hits = 0, untranslate_hits = 0
5 (AT_S8_L) to (outside) source static any any destination static NETWORK_OBJ_20.20.20.248_29 NETWORK_OBJ_20.20.20.248_29 no-proxy-arp route-lookup inactive
translate_hits = 0, untranslate_hits = 0
6 (AT_S8_L) to (outside) source static any any destination static NETWORK_OBJ_20.20.20.240_28 NETWORK_OBJ_20.20.20.240_28 no-proxy-arp route-lookup inactive
translate_hits = 0, untranslate_hits = 0

Manual NAT Policies (Section 3)
1 (any) to (outside) source dynamic any interface description SBC -> UE (20.20.20.X/24)
translate_hits = 505, untranslate_hits = 2
2 (AWS) to (outside) source static 192.168.2.0 192.168.2.0 destination static NETWORK_OBJ_192.168.2.40_29 NETWORK_OBJ_192.168.2.40_29 no-proxy-arp route-lookup inactive
translate_hits = 0, untranslate_hits = 0
3 (any) to (outside) source dynamic DM_INLINE_NETWORK_3 interface inactive
translate_hits = 0, untranslate_hits = 0
4 (inside) to (outside) source static any any destination static NETWORK_OBJ_20.20.20.0_25 NETWORK_OBJ_20.20.20.0_25 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
5 (jiotrial) to (outside) source static 165.213.198.0 165.213.198.0 destination static NETWORK_OBJ_165.213.0.0_24 NETWORK_OBJ_165.213.0.0_24 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
6 (AT_S8_L) to (outside) source static any any destination static NETWORK_OBJ_20.20.20.0_26 NETWORK_OBJ_20.20.20.0_26 no-proxy-arp route-lookup
translate_hits = 494, untranslate_hits = 0
7 (AT_S8_L) to (outside) source static any any destination static NETWORK_OBJ_172.20.62.224_29 NETWORK_OBJ_172.20.62.224_29 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
8 (AT_S8_L) to (outside) source static any any destination static NETWORK_OBJ_172.20.62.232_29 NETWORK_OBJ_172.20.62.232_29 no-proxy-arp route-lookup
translate_hits = 14, untranslate_hits = 84
9 (AT_S8_L) to (outside) source static any any destination static NETWORK_OBJ_20.20.20.160_27 NETWORK_OBJ_20.20.20.160_27 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
10 (AT_S8_L) to (outside) source static any any destination static NETWORK_OBJ_20.20.20.128_25 NETWORK_OBJ_20.20.20.128_25 no-proxy-arp route-lookup
translate_hits = 158, untranslate_hits = 0
11 (AT_S8_L) to (outside) source static any any destination static NETWORK_OBJ_172.20.38.4_30 NETWORK_OBJ_172.20.38.4_30 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
12 (AT_S8_L) to (outside) source static any any destination static NETWORK_OBJ_20.20.21.0_25 NETWORK_OBJ_20.20.21.0_25 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
13 (AT_S8_L) to (outside) source static any any destination static NETWORK_OBJ_172.20.38.32_28 NETWORK_OBJ_172.20.38.32_28 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
14 (AT_S8_L) to (outside) source static any any destination static NETWORK_OBJ_172.20.38.48_28 NETWORK_OBJ_172.20.38.48_28 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
15 (AT_S8_L) to (outside) source static any any destination static NETWORK_OBJ_20.20.20.220_30 NETWORK_OBJ_20.20.20.220_30 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
16 (AT_S8_L) to (outside) source static any any destination static NETWORK_OBJ_172.20.38.64_29 NETWORK_OBJ_172.20.38.64_29 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
17 (AT_S8_L) to (outside) source static any any destination static NETWORK_OBJ_20.20.20.230_31 NETWORK_OBJ_20.20.20.230_31 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
18 (AT_S8_L) to (outside) source static any any destination static NETWORK_OBJ_20.20.22.0_29 NETWORK_OBJ_20.20.22.0_29 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
19 (AT_S8_L) to (outside) source static any any destination static NETWORK_OBJ_20.20.22.0_28 NETWORK_OBJ_20.20.22.0_28 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
20 (AT_S8_L) to (outside) source static any any destination static NETWORK_OBJ_172.20.38.80_28 NETWORK_OBJ_172.20.38.80_28 no-proxy-arp route-lookup
translate_hits = 153, untranslate_hits = 102
21 (AT_S8_L) to (outside) source static any any destination static NETWORK_OBJ_20.20.20.224_27 NETWORK_OBJ_20.20.20.224_27 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
22 (AT_S8_L) to (outside) source static any any destination static NETWORK_OBJ_172.20.38.96_27 NETWORK_OBJ_172.20.38.96_27 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
23 (AT_S8_L) to (outside) source static any any destination static NETWORK_OBJ_172.20.62.240_29 NETWORK_OBJ_172.20.62.240_29 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
24 (AT_S8_L) to (outside) source static any any destination static NETWORK_OBJ_165.213.107.0_24 NETWORK_OBJ_165.213.107.0_24 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0

Hi,

I will simulate your case on lab, and post some step-by-step verification for your reference. Hope that help.



Thanks very much... how can I really appreciate you ... I will check after I get up early tomorrow... it's 1am now.. : )

With reference to your information, I have built a webvpn, and you should expect a similar result in each of the verification steps that follow.

 

1. When you have connected to the SSLVPN, you will be assigned the corresponding IP address. You will also see a 20.20.20.246/32 route automatically installed on the ASA.

 

1.jpg 

2. On the PC, you should see that traffic destined to the server (e.g. 20.20.20.0/24) is routed via the VPN (20.20.20.246).

 

0.jpg

 

3. On the ASA, you can see that you are connected.

 

2.jpg

 

4. Setup two Captures on ASA, then try to ping from PC to server.

 

ciscoasa# capture CAP_TEMP_AWS buffer 2048 interface AWS match icmp host 20.20.20.246 any
ciscoasa# capture LOG_DROP type asp-drop all match ip host 20.20.20.50 host 20.20.20.246
ciscoasa# capture LOG_DROP type asp-drop all match ip host 20.20.20.246 host 20.20.20.50

 

You see that your ICMP echo-request is sent to the server, and the server replies with an ICMP echo-reply.

3.jpg

Also check LOG_DROP. If the ASA has dropped any packet, you would see something like this:

6.jpg

7.jpg

 

Remove the captures when done.

ciscoasa# no capture CAP_TEMP_AWS
ciscoasa# no capture LOG_DROP
ciscoasa# no capture LOG_DROP

 

5. If the server has received your echo-request, you should see the ARP record on the server (20.20.20.50).

The MAC address of 20.20.20.246 is the same as that of the ASA gateway 20.20.20.1.

As you see below, 20.20.20.246 and 20.20.20.1 share the same MAC address.

If not, you have an IP address conflict issue.

8.jpg

(Here I used a router to simulate the server; you can use 'arp -a' on Windows/Linux to check the ARP table.)

 

6. If the server replied with an echo-reply, check the NAT exception counter, which should have increased (four echo-reply messages from the server).

 

4.jpg

 

 

Please let us know at which step you get stuck.

 

===

 

Attached is my configuration for your quick reference.

 

Thanks for your kind simulation.
When I checked my NAT after pinging the server from the UE, I found "untranslate_hits" on my NAT rule no. 1, as you simulated. But the ARP table is somewhat different: I can only see the 20.20.20.50 IP, even though the UE gets 20.20.20.246, as follows.

And I tried to capture the ICMP packets as you taught me. I found that the 20.20.20.247 > 20.20.20.50 ICMP echo request is dropped by a configured rule!


Result of the command: "show capture CAP_TEMP_AWS"
0 packet captured
0 packet shown


Result of the command: "show capture LOG_DROP"
3780 packets captured
916: 09:43:44.965129 20.20.20.247 > 20.20.20.50: icmp: echo request Drop-reason: (acl-drop) Flow is denied by configured rule
1600: 09:43:48.986536 20.20.20.247 > 20.20.20.50: icmp: echo request Drop-reason: (acl-drop) Flow is denied by configured rule
1784: 09:43:53.017241 20.20.20.247 > 20.20.20.50: icmp: echo request Drop-reason: (acl-drop) Flow is denied by configured rule



Result of the command: "show nat"
Manual NAT Policies (Section 1)
1 (AWS) to (outside) source static NETWORK_OBJ_20.20.20.50 NETWORK_OBJ_20.20.20.50 destination static NETWORK_OBJ_20.20.20.240_28 NETWORK_OBJ_20.20.20.240_28 no-proxy-arp
translate_hits = 9, untranslate_hits = 9
2 (jiotrial) to (outside) source dynamic DM_INLINE_NETWORK_20 interface
translate_hits = 7442, untranslate_hits = 3
3 (AT_S8_L) to (AT_S8_L) source static any any destination static NETWORK_OBJ_20.20.20.230_31 NETWORK_OBJ_20.20.20.230_31 no-proxy-arp route-lookup inactive
translate_hits = 0, untranslate_hits = 0
4 (AT_S8_L) to (outside) source static any any destination static NETWORK_OBJ_20.20.20.246_31 NETWORK_OBJ_20.20.20.246_31 no-proxy-arp route-lookup inactive
translate_hits = 0, untranslate_hits = 0
5 (AT_S8_L) to (outside) source static any any destination static NETWORK_OBJ_20.20.20.248_29 NETWORK_OBJ_20.20.20.248_29 no-proxy-arp route-lookup inactive
translate_hits = 0, untranslate_hits = 0
6 (AT_S8_L) to (outside) source static any any destination static NETWORK_OBJ_20.20.20.240_28 NETWORK_OBJ_20.20.20.240_28 no-proxy-arp route-lookup inactive
translate_hits = 0, untranslate_hits = 0

Manual NAT Policies (Section 3)
1 (any) to (outside) source dynamic any interface description SBC -> UE (20.20.20.X/24)
translate_hits = 206482, untranslate_hits = 15
2 (AWS) to (outside) source static 192.168.2.0 192.168.2.0 destination static NETWORK_OBJ_192.168.2.40_29 NETWORK_OBJ_192.168.2.40_29 no-proxy-arp route-lookup inactive
translate_hits = 0, untranslate_hits = 0
3 (any) to (outside) source dynamic DM_INLINE_NETWORK_3 interface inactive
translate_hits = 0, untranslate_hits = 0
4 (inside) to (outside) source static any any destination static NETWORK_OBJ_20.20.20.0_25 NETWORK_OBJ_20.20.20.0_25 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
5 (jiotrial) to (outside) source static 165.213.198.0 165.213.198.0 destination static NETWORK_OBJ_165.213.0.0_24 NETWORK_OBJ_165.213.0.0_24 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
6 (AT_S8_L) to (outside) source static any any destination static NETWORK_OBJ_20.20.20.0_26 NETWORK_OBJ_20.20.20.0_26 no-proxy-arp route-lookup
translate_hits = 494, untranslate_hits = 0
7 (AT_S8_L) to (outside) source static any any destination static NETWORK_OBJ_172.20.62.224_29 NETWORK_OBJ_172.20.62.224_29 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
8 (AT_S8_L) to (outside) source static any any destination static NETWORK_OBJ_172.20.62.232_29 NETWORK_OBJ_172.20.62.232_29 no-proxy-arp route-lookup
translate_hits = 14, untranslate_hits = 84
9 (AT_S8_L) to (outside) source static any any destination static NETWORK_OBJ_20.20.20.160_27 NETWORK_OBJ_20.20.20.160_27 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
10 (AT_S8_L) to (outside) source static any any destination static NETWORK_OBJ_20.20.20.128_25 NETWORK_OBJ_20.20.20.128_25 no-proxy-arp route-lookup
translate_hits = 190, untranslate_hits = 0
11 (AT_S8_L) to (outside) source static any any destination static NETWORK_OBJ_172.20.38.4_30 NETWORK_OBJ_172.20.38.4_30 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
12 (AT_S8_L) to (outside) source static any any destination static NETWORK_OBJ_20.20.21.0_25 NETWORK_OBJ_20.20.21.0_25 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
13 (AT_S8_L) to (outside) source static any any destination static NETWORK_OBJ_172.20.38.32_28 NETWORK_OBJ_172.20.38.32_28 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
14 (AT_S8_L) to (outside) source static any any destination static NETWORK_OBJ_172.20.38.48_28 NETWORK_OBJ_172.20.38.48_28 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
15 (AT_S8_L) to (outside) source static any any destination static NETWORK_OBJ_20.20.20.220_30 NETWORK_OBJ_20.20.20.220_30 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
16 (AT_S8_L) to (outside) source static any any destination static NETWORK_OBJ_172.20.38.64_29 NETWORK_OBJ_172.20.38.64_29 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
17 (AT_S8_L) to (outside) source static any any destination static NETWORK_OBJ_20.20.20.230_31 NETWORK_OBJ_20.20.20.230_31 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
18 (AT_S8_L) to (outside) source static any any destination static NETWORK_OBJ_20.20.22.0_29 NETWORK_OBJ_20.20.22.0_29 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
19 (AT_S8_L) to (outside) source static any any destination static NETWORK_OBJ_20.20.22.0_28 NETWORK_OBJ_20.20.22.0_28 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
20 (AT_S8_L) to (outside) source static any any destination static NETWORK_OBJ_172.20.38.80_28 NETWORK_OBJ_172.20.38.80_28 no-proxy-arp route-lookup
translate_hits = 154, untranslate_hits = 102
21 (AT_S8_L) to (outside) source static any any destination static NETWORK_OBJ_20.20.20.224_27 NETWORK_OBJ_20.20.20.224_27 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
22 (AT_S8_L) to (outside) source static any any destination static NETWORK_OBJ_172.20.38.96_27 NETWORK_OBJ_172.20.38.96_27 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
23 (AT_S8_L) to (outside) source static any any destination static NETWORK_OBJ_172.20.62.240_29 NETWORK_OBJ_172.20.62.240_29 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
24 (AT_S8_L) to (outside) source static any any destination static NETWORK_OBJ_165.213.107.0_24 NETWORK_OBJ_165.213.107.0_24 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0


Result of the command: "show arp"
outside 121.137.98.1 00d0.cb79.32a9 0
AWS 20.20.20.50 90e2.bad3.f628 2174
jiotrial 165.213.198.1 0003.2e24.03c0 0
jiotrial 165.213.198.100 0003.2e24.03c0 1
jiotrial 165.213.198.3 0003.2e24.03c0 1
jiotrial 165.213.198.150 b4de.3101.4c6b 2
jiotrial 165.213.198.184 fa16.3e49.2fc4 5
jiotrial 165.213.198.114 fa16.3e5d.8084 12
jiotrial 165.213.198.118 fa16.3ebf.5cf3 33
jiotrial 165.213.198.66 0004.969c.6ee4 62
jiotrial 165.213.198.45 8836.6c42.bb71 5714
AT_S8_L 172.20.62.251 fa16.3e91.a118 20
AT_S8_L 172.20.62.253 0000.5e00.0101 274
DEMO 50.50.50.3 9883.8934.e3ab 29



Result of the command: "show arp ?"

exec mode commands/options:
statistics Show ARP statistics
vtep-mapping Show ARP entries with VTEP IPs
| Output modifiers
<cr>

Hope we get closer to the root cause.
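The LOG_DROP output above is the kind of evidence worth reducing to a summary before chasing the ACL: which flows, which protocol, which drop reason. As an added example (my own, not code from the thread or from Cisco), the script below parses 'show capture' lines from an asp-drop capture and counts drops per flow and reason. The three acl-drop lines are the ones pasted above; the fourth line is constructed to show a second reason. The regex is an assumption about the line format shown in the thread (ICMP-style lines with a "proto:" field), not a Cisco-published grammar, and lines it cannot parse are skipped.

```python
"""Added example (not from the thread): parse 'show capture <name>' output from an
asp-drop capture and summarise which flows were dropped and why. The three
acl-drop lines are the ones pasted in the thread; the fourth line is constructed
to show a second drop reason. The regex is an assumption about the line format
shown in the thread, not a Cisco-published grammar.
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample: three lines from the thread plus one invented 'no-route' line.
SAMPLE = """\
3780 packets captured
916: 09:43:44.965129 20.20.20.247 > 20.20.20.50: icmp: echo request Drop-reason: (acl-drop) Flow is denied by configured rule
1600: 09:43:48.986536 20.20.20.247 > 20.20.20.50: icmp: echo request Drop-reason: (acl-drop) Flow is denied by configured rule
1784: 09:43:53.017241 20.20.20.247 > 20.20.20.50: icmp: echo request Drop-reason: (acl-drop) Flow is denied by configured rule
2001: 09:43:57.000000 20.20.20.247 > 20.20.20.50: icmp: echo request Drop-reason: (no-route) No route to host
"""

# seq: time src > dst: proto: detail Drop-reason: (code) description
DROP_RE = re.compile(
    r"^(?P<seq>\d+):\s+(?P<time>\S+)\s+(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+"
    r"(?P<proto>\w+):\s*(?P<detail>.*?)\s*Drop-reason:\s*\((?P<reason>[^)]+)\)\s*(?P<desc>.*)$"
)


def parse_drops(text: str):
    """Return one dict per dropped packet; header lines and unparsable lines are skipped."""
    drops = []
    for line in text.splitlines():
        m = DROP_RE.match(line.strip())
        if m:
            drops.append(m.groupdict())
    return drops


def summarize_drops(text: str) -> Counter:
    """Count drops per (src, dst, proto, reason) so repeated pings collapse to one row."""
    return Counter((d["src"], d["dst"], d["proto"], d["reason"]) for d in parse_drops(text))


def pool_to_server_drops(text: str, pool_cidr: str, server_ip: str) -> int:
    """How many dropped packets were VPN-pool -> server, the flow this thread is about."""
    pool = ip_network(pool_cidr)
    return sum(1 for d in parse_drops(text)
               if ip_address(d["src"]) in pool and d["dst"] == server_ip)


if __name__ == "__main__":
    for (src, dst, proto, reason), n in summarize_drops(SAMPLE).most_common():
        print(f"{n:5d}  {src} -> {dst}  {proto}  {reason}")
    print("pool -> server drops:", pool_to_server_drops(SAMPLE, "20.20.20.240/28", "20.20.20.50"))
```

An acl-drop on a flow that the NAT exemption already matches (the untranslate_hits counter went up) points at the access policy on the AWS or outside interface, or at the sysopt / vpn-filter settings for the tunnel group, rather than at NAT; a no-route reason would instead send you back to the routing table shown earlier in the thread.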

 

For the "show arp" capture, I meant checking the ARP record on your server 20.20.20.50, not on the ASA.

 

And the ASA has somehow dropped the ICMP traffic; could you check a few more things:

 

1.jpg

Check the policy-map global_policy

2.jpg

Check the IPSEC status for the UE client

3.jpg

 

When you try to ping the server from the UE, the decrypted packet counter should increase:

 

4.jpg

 

 

Tbh, with reference to your configuration, I still haven't figured out why the packet would get dropped.
