04-16-2011 06:59 AM - edited 03-11-2019 01:21 PM
I think the problems are related to NAT and how it is implemented in 8.4. Any help THANKS!!
1) vpn client connects, but can't access the network
2) I need to allow pcanywhere traffic to go through the ASA to host 192.168.200.99. The remote host is a DHCP client.
Here is my config:
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2011.04.16 09:33:06 =~=~=~=~=~=~=~=~=~=~=~=
: Saved
:
ASA Version 8.4(1)
!
hostname kasa
domain-name k.intra
enable password 123 encrypted
passwd 123 encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.200.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa841-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name k.intra
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network MNKA
host 192.168.200.99
object network RDP_static
host 192.168.200.99
object network OBJ-INSIDE_HOSTS
subnet 192.168.200.0 255.255.255.0
object network OBJ-RAVPN
subnet 10.10.10.0 255.255.255.0
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list OUTSIDE-IN extended permit tcp any host 192.168.200.99 eq pcanywhere-data
access-list OUTSIDE-IN remark ACL outside interface for PCanywhere
access-list OUTSIDE-IN extended permit udp any host 192.168.200.99 eq pcanywhere-status
access-list OUTSIDE-RDPIN extended permit tcp any host 192.168.200.99 eq 3389
access-list OUTSIDE-RDPIN extended permit object-group TCPUDP any host 192.168.200.99 eq 3389
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool eng_pool 10.10.10.10-10.10.10.20 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-641.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source dynamic any interface
nat (inside,outside) source static OBJ-INSIDE_HOSTS OBJ-RAVPN destination static OBJ-RAVPN OBJ-RAVPN
!
object network obj_any
nat (inside,outside) dynamic interface
object network MNKA
nat (inside,outside) static interface service tcp pcanywhere-data pcanywhere-data
object network RDP_static
nat (inside,outside) static interface service tcp 3389 3389
access-group OUTSIDE-RDPIN in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.200.0 255.255.255.0 inside
coldstart
crypto ipsec ikev1 transform-set set esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set eng_trans esp-3des esp-md5-hmac
crypto dynamic-map dyn1 1 set reverse-route
crypto dynamic-map dyn_map 1 set ikev1 transform-set eng_trans
crypto dynamic-map dyn_map 1 set reverse-route
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map stat_map 10000 ipsec-isakmp dynamic dyn_map
crypto map stat_map interface outside
crypto isakmp nat-traversal 30
crypto ikev2 policy 1
encryption 3des
integrity sha
group 2
prf sha
lifetime seconds 86400
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 3600
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86499
telnet timeout 5
ssh 192.168.200.0 255.255.255.0 inside
ssh timeout 20
console timeout 0
dhcpd dns 208.67.222.222 208.67.220.220
dhcpd domain k.intra
dhcpd auto_config outside
!
dhcpd address 192.168.200.100-192.168.200.110 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy eng_policy internal
group-policy eng_policy attributes
vpn-idle-timeout 30
default-domain value k.intra
username xtu password 123lol encrypted privilege 15
username vpnuser password uGotit encrypted
tunnel-group eng type remote-access
tunnel-group eng general-attributes
address-pool eng_pool
default-group-policy eng_policy
tunnel-group eng ipsec-attributes
ikev1 pre-shared-key *****
isakmp keepalive threshold 30 retry 5
!
!
: end
04-16-2011 11:04 AM
Hi,
The nat exemption is missing in case of VPN.
Please try the following:
nat (inside,outside) 1 source static OBJ-INSIDE_HOSTS OBJ-INSIDE_HOSTS destination static OBJ-RAVPN OBJ-RAVPN
For
2) I need to allow pcanywhere traffic to go through the ASA to host 192.168.200.99. The remote host is a DHCP client.
Is the traffic over the VPN tunnel?
Hope this helps.
Regards,
Anisha
P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.
04-16-2011 12:12 PM
I will try that NAT. Thanks
Pcanywhere traffic is not over VPN.
What we want is to redirect the pcanywhere traffic that comes to the external FW interface to a host inside, 192.168.200.99.
04-16-2011 12:32 PM
As far as NAT is concerned, it worked like a charm.
But what was wrong with what I had in place? Is it the ordering?
nat (inside,outside) source static OBJ-INSIDE_HOSTS OBJ-RAVPN destination static OBJ-RAVPN OBJ-RAVPN
Only thing left is part 2.
04-16-2011 07:34 PM
Hi Tan,
You had placed the following:
nat (inside,outside) source static OBJ-INSIDE_HOSTS OBJ-RAVPN destination static OBJ-RAVPN OBJ-RAVPN
This means that the source OBJ-INSIDE_HOSTS is getting translated to OBJ-RAVPN.
This is not self-translation; hence it was not working.
NAT exemption from 8.3 onwards is self-translation of the source and self-translation of the destination as well.
For the 2nd part, i see the following configured:
object network RDP_static
host 192.168.200.99
object network RDP_static
nat (inside,outside) static interface service tcp 3389 3389
access-group OUTSIDE-RDPIN in interface outside
access-list OUTSIDE-RDPIN extended permit tcp any host 192.168.200.99 eq 3389
access-list OUTSIDE-RDPIN extended permit object-group TCPUDP any host 192.168.200.99 eq 3389
The config is correct; there is no problem in it.
You can try RDP to the outside interface IP address and it should forward you to the host 192.168.200.99.
But I see that the outside IP address is a dynamic address from DHCP, so every time you try to access the host 192.168.200.99 you need to enter the current interface IP address.
Hope this helps.
Regards,
Anisha
P.S.: please mark this thread as answered if you feel query is resolved. Do rate helpful posts.
04-16-2011 09:06 PM
It does not work.
04-17-2011 03:08 AM
Hi,
Could you please explain what exactly you are trying to do and how you are trying to achieve it?
Regards,
Anisha
04-17-2011 08:07 AM
I want to achieve what is known as redirect in the UNIX world or port forwarding.
http://www.openbsd.org/faq/pf/rdr.html
I just want to know how it works.
Let's take RDP for example.
I want the traffic to come to the external interface ex. RDP 1.2.3.4 on port 3389
I want the firewall to redirect this traffic to host 192.168.200.99 on port 3389.
04-17-2011 10:52 AM
Hello Tan,
Would you please paste your current configuration? As far as NAT is concerned, the remote access clients were missing the exemption, and regarding the pcanywhere, the access group was not applied. Please try the following:
packet-tracer input outside tcp 4.2.2.2 1025
That will give you a trace and where the packet is being dropped. Please attach the latest configuration along with that output.
Cheers
Mike
04-17-2011 04:43 PM
Running config is right above.
here is the output
asa# packet-tracer input outside tcp 4.2.2.2 1025 1234 pcanywhere-d$
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 1.2.3.4 255.255.255.255 identity
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
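The port forward this part of the thread is after, as an added example that is not part of the original posts and not the poster's running config. It keeps the thread's own object NAT for 192.168.200.99 and changes the one thing the packet-tracer output points at: the ASA binds a single access list per interface and direction, the running config binds OUTSIDE-RDPIN, so the pcanywhere-data and pcanywhere-status entries in OUTSIDE-IN are never evaluated and the packet dies on the implicit deny. The interface and object names are the thread's; PCA_status is an object name introduced here; 1.2.3.4 is the placeholder outside address the poster used, and on a DHCP outside interface it must be replaced with whatever `show interface outside` reports at the time.

```text
! Real (untranslated) host. On 8.3+ the inbound ACL matches the real IP, not the outside address.
object network MNKA
 host 192.168.200.99
 nat (inside,outside) static interface service tcp pcanywhere-data pcanywhere-data

object network RDP_static
 host 192.168.200.99
 nat (inside,outside) static interface service tcp 3389 3389

! pcanywhere-status is UDP 5632. A TCP-only object NAT never forwards it, so it needs its own
! object (one nat statement per network object). PCA_status is an assumed name.
object network PCA_status
 host 192.168.200.99
 nat (inside,outside) static interface service udp pcanywhere-status pcanywhere-status

! One ACL per interface and direction: every inbound permit goes into the ACL that is bound.
access-list OUTSIDE-RDPIN extended permit tcp any host 192.168.200.99 eq 3389
access-list OUTSIDE-RDPIN extended permit tcp any host 192.168.200.99 eq pcanywhere-data
access-list OUTSIDE-RDPIN extended permit udp any host 192.168.200.99 eq pcanywhere-status
access-group OUTSIDE-RDPIN in interface outside

! Verify with the destination set to the outside interface's current address (1.2.3.4 = placeholder).
! packet-tracer input outside tcp 4.2.2.2 1025 1.2.3.4 pcanywhere-data
! packet-tracer input outside udp 4.2.2.2 1025 1.2.3.4 pcanywhere-status
! A working trace shows an UN-NAT phase (1.2.3.4 -> 192.168.200.99) before the ACCESS-LIST phase,
! and the ACCESS-LIST phase reports the OUTSIDE-RDPIN entry instead of "Implicit Rule".
```

`permit ... any` publishes RDP and pcAnywhere to the whole internet; restricting the source addresses in those ACL entries, or reaching the host over the remote-access VPN the same config already carries, is the safer shape. The `OUTSIDE-IN` list can then be deleted, since nothing references it.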
04-28-2011 11:39 PM
Hi, I do have a side question regarding NAT exemption in 8.4. As far as I understand, since nat-control is not required in 8.4, why do we need NAT exemption at all for VPN access? I have AnyConnect VPN configured on 8.4 and I have ZERO NAT-related configuration as far as SSL VPN is concerned and it worked like a charm. Any experts care to explain why NAT exemption is required in 8.4 for VPN access?
05-02-2011 07:10 AM
Hi,
NAT exemption ensures that the data is passing over the VPN tunnel; hence it works like a charm for you.
On the FW, NATting will happen to protect the identity of the private network and to access the internet. The internet will work only for routable IP addresses, i.e. public IP addresses.
Hope this helps.
Regards,
Anisha
P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.
05-02-2011 11:16 AM
NAT is not necessarily "required" for Anyconnect to function. The reason why you add nat exemption rules is because you don't want the traffic to hit any of your other configured NAT rules.
For example, if you NAT your inside communication outbound for internet traffic, then you will also be NATing outbound communication destined to your AnyConnect users. Since you don't want to NAT your inside hosts when they communicate with your AnyConnect VPN hosts, you create a NAT rule to exempt this traffic from being NATed. This is the same theory as NAT prior to 8.3 with nat-control disabled.
For most ASA configurations, this means that a manual NAT rule is configured with both the source & destination. This ensures that the other PAT rules and NAT rules you may have configured will not affect traffic to/from your VPN.
Of course if you have no NAT rules which conflict, then there is no need to configure NAT exemption.
I hope this helps.
Thanks,
Brendan
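The exemption rule Anisha corrected earlier in the thread and the reasoning Brendan gives above, side by side as an added example that is not part of the original posts. Object and interface names are the thread's. The point is twofold: the rule has to be an identity translation (each object mapped to itself), and it has to sit ahead of the dynamic PAT rule, because section 1 (manual NAT) is evaluated top-down, first match, and a `source dynamic any interface` rule with no destination clause matches every inside-to-anywhere flow, replies to VPN clients included.

```text
! As originally configured: rewrites the SOURCE to the VPN pool. Not an exemption, and it also
! sat below the dynamic PAT rule, so it would never have been reached anyway.
no nat (inside,outside) source static OBJ-INSIDE_HOSTS OBJ-RAVPN destination static OBJ-RAVPN OBJ-RAVPN

object network OBJ-INSIDE_HOSTS
 subnet 192.168.200.0 255.255.255.0
object network OBJ-RAVPN
 subnet 10.10.10.0 255.255.255.0

! Identity NAT: inside hosts stay themselves and the pool stays itself, in both directions.
! The "1" is the line number: inserted at the top of section 1, ahead of the dynamic PAT.
nat (inside,outside) 1 source static OBJ-INSIDE_HOSTS OBJ-INSIDE_HOSTS destination static OBJ-RAVPN OBJ-RAVPN

! The rule it must precede. Left as in the thread's config; it now only sees non-VPN traffic.
nat (inside,outside) source dynamic any interface

! Check ordering and hit counts: the identity rule should be listed first in section 1,
! and its translate_hits/untranslate_hits should climb while a VPN client is active.
! show nat
! show nat detail
```

On 8.4(2) and later the usual form of this rule appends `no-proxy-arp route-lookup`, so the ASA neither answers ARP for the exempted networks nor lets the NAT rule override the routing table; 8.4(1), the version in the thread, does not have those keywords, and the plain identity rule above is the correct form there. If the only NAT rules on the box are identity rules, the exemption is unnecessary, which is exactly the AnyConnect-only case the previous poster described.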
05-02-2011 12:06 PM
Hi, Brendan,
That was an excellent explanation that cleared my doubts. For the AnyConnect VPN I did not have NAT exemption and it worked because I did not have any other NAT rules, since the ASA was dedicated to VPN access. Thanks a lot!
05-17-2013 08:09 AM
Hi,
I upgraded the ASA from 8.2(5) to 8.3(2)... everything seems to be working fine except ICMP and PcAnywhere
(I'm guessing PcAnywhere uses a ping sweep to detect available hosts).
I can see traffic through the tunnel, but no ping. Any idea?