Re: 2 issues with ASA 8.4

tanzeus129 · ‎04-16-2011

I think the problems are related to NAT and how it is implemented in 8.4. Any help THANKS!!

1) vpn client connects, but can't access the network

2) I need to allow pcanywhere traffic to go through the ASA to host 192.168.200.99. The remote host is a DHCP client.

Here is my config:

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2011.04.16 09:33:06 =~=~=~=~=~=~=~=~=~=~=~=

: Saved

:

ASA Version 8.4(1)

!

hostname kasa

domain-name k.intra

enable password 123 encrypted

passwd 123 encrypted

names

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.200.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address dhcp setroute

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

boot system disk0:/asa841-k8.bin

ftp mode passive

dns server-group DefaultDNS

domain-name k.intra

object network obj_any

subnet 0.0.0.0 0.0.0.0

object network MNKA

host 192.168.200.99

object network RDP_static

host 192.168.200.99

object network OBJ-INSIDE_HOSTS

subnet 192.168.200.0 255.255.255.0

object network OBJ-RAVPN

subnet 10.10.10.0 255.255.255.0

object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

access-list OUTSIDE-IN extended permit tcp any host 192.168.200.99 eq pcanywhere-data

access-list OUTSIDE-IN remark ACL outside interface for PCanywhere

access-list OUTSIDE-IN extended permit udp any host 192.168.200.99 eq pcanywhere-status

access-list OUTSIDE-RDPIN extended permit tcp any host 192.168.200.99 eq 3389

access-list OUTSIDE-RDPIN extended permit object-group TCPUDP any host 192.168.200.99 eq 3389

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

ip local pool eng_pool 10.10.10.10-10.10.10.20 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-641.bin

no asdm history enable

arp timeout 14400

nat (inside,outside) source dynamic any interface

nat (inside,outside) source static OBJ-INSIDE_HOSTS OBJ-RAVPN destination static OBJ-RAVPN OBJ-RAVPN

!

object network obj_any

nat (inside,outside) dynamic interface

object network MNKA

nat (inside,outside) static interface service tcp pcanywhere-data pcanywhere-data

object network RDP_static

nat (inside,outside) static interface service tcp 3389 3389

access-group OUTSIDE-RDPIN in interface outside

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

http server enable

http 192.168.200.0 255.255.255.0 inside

coldstart

crypto ipsec ikev1 transform-set set esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set eng_trans esp-3des esp-md5-hmac

crypto dynamic-map dyn1 1 set reverse-route

crypto dynamic-map dyn_map 1 set ikev1 transform-set eng_trans

crypto dynamic-map dyn_map 1 set reverse-route

crypto map mymap 1 ipsec-isakmp dynamic dyn1

crypto map stat_map 10000 ipsec-isakmp dynamic dyn_map

crypto map stat_map interface outside

crypto isakmp nat-traversal 30

crypto ikev2 policy 1

encryption 3des

integrity sha

group 2

prf sha

lifetime seconds 86400

crypto ikev1 enable outside

crypto ikev1 policy 1

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 3600

crypto ikev1 policy 65535

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86499

telnet timeout 5

ssh 192.168.200.0 255.255.255.0 inside

ssh timeout 20

console timeout 0

dhcpd dns 208.67.222.222 208.67.220.220

dhcpd domain k.intra

dhcpd auto_config outside

!

dhcpd address 192.168.200.100-192.168.200.110 inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection statistics port

threat-detection statistics protocol

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

group-policy eng_policy internal

group-policy eng_policy attributes

vpn-idle-timeout 30

default-domain value k.intra

username xtu password 123lol encrypted privilege 15

username vpnuser password uGotit encrypted

tunnel-group eng type remote-access

tunnel-group eng general-attributes

address-pool eng_pool

default-group-policy eng_policy

tunnel-group eng ipsec-attributes

ikev1 pre-shared-key *****

isakmp keepalive threshold 30 retry 5

!

: end

andamani · ‎04-16-2011

Hi,

The nat exemption is missing in case of VPN.

Please try the following:

nat (inside,outside) 1 source static OBJ-INSIDE_HOSTS OBJ-INSIDE_HOSTS destination static OBJ-RAVPN OBJ-RAVPN

For

2) I need to allow pcanywhere traffic to go through the ASA to host 192.168.200.99. The remote host is a DHCP client.

Is the traffic over VPN tunnel??

Hope this helps.

Regards,
Anisha

P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.

tanzeus129 · ‎04-16-2011

I will try that NAT. Thanks

Pcanywhere traffic is not over VPN.

What we want is to redirect the pcanywhere traffic comes to the external FW interface to a host inside 192.168.200.99

tanzeus129 · ‎04-16-2011

As far as NAT is concerned, it worked like a charm.

But what was wrong with what I had in place? Is it the ordering?

nat (inside,outside) source static OBJ-INSIDE_HOSTS OBJ-RAVPN destination static OBJ-RAVPN OBJ-RAVPN

Only thing left is part 2.

andamani · ‎04-16-2011

Hi Tan,

You had placed the following:

nat (inside,outside) source static OBJ-INSIDE_HOSTS OBJ-RAVPN destination static OBJ-RAVPN OBJ-RAVPN

This means that the source OBJ-INSIDE_HOSTS is getting translated to OBJ-RAVPN.

This is not self-translation. Hence it was not working.

Nat-exemption 8.3 onwards is self translation of the source and self-translation of destination as well.

For the 2nd part, i see the following configured:

object network RDP_static
host 192.168.200.99

object network RDP_static
nat (inside,outside) static interface service tcp 3389 3389

access-group OUTSIDE-RDPIN in interface outside
access-list OUTSIDE-RDPIN extended permit tcp any host 192.168.200.99 eq 3389

access-list OUTSIDE-RDPIN extended permit object-group TCPUDP any host 192.168.200.99 eq 3389

The config is correct. there is no problem in it.

You can try the RDP on the outside interface ip address and it should forward you to the host 192.168.200.99.

But i see that the outside ip address is a dynamic address by DHCP. so everytime you try to access the host 192.168.200.99 you need to enter the current interface IP address.

Hope this helps.

Regards,

Anisha

P.S.: please mark this thread as answered if you feel query is resolved. Do rate helpful posts.

tanzeus129 · ‎04-16-2011

It does not work.

andamani · ‎04-17-2011

Hi,

Could you please explain what exactly are you trying to do and how are you trying to achieve it?

Regards,

Anisha

tanzeus129 · ‎04-17-2011

I want to achieve what is known as redirect in the UNIX world or port forwarding.

http://www.openbsd.org/faq/pf/rdr.html

I just want to know how it works.

Let's take RDP for example.

I want the traffic to come to the external interface ex. RDP 1.2.3.4 on port 3389

I want the firewall to redirect this traffic to host 192.168.200.99 on port 3389.

Maykol Rojas · ‎04-17-2011

Hello Tan,

Would you please paste your current configuration? As far as NAT concerns, the remote access clients were missing the excemption, and regarding the pcanywhere, the access group was not applied, please try the following:

packet-tracer input outside tcp 4.2.2.2 1025

That will give you a trace and where the packet is being dropped. Please attach the latest configuration along with that output.

Cheers

Mike

tanzeus129 · ‎04-17-2011

Running config is right above.

here is the output

asa# packet-tracer input outside tcp 4.2.2.2 1025 1234 pcanywhere-d$

Phase: 1

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in 1.2.3.4 255.255.255.255 identity

Phase: 2

Type: ACCESS-LIST

Subtype:

Result: DROP

Config:

Implicit Rule

Additional Information:

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: NP Identity Ifc

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

Same goes for RDP

asa# packet-tracer input outside tcp 4.2.2.2 1025 1.2.3.4 3389

Phase: 1

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in 1.2.3.4 255.255.255.255 identity

Phase: 2

Type: ACCESS-LIST

Subtype:

Result: DROP

Config:

Implicit Rule

Additional Information:

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: NP Identity Ifc

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

oldcreek12 · ‎04-28-2011

Hi, I do have a side question regarding NAT exemption in 8.4, as far as I understand, since nat-control is not requried in 8.4, then why do we need NAT exemption at all for VPN access? I have anyconnect VPN configured on 8.4 and I have ZERO NAT related configuration as far as SSLVPN is concerned and it worked like a charm, any experts care to explain why NAT exemption is required in 8.4 for VPN access?

andamani · ‎05-02-2011

Hi,

Nat exemption ensures that the data is pasisng over the VPN tunnel . hence it works like a charm for you.

On Fw the natting will happen to protect the identity of the private network and to access the internet. Internet will work only for routable ip addresses i.e. public ip address.

Hope this helps.

Regards,

Anisha

P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.

brquinn · ‎05-02-2011

NAT is not necessarily "required" for Anyconnect to function. The reason why you add nat exemption rules is because you don't want the traffic to hit any of your other configured NAT rules.

For example, if you NAT your inside communication outbound for internet traffic, then you will also be NATing outbound communication destined to your anyconnect users. Since you don't want to NAT your inside hosts when they communicate with your Anyconnect VPN hosts, you create a NAT rule to exempt this traffic from being NATed.This is the same theory as NAT prior to 8.3 with nat-control disabled.

For most ASA configurations, this means that a manual NAT rule is configured with both the source & destination. This ensures that the other PAT rules and NAT rules you may have configured will not affect traffic tp/from your VPN.

Of course if you have no NAT rules which conflict, then there is no need to configure NAT exemption.

I hope this helps.

Thanks,

Brendan

oldcreek12 · ‎05-02-2011

HI, Brendan,

That was an excellent explanation that cleared my doubts, for the AnyConnect VPN I did not have NAT exemption and it worked was because I did not have any other NAT rules because the ASA was dedicated for VPN access. Thanks a lot!

Kshakir80 · ‎05-17-2013

Hi,

i upgraded the ASA from 8.2(5) to 8.3(2)... everything seems to be working fine except ICMP and PcAnywhere

(i'm guessing PcAnywhere uses a ping sweep to detect available hosts).

i can see traffic through the tunnel, but no ping. Any idea??