01-03-2012 07:30 PM - edited 03-11-2019 03:09 PM
So, I've set up Anyconnect client access to an ASA-5510.
I've got a handful of interfaces, which contain hosts that should be accessible to anyconnect clients. I'm unable to reach addresses on a specific network, due to what packet-tracer claims is an implicit deny, though I'm unsure where to apply an access-list in this case.
fw1# show nameif
Interface Name Security
Ethernet0/0.205 SECURE 90
Ethernet0/3.666 INTERNET 0
fw1# show int ip br
Interface IP-Address OK? Method Status Protocol
Ethernet0/0.205 10.1.24.1 YES CONFIG up up
Ethernet0/3.666 x.x.x.x YES CONFIG up up
In all cases, my anyconnect session is via the named interface "INTERNET", security-level 0.
From my client, I cannot reach 10.1.24.10. Incidentally, the host filters out ICMP, and is only open on tcp/80.
Can anyone suggest where I should apply an access-list permitting this traffic? I've already applied an inbound access-list to the INTERNET interface permitting all traffic from the pool assigned to the anyconnect clients. (Phase 3)
Or perhaps I've misunderstood entirely!
Any suggestions are appreciated. packet-tracer output below...
Regards,
Phil
fw1# packet-tracer input INTERNET tcp 10.1.6.1 5000 10.1.24.10 80 detailed
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.1.24.0 255.255.252.0 SECURE
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group INTERNET_access_in in interface INTERNET
access-list INTERNET_access_in extended permit ip object-group SITEVPNCLIENT any
object-group network SITEVPNCLIENT
network-object 10.1.6.0 255.255.255.128
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd56823f8, priority=12, domain=permit, deny=false
hits=384, user_data=0xd554ac08, cs_id=0x0, flags=0x0, protocol=0
src ip=10.1.6.0, mask=255.255.255.128, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0
Phase: 4
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
match any
policy-map global_policy
class class-default
set connection decrement-ttl
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd61a0308, priority=7, domain=conn-set, deny=false
hits=1359, user_data=0xd619d118, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd55fdfe0, priority=0, domain=permit-ip-option, deny=true
hits=203456, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0
Phase: 6
Type: CP-PUNT
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd616b8c0, priority=79, domain=punt, deny=true
hits=21, user_data=0xd4e82e08, cs_id=0x0, flags=0x0, protocol=0
src ip=10.1.6.1, mask=255.255.255.255, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0
Phase: 7
Type: WEBVPN-SVC
Subtype: in
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd51eac48, priority=70, domain=svc-ib-tunnel-flow, deny=false
hits=83, user_data=0x5000, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=10.1.6.1, mask=255.255.255.255, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0
Result:
input-interface: INTERNET
input-status: up
input-line-status: up
output-interface: SECURE
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
01-03-2012 07:47 PM
Hello,
Can you post the ASA configuration?
Just to let you know, as soon as the ASA has sysopt connection permit-vpn configured you do not need an ACL to allow inbound connections from a tunnel.
Julio
01-03-2012 08:31 PM
It's no problem for me to share smaller pieces of the configuration, but to post the whole thing, I'll need to get some approval.
In the meantime, is there anything else I might look for, or any smaller parts of the configuration that might help?
Regards,
--phil
01-03-2012 10:10 PM
Hello,
I would like to see the NAT for the VPN traffic, the tunnel group, connection profile and webvpn configuration.
Hope to hear from you soon...
Julio
01-11-2012 03:11 PM
Alright, I've got authorization to share the config. Please find it below. Thanks so much for your assistance.
Regards,
--phil
fw1# show run
: Saved
:
ASA Version 8.0(3)6
!
hostname fw1
enable password REDACTED encrypted
passwd REDACTED encrypted
names
name x.x.x.x ISP-PUBLIC-ALLOCATION
!
interface Ethernet0/0
no nameif
no security-level
no ip address
!
interface Ethernet0/0.200
vlan 200
nameif CORP
security-level 80
ip address 10.1.4.1 255.255.254.0
!
interface Ethernet0/0.201
vlan 201
nameif BMS
security-level 100
ip address 10.1.8.1 255.255.252.0
!
interface Ethernet0/0.202
vlan 202
nameif SEC
security-level 100
ip address 10.1.12.1 255.255.252.0
!
interface Ethernet0/0.203
vlan 203
nameif VOIP
security-level 80
ip address 10.1.16.1 255.255.252.0
!
interface Ethernet0/0.204
vlan 204
nameif GUEST
security-level 10
ip address 10.1.20.1 255.255.255.0
!
interface Ethernet0/0.205
vlan 205
nameif SECURE
security-level 90
ip address 10.1.24.1 255.255.252.0
!
interface Ethernet0/0.206
vlan 206
nameif MGMT
security-level 90
ip address 10.1.0.1 255.255.252.0
!
interface Ethernet0/0.207
vlan 207
nameif SERVER
security-level 85
ip address 10.1.7.1 255.255.255.128
!
interface Ethernet0/0.600
vlan 600
nameif CUSTOMER
security-level 20
ip address 10.1.21.1 255.255.255.0
!
interface Ethernet0/1
no nameif
no security-level
no ip address
!
interface Ethernet0/1.311
vlan 311
nameif MOD1BMS
security-level 100
ip address 10.1.144.1 255.255.252.0
!
interface Ethernet0/1.312
vlan 312
nameif MOD1SEC
security-level 100
ip address 10.1.148.1 255.255.252.0
!
interface Ethernet0/2
shutdown
no nameif
security-level 0
no ip address
!
interface Ethernet0/3
no nameif
no security-level
no ip address
!
interface Ethernet0/3.666
vlan 666
nameif INTERNET
security-level 0
ip address y.y.y.y 255.255.255.248
!
interface Ethernet0/3.667
vlan 667
nameif PUBDMZ
security-level 5
ip address x.x.x.x 255.255.255.0
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
same-security-traffic permit intra-interface
object-group network CORP
network-object 10.1.4.0 255.255.254.0
object-group network MOD1BMS
network-object 10.1.144.0 255.255.252.0
object-group network VPNCLIENT
network-object 10.1.6.0 255.255.255.128
object-group network SITE
network-object 10.1.0.0 255.255.0.0
object-group network SERVER
network-object 10.1.7.0 255.255.255.128
object-group network PUBDMZ
network-object ISP-PUBLIC-ALLOCATION 255.255.255.0
object-group network SEC
network-object 10.1.12.0 255.255.252.0
object-group service TAP
service-object tcp-udp range 161 162
service-object tcp-udp range 10161 10162
service-object tcp eq www
service-object tcp eq https
object-group network TAP_ACCESS
network-object host zz.zz.zz.zz
object-group network SECURE
network-object 10.1.24.0 255.255.252.0
access-list CORP_access_in extended permit ip any any
access-list vpn-split-tunnel standard permit 10.1.0.0 255.255.0.0
access-list nat-exclude_CORP extended permit ip object-group CORP object-group VPNCLIENT
access-list nat-exclude_CORP extended permit ip object-group VPNCLIENT object-group CORP
access-list SERVER_access_out extended permit icmp object-group CORP object-group SERVER
access-list SERVER_access_out extended permit tcp object-group CORP object-group SERVER eq https
access-list SERVER_access_out extended permit ip object-group CORP object-group SERVER
access-list MOD1BMS_out extended permit icmp object-group CORP object-group MOD1BMS
access-list MOD1BMS_out extended permit tcp object-group CORP object-group MOD1BMS eq www
access-list MOD1BMS_out extended permit tcp object-group CORP object-group MOD1BMS eq 1911
access-list INTERNET_access_in extended permit ip object-group TAP_ACCESS host x.x.x.x
access-list INTERNET_access_in extended permit ip object-group VPNCLIENT any
access-list ANY_IP extended permit ip any any
access-list SEC_access_out extended permit tcp object-group CORP object-group SEC eq 3389
access-list nat-execlude_SEC extended permit ip object-group SEC object-group CORP
pager lines 24
logging enable
logging timestamp
logging monitor informational
logging buffered informational
mtu CORP 1500
mtu BMS 1500
mtu SEC 1500
mtu VOIP 1500
mtu GUEST 1500
mtu SECURE 1500
mtu MGMT 1500
mtu SERVER 1500
mtu CUSTOMER 1500
mtu MOD1BMS 1500
mtu MOD1SEC 1500
mtu INTERNET 1500
mtu PUBDMZ 1500
ip local pool ssl-vpn 10.1.6.1-10.1.6.127 mask 255.255.255.128
icmp unreachable rate-limit 10 burst-size 5
icmp permit any MOD1BMS
icmp permit any INTERNET
icmp permit any PUBDMZ
asdm image disk0:/asdm-61551.bin
no asdm history enable
arp timeout 14400
global (INTERNET) 1 interface
nat (CORP) 0 access-list nat-exclude_CORP
nat (CORP) 1 0.0.0.0 0.0.0.0
nat (SEC) 0 access-list nat-execlude_SEC
nat (VOIP) 1 0.0.0.0 0.0.0.0
nat (GUEST) 1 0.0.0.0 0.0.0.0
nat (CUSTOMER) 1 0.0.0.0 0.0.0.0
static (SECURE,INTERNET) x.x.x.x 10.1.24.10 netmask 255.255.255.255
static (CORP,INTERNET) x.x.x.x 10.1.4.10 netmask 255.255.255.255
access-group CORP_access_in in interface CORP
access-group SEC_access_out out interface SEC
access-group SERVER_access_out out interface SERVER
access-group MOD1BMS_out out interface MOD1BMS
access-group INTERNET_access_in in interface INTERNET
route INTERNET 0.0.0.0 0.0.0.0 y.y.y.y 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication telnet console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 10.1.6.0 255.255.255.0 MGMT
http 10.1.4.0 255.255.255.0 CORP
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 10.1.0.0 255.255.252.0 MGMT
telnet timeout 5
ssh 10.1.4.0 255.255.252.0 CORP
ssh 10.1.6.0 255.255.255.0 MGMT
ssh x.x.x.x 255.255.255.255 INTERNET
ssh timeout 5
console timeout 0
management-access MGMT
dhcpd address 10.1.4.10-10.1.4.254 CORP
dhcpd dns z.z.z.z interface CORP
dhcpd enable CORP
!
dhcpd address 10.1.16.10-10.1.16.254 VOIP
dhcpd dns z.z.z.z interface VOIP
dhcpd enable VOIP
!
dhcpd address 10.1.20.10-10.1.20.254 GUEST
dhcpd dns z.z.z.z interface GUEST
dhcpd enable GUEST
!
dhcpd address 10.1.21.10-10.1.21.254 CUSTOMER
dhcpd dns z.z.z.z interface CUSTOMER
dhcpd enable CUSTOMER
!
threat-detection basic-threat
threat-detection statistics access-list
webvpn
enable INTERNET
svc image disk0:/anyconnect-macosx-i386-2.3.0185-k9.pkg 2
svc image disk0:/anyconnect-win-2.3.0185-k9.pkg 3
svc enable
tunnel-group-list enable
group-policy ssl-vpn internal
group-policy ssl-vpn attributes
dns-server value z.z.z.z
vpn-tunnel-protocol svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpn-split-tunnel
address-pools value ssl-vpn
username user1 password REDACTED encrypted
username user1 attributes
service-type admin
username user2 password REDACTED encrypted
username user2 attributes
vpn-group-policy ssl-vpn
vpn-idle-timeout 60
vpn-session-timeout 1440
username user3 password REDACTED encrypted
username user3 attributes
vpn-group-policy ssl-vpn
vpn-idle-timeout 60
vpn-session-timeout 1440
username user4 password REDACTED encrypted
username user4 attributes
vpn-group-policy ssl-vpn
vpn-idle-timeout 60
vpn-session-timeout 1440
tunnel-group ssl-vpn type remote-access
tunnel-group ssl-vpn general-attributes
default-group-policy ssl-vpn
tunnel-group ssl-vpn webvpn-attributes
group-alias ssl-vpn enable
!
class-map ANY_IP
match access-list ANY_IP
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect sip
inspect netbios
inspect tftp
inspect icmp
inspect xdmcp
inspect icmp error
class class-default
set connection decrement-ttl
policy-map 2_MBPS_BIDIRECTIONAL
class ANY_IP
police output 2000000
police input 2000000
!
service-policy global_policy global
service-policy 2_MBPS_BIDIRECTIONAL interface GUEST
prompt hostname context
01-11-2012 04:00 PM
Hello Pheller,
Can you try the following:
object-group network Local_4_VPN
network-object 10.1.0.0 255.255.255.0
clear configure access-list nat-exclude_CORP
no access-list nat-exclude_CORP extended permit ip object-group CORP object-group VPNCLIENT
no access-list nat-exclude_CORP extended permit ip object-group VPNCLIENT object-group CORP
access-list nat-exclude_Local_4_vpn extended permit ip object-group Local_4_VPN object-group VPNCLIENT
nat (CORP) 0 access-list nat-exclude_Local_4_vpn
And try it again, are you able to connect with the VPN anyconnect client?
Where does the connection stop?
Regards,
Julio
01-15-2012 05:41 PM
Ok, so the problem was accessing 10.1.24.10 (nameif SECURE) from 10.1.6.* (Anyconnect client coming inbound from nameif INTERNET).
Your suggestion, while not applicable to the right named interface, definitely put me on the right track.
I configured a nat exclusion for the right named interface, as follows:
object-group network SECURE
network-object 10.1.24.0 255.255.255.0
access-list nat-exclude_SECURE extended permit ip object-group SECURE object-group VPNCLIENT
nat (SECURE) 0 access-list nat-exclude_SECURE
I had previously configured "no nat-control", which I understood to mean that nat rules were not needed when simply configuring access between networks? I've obviously misunderstood. Now I'm not exactly sure what "no nat-control" is supposed to do.
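As an added example (not from this thread, and not Cisco's code), the Python script below does the check that would have caught this before reaching for packet-tracer: it parses pre-8.3 style config of the kind posted above and reports every inside interface whose subnet is not paired with the AnyConnect pool by a `nat (iface) 0 access-list` exemption, noting which of those also carry a `static` towards the VPN-facing interface, as SECURE did here. It generalises the fix to any interface rather than just SECURE. The sample config is a constructed trim of the posted one, with 198.51.100.x standing in for the redacted x.x.x.x addresses; the `SECURE_NET` and `nat-exclude_<iface>` names it emits are this example's own choice.

```python
"""Audit a pre-8.3 ASA config for inside interfaces that AnyConnect clients should
reach but that lack a NAT exemption (nat (iface) 0 access-list ...) pairing the
interface subnet with the VPN address pool."""
import ipaddress

# Constructed sample trimmed from the thread's config (198.51.100.x stands in for
# the redacted public addresses): CORP is exempted, SECURE only has a static.
SAMPLE_CONFIG = """\
interface Ethernet0/0.200
 nameif CORP
 ip address 10.1.4.1 255.255.254.0
interface Ethernet0/0.205
 nameif SECURE
 ip address 10.1.24.1 255.255.252.0
interface Ethernet0/3.666
 nameif INTERNET
 ip address 198.51.100.2 255.255.255.248
object-group network CORP
 network-object 10.1.4.0 255.255.254.0
object-group network VPNCLIENT
 network-object 10.1.6.0 255.255.255.128
access-list nat-exclude_CORP extended permit ip object-group CORP object-group VPNCLIENT
ip local pool ssl-vpn 10.1.6.1-10.1.6.127 mask 255.255.255.128
nat (CORP) 0 access-list nat-exclude_CORP
static (SECURE,INTERNET) 198.51.100.3 10.1.24.10 netmask 255.255.255.255
"""


def _operand(tokens, groups):
    """Consume one address operand (any | host X | object-group G | net mask)."""
    tok = tokens.pop(0)
    if tok == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    if tok == "host":
        return [ipaddress.ip_network(tokens.pop(0) + "/32")]
    if tok == "object-group":
        return groups[tokens.pop(0)]
    return [ipaddress.ip_network(f"{tok}/{tokens.pop(0)}", strict=False)]


def parse_config(text):
    """Extract interfaces, network groups, 'permit ip' ACEs, nat 0 bindings, statics and pools."""
    cfg = {"interfaces": {}, "groups": {}, "acls": {}, "nat0": {}, "statics": [], "pools": {}}
    cur_if = cur_group = None
    for raw in text.splitlines():
        t = raw.split()  # indentation is irrelevant; the command keyword decides
        if not t or t[0].startswith("!"):
            continue
        if t[0] == "interface":
            cur_if, cur_group = {"net": None}, None
        elif t[0] == "nameif" and cur_if is not None:
            cfg["interfaces"][t[1]] = cur_if
        elif t[:2] == ["ip", "address"] and cur_if is not None:
            cur_if["net"] = ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False)
        elif t[:2] == ["object-group", "network"]:
            cur_if, cur_group = None, t[2]
            cfg["groups"][cur_group] = []
        elif t[0] == "network-object" and cur_group is not None:
            cfg["groups"][cur_group].extend(_operand(t[1:], cfg["groups"]))
        elif t[0] == "access-list" and t[2:5] == ["extended", "permit", "ip"]:
            rest = t[5:]
            src, dst = _operand(rest, cfg["groups"]), _operand(rest, cfg["groups"])
            cfg["acls"].setdefault(t[1], []).append((src, dst))
        elif t[0] == "nat" and t[2:4] == ["0", "access-list"]:
            cfg["nat0"][t[1].strip("()")] = t[4]
        elif t[0] == "static":
            real_if, mapped_if = t[1].strip("()").split(",")
            cfg["statics"].append((real_if, mapped_if, t[3]))
        elif t[:3] == ["ip", "local", "pool"]:
            start = t[4].split("-")[0]
            cfg["pools"][t[3]] = ipaddress.ip_network(f"{start}/{t[6]}", strict=False)
    return cfg


def missing_vpn_exemptions(cfg, vpn_if="INTERNET"):
    """Map each unexempted inside interface to whether it also has a static towards vpn_if."""
    pools = list(cfg["pools"].values())
    has_static = {real for real, mapped, _ in cfg["statics"] if mapped == vpn_if}
    findings = {}
    for name, iface in cfg["interfaces"].items():
        if name == vpn_if or iface["net"] is None:
            continue
        aces = cfg["acls"].get(cfg["nat0"].get(name), [])
        exempt = any(  # an ACE whose source covers this subnet and destination covers the pool
            any(s.overlaps(iface["net"]) for s in src)
            and any(d.overlaps(p) for d in dst for p in pools)
            for src, dst in aces
        )
        if not exempt:
            findings[name] = name in has_static
    return findings


def suggested_exemption(cfg, iface, pool_group="VPNCLIENT"):
    """The thread's 8.0-syntax fix, generated for any interface (names are this example's choice)."""
    net = cfg["interfaces"][iface]["net"]
    return [
        f"object-group network {iface}_NET",
        f" network-object {net.network_address} {net.netmask}",
        f"access-list nat-exclude_{iface} extended permit ip "
        f"object-group {iface}_NET object-group {pool_group}",
        f"nat ({iface}) 0 access-list nat-exclude_{iface}",
    ]
```

`missing_vpn_exemptions(parse_config(SAMPLE_CONFIG))` returns `{'SECURE': True}`: SECURE is reachable through a static from INTERNET but has no exemption for the pool. Appending the lines from `suggested_exemption(cfg, "SECURE")` to the config and re-parsing returns an empty dict. Because the check compares the exemption ACL against the `ip local pool` itself rather than against the VPNCLIENT object-group, it also catches the case where the pool is resized and the object-group is not.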
01-15-2012 11:00 PM
Hello,
Great I could help!
Regarding nat control: this makes the ASA only accept connections that have a translation rule configured, so in order for a packet to traverse an ASA interface it needs to hit a nat rule in your configuration.
With no nat control you do not need a nat statement for a packet to traverse the ASA.
Regards,
Please mark the question as answered if there is nothing else we can do; otherwise just let me know =)
Julio