09-26-2012 11:20 AM - edited 03-11-2019 04:59 PM
Hi!
I've been trying to set up my Cisco ASA to handle VPN connections to a couple of subnets.
So we have a LAN which we have XenServers on (lab environment).
On these machines we have a pfSense each to get a public IP so that we can NAT services to our virtual machines.
We are currently running AnyConnect to reach the management network "172.20.20.0/24".
But the pfSenses have their own IPs on this management VLAN. So I thought that I could set up a static route to them.
So I did set up the route, and I can now ping all the subnets.
The next thing to do is to get AnyConnect to be able to reach all of these subnets.
I'll post an image that describes our network topology:
And I think I've got everything right. But it seems that something is missing. I've run out of ideas, and I'm still learning.
So it could just be something easy. I will attach the network sketch and the config.
Thanks!
Best Regards:
Jonathan Herlin
09-26-2012 10:51 PM
Hello Jonathan
I tried to understand your scenario and configuration. It looks like the identity NAT is breaking the configuration.
Could you do the following and see how it goes:
object network vpnpool
subnet 192.168.60.0 255.255.255.0
nat (inside,outside) 1 source static any any destination static vpnpool vpnpool
Please rate all helpful posts
Regards
Harish.
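Harish's three lines are the core of the fix: VPN-pool traffic must pass through the ASA untranslated. Below is an added example (written for this page, not taken from the thread or from Cisco's own docs) that puts that exemption next to the routing pieces the rest of the thread turns out to need. The `no-proxy-arp route-lookup` keywords and the `route` line are assumptions: the keywords exist from ASA 8.4(2) onward, and the thread never says which lab subnet sits behind the pfSense at 172.20.20.11, so 172.20.23.0/24 is used only because the packet-tracer output above looks it up.

```cisco
! --- NAT exemption for the AnyConnect pool (twice NAT, ASA 8.3+ syntax) ---
object network vpnpool
 subnet 192.168.60.0 255.255.255.0
!
! "1" puts the rule at the top of section 1 so a broader dynamic PAT rule
! cannot translate VPN traffic first. no-proxy-arp stops the ASA answering
! ARP for the pool on inside; route-lookup makes egress follow the routing
! table rather than the rule's interface pair. Both are assumptions, 8.4(2)+.
nat (inside,outside) 1 source static any any destination static vpnpool vpnpool no-proxy-arp route-lookup
!
! --- Static route to a lab subnet behind one of the pfSense boxes ---
! Assumption: 172.20.23.0/24 is reached via the pfSense at 172.20.20.11;
! the thread only says that pfSense has an address on the management VLAN.
route inside 172.20.23.0 255.255.255.0 172.20.20.11 1
!
! --- Verification ---
! Decrypted AnyConnect traffic enters on the interface the tunnel terminates
! on (outside), so trace it from there rather than from inside:
packet-tracer input outside tcp 192.168.60.100 1025 172.20.23.68 80
! translate_hits / untranslate_hits on the identity rule should climb:
show nat detail
```

The ASA side only gets the packet there; the pfSense must know the way back. Its LAN interface needs a route for 192.168.60.0/24 pointing at the ASA's management-VLAN address, which is exactly the missing piece Jonathan reports at the end of the thread.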
09-27-2012 12:48 AM
I tried the commands you wrote.
When I do the packet-trace I get the following.
ASA5505(config)# packet-tracer input inside tcp 192.168.60.100 80 172.20.23.68$
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcb52a1f0, priority=1, domain=permit, deny=false
hits=65188, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=inside, output_ifc=any
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.20.23.0 255.255.255.0 inside
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip any any
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcb51d4b0, priority=13, domain=permit, deny=false
hits=453, user_data=0xc9635ee0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcb52def8, priority=0, domain=inspect-ip-options, deny=true
hits=51642, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 5
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0xcc3fd5f8, priority=0, domain=user-statistics, deny=false
hits=51667, user_data=0xcc28aaf0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=any, output_ifc=inside
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xcb52def8, priority=0, domain=inspect-ip-options, deny=true
hits=51644, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 7
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
out id=0xcc3fd5f8, priority=0, domain=user-statistics, deny=false
hits=51668, user_data=0xcc28aaf0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=any, output_ifc=inside
Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 52463, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
ASA5505(config)#
So it seems to work, but I can't access "172.20.20.11", which is one of the static route pfSenses. Maybe the Cisco is properly configured but can't work with the pfSenses.
And I can't figure out where the packet is going, because it seems like the packet reaches the pfSense without any problems?
And the pfSense is working just fine.
/ Jonathan
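A packet-tracer dump like the one above is long, and on a box with several VPN-reachable subnets you end up running it many times. The following is an added example, my own code rather than anything from the thread, that parses the trace into phases and a verdict and names the first phase that did not ALLOW. Both sample traces inside it are constructed: the first is a shortened version of Jonathan's trace, the second invents a NAT-phase drop so the failure path is exercised offline.

```python
"""Summarise a Cisco ASA packet-tracer run: final Action, egress interface
and the first phase that did not ALLOW. Added example, not thread code.
Line formats follow ASA packet-tracer output; both samples are constructed."""
import re
from dataclasses import dataclass, field

PHASE_RE = re.compile(r"^Phase:\s*(\d+)$")
KV_RE = re.compile(r"^([A-Za-z-]+):\s*(.*)$")   # "Type: NAT", "Action: drop", ...


@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    details: list = field(default_factory=list)


@dataclass
class Trace:
    phases: list
    input_interface: str
    output_interface: str
    action: str
    drop_reason: str = ""

    def failing_phase(self):
        """First phase whose Result is not ALLOW, or None."""
        return next((p for p in self.phases if p.result.upper() != "ALLOW"), None)


def parse_packet_tracer(text):
    phases, summary, cur, in_summary = [], {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PHASE_RE.match(line)
        if m:                                    # "Phase: N" opens a new phase
            cur = Phase(int(m.group(1)))
            phases.append(cur)
            in_summary = False
            continue
        if line == "Result:":                    # bare "Result:" opens the summary
            cur, in_summary = None, True
            continue
        m = KV_RE.match(line)
        if in_summary and m:
            summary[m.group(1).lower()] = m.group(2).strip()
        elif cur is not None and m and m.group(1) in ("Type", "Subtype", "Result"):
            setattr(cur, m.group(1).lower(), m.group(2).strip())
        elif cur is not None:                    # Config / Additional Information lines
            cur.details.append(line)
    return Trace(phases, summary.get("input-interface", ""),
                 summary.get("output-interface", ""),
                 summary.get("action", ""), summary.get("drop-reason", ""))


def check_vpn_reachability(text, expected_out_ifc):
    """Return (ok, message): flow must be allowed and leave via expected_out_ifc."""
    t = parse_packet_tracer(text)
    if t.action.lower() != "allow":
        bad = t.failing_phase()
        where = f"phase {bad.number} ({bad.type})" if bad else "unknown phase"
        return False, f"dropped at {where}: {t.drop_reason or 'no reason given'}"
    if t.output_interface != expected_out_ifc:
        return False, f"allowed but egress {t.output_interface}, expected {expected_out_ifc}"
    return True, f"allowed, egress {t.output_interface}"


# Constructed: shortened form of the trace posted in the thread.
ALLOW_SAMPLE = """\
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Additional Information:
in 172.20.23.0 255.255.255.0 inside
Phase: 3
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Additional Information:
New flow created with id 52463, packet dispatched to next module
Result:
input-interface: inside
output-interface: inside
Action: allow
"""

# Constructed: what a NAT-phase drop looks like (not from the thread).
DROP_SAMPLE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Phase: 2
Type: NAT
Subtype:
Result: DROP
Config:
nat (inside,outside) source dynamic any interface
Result:
input-interface: outside
output-interface: inside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

if __name__ == "__main__":
    for name, sample in (("allow", ALLOW_SAMPLE), ("drop", DROP_SAMPLE)):
        ok, msg = check_vpn_reachability(sample, "inside")
        print(f"{name}: {'OK' if ok else 'FAIL'} - {msg}")
```

A DROP in a NAT phase is the usual signature of VPN-pool traffic matching a dynamic PAT rule before the identity rule; an ALLOW whose egress interface is not the one you expected points at the routing table or the NAT rule's interface pair rather than at the access lists.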
09-27-2012 01:03 AM
Hello Jonathan
Happy to hear that it worked. Regarding 172.20.20.11, what is this device? I am suspecting the reverse route from that device back to your VPN pool.
regards
Harish.
09-27-2012 11:17 AM
Hi again!
I had forgotten to assign the static route to the LAN interface on the pfSense.
BIG THANKS!
/ Jonathan
09-27-2012 11:24 AM
Excellent, and thanks for rating me.
Harish