Solved: ASA 5505 Anyconnect no return traffic/can't ping anything beyond

Djurre Woudstra · ‎07-16-2013

Hi All,

I have a bit of a problem with my any connect setup (probably NAT exempt)

I can setup a any connect connection without issue but i am unable to reach anything beyond the firewall. It seems i have no return traffic.

If i log in to the firewall itself i can ping everything i need to ping.

Any help is greatly appriciated,

Thanks!

ASA Version 9.1(2)

!

hostname CJD-PERIMETER-FW01

domain-name jud.local

enable password FtIWMCJmyPFy.7bM encrypted

names

ip local pool DHCP-VPN-10.255.255.0_24 10.255.255.10-10.255.255.69 mask 255.255.255.0

!

interface Ethernet0/0

description Uplink to Internet

switchport access vlan 650

!

interface Ethernet0/1

description Uplink to vendor

switchport access vlan 651

!

interface Ethernet0/2

switchport trunk allowed vlan 11,652,660

switchport trunk native vlan 1

switchport mode trunk

!

interface Ethernet0/3

shutdown

!

interface Ethernet0/4

shutdown

!

interface Ethernet0/5

shutdown

!

interface Ethernet0/6

shutdown

!

interface Ethernet0/7

shutdown

!

interface Vlan650

description Uplink to Internet

nameif outside

security-level 0

ip address 74.214.9.106 255.255.255.248

!

interface Vlan651

description Uplink to vendor

nameif vendor

security-level 0

ip address 10.153.0.58 255.255.255.252

!

interface Vlan652

nameif inside

security-level 100

ip address 10.6.240.1 255.255.255.248

!

boot system disk0:/asa912-k8.bin

ftp mode passive

dns domain-lookup inside

dns server-group DefaultDNS

name-server 10.6.10.110

name-server 10.6.10.111

domain-name jud.local

same-security-traffic permit intra-interface

object network obj_any

subnet 0.0.0.0 0.0.0.0

object network NETWORK_OBJ_10.6.0.0_16

subnet 10.6.0.0 255.255.0.0

object service TCP25-SMTP

service tcp source eq smtp

subnet 10.255.255.0 255.255.255.128

object network obj-10.255.255.0

subnet 10.255.255.0 255.255.255.0

object network obj-10.6.0.0

subnet 10.6.0.0 255.255.0.0

access-list outside_access_in remark Alllow SMTP to CJD-EXCH01 (Exchange Server)

access-list outside_access_in extended permit tcp any host 10.6.10.112 eq smtp

access-list vendor_access_in extended deny ip any any

access-list outside_access_out extended permit ip any any

access-list vendor_access_out extended permit ip any any

access-list Vlan652-webfilter_out_access_in extended permit ip any any

access-list INTERNAL_10.6.0.0_16 standard permit 10.6.0.0 255.255.0.0

pager lines 24

logging enable

logging asdm informational

mtu outside 1500

mtu vendor 1500

mtu inside 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

icmp permit any outside

icmp permit any inside

asdm image disk0:/asdm-713.bin

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

nat (inside,outside) source static CJD-EXCH01 interface service TCP25-SMTP TCP25-SMTP

nat (any,outside) source static obj-10.6.0.0 obj-10.6.0.0 destination static obj-10.255.255.0 obj-10.255.255.0 no-proxy-arp route-lookup

!

object network obj_any

nat (inside,outside) dynamic interface

access-group outside_access_in in interface outside

access-group outside_access_out out interface outside

access-group vendor_access_in in interface vendor

access-group vendor_access_out out interface vendor

access-group Vlan652-webfilter_out_access_in in interface inside control-plane

route outside 0.0.0.0 0.0.0.0 74.222.92.105 1

route vendor 10.0.0.0 255.0.0.0 10.153.0.57 10

route inside 10.6.0.0 255.255.0.0 10.6.240.2 1

route vendor 172.0.0.0 255.224.0.0 10.153.0.57 1

route vendor 192.168.0.0 255.255.0.0 10.153.0.57 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

ldap attribute-map 1-Webmail

map-name memberOf IETF-Radius-Class

dynamic-access-policy-record DfltAccessPolicy

aaa-server Jud-ldap protocol ldap

aaa-server Jud-ldap (inside) host 10.6.10.110

ldap-base-dn DC=Jud,DC=local

ldap-group-base-dn DC=Jud,DC=local

ldap-scope subtree

ldap-naming-attribute sAMAccountName

ldap-login-password *****

ldap-login-dn CN=svc-Cisco_ASA_LDAP,OU=Service,OU=Users,OU=Jud,DC=Jud,DC=local

server-type microsoft

aaa-server Jud-ldap (inside) host 10.6.10.111

timeout 5

ldap-base-dn DC=Jud,DC=local

ldap-group-base-dn DC=Jud,DC=local

ldap-scope subtree

ldap-naming-attribute sAMAccountName

ldap-login-password *****

ldap-login-dn CN=svc-Cisco_ASA_LDAP,OU=Service,OU=Users,OU=Jud,DC=Jud,DC=local

server-type microsoft

user-identity default-domain LOCAL

aaa authentication enable console LOCAL

aaa authentication http console LOCAL

aaa authentication ssh console LOCAL

aaa authorization command LOCAL

http server enable 9443

http 0.0.0.0 0.0.0.0 inside

http 0.0.0.0 0.0.0.0 outside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ipsec security-association pmtu-aging infinite

crypto ca trustpoint ASDM_TrustPoint0

enrollment self

subject-name CN=Jud

crl configure

crypto ca trustpool policy

crypto ca certificate chain ASDM_TrustPoint0

certificate 4e079651

quit

crypto ikev2 remote-access trustpoint ASDM_TrustPoint0

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 outside

ssh 0.0.0.0 0.0.0.0 inside

ssh timeout 5

ssh key-exchange group dh-group1-sha1

console timeout 0

management-access inside

dhcpd auto_config outside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ntp server 10.6.10.110 source inside prefer

ntp server 10.6.10.111 source inside

ssl trust-point ASDM_TrustPoint0 outside

webvpn

enable outside

anyconnect-essentials

anyconnect image disk0:/anyconnect-win-3.1.03103-k9.pkg 1

anyconnect image disk0:/anyconnect-macosx-i386-2.4.1012-k9.pkg 2 regex "Intel Mac OS X"

anyconnect enable

tunnel-group-list enable

group-policy DfltGrpPolicy attributes

vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless

split-tunnel-policy tunnelspecified

ipv6-split-tunnel-policy tunnelspecified

split-tunnel-network-list value INTERNAL_10.6.0.0_16

group-policy GroupPolicy_1-Webmail internal

group-policy GroupPolicy_1-Webmail attributes

wins-server none

dns-server value 10.6.10.110 10.6.10.111

vpn-tunnel-protocol ssl-client

default-domain value jud.local

username Admin password hD9NaKiPiFEXFQxL encrypted privilege 15

tunnel-group 1-Webmail type remote-access

tunnel-group 1-Webmail general-attributes

address-pool DHCP-VPN-10.255.255.0_24

authentication-server-group Jud-ldap

default-group-policy GroupPolicy_1-Webmail

tunnel-group 1-Webmail webvpn-attributes

group-alias 1-Webmail enable

!

class-map inspection_default

match default-inspection-traffic

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect ip-options

Jouni Forss · ‎07-17-2013

Hi,

Removing the "route-lookup" should only affect the connections aimed at the "inside" interface. Its needed if you plan to manage the firewall through the VPN connections using the "inside" interface IP address.

I would still like to see the actual "packet-tracer" command output. Without it I am quite blind to what is actually happening with your connection attempts.

All I can say is that the NAT configurations seems correct if you want to connect from the VPN Client to the inside network range of 10.6.0.0/16

Also the most common reasons that ICMP tests fail would be that the ICMP Echo is blocked on either the actual target device or some other device in between OR that there is something wrong with the routing. For example if you had accidentally configured 10-network with /8 mask somewhere internally the return traffic to VPN Pool would fail. Then again you seem to have another link with route for 10.0.0.0/8 so in that case that wouldnt work either, so probably not the case here.

- Jouni

View solution in original post

Jouni Forss · ‎07-16-2013

Hi,

The NAT looks fine, even though I would personally define the actual source interface for the NAT rather than use "any"

The most typical reason that ICMP fails through a Cisco firewall is lacking the ICMP Inspection, which is disabled by default

You could try adding the following and see if it makes any difference

policy-map global_policy

class inspection_default

inspect icmp

inspect icmp error

- Jouni

Djurre Woudstra · ‎07-17-2013

Hi JouniForss,

Thanks for you reply,

No luck with the inspect, unfortunately

Jouni Forss · ‎07-17-2013

Hi,

So have you confirmed that the traffic comes to the ASA through the VPN connection?

Can you tell us what is the specific network/host to which you are attempting connections to?

Have you tried to connect to several different hosts to rule out maybe some software firewall preventing the connections?

- Jouni

Djurre Woudstra · ‎07-17-2013

Hi Jouni,

I can ping the 10.6.240.1 ip if i connect the VPN but nothing beyond that. and i see the counters increase.

The VPN IP address is added to the routing table on the ASA.

- Djurre

Jouni Forss · ‎07-17-2013

Hi,

Does the router behind the ASAs "inside" interface have connections anywhere else? Is it possible that the traffic back to the VPN Client pool is forwarded somewhere else on the internal router?

When you have the VPN Client connected you could always run the "packet-tracer" command

packet-tracer input inside icmp 8 0

You can also do the same for the other direction where the input interface is "outside"

packet-tracer input outside icmp 8 0

Naturally use the IP address assigned to the users in the above commands.

- Jouni

Djurre Woudstra · ‎07-17-2013

Don't see how, as i do have internet connectivity and the subnet 10.255.255.0/24 is not used anywhere else

Jouni Forss · ‎07-17-2013

Hi,

Did you change the "nat" configuration I mentioned initially?

nat (any,outside) source static obj-10.6.0.0 obj-10.6.0.0 destination static obj-10.255.255.0 obj-10.255.255.0 no-proxy-arp route-lookup

Maybe you could even try this

nat (inside,outside) source static obj-10.6.0.0 obj-10.6.0.0 destination static obj-10.255.255.0 obj-10.255.255.0

Incase the NAT is causing some problems or there is something with the route lookup even though the ASA should have a more specific route for the VPN pool and choose that over the 10.0.0.0/8 route you have in place staticly on the ASA.

If the above change doesnt do anything then I would suggest running the "packet-tracer" commands through to see what the ASA does to the traffic you are testing.

- Jouni

Djurre Woudstra · ‎07-17-2013

Tried nat (inside,outside) source static obj-10.6.0.0 obj-10.6.0.0 destination static obj-10.255.255.0 obj-10.255.255.0

But without the route-lookup at the end i'm not able to even ping the firewall.

I did a packet trace and i just don't see any returning trafic :-(

Jouni Forss · ‎07-17-2013

Hi,

Removing the "route-lookup" should only affect the connections aimed at the "inside" interface. Its needed if you plan to manage the firewall through the VPN connections using the "inside" interface IP address.

I would still like to see the actual "packet-tracer" command output. Without it I am quite blind to what is actually happening with your connection attempts.

All I can say is that the NAT configurations seems correct if you want to connect from the VPN Client to the inside network range of 10.6.0.0/16

Also the most common reasons that ICMP tests fail would be that the ICMP Echo is blocked on either the actual target device or some other device in between OR that there is something wrong with the routing. For example if you had accidentally configured 10-network with /8 mask somewhere internally the return traffic to VPN Pool would fail. Then again you seem to have another link with route for 10.0.0.0/8 so in that case that wouldnt work either, so probably not the case here.

- Jouni

Djurre Woudstra · ‎12-20-2015

Sorry for the late reply It

It was in a routing issue in the core switch,

Thank you for your time! Jouni

ASA 5505 Anyconnect no return traffic/can't ping anything beyond firewall