ASA 5515X VPN Client Cannot See internal network

dlo00011
Level 1

Hi Guys,

I recently configured our ASA 5515X firewall with AnyConnect VPN.

The VPN client can log in and connect to the internet, since all traffic is tunnelled.

However, the VPN clients (192.168.150.0/24) cannot see the internal network on 192.168.0.0/24 (inside).


See attached for running-config

 

Can anyone please assist ? 

Accepted Solution

Am I right in thinking that you have 2 ISPs? One via ASA and the second via the Gateway. 

 

The issue you are having is due to the return traffic from the servers going to the gateway and getting dropped there because it doesn't have the route to 192.168.150.0/24. 

 

192.168.150.15 >>> ASA >>> Server >>> Gateway >>> Dropped 

 

Option 1

 

If the ASA inside interface is on the same VLAN as 192.168.0.0/24, change the gateway on one of the servers from 192.168.0.1 to 192.168.0.10 for testing. After the change, you should be able to reach the internal network via the VPN.

 

Example - 192.168.150.15 >> ASA >> Server >>>>> ASA >>>192.168.150.15

 

Option 2

 

Add a static route on the gateway, assuming the gateway, the ASA inside interface and the servers are on the same VLAN.

route 192.168.150.0 255.255.255.0 192.168.0.10

 

 

Please let me know how it goes.
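The asymmetric path the accepted answer describes, traced hop by hop as an added example (this is not code from the thread, from the posters, or from Cisco). It assumes the addressing used in the thread: VPN pool 192.168.150.0/24, ASA inside interface 192.168.0.10 and outside 74.10.177.111, second gateway 192.168.0.1, a server at 192.168.0.79 and a client at 192.168.150.15. The two ISP next hops (198.51.100.1 and 203.0.113.1) are constructed placeholders, and the ISP hop simply stands in for wherever a reply to private address space is finally discarded. `build()` takes the answer's two repairs as parameters: `server_gateway="192.168.0.10"` is Option 1, `gateway_vpn_route=True` is Option 2.

```python
"""Hop-by-hop trace of a VPN client's packet and the server's reply (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

CONNECTED = "connected"  # directly attached: deliver to whichever node owns the address


@dataclass
class Node:
    name: str
    addresses: set                  # IPv4Address objects this device answers for
    routes: List[Tuple[str, str]]   # (prefix, next-hop IP) or (prefix, CONNECTED)

    def lookup(self, dst: ipaddress.IPv4Address) -> Optional[str]:
        """Longest-prefix match; None when nothing covers dst."""
        best = None
        for prefix, next_hop in self.routes:
            network = ipaddress.ip_network(prefix)
            if dst in network and (best is None or network.prefixlen > best[0].prefixlen):
                best = (network, next_hop)
        return None if best is None else best[1]


def owner(nodes: Dict[str, Node], ip: ipaddress.IPv4Address) -> Optional[str]:
    return next((n.name for n in nodes.values() if ip in n.addresses), None)


def trace(nodes: Dict[str, Node], src: str, dst_ip: str, max_hops: int = 8) -> Tuple[List[str], str]:
    """Forward one packet from node `src` towards dst_ip; return (path, outcome)."""
    dst = ipaddress.ip_address(dst_ip)
    path, current = [src], src
    for _ in range(max_hops):
        node = nodes[current]
        if dst in node.addresses:
            return path, "DELIVERED"
        next_hop = node.lookup(dst)
        if next_hop is None:
            return path, f"DROP: no route at {current}"
        target = owner(nodes, dst if next_hop == CONNECTED else ipaddress.ip_address(next_hop))
        if target is None:
            return path, f"DROP: {current} cannot reach next hop {next_hop}"
        path.append(target)
        current = target
    return path, "DROP: hop limit"


def build(server_gateway: str = "192.168.0.1", gateway_vpn_route: bool = False) -> Dict[str, Node]:
    """Topology from the thread. server_gateway="192.168.0.10" is Option 1;
    gateway_vpn_route=True is Option 2 (route 192.168.150.0 255.255.255.0 192.168.0.10)."""
    def node(name, addrs, routes):
        return Node(name, {ipaddress.ip_address(a) for a in addrs}, routes)

    gateway_routes = [("192.168.0.0/24", CONNECTED), ("0.0.0.0/0", "203.0.113.1")]
    if gateway_vpn_route:
        gateway_routes.append(("192.168.150.0/24", "192.168.0.10"))
    nodes = [
        node("client", ["192.168.150.15"], [("0.0.0.0/0", "74.10.177.111")]),  # tunnel-all
        node("asa", ["192.168.0.10", "74.10.177.111"],
             [("192.168.150.0/24", CONNECTED),   # VPN pool, delivered over the tunnel
              ("192.168.0.0/24", CONNECTED),
              ("0.0.0.0/0", "198.51.100.1")]),
        node("server", ["192.168.0.79"],
             [("192.168.0.0/24", CONNECTED), ("0.0.0.0/0", server_gateway)]),
        node("gateway", ["192.168.0.1"], gateway_routes),
        # Constructed ISP next hops; neither carries a route for RFC 1918 space.
        node("isp1", ["198.51.100.1"], []),
        node("isp2", ["203.0.113.1"], []),
    ]
    return {n.name: n for n in nodes}


def round_trip(nodes: Dict[str, Node], client_ip: str = "192.168.150.15",
               server_ip: str = "192.168.0.79"):
    """(forward trace client->server, return trace server->client)."""
    return trace(nodes, "client", server_ip), trace(nodes, "server", client_ip)


if __name__ == "__main__":
    scenarios = [("as posted", build()),
                 ("option 1: server gateway -> ASA", build(server_gateway="192.168.0.10")),
                 ("option 2: static route on gateway", build(gateway_vpn_route=True))]
    for label, topology in scenarios:
        forward, back = round_trip(topology)
        print(f"{label}\n  forward: {forward}\n  return:  {back}")
```

Run it directly to print the three scenarios. The point for real troubleshooting: packet-tracer on the ASA reports `allow` in every one of these cases because the ASA never sees the reply; the drop happens on a device whose routing table the ASA cannot inspect, so check the servers' default gateway and the gateway's route table before spending more time on NAT.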

25 Replies

@dlo00011 

Why do you have a static route for the VPN network via the inside interface? Remove it.

no route inside 192.168.150.0 255.255.255.0 192.168.0.1 1

You'll need a NAT exemption rule to ensure that traffic is not unintentionally NATted by the other NAT rules.

nat (INSIDE,OUTSIDE) source static inside-host inside-host destination static VPN VPN no-proxy-arp  

 

dlo00011
Level 1

Hi, thanks,

But I am still unable to see the inside network.

How are you testing?

Provide the output of "show nat detail" and run packet-tracer from the CLI to simulate the packet.

Result of the command: "show nat detail"

Manual NAT Policies (Section 1)
1 (inside) to (outside) source dynamic inside_192.168.0.10 inside_192.168.0.10 inactive
translate_hits = 0, untranslate_hits = 0
Source - Origin: 192.168.0.10/32, Translated: 192.168.0.10/32
2 (outside) to (inside) source static VPN VPN
translate_hits = 187, untranslate_hits = 0
Source - Origin: 192.168.150.0/24, Translated: 192.168.150.0/24
3 (inside) to (outside) source static inside-host inside-host destination static VPN VPN no-proxy-arp description prevent self nat
translate_hits = 0, untranslate_hits = 0
Source - Origin: 192.168.0.0/24, Translated: 192.168.0.0/24
Destination - Origin: 192.168.150.0/24, Translated: 192.168.150.0/24

Auto NAT Policies (Section 2)
1 (any) to (outside) source dynamic inside_nat interface
translate_hits = 234, untranslate_hits = 8
Source - Origin: 192.168.0.0/24, Translated: 74.10.177.111/24
2 (outside) to (outside) source dynamic VPN interface
translate_hits = 10391, untranslate_hits = 5345
Source - Origin: 192.168.150.0/24, Translated: 74.10.177.111/24

Manual NAT Policies (Section 3)
1 (inside) to (outside) source dynamic any interface inactive
translate_hits = 0, untranslate_hits = 0
Source - Origin: 0.0.0.0/0, Translated: 74.10.177.111/24

 

 

Packet Tracer Information:

 

Result of the command: "packet-tracer input inside rawip 192.168.150.100 0 192.168.0.79"

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.0.0 255.255.255.0 inside

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

 

 

 

Hi,

I just replicated your config on my lab and was able to reach Inside hosts (192.168.0.0/24) while connected to the VPN. (Please see the screenshot)

 

I made the changes suggested by Rob:

  1. Remove the static route
  2. Add manual NAT - nat (inside,outside) source static inside_nat inside_nat destination static VPN VPN no-proxy-arp

Can you please run a packet-tracer once you are connected to the VPN? Let's say the IP you have received while connected to the VPN is 192.168.150.110 and the inside host IP is 192.168.0.15.

 

# packet-tracer input outside tcp 192.168.150.110 25000 192.168.0.15 80

 

Thanks

Suresh

 

 

 

Hi Vsurresh, 

 

See below.

 

Result of the command: "packet-tracer input outside tcp 192.168.150.110 25000 192.168.0.15 80"

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.0.0 255.255.255.0 inside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group traffic_out in interface outside
access-list traffic_out extended permit ip object VPN object inside-host
Additional Information:

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (outside,inside) source static VPN VPN
Additional Information:
Static translate 192.168.150.110/25000 to 192.168.150.110/25000

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (outside,inside) source static VPN VPN
Additional Information:

Phase: 8
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 16890, packet dispatched to next module

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

 

Could you also please run packet-tracer in the opposite direction? (Please make sure the ACL permits the traffic for testing if not, add a test ACL)

 

# packet-tracer input inside tcp 192.168.0.15 15000 192.168.150.110 22

Thanks

Suresh

 

Hi Suresh, 

 

Result of the command: "packet-tracer input inside tcp 192.168.0.15 15000 192.168.150.110 22"

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (outside,inside) source static VPN VPN
Additional Information:
NAT divert to egress interface outside
Untranslate 192.168.150.110/22 to 192.168.150.110/22

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip 192.168.0.0 255.255.255.0 any
Additional Information:

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (outside,inside) source static VPN VPN
Additional Information:
Static translate 192.168.0.15/15000 to 192.168.0.15/15000

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (outside,inside) source static VPN VPN
Additional Information:

Phase: 8
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 19482, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

@dlo00011 

The packet-tracer confirms "allow", so how are you testing with real traffic?

Are you pinging a device on the inside network?

Does that device have a local firewall enabled?

Is this ASA the default gateway for all traffic?

 

The output above confirms that you aren't matching the NAT exemption rule #3 (in either direction), but from outside to inside you are matching manual nat rule #2. It looks like the inside traffic is not replying, I'd expect it to match rule #3.
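Why rule #2 wins over the exemption rule #3 in both directions, shown as an added example (not code from the thread, the posters, or Cisco): a small parser for the `show nat detail` output posted above, plus a first-match lookup that walks the sections in the order the ASA prints them. Two facts explain the packet-tracer output in this thread: rules marked `inactive` are skipped, and a static twice-NAT rule also matches traffic travelling the other way (it untranslates), so `nat (outside,inside) source static VPN VPN` (Section 1, rule 2) claims inside-to-VPN traffic before rule 3 is ever consulted. Assumptions: the egress interface is passed in by the caller rather than derived from the routing table, dynamic rules are matched only in the forward direction, the hit-counter lines are omitted from the embedded copy of the output, and 203.0.113.10 is a constructed stand-in for an internet destination.

```python
"""Replay ASA NAT rule selection over a pasted 'show nat detail' (added example)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Rule table as posted in the thread, hit-counter lines removed.
SHOW_NAT = """\
Manual NAT Policies (Section 1)
1 (inside) to (outside) source dynamic inside_192.168.0.10 inside_192.168.0.10 inactive
Source - Origin: 192.168.0.10/32, Translated: 192.168.0.10/32
2 (outside) to (inside) source static VPN VPN
Source - Origin: 192.168.150.0/24, Translated: 192.168.150.0/24
3 (inside) to (outside) source static inside-host inside-host destination static VPN VPN no-proxy-arp description prevent self nat
Source - Origin: 192.168.0.0/24, Translated: 192.168.0.0/24
Destination - Origin: 192.168.150.0/24, Translated: 192.168.150.0/24

Auto NAT Policies (Section 2)
1 (any) to (outside) source dynamic inside_nat interface
Source - Origin: 192.168.0.0/24, Translated: 74.10.177.111/24
2 (outside) to (outside) source dynamic VPN interface
Source - Origin: 192.168.150.0/24, Translated: 74.10.177.111/24

Manual NAT Policies (Section 3)
1 (inside) to (outside) source dynamic any interface inactive
Source - Origin: 0.0.0.0/0, Translated: 74.10.177.111/24
"""

SECTION_RE = re.compile(r"^(?:Manual|Auto) NAT Policies \(Section (\d)\)")
RULE_RE = re.compile(r"^(\d+) \((\S+)\) to \((\S+)\) source (static|dynamic) \S+ \S+"
                     r"(?: destination static \S+ \S+)?(.*)$")
SRC_RE = re.compile(r"^Source - Origin: (\S+), Translated: (\S+)")
DST_RE = re.compile(r"^Destination - Origin: (\S+), Translated: (\S+)")


def net(text: str) -> ipaddress.IPv4Network:
    # Interface PAT is printed as "74.10.177.111/24"; strict=False accepts the host bits.
    return ipaddress.ip_network(text, strict=False)


@dataclass
class NatRule:
    section: int
    number: int
    src_ifc: str
    dst_ifc: str
    static: bool
    inactive: bool
    src_orig: Optional[ipaddress.IPv4Network] = None
    src_xlat: Optional[ipaddress.IPv4Network] = None
    dst_orig: Optional[ipaddress.IPv4Network] = None   # None: any destination
    dst_xlat: Optional[ipaddress.IPv4Network] = None


def parse_show_nat(output: str) -> List[NatRule]:
    """Rules in display order, which is the order the ASA evaluates them."""
    rules, section = [], 0
    for line in (raw.strip() for raw in output.splitlines()):
        if m := SECTION_RE.match(line):
            section = int(m.group(1))
        elif m := RULE_RE.match(line):
            rules.append(NatRule(section, int(m.group(1)), m.group(2), m.group(3),
                                 m.group(4) == "static", "inactive" in m.group(5).split()))
        elif m := SRC_RE.match(line):
            rules[-1].src_orig, rules[-1].src_xlat = net(m.group(1)), net(m.group(2))
        elif m := DST_RE.match(line):
            rules[-1].dst_orig, rules[-1].dst_xlat = net(m.group(1)), net(m.group(2))
    return rules


def _ifc(rule_ifc: str, ifc: str) -> bool:
    return rule_ifc in ("any", ifc)


def _in(network: Optional[ipaddress.IPv4Network], ip: ipaddress.IPv4Address) -> bool:
    return network is None or ip in network


def match_direction(rule: NatRule, ingress: str, egress: str, src, dst) -> Optional[str]:
    """'forward', 'reverse' (static rules untranslate the other way) or None."""
    if rule.inactive:
        return None
    if (_ifc(rule.src_ifc, ingress) and _ifc(rule.dst_ifc, egress)
            and _in(rule.src_orig, src) and _in(rule.dst_orig, dst)):
        return "forward"
    if (rule.static and _ifc(rule.dst_ifc, ingress) and _ifc(rule.src_ifc, egress)
            and _in(rule.src_xlat, dst) and _in(rule.dst_xlat, src)):
        return "reverse"
    return None


def nat_lookup(rules: List[NatRule], ingress: str, egress: str, src_ip: str, dst_ip: str):
    """First matching rule as (section, number, direction), or None when no rule applies."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in sorted(rules, key=lambda r: (r.section, r.number)):
        direction = match_direction(rule, ingress, egress, src, dst)
        if direction:
            return rule.section, rule.number, direction
    return None


if __name__ == "__main__":
    rules = parse_show_nat(SHOW_NAT)
    without_rule2 = [r for r in rules if (r.section, r.number) != (1, 2)]
    flows = [("outside", "inside", "192.168.150.110", "192.168.0.15"),   # VPN -> inside
             ("inside", "outside", "192.168.0.15", "192.168.150.110"),   # inside -> VPN
             ("outside", "outside", "192.168.150.110", "203.0.113.10")]  # VPN -> internet (hairpin)
    for flow in flows:
        print(flow, "with #2:", nat_lookup(rules, *flow), "without #2:", nat_lookup(without_rule2, *flow))
```

Removing rule 2 makes both directions land on the exemption rule 3, which is what the later packet-tracer output in this thread shows. Remove rule 3 as well and inside-to-VPN traffic falls through to Section 2 rule 1, the interface PAT: that is the self-NAT the `no-proxy-arp` exemption exists to prevent.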

Hi Rob, 

 

Yes, I tried to ping several machines on the internal network and attempted to visit a few internal web servers. 

Unfortunately, I got no response. I brought down the firewall for some of the machines too. 

Yes, the ASA is the default gateway for internet traffic. 

Disable rule #2 and re-test; traffic should match NAT rule #3.

Enable "debug icmp trace" and then run a ping from an AnyConnect client to an inside device, and provide the debug output.

Provide the output of "show nat detail".

Hi Rob, 

 

I am unable to run debug icmp trace on the CLI since I am having issues connecting to the ASA over serial.

I am currently using ASDM. The machines are still not responding. I notice I cannot ping 192.168.0.10 (the inside interface) anymore as a VPN client after removing NAT #2. This is the best log detail I can get for the ICMP request.

 

6 Jan 15 2021 18:30:56 302020 192.168.150.100 49117 192.168.0.111 0 Built inbound ICMP connection for faddr 192.168.150.100/49117(LOCAL\dummyuser) gaddr 192.168.0.111/0 laddr 192.168.0.111/0 (dummyuser)

 

 

Result of the command: "show nat detail"

Manual NAT Policies (Section 1)
1 (inside) to (outside) source dynamic inside_192.168.0.10 inside_192.168.0.10 inactive
translate_hits = 0, untranslate_hits = 0
Source - Origin: 192.168.0.10/32, Translated: 192.168.0.10/32
2 (outside) to (inside) source static VPN VPN inactive
translate_hits = 0, untranslate_hits = 0
Source - Origin: 192.168.150.0/24, Translated: 192.168.150.0/24
3 (inside) to (outside) source static inside-host inside-host destination static VPN VPN no-proxy-arp description prevent self nat
translate_hits = 6, untranslate_hits = 23
Source - Origin: 192.168.0.0/24, Translated: 192.168.0.0/24
Destination - Origin: 192.168.150.0/24, Translated: 192.168.150.0/24

Auto NAT Policies (Section 2)
1 (any) to (outside) source dynamic inside_nat interface
translate_hits = 234, untranslate_hits = 8
Source - Origin: 192.168.0.0/24, Translated: 74.10.177.111/24
2 (outside) to (outside) source dynamic VPN interface
translate_hits = 12445, untranslate_hits = 6722
Source - Origin: 192.168.150.0/24, Translated: 74.10.177.111/24

Manual NAT Policies (Section 3)
1 (inside) to (outside) source dynamic any interface inactive
translate_hits = 0, untranslate_hits = 0
Source - Origin: 0.0.0.0/0, Translated: 74.10.177.111/24

 

 

As all suggest, this is a NAT issue.
When using packet-tracer, use it with the detail keyword; it will let us know which NAT rule the traffic uses.

Please share it here.

See below. This is with NAT #2 enabled.

 

Result of the command: "packet-tracer input inside tcp 192.168.0.15 15000 192.168.150.110 22 detail"

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (outside,inside) source static VPN VPN
Additional Information:
NAT divert to egress interface outside
Untranslate 192.168.150.110/22 to 192.168.150.110/22

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip 192.168.0.0 255.255.255.0 any
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff2b0cd330, priority=13, domain=permit, deny=false
hits=4, user_data=0x7fff2376db00, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=192.168.0.0, mask=255.255.255.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=any

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (outside,inside) source static VPN VPN
Additional Information:
Static translate 192.168.0.15/15000 to 192.168.0.15/15000
Forward Flow based lookup yields rule:
in id=0x7fff2a6d7290, priority=6, domain=nat, deny=false
hits=4, user_data=0x7fff217f7f20, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=192.168.150.0, mask=255.255.255.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=outside

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff2a26d2c0, priority=1, domain=nat-per-session, deny=true
hits=23787, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff2a65c130, priority=0, domain=inspect-ip-options, deny=true
hits=930, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=any

Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff2a675a80, priority=13, domain=ipsec-tunnel-flow, deny=true
hits=669, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=any

Phase: 7
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (outside,inside) source static VPN VPN
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7fff29387950, priority=6, domain=nat-reverse, deny=false
hits=5, user_data=0x7fff29385c70, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=192.168.150.0, mask=255.255.255.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=outside

Phase: 8
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7fff2a26d2c0, priority=1, domain=nat-per-session, deny=true
hits=23789, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7fff2a604480, priority=0, domain=inspect-ip-options, deny=true
hits=33970, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any

Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 23463, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

 

 

 

This is without NAT rule #2.

 

Result of the command: "packet-tracer input inside tcp 192.168.0.15 15000 192.168.150.110 22 detail"

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static inside-host inside-host destination static VPN VPN no-proxy-arp description prevent self nat
Additional Information:
NAT divert to egress interface outside
Untranslate 192.168.150.110/22 to 192.168.150.110/22

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip 192.168.0.0 255.255.255.0 any
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff2b0cd330, priority=13, domain=permit, deny=false
hits=5, user_data=0x7fff2376db00, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=192.168.0.0, mask=255.255.255.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=any

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static inside-host inside-host destination static VPN VPN no-proxy-arp description prevent self nat
Additional Information:
Static translate 192.168.0.15/15000 to 192.168.0.15/15000
Forward Flow based lookup yields rule:
in id=0x7fff29b90e50, priority=6, domain=nat, deny=false
hits=0, user_data=0x7fff217de0e0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=192.168.0.0, mask=255.255.255.0, port=0, tag=0
dst ip/id=192.168.150.0, mask=255.255.255.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=outside

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff2a26d2c0, priority=1, domain=nat-per-session, deny=true
hits=23940, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff2a65c130, priority=0, domain=inspect-ip-options, deny=true
hits=931, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=any

Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff2a675a80, priority=13, domain=ipsec-tunnel-flow, deny=true
hits=670, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=any

Phase: 7
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source static inside-host inside-host destination static VPN VPN no-proxy-arp description prevent self nat
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7fff29d4ef70, priority=6, domain=nat-reverse, deny=false
hits=1, user_data=0x7fff2cbcafa0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=192.168.0.0, mask=255.255.255.0, port=0, tag=0
dst ip/id=192.168.150.0, mask=255.255.255.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=outside

Phase: 8
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7fff2a26d2c0, priority=1, domain=nat-per-session, deny=true
hits=23942, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7fff2a604480, priority=0, domain=inspect-ip-options, deny=true
hits=34142, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any

Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 23612, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow