01-15-2021 11:43 AM
Hi Guys,
I recently configured our ASA 5515-X firewall with AnyConnect VPN.
The VPN client can log in and connect to the internet, since it tunnels all traffic.
However, the VPN clients (192.168.150.0/24) cannot see the internal network on 192.168.0.0/24 (inside).
See attached for running-config.
Can anyone please assist?
01-15-2021 04:11 PM
This is the reverse with NAT #2 disabled:
Result of the command: "packet-tracer input outside tcp 192.168.150.110 25000 192.168.0.15 80"
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static inside-host inside-host destination static VPN VPN no-proxy-arp description prevent self nat
Additional Information:
NAT divert to egress interface inside
Untranslate 192.168.0.15/80 to 192.168.0.15/80
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group traffic_out in interface outside
access-list traffic_out extended permit ip object VPN object inside-host
Additional Information:
Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static inside-host inside-host destination static VPN VPN no-proxy-arp description prevent self nat
Additional Information:
Static translate 192.168.150.110/25000 to 192.168.150.110/25000
Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source static inside-host inside-host destination static VPN VPN no-proxy-arp description prevent self nat
Additional Information:
Phase: 8
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 23678, packet dispatched to next module
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
This is the reverse with NAT #2 enabled:
Result of the command: "packet-tracer input outside tcp 192.168.150.110 25000 192.168.0.15 80"
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.0.0 255.255.255.0 inside
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group traffic_out in interface outside
access-list traffic_out extended permit ip object VPN object inside-host
Additional Information:
Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (outside,inside) source static VPN VPN
Additional Information:
Static translate 192.168.150.110/25000 to 192.168.150.110/25000
Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (outside,inside) source static VPN VPN
Additional Information:
Phase: 8
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 23740, packet dispatched to next module
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
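Both traces above end in "Action: allow"; the only visible difference is what sends the packet to the inside interface (the identity NAT with its "NAT divert" when NAT #2 is disabled, a plain ROUTE-LOOKUP when it is enabled). Picking that out of 80 lines by eye is error-prone, so here is a small parser, added as an example for this thread and not code from the posts or from Cisco, that reports the verdict, the first non-ALLOW phase, the Drop-reason, the NAT and ACL rules that matched, and whether a NAT divert occurred. The ALLOW sample is an abbreviated copy of the first trace above; the DROP sample is constructed (the thread never hit it) to show the shape of the output when the outside ACL denies the flow.

```python
# Added example for this thread (not code from the posts or from Cisco): parse ASA
# packet-tracer output so two traces can be compared at a glance.
import re


def parse_packet_tracer(text):
    """Return {"command", "phases": [per-phase dicts], "tail": closing Result block}."""
    trace = {"command": "", "phases": [], "tail": {}}
    cur = section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r'Result of the command:\s*"(.*)"', line)
        if m:
            trace["command"] = m.group(1)
        elif re.fullmatch(r"Phase:\s*\d+", line):
            cur = {"number": int(line.split(":")[1]), "type": "", "subtype": "",
                   "result": "", "config": [], "info": []}
            trace["phases"].append(cur)
            section = None
        elif line == "Result:":  # a bare "Result:" opens the closing summary block
            cur, section = None, "tail"
        elif cur is not None:
            key, _, val = line.partition(":")
            if key in ("Type", "Subtype", "Result"):
                cur[key.lower()] = val.strip()
            elif line in ("Config:", "Additional Information:"):
                section = "config" if line == "Config:" else "info"
            elif section:  # free-form lines under Config: / Additional Information:
                cur[section].append(line)
        elif section == "tail":  # "input-interface: outside", "Action: allow", "Drop-reason: ..."
            key, _, val = line.partition(":")
            trace["tail"][key.strip().lower()] = val.strip()
    return trace


def summarize(trace):
    """The fields an operator reads first when comparing two traces."""
    phases = trace["phases"]
    deny = next((p for p in phases if p["result"].upper() != "ALLOW"), None)
    return {
        "action": trace["tail"].get("action", "").lower(),
        "deny_phase": None if deny is None else (deny["number"], deny["type"]),
        "drop_reason": trace["tail"].get("drop-reason"),
        "nat_rules": sorted({c for p in phases if p["type"] in ("NAT", "UN-NAT")
                             for c in p["config"] if c.startswith("nat ")}),
        "acl_rules": [c for p in phases if p["type"] == "ACCESS-LIST"
                      for c in p["config"] if c.startswith("access-list ")],
        "nat_divert": any(i.startswith("NAT divert") for p in phases for i in p["info"]),
    }


# Abbreviated copy of the first trace posted above (NAT #2 disabled).
TRACE_ALLOW = """\
Result of the command: "packet-tracer input outside tcp 192.168.150.110 25000 192.168.0.15 80"
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static inside-host inside-host destination static VPN VPN no-proxy-arp description prevent self nat
Additional Information:
NAT divert to egress interface inside
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group traffic_out in interface outside
access-list traffic_out extended permit ip object VPN object inside-host
Additional Information:
Result:
input-interface: outside
output-interface: inside
Action: allow
"""

# Constructed (not from the thread), earlier phases elided: the same flow when the
# outside ACL has no permit for the VPN subnet, so the ACL phase is DROP.
TRACE_DROP = """\
Result of the command: "packet-tracer input outside tcp 192.168.150.110 25000 192.168.0.15 80"
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

if __name__ == "__main__":
    print(*(summarize(parse_packet_tracer(t)) for t in (TRACE_ALLOW, TRACE_DROP)), sep="\n")
```

One caveat worth keeping in mind while reading the output: an "allow" verdict only proves the ASA would forward that one packet. It says nothing about whether the reply from 192.168.0.15 ever comes back through the ASA, which is where this thread's problem actually sits.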
01-15-2021 05:52 PM
route inside 192.168.150.0 255.255.255.0 192.168.0.1 1 <- this is wrong
The VPN IP addresses terminate on the ASA, so any VPN connection is a local connection; no route is needed.
Please remove this route and use the manual NAT "static Inside Inside VPN VPN".
NOTE: you need this route only on the router connected to the ASA, not on the ASA itself.
01-15-2021 07:21 PM
Hi,
I currently have the ASA internal network (192.168.0.10) connected to a switch in L2 mode.
Within the existing 192.168.0.0/24 network I have a gateway at 192.168.0.7 which handles traffic for that network.
Would I need to create the route 192.168.150.0 255.255.255.0 192.168.0.1 1 in the 192.168.0.7 gateway?
01-15-2021 07:45 PM - edited 01-15-2021 07:52 PM
192.168.150.0 is the subnet of the VPN; no route for it needs to be configured in the ASA.
Only remove this route and try to connect from the VPN to inside.
One note: if you connect any L3 switch or router to the ASA, you must configure a route for the VPN subnet toward the ASA.
01-16-2021 02:11 AM
Hey.
Where is 192.168.0.7 configured? What is the default gateway for the hosts, 192.168.0.7 or 192.168.0.10?
If you have a default gateway of 192.168.0.7 in a router then you need a static route there:
route 192.168.150.0 255.255.255.0 192.168.0.1 10 (Assuming IP address of inside interface is 192.168.0.10)
Regards
Suresh
01-16-2021 07:18 AM - edited 01-16-2021 07:21 AM
Hi Suresh,
Correction, 192.168.0.7 is meant to be 192.168.0.1 which is the gateway on the existing network.
I think I may have confused myself with the network setup.
Currently the ASA inside interface has the IP of 192.168.0.10 and this is connected to a Cisco switch (layer 2) which has the subnet 192.168.0.0/24. The 192.168.0.10 (inside) currently uses the ASA outside interface for internet (default gateway). Within the existing network of 192.168.0.0/24 all traffic goes through a gateway of 192.168.0.1 for internet.
I hope this gives a better idea.
So I assume I would need to include a route for the VPN as route 192.168.150.0 255.255.255.0 192.168.0.1 10 within my gateway at 192.168.0.1?
Or do I need to do a VLAN connection between the ASA and the Cisco switch ?
01-16-2021 07:37 AM
What I would do is, connect the ASA inside interface to the same VLAN as 192.168.0.0/24 and make the ASA as the default gateway. I'm not sure if this would fit in with your current set up.
So, internet traffic would go through the ASA. Are you able to attach a diagram? I just want to make sure that I'm not misleading you.
01-16-2021 07:50 AM
01-16-2021 08:54 AM
Am I right in thinking that you have 2 ISPs? One via ASA and the second via the Gateway.
The issue you are having is due to the return traffic from the servers going to the gateway and getting dropped there because it doesn't have the route to 192.168.150.0/24.
192.168.150.15 >>> ASA >>> Server >>> Gateway >>> Dropped
Option 1
If the ASA Inside interface is on the same VLAN as 192.168.0.0/24, you change the gateway on one of the servers from 192.168.0.1 to 192.168.0.10 for testing. After the change, you should be able to reach the internal network via the VPN.
Example - 192.168.150.15 >> ASA >> Server >>>>> ASA >>>192.168.150.15
Option 2
Add a static route on the Gateway assuming Gateway, ASA Inside Interface and the servers are on the same VLAN.
route 192.168.150.0 255.255.255.0 192.168.0.10
Please let me know how it goes.
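Suresh's diagnosis and both fixes, as a toy forwarding model added here (not code from the thread or from Cisco): each node either delivers directly onto a connected subnet or does a longest-prefix lookup, hosts carry only a default route, and the ASA counts as connected to the VPN pool because it terminates the tunnel, which is why the earlier replies say it needs no route for 192.168.150.0/24. The toy omits the gateway's internet default route, so the return packet is dropped at the gateway rather than sent off toward the ISP; in either case it never comes back to the ASA, and the TCP handshake from the VPN client never completes. The client and server addresses are the ones in the packet-tracer commands above; the node names and everything else about the topology are assumptions.

```python
# Added example for this thread (not code from the posts or from Cisco): a toy
# IP-forwarding model that reproduces the asymmetric return path and checks
# both fixes. Addresses come from the thread; the topology is an assumption.
import ipaddress


class Node:
    """A host or L3 device: its own addresses, directly connected subnets and a
    route table of (prefix, next-hop node name). Hosts carry just a default."""

    def __init__(self, name, addrs, connected, routes=()):
        self.name = name
        self.addrs = {ipaddress.ip_address(a) for a in addrs}
        self.connected = [ipaddress.ip_network(n) for n in connected]
        self.routes = [(ipaddress.ip_network(p), nh) for p, nh in routes]

    def lookup(self, dst):
        """Longest-prefix match; None when no route covers dst."""
        hit = max((r for r in self.routes if dst in r[0]),
                  key=lambda r: r[0].prefixlen, default=None)
        return hit[1] if hit else None


def topology(server_gateway="gateway", gateway_vpn_route=False):
    """The network in the thread. server_gateway="asa" is Option 1;
    gateway_vpn_route=True is Option 2 (route 192.168.150.0/24 -> 192.168.0.10)."""
    gw_routes = [("192.168.150.0/24", "asa")] if gateway_vpn_route else []
    nodes = [
        # AnyConnect client with tunnel-all: everything enters the tunnel to the ASA.
        Node("client", ["192.168.150.110"], [], [("0.0.0.0/0", "asa")]),
        # ASA inside interface .10; it terminates the VPN pool, so the pool is
        # "connected" and needs no route on the ASA.
        Node("asa", ["192.168.0.10"], ["192.168.0.0/24", "192.168.150.0/24"]),
        # Existing internet gateway .1. Its internet default route is omitted here;
        # with it the packet would head to the ISP instead, still never to the ASA.
        Node("gateway", ["192.168.0.1"], ["192.168.0.0/24"], gw_routes),
        Node("server", ["192.168.0.15"], ["192.168.0.0/24"], [("0.0.0.0/0", server_gateway)]),
    ]
    return {n.name: n for n in nodes}


def forward(nodes, src, dst, max_hops=8):
    """Follow one packet hop by hop. Returns (delivered, path); on a drop the
    path ends with the reason."""
    dst = ipaddress.ip_address(dst)
    owner = {a: n.name for n in nodes.values() for a in n.addrs}
    path, cur = [src], nodes[src]
    for _ in range(max_hops):
        if dst in cur.addrs:
            return True, path
        if any(dst in net for net in cur.connected):
            nxt = owner.get(dst)          # direct delivery on the segment
        else:
            nxt = cur.lookup(dst)         # otherwise consult the route table
        if nxt is None:
            return False, path + [f"DROP at {cur.name}: no route to {dst}"]
        path.append(nxt)
        cur = nodes[nxt]
    return False, path + ["DROP: hop limit"]


def round_trip(nodes, client="client", server="server"):
    """A TCP connection needs both legs; report each one."""
    c_ip = next(iter(nodes[client].addrs))
    s_ip = next(iter(nodes[server].addrs))
    fwd = forward(nodes, client, str(s_ip))
    ret = forward(nodes, server, str(c_ip))
    return {"forward": fwd, "return": ret, "ok": fwd[0] and ret[0]}


if __name__ == "__main__":
    for label, kw in [("as posted", {}), ("option 1", {"server_gateway": "asa"}),
                      ("option 2", {"gateway_vpn_route": True})]:
        print(label, round_trip(topology(**kw)))
```

Running it shows the forward leg client -> asa -> server succeeding in every case, the return leg dying at the gateway as posted, and both options restoring it (server -> asa -> client for Option 1, server -> gateway -> asa -> client for Option 2). Option 2 still routes the inside hosts' internet traffic through the existing gateway, which is why it was the less disruptive change to try first.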
01-16-2021 10:54 AM
Hi Suresh,
It works!!! I can see the internal network through the VPN.
I used option 2 and set the route in the gateway.
Thanks a lot.
01-16-2021 01:17 PM
So it was, as I suspected, a routing issue, not an AnyConnect issue.
Good Job friend.