cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

1013
Views
25
Helpful
25
Replies
dlo00011
Beginner

ASA 5515X VPN Client Cannot See internal network

Hi Guys,

I recently configured our ASA 5515X firewall with anyconnect vpn. 

The VPN client can log in and connect to the internet due to tunnel all traffic. 

However, the vpn clients (192.168.150.0/24) cannot see the internal network on 192.168.0.0/24 (inside) .


See attached for running-config

 

Can anyone please assist ? 

25 REPLIES 25

This is the reverse with Nat#2 disable

 

Result of the command: "packet-tracer input outside tcp 192.168.150.110 25000 192.168.0.15 80"

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static inside-host inside-host destination static VPN VPN no-proxy-arp description prevent self nat
Additional Information:
NAT divert to egress interface inside
Untranslate 192.168.0.15/80 to 192.168.0.15/80

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group traffic_out in interface outside
access-list traffic_out extended permit ip object VPN object inside-host
Additional Information:

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static inside-host inside-host destination static VPN VPN no-proxy-arp description prevent self nat
Additional Information:
Static translate 192.168.150.110/25000 to 192.168.150.110/25000

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source static inside-host inside-host destination static VPN VPN no-proxy-arp description prevent self nat
Additional Information:

Phase: 8
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 23678, packet dispatched to next module

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

 

 

This is the reverse with nat #2 enable

 

Result of the command: "packet-tracer input outside tcp 192.168.150.110 25000 192.168.0.15 80"

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.0.0 255.255.255.0 inside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group traffic_out in interface outside
access-list traffic_out extended permit ip object VPN object inside-host
Additional Information:

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (outside,inside) source static VPN VPN
Additional Information:
Static translate 192.168.150.110/25000 to 192.168.150.110/25000

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (outside,inside) source static VPN VPN
Additional Information:

Phase: 8
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 23740, packet dispatched to next module

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

 

 

 

MHM Cisco World
Rising star

route inside 192.168.150.0 255.255.255.0 192.168.0.1 1<- this wrong 
the ip address of VPN which is terminate in ASA so any VPN connect is local connect no need route.
please remove this route and use 
manual NAT "static Inside Inside VPN VPN"

NOTE:- you need this route only in router connect to ASA no in ASA itself

Hi , 

I currently have the ASA internal network (192.168.0.10) connected to a switch in L2 mode. 

Within the existing 192.168.0.0/24 network I have a gateway at 192.168.0.7 which handles traffic for that network. 

Would I need to create the route 192.168.150.0 255.255.255.0 192.168.0.1 1 in the 192.168.0.7 gateway  ? 

 

192.168.150.0 iş subnet of vpn, no need any route for it to config in asa.

Only remove this route and try connect from vpn to inside,

One note:- if you connect any l3 sw or router to asa you must config route of vpn subnet toward asa.

Hey.

Where is 192.168.0.7 configured? What is the default gateway for the hosts, 192.168.0.7 or 192.168.0.10?

 

If you have a default gateway of 192.168.0.7 in a router then you need a static route there:

route 192.168.150.0 255.255.255.0 192.168.0.1 10 (Assuming IP address of inside interface is 192.168.0.10)

 

Regards

Suresh

 

Hi Suresh, 

Correction, 192.168.0.7 is meant to be 192.168.0.1 which is the gateway on the existing network. 

I think I may have confused myself with the network setup. 

 

Currently the ASA inside interface has the IP of 192.168.0.10 and this is connected to a Cisco switch (layer 2) which has the subnet 192.168.0.0/24. The 192.168.0.10 (inside) currently uses the ASA outside interface for internet (default gateway). Within the the existing network of 192.168.0.0/24 all traffic goes through a gateway of 192.168.0.1 for internet. 

I hope this gives a better idea. 

 

So I assume I would need to include a route for the VPN as route 192.168.150.0 255.255.255.0 192.168.0.1 10

within my gateway in 192.168.0.1 ?

 

Or do I need to do a VLAN connection between the ASA and the Cisco switch ? 

What I would do is, connect the ASA inside interface to the same VLAN as 192.168.0.0/24 and make the ASA as the default gateway. I'm not sure if this would fit in with your current set up. 

 

So, Internet traffic would go through the ASA. Are you able to attach a diagram? I just want to make that I'm not misleading you. 

Hi Suresh, 

Please see attached. 

 

The entire goal of what I am doing is to simply let clients connect through a VPN from our new ISP and allow them to see 

the existing internal network (192.168.0.0/24) and to browse the internet through the new ISP (This is working). 

 

 

 

Am I right in thinking that you have 2 ISPs? One via ASA and the second via the Gateway. 

 

The issue you are having is due to the return traffic from the servers going to the gateway and getting dropped there because it doesn't have the route to 192.168.150.0/24. 

 

192.168.150.15 >>> ASA >>> Server >>> Gateway >>> Dropped 

 

Option -1 

 

If the ASA Inside interface is on the same VLAN as 192.168.0.0/24, you change the gateway on one of the servers from 192.168.0.1 to 192.168.0.10 for testing. After the change, you should be able to reach the internal network via the VPN.

 

Example - 192.168.150.15 >> ASA >> Server >>>>> ASA >>>192.168.150.15

 

Option - 2

 

Add a static route on the Gateway assuming Gateway, ASA Inside Interface and the servers are on the same VLAN.

route 192.168.150.0 255.255.255.0 192.168.0.10

 

 

Please let me know how it goes.

 

 

 

 

 

View solution in original post

Hi Suresh, 

 

It work!!!. I can see the internal network through the VPN.

I used option 2 and set the route in the gateway. 

 

Thanks alot. 

MHM Cisco World
Rising star

So It was as I suspect routing issue not any connect issue.
Good Job friend.

Content for Community-Ad