10-23-2019 08:28 AM - edited 02-21-2020 09:37 AM
Trying to configure the FW to allow ssh from a remote vpn user to an inside private host over Mgt interface and allow traffic out Outside interface
VPN is working correctly, ssh is not working to internal host in private subnet
(traffic from the VPN subnet is allowed in sg for host 10.0.6.129: 192.168.10.0/24
VPN POOL subnet - 192.168.10.0
Mgmt Public IP - 96.127.51.x
Inside subnet - 10.0.3.0
Outside Public IP - 160.1.68.x
Object host IP - 10.0.6.129
Config as follows:
ip local pool Network-10 192.168.10.2-192.168.10.252 mask 255.255.255.0
interface GigabitEthernet0/0
description AWS Eth1 Inside interface
nameif Inside
security-level 100
ip address 10.0.3.33 255.255.255.0
!
interface GigabitEthernet0/1
description AWS Eth2 Outside interface
nameif Outside
security-level 0
ip address 15.200.26.219 255.255.255.240
!
interface Management0/0
description AWS Eth0 Management
nameif management
security-level 100
ip address dhcp setroute
object network NETWORK_OBJ_192.168.10.0_24
subnet 192.168.10.0 255.255.255.0
object network AWS-Inside_01
subnet 10.0.1.0 255.255.255.0
object network AWS-Inside_03
subnet 10.0.3.0 255.255.255.0
object service Linux_ssh
service tcp source eq ssh destination eq ssh
object service Windows_rdp
service tcp source eq 3389 destination eq 3389
object network NLB-6.14
host 10.0.6.14
object network Linux-ssh-6.129
host 10.0.6.129
object-group network AWS-Internal
description AWS Internal networks
network-object 10.0.1.0 255.255.255.0
network-object 10.0.3.0 255.255.255.0
network-object 10.0.5.0 255.255.255.0
network-object 10.0.6.0 255.255.255.0
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list SplitTunnel standard permit 10.0.4.0 255.255.255.0
access-list SplitTunnel standard permit 10.0.6.0 255.255.255.0
access-list vpn-acl extended permit ip any any log
access-list vpn-acl extended deny ip any any log
access-list management_access_in remark Allow remote VPN users access to the internal AWS network over the Network-10 subnet
access-list managament_access_in extended permit ip object-group AWS-Internal object NETWORK_OBJ_192.168.10.0_24 log
access-list PrivateHost-Inside extended permit tcp any host 96.127.51.193 eq ssh log
access-list PrivateHost-Inside extended permit icmp any4 any4
nat (Inside,management) source static AWS-Internal AWS-Internal destination static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 no-proxy-arp route-lookup
!
object network NLB-6.14
nat (Inside,management) static 96.127.51.193
!
object network Linux-ssh-6.129
nat (Inside,management) static 96.127.51.193
!
nat (Inside,management) after-auto source dynamic any interface
access-group PrivateHost-Inside in interface management
route Inside 10.0.4.0 255.255.255.0 10.0.3.1 1
route Inside 10.0.6.0 255.255.255.0 10.0.3.1 1
0.0.0.0 0.0.0.0 [1/0] via 10.0.1.1, management
C 10.0.1.0 255.255.255.0 is directly connected, management
L 10.0.1.24 255.255.255.255 is directly connected, management
C 10.0.3.0 255.255.255.0 is directly connected, Inside
L 10.0.3.33 255.255.255.255 is directly connected, Inside
S 10.0.4.0 255.255.255.0 [1/0] via 10.0.3.1, Inside
S 10.0.6.0 255.255.255.0 [1/0] via 10.0.3.1, Inside
V 192.168.10.2 255.255.255.255
connected by VPN (advertised), management
ASAv-p1(config)# sh asp table socket
Protocol Socket State Local Address Foreign Address
SSL 186a8938 LISTEN 10.0.1.24:443 0.0.0.0:*
DTLS 186b7ea8 LISTEN 10.0.1.24:443 0.0.0.0:*
TCP 186babe8 LISTEN 10.0.1.24:22 0.0.0.0:*
SVC 2de68238 ESTAB 10.0.1.24:443 10.0.1.223:13607
TCP 660a1e58 ESTAB 10.0.1.24:22 10.0.1.216:48524
Thanks.....
Solved! Go to Solution.
10-23-2019 08:26 PM
10-23-2019 08:26 PM
10-24-2019 07:00 AM
Thanks for that observation, I'll make that change.
You mentioned the devices in AWS should have the route in the rtb to join back client vpn pool, can you explain this as all Outgoing traffic is allowed back out the IGW. Would that need to be the VPN Pool subnet or something else?
Is there any other config changes I need to make on the ASA to allow the connectivity to return back to the remote users through the tunnel ?
Thank you
10-24-2019 07:47 PM
10-25-2019 08:29 AM
Thanks for responding.
I have included an attachment of the arch setup.
For the packet tracer command, let me know if this is correct:
If so, the results are below.
-packet-tracer input management tcp 192.168.10.3 2022 96.127.x.x 22
(192.168.10.3 is IP of machine obtained from VPN pool)
(96.127.x.x is the management public IP)
ASAv-p1# packet-tracer input management tcp 192.168.10.3 2022 96.127.x.x 22
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 3
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.0.1.1 using egress ifc management
Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: management
input-status: up
input-line-status: up
output-interface: management
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Thank you...
10-25-2019 05:56 PM
10-25-2019 12:28 PM
It would help to see a diagram of how this connection is happening. To me it looks like you have the VPN terminating on the management interface. You also have several NAT statement translating the inside to the managment interface, one of these statements is the after-auto dynamic NAT statement. Are there any NAT statement for the outside interface also? For VPN traffic entering the MGMT interface and also leaving the MGMT interface be sure you have the command same-security-traffic permit intra-interface configured globally.
For traffic leaving the outside interface be sure to have a dynamic NAT statment configured with source MGMT interface, destination outside translating the VPN address range to the outside interface.
 
					
				
				
			
		
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide