None of my LAN clients behind my 5505 can resolve hostnames

harperville
Level 1

I have a Windows 2008 server doing DNS and DHCP at 192.168.1.9.  I can reach any IP address on the public Internet but I can't resolve any hostnames from the server (and since all the clients are using the server for DNS, none of the clients can resolve, either.)   Using nslookup, I set the server to be the ISP's DNS server (75.75.75.75) and attempt to resolve hostnames and all I get are "DNS request timed out" responses.  The ASA has "acl filter" debugging enabled and I'm logging debugging messages but the only things that I am seeing are the "built connection" messages from my server to the DNS server:

%ASA-6-302015: Built outbound UDP connection 6004 for outside:75.75.75.75/53 (75.75.75.75/53) to inside:thunder/56559 (thunder/56559)

I don't recall seeing any messages saying "Built inbound UDP connection..."

Here is my config:

my-gw(config)# sh run

: Saved

:

ASA Version 8.4(5)

!

hostname my-gw

domain-name office.mydomain.local

enable password xxxxx encrypted

passwd xxxxxxx encrypted

names

name 192.168.1.9 thunder

name 192.168.1.55 printer

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!            

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address x.x.x.x 255.255.255.248

!

interface Vlan3

description dmz

no nameif

no security-level

no ip address

!

ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring

dns domain-lookup inside

dns domain-lookup outside

dns server-group DefaultDNS

name-server thunder

name-server 75.75.75.75

name-server 75.75.76.76

domain-name office.mydomain.local

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object network obj_any

subnet 0.0.0.0 0.0.0.0

object network obj-192.168.1

subnet 192.168.1.0 255.255.255.0

access-list FROM-INTERNET extended permit icmp any any echo

access-list FROM-INTERNET extended permit icmp any any echo-reply

access-list FROM-INTERNET extended permit icmp any any time-exceeded

access-list FROM-INTERNET extended permit icmp any any unreachable

access-list FROM-INTERNET extended permit udp any eq domain any log

access-list NO-NAT extended permit ip 192.168.1.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list VPN-SPLIT remark Corporate LAN

access-list VPN-SPLIT standard permit 192.168.1.0 255.255.255.0

pager lines 24

logging enable

logging buffered debugging

logging asdm warnings

mtu inside 1500

mtu outside 1500

ip local pool VPN-POOL 192.168.1.240-192.168.1.248

ip local pool SSLVPN-POOL 192.168.1.249-192.168.1.250

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

nat (inside,outside) source static obj-192.168.1 obj-192.168.1 dns

!

object network obj_any

nat (inside,outside) dynamic interface

object network obj-192.168.1

nat (inside,outside) dynamic interface

access-group FROM-INTERNET in interface outside

route outside 0.0.0.0 0.0.0.0 x.x.x.x 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL

http server enable

http 192.168.1.0 255.255.255.0 inside

snmp-server location tele-closet

snmp-server contact itadmin@mydomain.com

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ipsec ikev1 transform-set WINMAC-VPN esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set WINMAC-VPN mode transport

crypto ipsec ikev1 transform-set IPSEC-VPN esp-aes-256 esp-sha-hmac

crypto ipsec security-association lifetime seconds 3600

crypto dynamic-map OUTSIDE_VPN_MAP 20 set ikev1 transform-set WINMAC-VPN IPSEC-VPN

crypto map VPN-TUNNEL 65535 ipsec-isakmp dynamic OUTSIDE_VPN_MAP

crypto map VPN-TUNNEL interface outside

crypto ca trustpoint _SmartCallHome_ServerCA

crl configure

crypto ca trustpoint localtrust

enrollment self

fqdn sslvpn.mydomain.com

subject-name CN=sslvpn.mydomain.com

crl configure

crypto ca certificate chain _SmartCallHome_ServerCA

certificate ca

<....>

output suppressed

<....>

  quit

crypto ikev1 enable outside

crypto ikev1 policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 20

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 50

authentication pre-share

encryption aes-256

hash sha

group 5

lifetime 28800

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 inside

ssh 0.0.0.0 0.0.0.0 outside

ssh timeout 45

ssh version 2

ssh key-exchange group dh-group1-sha1

console timeout 0

management-access inside

dhcpd dns 75.75.75.75 75.75.76.76

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ntp server 0.pool.ntp.org

ssl trust-point localtrust outside

webvpn

group-policy DefaultRAGroup internal

group-policy DefaultRAGroup attributes

dns-server value 75.75.75.75 75.75.76.76

vpn-tunnel-protocol ikev1

split-tunnel-policy tunnelspecified

split-tunnel-network-list value VPN-SPLIT

group-policy IPSEC-VPN internal

group-policy IPSEC-VPN attributes

dns-server value 75.75.75.75 75.75.76.76

vpn-tunnel-protocol ikev1

split-tunnel-policy tunnelspecified

split-tunnel-network-list value VPN-SPLIT

username asa password xxxxxx encrypted privilege 15

username user.name1 password xxxxxxx nt-encrypted privilege 15

username user.name1 attributes

vpn-group-policy DefaultRAGroup

vpn-tunnel-protocol ikev1 l2tp-ipsec

username user.name2 password xxxxxxx nt-encrypted privilege 15

username user.name2 attributes

vpn-group-policy DefaultRAGroup

vpn-tunnel-protocol ikev1 l2tp-ipsec

username user.name3 password xxxxxxxx nt-encrypted privilege 15

username user.name3 attributes

vpn-group-policy DefaultRAGroup

vpn-tunnel-protocol ikev1 l2tp-ipsec

tunnel-group DefaultRAGroup general-attributes

address-pool VPN-POOL

tunnel-group DefaultRAGroup ipsec-attributes

ikev1 pre-shared-key *****

tunnel-group DefaultRAGroup ppp-attributes

no authentication chap

authentication ms-chap-v2

tunnel-group IPSEC-VPN type remote-access

tunnel-group IPSEC-VPN general-attributes

address-pool VPN-POOL

default-group-policy IPSEC-VPN

tunnel-group IPSEC-VPN ipsec-attributes

ikev1 pre-shared-key *****

tunnel-group IPSEC-VPN ppp-attributes

no authentication chap

authentication ms-chap-v2

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  no dns-guard

  no protocol-enforcement

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

!

service-policy global_policy global

prompt hostname context

call-home reporting anonymous

Cryptochecksum:c15a336f5e94b317482b0d2925853ab4

: end


Jouni Forss
VIP Alumni

Hi,

This NAT configuration is causing the problem:

nat (inside,outside) source static obj-192.168.1 obj-192.168.1 dns

It NATs the server IP address to itself while going to the Internet (as you can see in the logs also).

So the ASA is NOT DOING any NAT for the server while it connects to the Internet and that is why all the DNS queries are failing.

Remove the above NAT configuration and it should work.

Though I am quite confused about the fact that you say you can reach any address on the Internet. The above configuration should mean that no host on the LAN should be able to access the Internet as they are going out with their unroutable private IP address.

Unless of course you mean that the ASA can reach anything on the Internet. This works of course since the ASA uses its public IP address as the source for the traffic it generates.

Let me know if you need to configure Static NAT or Static PAT for the server instead. This is usually required if you want to host some services to the Internet from the LAN server.

- Jouni
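The "as you can see in the logs" point, as an added example that is not part of the thread: a small Python check over ASA 302015/302013 "Built connection" lines that flags an inside endpoint whose mapped address is still an RFC 1918 address on a connection to the outside interface, which is exactly what the quoted log line shows. The name table and the first log line come from the posts above; the other two lines and the 203.0.113.10 stand-in for the masked public address are constructed.

```python
import re
from ipaddress import ip_address, ip_network

# Hostnames the ASA substitutes for addresses because 'names' is enabled
# (taken from the 'name' lines in the posted config).
ASA_NAMES = {"thunder": "192.168.1.9", "printer": "192.168.1.55"}

RFC1918 = tuple(ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))

# %ASA-6-302013 (TCP) / %ASA-6-302015 (UDP): "Built <dir> <proto> connection <id>
# for <if>:<real>/<port> (<mapped>/<port>) to <if>:<real>/<port> (<mapped>/<port>)".
BUILT_RE = re.compile(
    r"%ASA-6-30201[35]: Built (?P<dir>inbound|outbound) (?P<proto>TCP|UDP) connection "
    r"(?P<cid>\d+) for (?P<if1>\w+):(?P<real1>[\w.\-]+)/\d+ \((?P<map1>[\w.\-]+)/\d+\) "
    r"to (?P<if2>\w+):(?P<real2>[\w.\-]+)/\d+ \((?P<map2>[\w.\-]+)/\d+\)"
)


def resolve(token, names=ASA_NAMES):
    """Turn a logged address token (dotted quad or ASA 'name') into an address object."""
    return ip_address(names.get(token, token))


def is_rfc1918(addr):
    """True for the unroutable private ranges the reply talks about (not TEST-NETs etc.)."""
    return any(addr in net for net in RFC1918)


def parse_built(line, names=ASA_NAMES):
    """Parse one 302013/302015 line into its two endpoints, or None for any other line."""
    m = BUILT_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "cid": d["cid"],
        "proto": d["proto"],
        "ends": (
            (d["if1"], resolve(d["real1"], names), resolve(d["map1"], names)),
            (d["if2"], resolve(d["real2"], names), resolve(d["map2"], names)),
        ),
    }


def untranslated_private(lines, inside="inside", outside="outside", names=ASA_NAMES):
    """Return (conn id, proto, real, mapped) for every inside endpoint whose *mapped*
    address is still RFC 1918 on a connection whose other end is on the outside
    interface: those packets leave with a source the Internet cannot route back to."""
    findings = []
    for line in lines:
        conn = parse_built(line, names)
        if conn is None:
            continue
        if not {inside, outside} <= {end[0] for end in conn["ends"]}:
            continue  # inside-to-inside or outside-only flows are not the problem here
        for ifname, real, mapped in conn["ends"]:
            if ifname == inside and is_rfc1918(mapped):
                findings.append((conn["cid"], conn["proto"], str(real), str(mapped)))
    return findings


# Constructed sample log: line 1 is the one quoted in the thread; line 2 is what a
# correctly PAT'ed query looks like (203.0.113.10 stands in for the masked x.x.x.x);
# line 3 is an inside-to-inside flow that must not be flagged.
SAMPLE_LOG = [
    "%ASA-6-302015: Built outbound UDP connection 6004 for outside:75.75.75.75/53 "
    "(75.75.75.75/53) to inside:thunder/56559 (thunder/56559)",
    "%ASA-6-302015: Built outbound UDP connection 6005 for outside:75.75.75.75/53 "
    "(75.75.75.75/53) to inside:thunder/56560 (203.0.113.10/56560)",
    "%ASA-6-302013: Built inbound TCP connection 6006 for inside:192.168.1.55/49152 "
    "(192.168.1.55/49152) to inside:thunder/445 (thunder/445)",
]

if __name__ == "__main__":
    for cid, proto, real, mapped in untranslated_private(SAMPLE_LOG):
        print(f"conn {cid} {proto}: inside host {real} left outside as {mapped} (no NAT applied)")
```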

Thanks for the help.  I thought I was unable to reach my server over my VPN unless I had that statement.  I'll test that now...

Yep, without that statement, I can't access anything over the VPN so I asked one of the people in the office to test it out for me.  They confirmed that they can get online, but now, I can't access anything over the VPN.  Can I get the best of both worlds (which I think is NAT from inside to outside and no-NAT over VPN)?  I am correctly authenticated and assigned a 192.168.1.x address but am unable to reach my server (192.168.1.9).

Thanks!

Hi,

I suggest that you change your VPN Pools to something other than your LAN network.

Change them for example to 192.168.100.0/24 and 192.168.101.0/24 or something else.

The correct format to enable the NAT0 / NAT Exempt for the VPN client traffic is to use these configurations (presuming you use the above 2 network ranges for your 2 VPN Pools in the above configuration).

object-group network VPN-POOLS

network-object 192.168.100.0 255.255.255.0

network-object 192.168.101.0 255.255.255.0

object network LAN

subnet 192.168.1.0 255.255.255.0

nat (inside,outside) source static LAN LAN destination static VPN-POOLS VPN-POOLS

After adding the above, the VPN connections should work also. The key thing naturally is to change the current VPN IP Pools to something else, for example the above, and then use those networks in the above configurations.

The reason why your original NAT configuration caused problems is the fact that it didn't define any "destination" parameters. Without those the ASA would apply the NAT to all traffic (all destination networks), both the VPN and the Internet traffic. The above configuration clearly specifies now that the NAT should only be applied to the traffic when the destination (or source, depending on which side of the firewall you are looking at) is the VPN Pools.

Hope this helps

Please do remember to mark a reply as the correct answer if it answered your question.

Feel free to ask more if needed

- Jouni
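The point about the missing "destination" parameter, as an added example that is not part of the thread: a simplified Python model of ASA 8.3+ NAT rule selection (Section 1 manual NAT in configured order, then Section 2 object NAT with the most specific object first) run over the three states the rule went through in this thread. Object names and addresses are from the posted configs; the evaluation model and the 198.51.100.1 stand-in for the masked outside address are assumptions, not ASA code.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional, Tuple

# Stand-in for the ASA's masked public address (x.x.x.x in the posted config).
OUTSIDE_IF_ADDR = IPv4Address("198.51.100.1")

LAN = IPv4Network("192.168.1.0/24")          # object obj-192.168.1 (later named LAN)
ANY = IPv4Network("0.0.0.0/0")               # object obj_any
VPN_POOLS = (IPv4Network("192.168.100.0/24"), IPv4Network("192.168.101.0/24"))

THUNDER = IPv4Address("192.168.1.9")         # the Windows DNS/DHCP server
ISP_DNS = IPv4Address("75.75.75.75")
VPN_CLIENT = IPv4Address("192.168.100.240")


@dataclass(frozen=True)
class ManualNat:
    """Section 1 rule: nat (inside,outside) source static S S [destination static D D].
    Only identity translations are modelled, which is all this thread uses."""
    name: str
    src: IPv4Network
    dst: Optional[Tuple[IPv4Network, ...]] = None  # None = any destination (the bug)


@dataclass(frozen=True)
class ObjectNat:
    """Section 2 rule: object network X / nat (inside,outside) dynamic interface."""
    name: str
    src: IPv4Network


def translate(manual, objects, src, dst):
    """Pick the rule an inside->outside flow hits; return (translated source, rule name).

    Simplified ASA 8.3+ order: Section 1 manual rules in configured order, first match
    wins; then Section 2 object rules, most specific object (fewest addresses) first.
    """
    for r in manual:
        if src in r.src and (r.dst is None or any(dst in n for n in r.dst)):
            return src, r.name                 # static identity NAT: source unchanged
    for r in sorted(objects, key=lambda o: o.src.num_addresses):
        if src in r.src:
            return OUTSIDE_IF_ADDR, r.name     # dynamic PAT to the outside interface
    return src, "no rule"


OBJECT_NAT = (ObjectNat("obj-192.168.1 dynamic interface", LAN),
              ObjectNat("obj_any dynamic interface", ANY))

# The three states of the Section 1 rule in the thread. The 'dns' keyword on the
# original only enables DNS reply rewriting and is a no-op for an identity translation.
ORIGINAL = (ManualNat("source static obj-192.168.1 obj-192.168.1 dns", LAN),)
REMOVED = ()
CORRECTED = (ManualNat("source static LAN LAN destination static VPN-POOLS VPN-POOLS",
                       LAN, VPN_POOLS),)


def is_rfc1918(addr):
    return any(addr in IPv4Network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))


def verdict(manual, src, dst):
    """(translated source, rule, ok): Internet-bound traffic must not leave with an
    RFC 1918 source; VPN-bound traffic must keep its real source (NAT exemption)."""
    xlated, rule = translate(manual, OBJECT_NAT, src, dst)
    to_vpn = any(dst in n for n in VPN_POOLS)
    ok = (xlated == src) if to_vpn else not is_rfc1918(xlated)
    return xlated, rule, ok


if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL), ("rule removed", REMOVED), ("corrected", CORRECTED)):
        for dst in (ISP_DNS, VPN_CLIENT):
            xlated, rule, ok = verdict(cfg, THUNDER, dst)
            print(f"{label:13} {THUNDER} -> {dst}: source becomes {xlated} "
                  f"via [{rule}] {'OK' if ok else 'BROKEN'}")
```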

Hi, Jouni.  I appreciate your help.  What you said about the VPN pools makes perfect sense.  I am upgrading from 8.2 to 8.4 and the differences are quite astounding.  I understood 8.2 a bit better than 8.4; it's a new beast for me to tackle.

I made the changes you suggested and their Internet still works and I can still connect to the VPN and am getting a 192.168.100.x address but I still can't ping or access the server at 192.168.1.9.

Here's my config as it stands now.  Any other suggestions you have are welcomed.

my-gw(config)# sh run

: Saved

:

ASA Version 8.4(5)

!

hostname my-gw

domain-name office.mydomain.local

enable password xxxxxxxx encrypted

passwd xxxxxxxx encrypted

names

name 192.168.1.9 thunder

name 192.168.1.55 printer

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address x.x.x.x 255.255.255.248

!

interface Vlan3

description dmz

no nameif

no security-level

no ip address

!

ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring

dns domain-lookup inside

dns domain-lookup outside

dns server-group DefaultDNS

name-server thunder

name-server 75.75.75.75

name-server 75.75.76.76

domain-name office.mydomain.local

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object network obj_any

subnet 0.0.0.0 0.0.0.0

object network obj-192.168.1

subnet 192.168.1.0 255.255.255.0

object-group network VPN-POOLS

network-object 192.168.100.0 255.255.255.0

network-object 192.168.101.0 255.255.255.0

access-list FROM-INTERNET extended permit icmp any any echo

access-list FROM-INTERNET extended permit icmp any any echo-reply

access-list FROM-INTERNET extended permit icmp any any time-exceeded

access-list FROM-INTERNET extended permit icmp any any unreachable

access-list FROM-INTERNET extended permit udp any eq domain any log

access-list FROM-INTERNET extended permit ip any any log

access-list NO-NAT extended permit ip 192.168.1.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list VPN-SPLIT remark Corporate LAN

access-list VPN-SPLIT standard permit 192.168.1.0 255.255.255.0

pager lines 24

logging enable

logging buffered informational

logging asdm warnings

mtu inside 1500

mtu outside 1500

ip local pool VPN-POOL 192.168.100.240-192.168.100.250

ip local pool SSLVPN-POOL 192.168.101.240-192.168.101.250

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

nat (inside,outside) source static obj-192.168.1 obj-192.168.1 destination static VPN-POOLS VPN-POOLS

!

object network obj_any

nat (inside,outside) dynamic interface

object network obj-192.168.1

nat (inside,outside) dynamic interface

access-group FROM-INTERNET in interface outside

route outside 0.0.0.0 0.0.0.0 x.x.x.x 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL

http server enable

http 192.168.1.0 255.255.255.0 inside

snmp-server location tele-closet

snmp-server contact itadmin@mydomain.com

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ipsec ikev1 transform-set WINMAC-VPN esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set WINMAC-VPN mode transport

crypto ipsec ikev1 transform-set IPSEC-VPN esp-aes-256 esp-sha-hmac

crypto ipsec security-association lifetime seconds 3600

crypto dynamic-map OUTSIDE_VPN_MAP 20 set ikev1 transform-set WINMAC-VPN IPSEC-VPN

crypto map VPN-TUNNEL 65535 ipsec-isakmp dynamic OUTSIDE_VPN_MAP

crypto map VPN-TUNNEL interface outside

crypto ca trustpoint _SmartCallHome_ServerCA

crl configure

crypto ca trustpoint localtrust

enrollment self

fqdn sslvpn.mydomain.com

subject-name CN=sslvpn.mydomain.com

crl configure

crypto ca certificate chain _SmartCallHome_ServerCA

certificate ca

<...>

<...>

  quit

crypto ikev1 enable outside

crypto ikev1 policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 20

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 50

authentication pre-share

encryption aes-256

hash sha

group 5

lifetime 28800

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 inside

ssh 0.0.0.0 0.0.0.0 outside

ssh timeout 45

ssh version 2

ssh key-exchange group dh-group1-sha1

console timeout 0

management-access inside

dhcpd dns 75.75.75.75 75.75.76.76

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ntp server 0.pool.ntp.org

ssl trust-point localtrust outside

webvpn

group-policy DefaultRAGroup internal

group-policy DefaultRAGroup attributes

dns-server value 75.75.75.75 75.75.76.76

vpn-tunnel-protocol ikev1

split-tunnel-policy tunnelspecified

split-tunnel-network-list value VPN-SPLIT

group-policy IPSEC-VPN internal

group-policy IPSEC-VPN attributes

dns-server value 75.75.75.75 75.75.76.76

vpn-tunnel-protocol ikev1

split-tunnel-policy tunnelspecified

split-tunnel-network-list value VPN-SPLIT

username asa password xxxxxx encrypted privilege 15

username user.name1 password xxxxxx nt-encrypted privilege 15

username user.name1 attributes

vpn-group-policy DefaultRAGroup

vpn-tunnel-protocol ikev1 l2tp-ipsec

username user.name2 password xxxxxx nt-encrypted privilege 15

username user.name2 attributes

vpn-group-policy DefaultRAGroup

vpn-tunnel-protocol ikev1 l2tp-ipsec

username user.name0 password xxxxxx nt-encrypted privilege 15

username user.name0 attributes

vpn-group-policy DefaultRAGroup

vpn-tunnel-protocol ikev1 l2tp-ipsec

tunnel-group DefaultRAGroup general-attributes

address-pool VPN-POOL

tunnel-group DefaultRAGroup ipsec-attributes

ikev1 pre-shared-key *****

tunnel-group DefaultRAGroup ppp-attributes

no authentication chap

authentication ms-chap-v2

tunnel-group IPSEC-VPN type remote-access

tunnel-group IPSEC-VPN general-attributes

address-pool VPN-POOL

default-group-policy IPSEC-VPN

tunnel-group IPSEC-VPN ipsec-attributes

ikev1 pre-shared-key *****

tunnel-group IPSEC-VPN ppp-attributes

no authentication chap

authentication ms-chap-v2

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  no dns-guard

  no protocol-enforcement

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

!

service-policy global_policy global

prompt hostname context

call-home reporting anonymous

Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e

: end

Hi,

The configuration on the ASA seems fine.

Though I would add the ICMP Inspections:

policy-map global_policy

class inspection_default

  inspect icmp

  inspect icmp error

In the above we basically only add the "inspect" commands. The above 2 commands are used to change the configuration mode only.

There is of course always the possibility that there is something on the server side. Though you said you changed from an older software level, so I would presume this was already working for the VPNs back then?

Naturally now we changed the VPN Pools. Is there perhaps something on the server/LAN that could block these new VPN pool address ranges?

The software level 8.2 was the last software level to use the older NAT configuration format. Starting from 8.3 the NAT format changed completely and the old NAT configuration format is not supported anymore.

You could always take a look at a document I wrote about the subject here on the CSC. Maybe it might help.

https://supportforums.cisco.com/docs/DOC-31116

- Jouni

Quite an impressive article.  I am still stumped, though.  Based on your article, I set up a static PAT to the Windows server so I can RDP from the outside to troubleshoot this further.  I checked the firewall and I have icmp IN and OUT being allowed from any address.  I don't want to turn the firewall off completely because of the fact it is now exposed to the world so I enabled logging (log all allowed or denied traffic) and can't find anything in the logs except other local traffic from other local clients accessing files on the server.

I can get a reply if I ping my VPN client's IP address (192.168.100.240) from the server but I'm not sure if that is a proxy-ARP response or not because the ARP table on the server doesn't have an entry for 192.168.100.240.

There is nothing helpful in the ASA's logs, just the building and teardown of dynamic connections and translations.  Not to mention, nothing at all from my client's VPN IP address.  Do you have any suggestions on how to configure logging to watch some ICMP & NAT messages?

my-gw(config)# sh log

Syslog logging: enabled

    Facility: 20

    Timestamp logging: enabled

    Standby logging: disabled

    Debug-trace logging: disabled

    Console logging: disabled

    Monitor logging: disabled

    Buffer logging: level debugging, 15488 messages logged

    Trap logging: disabled

    Permit-hostdown logging: disabled

    History logging: disabled

    Device ID: disabled

    Mail logging: disabled

    ASDM logging: level warnings, 1656 messages logged

Thanks so much!

This is helpful but makes it seem like the ASA is configured correctly, that is if I did the packet-tracer correctly.

my-gw(config)# packet-tracer input outside icmp 192.168.100.240 8 0 192.168.1.9

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

MAC Access list

Phase: 2

Type: UN-NAT

Subtype: static

Result: ALLOW

Config:

nat (inside,outside) source static obj-192.168.1 obj-192.168.1 destination static VPN-POOLS VPN-POOLS

Additional Information:

NAT divert to egress interface inside

Untranslate thunder/0 to thunder/0

Phase: 3

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group FROM-INTERNET in interface outside

access-list FROM-INTERNET extended permit icmp any any echo

Additional Information:

Phase: 4

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 5

Type: CP-PUNT

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 6

Type: L2TP-PPP

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 7

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

class-map inspection_default

match default-inspection-traffic

policy-map global_policy

class inspection_default

  inspect icmp

service-policy global_policy global

Additional Information:

Phase: 8

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

Additional Information:

Phase: 9

Type: VPN

Subtype: ipsec-tunnel-flow

Result: ALLOW

Config:

Additional Information:

Phase: 10

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (inside,outside) source static obj-192.168.1 obj-192.168.1 destination static VPN-POOLS VPN-POOLS

Additional Information:

Static translate 192.168.100.240/0 to 192.168.100.240/0

Phase: 11

Type: NAT

Subtype: rpf-check

Result: ALLOW

Config:

nat (inside,outside) source static obj-192.168.1 obj-192.168.1 destination static VPN-POOLS VPN-POOLS

Additional Information:

Phase: 12

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 13

Type: L2TP-PPP

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 14

Type: PPP

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 15

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 6737, packet dispatched to next module

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: inside

output-status: up

output-line-status: up

Action: allow

Hi,

If you can ICMP from the server to the VPN Client this should already indicate that there is connectivity. It would start to seem that the server itself is blocking the ICMP from the VPN clients. It's pretty common that a server will allow the ICMP Echo reply back to an ICMP Echo that it has sent but will deny ICMP arriving to itself.

So I would start looking at the server-side software firewalls and other software/settings that might block these connections.

This should have nothing to do with ARP. The VPN Pool is now on a different network so the server is not using ARP to determine the MAC address of the destination IP address. It rather sends the traffic to the default gateway because the destination is in another network.

Naturally if your server's network mask was /16 (255.255.0.0) then it would send ARP to determine the MAC address of the VPN host as both addresses would be in the same network according to how the server sees its connected network. Though in that case I think you shouldn't be able to ICMP the VPN client from the server at all.

Since you have configured Split Tunnel for the VPN you should be able to both have a VPN Client connection open and connect to the ASA remotely through ASDM. You could then use ASDM to monitor the connections through the firewall. You could enter the VPN Client's IP address as the filter.

Now if you tested some TCP based connection through the VPN Client to the server you should be able to see on the ASDM side the "Teardown" message for the TCP connection. It would probably mention something like SYN Timeout or Reset-I.

SYN Timeout would mean that the server isn't replying. The Reset-I would mean that the server actively reset the TCP connection and prevented the connection.

For ICMP you can configure a traffic capture on the ASA CLI to determine if any ICMP Echo Replies are coming back from the server:

access-list VPN-CAP permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list VPN-CAP permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0

capture VPN-CAP type raw-data access-list VPN-CAP interface inside buffer 1000000 circular buffer

After the ACL and the capture are configured you could then try to ICMP the server once or twice from the VPN Client.

Then you could use the following command to determine if anything is being captured

show capture

You could then use this command to view the capture contents on the CLI

show capture VPN-CAP

You could also copy the contents of the capture to a PC with TFTP so you could view the capture with software like Wireshark. It makes it a lot easier to view the capture.

copy /pcap capture:VPN-CAP tftp://x.x.x.x/VPN-CAP.pcap

You can remove the capture and its contents with the command

no capture VPN-CAP

The "access-list" we created to match to the traffic has to be removed separately.

- Jouni

I changed my VPN client to send all traffic over the tunnel and I can reach my server, now.  Thanks so much for the help!
