Remote user cannot access the inside corporate network using anyconnect vpn

lourdesanne
Level 1

Hi guys,

Can anyone help me with why I can't access the servers that are on the corporate network, located on the trust side of the SSG140 firewall, using AnyConnect VPN?

My network topology goes like this:

               dmz                 untrust
                |                      |
                |                      |
               \/                     \/
ASA5510 ------- SSG140 ------- INTERNET ------ REMOTE USER
                         |
                         | <-------- trust
                         |
CORPORATE NETWORK (where the servers are located)

Config on ASA:

ASA Version 8.0(4)
!
hostname ciscoasa
domain-name thpal.local
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
no ip address
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 172.30.10.236 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 40
ip address 192.168.200.1 255.255.255.0
management-only
!
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns domain-lookup management
dns server-group DefaultDNS
name-server 192.168.1.1
domain-name thpal.local
same-security-traffic permit intra-interface
access-list inside_access_out extended permit ip any any
access-list inside_access_out_1 extended permit ip any any inactive
access-list inside_access_out_1 extended permit icmp any any echo-reply inactive
access-list SPLITTUNNEL standard permit 172.30.10.0 255.255.255.0
access-list SPLITTUNNEL standard permit 172.30.20.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any any
access-list inside_nat0_outbound_1 extended permit ip 172.30.20.0 255.255.255.0 172.30.10.0 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip 172.30.10.0 255.255.255.0 172.30.20.0 255.255.255.0
access-list inside_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool ANYPOOL 172.30.20.60-172.30.20.65 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
global (inside) 1 172.30.20.20-172.30.20.25 netmask 255.0.0.0
global (inside) 2 203.167.x.x netmask 255.255.255.240
nat (inside) 0 access-list inside_nat0_outbound_1
nat (inside) 1 172.30.10.0 255.255.255.0
static (inside,inside) 203.167.x.x 172.30.10.236 netmask 255.255.255.255
static (inside,inside) 172.30.20.0 172.30.10.0 netmask 255.255.255.0
access-group inside_access_in in interface inside
access-group inside_access_out_1 out interface inside
route inside 0.0.0.0 0.0.0.0 172.30.10.1 1
route inside 0.0.0.0 0.0.0.0 172.30.10.236 tunneled
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 172.30.10.0 255.255.255.0 inside
http 192.168.200.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.200.2-192.168.200.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable inside
svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
svc enable
port-forward remoteaccess 2300 192.168.1.1 telnet telnet to ssg5
port-forward remoteaccess 2100 192.168.1.236 ftp connects to ftp
group-policy DfltGrpPolicy attributes
dns-server value 192.168.1.1
vpn-tunnel-protocol IPSec l2tp-ipsec
split-tunnel-network-list value SPLITTUNNEL
default-domain value thpal.local
group-policy CLIENTLESS_SSL_POLICY internal
group-policy CLIENTLESS_SSL_POLICY attributes
wins-server none
dns-server value 192.168.1.1
vpn-tunnel-protocol l2tp-ipsec
default-domain value thpal.local
webvpn
  url-list value ssl_services
group-policy ANYCON internal
group-policy ANYCON attributes
wins-server none
dns-server value 192.168.1.1
vpn-tunnel-protocol svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLITTUNNEL
default-domain value thpal.local
webvpn
  url-list value ssl_services
  port-forward disable
  svc ask enable default svc
username Sally password kjqjVsSlNIa.DGOu encrypted privilege 15
username Sally attributes
vpn-group-policy ANYCON
webvpn
  port-forward auto-start remoteaccess
  url-list value ssl_services
username Louanne password 0IoElNJ1cQv7RJiy encrypted privilege 15
username Louanne attributes
vpn-group-policy ANYCON
webvpn
  port-forward auto-start remoteaccess
  url-list value ssl_services
username Jonathan password 4DZSa0919GBhEyiT encrypted
username Jonathan attributes
vpn-group-policy ANYCON
webvpn
  url-list value ssl_services
username Rommel password 6hWsMiVOi2o1KyzI encrypted privilege 15
username Larry password m98u9t2E8Jrzu96P encrypted
username Larry attributes
vpn-group-policy CLIENTLESS_SSL_POLICY
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool ANYPOOL
tunnel-group CL_SSLVPN_PROFILE type remote-access
tunnel-group CL_SSLVPN_PROFILE general-attributes
default-group-policy CLIENTLESS_SSL_POLICY
tunnel-group anycon type remote-access
tunnel-group anycon general-attributes
address-pool ANYPOOL
default-group-policy ANYCON
tunnel-group anycon webvpn-attributes
group-alias anycon enable
group-url https://203.167.x.x/anycon enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:a9e4e955d01c1504b4b85fa39e040886
: end

The remote user can establish an AnyConnect VPN connection to the ASA and can access local folders and the internet while connected to the VPN, but cannot access the remote corporate network.

Any help would be much appreciated.

Thanks.

-L.A.-

5 Replies

Julio Carvajal
VIP Alumni

Hello Lourdes,

Can you remove the following:

no access-group inside_access_out_1 out interface inside

And then give it a try.

Also, please provide the following output as well:

packet-tracer input inside tcp 172.30.20.62 1025 172.30.10.11 80

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio,

Thanks for the reply.

I already added management-access inside. What should I ping?

Here is the result of the packet-tracer command:

ciscoasa(config)# packet-tracer input inside tcp 172.30.20.62 1025 172.30.10.1$

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   172.30.10.0     255.255.255.0   inside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip any any
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: CP-PUNT
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: WEBVPN-SVC
Subtype: in
Result: DROP
Config:
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Please remove this static NAT:

static (inside,inside) 172.30.20.0 172.30.10.0 netmask 255.255.255.0

Please make sure you have a static route on your inside network that pushes "172.30.20.0 255.255.255.0" to the FW's inside interface IP address, i.e. 172.30.10.236.

Try it and let me know the result.

Thanks,

Rizwan Rafeek

Hi Rizwan,

Thanks for the reply.

I did what you have suggested, and it works like magic.

May I ask the reason for removing the static NAT:

static (inside,inside) 172.30.20.0 172.30.10.0 netmask 255.255.255.0

Thank you very much and kind regards.

-L.A.-

Hi Lourdes Anne,

I am glad to hear that worked out for you.

"May I ask the reason for removing the static NAT:

static (inside,inside) 172.30.20.0 172.30.10.0 netmask 255.255.255.0"

The FW sees that IP segment coming from the outside interface, but your above statement tells the FW to translate it to inside, which is a contradictory rule.

Please rate any helpful post, so that it will be a helpful tip for someone else.

Thanks,

Rizwan Rafeek
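The two fixes offered in this thread (remove the `static (inside,inside)` whose mapped network overlaps the AnyConnect pool; drop the outbound access-group whose ACL has only inactive entries) are both visible in the posted config before anyone runs packet-tracer. As an added example, not code from the thread participants or from Cisco, here is a small pre-8.3-syntax ASA config linter that spots both conditions, plus the `same-security-traffic permit intra-interface` line that hairpinned VPN traffic on the inside interface depends on. The sample config is a constructed excerpt of the poster's config; `203.0.113.10` is a placeholder for the page's masked `203.167.x.x`.

```python
"""Lint an ASA 8.x (pre-8.3 NAT syntax) config for the conflicts in this thread.

Added example, not the thread's or Cisco's code.  Checks:
  1. a 'static' whose mapped network contains addresses of an 'ip local pool'
  2. an 'access-group' bound to an ACL with no active ACE (implicit deny only)
  3. whether same-security-traffic permit intra-interface is present
"""
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed excerpt of the config posted in the thread (only the lines the
# checks need).  203.0.113.10 is a placeholder for the page's 203.167.x.x.
SAMPLE_CONFIG = """\
same-security-traffic permit intra-interface
access-list inside_access_out_1 extended permit ip any any inactive
access-list inside_access_out_1 extended permit icmp any any echo-reply inactive
access-list inside_access_in extended permit ip any any
ip local pool ANYPOOL 172.30.20.60-172.30.20.65 mask 255.255.255.0
static (inside,inside) 203.0.113.10 172.30.10.236 netmask 255.255.255.255
static (inside,inside) 172.30.20.0 172.30.10.0 netmask 255.255.255.0
access-group inside_access_in in interface inside
access-group inside_access_out_1 out interface inside
"""

POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)")
# pre-8.3 syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) ")
GROUP_RE = re.compile(r"^access-group (\S+) (in|out) interface (\S+)")


def parse_pools(cfg: str) -> Dict[str, List[ipaddress.IPv4Address]]:
    """Return {pool name: [every address in the pool's range]}."""
    pools = {}
    for line in cfg.splitlines():
        m = POOL_RE.match(line)
        if m:
            first, last = (ipaddress.IPv4Address(g) for g in m.group(2, 3))
            pools[m.group(1)] = [ipaddress.IPv4Address(int(first) + i)
                                 for i in range(int(last) - int(first) + 1)]
    return pools


def parse_statics(cfg: str):
    """Return (real_ifc, mapped_ifc, mapped_network, real_network) per static."""
    statics = []
    for line in cfg.splitlines():
        m = STATIC_RE.match(line)
        if m:
            real_ifc, mapped_ifc, mapped, real, mask = m.groups()
            statics.append((real_ifc, mapped_ifc,
                            ipaddress.IPv4Network(f"{mapped}/{mask}", strict=False),
                            ipaddress.IPv4Network(f"{real}/{mask}", strict=False)))
    return statics


def find_pool_nat_conflicts(cfg: str) -> List[Tuple[str, str, str]]:
    """Statics whose mapped network contains VPN pool addresses.

    Returns (pool name, mapped network, real network) triples."""
    hits = []
    for pool, addrs in parse_pools(cfg).items():
        for _real_ifc, _mapped_ifc, mapped_net, real_net in parse_statics(cfg):
            if any(a in mapped_net for a in addrs):
                hits.append((pool, str(mapped_net), str(real_net)))
    return hits


def find_empty_access_groups(cfg: str) -> List[Tuple[str, str, str]]:
    """access-group bindings whose ACL has no active ACE, so only the implicit
    deny applies in that direction.  Returns (acl, interface, direction)."""
    active = set()
    for line in cfg.splitlines():
        m = ACL_RE.match(line)
        if m and not line.rstrip().endswith(" inactive"):
            active.add(m.group(1))
    empties = []
    for line in cfg.splitlines():
        m = GROUP_RE.match(line)
        if m and m.group(1) not in active:
            empties.append((m.group(1), m.group(3), m.group(2)))
    return empties


def hairpin_allowed(cfg: str) -> bool:
    """True if traffic may enter and leave on the same interface."""
    return any(l.strip() == "same-security-traffic permit intra-interface"
               for l in cfg.splitlines())


def lint(cfg: str) -> List[str]:
    """Human-readable findings for the three checks."""
    findings = []
    for pool, mapped, real in find_pool_nat_conflicts(cfg):
        findings.append(f"static NAT {mapped} -> {real} overlaps VPN pool {pool} "
                        "(the contradiction described in the thread)")
    for acl, ifc, direction in find_empty_access_groups(cfg):
        findings.append(f"access-group {acl} {direction} on {ifc} has no active "
                        "ACE; only the implicit deny applies")
    if not hairpin_allowed(cfg):
        findings.append("same-security-traffic permit intra-interface is missing; "
                        "VPN clients arriving and leaving on one interface need it")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print("WARN:", finding)
```

Run against the constructed excerpt it reports the overlapping static and the inactive-only `inside_access_out_1` binding and stays silent on the hairpin line, which is present; removing the `static (inside,inside) 172.30.20.0 ...` line clears the first finding, matching the outcome the poster reported.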
