Remote users cannot access inside network with anyconnect on asa 5510

tater0214
Level 1

I have a Cisco ASA 5510 with AnyConnect set up. Users are able to connect just fine, and I have split tunneling set up to allow users to use the internet while connected; however, I cannot connect to or ping anything on the inside when I connect to the VPN. I have tried adding NAT rules based on other guides, but I am not sure if I'm just doing it wrong or if there is another issue. Any help would be greatly appreciated, and I have posted the config for reference.

23 Replies

Please try to amend this change and try again:

tunnel-group SSLVPN general-attributes
 no nat-assigned-to-public-ip Inside

This did not fix it, unfortunately.

I don't see anything wrong in your config, but packet-tracer can help us find the issue here.
Please run the command below.
NOTE: don't use an IP from the VPN pool that a client used before.

packet-tracer input outside tcp <vpn client IP> www <inside IP> www

This is the result from the packet trace, using an IP from the VPN pool not yet used and the inside interface IP:

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.3.1 255.255.255.255 identity

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.3.1 255.255.255.255 identity

Phase: 4
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.3.1 255.255.255.255 identity

Phase: 5
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.3.1 255.255.255.255 identity

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (no-route) No route to host

I am clearly no expert and don't understand most of this, but the 'Action: drop' doesn't seem great, and I am not sure why it is doing this.

Sorry, I must mention that you need to try again, but this time not using the Inside IP but any IP of the Inside subnet.
Also:

packet-tracer input outside tcp <vpn client IP> www <inside IP> www detail

Add 'detail' at the end of the command.

Ok, gotcha.

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.3.0 255.255.255.0 Inside

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (Inside,outside) source static any any destination static NETWORK_OBJ_192.168.5.0_24 NETWORK_OBJ_192.168.5.0_24 no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface Inside
Untranslate 192.168.3.50/80 to 192.168.3.50/80

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (Inside,outside) source static any any destination static NETWORK_OBJ_192.168.5.0_24 NETWORK_OBJ_192.168.5.0_24 no-proxy-arp route-lookup
Additional Information:
Forward Flow based lookup yields rule:
in id=0xae08ecd8, priority=6, domain=nat, deny=false
hits=139, user_data=0xae9ce398, cs_id=0x0, flags=0x0, protocol=0
src ip/id=192.168.5.0, mask=255.255.255.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=Inside

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xad752f80, priority=0, domain=nat-per-session, deny=false
hits=648758, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 5
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xa9881f80, priority=0, domain=permit, deny=true
hits=129715, user_data=0x9, cs_id=0x0, use_real_addr, flags=0x1000, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: Inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

So because it fails in the ACCESS-LIST type and the drop type was acl-drop, I'm assuming there is an issue with my access list, correct?
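A small parser, added here as an example and not part of the thread, that reads packet-tracer output like the traces above and reports the final action, the first phase whose Result was DROP, and the drop-reason code; it also handles the earlier trace shape where every phase says ALLOW but the final action is still drop (no-route). The trace embedded in it is a constructed, condensed sample in the same format.

```python
import re
from dataclasses import dataclass
from typing import Optional

@dataclass
class TraceVerdict:
    action: str                  # "allow" or "drop" from the closing Result block
    failed_phase: Optional[int]  # first phase whose Result was DROP, if any
    failed_type: Optional[str]   # that phase's Type, e.g. ACCESS-LIST or NAT
    drop_reason: Optional[str]   # code in parentheses, e.g. acl-drop or no-route

def parse_packet_tracer(text: str) -> TraceVerdict:
    # Only "key: value" lines carry state; rule dumps like "in id=0x..., priority=6" are skipped.
    phase = ptype = failed_phase = failed_type = drop_reason = None
    action = "unknown"
    for raw in text.splitlines():
        key, _, value = raw.strip().partition(":")
        value = value.strip()
        if key == "Phase":
            phase, ptype = int(value), None
        elif key == "Type":
            ptype = value
        elif key == "Result" and value.upper() == "DROP" and failed_phase is None:
            failed_phase, failed_type = phase, ptype   # first failing phase wins
        elif key == "Action":
            action = value.lower()
        elif key == "Drop-reason":
            m = re.match(r"\((.*?)\)", value)
            drop_reason = m.group(1) if m else value
    return TraceVerdict(action, failed_phase, failed_type, drop_reason)

def explain(v: TraceVerdict) -> str:
    # One-line reading of the verdict, pointing at what to check next.
    if v.action == "allow":
        return "allowed by every phase; if traffic still fails, look beyond the ASA"
    if v.failed_phase is None:
        return f"dropped ({v.drop_reason}) with no failing phase: check destination and routing"
    return f"dropped ({v.drop_reason}) in phase {v.failed_phase} {v.failed_type}"

# Constructed sample, condensed to the lines the parser keys on.
SAMPLE_ACL_DROP = "\n".join([
    "Phase: 1", "Type: ROUTE-LOOKUP", "Result: ALLOW",
    "Phase: 2", "Type: ACCESS-LIST", "Result: DROP", "Config:", "Implicit Rule",
    "Result:", "Action: drop", "Drop-reason: (acl-drop) Flow is denied by configured rule",
])
VERDICT = parse_packet_tracer(SAMPLE_ACL_DROP)   # -> phase 2 ACCESS-LIST, acl-drop
```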

First we need to add this temporary ACL on the outside interface:

access-group inbound in interface outside
access-list inbound extended permit tcp any any eq www

Second, for NAT, please remove any any and add INSIDE object instead.

nat (Inside,outside) source static any any destination static NETWORK_OBJ_192.168.5.0_24 NETWORK_OBJ_192.168.5.0_24

nat (Inside,outside) 1 source static INSIDE-Object INSIDE-Object destination static NETWORK_OBJ_192.168.5.0_24 NETWORK_OBJ_192.168.5.0_24

***Also, double check that you enter the IPs as shown below; if you swap the IPs we get a wrong packet-tracer result.
The VPN client IP must be entered before you enter the inside IP.

packet-tracer input outside tcp <vpn client IP> www <inside IP> www

Then try again.

Ok, I followed the first step; however, I was confused by the second step, 'second for NAT please remove any any and add INSIDE object instead', as I did not see any rule that was any any, so I went ahead and ran both commands and replaced 'INSIDE-Object' with my inside network object. That did not work, so I tried

no nat (Inside,outside) source static any any destination static NETWORK_OBJ_192.168.5.0_24 NETWORK_OBJ_192.168.5.0_24

because I thought that was what you meant by 'second for NAT please remove any any and add INSIDE object instead', and it still did not work.

EDIT: Now when I run packet-tracer I get:

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (Inside,outside) source static inside_nw inside_nw destination static NETWORK_OBJ_192.168.5.0_24 NETWORK_OBJ_192.168.5.0_24
Additional Information:
NAT divert to egress interface Inside
Untranslate 192.168.3.50/80 to 192.168.3.50/80

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inbound in interface outside
access-list inbound extended permit object-group DM_INLINE_SERVICE_1 any any
object-group service DM_INLINE_SERVICE_1
service-object ip
service-object icmp
service-object tcp destination eq www
Additional Information:
Forward Flow based lookup yields rule:
in id=0xae8a7740, priority=13, domain=permit, deny=false
hits=209, user_data=0xab49b500, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (Inside,outside) source static inside_nw inside_nw destination static NETWORK_OBJ_192.168.5.0_24 NETWORK_OBJ_192.168.5.0_24
Additional Information:
Static translate 192.168.5.199/80 to 192.168.5.199/80
Forward Flow based lookup yields rule:
in id=0xb11dc8a8, priority=6, domain=nat, deny=false
hits=14, user_data=0xae232aa8, cs_id=0x0, flags=0x0, protocol=0
src ip/id=192.168.5.0, mask=255.255.255.0, port=0, tag=0
dst ip/id=192.168.3.0, mask=255.255.255.0, port=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=Inside

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xad752f80, priority=0, domain=nat-per-session, deny=false
hits=672309, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xad521368, priority=0, domain=inspect-ip-options, deny=true
hits=392385, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any

Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (Inside,outside) source static inside_nw inside_nw destination static NETWORK_OBJ_192.168.5.0_24 NETWORK_OBJ_192.168.5.0_24
Additional Information:
Forward Flow based lookup yields rule:
out id=0xb11dc950, priority=6, domain=nat-reverse, deny=false
hits=15, user_data=0xae9cf960, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=192.168.5.0, mask=255.255.255.0, port=0, tag=0
dst ip/id=192.168.3.0, mask=255.255.255.0, port=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=Inside

Phase: 7
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xad752f80, priority=0, domain=nat-per-session, deny=false
hits=672311, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xaeb97280, priority=0, domain=inspect-ip-options, deny=true
hits=454884, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=Inside, output_ifc=any

Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 544031, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: Inside
output-status: up
output-line-status: up
Action: allow

So in theory it should be working, since all results were allow and the action was allow, right? However, it is not working.

That's great, everything now is OK.
Still, two points must be checked:
1- In the exemption NAT, add route-lookup.
2- If the Inside has a default route other than the Inside interface of the ASA,
then you need to configure a static route toward the Inside interface of the ASA for the VPN pool.

I think I was able to do the first step, but I get an error message saying the gateway cannot be the IP of an interface.

What I mean:
1- L3SW/R-ASA-Internet-AnyConnect client
You need a
static route for <VPN Pool> in the L3SW/R toward the Inside interface of the ASA.

2- You need this keyword:
nat (Inside,outside) source static inside_nw inside_nw destination static NETWORK_OBJ_192.168.5.0_24 NETWORK_OBJ_192.168.5.0_24 route-lookup

Ok, I did step 2, but I do not have a layer 3 switch/router on the inside network, so I think I will need to put one in. I will try that and report back.

I cannot for the life of me get this router to work. I'm not sure what's wrong with it, and I don't think my main outside router supports static routes. Is there something else I can try?

If you don't have any L3SW or router, then you don't need any static route.
NOW, just to check:
packet-tracer is now successful,
but for real, DID YOU REMOVE THE temporary ACL?
