cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4199
Views
0
Helpful
7
Replies

ASA: Unable to access outside interface from inside

benlemasurier
Level 1
Level 1

I think I'm having an issue with NAT translations coming from the inside network designated for the ASA's outside interface.

Networks:

External (ASA GE0/0):     216.x.x.34

Internal LAN (ASA GE0/1): 192.168.0.0/255.255.0.0

Nat configuration:

nat (outside,outside) source static obj-192.168 obj-192.168 destination static subnet_dc subnet_dc no-proxy-arp route-lookup

nat (inside,outside) source static lan_internal lan_internal destination static lan lan no-proxy-arp route-lookup

!

nat (inside,outside) after-auto source dynamic lan_internal interface

In the end, I need our wireless (non-trusted) users in the 192.168.x.x subnet to be able to connect to the external interface for VPN access. Can anyone point me in the right direction?

7 Replies 7

rizwanr74
Level 7
Level 7

If your inside network (192.168.0.0/16) need to access in the internet you need dynamic nat.

Please follow the example below.

object network obj-192.168.0.0

  subnet 192.168.0.0 255.255.0.0

  nat (inside, outside) dynamic interface

I hope this answers your question.

Thanks

Rizwan Rafeek

Thanks Rizwan,

Isn't that essentially what I've already defined?

I did try it however, with no luck (this is ASA 8.4(3)):

object network obj-192.168.0.0

  subnet 192.168.0.0 255.255.0.0

  nat (inside, outside) dynamic interface

nat (inside,outside) source dynamic obj-192.168 interface

Plese post your current running config on the forum for easier trouble shooting

thanks

Current running config (sanitized):

ASA Version 8.4(3)

!

hostname gw

domain-name internal.company.com

names

!

interface Ethernet0/0

nameif outside

security-level 0

ip address 216.x.x.x 255.255.255.224

!

interface Ethernet0/1

nameif inside

security-level 100

ip address 192.168.0.1 255.255.255.0

!            

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

boot system disk0:/asa843-k8.bin

ftp mode passive

clock timezone MST -7

dns domain-lookup outside

dns server-group DefaultDNS

name-server 8.8.8.8

domain-name internal.company.com

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object network subnet_a

subnet 192.168.20.0 255.255.255.0

object network subnet_a_wireless

subnet 192.168.21.0 255.255.255.0

object network subnet_b

subnet 192.168.10.0 255.255.255.0

object network subnet_b_wireless

subnet 192.168.11.0 255.255.255.0

object network subnet_c

subnet 192.168.30.0 255.255.255.0

object network subnet_c_wireless

subnet 192.168.31.0 255.255.255.0

object network subnet_dc

subnet 10.10.10.0 255.255.255.192

object network subnet_server

subnet 192.168.5.0 255.255.255.0

object network NETWORK_OBJ_192.168.0.0_24

subnet 192.168.0.0 255.255.255.0

object network subnet_primary

subnet 192.168.0.0 255.255.255.0

object network EXTERNAL_PAT

host 216.x.x.x

object network subnet_192.168.0.0

subnet 192.168.0.0 255.255.0.0

object network vpn_nat

subnet 192.168.0.0 255.255.0.0

object network obj-192.168

subnet 192.168.0.0 255.255.255.0

object-group network internal_lan_wireless

network-object object subnet_b_wireless

network-object object subnet_c_wireless

network-object object subnet_a_wireless

object-group network company_trusted_lan

network-object object subnet_a

network-object object subnet_b

network-object object subnet_c

network-object object subnet_server

network-object object subnet_dc

network-object object subnet_primary

object-group network company_lan

network-object object subnet_a

network-object object subnet_a_wireless

network-object object subnet_b

network-object object subnet_b_wireless

network-object object subnet_c

network-object object subnet_c_wireless

network-object object subnet_dc

network-object object subnet_primary

network-object object subnet_server

object-group network company_lan_internal

network-object object subnet_a

network-object object subnet_a_wireless

network-object object subnet_b

network-object object subnet_b_wireless

network-object object subnet_c

network-object object subnet_c_wireless

network-object object subnet_primary

network-object object subnet_server

access-list inside_access_in extended permit ip any any log disable

access-list global_access extended permit icmp any any log disable

access-list global_access extended permit ip any any log disable

access-list outside_access_in extended permit ip any any log disable

access-list outside_access_in extended permit icmp any any log disable

access-list split_tunnel extended permit ip object-group company_lan any log disable

access-list split_tunnel extended permit icmp object-group company_lan any log

access-list DC_VPN_TRAFFIC extended permit ip object subnet_192.168.0.0 object subnet_dc

access-list inside_access extended permit ip any any

access-list inside_acl extended permit ip object-group company_lan any

access-list inside_acl extended permit icmp object-group company_lan any

access-list outside_access_out extended permit ip any any log disable

access-list outside_access_out extended permit icmp any any log disable

pager lines 30

logging enable

logging buffered debugging

logging asdm notifications

mtu outside 1500

mtu inside 1500

mtu vpn 1500

mtu management 1500

ip local pool vpn_pool 192.168.0.101-192.168.0.254 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-647.bin

no asdm history enable

arp timeout 14400

nat (outside,outside) source static obj-192.168 obj-192.168 destination static subnet_dc subnet_dc no-proxy-arp route-lookup

nat (inside,outside) source static company_lan_internal company_lan_internal destination static company_lan company_lan no-proxy-arp route-lookup

!

nat (inside,outside) after-auto source dynamic company_lan_internal interface

access-group global_access global

!

router eigrp 10

no auto-summary

network 192.168.0.0 255.255.255.0

!

route outside 0.0.0.0 0.0.0.0 216.x.x.x 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa-server company protocol radius

aaa-server company (inside) host 192.168.5.29

key *

radius-common-pw *

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL

http server enable

http 192.168.1.0 255.255.255.0 management

http 192.168.0.0 255.255.0.0 inside

http redirect outside 80

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec ikev2 ipsec-proposal DES

protocol esp encryption des

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal 3DES

protocol esp encryption 3des

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES

protocol esp encryption aes

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES192

protocol esp encryption aes-192

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES256

protocol esp encryption aes-256

protocol esp integrity sha-1 md5

crypto ipsec fragmentation after-encryption outside

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map DC_VPN_MAP 1 match address DC_VPN_TRAFFIC

crypto map DC_VPN_MAP 1 set pfs

crypto map DC_VPN_MAP 1 set peer 204.x.x.x

crypto map DC_VPN_MAP 1 set ikev1 transform-set ESP-3DES-SHA

crypto map DC_VPN_MAP 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map DC_VPN_MAP interface outside

crypto ca trustpoint anyconnect_trustpoint

enrollment self

subject-name CN=gw

crl configure

crypto ca certificate chain anyconnect_trustpoint

certificate 48733d4f

  quit

crypto isakmp nat-traversal 21

crypto ikev2 policy 1

encryption aes-256

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 10

encryption aes-192

integrity sha

group 5 2

prf sha     

lifetime seconds 86400

crypto ikev2 policy 20

encryption aes

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 30

encryption 3des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 40

encryption des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 enable outside client-services port 443

crypto ikev2 remote-access trustpoint anyconnect_trustpoint

crypto ikev1 enable outside

crypto ikev1 policy 10

authentication crack

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 20

authentication rsa-sig

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 30

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 40

authentication crack

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 50

authentication rsa-sig

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 60

authentication pre-share

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 70

authentication crack

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 80

authentication rsa-sig

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 90

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 100

authentication crack

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 110

authentication rsa-sig

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 120

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 130

authentication crack

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 140

authentication rsa-sig

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 150

authentication pre-share

encryption des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh 192.168.0.0 255.255.0.0 inside

ssh 192.168.1.0 255.255.255.0 management

ssh timeout 60

console timeout 0

management-access inside

dhcpd address 192.168.0.20-192.168.0.100 inside

dhcpd dns 192.168.5.47 interface inside

dhcpd wins 192.168.5.29 interface inside

dhcpd ping_timeout 20 interface inside

dhcpd domain internal.company.com interface inside

dhcpd enable inside

!

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

!

threat-detection basic-threat

threat-detection statistics

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

ntp server 91.189.94.4 source outside prefer

ssl trust-point anyconnect_trustpoint outside

webvpn

enable outside

anyconnect image disk0:/anyconnect-win-2.5.3054-k9.pkg 1

anyconnect image disk0:/anyconnect-macosx-i386-2.5.3054-k9.pkg 2

anyconnect image disk0:/anyconnect-linux-64-2.5.3054-k9.pkg 3

anyconnect image disk0:/anyconnect-linux-2.5.3054-k9.pkg 4

anyconnect profiles company_anyconnect_client_profile disk0:/company_anyconnect_client_profile.xml

anyconnect enable

tunnel-group-list enable

group-policy DefaultRAGroup internal

group-policy DefaultRAGroup attributes

wins-server value 192.168.5.29

dns-server value 192.168.5.46

vpn-tunnel-protocol ikev1 ikev2 ssl-client

password-storage enable

split-tunnel-network-list value split_tunnel

default-domain value internal.company.com

group-policy DfltGrpPolicy attributes

dns-server value 8.8.8.8

password-storage enable

split-tunnel-policy tunnelspecified

split-tunnel-network-list value split_tunnel

default-domain value internal.company.com

group-policy company internal

group-policy company attributes

wins-server value 192.168.5.29

dns-server value 192.168.5.46

vpn-tunnel-protocol ikev1

password-storage enable

split-tunnel-network-list value split_tunnel

default-domain value internal.company.com

group-policy GroupPolicy_company_anyconnect internal

group-policy GroupPolicy_company_anyconnect attributes

wins-server value 192.168.5.29

dns-server value 192.168.5.46

vpn-tunnel-protocol ikev2 ssl-client

password-storage enable

split-tunnel-network-list value split_tunnel

default-domain value internal.company.com

webvpn

  anyconnect profiles value company_anyconnect_client_profile type user

tunnel-group DefaultRAGroup general-attributes

address-pool vpn_pool

authentication-server-group company LOCAL

default-group-policy DefaultRAGroup

tunnel-group DefaultRAGroup ipsec-attributes

ikev1 pre-shared-key *****

tunnel-group DefaultRAGroup ppp-attributes

authentication ms-chap-v2

tunnel-group DefaultWEBVPNGroup general-attributes

authentication-server-group company LOCAL

tunnel-group company_anyconnect type remote-access

tunnel-group company_anyconnect general-attributes

address-pool vpn_pool

authentication-server-group company LOCAL

default-group-policy GroupPolicy_company_anyconnect

tunnel-group company_anyconnect webvpn-attributes

group-alias company_anyconnect enable

tunnel-group company type remote-access

tunnel-group company general-attributes

address-pool vpn_pool

authentication-server-group company LOCAL

default-group-policy company

tunnel-group company ipsec-attributes

ikev1 pre-shared-key *

tunnel-group DC_VPN type ipsec-l2l

tunnel-group 204.x.x.x type ipsec-l2l

tunnel-group 204.x.x.x ipsec-attributes

ikev1 pre-shared-key *

!            

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

  inspect icmp

class class-default

  user-statistics accounting

!

service-policy global_policy global

Hi Ben,

"nat (inside,outside) source dynamic obj-192.168 interface"

object network obj-192.168

subnet 192.168.0.0 255.255.255.0

The mask your defined in the above object is /24, however your request was for /16.

only above network alone will be dynamic as per above maks in the obj-192.168

However your requested on your post, the network mask as /16.

object network obj-192.168.0.0

  subnet 192.168.0.0 255.255.0.0

  nat (inside, outside) dynamic interface

that is the difference as far as I can see but syntax is correct.

Look forward to hear from you.

Hi Rizwan,

The posted config did not include the fix you mentioned, that's the current running config (our object names just happened to be the same).

If I use the exact same config posted above and then add the following:

object network test-obj

  subnet 192.168.0.0 255.255.0.0

  nat (inside, outside) dynamic interface

I am still not able to access the VPN from an internal interface.

"I am still not able to access the VPN from an internal interface"

"In the end, I need our wireless (non-trusted) users in the 192.168.x.x subnet to be able to connect to the external interface for VPN access. Can anyone point me in the right direction"

I am no so cleaner what is that you are trying to, you cannot access internal network while remote in via remote-vpn client?

-------------------------------------------------------------------------------------------------------------------------------------

ip local pool vpn_pool 192.168.0.101-192.168.0.254 mask 255.255.255.0

interface Ethernet0/1

nameif inside

security-level 100

ip address 192.168.0.1 255.255.255.0

As you can see, these two segment are on the same network, can you break it down, to different mask /25?

Your setup is recipe routing nightmare ?

-------------------------------------------------------------------------------------------------------------------------------------

Please update me.

thanks

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: