AnyConnect connected with no network access

mau792
Level 1

Dear all,

I'm struggling with an ASA 5506 config for VPN.

Simple config: outside is static and connected to the provider router (192.168.0.0/24), and inside is 192.168.1.0/24. The ASA is not handling DHCP because there is a domain controller doing it, which is also the main DNS for the corp network.

AnyConnect was configured via the wizard. I'm able to connect and establish a VPN and get the IP assigned by the ASA (static). DNS and gateway are correctly assigned (ipconfig). However, there is no way to access the network. I cannot even ping the ASA on 192.168.1.1. I guess it might be related to a routing issue. On AnyConnect (on the Windows client) I have routing 0.0.0.0.

Thanks

1 Accepted Solution

Add the following for internet access

same-security-traffic permit intra-interface

object network NETWORK_OBJ_192.168.1.208_28
nat (OUTSIDE,OUTSIDE) dynamic interface

When you say web services are not working, do you mean internally hosted web services or internet access? Can you access RDP servers via their hostname or only the IP address?

Amend your group-policy:-

group-policy GroupPolicy_AnyConnectSSL attributes
dns-server value 192.168.1.21
no split-dns value 192.168.1.21 8.8.8.8
no split-tunnel-all-dns enable

18 Replies

Hi,
Potentially it could be a NAT issue. You will need a NAT exemption rule to ensure traffic between the Remote Access IP Pool and the internal networks is not NATted. Post your configuration for review.

HTH

Here we are:

ASA Version 9.8(2)
!
hostname ciscoasa
enable password **PASSWORD**
names
ip local pool VPNPool 192.168.1.210-192.168.1.250 mask 255.255.255.0

!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address 192.168.0.10 255.255.255.0
!
interface GigabitEthernet1/2
bridge-group 1
nameif inside_1
security-level 100
!
interface GigabitEthernet1/3
bridge-group 1
nameif inside_2
security-level 100
!
interface GigabitEthernet1/4
bridge-group 1
nameif inside_3
security-level 100
!
interface GigabitEthernet1/5
bridge-group 1
nameif inside_4
security-level 100
!
interface GigabitEthernet1/6
bridge-group 1
nameif inside_5
security-level 100
!
interface GigabitEthernet1/7
bridge-group 1
nameif inside_6
security-level 100
!
interface GigabitEthernet1/8
bridge-group 1
nameif inside_7
security-level 100
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
interface BVI1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
same-security-traffic permit inter-interface
object network obj_any1
subnet 0.0.0.0 0.0.0.0
object network obj_any2
subnet 0.0.0.0 0.0.0.0
object network obj_any3
subnet 0.0.0.0 0.0.0.0
object network obj_any4
subnet 0.0.0.0 0.0.0.0
object network obj_any5
subnet 0.0.0.0 0.0.0.0
object network obj_any6
subnet 0.0.0.0 0.0.0.0
object network obj_any7
subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_192.168.1.208_28
subnet 192.168.1.208 255.255.255.240
object network NETWORK_OBJ_192.168.1.0_24
subnet 192.168.1.0 255.255.255.0
access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside_1 1500
mtu inside_2 1500
mtu inside_3 1500
mtu inside_4 1500
mtu inside_5 1500
mtu inside_6 1500
mtu inside_7 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
!
object network obj_any1
nat (inside_1,outside) dynamic interface
object network obj_any2
nat (inside_2,outside) dynamic interface
object network obj_any3
nat (inside_3,outside) dynamic interface
object network obj_any4
nat (inside_4,outside) dynamic interface
object network obj_any5
nat (inside_5,outside) dynamic interface
object network obj_any6
nat (inside_6,outside) dynamic interface
object network obj_any7
nat (inside_7,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication login-history
http server enable
http 192.168.1.0 255.255.255.0 inside_1
http 192.168.1.0 255.255.255.0 inside_2
http 192.168.1.0 255.255.255.0 inside_3
http 192.168.1.0 255.255.255.0 inside_4
http 192.168.1.0 255.255.255.0 inside_5
http 192.168.1.0 255.255.255.0 inside_6
http 192.168.1.0 255.255.255.0 inside_7
no snmp-server location
no snmp-server contact
service sw-reset-button

**crypto**

telnet 192.168.1.0 255.255.255.0 inside_1
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
no vpn-addr-assign dhcp
vpn-addr-assign local reuse-delay 5
no ipv6-vpn-addr-assign aaa
no ipv6-vpn-addr-assign local

dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point **REMOTE FQDN** outside
ssl trust-point **REMOTE FQDN** inside_1
ssl trust-point **REMOTE FQDN** inside_2
ssl trust-point **REMOTE FQDN** inside_3
ssl trust-point **REMOTE FQDN** inside_4
ssl trust-point **REMOTE FQDN** inside_5
ssl trust-point **REMOTE FQDN** inside_6
ssl trust-point **REMOTE FQDN** inside_7
ssl trust-point **REMOTE FQDN** inside
webvpn
port 445
enable outside
dtls port 445
anyconnect image disk0:/anyconnect-win-4.8.01090-webdeploy-k9.pkg 1
anyconnect enable
tunnel-group-list enable
cache
disable
error-recovery disable
group-policy DfltGrpPolicy attributes
dns-server value 8.8.8.8
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client
group-policy GroupPolicy_AnyConnectSSL internal
group-policy GroupPolicy_AnyConnectSSL attributes
dns-server value 192.168.1.21 8.8.8.8
vpn-tunnel-protocol ssl-client ssl-clientless
default-domain none
split-dns value 192.168.1.21 8.8.8.8
split-tunnel-all-dns enable
address-pools value VPNPool
dynamic-access-policy-record DfltAccessPolicy
username **USERNAME** password **PASSWORD**
tunnel-group AnyConnectSSL type remote-access
tunnel-group AnyConnectSSL general-attributes
address-pool VPNPool
default-group-policy GroupPolicy_AnyConnectSSL
tunnel-group AnyConnectSSL webvpn-attributes
authentication aaa certificate
group-alias AnyConnectSSL enable
!
!
prompt hostname context
no call-home reporting anonymous
: end

Thanks

Try this:-

object network INSIDE_NET
subnet 192.168.0.0 255.255.255.0

nat (any,outside) source static INSIDE_NET INSIDE_NET destination static NETWORK_OBJ_192.168.1.208_28 NETWORK_OBJ_192.168.1.208_28 no-proxy-arp

Mmh not working...

Please provide the output of "show nat detail" and "show vpn-sessiondb detail anyconnect" - with the user logged in.

Run a packet-tracer from the CLI to simulate the VPN user connection and provide the output

Sorry for the delay:

With user logged in:

Result of the command: "show nat detail"

Auto NAT Policies (Section 2)
1 (inside_1) to (outside) source dynamic obj_any1 interface
translate_hits = 758164, untranslate_hits = 22050
Source - Origin: 0.0.0.0/0, Translated: 192.168.0.10/24
2 (inside_2) to (outside) source dynamic obj_any2 interface
translate_hits = 0, untranslate_hits = 0
Source - Origin: 0.0.0.0/0, Translated: 192.168.0.10/24
3 (inside_3) to (outside) source dynamic obj_any3 interface
translate_hits = 0, untranslate_hits = 0
Source - Origin: 0.0.0.0/0, Translated: 192.168.0.10/24
4 (inside_4) to (outside) source dynamic obj_any4 interface
translate_hits = 0, untranslate_hits = 0
Source - Origin: 0.0.0.0/0, Translated: 192.168.0.10/24
5 (inside_5) to (outside) source dynamic obj_any5 interface
translate_hits = 0, untranslate_hits = 0
Source - Origin: 0.0.0.0/0, Translated: 192.168.0.10/24
6 (inside_6) to (outside) source dynamic obj_any6 interface
translate_hits = 0, untranslate_hits = 0
Source - Origin: 0.0.0.0/0, Translated: 192.168.0.10/24
7 (inside_7) to (outside) source dynamic obj_any7 interface
translate_hits = 0, untranslate_hits = 0
Source - Origin: 0.0.0.0/0, Translated: 192.168.0.10/24

Result of the command: "show vpn-sessiondb detail anyconnect"

INFO: There are presently no active sessions

If that is all the NAT Policies defined then you don't appear to have defined the NAT exemption as previously mentioned. Your traffic is probably hitting the first Auto NAT rule #1.

What about running packet-tracer, what was the output of that? It would confirm which NAT rule you are hitting.

Thank you for your help.

I'm connected with user 192.168.1.210. ASA address is 192.168.1.1, router address is 192.168.0.1.

In the dropdown menu for the interface I only have inside_1 and outside as suitable. And obviously packets from 1.210 are flowing correctly to 1.1 in inside_1.

I'm losing a step somewhere to define the NAT rule. VPN is established correctly..

Also tried with the solution above, but it is not accepting it. Please check the attachment.

 

Paste the following from the CLI (using SSH)

object network INSIDE_NET
subnet 192.168.0.0 255.255.255.0

Then paste the NAT rule as above.

Command done, however I'm still not able to access the local and external networks once the VPN is connected. The connected host takes IP 192.168.1.210 as per the pool range (1.210 - 1.220).

Result of the command: "show nat detail"

Manual NAT Policies (Section 1)
1 (any) to (outside) source static INSIDE_NET INSIDE_NET destination static NETWORK_OBJ_192.168.1.208_28 NETWORK_OBJ_192.168.1.208_28 no-proxy-arp
translate_hits = 1, untranslate_hits = 1
Source - Origin: 192.168.0.0/24, Translated: 192.168.0.0/24
Destination - Origin: 192.168.1.208/28, Translated: 192.168.1.208/28

Auto NAT Policies (Section 2)
1 (inside_1) to (outside) source dynamic obj_any1 interface
translate_hits = 780505, untranslate_hits = 22308
Source - Origin: 0.0.0.0/0, Translated: 192.168.0.10/24
2 (inside_2) to (outside) source dynamic obj_any2 interface
translate_hits = 0, untranslate_hits = 0
Source - Origin: 0.0.0.0/0, Translated: 192.168.0.10/24
3 (inside_3) to (outside) source dynamic obj_any3 interface
translate_hits = 0, untranslate_hits = 0
Source - Origin: 0.0.0.0/0, Translated: 192.168.0.10/24
4 (inside_4) to (outside) source dynamic obj_any4 interface
translate_hits = 0, untranslate_hits = 0
Source - Origin: 0.0.0.0/0, Translated: 192.168.0.10/24
5 (inside_5) to (outside) source dynamic obj_any5 interface
translate_hits = 0, untranslate_hits = 0
Source - Origin: 0.0.0.0/0, Translated: 192.168.0.10/24
6 (inside_6) to (outside) source dynamic obj_any6 interface
translate_hits = 0, untranslate_hits = 0
Source - Origin: 0.0.0.0/0, Translated: 192.168.0.10/24
7 (inside_7) to (outside) source dynamic obj_any7 interface
translate_hits = 0, untranslate_hits = 0
Source - Origin: 0.0.0.0/0, Translated: 192.168.0.10/24

I'm still stuck on this..

Up pls

Remove that existing NAT rule; it's actually incorrect.

no nat (any,outside) source static INSIDE_NET INSIDE_NET destination static NETWORK_OBJ_192.168.1.208_28 NETWORK_OBJ_192.168.1.208_28 no-proxy-arp

Add this rule

nat (any,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static NETWORK_OBJ_192.168.1.208_28 NETWORK_OBJ_192.168.1.208_28 no-proxy-arp

Then try again

HTH
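To see why the first exemption rule (source INSIDE_NET, 192.168.0.0/24) never matched the thread's traffic while the replacement (source NETWORK_OBJ_192.168.1.0_24) does, here is an added example, not code from this thread or from Cisco, that models the ASA's NAT lookup order in Python: Manual NAT (Section 1) is consulted before Auto NAT (Section 2) and the first match wins. The helper names, the simplified matching (forward direction only, no Section 3) and the sample LAN host 192.168.1.50 are assumptions.

```python
import ipaddress

# Hypothetical, simplified model of how the ASA orders NAT lookups:
# Manual NAT (Section 1) is checked before Auto/Object NAT (Section 2),
# and the first matching rule wins. Not Cisco's implementation: Section 3
# and the reverse (untranslate) direction are ignored.

def _net(cidr):
    return ipaddress.ip_network(cidr)

def lookup(section1, section2, src_if, dst_if, src_ip, dst_ip):
    """Return (rule_name, translated_source) for one flow."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    # Section 1: twice-NAT identity rules (src and dst both fixed) -> no change
    for name, sif, dif, snet, dnet in section1:
        if sif in (src_if, "any") and dif == dst_if \
                and src in _net(snet) and dst in _net(dnet):
            return name, str(src)
    # Section 2: object NAT "dynamic interface" -> PAT to the egress address
    for name, sif, dif, snet, xlate in section2:
        if sif == src_if and dif == dst_if and src in _net(snet):
            return name, xlate
    return "no-nat", str(src)

# Rules as they appear in the thread's "show nat detail" output.
AUTO_NAT = [("obj_any1", "inside_1", "outside", "0.0.0.0/0", "192.168.0.10")]
FIRST_TRY = [("INSIDE_NET exemption", "any", "outside",
              "192.168.0.0/24", "192.168.1.208/28")]
CORRECTED = [("NETWORK_OBJ_192.168.1.0_24 exemption", "any", "outside",
              "192.168.1.0/24", "192.168.1.208/28")]

def lan_reply_to_vpn_client(section1):
    """LAN host 192.168.1.50 (constructed) answering VPN client 192.168.1.210;
    the reply egresses 'outside' because the client sits behind the tunnel."""
    return lookup(section1, AUTO_NAT, "inside_1", "outside",
                  "192.168.1.50", "192.168.1.210")

if __name__ == "__main__":
    for label, rules in (("no exemption", []), ("first try", FIRST_TRY),
                         ("corrected", CORRECTED)):
        print(f"{label:13s} -> {lan_reply_to_vpn_client(rules)}")
```

With no exemption or with the 192.168.0.0/24 rule the reply falls through to obj_any1 and is PATted to 192.168.0.10, which is what "hitting the first Auto NAT rule #1" means; with the 192.168.1.0/24 identity rule the source stays 192.168.1.50.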

Thanks,

Still not working. What is 192.168.1.208 referring to?

Manual NAT Policies (Section 1)
1 (any) to (outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static NETWORK_OBJ_192.168.1.208_28 NETWORK_OBJ_192.168.1.208_28 no-proxy-arp
translate_hits = 62, untranslate_hits = 188
Source - Origin: 192.168.1.0/24, Translated: 192.168.1.0/24
Destination - Origin: 192.168.1.208/28, Translated: 192.168.1.208/28

Auto NAT Policies (Section 2)
1 (inside_1) to (outside) source dynamic obj_any1 interface
translate_hits = 933018, untranslate_hits = 29359
Source - Origin: 0.0.0.0/0, Translated: 192.168.0.10/24
2 (inside_2) to (outside) source dynamic obj_any2 interface
translate_hits = 0, untranslate_hits = 0
Source - Origin: 0.0.0.0/0, Translated: 192.168.0.10/24
3 (inside_3) to (outside) source dynamic obj_any3 interface
translate_hits = 0, untranslate_hits = 0
Source - Origin: 0.0.0.0/0, Translated: 192.168.0.10/24
4 (inside_4) to (outside) source dynamic obj_any4 interface
translate_hits = 0, untranslate_hits = 0
Source - Origin: 0.0.0.0/0, Translated: 192.168.0.10/24
5 (inside_5) to (outside) source dynamic obj_any5 interface
translate_hits = 0, untranslate_hits = 0
Source - Origin: 0.0.0.0/0, Translated: 192.168.0.10/24
6 (inside_6) to (outside) source dynamic obj_any6 interface
translate_hits = 0, untranslate_hits = 0
Source - Origin: 0.0.0.0/0, Translated: 192.168.0.10/24
7 (inside_7) to (outside) source dynamic obj_any7 interface
translate_hits = 0, untranslate_hits = 0
Source - Origin: 0.0.0.0/0, Translated: 192.168.0.10/24
