I have a problem and a question regarding the VPN/Anyconnect for ASA 5505. I have excluded most of the configuration I figured wasn't related to this issue.
What works: the VPN connection can be established and I can get an IP address from the DHCP scope. I can ping the gateways for my 2 internal networks from a switch behind the ASA with the respective VLANs as source.
Problem: I can't ping around the network behind the ASA. From the client I can't ping the gateway of the VPN network and I can't ping the server network. From the switch I can't ping 188.8.131.52 and I can't ping between the 2 VLANs. The log when trying to ping:
Jan 07 2008 01:05:27 %ASA-6-110002: Failed to locate egress interface for ICMP from Outside:10.5.250.105/1 to 192.168.100.1/0
My questions: I'm not quite sure how the ASA acts in regards to the ACL. Do I need the second line in my Server and Inside ACLs to allow access from one network to the other? Would it be smarter to create the server network on another DHCP device (router) and simply route it into the ASA? And of course, can anyone help me get the configuration to work?
Green is Outside. Red is Server/device area. Blue is VPN connection.
ASA Version 9.1(6)10
!
! Trunk carrying the two internal VLANs (192 = Server, 250 = ElevInside)
switchport trunk allowed vlan 192,250
switchport mode trunk
!
! Allow traffic between, and hairpinned on, interfaces of equal security level
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
!
! Outside interface address (public, masked)
ip address 1x.2x.1.2x 255.255.255.248
object network Outside_IP
object network obj_any
 subnet 0.0.0.0 0.0.0.0
!
! Server interface, 192.168.100.0/24 (VLAN 192)
ip address 192.168.100.1 255.255.255.0
access-list Server_access_in extended permit ip 192.168.100.0 255.255.255.0 any
access-list Server_access_in extended permit ip 10.5.250.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list Server_access_in extended permit icmp any any
access-list Server_access_in extended deny ip any any
object network Server
 subnet 192.168.100.0 255.255.255.0
! Object NAT: PAT the server network to the Outside address
object network Server
 nat (Server,Outside) dynamic interface
!
! ElevInside interface, 10.5.250.0/24 (VLAN 250); VPN clients get DHCP addresses from this range
ip address 10.5.250.1 255.255.255.0
access-list ElevInside_access_in extended permit ip 10.5.250.0 255.255.255.0 any
access-list ElevInside_access_in extended permit ip 192.168.100.0 255.255.255.0 10.5.250.0 255.255.255.0
access-list ElevInside_access_in extended permit icmp any any
access-list ElevInside_access_in extended deny ip any any
object network ElevInside
 subnet 10.5.250.0 255.255.255.0
! Object NAT: PAT the ElevInside network to the Outside address
object network ElevInside
 nat (ElevInside,Outside) dynamic interface
object-group network ElevObject
 network-object 10.5.250.0 255.255.255.0
!
! Split-tunnel list pushed to AnyConnect clients
access-list ElevSplit remark Elev250
access-list ElevSplit standard permit 10.5.250.0 255.255.255.0
access-list ElevSplit remark Server192
access-list ElevSplit standard permit 192.168.100.0 255.255.255.0
!
! Manual (twice) NAT: identity rules so traffic between the two VLANs is not translated
nat (ElevInside,Server) source static ElevInside ElevInside destination static Server Server no-proxy-arp
nat (Server,ElevInside) source static Server Server destination static ElevInside ElevInside no-proxy-arp
!
! Apply the inbound ACLs
access-group ElevInside_access_in in interface ElevInside
access-group Server_access_in in interface Server
!
! Default route via the ISP next hop (masked)
route Outside 0.0.0.0 0.0.0.0 1x.2x.1.2x 1
!
! Default inspection policy (excerpt)
inspect dns preset_dns_map
inspect h323 h225
inspect h323 ras
I am a little confused regarding the topology. Do the VPN users come in to the ASA on the Outside or the ElevInside interface? Ideally, when VPN users come in from the outside, the routing table should route you to any of your internal interfaces, unless you are using NAT rules to route. In your case, you do not need to add any ACLs from outside to inside for VPN traffic (this is bypassed by default by the "sysopt connection permit-vpn" command).
In order to exempt traffic from outside to inside, you can duplicate the nat rules you created before:
nat (Outside,Server) source static VPN VPN destination static Server Server no-proxy-arp route-lookup
Assuming VPN is the object for the VPN pool subnet.
Maybe I have gotten the topology all wrong, apologies if so :)
VPN users connect on the public IP 1x.2x.1.2x. They get a DHCP address in the ElevInside network. Yes, the ASA should know all the networks and there is, as far as I understand, built-in functionality to allow traffic from a more secured (ElevInside) to a less secured (Server) interface by default. I know the configuration on here says security-level 100 on Server, but I have tried with a lower setting.
Even though you get a DHCP IP address from the inside subnet range, VPN traffic is coming in from the Public interface, so all policies should be between the Public and Server interfaces. Create a NAT rule as below:
nat (Server,Outside) source static Server Server destination static ElevInside ElevInside no-proxy-arp route-lookup
This is a NAT exemption rule to allow traffic to go between the Server and Outside interfaces without any translation.
Okay, I get that and I see the logic.
I applied the rule, but it didn't change anything. I've attached a small topology for the setup. When I run "ping 192.168.100.1 source vlan 250" from the switch (.10) I get this error. This is the ASA trying to answer the ping, but it's trying to send the response out the Server interface instead of ElevInside.
Jan 12 2008 21:14:40 %ASA-6-110003: Routing failed to locate next hop for icmp from Server:192.168.100.1/0 to Server:10.5.250.10/0
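Pulling the two answers together, here is a complete set of identity-NAT, ACL and verification commands as an added example; it is not from any post in this thread and has not been applied to the poster's box. It reuses the interface and object names from the posted configuration and assumes, as both answers did, an object named VPN for the AnyConnect address pool; the pool range 10.5.250.100-199 and the test host 192.168.100.50 on the Server network are hypothetical.

```cisco
! Added example, not from the thread. Interface and object names follow the
! posted configuration; the VPN object range and the host 192.168.100.50 are
! assumptions.

! 1. Give the AnyConnect pool its own object. The range below stands in for
!    the DHCP scope the thread describes (inside the ElevInside subnet); a
!    dedicated subnet that overlaps no internal VLAN is easier to reason
!    about, but the rules below work either way.
object network VPN
 range 10.5.250.100 10.5.250.199

! 2. Identity NAT (no translation) for decrypted VPN traffic toward each
!    internal interface. Manual NAT (section 1) is evaluated before the
!    object-NAT PAT rules on Server and ElevInside, so VPN flows are never
!    PATed to the Outside address. "route-lookup" makes the routing table,
!    not the interface pair named in the rule, choose the egress interface;
!    the ASA installs a /32 route via Outside for every connected client.
nat (Outside,Server) source static VPN VPN destination static Server Server no-proxy-arp route-lookup
nat (Outside,ElevInside) source static VPN VPN destination static ElevInside ElevInside no-proxy-arp route-lookup

! 3. An inbound ACL only sees traffic entering that interface, so an ACE whose
!    source is the other VLAN's subnet can never match there (the second line
!    of each posted ACL). Decrypted VPN traffic bypasses these ACLs because
!    "sysopt connection permit-vpn" is on by default. If the two VLANs are
!    meant to be separated, this is the place to narrow it, e.g. on Server:
no access-list Server_access_in extended permit ip 10.5.250.0 255.255.255.0 192.168.100.0 255.255.255.0
no access-list Server_access_in extended permit ip 192.168.100.0 255.255.255.0 any
no access-list Server_access_in extended permit icmp any any
no access-list Server_access_in extended deny ip any any
access-list Server_access_in extended permit icmp 192.168.100.0 255.255.255.0 any
access-list Server_access_in extended permit ip 192.168.100.0 255.255.255.0 any
access-list Server_access_in extended deny ip any any
! (mirror the same pattern for ElevInside_access_in with 10.5.250.0/24 as source)

! 4. Verification (exec mode). Test against a host behind the interface, not
!    the interface IP itself: reaching the address of an interface other than
!    the one you arrive on is a to-the-box flow, and over a VPN it also needs
!    "management-access <interface>" (only one interface may be named).
!    Defaults are hidden from "show run", so use "all" to see the sysopt line.
show running-config all sysopt
show nat detail
show route
show vpn-sessiondb anyconnect
packet-tracer input ElevInside icmp 10.5.250.10 8 0 192.168.100.50 detailed
debug icmp trace
show logging | include 1100
```

The packet-tracer run walks the ElevInside-to-Server path phase by phase (ACL, NAT, route), which is the quickest way to see whether the identity NAT or the ACL is what the switch-sourced ping is hitting; `debug icmp trace` then shows each echo and reply with the interface it was received on and sent from, so a reply leaving the wrong interface (the 110003 case above) is visible directly. Syslog IDs 110002 and 110003 are the "no egress interface" and "no next hop" messages seen in this thread.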