03-08-2016 05:00 AM
Hi all,
Hope you're doing fine. I have checked other questions but unfortunately I didn't find any related to my query. I am just a beginner here, so I will really appreciate it if the pros help me out here. Thank you!
Here is the problem. I have set up a VPN ASA 5505. I have set up two local networks (one that is directly connected where I sit and the other that I have connected to my local network by adding static route) where I operate this Firewall. Now I want access to both local networks from "Outside" interface of ASA 5505.
I can easily access the local network that is at my place, but I cannot access the other one when I come in through the VPN, whereas I can ping the other network from the ASA 5505 with no problem. As far as I have troubleshot it, I found that "NAT reverse path failure" is the error when I try to access the other network by connecting through the VPN.
Now, if you have understood the scenario, I just need to know what it is that I am missing.
Your help will be highly appreciated.
Thank You!
Regards,
Ali
03-08-2016 05:08 AM
Hi Ali,
Can you share the VPN config along with NAT and
You might want to make sure that the network has a route for the VPN subnet pointing to the ASA.
Regards,
Dinesh Moudgil
P.S. Please rate helpful posts.
03-08-2016 05:58 AM
:
ASA Version 8.3(1)
!
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.11.100 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address (Hidden) (Hidden)
!
interface Vlan5
nameif dmz
security-level 50
no ip address
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
duplex full
!
interface Ethernet0/2
!
interface Ethernet0/3
switchport protected
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_192.168.11.0_24
subnet 192.168.11.0 255.255.255.0
object network NETWORK_OBJ_192.168.11.80_28
subnet 192.168.11.80 255.255.255.240
object network OBJ_GENERIC_ALL
subnet 0.0.0.0 0.0.0.0
object-group service DM_INLINE_SERVICE_1
service-object ip
service-object udp
service-object tcp destination eq www
service-object tcp destination eq https
service-object udp destination eq www
service-object tcp destination eq ssh
service-object tcp destination eq telnet
object-group service DM_INLINE_SERVICE_2
service-object udp
service-object tcp
service-object tcp destination eq www
service-object tcp destination eq https
service-object udp destination eq www
service-object tcp destination eq ssh
service-object tcp destination eq telnet
object-group service DM_INLINE_SERVICE_4
service-object ip
service-object tcp destination eq telnet
object-group network DM_INLINE_NETWORK_1
network-object (hidden) (hidden)
network-object object NETWORK_OBJ_192.168.11.0_25
object-group service DM_INLINE_SERVICE_3
service-object udp
service-object tcp destination eq www
service-object tcp destination eq https
service-object tcp destination eq ssh
service-object tcp destination eq telnet
object-group service DM_INLINE_SERVICE_5
service-object ip
service-object tcp destination eq www
service-object tcp destination eq https
object-group service DM_INLINE_SERVICE_6
service-object ip
service-object tcp destination eq www
service-object tcp destination eq https
service-object tcp destination eq telnet
logging enable
logging monitor alerts
logging asdm informational
logging flash-bufferwrap
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool Local-pool 192.168.11.85-192.168.11.90 mask 255.255.255.0
ip local pool Local-khr 192.168.10.85-192.168.10.90 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
no asdm history enable
arp timeout 14400
nat (inside,outside) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static NETWORK_OBJ_192.168.11.80_28 NETWORK_OBJ_192.168.11.80_28
!
object network obj_any
nat (inside,outside) dynamic interface
object network OBJ_GENERIC_ALL
nat (inside,outside) dynamic interface
object network inside-test-server
nat (inside,outside) static (hidden)
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group global_access global
!
router rip
version 1
!
route outside 0.0.0.0 0.0.0.0 (hidden) 1
route inside 192.168.10.0 255.255.255.0 192.168.11.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
snmp-server enable traps ipsec start
snmp-server enable traps remote-access session-threshold-exceeded
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 1
lifetime 86400
crypto isakmp nat-traversal 21
vpn-addr-assign local reuse-delay 1
telnet 192.168.11.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.11.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
!
class-map global-class
match default-inspection-traffic
!
!
policy-map global-policy
class global-class
inspect http
inspect icmp
inspect ip-options
!
service-policy global-policy global
pop3s
default-group-policy DfltGrpPolicy
authorization-dn-attributes EA OU
profile CiscoTAC-1
hpm topN enable
: end
03-08-2016 06:02 AM
I see a
route inside 192.168.10.0 255.255.255.0 192.168.11.1 1
Can you confirm if this is the one that you are not able to
Regards,
Dinesh Moudgil
P.S. Please rate helpful posts.
03-08-2016 06:21 AM
03-08-2016 06:38 AM
I have seen many cases where we see the issue occurring due to VPN pool subnet overlapping with
Your VPN pools are defined as
and you are also trying to access 192.168.10.0 so this may create issues.
Can you try using a totally different subnet for VPN pool and share the results.
For this you can do
let us suppose you need to access 192.168.10.0/24 present on inside interface behind
nat (inside,outside) source static obj_192.168.10.0_24 obj_192.168.10.0_24 destination static obj_10.10.10.0_24 obj_10.10.10.0_24 no-proxy-arp route-lookup
where object network as
object network obj_10.10.10.0_24
subnet 10.10.10.0 255.255.255.0
object network obj_192.168.10.0_24
subnet 192.168.10.0 255.255.255.0
Regards,
Dinesh Moudgil
P.S. Please rate helpful posts.
03-08-2016 07:19 AM
Thank you for the total explanation, Dinesh.
Let me explain one thing more: the 10.0 network is not accessible without 11.0, as I have a static route added to my switch that connects both these local networks, with 11.1 and 10.1 as gateways.
So if we look at the whole scenario that you have explained above, shouldn't I use 11.0_24 instead of 10.0_24?
03-08-2016 07:31 AM
Correct me if I am wrong but are you stating that from
Ideally,
A. You should have a route on the ASA pointing to the switch for a subnet that is not directly connected.
This is already present: "route inside 192.168.10.0 255.255.255.0 192.168.11.1 1"
B. On the switch, there should be a route pointing to the ASA for the VPN pool subnet.
Can you please verify this?
Regards,
Dinesh Moudgil
P.S. Please rate helpful posts.
03-08-2016 07:41 AM
Actually, I am able to access 192.168.10.0 from ASA internally and I have a static route present in switch and here as well.
I was asking about the object obj_192.168.10.0_24. Is it going to be right? Don't I have to be working on 11.0 rather than 10.0?
And I have tried the above configuration; when I make an IPsec profile using the 10.10.10.0 pool, it generates an error that "The address matches with your Static NAT".
I am sorry if I sound really dumb here, but I am trying to learn it all on my own.
03-08-2016 08:22 AM
Don't worry, Ali.
(The expert at anything was once a beginner)
In this case, do not use 10.10.10.10 and try any other IP e.g. 172.16.x.x.
"I was asking about the object obj_192.168.10.0_24. Is it going to be right? Don't I have to be working on 11.0 rather than 10.0?"
Can you please clarify this statement ?
Regards,
Dinesh Moudgil
P.S. Please rate helpful posts.
03-08-2016 09:28 AM
Thank you, Dinesh, for your support.
I have tried other IPs, but the issue is still the same. This time it can't access anything.
According to my knowledge
Do you want me to work like this?
1- Assign VPN POOL of 10.10.10.0_24 to any user who is trying to connect VPN.
2- Add a NAT that will translate that 10.10.10.0_24 IP address to 192.168.11.0_24 IP address.
3- I have to add another NAT that will translate 11.0 address to 192.168.10.0 address.
Am I right?
I have added another NAT to my old policy and it has started accessing 192.168.10.0 network.
Now there are two NAT rules currently active.
1- inside,outside static source 192.168.11.0/255.255.255.128 destination 192.168.11.80/255.255.255.240
2- inside outside static source any destination 192.169.11.80/255.255.255.240
But it sometimes connects and sometimes generates an error of "Inbound TCP connection denied from 192.168.10.41/80 to 192.168.11.86 (IP assigned through VPN pool to user) /port flags FIN ACK on interface inside".
03-08-2016 09:42 AM
I apologize if I was not clear enough. For accessing resources across VPN, we need to make sure the traffic is nat-exempted.
1- Assign VPN POOL of 10.10.10.0_24 to any user who is trying to connect VPN.
Yes, assign a VPN pool for subnet different
2- Add
We do not need to translate the IPs. We just need to
nat (inside,outside) source static obj_internal obj_internal destination static obj_remote obj_remote no-proxy-arp route-lookup
This command states to translate obj_internal to obj_internal whenever it needs to access obj_remote. So in essence, this is
3- I have to add another NAT that will translate 11.0 address to 192.168.10.0 address.
You
Hope this helps.
Regards,
Dinesh Moudgil
P.S. Please rate helpful posts.
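To make the advice in this answer (and the earlier suggestion with obj_192.168.10.0_24) concrete, here is an added example that is not from the thread or from Cisco: a simplified Python model of the ASA 8.3+ NAT lookup order (section 1 twice NAT before section 2 object NAT) and of the asymmetric check behind the "NAT reverse path failure" drop. It assumes a constructed outside interface address (203.0.113.1, standing in for the hidden one) and keeps the thread's own pool 192.168.11.80/28, inside exemption 192.168.11.0/25 and routed subnet 192.168.10.0/24; it models only the rules visible in the thread, not the full ASA NAT engine.

```python
# Simplified model of ASA NAT lookup order and the asymmetric-NAT check
# that produces the "NAT reverse path failure" (nat-rpf-failed) drop.
# Illustrative code written for this thread, not Cisco's implementation.
from ipaddress import ip_address, ip_network

OUTSIDE_IF = ip_address("203.0.113.1")          # constructed stand-in for the hidden outside IP
VPN_POOL = ip_network("192.168.11.80/28")       # NETWORK_OBJ_192.168.11.80_28 from the thread
REMOTE = ip_network("192.168.10.0/24")          # subnet behind the switch at 192.168.11.1

# Section 1: identity twice-NAT rules as (inside-side net, outside-side net), matched in
# both directions, like "nat (inside,outside) source static A A destination static B B".
def lookup(twice_nat, src, dst, ingress):
    """Return (rule_id, translated_src) for a packet entering on `ingress`."""
    for i, (inside_net, outside_net) in enumerate(twice_nat):
        if ingress == "inside" and src in inside_net and dst in outside_net:
            return f"twice-nat-{i}", src          # identity NAT: source unchanged
        if ingress == "outside" and src in outside_net and dst in inside_net:
            return f"twice-nat-{i}", src
    # Section 2: "object network obj_any / nat (inside,outside) dynamic interface"
    if ingress == "inside":
        return "obj_any-dynamic-pat", OUTSIDE_IF  # PAT to the outside interface address
    return None, src                              # no rule matched: left untranslated

def nat_rpf_check(twice_nat, src, dst, ingress):
    """Forward lookup and the reply's lookup must hit the same rule, else the ASA drops."""
    fwd_rule, _ = lookup(twice_nat, src, dst, ingress)
    reply_ingress = "inside" if ingress == "outside" else "outside"
    rev_rule, _ = lookup(twice_nat, dst, src, reply_ingress)
    return "pass" if fwd_rule == rev_rule else "drop: nat-rpf-failed"

# Before: only the exemption for the directly connected 192.168.11.0/25 exists.
before = [(ip_network("192.168.11.0/25"), VPN_POOL)]
# After: the identity rule for the routed 192.168.10.0/24 from the accepted answer is added.
after = before + [(REMOTE, VPN_POOL)]

client = ip_address("192.168.11.86")   # VPN user from the pool
server = ip_address("192.168.10.41")   # host on the routed subnet (from the syslog in the thread)

if __name__ == "__main__":
    print("before:", nat_rpf_check(before, client, server, "outside"))
    print("after: ", nat_rpf_check(after, client, server, "outside"))
```

Without the second rule the reply from 192.168.10.41 falls through to the obj_any dynamic PAT while the client's packet matched nothing, which is the asymmetry the ASA reports; with it, both directions hit the same identity rule.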
03-08-2016 10:29 AM
Hey Danish,
Yes, you're right. The thing I was missing was the NAT rule that would translate 11.0 to the 10.0 address. I just made that rule and things started working successfully.
Although I have not yet assigned any other subnet to the users, because I have many users currently using the 11.0 VPN pool, so I can't just delete that right now.
But yes, you've just described the perfect procedure to anyone (including me) who's looking for a perfect NAT translation.
Thank you so very much for helping me in the best possible way!
03-08-2016 10:46 AM
Glad to help with your query Ali :)
Let me know if you run into any other issues.
Regards,
Dinesh Moudgil