Cisco VPN Two Local Networks Inside

engr_alikhan (Level 1)

Hi all,

Hope you're doing fine. I have checked other questions but unfortunately I didn't find any related to my query. I am just a beginner here, so I would really appreciate it if the pros could help me out. Thank you!

Here is the problem. I have set up a VPN ASA 5505. I have set up two local networks (one that is directly connected where I sit and the other that I have connected to my local network by adding static route) where I operate this Firewall. Now I want access to both local networks from "Outside" interface of ASA 5505.

I can easily access the local network that is at my place, but I cannot access the other one when I come in through the VPN, whereas I can ping the other network from the ASA 5505 without any problem. As far as I have troubleshot it, I found that "NAT reverse path failure" is the error when I try to access the other network by connecting through the VPN.

Now, if you have understood the scenario, I just need to know what I am missing.
Your help will be highly appreciated.


Thank You!


Regards,
Ali

13 Replies

Dinesh Moudgil (Cisco Employee)

Hi Ali,

Can you share the VPN config along with the NAT and routes?
You might want to make sure that the network has a route for the VPN subnet pointing to the ASA.

Regards,
Dinesh Moudgil


P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

:
ASA Version 8.3(1)
!
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.11.100 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address (Hidden) (Hidden)
!
interface Vlan5
nameif dmz
security-level 50
no ip address
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
duplex full
!
interface Ethernet0/2
!
interface Ethernet0/3
switchport protected
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_192.168.11.0_24
subnet 192.168.11.0 255.255.255.0
object network NETWORK_OBJ_192.168.11.80_28
subnet 192.168.11.80 255.255.255.240
object network OBJ_GENERIC_ALL
subnet 0.0.0.0 0.0.0.0
object-group service DM_INLINE_SERVICE_1
service-object ip
service-object udp
service-object tcp destination eq www
service-object tcp destination eq https
service-object udp destination eq www
service-object tcp destination eq ssh
service-object tcp destination eq telnet
object-group service DM_INLINE_SERVICE_2
service-object udp
service-object tcp
service-object tcp destination eq www
service-object tcp destination eq https
service-object udp destination eq www
service-object tcp destination eq ssh
service-object tcp destination eq telnet
object-group service DM_INLINE_SERVICE_4
service-object ip
service-object tcp destination eq telnet
object-group network DM_INLINE_NETWORK_1
network-object (hidden) (hidden)
network-object object NETWORK_OBJ_192.168.11.0_25
object-group service DM_INLINE_SERVICE_3
service-object udp
service-object tcp destination eq www
service-object tcp destination eq https
service-object tcp destination eq ssh
service-object tcp destination eq telnet
object-group service DM_INLINE_SERVICE_5
service-object ip
service-object tcp destination eq www
service-object tcp destination eq https
object-group service DM_INLINE_SERVICE_6
service-object ip
service-object tcp destination eq www
service-object tcp destination eq https
service-object tcp destination eq telnet
logging enable
logging monitor alerts
logging asdm informational
logging flash-bufferwrap
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool Local-pool 192.168.11.85-192.168.11.90 mask 255.255.255.0
ip local pool Local-khr 192.168.10.85-192.168.10.90 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
no asdm history enable
arp timeout 14400
nat (inside,outside) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static NETWORK_OBJ_192.168.11.80_28 NETWORK_OBJ_192.168.11.80_28
!
object network obj_any
nat (inside,outside) dynamic interface
object network OBJ_GENERIC_ALL
nat (inside,outside) dynamic interface
object network inside-test-server
nat (inside,outside) static (hidden)
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group global_access global
!
router rip
version 1
!
route outside 0.0.0.0 0.0.0.0 (hidden) 1
route inside 192.168.10.0 255.255.255.0 192.168.11.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
snmp-server enable traps ipsec start
snmp-server enable traps remote-access session-threshold-exceeded
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 1
lifetime 86400
crypto isakmp nat-traversal 21
vpn-addr-assign local reuse-delay 1
telnet 192.168.11.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.11.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
!
class-map global-class
match default-inspection-traffic
!
!
policy-map global-policy
class global-class
inspect http
inspect icmp
inspect ip-options
!
service-policy global-policy global
pop3s
default-group-policy DfltGrpPolicy
authorization-dn-attributes EA OU
profile CiscoTAC-1
hpm topN enable
: end

I see a route:

route inside 192.168.10.0 255.255.255.0 192.168.11.1 1

Can you confirm that this is the one you are not able to access?



Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

Yes Dinesh, this is the one. When I connect through the VPN from another device and monitor the session through the other, I can see the error "NAT Reverse Path Failure" whenever I try to access anything in that 10.0 network. I am still confused about what NAT rule I should use here, if it's a NAT issue.

I have seen many cases where this issue occurs because the VPN pool subnet overlaps with an internal subnet.

Your VPN pools are defined as

ip local pool Local-pool 192.168.11.85-192.168.11.90 mask 255.255.255.0

ip local pool Local-khr 192.168.10.85-192.168.10.90 mask 255.255.255.0

and you are also trying to access 192.168.10.0, so this may create issues.
Can you try using a totally different subnet for the VPN pool and share the results?

For this you can do the NAT in the following way:
let us suppose you need to access 192.168.10.0/24, present on the inside interface behind the firewall, and you wish to allow VPN users (10.10.10.0/24) to access it. The NAT would then look like:

nat (inside,outside) source static obj_192.168.10.0_24 obj_192.168.10.0_24 destination static obj_10.10.10.0_24 obj_10.10.10.0_24 no-proxy-arp route-lookup

where the network objects are:
object network obj_10.10.10.0_24
subnet 10.10.10.0 255.255.255.0

object network obj_192.168.10.0_24
subnet 192.168.10.0 255.255.255.0

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

Thank you for the full explanation, Dinesh.
Let me explain one thing more: the 10.0 network is not accessible without 11.0, as I have a static route added to my switch that connects both these local networks, with 11.1 and 10.1 as gateways.

So if we look at the whole scenario that you have explained above, shouldn't I use 11.0_24 instead of 10.0_24?

Correct me if I am wrong, but are you stating that from the ASA you are not able to access 192.168.10.0 when sourcing the ping from the inside interface 192.168.11.100?

Ideally,
A. You should have a route on the ASA pointing to the switch for the subnet that is not directly connected.
This is already present: "route inside 192.168.10.0 255.255.255.0 192.168.11.1 1"

B. On the switch, there should be a route for the VPN pool subnet pointing to the ASA.

Can you please verify this?

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

Actually, I am able to access 192.168.10.0 from the ASA internally, and I have a static route present on the switch and here as well.

I was asking about the object obj_192.168.10.0_24. Is it going to be right? Don't I have to be working on 11.0 rather than 10.0?

And I have tried the above configuration: when I make an IPsec profile using the 10.10.10.0 pool, it generates the error "The address matches with your Static NAT".

I am sorry if I sound really dumb here, but I am trying to learn it all on my own.

Don't worry, Ali
(The expert at anything was once a beginner)

In this case, do not use 10.10.10.10 and try any other IP, e.g. 172.16.x.x.

"I was asking about the object obj_192.168.10.0_24. Is it going to be right? Don't I have to be working on 11.0 rather than 10.0?"

Can you please clarify this statement?


Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

Thank you Dinesh for your support.

I have tried another IP but the issue is still the same. This time it can't access anything.

According to my knowledge:

Do you want me to work like this?

1- Assign a VPN POOL of 10.10.10.0_24 to any user who is trying to connect to the VPN.
2- Add a NAT that will translate that 10.10.10.0_24 IP address to a 192.168.11.0_24 IP address.

3- I have to add another NAT that will translate the 11.0 address to a 192.168.10.0 address.
Am I right?

I have added another NAT to my old policy and it has started accessing 192.168.10.0 network.

Now there are two NAT rules currently active.

1- inside,outside static source 192.168.11.0/255.255.255.128 destination 192.168.11.80/255.255.255.240
2- inside outside static source any destination 192.169.11.80/255.255.255.240

But it sometimes connects and sometimes generates an error of "Inbound TCP connection denied from 192.168.10.41/80 to 192.168.11.86 (IP assigned through VPN pool to user) /port flags FIN ACK on interface inside"

Accepted Solution

I apologize if I was not clear enough. For accessing resources across the VPN, we need to make sure the traffic is NAT-exempted.

1- Assign a VPN POOL of 10.10.10.0_24 to any user who is trying to connect to the VPN.
Yes, assign a VPN pool from a subnet different from 192.168.x.x or 10.10.x.x so that it does not interfere with your current IP addressing.

2- Add a NAT that will translate that 10.10.10.0_24 IP address to a 192.168.11.0_24 IP address.

We do not need to translate the IPs. We just need to self-translate them, i.e. NAT-exempt them, as follows:


nat (inside,outside) source static obj_internal obj_internal destination static obj_remote obj_remote no-proxy-arp route-lookup

This command says: translate obj_internal to obj_internal whenever it accesses obj_remote. So in essence, this is a self-translation, or NAT exemption.

3- I have to add another NAT that will translate the 11.0 address to a 192.168.10.0 address.

You don't need any other NAT command.

Hope this helps.




Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/
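As an added example (not code from the thread or from Cisco): a small Python checker that applies the two tests Dinesh raises to an ASA 8.3-style config excerpt, i.e. whether a VPN pool overlaps an inside subnet, and whether each inside subnet has an identity (NAT-exempt) twice-NAT rule toward a pool. The function names and the constructed config excerpt are assumptions; real configs keep more statement kinds than this parser reads.

```python
import ipaddress
import re

# Statement kinds parsed; the NAT pattern is the 8.3+ twice-NAT form used in this thread.
OBJ_RE = re.compile(r"^object network (\S+)$")
SUBNET_RE = re.compile(r"^subnet (\S+) (\S+)$")
POOL_RE = re.compile(r"^ip local pool \S+ (\S+)-(\S+)")
NAT_RE = re.compile(r"^nat \(inside,outside\) source static (\S+) (\S+) destination static (\S+) (\S+)")

def parse_asa(config):
    """Return (objects: name -> network, pools: [(first, last)], exempts: [(src, dst)])."""
    objects, pools, exempts, current = {}, [], [], None
    for raw in config.splitlines():
        line = raw.strip()
        if m := OBJ_RE.match(line):
            current = m.group(1)
        elif (m := SUBNET_RE.match(line)) and current:
            objects[current] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
        elif m := POOL_RE.match(line):
            pools.append((ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))))
        elif m := NAT_RE.match(line):
            src, src_t, dst, dst_t = m.groups()
            if src == src_t and dst == dst_t:  # identity rule: each object maps to itself
                exempts.append((src, dst))
    return objects, pools, exempts

def _covers(obj, first, last):
    return obj is not None and first in obj and last in obj

def check_vpn_nat(config, internal_subnets):
    """Return (overlaps, missing): VPN pools colliding with an inside subnet, and
    inside subnets that have no identity NAT toward any VPN pool."""
    objects, pools, exempts = parse_asa(config)
    internal = [ipaddress.ip_network(s) for s in internal_subnets]
    overlaps = [(str(n), f"{a}-{b}") for n in internal for a, b in pools
                if a in n or b in n or a <= n.network_address <= b]
    missing = [str(n) for n in internal
               if not any(n.subnet_of(objects[s]) and any(_covers(objects.get(d), a, b) for a, b in pools)
                          for s, d in exempts if s in objects)]
    return overlaps, missing

# Constructed excerpt mirroring the thread's config: pool inside 192.168.11.0/24, exempt only for 11.0.
THREAD_CFG = """\
object network NETWORK_OBJ_192.168.11.0_24
 subnet 192.168.11.0 255.255.255.0
object network NETWORK_OBJ_192.168.11.80_28
 subnet 192.168.11.80 255.255.255.240
ip local pool Local-pool 192.168.11.85-192.168.11.90 mask 255.255.255.0
nat (inside,outside) source static NETWORK_OBJ_192.168.11.0_24 NETWORK_OBJ_192.168.11.0_24 destination static NETWORK_OBJ_192.168.11.80_28 NETWORK_OBJ_192.168.11.80_28
"""
if __name__ == "__main__":
    print(check_vpn_nat(THREAD_CFG, ["192.168.11.0/24", "192.168.10.0/24"]))
```

On the thread's excerpt it reports the pool overlapping 192.168.11.0/24 and no exemption for the routed 192.168.10.0/24; with a pool such as 172.16.50.0/24 and an identity rule per inside subnet it reports nothing.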

Hey Dinesh,
Yes, you're right. The thing I was missing was the NAT rule that would translate the 11.0 to the 10.0 address. I just made that rule and things started working successfully.

Although I have not yet assigned any other subnet to the users, because I have many users currently using the 11.0 VPN pool, so I can't just delete that right now.

But yes, you've just described the perfect procedure for anyone (including me) who's looking for a perfect NAT translation.

Thank you so very much for helping me in the best possible way!

Glad to help with your query Ali :)

Let me know if you run into any other issues.

Regards,
Dinesh Moudgil

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/