VPN on ASA 5508 - VPN clients can't ping LAN and don't have Internet

MihaiLun
Level 1

VPN: L2TP IPsec IKEv1 with split tunneling.
VPN Clients can connect and authenticate successfully but they lose access to the internet. Also the VPN clients can't ping the LAN IPs and don't have access to LAN PCs but it works from the LAN to VPN.

Internet IP: 192.168.2.85
LAN: 192.168.58.0/23
VPN Pool: 192.168.50.0/24

Can someone look at my config and point me in the right direction?

Thank you!

Edit: The router is currently being tested and placed in the private network behind another router. The VPN client connection was made from the private network that is the same network as the ASA WAN. Can this be the problem - the fact that it is not directly connected to the internet and was tested from the private network?

1 Accepted Solution

That explains it, split-tunnel is not supported on native Windows VPN client, you need AnyConnect to do that.

10 Replies

MihaiLun
Level 1

I put the ASA directly on the internet and now pings are working and I have access to LAN PCs, but still no internet over the split tunnel. Any ideas?

Hi,
EDIT: Sorry, I re-read, you are split-tunneling.

If you are split tunneling please provide the output from the "route details" tab in AnyConnect client.


From the cli of a computer connected to the VPN, can you resolve dns names? Run nslookup and provide the output for review.

HTH

Can you add this nat command:

!

object network obj_any
nat (outside,outside) dynamic interface


and check if this works

please do not forget to rate.

Thank you guys! but still not working.

The DNS on the client VPN side works - the names are resolved.

I put in the nat command and it is still not working. I can say that I already have something very similar in the config (any instead of outside):

!
object network obj_any
 nat (any,outside) dynamic interface
!

I added the output of ipconfig and route print from the VPN client side; maybe it helps.

From that output all VPN traffic is routed through the VPN tunnel, so you aren't split-tunneling.

Please connect to the VPN, then provide the output of "show vpn-sessiondb detail anyconnect" from the ASA cli.

Also run packet-tracer and provide the output, e.g. "packet-tracer input outside tcp 192.168.50.5 3000 8.8.8.8 80" - EDIT: in fact this is only necessary if you wanted to find out why you cannot access the internet through the VPN tunnel. It won't help if your intention is still to split-tunnel.

Thank you for your help!

Split tunnel was configured in the ASDM wizard and I know I ticked the check box for split tunnel.

Here is the output:


ciscoasa# show vpn-sessiondb
---------------------------------------------------------------------------
VPN Session Summary
---------------------------------------------------------------------------
Active : Cumulative : Peak Concur : Inactive
----------------------------------------------
IKEv1 IPsec/L2TP IPsec : 1 : 3 : 1
---------------------------------------------------------------------------
Total Active and Inactive : 1 Total Cumulative : 3
Device Total VPN Capacity : 100
Device Load : 1%
---------------------------------------------------------------------------

---------------------------------------------------------------------------
Tunnels Summary
---------------------------------------------------------------------------
Active : Cumulative : Peak Concurrent
----------------------------------------------
IKEv1 : 1 : 3 : 1
IPsecOverNatT : 1 : 3 : 1
L2TPOverIPsecOverNatT : 1 : 3 : 1
---------------------------------------------------------------------------
Totals : 3 : 9
---------------------------------------------------------------------------


ciscoasa# show vpn-sessiondb ra-ikev1-ipsec

Session Type: IKEv1 IPsec

Username : mihai Index : 61421
Assigned IP : 192.168.50.1 Public IP : ***
Protocol : IKEv1 IPsecOverNatT L2TPOverIPsecOverNatT
License : Other VPN
Encryption : IKEv1: (1)3DES IPsecOverNatT: (1)AES128 L2TPOverIPsecOverNatT: (1)none
Hashing : IKEv1: (1)SHA1 IPsecOverNatT: (1)SHA1 L2TPOverIPsecOverNatT: (1)none
Bytes Tx : 15992 Bytes Rx : 69097
Group Policy : DefaultRAGroup Tunnel Group : DefaultRAGroup
Login Time : 14:22:11 EEST Fri Jan 17 2020
Duration : 0h:12m:19s
Inactivity : 0h:00m:00s
VLAN Mapping : N/A VLAN : none
Audt Sess ID : c0a83a010efed0005e21a6f3
Security Grp : none

ciscoasa# packet-tracer input outside tcp 192.168.50.5 3000 8.8.8.8 80

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop *.*.*.225 using egress ifc outside

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
object network obj_any
nat (any,outside) dynamic interface
Additional Information:
Dynamic translate 192.168.50.5/3000 to *.*.*.227/3000

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: SFR
Subtype:
Result: ALLOW
Config:
class-map SFR
match access-list SFR
policy-map global_policy
class SFR
sfr fail-open
service-policy global_policy global
Additional Information:

Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network obj_any
nat (any,outside) dynamic interface
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

ciscoasa#

Looks like a NAT problem.

Should I delete:

object network obj_any
nat (any,outside) dynamic interface

and put

object network obj_any
nat (outside,outside) dynamic interface

or keep them both?

Edit: Tried both of the above and still no internet.
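Reading a long packet-tracer trace by hand is error-prone, and the drop phase is easy to miss among the ALLOW phases. As an added example (not from this thread, Cisco, or any poster), here is a small Python parser that walks the phases and reports the first one that drops the flow, run on an abridged, constructed copy of the trace posted above.

```python
SAMPLE = """Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
object network obj_any
nat (any,outside) dynamic interface
Additional Information:
Dynamic translate 192.168.50.5/3000 to *.*.*.227/3000
Phase: 9
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network obj_any
nat (any,outside) dynamic interface
Additional Information:
Result:
Drop-reason: (acl-drop) Flow is denied by configured rule
"""  # constructed sample: abridged copy of the trace posted in this thread

def parse_trace(text):
    # "Phase: N" opens a phase dict; the bare trailing "Result:" opens the summary.
    phases, summary, cur, section = [], {}, None, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith("Phase:"):
            phases.append(cur := {"number": int(line[6:]), "config": [], "info": []})
            section = None
        elif line == "Result:":              # trailing summary block
            cur = None
        elif cur is None:                    # key: value lines of the summary
            key, _, val = line.partition(":")
            summary[key] = val.strip()
        elif line in ("Config:", "Additional Information:"):
            section = "config" if line == "Config:" else "info"
        elif section is None:                # Type:/Subtype:/Result: of the phase
            key, _, val = line.partition(":")
            cur[key.lower()] = val.strip()
        else:
            cur[section].append(line)
    return phases, summary

def explain(text):
    # One-line verdict: the first phase with Result: DROP and the ASA drop reason.
    phases, summary = parse_trace(text)
    drop = next((p for p in phases if p.get("result") == "DROP"), None)
    if drop is None:
        return "ALLOW after %d phases" % len(phases)
    where = drop["type"] + ("/" + drop["subtype"] if drop["subtype"] else "")
    return "DROP at phase %d (%s): %s" % (drop["number"], where, summary.get("Drop-reason", "?"))
```

On the full trace above this reports the phase 9 NAT rpf-check drop together with its config lines, which is exactly the NAT rule to examine.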

Your Group Policy/Split tunnel configuration looks ok, can you check the "route details" tab under anyconnect and just confirm what routes are secured/non-secure.

If you are split-tunneling then the nat is not relevant for the user traffic, the error does confirm "rpf-check" issue. I assume you can access the internet from a computer on the inside of the ASA (not on the VPN tunnel)?

Can you provide the current configuration of the ASA please.

What version of ASA and AnyConnect software are you running?

ASA Version: 9.8(2)

I don't have AnyConnect so I can't provide you the routes from there. The connection is made with the Windows built-in VPN client.

LAN users have internet; only VPN users don't.

I will reinstall the VPN without split-tunnel and see if it works.

Thank you guys!


That explains it, split-tunnel is not supported on native Windows VPN client, you need AnyConnect to do that.

Thank you RJI!
