cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
954
Views
0
Helpful
6
Replies

Access Inside Network via AnyConnect Vpn

GrootLives
Level 1
Level 1

I know I'm missing some simple and obvious but I can't see it.

When connecting via anyconnect to an asa 5505 the vpn client cannot access the inside network. It can access the inside address of the asa: I can use asdm via the vpn to connect to the asa. Just can't connect further into the network. A machine connected directly to the asa is able to access the network.

Running asa version 9.2(4)28 and asdm 7.9(1)151 and used the vpn wizard to set it up. Just need to get this up and running quickly for a one-off use.

Sanitized config:

ASA Version 9.2(4)28
!
hostname ciscoasa
domain-name test.local
names
dns-guard
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.0.10 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 10.10.0.10 255.255.255.0
!
boot system disk0:/asa924-28-k8.bin
ftp mode passive
clock timezone AST -4
clock summer-time ADT recurring
dns domain-lookup inside
dns server-group DefaultDNS
name-server 192.168.0.1
name-server 192.168.0.2
domain-name test.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-791-151.bin
asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj_any
nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 10.10.0.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http server idle-timeout 15
http 10.0.0.0 255.255.255.0 inside
http 172.16.80.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
enrollment self
fqdn none
subject-name CN=192.168.0.10,CN=ciscoasa
keypair ASDM_LAUNCHER
crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_Launcher_Access_TrustPoint_0
certificate 4b10e95e
308201bf 30820128 a0030201 0202044b 10e95e30 0d06092a 864886f7 0d010105
05003024 310e300c 06035504 03130576 62353830 31123010 06035504 03130931
302e302e 38302e33 301e170d 32303036 31373133 31333239 5a170d33 30303631
35313331 3332395a 3024310e 300c0603 55040313 05766235 38303112 30100603
55040313 0931302e 302e3830 2e333081 9f300d06 092a8648 86f70d01 01010500
03818d00 30818902 818100a7 79b63677 8e358ea1 6179baf2 59359b15 4e00069a
bf012f41 4c68062c f5e4cea1 f8ce7617 7f25ae7b 5a5d09a6 43f1a4dd e5e3cd75
68da046c 5cd5c410 c648b3cd f9795e8e 05f147c0 8b18f9a2 9d116443 3f49e1cf
fac770f2 9c19fee7 62971511 1321dcae 115e26f7 abcd3174 5f839cd4 b2268200
54c74044 f160caa0 0c23df02 03010001 300d0609 2a864886 f70d0101 05050003
81810042 603b6a4c dbc2819c 556bb1cb 9fb03bfe fc9c6a7d 0b17771d adce4b4c
6e3a6ac6 6be0b9aa 34d25d62 f7b5ef2e 48800f2e 7f4a9a53 3320549d ec4cd954
eb40418d adbc018d 4780e21e f8efeb78 658d5843 9cad9440 bc21388b f5f7fd4f
f613d16d d8efbf75 1b1b8a5f 150d6ac6 94f5e2cc 85d7332a cf96c49e a08c6c4e
b2270d
quit
telnet 172.16.80.0 255.255.255.0 inside
telnet 10.0.0.0 255.255.255.0 inside
telnet timeout 15
no ssh stricthostkeycheck
ssh 10.0.0.0 255.255.255.0 inside
ssh 172.16.80.0 255.255.255.0 inside
ssh timeout 15
ssh version 2
ssh key-exchange group dh-group14-sha1
console timeout 15
management-access inside
vpn-addr-assign local reuse-delay 60

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 129.6.15.39 source outside
ntp server 129.6.15.28 source outside
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside vpnlb-ip
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside
webvpn
anyconnect image disk0:/anyconnect-win-4.5.03040-webdeploy-k9.pkg 1 regex "Windows NT"
username mikey password ******* encrypted
username mikey attributes
service-type remote-access
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:512ae545599759bb2958d1ecdcbbca28
: end

 

1 Accepted Solution

Accepted Solutions

Edit: Found the problem. Knew it was something simple.

The device behind the asa lacked a route back to the asa. No nat statements required.

View solution in original post

6 Replies 6

Hi,

This doesn't appear to be the full configuration.

Your traffic will probably being natted, you will need a NAT exemption rule to ensure the traffic between the RAVPN IP Pool and the inside network is not natted. E.g

 

object network LAN
subnet 192.168.0.0 255.255.255.0
object network RAVPN
subnet 192.168.10.0 255.255.255.0

nat (inside,outside) source static LAN LAN destination static RAVPN RAVPN

 HTH

That actually was the full config grabbed from a backup! Did a factory reset, used the setup wizard, used the vpn wizard. Quick and dirty! Now if only it worked. (Why do the "simple" tasks always consume 90% of your time)

ASA didn't seem to like that command. Gives me a hint on where to look at least.

 

So this is the configuration you've uploaded after you reset the device?
There is no RAVPN tunnel-group, group-policies etc. You'd obviously need to setup the RAVPN and then add the NAT exemption rule, otherwise the VPN traffic will hit your existing NAT rule and not work.

Lets try this again. Haven't committed changes so the startup-config contains none of the vpn stuff. Doh! And this is why doing 30 things at once is a bad idea.

Running config:

ASA Version 9.2(4)28
!
hostname ciscoasa
domain-name test.local
names
dns-guard
ip local pool 172.16.80.1-172.16.80.99 172.16.80.1-172.16.80.99 mask 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.10 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 10.10.0.10 255.255.255.0
!
boot system disk0:/asa924-28-k8.bin
ftp mode passive
clock timezone AST -4
clock summer-time ADT recurring
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 10.10.0.1
 name-server 10.10.0.2
 domain-name test.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network remote-network
 subnet 172.16.80.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-791-151.bin
asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj_any
 nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 10.10.0.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http server idle-timeout 15
http 192.168.0.0 255.255.255.0 inside
http 172.16.80.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
 enrollment self
 fqdn none
 subject-name CN=192.168.0.10,CN=ciscoasa
 keypair ASDM_LAUNCHER
 crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_Launcher_Access_TrustPoint_0
 certificate 4b10e95e
    308201bf 30820128 a0030201 0202044b 10e95e30 0d06092a 864886f7 0d010105
    05003024 310e300c 06035504 03130576 62353830 31123010 06035504 03130931
    302e302e 38302e33 301e170d 32303036 31373133 31333239 5a170d33 30303631
    35313331 3332395a 3024310e 300c0603 55040313 05766235 38303112 30100603
    55040313 0931302e 302e3830 2e333081 9f300d06 092a8648 86f70d01 01010500
    03818d00 30818902 818100a7 79b63677 8e358ea1 6179baf2 59359b15 4e00069a
    bf012f41 4c68062c f5e4cea1 f8ce7617 7f25ae7b 5a5d09a6 43f1a4dd e5e3cd75
    68da046c 5cd5c410 c648b3cd f9795e8e 05f147c0 8b18f9a2 9d116443 3f49e1cf
    fac770f2 9c19fee7 62971511 1321dcae 115e26f7 abcd3174 5f839cd4 b2268200
    54c74044 f160caa0 0c23df02 03010001 300d0609 2a864886 f70d0101 05050003
    81810042 603b6a4c dbc2819c 556bb1cb 9fb03bfe fc9c6a7d 0b17771d adce4b4c
    6e3a6ac6 6be0b9aa 34d25d62 f7b5ef2e 48800f2e 7f4a9a53 3320549d ec4cd954
    eb40418d adbc018d 4780e21e f8efeb78 658d5843 9cad9440 bc21388b f5f7fd4f
    f613d16d d8efbf75 1b1b8a5f 150d6ac6 94f5e2cc 85d7332a cf96c49e a08c6c4e
    b2270d
  quit
no ssh stricthostkeycheck
ssh 192.168.0.0 255.255.255.0 inside
ssh timeout 15
ssh version 2
ssh key-exchange group dh-group14-sha1
console timeout 15
management-access inside
vpn-addr-assign local reuse-delay 60

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 129.6.15.39 source outside
ntp server 129.6.15.28 source outside
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-4.5.03040-webdeploy-k9.pkg 1 regex "Windows NT"
 anyconnect enable
 tunnel-group-list enable
group-policy GroupPolicy_remote internal
group-policy GroupPolicy_remote attributes
 wins-server none
 dns-server value 10.10.0.1 10.10.0.2
 vpn-tunnel-protocol ssl-client
 default-domain value test.local
username mikey password ******* encrypted
username mikey attributes
 service-type remote-access
tunnel-group remote type remote-access
tunnel-group remote general-attributes
 address-pool 172.16.80.1-172.16.80.99
 default-group-policy GroupPolicy_remote
tunnel-group remote webvpn-attributes
 group-alias remote enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:c1a3dcc0185c2edd5a85a0f666960541
: end

 

Adding suggested nat statement kills all traffic: without can at least hit asa, with no traffic gets through.

The suggested NAT would apply when you have the VPN configured, how can you test it if you haven't pushed the VPN configuration? The NAT exemption rule would, if configured correctly, apply to traffic between the RAVPN IP Pool network and the inside network(s) only.

Apply the VPN configuration, re-add that NAT exemption rule, try again and then provide the output of "show nat detail" and provide the syntax of the NAT rule you added.

Edit: Found the problem. Knew it was something simple.

The device behind the asa lacked a route back to the asa. No nat statements required.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: