06-17-2020 10:25 AM - edited 06-17-2020 10:27 AM
I know I'm missing something simple and obvious, but I can't see it.
When connecting via AnyConnect to an ASA 5505, the VPN client cannot access the inside network. It can access the inside address of the ASA: I can use ASDM via the VPN to connect to the ASA. It just can't connect further into the network. A machine connected directly to the ASA is able to access the network.
Running ASA version 9.2(4)28 and ASDM 7.9(1)151, and I used the VPN wizard to set it up. I just need to get this up and running quickly for a one-off use.
Sanitized config:
ASA Version 9.2(4)28
!
hostname ciscoasa
domain-name test.local
names
dns-guard
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.10 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 10.10.0.10 255.255.255.0
!
boot system disk0:/asa924-28-k8.bin
ftp mode passive
clock timezone AST -4
clock summer-time ADT recurring
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 192.168.0.1
 name-server 192.168.0.2
 domain-name test.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-791-151.bin
asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj_any
 nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 10.10.0.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http server idle-timeout 15
http 10.0.0.0 255.255.255.0 inside
http 172.16.80.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
 enrollment self
 fqdn none
 subject-name CN=192.168.0.10,CN=ciscoasa
 keypair ASDM_LAUNCHER
 crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_Launcher_Access_TrustPoint_0
 certificate 4b10e95e
    308201bf 30820128 a0030201 0202044b 10e95e30 0d06092a 864886f7
    0d010105 05003024 310e300c 06035504 03130576 62353830 31123010
    06035504 03130931 302e302e 38302e33 301e170d 32303036 31373133
    31333239 5a170d33 30303631 35313331 3332395a 3024310e 300c0603
    55040313 05766235 38303112 30100603 55040313 0931302e 302e3830
    2e333081 9f300d06 092a8648 86f70d01 01010500 03818d00 30818902
    818100a7 79b63677 8e358ea1 6179baf2 59359b15 4e00069a bf012f41
    4c68062c f5e4cea1 f8ce7617 7f25ae7b 5a5d09a6 43f1a4dd e5e3cd75
    68da046c 5cd5c410 c648b3cd f9795e8e 05f147c0 8b18f9a2 9d116443
    3f49e1cf fac770f2 9c19fee7 62971511 1321dcae 115e26f7 abcd3174
    5f839cd4 b2268200 54c74044 f160caa0 0c23df02 03010001 300d0609
    2a864886 f70d0101 05050003 81810042 603b6a4c dbc2819c 556bb1cb
    9fb03bfe fc9c6a7d 0b17771d adce4b4c 6e3a6ac6 6be0b9aa 34d25d62
    f7b5ef2e 48800f2e 7f4a9a53 3320549d ec4cd954 eb40418d adbc018d
    4780e21e f8efeb78 658d5843 9cad9440 bc21388b f5f7fd4f f613d16d
    d8efbf75 1b1b8a5f 150d6ac6 94f5e2cc 85d7332a cf96c49e a08c6c4e
    b2270d
  quit
telnet 172.16.80.0 255.255.255.0 inside
telnet 10.0.0.0 255.255.255.0 inside
telnet timeout 15
no ssh stricthostkeycheck
ssh 10.0.0.0 255.255.255.0 inside
ssh 172.16.80.0 255.255.255.0 inside
ssh timeout 15
ssh version 2
ssh key-exchange group dh-group14-sha1
console timeout 15
management-access inside
vpn-addr-assign local reuse-delay 60
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 129.6.15.39 source outside
ntp server 129.6.15.28 source outside
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside vpnlb-ip
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside
webvpn
 anyconnect image disk0:/anyconnect-win-4.5.03040-webdeploy-k9.pkg 1 regex "Windows NT"
username mikey password ******* encrypted
username mikey attributes
 service-type remote-access
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:512ae545599759bb2958d1ecdcbbca28
: end
06-17-2020 10:37 AM
Hi,
This doesn't appear to be the full configuration.
Your traffic will probably be NATted; you will need a NAT exemption rule to ensure the traffic between the RAVPN IP pool and the inside network is not NATted. E.g.:
object network LAN
 subnet 192.168.0.0 255.255.255.0
object network RAVPN
 subnet 192.168.10.0 255.255.255.0
nat (inside,outside) source static LAN LAN destination static RAVPN RAVPN
HTH
06-17-2020 11:47 AM
That actually was the full config, grabbed from a backup! Did a factory reset, used the setup wizard, used the VPN wizard. Quick and dirty! Now if only it worked. (Why do the "simple" tasks always consume 90% of your time?)
The ASA didn't seem to like that command. It gives me a hint on where to look, at least.
06-17-2020 12:38 PM
06-18-2020 06:00 AM - edited 06-18-2020 06:05 AM
Let's try this again. I hadn't committed the changes, so the startup-config contained none of the VPN stuff. Doh! And this is why doing 30 things at once is a bad idea.
Running config:
ASA Version 9.2(4)28
!
hostname ciscoasa
domain-name test.local
names
dns-guard
ip local pool 172.16.80.1-172.16.80.99 172.16.80.1-172.16.80.99 mask 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.10 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 10.10.0.10 255.255.255.0
!
boot system disk0:/asa924-28-k8.bin
ftp mode passive
clock timezone AST -4
clock summer-time ADT recurring
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 10.10.0.1
 name-server 10.10.0.2
 domain-name test.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network remote-network
 subnet 172.16.80.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-791-151.bin
asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj_any
 nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 10.10.0.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http server idle-timeout 15
http 192.168.0.0 255.255.255.0 inside
http 172.16.80.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
 enrollment self
 fqdn none
 subject-name CN=192.168.0.10,CN=ciscoasa
 keypair ASDM_LAUNCHER
 crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_Launcher_Access_TrustPoint_0
 certificate 4b10e95e
    308201bf 30820128 a0030201 0202044b 10e95e30 0d06092a 864886f7
    0d010105 05003024 310e300c 06035504 03130576 62353830 31123010
    06035504 03130931 302e302e 38302e33 301e170d 32303036 31373133
    31333239 5a170d33 30303631 35313331 3332395a 3024310e 300c0603
    55040313 05766235 38303112 30100603 55040313 0931302e 302e3830
    2e333081 9f300d06 092a8648 86f70d01 01010500 03818d00 30818902
    818100a7 79b63677 8e358ea1 6179baf2 59359b15 4e00069a bf012f41
    4c68062c f5e4cea1 f8ce7617 7f25ae7b 5a5d09a6 43f1a4dd e5e3cd75
    68da046c 5cd5c410 c648b3cd f9795e8e 05f147c0 8b18f9a2 9d116443
    3f49e1cf fac770f2 9c19fee7 62971511 1321dcae 115e26f7 abcd3174
    5f839cd4 b2268200 54c74044 f160caa0 0c23df02 03010001 300d0609
    2a864886 f70d0101 05050003 81810042 603b6a4c dbc2819c 556bb1cb
    9fb03bfe fc9c6a7d 0b17771d adce4b4c 6e3a6ac6 6be0b9aa 34d25d62
    f7b5ef2e 48800f2e 7f4a9a53 3320549d ec4cd954 eb40418d adbc018d
    4780e21e f8efeb78 658d5843 9cad9440 bc21388b f5f7fd4f f613d16d
    d8efbf75 1b1b8a5f 150d6ac6 94f5e2cc 85d7332a cf96c49e a08c6c4e
    b2270d
  quit
no ssh stricthostkeycheck
ssh 192.168.0.0 255.255.255.0 inside
ssh timeout 15
ssh version 2
ssh key-exchange group dh-group14-sha1
console timeout 15
management-access inside
vpn-addr-assign local reuse-delay 60
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 129.6.15.39 source outside
ntp server 129.6.15.28 source outside
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-4.5.03040-webdeploy-k9.pkg 1 regex "Windows NT"
 anyconnect enable
 tunnel-group-list enable
group-policy GroupPolicy_remote internal
group-policy GroupPolicy_remote attributes
 wins-server none
 dns-server value 10.10.0.1 10.10.0.2
 vpn-tunnel-protocol ssl-client
 default-domain value test.local
username mikey password ******* encrypted
username mikey attributes
 service-type remote-access
tunnel-group remote type remote-access
tunnel-group remote general-attributes
 address-pool 172.16.80.1-172.16.80.99
 default-group-policy GroupPolicy_remote
tunnel-group remote webvpn-attributes
 group-alias remote enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:c1a3dcc0185c2edd5a85a0f666960541
: end
Adding the suggested NAT statement kills all traffic: without it I can at least hit the ASA; with it, no traffic gets through.
06-18-2020 07:02 AM - edited 06-18-2020 07:18 AM
The suggested NAT would apply when you have the VPN configured; how can you test it if you haven't pushed the VPN configuration? The NAT exemption rule would, if configured correctly, apply to traffic between the RAVPN IP pool network and the inside network(s) only.
Apply the VPN configuration, re-add that NAT exemption rule, try again and then provide the output of "show nat detail" and provide the syntax of the NAT rule you added.
06-18-2020 07:49 AM - edited 06-19-2020 09:26 AM
Edit: Found the problem. Knew it was something simple.
The device behind the ASA lacked a route back to the ASA. No NAT statements required.
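A small checker for the two things this thread turns on: the NAT exemption suggested in the first reply, and the LAN host's missing return route that turned out to be the real cause. This is an added example, not code from the thread or from Cisco; the ASA config excerpt and the LAN host's routing table are constructed from the thread's addresses, and the route check assumes a simple list of (prefix, gateway) pairs rather than real `ip route` output.

```python
import ipaddress
import re

# Constructed from the thread's running config: only the lines these checks need.
ASA_CONFIG = """\
ip local pool 172.16.80.1-172.16.80.99 172.16.80.1-172.16.80.99 mask 255.255.255.0
interface Vlan1
 nameif inside
 ip address 192.168.0.10 255.255.255.0
object network obj_any
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic interface
"""
# Constructed: a LAN host whose default gateway is the router at .1, not the ASA.
HOST_ROUTES = [("192.168.0.0/24", "direct"), ("0.0.0.0/0", "192.168.0.1")]

def pool_network(config):
    """The VPN pool as a network, from the pool's first address and its mask."""
    first, mask = re.search(r"^ip local pool \S+ (\S+)-\S+ mask (\S+)", config, re.M).groups()
    return ipaddress.ip_network(f"{first}/{mask}", strict=False)

def inside_interface(config):
    """(IP, network) of the interface whose nameif is 'inside'."""
    for m in re.finditer(r"^interface \S+\n((?: .*\n)+)", config, re.M):
        if re.search(r"^ nameif inside$", m.group(1), re.M):
            ip, mask = re.search(r"^ ip address (\S+) (\S+)", m.group(1), re.M).groups()
            return ipaddress.ip_address(ip), ipaddress.ip_network(f"{ip}/{mask}", strict=False)

def has_nat_exemption(config, inside_net, pool_net):
    """True if a twice-NAT identity rule (both ends mapped to themselves) covers inside<->pool."""
    objs = {m.group(1): ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
            for m in re.finditer(r"^object network (\S+)\n subnet (\S+) (\S+)", config, re.M)}
    rule = r"^nat \(inside,outside\) source static (\S+) \1 destination static (\S+) \2"
    return any(m.group(1) in objs and m.group(2) in objs
               and inside_net.subnet_of(objs[m.group(1)]) and pool_net.subnet_of(objs[m.group(2)])
               for m in re.finditer(rule, config, re.M))

def next_hop(routes, dst):
    """Longest-prefix lookup of address dst in the host table: gateway string, or None if unrouted."""
    hits = [(ipaddress.ip_network(n), gw) for n, gw in routes if dst in ipaddress.ip_network(n)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def diagnose(config, host_routes):
    """Findings behind 'client reaches the ASA but not the LAN'; empty means both checks pass."""
    pool, (asa_ip, inside) = pool_network(config), inside_interface(config)
    findings = [] if has_nat_exemption(config, inside, pool) else [
        f"no identity NAT between {inside} and {pool}; confirm with 'show nat detail'"]
    gw = next_hop(host_routes, pool[1])  # where the LAN host would send a reply to a pool address
    if gw != str(asa_ip):
        findings.append(f"LAN host sends replies for {pool} to {gw}, not to the ASA at {asa_ip}")
    return findings
```

On the thread's config and a host that defaults to the router at 192.168.0.1, `diagnose` reports both findings; adding the exemption with the real pool subnet and a host route for 172.16.80.0/24 via 192.168.0.10 clears them.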