Allowing external IP access through VPN Client

stever4321
Level 1

We are looking to allow our remote VPN users to access one external IP address.  Basically, once the user authenticates, when they try to access 202.1.56.19 they should be NAT'd out through the firewall's external interface.  Below is output from packet-tracer being denied on 'vpn encrypt' and also a snippet from the config.  On the client I can see that the route for 202.1.56.19 has been added, but it does not work.

Please advise should more information be required.  Thank you.

access-list INSIDE-OUT extended permit ip 10.15.160.0 255.255.255.0 any
access-list OUTSIDE-IN extended permit ip 10.15.160.0 255.255.255.0 any
access-group OUTSIDE-IN in interface OUTSIDE-IDC

access-list NONATIDC extended permit ip any 10.15.160.0 255.255.255.0

nat (INSIDE) 0 access-list NONATIDC
nat (INSIDE) 1 10.15.160.0 255.255.255.0
global (OUTSIDE-IDC) 1 128.15.155.2

group-policy CorpVPN internal
group-policy CorpVPN attributes
dns-server value 10.15.155.17
vpn-idle-timeout none
vpn-session-timeout none
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SplitTunnel
default-domain value something.com


tunnel-group CorpVPN general-attributes
address-pool CorpVPNpool
default-group-policy CorpVPN
tunnel-group CorpVPN ipsec-attributes
pre-shared-key

access-list SplitTunnel standard permit 192.168.168.0 255.255.255.0
access-list SplitTunnel standard permit host 202.1.56.19

packet-tracer input ouTSIDE-iDC tcp 10.15.160.18 22 202.1.56.19 22


Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         OUTSIDE-IDC

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group OUTSIDE-IN in interface OUTSIDE-IDC
access-list OUTSIDE-IN extended permit ip 10.15.160.0 255.255.255.0 any
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: CP-PUNT
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
input-interface: OUTSIDE-IDC
input-status: up
input-line-status: up
output-interface: OUTSIDE-IDC
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule


Accepted Solutions

Yudong Wu
Level 7

Basically, the traffic needs to make a U-turn at the ASA outside interface, if I understood your setup correctly.

You need the following to make it work.

- same-security-traffic permit intra-interface

- access-list Host202 permit ip 10.15.160.0 255.255.255.0 host 202.1.56.19

- nat (OUTSIDE-IDC) 1 access-list Host202

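As an added check (not code from the thread or from Cisco), here is a small Python script that parses the pre-8.3 ASA configuration lines shown above and reports which of the pieces needed for the VPN U-turn are missing: the intra-interface permit, a policy-NAT ACL and nat statement on the outside interface, and a global on that interface with the same NAT id. The sample config strings are constructed from the poster's config and the accepted answer; the regexes and the function name are my own assumptions about the syntax used in this thread.

```python
import re

# Constructed sample input: the relevant lines of the original poster's
# configuration before the fix.
BEFORE = """
access-list OUTSIDE-IN extended permit ip 10.15.160.0 255.255.255.0 any
access-group OUTSIDE-IN in interface OUTSIDE-IDC
nat (INSIDE) 1 10.15.160.0 255.255.255.0
global (OUTSIDE-IDC) 1 128.15.155.2
access-list SplitTunnel standard permit host 202.1.56.19
"""
# The three lines from the accepted answer; AFTER is the fixed configuration.
FIX = """
same-security-traffic permit intra-interface
access-list Host202 permit ip 10.15.160.0 255.255.255.0 host 202.1.56.19
nat (OUTSIDE-IDC) 1 access-list Host202
"""
AFTER = BEFORE + FIX

# Line patterns for the pre-8.3 ASA syntax used in the thread (assumed).
ACL_RE = re.compile(r"^access-list (\S+) (?:extended )?permit ip (\S+ \S+) host (\S+)$")
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) access-list (\S+)$")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) ")

def hairpin_gaps(cfg, outside_if, pool, host):
    """Return the pieces still missing for pool -> host traffic that must enter
    and leave on outside_if (the VPN U-turn). An empty list means the static
    checks pass; it does not replace a packet-tracer run on the box."""
    lines = [ln.strip() for ln in cfg.splitlines() if ln.strip()]
    gaps = []
    # 1. The ASA drops traffic that re-exits its ingress interface unless
    #    intra-interface traffic is explicitly permitted.
    if "same-security-traffic permit intra-interface" not in lines:
        gaps.append("same-security-traffic permit intra-interface")
    # 2. A policy-NAT ACL matching the VPN pool as source and the host as
    #    destination, referenced by a nat statement on the outside interface ...
    pool_to_host_acls = {m.group(1) for m in map(ACL_RE.match, lines)
                         if m and m.group(2) == pool and m.group(3) == host}
    nat_ids = {m.group(2) for m in map(NAT_RE.match, lines)
               if m and m.group(1) == outside_if and m.group(3) in pool_to_host_acls}
    if not nat_ids:
        gaps.append(f"nat ({outside_if}) <id> access-list <{pool} -> {host}>")
    # ... paired with a global on that same interface carrying the same NAT id.
    elif not any(m and m.group(1) == outside_if and m.group(2) in nat_ids
                 for m in map(GLOBAL_RE.match, lines)):
        gaps.append(f"global ({outside_if}) <id matching the policy NAT>")
    return gaps
```

Running it on BEFORE lists the intra-interface permit and the policy NAT as missing; on AFTER it returns an empty list because the existing global (OUTSIDE-IDC) 1 already pairs with the new nat id 1.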

2 Replies

Adding the NAT rule made it work.  Thanks very much.