cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
383
Views
0
Helpful
13
Replies
Highlighted

Annyconnect Profile full tunnel without Internet

Hello Team, 

 

Requesting help on an issue I have been facing while creating a new VPN profile full tunnel; we have a production FW Cisco ASA running under  Version 9.10(1)42

On that FW we have already a couple of Profiles with split tunnelling working completely fine, users can reach internal resources and public internet through each user internet breackout.

I need to configure a new Profile full tunnel so those users can go to the internet with the FW public source address, I have applied below config but the Internet is not working while connected on that profile

 

group-policy GroupPolicy_NSPT internal
group-policy GroupPolicy_NSPT attributes
wins-server none
dns-server value x.x.x.x
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelall
webvpn
anyconnect profiles value NSPT type user

   

tunnel-group NSPT type remote-access
tunnel-group NSPT general-attributes
address-pool DHCP_VPN_POOL
address-pool DHCP_VPN_POOL_2
authentication-server-group EESGR_LDAP
default-group-policy GroupPolicy_NSPT
tunnel-group NSPT webvpn-attributes
group-alias nspt enable
group-url https://

 

nat (WAN,WAN) source dynamic DM_INLINE_NETWORK_103 interface

object-group network DM_INLINE_NETWORK_103
network-object object VPN_POOL
network-object object VPN_POOL_2

 

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

 

While connected on that new profile we can reach internal resources but we can not reach the Internet (any public URL) 

 

Really appreciate your help

 

Thanks in advance and best regards, 

13 REPLIES 13
Highlighted
VIP Expert

You want to use VPN full tunnel for the remote access using your HQ Internet connection.

 

you need to have NAT in place for that Pool

 

post full NAT and IP address information to understand the issue correctly.

 



BB


*** Rate All Helpful Responses ***

Highlighted

Hello Balaji,

 

This is the NAT I'm having in place. 

 

nat (WAN,WAN) source dynamic DM_INLINE_NETWORK_103 interface

object-group network DM_INLINE_NETWORK_103
network-object object VPN_POOL
network-object object VPN_POOL_2

 

VPN_POOL = 

object network VPN_POOL
subnet 10.100.146.0 255.255.254.0

 

VPN_POOL_2 = 

object network VPN_POOL_2
subnet 10.100.148.0 255.255.255.0

Highlighted

Has someone faced this kind of issue before? 

Is there any way to debug this in the FW to see what's missing? 

 

If someone can provide support it will be really appreciated

 

Thanks

Highlighted

thanks for the information, can you check the Logs and packet tracer where it was blocked and what is not allowing, as per the policy you made some arrangements, but it was not clear how that was tagged in the rules.

 

so can we get more information, please

 



BB


*** Rate All Helpful Responses ***

Highlighted
VIP Mentor

Hi @Unit4_cognizant 

Please can you run packet-tracer from the CLI and provide the output. Also provide the output of "show nat detail"

Do you have an outbound ACL that could be blocking the traffic?

Highlighted

Hello Rob,

 

Here is the packet-tracer output

 

---------------------------------------------------------------------------------------

NLSL-ASA01/act/sec# packet-tracer input WAN tcp 10.100.146.5 4152 142.250.184.$

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 217.166.205.97 using egress ifc WAN

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group WAN_access_in in interface WAN
access-list WAN_access_in extended permit ip object-group DM_INLINE_NETWORK_101 any
object-group network DM_INLINE_NETWORK_101
network-object object VPN_POOL
network-object object VPN_POOL_2
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fb9e61647b0, priority=13, domain=permit, deny=false
hits=0, user_data=0x7fb9d8cbf240, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=10.100.146.0, mask=255.255.254.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=WAN, output_ifc=any

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (WAN,WAN) source dynamic DM_INLINE_NETWORK_102 interface
Additional Information:
Dynamic translate 10.100.146.5/4152 to 217.166.205.100/4152
Forward Flow based lookup yields rule:
in id=0x7fb9e7277780, priority=6, domain=nat, deny=false
hits=16544, user_data=0x7fb9ebb77750, cs_id=0x0, flags=0x0, protocol=0
src ip/id=10.100.146.0, mask=255.255.254.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=WAN, output_ifc=WAN

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fb9e410bc00, priority=1, domain=nat-per-session, deny=true
hits=471721639, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fb9e4180780, priority=0, domain=inspect-ip-options, deny=true
hits=695869193, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=WAN, output_ifc=any

Phase: 6
Type: CP-PUNT
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fb9fa4f3c90, priority=89, domain=punt, deny=true
hits=9073, user_data=0x7fb9e26591a0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=10.100.146.5, mask=255.255.255.255, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=WAN, output_ifc=any

Phase: 7
Type: WEBVPN-SVC
Subtype: in
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fb9f3e0b730, priority=71, domain=svc-ib-tunnel-flow, deny=false
hits=10162, user_data=0xab9a000, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=10.100.146.5, mask=255.255.255.255, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=WAN, output_ifc=any

Result:
input-interface: WAN
input-status: up
input-line-status: up
output-interface: WAN
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

---------------------------------------------------------------------------------------

 

Looks like the traffic is been dropped because a missing ACL to alow it, but I have below ACL configured 

 

access-list WAN_access_in extended permit ip object-group DM_INLINE_NETWORK_101 any

 

object-group network DM_INLINE_NETWORK_101
network-object object VPN_POOL
network-object object VPN_POOL_2

 

Basically, I'm allowing everything coming from WAN to any. 

 

Do you think the ACL is wrong configured? 

 

Best regards, 

Highlighted

@Unit4_cognizant 

I believe you see that WEBVPN-SVC drop when the IP address is already allocated to a RAVPN user. Was the IP address - 10.100.146.5 in use when you run packet-tracer? Can you run it again from a source IP address that is not in use please.

Highlighted

You are right, sorry about it, by the time  ran the packet-tracer that Ip was already in use by a user. 

 

Here you can see the new packet-tracer result with a free source IP 

 

----------------------------------------------------------------------------------------

NLSL-ASA01/act/sec# packet-tracer input WAN tcp 10.100.146.10 4152 142.250.184$

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 217.166.205.97 using egress ifc WAN

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group WAN_access_in in interface WAN
access-list WAN_access_in extended permit ip object-group DM_INLINE_NETWORK_101 any
object-group network DM_INLINE_NETWORK_101
network-object object VPN_POOL
network-object object VPN_POOL_2
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fb9e61647b0, priority=13, domain=permit, deny=false
hits=2, user_data=0x7fb9d8cbf240, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=10.100.146.0, mask=255.255.254.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=WAN, output_ifc=any

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (WAN,WAN) source dynamic DM_INLINE_NETWORK_102 interface
Additional Information:
Dynamic translate 10.100.146.10/4152 to 217.166.205.100/4152
Forward Flow based lookup yields rule:
in id=0x7fb9e7277780, priority=6, domain=nat, deny=false
hits=17074, user_data=0x7fb9ebb77750, cs_id=0x0, flags=0x0, protocol=0
src ip/id=10.100.146.0, mask=255.255.254.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=WAN, output_ifc=WAN

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fb9e410bc00, priority=1, domain=nat-per-session, deny=true
hits=472047265, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fb9e4180780, priority=0, domain=inspect-ip-options, deny=true
hits=696480564, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=WAN, output_ifc=any

Phase: 6
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fb9e4174570, priority=20, domain=lu, deny=false
hits=134420672, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=WAN, output_ifc=any

Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fb9e62e67d0, priority=13, domain=ipsec-tunnel-flow, deny=true
hits=464027652, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=WAN, output_ifc=any

Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (WAN,WAN) source dynamic DM_INLINE_NETWORK_102 interface
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7fb9e6b61570, priority=6, domain=nat-reverse, deny=false
hits=2, user_data=0x7fb9ea5a39f0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=10.100.146.0, mask=255.255.254.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=WAN, output_ifc=WAN

Phase: 9
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7fb9e410bc00, priority=1, domain=nat-per-session, deny=true
hits=472047267, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7fb9e4180780, priority=0, domain=inspect-ip-options, deny=true
hits=696480566, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=WAN, output_ifc=any

Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 911066388, packet dispatched to next module
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Module information for reverse flow ...
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Phase: 12
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 217.166.205.97 using egress ifc WAN

Phase: 13
Type: ADJACENCY-LOOKUP
Subtype: next-hop and adjacency
Result: ALLOW
Config:
Additional Information:
adjacency Active
next-hop mac address 2c4f.525f.9bd0 hits 348 reference 4407

Result:
input-interface: WAN
input-status: up
input-line-status: up
output-interface: WAN
output-status: up
output-line-status: up
Action: allow

----------------------------------------------------------------------------------------

 

Everything is looking fine, however, while connected that VPN profile Internet access gets completely lost 

 

Bets Regards, 

Highlighted

Can you take 2 packet captures (inbound and outbound) and provide the pcaps for review.

 

I've never previously configured hairpin nat for RAVPN using the syntax you've used. Here is an example that I know works (NAT is configured under the object, not global) perhaps try this and see if it makes a difference.

 

object network VPN_POOL
subnet 10.100.146.0 255.255.254.0
nat (WAN,WAN) dynamic interface

object network VPN_POOL_2
subnet 10.100.148.0 255.255.255.0
nat (WAN,WAN) dynamic interface

Also remove your existing rule whilst testing to ensure the above rules are matched.

 

no nat (WAN,WAN) source dynamic DM_INLINE_NETWORK_103 interface

 

Highlighted

Hello Rob, 

 

Thanks so much for your support, i have modify this VPN profile as per below 

 

-------------------------------------------------------------------------------------- 

group-policy GroupPolicy_NSPT internal
group-policy GroupPolicy_NSPT attributes
wins-server none
dns-server value 10.100.2.5 10.100.2.2
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelall
webvpn
anyconnect profiles value NSPT type user

 

tunnel-group NSPT type remote-access
tunnel-group NSPT general-attributes
address-pool DHCP_VPN_NSPT_POOL
authentication-server-group EESGR_LDAP
default-group-policy GroupPolicy_NSPT
tunnel-group NSPT webvpn-attributes
group-alias nspt enable
group-url https://anyconnectnlsl.unit4.com/nspt enable


ip local pool DHCP_VPN_NSPT_POOL 10.100.150.10-10.100.150.254 mask 255.255.255.0

 

object network VPN_NSPT_POOL
subnet 10.100.150.0 255.255.255.0
nat (WAN,WAN) dynamic interface

 

access-list WAN_access_in extended permit ip object 10.100.150.0 any

--------------------------------------------------------------------------------------

However while connected I'm still losing Internet connection and now internal connection is lost 

 

-------------------------------------------------------------------------------------- 

Packet-tracer to public IP

 

NLSL-ASA01/act/sec# packet-tracer input WAN icmp 10.100.150.15 8 0 10.100.6.50$

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.100.6.50 using egress ifc LAN

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (LAN,WAN) source static Corplan8 Corplan8 destination static Corplan8 Corplan8 no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface LAN
Untranslate 10.100.6.50/0 to 10.100.6.50/0

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group WAN_access_in in interface WAN
access-list WAN_access_in extended permit ip object 10.100.150.0 any
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fb9e98a0890, priority=13, domain=permit, deny=false
hits=4, user_data=0x7fb9d8cbf3c0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=10.100.150.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=WAN, output_ifc=any

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (LAN,WAN) source static Corplan8 Corplan8 destination static Corplan8 Corplan8 no-proxy-arp route-lookup
Additional Information:
Static translate 10.100.150.15/0 to 10.100.150.15/0
Forward Flow based lookup yields rule:
in id=0x7fb9e42d9d50, priority=6, domain=nat, deny=false
hits=383413920, user_data=0x7fb9ea4319a0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=10.0.0.0, mask=255.0.0.0, port=0, tag=any
dst ip/id=10.0.0.0, mask=255.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=WAN, output_ifc=LAN

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fb9e2a68980, priority=0, domain=nat-per-session, deny=true
hits=740534783, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fb9e4180780, priority=0, domain=inspect-ip-options, deny=true
hits=697423279, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=WAN, output_ifc=any

Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fb9e9a56a20, priority=70, domain=inspect-icmp, deny=false
hits=18416580, user_data=0x7fb9e9a56e10, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
input_ifc=WAN, output_ifc=any

Phase: 8
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fb9e7ebca70, priority=70, domain=inspect-icmp-error, deny=false
hits=18416580, user_data=0x7fb9ea5ca6a0, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
input_ifc=WAN, output_ifc=any

Phase: 9
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fb9e62e67d0, priority=13, domain=ipsec-tunnel-flow, deny=true
hits=464585761, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=WAN, output_ifc=any

Phase: 10
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (LAN,WAN) source static Corplan8 Corplan8 destination static Corplan8 Corplan8 no-proxy-arp route-lookup
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7fb9e42d9900, priority=6, domain=nat-reverse, deny=false
hits=380684215, user_data=0x7fb9ea431e20, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=10.0.0.0, mask=255.0.0.0, port=0, tag=any
dst ip/id=10.0.0.0, mask=255.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=WAN, output_ifc=LAN

Phase: 11
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7fb9e2a68980, priority=0, domain=nat-per-session, deny=true
hits=740534785, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 12
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7fb9e4138f30, priority=0, domain=inspect-ip-options, deny=true
hits=615856513, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=LAN, output_ifc=any

Phase: 13
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 912005386, packet dispatched to next module
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Module information for reverse flow ...
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_inspect_icmp
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Phase: 14
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.100.6.50 using egress ifc LAN

Phase: 15
Type: ADJACENCY-LOOKUP
Subtype: next-hop and adjacency
Result: ALLOW
Config:
Additional Information:
adjacency Active
next-hop mac address 842b.2be4.5ae1 hits 22 reference 1

Result:
input-interface: WAN
input-status: up
input-line-status: up
output-interface: LAN
output-status: up
output-line-status: up
Action: allow

NLSL-ASA01/act/sec#
NLSL-ASA01/act/sec#
NLSL-ASA01/act/sec# packet-tracer input WAN tcp 10.100.150.15 4356 142.250.184$

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 217.166.205.97 using egress ifc WAN

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group WAN_access_in in interface WAN
access-list WAN_access_in extended permit ip object 10.100.150.0 any
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fb9e98a0890, priority=13, domain=permit, deny=false
hits=5, user_data=0x7fb9d8cbf3c0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=10.100.150.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=WAN, output_ifc=any

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
object network VPN_NSPT_POOL
nat (WAN,WAN) dynamic interface
Additional Information:
Dynamic translate 10.100.150.15/4356 to 217.166.205.100/4356
Forward Flow based lookup yields rule:
in id=0x7fb9e6ee7250, priority=6, domain=nat, deny=false
hits=195, user_data=0x7fb9e67edbc0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=10.100.150.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=WAN, output_ifc=WAN

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fb9e410bc00, priority=1, domain=nat-per-session, deny=true
hits=472511885, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fb9e4180780, priority=0, domain=inspect-ip-options, deny=true
hits=697470400, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=WAN, output_ifc=any

Phase: 6
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fb9e4174570, priority=20, domain=lu, deny=false
hits=134537774, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=WAN, output_ifc=any

Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fb9e62e67d0, priority=13, domain=ipsec-tunnel-flow, deny=true
hits=464615711, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=WAN, output_ifc=any

Phase: 8
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7fb9e410bc00, priority=1, domain=nat-per-session, deny=true
hits=472511887, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7fb9e4180780, priority=0, domain=inspect-ip-options, deny=true
hits=697470402, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=WAN, output_ifc=any

Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 912052468, packet dispatched to next module
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Module information for reverse flow ...
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Phase: 11
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 217.166.205.97 using egress ifc WAN

Phase: 12
Type: ADJACENCY-LOOKUP
Subtype: next-hop and adjacency
Result: ALLOW
Config:
Additional Information:
adjacency Active
next-hop mac address 2c4f.525f.9bd0 hits 14139 reference 4359

Result:
input-interface: WAN
input-status: up
input-line-status: up
output-interface: WAN
output-status: up
output-line-status: up
Action: allow

-------------------------------------------------------------------------------------- 

 

Packet-tracer to internal IP 

 

NLSL-ASA01/act/sec# packet-tracer input WAN tcp 10.100.150.15 4356 10.100.6.50$

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.100.6.50 using egress ifc LAN

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (LAN,WAN) source static Corplan8 Corplan8 destination static Corplan8 Corplan8 no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface LAN
Untranslate 10.100.6.50/22 to 10.100.6.50/22

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group WAN_access_in in interface WAN
access-list WAN_access_in extended permit ip object 10.100.150.0 any
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fb9e98a0890, priority=13, domain=permit, deny=false
hits=6, user_data=0x7fb9d8cbf3c0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=10.100.150.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=WAN, output_ifc=any

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (LAN,WAN) source static Corplan8 Corplan8 destination static Corplan8 Corplan8 no-proxy-arp route-lookup
Additional Information:
Static translate 10.100.150.15/4356 to 10.100.150.15/4356
Forward Flow based lookup yields rule:
in id=0x7fb9e42d9d50, priority=6, domain=nat, deny=false
hits=383446162, user_data=0x7fb9ea4319a0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=10.0.0.0, mask=255.0.0.0, port=0, tag=any
dst ip/id=10.0.0.0, mask=255.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=WAN, output_ifc=LAN

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fb9e410bc00, priority=1, domain=nat-per-session, deny=true
hits=472514393, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fb9e4180780, priority=0, domain=inspect-ip-options, deny=true
hits=697478543, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=WAN, output_ifc=any

Phase: 7
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fb9e4174570, priority=20, domain=lu, deny=false
hits=134538632, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=WAN, output_ifc=any

Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fb9e62e67d0, priority=13, domain=ipsec-tunnel-flow, deny=true
hits=464620829, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=WAN, output_ifc=any

Phase: 9
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (LAN,WAN) source static Corplan8 Corplan8 destination static Corplan8 Corplan8 no-proxy-arp route-lookup
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7fb9e42d9900, priority=6, domain=nat-reverse, deny=false
hits=380716155, user_data=0x7fb9ea431e20, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=10.0.0.0, mask=255.0.0.0, port=0, tag=any
dst ip/id=10.0.0.0, mask=255.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=WAN, output_ifc=LAN

Phase: 10
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7fb9e410bc00, priority=1, domain=nat-per-session, deny=true
hits=472514395, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 11
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7fb9e4138f30, priority=0, domain=inspect-ip-options, deny=true
hits=615900144, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=LAN, output_ifc=any

Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 912060583, packet dispatched to next module
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Module information for reverse flow ...
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Phase: 13
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.100.6.50 using egress ifc LAN

Phase: 14
Type: ADJACENCY-LOOKUP
Subtype: next-hop and adjacency
Result: ALLOW
Config:
Additional Information:
adjacency Active
next-hop mac address 842b.2be4.5ae1 hits 15 reference 1

Result:
input-interface: WAN
input-status: up
input-line-status: up
output-interface: LAN
output-status: up
output-line-status: up
Action: allow

-------------------------------------------------------------------------------------- 

 

Any idea what could be failing? I guess I'm missing something in the config, but packet-tracer is showing good  

 

Thanks, 

 

Highlighted

Well it looks you have a NAT exemption rules in place, so LAN to WAN traffic should not be natted.

 

When you say "still losing Internet connection" does that mean it sometimes works?

 

Do you have a hosted based firewall that could be blocking access to the internet?

 

Provide your configuration in a text file, provide the output of "show nat detail" and provide the pcaps asked for previously - this will help identify where the issue lies.

Highlighted
Rising star

...

Highlighted
Rising star

it is to complicate to explain with any connect version and OS 
but you can do one step to solve this issue 

split-tunnel-all-dns enable 

 

if this work please mention as this issue is solved.
good luck friend

Content for Community-Ad