Anyconnect ASA cannot access internal network or internet

gary_gray
Level 1

Hi All,

It has been a while since I worked with Cisco, so I am not that fresh with it. Setting up a new 5506 and the VPN, everything seemed to go OK, no errors. Users can connect but are unable to reach any internal resources or ping. Internal machines can ping the VPN client, however. I am guessing it is in the access list or NAT rules. Tried what was in other posts but no luck.

 

Internal network is 192.168.2.0, VPN address pool is 192.168.10.20-100

 

Here is the config

 

ftp mode passive
dns server-group DefaultDNS
domain-name 3ks.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_192.168.4.0_24
subnet 192.168.4.0 255.255.255.0
object network VCPrivate
host 192.168.2.196
object network VCPublic
host 74.81.133.227
object network NETWORK_OBJ_192.168.20.0_25
subnet 192.168.20.0 255.255.255.0
object network VPN
subnet 192.168.20.0 255.255.255.0
description VPN
object network NETWORK_OBJ_192.168.2.0_24
subnet 192.168.2.0 255.255.255.0
object network NETWORK_OBJ_192.168.20.0_25_0
subnet 192.168.20.0 255.255.255.128
object network NETWORK_OBJ_192.168.10.0_25
subnet 192.168.10.0 255.255.255.128
object-group service VCServices
service-object tcp destination eq h323
service-object tcp destination eq https
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group network DM_INLINE_NETWORK_1
network-object 192.168.2.0 255.255.255.0
network-object object VPN
access-list Inside3KS_access_in extended permit object-group VCServices object VCPrivate object VCPublic
access-list Inside3KS_access_in extended permit ip any any
access-list Inside3KS_access_in extended permit object-group TCPUDP 192.168.2.0 255.255.255.0 10.100.4.0 255.255.255.0
access-list Inside3KS_access_in extended permit icmp any any
access-list Inside3KS_access_in extended permit ip object VPN any
access-list outside_access_in extended permit object-group VCServices object VCPublic any
access-list outside_access_in remark VOIP access
access-list outside_access_in extended permit object-group TCPUDP any 192.168.2.0 255.255.255.0 eq sip
access-list outside_access_in extended permit ip object VPN any
access-list InsidePort3_access_in extended permit object-group TCPUDP 10.100.4.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list InsidePort3_access_in extended permit ip any any
access-list insidePort5_access_in extended permit object-group TCPUDP 192.168.2.0 255.255.255.0 10.100.4.0 255.255.255.0
access-list insidePort5_access_in extended permit ip any any
access-list InsidePort4_access_in extended permit object-group TCPUDP any any
access-list InsidePort4_access_in extended permit ip any any
access-list inside_access_in extended permit object-group TCPUDP 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_access_in extended permit ip any any
access-list global_access extended permit icmp any any
access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu InsidePort3 1500
mtu InsidePort4 1500
mtu insidePort5 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Inside3KS
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (InsidePort4,outside) source static any any destination static NETWORK_OBJ_192.168.4.0_24 NETWORK_OBJ_192.168.4.0_24 no-proxy-arp route-lookup
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.20.0_25 NETWORK_OBJ_192.168.20.0_25 no-proxy-arp route-lookup
nat (any,any) source static VPN VPN
!
object network obj_any
nat (any,outside) dynamic interface
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group InsidePort3_access_in in interface InsidePort3
access-group InsidePort4_access_in in interface InsidePort4
access-group insidePort5_access_in in interface insidePort5
access-group Inside3KS_access_in in interface Inside3KS
access-group global_access global
timeout xlate 3:00:00

 

Probably something easy that has been answered a hundred times, but I can't find it.

 

 

5 Replies

Francesco Molino
VIP Alumni

Hi

 

Let's start with AnyConnect and internal resources first, and then we'll adjust your config for internet access.

 

You said your AnyConnect pool is 192.168.10.0 and I don't see any NAT configuration (NAT exemption) for communication between inside and the AnyConnect pool. I just see a NAT for subnet 192.168.20.0.

 

Can you add this Nat statement and let us know?

For internet access, same thing, NAT isn't configured.

 

We don't have all the config, and I assume you're doing a full tunnel with AnyConnect and haven't configured any split tunnel?

 


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Thank you for the response. That is what I was guessing. Added NAT statements, or at least I think I did, for the 192.168.10.0 network, but it still is not working. Yes, I am not doing split tunneling at this point.

 

Going to have to really learn this Cisco stuff... been a long time since I worked on them. Thank you very much for your help.

 

 


!
ftp mode passive
dns server-group DefaultDNS
domain-name 3ks.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_192.168.4.0_24
subnet 192.168.4.0 255.255.255.0
object network VCPrivate
host 192.168.2.196
object network VCPublic
host 74.81.133.227
object network NETWORK_OBJ_192.168.20.0_25
subnet 192.168.20.0 255.255.255.0
object network VPN
subnet 192.168.20.0 255.255.255.0
description VPN
object network NETWORK_OBJ_192.168.2.0_24
subnet 192.168.2.0 255.255.255.0
object network NETWORK_OBJ_192.168.20.0_25_0
subnet 192.168.20.0 255.255.255.128
object network NETWORK_OBJ_192.168.10.0_25
subnet 192.168.10.0 255.255.255.128
object-group service VCServices
service-object tcp destination eq h323
service-object tcp destination eq https
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group network DM_INLINE_NETWORK_1
network-object 192.168.2.0 255.255.255.0
network-object object VPN
object-group network DM_INLINE_NETWORK_2
network-object object NETWORK_OBJ_192.168.10.0_25
network-object object NETWORK_OBJ_192.168.20.0_25
access-list Inside3KS_access_in extended permit object-group VCServices object VCPrivate object VCPublic
access-list Inside3KS_access_in extended permit ip any any
access-list Inside3KS_access_in extended permit object-group TCPUDP 192.168.2.0 255.255.255.0 10.100.4.0 255.255.255.0
access-list Inside3KS_access_in extended permit icmp any any
access-list Inside3KS_access_in extended permit ip object VPN any inactive
access-list outside_access_in extended permit object-group VCServices object VCPublic any
access-list outside_access_in remark VOIP access
access-list outside_access_in extended permit object-group TCPUDP any 192.168.2.0 255.255.255.0 eq sip
access-list outside_access_in extended permit ip object VPN any inactive
access-list outside_access_in remark VOIP access
access-list InsidePort3_access_in extended permit object-group TCPUDP 10.100.4.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list InsidePort3_access_in extended permit ip any any
access-list insidePort5_access_in extended permit object-group TCPUDP 192.168.2.0 255.255.255.0 10.100.4.0 255.255.255.0
access-list insidePort5_access_in extended permit ip any any
access-list InsidePort4_access_in extended permit object-group TCPUDP any any
access-list InsidePort4_access_in extended permit ip any any
access-list inside_access_in extended permit object-group TCPUDP 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_access_in extended permit ip any any
access-list global_access extended permit icmp any any
access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
access-list NONAT extended permit ip 192.168.2.0 255.255.255.0 192.168.10.0 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu InsidePort3 1500
mtu InsidePort4 1500
mtu insidePort5 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Inside3KS
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (any,any) source static VPN VPN
nat (inside,outside) source static any any destination static DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2 no-proxy-arp route-lookup
nat (InsidePort4,outside) source static any any destination static NETWORK_OBJ_192.168.4.0_24 NETWORK_OBJ_192.168.4.0_24 no-proxy-arp route-lookup
!
object network obj_any
nat (any,outside) dynamic interface
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group InsidePort3_access_in in interface InsidePort3
access-group InsidePort4_access_in in interface InsidePort4
access-group insidePort5_access_in in interface insidePort5
access-group Inside3KS_access_in in interface Inside3KS
access-group global_access global
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
aaa-server ThroneVPN protocol radius
aaa-server ThroneVPN (Inside3KS) host 192.168.2.1

Added these:

 

nat (inside,outside) source static Inside3ks Inside3ks destination static NETWORK_OBJ_192.168.10.0_25 NETWORK_OBJ_192.168.10.0_25 no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_192.168.10.0_25 NETWORK_OBJ_192.168.10.0_25 destination static Inside3ks Inside3ks no-proxy-arp route-lookup
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.10.0_25 NETWORK_OBJ_192.168.10.0_25 no-proxy-arp route-lookup

I don't know what this nat is for:

nat (inside,outside) source static any any destination static DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2 no-proxy-arp route-lookup

 

I don't see the group DM_INLINE_NETWORK_2 in your config.

 

The nat you need is :

nat (inside,outside) source static NETWORK_OBJ_192.168.2.0_24 NETWORK_OBJ_192.168.2.0_24 destination static NETWORK_OBJ_192.168.10.0_25 NETWORK_OBJ_192.168.10.0_25 no-proxy-arp route-lookup

 

I put inside because I don't have all your config. You need to replace inside with the name of the interface where 192.168.2.0/24 resides.

 

 


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
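As an added example (not code from the thread or from Cisco), the Python script below lints an ASA config for the two points raised in this answer: NAT rules that reference an object or object-group the config never defines, and whether an identity twice-NAT rule (the NAT exemption) exists on the right interface between the internal subnet and the AnyConnect pool. The config text is constructed from the lines posted above, and treating Inside3KS as the interface that owns 192.168.2.0/24 is an assumption; pass whatever nameif your ASA actually uses.

```python
"""Lint an ASA config for the AnyConnect NAT-exemption problem in this thread.
Added example, not from the thread or from Cisco. The config text is constructed
from the posted lines; Inside3KS as the owner of 192.168.2.0/24 is an assumption."""
import ipaddress
import re

ANY = ipaddress.ip_network("0.0.0.0/0")  # the ASA keyword "any"
OBJECT_RE = re.compile(r"^(object network|object-group network) (\S+)$")
NAT_RE = re.compile(
    r"^nat \((?P<src_if>[^,]+),(?P<dst_if>[^)]+)\) source static (?P<rs>\S+) (?P<ms>\S+)"
    r"(?: destination static (?P<rd>\S+) (?P<md>\S+))?"
)

# Constructed "before" config: objects from the post, with the DM_INLINE_NETWORK_2
# group deliberately left undefined, as the answer above describes it.
CONFIG_BEFORE = """\
object network NETWORK_OBJ_192.168.2.0_24
subnet 192.168.2.0 255.255.255.0
object network NETWORK_OBJ_192.168.10.0_25
subnet 192.168.10.0 255.255.255.128
object network NETWORK_OBJ_192.168.20.0_25
subnet 192.168.20.0 255.255.255.0
object network VPN
subnet 192.168.20.0 255.255.255.0
nat (any,any) source static VPN VPN
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.20.0_25 NETWORK_OBJ_192.168.20.0_25 no-proxy-arp route-lookup
nat (inside,outside) source static any any destination static DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2 no-proxy-arp route-lookup
"""
# The exemption from the accepted answer, with the assumed interface name filled in.
FIX = (
    "nat (Inside3KS,outside) source static NETWORK_OBJ_192.168.2.0_24 NETWORK_OBJ_192.168.2.0_24 "
    "destination static NETWORK_OBJ_192.168.10.0_25 NETWORK_OBJ_192.168.10.0_25 no-proxy-arp route-lookup\n"
)
CONFIG_AFTER = CONFIG_BEFORE + FIX


def parse_objects(config):
    """Map each object / object-group name to its members: networks or ('ref', name)."""
    objects, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = OBJECT_RE.match(line)
        if m:
            current = m.group(2)
            objects.setdefault(current, [])
        elif current is None:
            continue
        elif line.startswith("network-object object "):
            objects[current].append(("ref", line.split()[2]))
        elif line.startswith(("subnet ", "network-object ")):
            _, net, mask = line.split()[:3]
            objects[current].append(ipaddress.ip_network(f"{net}/{mask}"))
        elif line.startswith("host "):
            objects[current].append(ipaddress.ip_network(line.split()[1]))
    return objects


def resolve(objects, name):
    """Flatten a name to its networks; None if the config never defines it."""
    if name == "any":
        return [ANY]
    if name not in objects:
        return None
    nets = []
    for member in objects[name]:
        if isinstance(member, tuple):  # nested object reference inside a group
            sub = resolve(objects, member[1])
            if sub is None:
                return None
            nets.extend(sub)
        else:
            nets.append(member)
    return nets


def covers(nets, target):
    return any(target.subnet_of(n) for n in nets)


def check_exemption(config, inside_ifname, inside_net, pool_net):
    """Return (undefined_names, exemption_found) for inside_net <-> pool_net.
    The exemption is a twice-NAT rule whose mapped objects equal its real objects
    (identity NAT), applied on the interface that owns inside_net (or "any"),
    whose source covers inside_net and whose destination covers pool_net."""
    objects = parse_objects(config)
    inside_net, pool_net = ipaddress.ip_network(inside_net), ipaddress.ip_network(pool_net)
    undefined, found = set(), False
    for raw in config.splitlines():
        m = NAT_RE.match(raw.strip())
        if not m:
            continue
        r = m.groupdict()
        names = [n for n in (r["rs"], r["ms"], r["rd"], r["md"]) if n]
        missing = [n for n in names if resolve(objects, n) is None]
        if missing:  # rule can never match what the author intended
            undefined.update(missing)
            continue
        identity = r["rs"] == r["ms"] and r["rd"] == r["md"]
        right_interface = r["src_if"] in ("any", inside_ifname)
        if (identity and right_interface and r["rd"]
                and covers(resolve(objects, r["rs"]), inside_net)
                and covers(resolve(objects, r["rd"]), pool_net)):
            found = True
    return sorted(undefined), found


if __name__ == "__main__":
    for label, cfg in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        print(label, check_exemption(cfg, "Inside3KS", "192.168.2.0/24", "192.168.10.0/25"))
```

On the constructed "before" config the script reports the undefined DM_INLINE_NETWORK_2 reference and no exemption for 192.168.2.0/24 to 192.168.10.0/25; after appending the rule from this answer it reports the exemption found. Running the "after" check with "inside" as the interface name still reports no exemption, which is the interface-name mistake the thread ends on: an identity NAT bound to an interface that does not own the subnet never matches the traffic.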

Thanks for the help. Had the entries in the latest config but I was trying to use the BVI interface rather than a physical one.