
Anyconnect can only access some IP within a block

Albert Wong

I have strange behaviour when connecting over AnyConnect to the ASA. I can access some of the Cisco equipment on the network, like the core switch on 10.2.15.254.

I particularly can't see the 10.1.1.0 network...

Any hints would be most welcome; I'm bound to have done something silly.

ASA Version 8.6(1)2
!
hostname myasa01
domain-name company.internal
enable password  encrypted
passwd  encrypted
names
name 10.2.0.0 Data_Net
name 10.0.0.0 Voice_Net
name 10.1.1.58 jab.my-domain.com
!
interface GigabitEthernet0/0
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/0.30
 vlan 30
 nameif server
 security-level 100
 ip address 10.1.1.1 255.255.255.128
!
interface GigabitEthernet0/0.40
 vlan 40
 nameif manageNet
 security-level 100
 ip address 10.1.4.1 255.255.255.0
!
interface GigabitEthernet0/0.50
 description DMZ VLAN
 vlan 50
 nameif DMZ
 security-level 90
 ip address 10.1.1.254 255.255.255.128
!
interface GigabitEthernet0/0.100
 vlan 100
 nameif data
 security-level 100
 ip address 10.2.0.1 255.255.240.0
!
interface GigabitEthernet0/0.101
 vlan 101
 nameif voice
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface GigabitEthernet0/0.108
 vlan 108
 nameif guestwifi
 security-level 80
 ip address 172.31.0.1 255.255.255.0
!
interface GigabitEthernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4.88
 description Public VLAN 88  2.2.2.0/28 to HKBN Router
 vlan 88
 nameif outside1
 security-level 0
 ip address 2.2.2.2 255.255.255.240
!
interface GigabitEthernet0/5
 description To HGC Broadband
 nameif outside2
 security-level 0
 ip address 3.3.3.3 255.255.255.240
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 no ip address
 management-only
!
boot system disk0:/asa861-2-smp-k8.bin
ftp mode passive
clock timezone HKST 8
dns domain-lookup server
dns server-group DefaultDNS
 name-server 10.1.1.15
 name-server 10.1.1.10
 domain-name company.internal
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network DMZ
 subnet 2.2.2.0 255.255.255.240
object network data
 subnet 10.2.0.0 255.255.240.0
object network server
 subnet 10.1.1.0 255.255.255.128
object network voice
 subnet 10.0.0.0 255.255.255.0
object network VPN_user
 subnet 10.68.1.0 255.255.255.0
object network web_server
 host 10.1.1.19
object network web_server_outside
 host 2.2.2.3
object service http
 service tcp source eq www destination eq www
object network mail_server
 host 10.1.1.129
object service ssh
 service tcp source eq ssh destination eq ssh
object service smtp
 service tcp source eq smtp destination eq smtp
object service pop
 service tcp source eq pop3 destination eq pop3
object service https
 service tcp source eq https destination eq https
object service port465
 service tcp source eq 465 destination eq 465
object service port587
 service tcp source eq 587 destination eq 587
object service port993
 service tcp source eq 993 destination eq 993
object network jabber_server
 host 10.1.1.58
object network jabber_server_outside
 host 2.2.2.4
object network mail_server_outside
 host 2.2.2.5
object network vcse_server
 host 10.1.1.193
object network vcse_server_outside
 host 2.2.2.6
object network external_ip
 host 2.2.2.7
object network NETWORK_OBJ_10.2.16.0_24
 subnet 10.2.16.0 255.255.255.0
object-group service jabber
access-list split-tunnel standard permit 10.1.1.0 255.255.255.128
access-list split-tunnel standard permit 10.2.0.0 255.255.240.0
access-list 100 extended permit tcp 10.0.0.0 255.255.255.0 host 10.1.1.58 eq 2000
access-list outside_access_in extended permit tcp any object web_server eq www
access-list outside_access_in extended permit tcp any object mail_server eq www
access-list outside_access_in extended permit tcp any object mail_server eq ssh
access-list outside_access_in extended permit tcp any object mail_server eq smtp
access-list outside_access_in extended permit tcp any object mail_server eq pop3
access-list outside_access_in extended permit tcp any object mail_server eq https
access-list outside_access_in extended permit tcp any object mail_server eq 465
access-list outside_access_in extended permit tcp any object mail_server eq 587
access-list outside_access_in extended permit tcp any object mail_server eq 993
access-list outside_access_in extended permit udp any object jabber_server range 16384 32766
access-list outside_access_in extended permit tcp any object mail_server eq imap4
access-list outside_access_in extended permit tcp any object jabber_server eq www
access-list outside_access_in extended permit icmp any object jabber_server echo-reply
access-list outside_access_in extended permit icmp any object jabber_server time-exceeded
access-list outside_access_in extended permit udp any object jabber_server eq tftp
access-list outside_access_in extended permit tcp any object jabber_server eq sip
access-list outside_access_in extended permit tcp any object jabber_server eq ctiqbe
access-list outside_access_in extended permit tcp any object jabber_server eq ldap
access-list outside_access_in extended permit tcp any object jabber_server eq ldaps
access-list outside_access_in extended permit tcp any object jabber_server eq 3268
access-list outside_access_in extended permit tcp any object jabber_server eq 3269
access-list outside_access_in extended permit tcp any object jabber_server eq imap4
access-list outside_access_in extended permit tcp any object jabber_server eq 7993
access-list outside_access_in extended permit tcp any object jabber_server eq 8080
access-list outside_access_in extended permit tcp any object web_server eq https
access-list outside_access_in extended permit tcp any object jabber_server range 2000 2050
access-list outside_access_in extended permit icmp any object jabber_server unreachable
access-list outside_access_in extended permit ip any object jabber_server
access-list outside_access_in extended permit tcp any object web_server eq imap4
access-list outside_access_in extended permit tcp any object web_server eq 144
access-list outside_access_in extended permit tcp any object web_server eq 5800
access-list internal_access_out extended permit ip any any
access-list internal_access_out extended permit udp any any
access-list internal_access_out extended permit tcp any any
access-list internal_access_out extended permit icmp any any
pager lines 24
logging enable
logging buffer-size 512000
logging buffered informational
logging asdm informational
mtu server 1500
mtu manageNet 1500
mtu DMZ 1500
mtu data 1500
mtu voice 1500
mtu guestwifi 1500
mtu outside1 1500
mtu outside2 1500
mtu management 1500
ip local pool vpn_ip 10.2.16.0-10.2.16.250 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-66114.bin
no asdm history enable
arp timeout 14400
nat (data,outside2) source dynamic any interface
nat (server,outside2) source dynamic any interface
nat (DMZ,outside2) source dynamic any interface
nat (server,outside1) source dynamic any interface
nat (DMZ,outside1) source dynamic any interface
nat (guestwifi,outside1) source dynamic any interface
nat (data,outside1) source dynamic any interface
nat (data,outside1) source static any any destination static NETWORK_OBJ_10.2.16.0_24 NETWORK_OBJ_10.2.16.0_24 no-proxy-arp route-lookup
!
object network web_server
 nat (server,outside1) static web_server_outside
object network mail_server
 nat (DMZ,outside1) static mail_server_outside
object network jabber_server
 nat (server,outside1) static jabber_server_outside
object network vcse_server
 nat (DMZ,outside1) static vcse_server_outside
access-group internal_access_out out interface server
access-group internal_access_out out interface DMZ
access-group internal_access_out out interface data
access-group outside_access_in in interface outside1
access-group outside_access_in in interface outside2
route outside1 0.0.0.0 0.0.0.0 2.2.2.9 1 track 1
route outside2 0.0.0.0 0.0.0.0 3.3.3.4 254
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http Data_Net 255.255.240.0 data
http 10.1.1.0 255.255.255.128 server
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=myasa01
 proxy-ldc-issuer
 crl configure
crypto ca certificate chain ASDM_TrustPoint0
 certificate 1c514351
    : SNIP SNIP!
    6f420613 87069234 595bb589 4d6dc051 1042dea0 94c2
  quit
!
track 1 rtr 123 reachability
telnet Data_Net 255.255.240.0 data
telnet timeout 60
ssh 10.1.1.0 255.255.255.128 server
ssh Data_Net 255.255.240.0 data
ssh timeout 5
console timeout 0
management-access data
threat-detection basic-threat
threat-detection statistics host number-of-rate 2
threat-detection statistics port number-of-rate 2
threat-detection statistics protocol number-of-rate 2
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 10.2.15.254
ssl encryption 3des-sha1 aes256-sha1 rc4-md5 rc4-sha1
ssl trust-point ASDM_TrustPoint0 outside1
webvpn
 enable outside1
 anyconnect-essentials
 anyconnect image disk0:/anyconnect-macosx-i386-3.1.02026-k9.pkg 1
 anyconnect image disk0:/anyconnect-win-3.1.02026-k9.pkg 2
 anyconnect enable
 tunnel-group-list enable
group-policy DfltGrpPolicy attributes
 dns-server value 10.1.1.15 10.1.1.13
 vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
 default-domain value company.internal
group-policy "GroupPolicy_company HK" internal
group-policy "GroupPolicy_company HK" attributes
 wins-server none
 dns-server value 10.1.1.15 10.1.1.10
 vpn-tunnel-protocol ssl-client
 default-domain value company.internal
username frances attributes
 vpn-group-policy GroupPolicy_MH2
 service-type admin
username admin password boooooooooooooo  encrypted privilege 1

All user account names have been deleted from this post.

:
tunnel-group MH2 type remote-access
tunnel-group MH1 type remote-access
tunnel-group "company" type remote-access
tunnel-group "company" general-attributes
 address-pool vpn_ip
 default-group-policy "GroupPolicy_company"
tunnel-group "company" webvpn-attributes
 group-alias "company" enable
!
class-map mgcp_port
 match access-list 100
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map type inspect mgcp voip
 parameters
  call-agent 10.1.1.57 1
  call-agent jab.my-domain.com 2
  gateway 10.0.0.2 1
  command-queue 150
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect mgcp
  inspect icmp
 class class-default
  user-statistics accounting
policy-map inbound_policy
 class mgcp_port
  inspect mgcp voip
!
service-policy global_policy global
service-policy inbound_policy interface server
service-policy inbound_policy interface voice
prompt hostname context
no call-home reporting anonymous
: end

Accepted Solution

Hi Albert,

Try this out:

nat (server,outside1) 1 source static any any destination static NETWORK_OBJ_10.2.16.0_24 NETWORK_OBJ_10.2.16.0_24 no-proxy-arp route-lookup

Let me know how it goes.

HTH.

Portu.


3 Replies


That fixed it right off the bat... Why was that necessary...?

Hi,

You have configured the majority of your NAT rules in Section 1 of the NAT:

nat (data,outside2) source dynamic any interface

nat (server,outside2) source dynamic any interface

nat (DMZ,outside2) source dynamic any interface

nat (server,outside1) source dynamic any interface (This command was previously probably causing problems)

nat (DMZ,outside1) source dynamic any interface

nat (guestwifi,outside1) source dynamic any interface

nat (data,outside1) source dynamic any interface

What Javier suggested was to create the NAT rule at the very top of the NAT rules. Notice the number "1" which defines the order number for the NAT rule. This makes sure that the NAT for the VPN is always checked first instead of the long list of Dynamic NATs.

- Jouni
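To make the ordering point in Jouni's reply concrete, here is a small added model of how ASA Section 1 (manual NAT) is evaluated: top-down, first match wins, and the optional line number in `nat (a,b) [line] ...` decides where a new rule lands. This is example code written for this page, not Cisco's implementation and not something either poster wrote. It loads the seven dynamic PAT rules quoted above and then adds the suggested exemption for the `server` interface, once appended without a line number and once at position 1. The host addresses 10.1.1.19 and 10.2.16.5 are constructed test values (the first is the web server from the posted config, the second is an address from the vpn_ip pool). The model is deliberately simplified: it treats the interface pair as unordered and ignores flow direction and connection state, so it captures only the ordering behaviour the reply describes, not the full ASA NAT engine.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class NatRule:
    """A Section 1 (manual, 'twice') NAT rule reduced to what decides a match.

    action is 'dynamic-pat' for 'source dynamic any interface' and 'identity'
    for 'source static any any destination static X X', the VPN exemption
    that leaves both addresses untouched.
    """
    src_if: str
    dst_if: str
    src_net: str = "0.0.0.0/0"   # 'any'
    dst_net: str = "0.0.0.0/0"   # 'any'
    action: str = "dynamic-pat"

    def matches(self, src_if: str, dst_if: str, src_ip: str, dst_ip: str) -> bool:
        # Simplification (assumption of this model): the interface pair is
        # compared as an unordered pair; direction and state are not modelled.
        if {self.src_if, self.dst_if} != {src_if, dst_if}:
            return False
        return (ip_address(src_ip) in ip_network(self.src_net)
                and ip_address(dst_ip) in ip_network(self.dst_net))


def add_manual_nat(rules: List[NatRule], rule: NatRule, line: Optional[int] = None) -> None:
    """Mimic 'nat (a,b) [line] ...': with a line number the rule is inserted at
    that position (1 = top of Section 1); without one it is appended."""
    if line is None:
        rules.append(rule)
    else:
        rules.insert(line - 1, rule)


def lookup(rules: List[NatRule], src_if: str, dst_if: str,
           src_ip: str, dst_ip: str) -> Tuple[Optional[int], str]:
    """Walk Section 1 top-down; the first matching rule wins."""
    for number, rule in enumerate(rules, start=1):
        if rule.matches(src_if, dst_if, src_ip, dst_ip):
            return number, rule.action
    return None, "no-match"


def original_rules() -> List[NatRule]:
    """The seven dynamic PAT rules quoted in the reply, in configured order."""
    pairs = [("data", "outside2"), ("server", "outside2"), ("DMZ", "outside2"),
             ("server", "outside1"), ("DMZ", "outside1"), ("guestwifi", "outside1"),
             ("data", "outside1")]
    return [NatRule(a, b) for a, b in pairs]


VPN_POOL = "10.2.16.0/24"   # NETWORK_OBJ_10.2.16.0_24, the vpn_ip address pool


def vpn_exemption(src_if: str) -> NatRule:
    """Model of 'nat (src_if,outside1) source static any any destination static
    NETWORK_OBJ_10.2.16.0_24 NETWORK_OBJ_10.2.16.0_24'."""
    return NatRule(src_if, "outside1", "0.0.0.0/0", VPN_POOL, "identity")


def server_to_vpn_result(insert_at: Optional[int]) -> Tuple[Optional[int], str]:
    """Which rule a flow between a server-VLAN host and a VPN client hits after
    the exemption is added at insert_at (None = appended, 1 = top)."""
    rules = original_rules()
    add_manual_nat(rules, vpn_exemption("server"), insert_at)
    # 10.1.1.19 and 10.2.16.5 are constructed sample addresses.
    return lookup(rules, "server", "outside1", "10.1.1.19", "10.2.16.5")


if __name__ == "__main__":
    print("no exemption  :", lookup(original_rules(), "server", "outside1",
                                    "10.1.1.19", "10.2.16.5"))
    print("appended      :", server_to_vpn_result(None))
    print("inserted at 1 :", server_to_vpn_result(1))
```

Running it shows the three cases side by side: with no exemption the flow hits rule 4, the `(server,outside1)` dynamic PAT; an exemption appended without a line number still loses to rule 4 because it sits below it; the same exemption inserted with `1` is evaluated first and the flow is left untranslated. That is the reason the accepted answer carries the `1`.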