Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2113
Views
0
Helpful
4
Replies

Anyconnect tunnel all NAT

broadleon
Level 1
Level 1

‎03-24-2020 02:57 PM - edited ‎03-24-2020 03:09 PM

Hi

 

I decided to set up a new ASA 5516 Firewall with a VPN connection using anyconnect. Normally i would let all traffic route through to the inside interface for other networks including internet so i wouldnt need a NAT setup. However, a new requirement came along where i needed to hairpin the internet traffic back out to the internet on the same Firewall (outside interface). I have that portion of the network working fine, and then route just certian networks to the inside interface and beyond.

 

I can ping ip address on the internet and i can see the traffic flowing through the via the ASDM logs. I can't ping any network connected on the inside interface and i cant reach the DNS Server conected on the inside netwrok to resolve querys.

 

Following certian articles on tunnel-all approaches i have devised some NAT rules which i am lead to belive should resolve the sollution. However connecting to anything conected on the inside interface does not work. Have i done something wrong ?

 

ip local pool PegasusClients 10.200.210.1-10.200.210.30 mask 255.255.255.224

!
interface GigabitEthernet1/1
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/1.1001
 vlan 1001
 nameif Outside
 security-level 0
 ip address ###.###.###.### 255.255.255.248 
!
interface GigabitEthernet1/2
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/2.843
 vlan 843
 nameif Inside
 security-level 100
 ip address 10.200.10.3 255.255.255.0 
!
interface GigabitEthernet1/3
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/5
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/8
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management1/1
 management-only
 nameif management
 security-level 100
 ip address ###.###.###.### 255.255.255.0 
!
boot system disk0:/asa983-29-lfbff-k8.SPA
ftp mode passive
dns domain-lookup Inside
dns server-group DefaultDNS
 expire-entry-timer minutes 60
 name-server 10.92.60.102 Inside
 name-server 10.92.60.101 Inside
 domain-name #########
same-security-traffic permit intra-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network MobileClients
 subnet ########## 255.255.255.0
 description Mobile O2 Clients
object network VRRPGateway
 host 192.168.192.254
 description Primary & Secondary Virtual Interface
object network DC3
 host 10.255.255.101
 description Domain Controller DC3 (RODC)
object network Site-to-Site-Link-Router
 host 10.200.10.254
 description Router 2 to DMZ Zone
object network DC1
 host 10.92.60.101
 description Domain Controller DC1 (GC)
object network dc3.###.#####
 fqdn dc3.###.#####
 description DNS Resolution
object network api-#######.duosecurity.com
 fqdn v4 api-########.duosecurity.com
object network dc1.###.######
 fqdn v4 dc1.####.######
 description DNS Resolution
object network CorporateNetwork
 subnet 10.92.60.0 255.255.255.0
object network VPN_Pool
 subnet 10.200.210.0 255.255.255.224
object network Obj-Inside
 subnet 10.92.60.0 255.255.255.0
 description Corporate Network
object network Obj-AnyconnectPool
 subnet 10.200.210.0 255.255.255.224
object network obj-AnyconnectPool
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list AnyConnect_Client_Local_Print extended deny ip any4 any4 
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd 
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631 
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100 
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353 
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355 
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137 
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns 
access-list Inside_access_in extended permit object-group TCPUDP any any 
access-list Inside_access_in extended permit tcp any object dc3.###.##### eq domain 
access-list Inside_access_in extended permit tcp any object api-#######.duosecurity.com eq ldaps 
access-list Inside_access_in extended deny ip any any 
access-list outside_access_in extended deny ip any any 
access-list Split-Tunnel standard permit 10.92.60.0 255.255.255.0 
access-list Outside_access_in extended deny ip any any 
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu management 1500
no failover
monitor-interface Outside
monitor-interface Inside
no monitor-interface management
no monitor-interface service-module 
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-7121.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (Inside,Outside) source static Obj-Inside Obj-Inside destination static Obj-AnyconnectPool Obj-AnyconnectPool
nat (Outside,Outside) source static Obj-AnyconnectPool Obj-AnyconnectPool destination static Obj-AnyconnectPool Obj-AnyconnectPool
!
object network Obj-Inside
 nat (Inside,Outside) dynamic interface
object network Obj-AnyconnectPool
 nat (Outside,Outside) dynamic interface
access-group Outside_access_in in interface Outside
access-group Inside_access_in in interface Inside
route Outside 0.0.0.0 0.0.0.0 ############## 1
route Inside 10.92.60.0 255.255.255.0 10.200.10.254 1
route Inside 10.255.255.101 255.255.255.255 10.200.10.254 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
ldap attribute-map MAP-ANYCONNECT-LOGIN
  map-name  memberOf Group-Policy
  map-value memberOf CN=AuthorisedAAAUsers,CN=Users,DC=####,DC=##### GroupPolicy_Pegasus
aaa-server LDAPSERVERS protocol ldap
aaa-server LDAPSERVERS (Inside) host 10.255.255.101
 timeout 30
 ldap-base-dn dc=###,dc=#####
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=Cisco Authentication,CN=Users,DC=###,DC=####
 server-type microsoft
 ldap-attribute-map MAP-ANYCONNECT-LOGIN
 group-search-timeout 30
aaa-server Duo-LDAP protocol ldap
aaa-server Duo-LDAP (Outside) host api-#######.duosecurity.com
 timeout 180
 server-port 636
 ldap-base-dn dc=#############,dc=duosecurity,dc=com
 ldap-naming-attribute cn
 ldap-login-password *****
 ldap-login-dn dc=##############,dc=duosecurity,dc=com
 ldap-over-ssl enable
 server-type auto-detect
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL 
aaa local authentication attempts max-fail 3
aaa authentication login-history
http server enable
http ############  255.255.255.0 management
no snmp-server location
no snmp-server contact
service sw-reset-button

telnet timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable Outside
 hostscan image disk0:/hostscan_4.7.01076-k9.pkg
 hostscan enable
 anyconnect image disk0:/anyconnect-win-4.5.02033-webdeploy-k9.pkg 1
 anyconnect profiles Pegasus disk0:/pegasus.xml
 anyconnect enable
 tunnel-group-list enable
 cache
  disable
 error-recovery disable
group-policy NoAccess2 internal
group-policy NoAccess2 attributes
 dns-server value 10.92.60.102 10.92.60.101
 vpn-simultaneous-logins 1
 vpn-tunnel-protocol ssl-client ssl-clientless
 webvpn
  customization value CiscoDuo
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
group-policy GroupPolicy_Pegasus internal
group-policy GroupPolicy_Pegasus attributes
 wins-server none
 dns-server value 10.92.60.102 10.92.60.101
 vpn-simultaneous-logins 25
 vpn-tunnel-protocol ssl-client 
 password-storage disable
 split-tunnel-policy tunnelall
 split-tunnel-network-list value Split-Tunnel
 default-domain value ###########
 split-tunnel-all-dns enable
 webvpn
  anyconnect ssl dtls enable
  anyconnect ssl compression lzs
  anyconnect dtls compression lzs
  anyconnect modules value dart,posture
  anyconnect profiles value Pegasus type user
  customization value CiscoDuo
dynamic-access-policy-record DfltAccessPolicy
 action terminate
dynamic-access-policy-record PegasusACL
 description "Pegasus Allowed Clients"
tunnel-group Pegasus type remote-access
tunnel-group Pegasus general-attributes
 address-pool PegasusClients
 authentication-server-group LDAPSERVERS LOCAL
 secondary-authentication-server-group Duo-LDAP use-primary-username
 default-group-policy NoAccess2
tunnel-group Pegasus webvpn-attributes
 customization CiscoDuo
 group-alias Pegasus enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
  inspect icmp 
  inspect icmp error 
 class class-default
  user-statistics accounting
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
!
service-policy global_policy global

 

 

Labels:
0 Helpful
4 Replies 4

Francesco Molino
VIP Alumni
VIP Alumni

‎03-24-2020 06:49 PM

Hi

Can you share the output of sh run all sysopt?
Also can you run the following command and share the output:
packet-tracer input Inside icmp 10.92.60.102 8 0 10.200.210.1

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful

broadleon
Level 1
Level 1
In response to Francesco Molino

‎03-25-2020 12:38 AM - edited ‎03-25-2020 01:21 AM

sh run all sysopt:
no sysopt traffic detailed-statistics
no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
sysopt connection permit-vpn
sysopt connection reclassify-vpn
no sysopt connection preserve-vpn-flows
no sysopt radius ignore-secret
no sysopt noproxyarp Outside
no sysopt noproxyarp Inside
no sysopt noproxyarp management

 

 

Result of the command: "packet-tracer input Inside icmp 10.92.60.102 8 0 10.200.210.1"

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (Inside,Outside) source static Obj-Inside Obj-Inside destination static Obj-AnyconnectPool Obj-AnyconnectPool
Additional Information:
NAT divert to egress interface Outside
Untranslate 10.200.210.1/0 to 10.200.210.1/0

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group Inside_access_in in interface Inside
access-list Inside_access_in extended deny ip any any
Additional Information:

Result:
input-interface: Inside
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

 

even though there is a deny, when modifying the acl to allow, traffic from the vpn side is not flowing.

0 Helpful

Cristian Matei
VIP Alumni
VIP Alumni
In response to broadleon

‎03-25-2020 02:14 AM

Hi,

 

   Allow the traffic in the ingress ACL applied on the inside interface, and simulate traffic initiation both ways. It should work and likewise traffic flow:

"packet-tracer input inside tcp 10.92.60.102 20000  10.200.210.1 80"

"packet-tracer input outside tcp 10.200.210.1 20000 10.92.60.102 80"

 

  Also, ensure that the downstream layer 3 device, on the inside of your ASA, has a route (specific or default), for the AnyConnect IP Pool range (10.200.210.0/y), towards the ASA inside IP address.

 

Regards,

Cristian Matei.

 

0 Helpful

Francesco Molino
VIP Alumni
VIP Alumni
In response to broadleon

‎03-25-2020 06:44 PM

As Christian already replied, allow this traffic and rerun the packet-tracer on both side to see what happens.
Also if routing on downstream router/switch is correct, this traffic allowed and still not working, can you run a capture on the inside interface to validate we see both ways traffic on the firewall.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful
Customers Also Viewed These Support Documents