11-25-2012 03:28 AM - edited 02-21-2020 06:30 PM
I have been attempting to set up an Anyconnect client to access an internal LAN via an ASA running 8.6(1)2.
The VPN client connects to the ASA successfully, and I get an IP address from the pool on the ASA, so far so good.
I have an issue whereby a ping from an AnyConnect VPN client to an inside host that has a static nat translation is getting a response from the nat (public) address rather than its real (inside) address as below:
C:\ ping 10.191.16.3 (inside host that is natted to let's say 123.123.123.123 on the ASA)
Pinging 10.191.16.3 with 32 bytes of data:
Reply from 123.123.123.123: bytes=32 time=62ms TTL=127
How do I get the response to come from the real address? Pinging inside hosts that do not have static NAT entries is ok.
Below is what I believe are the relevant parts of the config. (Let me know if more is needed and I can post)
interface Redundant1
member-interface GigabitEthernet0/1
member-interface GigabitEthernet0/3
nameif InsideNet99
security-level 100
ip address 10.191.99.251 255.255.255.0
object network VPNClients
subnet 10.191.18.0 255.255.255.0
object network inside_network
subnet 10.191.16.0 255.255.254.0
nat (inside,outside) source static inside_network inside_network destination static VPNClients VPNClients no-proxy-arp route-lookup
object network inside_network
nat (inside,outside) dynamic interface
route inside 10.191.16.0 255.255.254.0 10.191.99.254 1
nat (inside,outside) source static 10.191.16.3 123.123.123.123
11-25-2012 03:20 PM
Hello Steve,
Can you share the output
Show run nat ( I need to see the entire output)
Regards,
11-26-2012 03:10 AM
Hi,
Many thanks for taking the time to reply.
Here is the output you requested...
The only things I have changed are public IPs (I changed the names of a few things in the original post).
FIREWALL-01# sh run nat
nat (InsideNet99,outside) source static fp-private fp-public
nat (InsideNet99,outside) source static tmg-private tmg-public
nat (InsideNet99,outside) source static ex-private ex-public
nat (InsideNet99,outside) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static NETWORK_OBJ_10.191.18.0_24 NETWORK_OBJ_10.191.18.0_24 no-proxy-arp route-lookup
!
object network VRF-VLAN2
nat (InsideNet99,outside) dynamic interface
object network VRF-VLAN3
nat (InsideNet99,outside) dynamic interface
object network VRF-VLAN5
nat (InsideNet99,outside) dynamic interface
object network VRF-VLAN12
nat (InsideNet99,outside) dynamic interface
object network WIFIPUBLIC
nat (wifipublic,outside) dynamic interface
object network VRF-VLAN11
nat (InsideNet99,outside) dynamic interface
object network VRF-VLAN17
nat (InsideNet99,outside) dynamic interface
FIREWALL-01#
Other info...
object network fp-public
host ***.***.***.***
object network VRF-VLAN11
subnet 10.191.16.0 255.255.254.0
object network fp-private
host 10.191.16.1
object network tmg-private
host 10.191.16.3
object network ex-public
host **.***.***.***
object network tmg-public
host 123.123.123.123
object network ex-private
host 10.191.16.2
object network NETWORK_OBJ_10.191.18.0_24
subnet 10.191.18.0 255.255.255.0
object-group network DM_INLINE_NETWORK_1
network-object object VRF-VLAN11
The VPN client has address 10.191.18.1, pinging 10.191.16.3 and getting reply from 123.123.123.123 (The public address of 10.191.16.3).
(123.123.123.123 used for purposes of this forum, not real address).
btw, I can PING other devices on 10.191.16.0/23 that do not have static NATs on the ASA and they respond correctly from the real IP.
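Added here as an illustration (a simplified model written for this thread, not ASA code and not anything the posters supplied): ASA 8.3+ evaluates Section 1 manual NAT rules top to bottom and uses the first match, so the position of the tmg-private/tmg-public static rule above the VPN exemption in the sh run nat output decides which source address a reply from 10.191.16.3 leaves with. It assumes the echo reply is evaluated as a fresh InsideNet99 to outside flow and models only the two rules that matter here; 123.123.123.123 is the poster's placeholder, not a real address.

```python
# Added example, not from the thread: a simplified model of ASA 8.3+ Section 1
# (manual/twice) NAT evaluation, which is top-down and first-match. Objects
# and rule order are taken from the "sh run nat" output above; 123.123.123.123
# is the poster's placeholder, not a real address. Assumption: the echo reply
# from 10.191.16.3 is evaluated as a fresh InsideNet99 -> outside flow.
import ipaddress

OBJECTS = {  # object network definitions from the thread
    "tmg-private": ipaddress.ip_network("10.191.16.3/32"),
    "tmg-public": ipaddress.ip_network("123.123.123.123/32"),
    "VRF-VLAN11": ipaddress.ip_network("10.191.16.0/23"),  # in DM_INLINE_NETWORK_1
    "NETWORK_OBJ_10.191.18.0_24": ipaddress.ip_network("10.191.18.0/24"),
    "any": ipaddress.ip_network("0.0.0.0/0"),
}

# Rules as (real_src, mapped_src, real_dst, mapped_dst), in configuration order.
# "source static X Y" with no destination clause matches any destination.
RULES_AS_CONFIGURED = [
    ("tmg-private", "tmg-public", "any", "any"),
    ("VRF-VLAN11", "VRF-VLAN11",
     "NETWORK_OBJ_10.191.18.0_24", "NETWORK_OBJ_10.191.18.0_24"),  # VPN exemption
]
# The same two rules with the identity (exemption) rule placed first.
RULES_EXEMPTION_FIRST = [RULES_AS_CONFIGURED[1], RULES_AS_CONFIGURED[0]]


def translate_source(src, dst, rules):
    """Source address of a packet leaving InsideNet99 towards outside after
    Section 1 NAT, or None if no manual rule matched (Sections 2/3 not modelled)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for real_src, mapped_src, real_dst, mapped_dst in rules:
        if s in OBJECTS[real_src] and d in OBJECTS[real_dst]:
            real, mapped = OBJECTS[real_src], OBJECTS[mapped_src]
            # static one-to-one: keep the host's offset inside the object
            offset = int(s) - int(real.network_address)
            return str(mapped.network_address + offset)
    return None


if __name__ == "__main__":
    reply = ("10.191.16.3", "10.191.18.1")  # echo reply, server -> VPN client
    print("as configured  :", translate_source(*reply, RULES_AS_CONFIGURED))    # 123.123.123.123
    print("exemption first:", translate_source(*reply, RULES_EXEMPTION_FIRST))  # 10.191.16.3
    print("no static NAT  :", translate_source("10.191.16.88", "10.191.18.1",
                                               RULES_AS_CONFIGURED))            # 10.191.16.88
```

On a real ASA a manual NAT rule can be placed at a given position by giving the line number after the interface pair (nat (InsideNet99,outside) 1 source static ...), and show nat lists the rules in the order they are evaluated.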
11-26-2012 07:02 AM
Hi Steve,
The 10.191.16.0/24 network seems to be reachable via 10.191.99.254 on Interface InsideNet99 as per:
route inside 10.191.16.0 255.255.254.0 10.191.99.254 1
Please make the following change:
1 nat (InsideNet99,outside) source static inside_network inside_network destination static VPNClients VPNClients no-proxy-arp route-lookup
Please let me know what your thoughts are, you may remove the old one:
no nat (inside,outside) source static inside_network inside_network destination static VPNClients VPNClients no-proxy-arp route-lookup
HTH.
Please rate any helpful posts
Portu.
11-26-2012 07:41 AM
Hi Portu,
That is effectively what is in the config at present (I tried to make it easier in my original post, but the post just above yours shows the ACTUAL lines)...
nat (InsideNet99,outside) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static NETWORK_OBJ_10.191.18.0_24 NETWORK_OBJ_10.191.18.0_24 no-proxy-arp route-lookup
(Sorry to have confused you)
Steve
11-26-2012 07:54 AM
I see, but I thought you were trying to ping 10.191.16.3, not 10.191.18.0/24.
Could you please confirm?
Thanks.
11-26-2012 08:30 AM
Yes I am - From the client (10.191.18.n) to the inside server 10.191.16.3
If I ping 10.191.16.88 (this does not have a static nat on the ASA) then the reply comes from 10.191.16.88.
11-29-2012 04:24 AM
Has nobody ever had a similar problem?