
Anyconnect VPN users cannot reach LAN

jshojayi
Level 1

I know this topic has been beat to death, but I've beat myself to death trying to get it to work. I had this working, but didn't save, then the FW did a reboot when the breaker flipped. I can log in with the VPN client. I can't reach any of the LAN resources. I believe I need a NAT exemption and I believe that I have that configured correctly, but it's not working. From the logs I can see the VPN IP pool going to the external IP interface, which means NAT is happening, when it shouldn't be. What am I missing?

ip local pool vpn_pool 10.0.251.10-10.0.251.254 mask 255.255.255.0
!
interface Ethernet0/0
description OUTSIDE INTERFACE
duplex full
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet0/1
description INSIDE INTERFACE
duplex full
nameif inside
security-level 100
ip address 10.0.250.1 255.255.255.0
!

boot system disk0:/asa914-k8.bin

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

object network vpn-pool
subnet 10.0.251.0 255.255.255.0
object network VPN-POOL
subnet 10.0.251.0 255.255.255.0
object network LAN
subnet 10.0.250.0 255.255.255.0

object-group network PAT-SOURCE
network-object 10.0.250.0 255.255.255.0
network-object 10.0.251.0 255.255.255.0
access-list OUTSIDE_IN extended deny ip any4 any4 log debugging
access-list INSIDE_OUT extended permit ip object-group PAT-SOURCE any4 log debugging

ip verify reverse-path interface outside

no arp permit-nonconnected

nat (inside,outside) source static LAN LAN destination static VPN-POOL VPN-POOL
nat (outside,outside) source static VPN-POOL VPN-POOL destination static VPN-POOL VPN-POOL
!
nat (any,outside) after-auto source dynamic PAT-SOURCE interface
access-group OUTSIDE_IN in interface outside
access-group INSIDE_OUT in interface inside

13 Replies

Jouni Forss
VIP Alumni

Hi,

Configurations that you have shown above seem fine.

I would be more interested in seeing the actual logs you mention?

Sounds to me like you are saying that the VPN Pool IP address is translated to public IP address, if so why would this happen if you are connecting from "outside" to "inside" and not from "outside" to "outside"? There is no translation above that should translate the VPN user traffic.

Are you saying that your traffic from VPN user is being forwarded to "outside"? I guess the logs should give us a bit more clue what to look at. Naturally the above is not the complete configuration so there might be something we're missing.

- Jouni

firewall(config)# logging console 7

Jan 07 2014 14:41:49: %ASA-5-111008: User 'jshojayi' executed the 'logging console 7' command.

Jan 07 2014 14:41:49: %ASA-5-111010: User 'jshojayi', running 'CLI' from IP 0.0.0.0, executed 'logging console 7'

firewall(config)# Jan 07 2014 14:41:49: %ASA-6-302016: Teardown UDP connection 2097 for outside:10.0.251.10/138(LOCAL\jshojayi) to outside:10.0.251.255/138 duration 0:00:00 bytes 0 (jshojayi)

Jan 07 2014 14:41:50: %ASA-7-106100: access-list INSIDE_OUT permitted udp inside/10.0.250.22(60524) -> outside/68.94.156.1(53) hit-cnt 1 first hit [0x2ee9b03d, 0x15ffa408]

Jan 07 2014 14:41:50: %ASA-6-305011: Built dynamic UDP translation from any:10.0.250.22/60524 to outside:99.66.187.4/60524

Jan 07 2014 14:41:50: %ASA-6-302015: Built outbound UDP connection 2098 for outside:68.94.156.1/53 (68.94.156.1/53) to inside:10.0.250.22/60524 (99.66.187.4/60524)

Jan 07 2014 14:41:50: %ASA-6-302020: Built outbound ICMP connection for faddr 99.66.184.1/0 gaddr 99.66.187.4/61361 laddr 99.66.187.4/61361

Jan 07 2014 14:41:50: %ASA-6-302021: Teardown ICMP connection for faddr 99.66.184.1/0 gaddr 99.66.187.4/61361 laddr 99.66.187.4/61361

Jan 07 2014 14:41:50: %ASA-6-302015: Built inbound UDP connection 2100 for outside:10.0.251.10/138 (10.0.251.10/138)(LOCAL\jshojayi) to outside:10.0.251.255/138 (10.0.251.255/138) (jshojayi)

Jan 07 2014 14:41:51: %ASA-7-106100: access-list INSIDE_OUT permitted udp inside/10.0.250.22(60524) -> outside/68.94.157.1(53) hit-cnt 1 first hit [0x2ee9b03d, 0x15ffa408]

Jan 07 2014 14:41:51: %ASA-6-302015: Built outbound UDP connection 2101 for outside:68.94.157.1/53 (68.94.157.1/53) to inside:10.0.250.22/60524 (99.66.187.4/60524)

Jan 07 2014 14:41:51: %ASA-6-302016: Teardown UDP connection 2100 for outside:10.0.251.10/138(LOCAL\jshojayi) to outside:10.0.251.255/138 duration 0:00:00 bytes 0 (jshojayi)

Jan 07 2014 14:41:51: %ASA-6-305012: Teardown dynamic TCP translation from any:10.0.250.34/16140 to outside:99.66.187.4/16140 duration 0:01:01

Jan 07 2014 14:41:51: %ASA-6-302013: Built inbound TCP connection 2102 for outside:10.0.251.10/52558 (10.0.251.10/52558)(LOCAL\jshojayi) to inside:10.0.250.15/3389 (10.0.250.15/3389) (jshojayi)

Jan 07 2014 14:41:52: %ASA-6-302015: Built inbound UDP connection 2103 for outside:10.0.251.10/138 (10.0.251.10/138)(LOCAL\jshojayi) to outside:10.0.251.255/138 (10.0.251.255/138) (jshojayi)

Jan 07 2014 14:41:52: %ASA-4-410001: Dropped UDP DNS request from inside:10.0.250.22/54745 to outside:157.56.106.189/3544; label length 128 bytes exceeds protocol limit of 63 bytes

Jan 07 2014 14:41:52: %ASA-6-305012: Teardown dynamic UDP translation from any:10.0.250.22/62857 to outside:99.66.187.4/62857 duration 0:00:31

Jan 07 2014 14:41:52: %ASA-6-305012: Teardown dynamic UDP translation from any:10.0.250.22/61237 to outside:99.66.187.4/61237 duration 0:00:31

Jan 07 2014 14:41:52: %ASA-6-302016: Teardown UDP connection 2103 for outside:10.0.251.10/138(LOCAL\jshojayi) to outside:10.0.251.255/138 duration 0:00:00 bytes 0 (jshojayi)

Jan 07 2014 14:41:53: %ASA-6-302020: Built outbound ICMP connection for faddr 99.66.184.1/0 gaddr 99.66.187.4/28061 laddr 99.66.187.4/28061

Jan 07 2014 14:41:53: %ASA-7-710005: UDP request discarded from 10.0.251.10/61776 to outside:224.0.0.252/5355

Jan 07 2014 14:41:53: %ASA-6-305011: Built dynamic UDP translation from any:10.0.251.10/63938(LOCAL\jshojayi) to outside:99.66.187.4/63938

Jan 07 2014 14:41:53: %ASA-6-302015: Built inbound UDP connection 2105 for outside:10.0.251.10/63938 (99.66.187.4/63938)(LOCAL\jshojayi) to outside:68.94.156.1/53 (68.94.156.1/53) (jshojayi)

Jan 07 2014 14:41:53: %ASA-6-302021: Teardown ICMP connection for faddr 99.66.184.1/0 gaddr 99.66.187.4/28061 laddr 99.66.187.4/28061

Jan 07 2014 14:41:53: %ASA-6-302016: Teardown UDP connection 2060 for outside:10.0.251.10/60840(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:11 bytes 165 (jshojayi)

Jan 07 2014 14:41:53: %ASA-6-302015: Built inbound UDP connection 2106 for outside:10.0.251.10/138 (10.0.251.10/138)(LOCAL\jshojayi) to outside:10.0.251.255/138 (10.0.251.255/138) (jshojayi)

Jan 07 2014 14:41:53: %ASA-6-302016: Teardown UDP connection 2061 for outside:10.0.251.10/58388(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:11 bytes 335 (jshojayi)

Jan 07 2014 14:41:53: %ASA-6-302016: Teardown UDP connection 2105 for outside:10.0.251.10/63938(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:00 bytes 134 (jshojayi)

Jan 07 2014 14:41:53: %ASA-6-305011: Built dynamic UDP translation from any:10.0.251.10/55378(LOCAL\jshojayi) to outside:99.66.187.4/55378

Jan 07 2014 14:41:53: %ASA-6-302015: Built inbound UDP connection 2107 for outside:10.0.251.10/55378 (99.66.187.4/55378)(LOCAL\jshojayi) to outside:68.94.156.1/53 (68.94.156.1/53) (jshojayi)

Jan 07 2014 14:41:53: %ASA-6-305011: Built dynamic UDP translation from any:10.0.251.10/51560(LOCAL\jshojayi) to outside:99.66.187.4/51560

Jan 07 2014 14:41:53: %ASA-6-302015: Built inbound UDP connection 2108 for outside:10.0.251.10/51560 (99.66.187.4/51560)(LOCAL\jshojayi) to outside:68.94.156.1/53 (68.94.156.1/53) (jshojayi)

Jan 07 2014 14:41:54: %ASA-7-710005: UDP request discarded from 10.0.251.10/61776 to outside:224.0.0.252/5355

Jan 07 2014 14:41:54: %ASA-6-302016: Teardown UDP connection 2106 for outside:10.0.251.10/138(LOCAL\jshojayi) to outside:10.0.251.255/138 duration 0:00:00 bytes 0 (jshojayi)

Jan 07 2014 14:41:54: %ASA-6-302016: Teardown UDP connection 2107 for outside:10.0.251.10/55378(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:00 bytes 196 (jshojayi)

Jan 07 2014 14:41:54: %ASA-6-302016: Teardown UDP connection 2108 for outside:10.0.251.10/51560(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:00 bytes 160 (jshojayi)

Jan 07 2014 14:41:54: %ASA-6-302015: Built inbound UDP connection 2109 for outside:10.0.251.10/138 (10.0.251.10/138)(LOCAL\jshojayi) to outside:10.0.251.255/138 (10.0.251.255/138) (jshojayi)

Jan 07 2014 14:41:55: %ASA-6-302016: Teardown UDP connection 2109 for outside:10.0.251.10/138(LOCAL\jshojayi) to outside:10.0.251.255/138 duration 0:00:00 bytes 0 (jshojayi)

Jan 07 2014 14:41:55: %ASA-7-106100: access-list INSIDE_OUT permitted udp inside/10.0.250.22(54078) -> outside/68.94.156.1(53) hit-cnt 1 first hit [0x2ee9b03d, 0x15ffa408]

Jan 07 2014 14:41:55: %ASA-6-305011: Built dynamic UDP translation from any:10.0.250.22/54078 to outside:99.66.187.4/54078

Jan 07 2014 14:41:55: %ASA-6-302015: Built outbound UDP connection 2110 for outside:68.94.156.1/53 (68.94.156.1/53) to inside:10.0.250.22/54078 (99.66.187.4/54078)

Jan 07 2014 14:41:55: %ASA-6-302015: Built inbound UDP connection 2111 for outside:10.0.251.10/138 (10.0.251.10/138)(LOCAL\jshojayi) to outside:10.0.251.255/138 (10.0.251.255/138) (jshojayi)

Jan 07 2014 14:41:55: %ASA-6-302016: Teardown UDP connection 2072 for outside:10.0.251.10/58472(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:11 bytes 210 (jshojayi)

Jan 07 2014 14:41:55: %ASA-6-302016: Teardown UDP connection 2080 for outside:10.0.251.10/62680(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:10 bytes 210 (jshojayi)

Jan 07 2014 14:41:55: %ASA-6-302016: Teardown UDP connection 2073 for outside:10.0.251.10/59472(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:10 bytes 210 (jshojayi)

Jan 07 2014 14:41:55: %ASA-6-302016: Teardown UDP connection 2076 for outside:10.0.251.10/60425(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:10 bytes 210 (jshojayi)

Jan 07 2014 14:41:55: %ASA-6-302016: Teardown UDP connection 2096 for outside:10.0.251.10/52985(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:07 bytes 175 (jshojayi)

Jan 07 2014 14:41:55: %ASA-6-302016: Teardown UDP connection 2075 for outside:10.0.251.10/53507(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:11 bytes 210 (jshojayi)

Jan 07 2014 14:41:55: %ASA-7-106100: access-list OUTSIDE_IN denied udp outside/68.94.156.1(53) -> outside/10.0.251.10(59472)(LOCAL\jshojayi) hit-cnt 1 first hit [0x97487378, 0x0]

Jan 07 2014 14:41:55: %ASA-7-106100: access-list OUTSIDE_IN denied udp outside/68.94.156.1(53) -> outside/10.0.251.10(60425)(LOCAL\jshojayi) hit-cnt 1 first hit [0x97487378, 0x0]

Jan 07 2014 14:41:55: %ASA-7-106100: access-list OUTSIDE_IN denied udp outside/68.94.156.1(53) -> outside/10.0.251.10(53507)(LOCAL\jshojayi) hit-cnt 1 first hit [0x97487378, 0x0]

Jan 07 2014 14:41:55: %ASA-6-302016: Teardown UDP connection 2077 for outside:10.0.251.10/57569(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:11 bytes 210 (jshojayi)

Jan 07 2014 14:41:55: %ASA-6-302016: Teardown UDP connection 2078 for outside:10.0.251.10/54477(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:11 bytes 210 (jshojayi)

Jan 07 2014 14:41:55: %ASA-7-106100: access-list OUTSIDE_IN denied udp outside/68.94.156.1(53) -> outside/10.0.251.10(62680)(LOCAL\jshojayi) hit-cnt 1 first hit [0x97487378, 0x0]

Jan 07 2014 14:41:55: %ASA-6-302016: Teardown UDP connection 2079 for outside:10.0.251.10/56608(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:11 bytes 210 (jshojayi)

Jan 07 2014 14:41:55: %ASA-7-106100: access-list OUTSIDE_IN denied udp outside/68.94.156.1(53) -> outside/10.0.251.10(56608)(LOCAL\jshojayi) hit-cnt 1 first hit [0x97487378, 0x0]

Jan 07 2014 14:41:59: %ASA-7-106100: access-list OUTSIDE_IN denied udp outside/68.94.156.1(53) -> outside/10.0.251.10(54477)(LOCAL\jshojayi) hit-cnt 1 first hit [0x97487378, 0x0]

Jan 07 2014 14:41:59: %ASA-7-106100: access-list OUTSIDE_IN denied udp outside/68.94.156.1(53) -> outside/10.0.251.10(52985)(LOCAL\jshojayi) hit-cnt 1 first hit [0x97487378, 0x0]

Jan 07 2014 14:41:59: %ASA-7-106100: access-list OUTSIDE_IN denied udp outside/68.94.156.1(53) -> outside/10.0.251.10(57569)(LOCAL\jshojayi) hit-cnt 1 first hit [0x97487378, 0x0]

Jan 07 2014 14:41:59: %ASA-7-106100: access-list OUTSIDE_IN denied udp outside/68.94.156.1(53) -> outside/10.0.251.10(58472)(LOCAL\jshojayi) hit-cnt 1 first hit [0x97487378, 0x0]

Jan 07 2014 14:41:59: %ASA-6-302016: Teardown UDP connection 2111 for outside:10.0.251.10/138(LOCAL\jshojayi) to outside:10.0.251.255/138 duration 0:00:00 bytes 0 (jshojayi)

Jan 07 2014 14:41:59: %ASA-7-106100: access-list INSIDE_OUT permitted udp inside/10.0.250.22(54078) -> outside/68.94.157.1(53) hit-cnt 1 first hit [0x2ee9b03d, 0x15ffa408]

Jan 07 2014 14:41:59: %ASA-6-302015: Built outbound UDP connection 2112 for outside:68.94.157.1/53 (68.94.157.1/53) to inside:10.0.250.22/54078 (99.66.187.4/54078)

Jan 07 2014 14:41:59: %ASA-6-302020: Built outbound ICMP connection for faddr 99.66.184.1/0 gaddr 99.66.187.4/5935 laddr 99.66.187.4/5935

Jan 07 2014 14:41:59: %ASA-6-302021: Teardown ICMP connection for faddr 99.66.184.1/0 gaddr 99.66.187.4/5935 laddr 99.66.187.4/5935

Jan 07 2014 14:41:59: %ASA-7-106100: access-list OUTSIDE_IN denied udp outside/68.94.156.1(53) -> outside/10.0.251.10(60840)(LOCAL\jshojayi) hit-cnt 1 first hit [0x97487378, 0x0]

Jan 07 2014 14:41:59: %ASA-7-106100: access-list OUTSIDE_IN denied udp outside/68.94.156.1(53) -> outside/10.0.251.10(58388)(LOCAL\jshojayi) hit-cnt 1 first hit [0x97487378, 0x0]

Jan 07 2014 14:41:59: %ASA-6-302015: Built inbound UDP connection 2114 for outside:10.0.251.10/138 (10.0.251.10/138)(LOCAL\jshojayi) to outside:10.0.251.255/138 (10.0.251.255/138) (jshojayi)

Jan 07 2014 14:41:59: %ASA-6-302016: Teardown UDP connection 2114 for outside:10.0.251.10/138(LOCAL\jshojayi) to outside:10.0.251.255/138 duration 0:00:00 bytes 0 (jshojayi)

Jan 07 2014 14:41:59: %ASA-6-305012: Teardown dynamic UDP translation from any:10.0.250.22/52140 to outside:99.66.187.4/52140 duration 0:00:31

Jan 07 2014 14:41:59: %ASA-6-305012: Teardown dynamic UDP translation from any:10.0.250.22/64609 to outside:99.66.187.4/64609 duration 0:02:32

Jan 07 2014 14:41:59: %ASA-6-302016: Teardown UDP connection 2092 for outside:10.0.251.10/51932(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:11 bytes 198 (jshojayi)

Jan 07 2014 14:41:59: %ASA-6-305011: Built dynamic UDP translation from any:10.0.251.10/57116(LOCAL\jshojayi) to outside:99.66.187.4/57116

Jan 07 2014 14:41:59: %ASA-6-302015: Built inbound UDP connection 2115 for outside:10.0.251.10/57116 (99.66.187.4/57116)(LOCAL\jshojayi) to outside:68.94.156.1/53 (68.94.156.1/53) (jshojayi)

Jan 07 2014 14:41:59: %ASA-6-302020: Built outbound ICMP connection for faddr 99.66.184.1/0 gaddr 99.66.187.4/55793 laddr 99.66.187.4/55793

Jan 07 2014 14:41:59: %ASA-6-302021: Teardown ICMP connection for faddr 99.66.184.1/0 gaddr 99.66.187.4/55793 laddr 99.66.187.4/55793

Jan 07 2014 14:42:00: %ASA-7-106100: access-list OUTSIDE_IN denied udp outside/68.94.156.1(53) -> outside/10.0.251.10(51932)(LOCAL\jshojayi) hit-cnt 1 first hit [0x97487378, 0x0]

Jan 07 2014 14:42:00: %ASA-6-302016: Teardown UDP connection 2115 for outside:10.0.251.10/57116(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:01 bytes 99 (jshojayi)

Jan 07 2014 14:42:00: %ASA-6-302015: Built inbound UDP connection 2117 for outside:10.0.251.10/57116 (99.66.187.4/57116)(LOCAL\jshojayi) to outside:68.94.156.1/53 (68.94.156.1/53) (jshojayi)

Jan 07 2014 14:42:00: %ASA-6-305011: Built dynamic UDP translation from any:10.0.251.10/58663(LOCAL\jshojayi) to outside:99.66.187.4/58663

Jan 07 2014 14:42:00: %ASA-6-302015: Built inbound UDP connection 2118 for outside:10.0.251.10/58663 (99.66.187.4/58663)(LOCAL\jshojayi) to outside:68.94.156.1/53 (68.94.156.1/53) (jshojayi)

Jan 07 2014 14:42:00: %ASA-6-305011: Built dynamic UDP translation from any:10.0.251.10/49740(LOCAL\jshojayi) to outside:99.66.187.4/49740

Jan 07 2014 14:42:00: %ASA-6-302015: Built inbound UDP connection 2119 for outside:10.0.251.10/49740 (99.66.187.4/49740)(LOCAL\jshojayi) to outside:68.94.156.1/53 (68.94.156.1/53) (jshojayi)

Jan 07 2014 14:42:00: %ASA-7-710005: UDP request discarded from 10.0.251.10/60970 to outside:224.0.0.252/5355

Jan 07 2014 14:42:04: %ASA-6-302016: Teardown UDP connection 2098 for outside:68.94.156.1/53 to inside:10.0.250.22/60524 duration 0:00:11 bytes 176

Jan 07 2014 14:42:04: %ASA-7-710005: UDP request discarded from 10.0.251.10/60970 to outside:224.0.0.252/5355

Jan 07 2014 14:42:04: %ASA-6-302016: Teardown UDP connection 2118 for outside:10.0.251.10/58663(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:00 bytes 148 (jshojayi)

Jan 07 2014 14:42:04: %ASA-6-302016: Teardown UDP connection 2119 for outside:10.0.251.10/49740(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:00 bytes 142 (jshojayi)

Jan 07 2014 14:42:04: %ASA-6-302020: Built outbound ICMP connection for faddr 68.94.157.1/0 gaddr 99.66.187.4/0 laddr 10.0.250.22/0

Jan 07 2014 14:42:04: %ASA-6-302016: Teardown UDP connection 2101 for outside:68.94.157.1/53 to inside:10.0.250.22/60524 duration 0:00:11 bytes 220

Jan 07 2014 14:42:04: %ASA-6-302020: Built outbound ICMP connection for faddr 99.66.184.1/0 gaddr 99.66.187.4/63533 laddr 99.66.187.4/63533

Jan 07 2014 14:42:04: %ASA-6-302021: Teardown ICMP connection for faddr 99.66.184.1/0 gaddr 99.66.187.4/63533 laddr 99.66.187.4/63533

Jan 07 2014 14:42:04: %ASA-7-106100: access-list OUTSIDE_IN denied udp outside/68.94.157.1(53) -> inside/10.0.250.22(60524) hit-cnt 1 first hit [0x97487378, 0x0]

Jan 07 2014 14:42:04: %ASA-6-302015: Built inbound UDP connection 2122 for outside:10.0.251.10/138 (10.0.251.10/138)(LOCAL\jshojayi) to outside:10.0.251.255/138 (10.0.251.255/138) (jshojayi)

Jan 07 2014 14:42:04: %ASA-6-305011: Built dynamic UDP translation from any:10.0.251.10/51200(LOCAL\jshojayi) to outside:99.66.187.4/51200

Jan 07 2014 14:42:04: %ASA-6-302015: Built inbound UDP connection 2123 for outside:10.0.251.10/51200 (99.66.187.4/51200)(LOCAL\jshojayi) to outside:68.94.156.1/53 (68.94.156.1/53) (jshojayi)

Jan 07 2014 14:42:04: %ASA-6-302016: Teardown UDP connection 2122 for outside:10.0.251.10/138(LOCAL\jshojayi) to outside:10.0.251.255/138 duration 0:00:00 bytes 0 (jshojayi)

Jan 07 2014 14:42:04: %ASA-6-302021: Teardown ICMP connection for faddr 68.94.157.1/0 gaddr 99.66.187.4/0 laddr 10.0.250.22/0

Jan 07 2014 14:42:04: %ASA-6-302016: Teardown UDP connection 2123 for outside:10.0.251.10/51200(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:00 bytes 182 (jshojayi)

Jan 07 2014 14:42:04: %ASA-6-305012: Teardown dynamic UDP translation from any:10.0.250.22/53977 to outside:99.66.187.4/53977 duration 0:00:30

Jan 07 2014 14:42:04: %ASA-6-305012: Teardown dynamic UDP translation from any:10.0.250.22/64875 to outside:99.66.187.4/64875 duration 0:00:43

Jan 07 2014 14:42:04: %ASA-6-305012: Teardown dynamic UDP translation from any:10.0.250.22/58618 to outside:99.66.187.4/58618 duration 0:00:43

Jan 07 2014 14:42:04: %ASA-6-302015: Built outbound UDP connection 2124 for outside:192.168.1.254/67 (192.168.1.254/67) to identity:99.66.187.4/68 (99.66.187.4/68)

Jan 07 2014 14:42:05: %ASA-7-106100: access-list OUTSIDE_IN denied udp outside/68.94.156.1(53) -> inside/10.0.250.22(60524) hit-cnt 1 first hit [0x97487378, 0x0]

Jan 07 2014 14:42:05: %ASA-6-305012: Teardown dynamic UDP translation from any:10.0.250.22/60404 to outside:99.66.187.4/60404 duration 0:00:43

Jan 07 2014 14:42:05: %ASA-6-302020: Built outbound ICMP connection for faddr 99.66.184.1/0 gaddr 99.66.187.4/17510 laddr 99.66.187.4/17510

Jan 07 2014 14:42:05: %ASA-6-302021: Teardown ICMP connection for faddr 99.66.184.1/0 gaddr 99.66.187.4/17510 laddr 99.66.187.4/17510

Jan 07 2014 14:42:06: %ASA-6-302016: Teardown UDP connection 2110 for outside:68.94.156.1/53 to inside:10.0.250.22/54078 duration 0:00:11 bytes 132

Jan 07 2014 14:42:07: %ASA-7-106100: access-list OUTSIDE_IN denied udp outside/68.94.156.1(53) -> inside/10.0.250.22(54078) hit-cnt 1 first hit [0x97487378, 0x0]

Jan 07 2014 14:42:07: %ASA-6-302020: Built outbound ICMP connection for faddr 68.94.157.1/0 gaddr 99.66.187.4/0 laddr 10.0.250.22/0

Jan 07 2014 14:42:07: %ASA-6-302016: Teardown UDP connection 2112 for outside:68.94.157.1/53 to inside:10.0.250.22/54078 duration 0:00:11 bytes 165

Jan 07 2014 14:42:08: %ASA-7-106100: access-list OUTSIDE_IN denied udp outside/68.94.157.1(53) -> inside/10.0.250.22(54078) hit-cnt 1 first hit [0x97487378, 0x0]

Jan 07 2014 14:42:08: %ASA-6-302020: Built outbound ICMP connection for faddr 99.66.184.1/0 gaddr 99.66.187.4/14848 laddr 99.66.187.4/14848

The VPN peer IP is 10.0.251.10. What I was trying to attempt was 10.0.250.13:X to 10.0.250.15:3389 (RDP). But it looks like the ASA is not observing the NAT exemption and going straight to dynamic NAT.

Hi,

There are a lot of log messages generated by the broadcast traffic from the VPN Client host. There is also some DNS traffic that doesn't seem to be related to this connection.

The only log message of your RDP connection I can find is this

Jan 07 2014 14:41:51: %ASA-6-302013: Built inbound TCP connection 2102  for outside:10.0.251.10/52558 (10.0.251.10/52558)(LOCAL\jshojayi) to  inside:10.0.250.15/3389 (10.0.250.15/3389) (jshojayi)

Though this is only half. The "Teardown" message would tell us why the connection failed. It might be SYN Timeout which would mean that the destination host is not responding or there is some problem with return routing from the host back to the ASA and back to the VPN Client.

The above log message tells us that the NAT has been bypassed. I mean that no NAT has been performed since we see the real source/destination IP address both in the message and inside the "("

So the ASA logs are at least telling us that the connection attempt is allowed through the ASA and it also seems to match the correct NAT configuration.

- Jouni
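Jouni's reading of the Built/Teardown messages (the real address next to the mapped address in parentheses, and the Teardown reason such as SYN Timeout) can be automated for log triage. The script below is an added example written for this page, not code from the thread or from Cisco: it parses ASA 302013/302014/302015/302016 syslog lines, flags each connection as translated (mapped address differs from the real one) or NAT-exempt (identical), and lists teardowns whose reason is SYN Timeout. The sample lines are constructed, modelled on the ones quoted in this thread; the function and field names are my own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample, modelled on the ASA syslog lines quoted in this thread.
SAMPLE_LOG = "\n".join([
    r"Jan 07 2014 14:41:51: %ASA-6-302013: Built inbound TCP connection 2102 for outside:10.0.251.10/52558 (10.0.251.10/52558)(LOCAL\jshojayi) to inside:10.0.250.15/3389 (10.0.250.15/3389) (jshojayi)",
    r"Jan 07 2014 14:41:53: %ASA-6-305011: Built dynamic UDP translation from any:10.0.251.10/63938(LOCAL\jshojayi) to outside:99.66.187.4/63938",
    r"Jan 07 2014 14:41:53: %ASA-6-302015: Built inbound UDP connection 2105 for outside:10.0.251.10/63938 (99.66.187.4/63938)(LOCAL\jshojayi) to outside:68.94.156.1/53 (68.94.156.1/53) (jshojayi)",
    r"Jan 07 2014 14:41:53: %ASA-6-302016: Teardown UDP connection 2105 for outside:10.0.251.10/63938(LOCAL\jshojayi) to outside:68.94.156.1/53 duration 0:00:00 bytes 134 (jshojayi)",
    r"Jan 20 2014 10:16:11: %ASA-6-302013: Built inbound TCP connection 65374 for outside:10.0.251.10/54787 (10.0.251.10/54787) to inside:10.0.250.15/3389 (10.0.250.15/3389)",
    r"Jan 20 2014 10:16:42: %ASA-6-302014: Teardown TCP connection 65374 for outside:10.0.251.10/54787 to inside:10.0.250.15/3389 duration 0:00:30 bytes 0 SYN Timeout",
])

# 302013 (TCP) / 302015 (UDP): "Built ... for IF:real (mapped)[(user)] to IF:real (mapped)"
BUILT_RE = re.compile(
    r"%ASA-6-3020(?:13|15): Built (?P<dir>inbound|outbound) (?P<proto>TCP|UDP) "
    r"connection (?P<id>\d+) for (?P<sif>\w+):(?P<sip>[\d.]+)/(?P<sport>\d+) "
    r"\((?P<msip>[\d.]+)/(?P<msport>\d+)\)(?:\([^)]*\))? "
    r"to (?P<dif>\w+):(?P<dip>[\d.]+)/(?P<dport>\d+) "
    r"\((?P<mdip>[\d.]+)/(?P<mdport>\d+)\)"
)
# 302014 (TCP) / 302016 (UDP): "Teardown ... duration H:MM:SS bytes N [reason] [(user)]"
TEARDOWN_RE = re.compile(
    r"%ASA-6-3020(?:14|16): Teardown (?P<proto>TCP|UDP) connection (?P<id>\d+) for "
    r"(?P<sif>\w+):(?P<sip>[\d.]+)/(?P<sport>\d+)(?:\([^)]*\))? "
    r"to (?P<dif>\w+):(?P<dip>[\d.]+)/(?P<dport>\d+) "
    r"duration (?P<dur>\S+) bytes (?P<bytes>\d+)(?P<rest>.*)$"
)


@dataclass
class Connection:
    conn_id: str
    proto: str
    direction: str
    src_if: str
    src: str          # real source ip/port
    mapped_src: str   # source ip/port after NAT (the value in parentheses)
    dst_if: str
    dst: str
    mapped_dst: str
    bytes_seen: Optional[int] = None
    reason: Optional[str] = None  # teardown reason, e.g. "SYN Timeout"

    @property
    def nat_applied(self) -> bool:
        # Identical real and mapped addresses on both sides means the flow
        # crossed the ASA untranslated, i.e. the NAT exemption (NAT0) matched.
        return self.src != self.mapped_src or self.dst != self.mapped_dst


def parse_log(text: str) -> Dict[str, Connection]:
    """Build a connection table keyed by ASA connection id."""
    conns: Dict[str, Connection] = {}
    for line in text.splitlines():
        m = BUILT_RE.search(line)
        if m:
            conns[m["id"]] = Connection(
                conn_id=m["id"], proto=m["proto"], direction=m["dir"],
                src_if=m["sif"], src=f'{m["sip"]}/{m["sport"]}',
                mapped_src=f'{m["msip"]}/{m["msport"]}',
                dst_if=m["dif"], dst=f'{m["dip"]}/{m["dport"]}',
                mapped_dst=f'{m["mdip"]}/{m["mdport"]}',
            )
            continue
        m = TEARDOWN_RE.search(line)
        if m and m["id"] in conns:
            conn = conns[m["id"]]
            conn.bytes_seen = int(m["bytes"])
            # A trailing "(username)" is not a reason; drop it before reading the reason text.
            rest = re.sub(r"\s*\(\S+\)\s*$", "", m["rest"]).strip()
            conn.reason = rest or None
    return conns


def triage(conns: Dict[str, Connection]) -> Dict[str, List[str]]:
    """Group connection ids by whether NAT was applied and by SYN Timeout teardowns."""
    report: Dict[str, List[str]] = {"nat_bypassed": [], "translated": [], "syn_timeout": []}
    for c in conns.values():
        report["translated" if c.nat_applied else "nat_bypassed"].append(c.conn_id)
        if c.reason == "SYN Timeout":
            report["syn_timeout"].append(c.conn_id)
    return report


if __name__ == "__main__":
    table = parse_log(SAMPLE_LOG)
    for c in table.values():
        state = "translated" if c.nat_applied else "NAT exempt (real == mapped)"
        outcome = c.reason or ("no teardown seen" if c.bytes_seen is None else "closed normally")
        print(f"conn {c.conn_id} {c.proto} {c.src_if}:{c.src} -> {c.dst_if}:{c.dst}: {state}; {outcome}")
    print(triage(table))
```

Read against the thread: the RDP flows (2102, 65374) come out as NAT exempt, so the exemption is honoured, while the VPN client's DNS flow (2105) is the one being PAT'd to the outside address. A SYN Timeout with bytes 0 on an untranslated inbound connection means the ASA forwarded the SYN toward the inside host and never saw a SYN/ACK, which points the investigation at the host, its default gateway, or a capture on the inside interface rather than at the NAT rules.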

I should have cleaned the logs up more. I might have noticed the connection you found. I kept overlooking it and looking at all of the connections where .10 was going to the outside. That was the entire log, the teardown didn't occur and must have timed out. Here's my routing.

firewall# show running-config | in route
ip address dhcp setroute
route outside 0.0.0.0 0.0.0.0 99.66.184.1 1 track 1
firewall# show route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 99.66.184.1 to network 0.0.0.0

C    99.66.184.0 255.255.252.0 is directly connected, outside
C    10.0.250.0 255.255.255.0 is directly connected, inside
S    10.0.251.10 255.255.255.255 [1/0] via 99.66.184.1, outside
d*   0.0.0.0 0.0.0.0 [1/0] via 99.66.184.1, outside

I don't understand the static connection. 10 is my VPN IP, and 184.1 is the ISP GW.

Where did the static route above come from since it's not defined in the config? Is there a basic part of technology that I'm not understanding? The 'd*' route is what the ASA gets from DHCP. My static route statement mirrored it, with its real purpose of using SLA. Assuming NAT exemption is configured correctly and there's only the default route that the ASA receives via DHCP, what else would keep the VPN-POOL from reaching the LAN pool?

Hi,

You should see a Teardown message whatever happens to the connection. Even if the TCP handshake/sync times out.

The static route is added by the ASA automatically for all the VPN Client users connected to the ASA. This is normal behaviour.

It would be easiest to go through the actual configuration to determine if there is any problems there.

There should not be many things needed to enable traffic between a VPN Client and a LAN host

  • Would have to make sure VPN Client is either Full Tunnel or that the LAN network is correctly configured to the Split Tunnel ACL
  • Make sure that there is a NAT0 configuration for the LAN <-> VPN
  • Make sure that the above NAT0 is ordered correctly at the top so that no other NAT configurations overrides it
  • Make sure that the VPN Client has all the necessary routes on its local routing table and that the VPN Client software shows traffic being tunneled.

In your case we have seen a RDP attempt come from the VPN Client and get through the ASA according to the log messages. This tells us that there should be no configuration problem to stop the connection attempt.

This would indicate a problem on the actual LAN host rather than on the ASA.

- Jouni

I started wireshark on the host and watched for the attempt from the vpn client, but it never got to the host. Here's my NAT configuration:

nat (inside,outside) source static LAN LAN destination static VPN-POOL VPN-POOL

nat (outside,outside) source static VPN-POOL VPN-POOL destination static VPN-POOL VPN-POOL

!

nat (any,outside) after-auto source dynamic PAT-SOURCE interface

NAT0 looks to be configured correctly. The VPN client can surf the internet, it just can't reach the LAN network.

I've tried both 9.1.3 and 9.1.4. So, the router has been rebooted. What can I show you from my config? It's something simple I'm missing and I just can't see it.

Thank you.

Joe

Jan 20 2014 10:16:11: %ASA-6-302013: Built inbound TCP connection 65374 for outside:10.0.251.10/54787 (10.0.251.10/54787) to inside:10.0.250.15/3389 (10.0.250.15/3389)

Jan 20 2014 10:16:42: %ASA-6-302014: Teardown TCP connection 65374 for outside:10.0.251.10/54787 to inside:10.0.250.15/3389 duration 0:00:30 bytes 0 SYN Timeout

It's not getting a response. I've run wireshark on the destination and it doesn't see the request. It's as if the ASA is not 'aware' of the egress interface, although it's directly connected to it.

firewall/kcwifi.com(config)# show ip address 

System IP Addresses:

Interface                Name                   IP address      Subnet mask     Method

Ethernet0/0              outside                99.66.187.4     255.255.252.0   DHCP 

Ethernet0/1.250          inside                 10.0.250.1      255.255.255.0   CONFIG

Ethernet0/1.251          vpn_net                10.0.251.1      255.255.255.0   CONFIG

Gateway of last resort is 99.66.184.1 to network 0.0.0.0

C    99.66.184.0 255.255.252.0 is directly connected, outside

C    10.0.250.0 255.255.255.0 is directly connected, inside

C    10.0.251.0 255.255.255.0 is directly connected, vpn_net

S    10.0.251.10 255.255.255.255 [1/0] via 99.66.184.1, outside

d*   0.0.0.0 0.0.0.0 [1/0] via 99.66.184.1, outside

Packet tracer fails, when I test by the outside interface, but that's the source when it's a VPN session.

firewall# packet-tracer input outside tcp 10.0.251.10 5000 10.0.250.15 3389

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

MAC Access list

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   10.0.250.0      255.255.255.0   inside

Phase: 3

Type: UN-NAT

Subtype: static

Result: ALLOW

Config:

nat (inside,outside) source static LAN LAN destination static VPN-POOL VPN-POOL route-lookup

Additional Information:

NAT divert to egress interface inside

Untranslate 10.0.250.15/3389 to 10.0.250.15/3389

Phase: 4

Type:

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 5

Type: ACCESS-LIST

Subtype: log

Result: DROP

Config:

access-group global_access global

access-list global_access extended deny ip any any log debugging

Additional Information:

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: inside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

firewall# show access-list

access-list cached ACL log flows: total 158, denied 94 (deny-flow-max 4096)

            alert-interval 300

access-list DAP-ip-user-50265D00 line 1 extended permit ip any any log debugging interval 300 (hitcnt=11) 0x30e40526

access-list inside_access_in line 1 extended permit ip any any log debugging interval 300 (hitcnt=29004) 0xa925365e

access-list global_access line 1 extended deny ip any any log debugging interval 300 (hitcnt=25026) 0x0cac2fd5

access-list ALL line 1 extended permit ip any any log debugging interval 300 (hitcnt=0) 0xe91a36e3

access-list vpn_net_access_in line 1 extended permit ip any any log debugging interval 300 (hitcnt=1) 0x033ec384

NAT0 is working correctly.

firewall/kcwifi.com# show nat

Manual NAT Policies (Section 1)

1 (outside) to (outside) source static VPN-POOL VPN-POOL   destination static VPN-POOL VPN-POOL

    translate_hits = 0, untranslate_hits = 0

2 (inside) to (outside) source static LAN LAN   destination static VPN-POOL VPN-POOL route-lookup

    translate_hits = 8, untranslate_hits = 9

Manual NAT Policies (Section 3)

1 (any) to (outside) source dynamic PAT-SOURCE interface 

    translate_hits = 40972, untranslate_hits = 30331

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object network VPN-POOL

subnet 10.0.251.0 255.255.255.0

object network LAN

subnet 10.0.250.0 255.255.255.0

object-group network PAT-SOURCE

network-object 10.0.250.0 255.255.255.0

network-object 10.0.251.0 255.255.255.0

nat (outside,outside) source static VPN-POOL VPN-POOL destination static VPN-POOL VPN-POOL

nat (inside,outside) source static LAN LAN destination static VPN-POOL VPN-POOL route-lookup

!

nat (any,outside) after-auto source dynamic PAT-SOURCE interface

access-group inside_access_in in interface inside

access-group vpn_net_access_in in interface vpn_net

access-group global_access global

What am I missing to enable vpn access to the local LAN? Is the ASA sending the traffic sourced from 10.0.251.0 destined to 10.0.250.0 out the outside interface? That's what the routing table shows, but the ASA doesn't allow me to put a static route telling it not to when it's a directly connected interface. The ASA injects that default route into the routing table for the vpn connections, but I don't understand why. I'm sure there's a reason, but I don't know what it is. Any help would be greatly appreciated. I use this network simply for testing. It allows me to do dozens of hours worth of testing in a few minutes.

Thank you.

Joe

Hi,

You don't need the NAT in both directions. A single command is needed as the NAT configuration is bidirectional.

Also the configurations are different compared to the original ones. For example you don't seem to have an "outside" ACL anymore.

Also, the "packet-tracer" tells us one clear problem. The traffic is blocked by the Global ACL. The Global ACL is matched because you have no interface specific ACL on the "outside" so it uses the Global ACL for the ingress traffic.

Therefore you would probably need to add the ACL line

access-list global_access line 1 permit ip 10.0.251.0 255.255.255.0 10.0.250.0 255.255.255.0

Judging by the traffic hitting an ACL, it would seem that you have the "no sysopt connection permit-vpn" command in your configuration also, since this will prevent the connections incoming through VPN from bypassing the ACL.

- Jouni

I'm letting the global access list deny the traffic for the outside interface.

Wouldn't I need both NAT statements for VPN to VPN traffic and then for VPN to LAN traffic?

I applied the global ACL and packet-tracer shows the connection going all the way through now. Which does make sense to me. I did have an outside ACL exactly the same as the global you suggested, but that didn't allow it to go through. I did apply a permit ip any any on the global as a test and then tried my rdp connection, but it had failed. I removed that ACE before I re-posted this morning.

I'm still getting a SYN timeout.

Jan 20 2014 11:08:07: %ASA-6-302013: Built inbound TCP connection 67478 for outside:10.0.251.10/54812 (10.0.251.10/54812) to inside:10.0.250.15/3389 (10.0.250.15/3389)

Jan 20 2014 11:08:39: %ASA-6-302014: Teardown TCP connection 67478 for outside:10.0.251.10/54812 to inside:10.0.250.15/3389 duration 0:00:30 bytes 0 SYN Timeout

The destination is up and reachable from the firewall.

firewall# ping 10.0.250.15

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.0.250.15, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

Hi,

Actually you would not need any ACL to block the traffic coming from behind "outside". If its "security-level" is set to 0 all traffic will be denied from behind it by default.

You won't need the NAT statement both ways. It's never been that way either in the old NAT format or in the new one. Whichever direction the traffic is initiated, this NAT rule will be matched.

I would suggest now doing the capture on the destination host with the setting on the ASA that shows the traffic passing all checks. There should be no reason the initial TCP SYN should not reach the actual host if there is no other filtering device between the destination host and the VPN Client.

- Jouni

Hi,

Have you had the chance to test this out again?

- Jouni