AnyConnect VPN client unable to access ASA interface


Hi Expert,

I have configured Cisco ASA 5516 AnyConnect SSL VPN and it is able to access the internal network. The problem is that the SSL VPN client is unable to access the inside interface of the ASA for management purposes (SSH/HTTP), even though the following configuration is in place.

1. The inside interface subnet is mentioned in the split-tunnel acl.

2. The traffic from vpn client to the inside interface is allowed for http/ssh using ACL applied on outside interface.

3. (Management-access inside) command is applied

4. ssh <vpn client subnet> inside AND http <vpn client subnet> inside is applied in ASA.

5. The nat configuration ( nat (any,outside) source static any any destination static <vpn-subnet> <vpn-subnet> no-proxy-arp route-lookup) is applied

Could anyone please suggest whether anything is missing in my configuration that would allow the VPN client to access SSH/HTTP on the inside ASA interface?

Below is the configuration:


int gi0/0
nameif inside
sec 100
ip add 10.6.1.1 255.255.255.0

int gi0/1
nameif outside
sec 0
ip add 88.88.88.1 255.255.255.249


route outside 0.0.0.0 0.0.0.0 88.88.88.2
route outside 10.10.1.0 255.255.255.0 88.88.88.2


http server enable
http 17.16.1.0 255.255.255.0 inside
http 17.16.11.0 255.255.255.0 inside
http 10.10.1.0 255.255.255.0 inside

ssh 17.16.1.0 255.255.255.0 inside
ssh 17.16.11.0 255.255.255.0 inside
ssh 10.10.1.0 255.255.255.0 inside


management-access inside

 

object network 10.10.1.0
subnet 10.10.1.0 255.255.255.0


ip local pool VPN_Pool 10.10.1.1-10.10.1.200 mask 255.255.255.0

access-list VPN_Split_tunnel extended permit ip object-group ALL_Network object 10.10.1.0
access-list VPN_Split_tunnel extended permit tcp host 10.6.1.1 object 10.10.1.0


access-list outside_access_in extended permit tcp object VPN_Pool host 10.6.1.1 eq 443
access-list outside_access_in extended permit tcp object VPN_Pool host 10.6.1.1 eq 22
access-list outside_access_in extended permit ip object VPN_Pool object-group All_Network

access-group outside_access_in in interface outside

access-list DAP_Network_access_in extended permit tcp object VPN_Pool host 10.6.1.1 eq 443
access-list DAP_Network_access_in extended permit tcp object VPN_Pool host 10.6.1.1 eq 22
access-list DAP_Network_access_in extended permit ip object VPN_Pool object-group All_Network

username user1 password $sha512$5000$S4ViGn84NVQ==77k2n9HlE7Rig==pbkdf2
username user1 attributes
vpn-simultaneous-logins 1
vpn-framed-ip-address 10.10.1.1 255.255.255.0
service-type remote-access

dynamic-access-policy-record DAP_Network_Mgmt
description "Network Team"
network-acl DAP_Network_access_in
priority 40

webvpn
enable outside
anyconnect image disk0:/anyconnect-win-4.6.00362-webdeploy-k9.pkg 4
anyconnect image disk0:/anyconnect-macos-4.6.00362-webdeploy-k9.pkg 5
anyconnect enable
tunnel-group-list enable
cache
disable
error-recovery disable


group-policy Anyconnect internal
group-policy Anyconnect attributes
banner value Warning!
banner value This is a private system. Unauthorized access to or use of this system is strictly prohibited. By continuing, you acknowledge your awareness of and concurrence with the Logical Access Control Policy of GOC. All Access will be logged. Unauthorized access and illegal use of this system will be subject to criminal prosecution under the law and are subject to disciplinary action.
banner value Warning!
wins-server none
dns-server value 10.11.11.11 10.11.11.12
vpn-simultaneous-logins 1
vpn-idle-timeout 720
vpn-session-timeout 1440
vpn-tunnel-protocol ikev2 ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN_Split_tunnel
default-domain value goc.gov.qa
webvpn
anyconnect profiles value AnyConnect_client_profile type user


tunnel-group Anyconnect type remote-access
tunnel-group Anyconnect general-attributes
address-pool VPN_Pool
default-group-policy Anyconnect
tunnel-group Anyconnect webvpn-attributes
group-alias Anyconnect enable

crypto ipsec ikev2 ipsec SSLVPN
protocol esp encryption aes-256
protocol esp integrity sha-256

crypto dynamic-map DMAP 10 set ikev2 ipsec SSLVPN
crypto dynamic-map DMAP 10 set reverse-route

crypto map MAP 100 ipsec dynamic DMAP
crypto map MAP interface outside

crypto ikev2 enable outside client port 443
crypto ikev2 remote trustpoint SSLVPN-TP

nat (any,outside) source static any any destination static 10.10.1.0 10.10.1.0 no-proxy-arp route-lookup

---------------------------------------------------------------
Traffic log while trying SSH (22):

<163>%ASA-3-710003: TCP access denied by ACL from 10.10.1.1/1144 to outside:10.6.1.1.1/22
<166>%ASA-6-110002: Failed to locate egress interface for TCP from outside:10.10.1.1/1144 to 10.6.1.1/22


Traffic log while trying SSH (443):

<166>%ASA-6-106102: access-list DAP_Network_Mgmt permitted tcp for user 'user1' outside/10.10.1.1(1160) -> identity/10.6.1.1(443) hit-cnt 1 first hit [0x7dcb3524, 0xe93914dd]
<166>%ASA-6-110002: Failed to locate egress interface for TCP from outside:10.10.1.1/1160 to 10.6.1.1/443
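Added here as an example for reading the log lines above (not part of the original post): a small Python classifier that parses the three ASA message shapes shown (710003, 106102, 110002) and, for flows from the VPN pool to one of the ASA's own interface addresses, tells an ACL deny apart from an ACL permit that still fails the egress-interface lookup. The interface addresses, pool and sample lines are taken from the thread; the verdict labels are my own.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed from the thread's config: ASA interface addresses and the VPN pool.
ASA_INTERFACE_IPS = {"10.6.1.1": "inside", "88.88.88.1": "outside"}
VPN_POOL = ip_network("10.10.1.0/24")

# Syslog lines from the question (the 710003 line's "10.6.1.1.1" is as posted).
SAMPLE_LOG = """\
<163>%ASA-3-710003: TCP access denied by ACL from 10.10.1.1/1144 to outside:10.6.1.1.1/22
<166>%ASA-6-110002: Failed to locate egress interface for TCP from outside:10.10.1.1/1144 to 10.6.1.1/22
<166>%ASA-6-106102: access-list DAP_Network_Mgmt permitted tcp for user 'user1' outside/10.10.1.1(1160) -> identity/10.6.1.1(443) hit-cnt 1 first hit [0x7dcb3524, 0xe93914dd]
<166>%ASA-6-110002: Failed to locate egress interface for TCP from outside:10.10.1.1/1160 to 10.6.1.1/443
"""

MSG_ID = re.compile(r"%ASA-\d-(\d{6}):")
# 710003/110002 shape: "from [ifc:]SRC/SPORT to [ifc:]DST/DPORT"
SLASH_FLOW = re.compile(r"from (?:\w+:)?([\d.]+)/(\d+) to (?:\w+:)?([\d.]+)/(\d+)")
# 106102 shape: "ifc/SRC(SPORT) -> ifc/DST(DPORT)"
PAREN_FLOW = re.compile(r"\w+/([\d.]+)\((\d+)\) -> \w+/([\d.]+)\((\d+)\)")

def parse_line(line):
    """Return (msg_id, src, sport, dst, dport), or None if the line carries no flow."""
    m = MSG_ID.search(line)
    f = m and (SLASH_FLOW.search(line) or PAREN_FLOW.search(line))
    if not f:
        return None
    return m.group(1), f.group(1), int(f.group(2)), f.group(3), int(f.group(4))

def classify_mgmt_flows(log_text):
    """Verdict per (src, sport, ifc, dport) for VPN-pool flows aimed at an ASA interface."""
    verdicts = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        msg_id, src, sport, dst, dport = rec
        if dst not in ASA_INTERFACE_IPS or ip_address(src) not in VPN_POOL:
            continue  # not VPN-to-box management traffic
        key = (src, sport, ASA_INTERFACE_IPS[dst], dport)
        if msg_id == "710003":
            verdicts[key] = "denied-by-acl"
        elif msg_id == "106102":
            verdicts[key] = "permitted-by-acl"
        elif msg_id == "110002" and verdicts.get(key) == "permitted-by-acl":
            verdicts[key] = "permitted-but-no-egress"  # ACL is fine; lookup is not
        elif msg_id == "110002":
            verdicts[key] = "no-egress-interface"
    return verdicts
```

A "permitted-but-no-egress" verdict is the signal that the ACL work is done and the remaining problem sits in NAT or routing for to-box traffic.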


dyakovsky
Level 1

The ASA is running version 9.8.2, and as you can see in the above configuration there is already a twice NAT configured with the route-lookup option:

" nat (any,outside) source static any any destination static 10.10.1.0 10.10.1.0 no-proxy-arp route-lookup"

dyakovsky
Level 1

It's too old a version; you need to update it.
Here is an example:

! Enable hairpin for non-split-tunneled VPN client traffic:
same-security-traffic permit intra-interface

! Enable management access on inside ifc:
management-access inside

! Identify local VPN network, & perform object interface PAT when going to Internet:
object network vpn_local
 subnet 10.3.3.0 255.255.255.0
 nat (outside,outside) dynamic interface

! Identify inside network, & perform object interface PAT when going to Internet:
object network inside_nw
 subnet 10.1.1.0 255.255.255.0
 nat (inside,outside) dynamic interface

! Use twice NAT to pass traffic between the inside network and the VPN client without
! address translation (identity NAT), w/route-lookup:
nat (outside,inside) source static vpn_local vpn_local destination static inside_nw inside_nw route-lookup

http 10.10.1.0 255.255.255.0 outside  <<- did you try this