06-03-2015 01:08 PM
*** Update ***
My co-worker tried to install the ASA; however, when she plugged it in, it was DOA.
Had to RMA it.
Will be attempting to setup the new one soon.
Thanks for all the help so far.
So, got another new project. I need to setup a 5505 ASA for a remote site. I need to be able to anyconnect to it for admin/support purposes.
When connected I need to be on a split tunnel. As well I need to be able to SSH/HTTPS/ASDM on to multiple devices inside the network.
What I get now is that I connect to the ASA, and it shows split tunnel but does not allow me access to the internet. As well, I cannot get to any site internally, including the ASA. However, I can ping the ASA.
I have attached the config file.
Any help is appreciated.
Stacey
06-03-2015 06:15 PM
Hi Stacey,
Your split tunnel configuration is to send all traffic over VPN except local LAN. Assuming that is fine, the NAT exempt ACL needs to be corrected:
access-list outside_nat0_outbound extended permit ip TEC-VPN-Clients 255.255.255.240 any
Replace source with inside networks and destination as Anyconnect VPN pool.
Also make sure internal network has return route for VPN pool pointing to ASA inside.
HTH
Abaji.
06-04-2015 07:30 AM
Abaji,
I only want the actual traffic for the 192.168.1.0/24 network to go over the VPN. All other traffic needs to be sent out via the local LAN.
Unfortunately I'm not sure how to setup a static route for all anyconnect clients.
Currently when I connect I get
Secured Route
192.168.2.0/28
Non-Secured route
0.0.0.0/0
Needless to say, I can surf the internet now, but I am unable to get through the VPN at all now.
06-04-2015 09:31 AM
You need to include all subnets you need under split tunnel ACL. Refer http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/100936-asa8x-split-tunnel-anyconnect-config.html for example.
HTH
Abaji.
06-04-2015 11:49 AM
I did a packet-tracer on this and it gets stopped here:
Phase: 4
Type: WEBVPN-SVC
Subtype: in
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcaf60558, priority=70, domain=svc-ib-tunnel-flow, deny=false
hits=15, user_data=0x1e000, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=192.168.2.1, mask=255.255.255.255, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
** Did a change of plans, I don't care about split tunnel as long as I can tunnel in. The issue now is I can tunnel in but only get to the internet and not the intranet. I can ping the ASA itself but cannot get into any other device.
One of the error messages I'm getting is:
Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:192.168.3.1/138 dst outside:192.168.3.255/138 denied due to NAT reverse path failure
I was trying to get into 192.168.1.3, the switch inside of the network.
nat (inside) 1 192.168.1.0 255.255.255.0
nat (outside) 1 VPN-Clients 255.255.255.0
TECASA(config)# show nat
NAT policies on Interface inside:
match ip inside 192.168.1.0 255.255.255.0 inside any
dynamic translation to pool 1 (No matching global)
translate_hits = 1, untranslate_hits = 0
match ip inside 192.168.1.0 255.255.255.0 outside any
dynamic translation to pool 1 (207.229.2.132 [Interface PAT])
translate_hits = 605, untranslate_hits = 1
match ip inside 192.168.1.0 255.255.255.0 _internal_loopback any
dynamic translation to pool 1 (No matching global)
translate_hits = 0, untranslate_hits = 0
match ip inside any outside any
no translation group, implicit deny
policy_hits = 0
NAT policies on Interface outside:
match ip outside VPN-Clients 255.255.255.0 outside any
dynamic translation to pool 1 (207.229.2.132 [Interface PAT])
translate_hits = 153, untranslate_hits = 1
Help please
06-05-2015 04:33 AM
Hello, Stacey.
1. Please change the NAT exemption rule to:
no access-list outside_nat0_outbound extended permit ip TEC-VPN-Clients 255.255.255.240 any
access-list outside_nat0_outbound extended permit ip 192.168.0.0 255.255.252.0 TEC-VPN-Clients 255.255.255.240
end
clear xlate
2. Correct the split-tunnel rule:
no access-list Split standard permit host 0.0.0.0
access-list Split extended permit ip 192.168.0.0 255.255.252.0 any
group-policy TEC-Group-Policy attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split
3. Add the permission to inside_access_in (optional):
access-list inside_access_in extended permit ip 192.168.0.0 255.255.252.0 TEC-VPN-Clients 255.255.255.240
And, I believe, it should work.
To verify split tunneling on the remote host (if it is a Windows machine), you can use the route print command from cmd. For example:
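An added check, not part of any post in this thread and not the route print output the reply above refers to: the script below parses the ASA access-list lines quoted in the thread (pre-8.3 NAT syntax, as the nat (inside) 1 lines show) and tests the two things the answers point at. The NAT-exempt ACL must have the inside networks as source and the AnyConnect pool as destination, and the split-tunnel ACL must cover every inside network that should be reached through the tunnel. The names TEC-VPN-Clients, outside_nat0_outbound and Split come from the thread; the pool range 192.168.2.0/28 is an assumption that matches the /28 mask and the "Secured Route 192.168.2.0/28" shown above.

```python
"""Check ASA (pre-8.3 NAT syntax) AnyConnect split-tunnel and NAT-exempt ACLs.

Added example, not code from the thread. Parses ASA access-list lines and
verifies: (1) the NAT-exempt ACL exempts inside -> VPN pool, (2) the
split-tunnel ACL lists every inside network (a 'host 0.0.0.0' entry does not).
"""
import ipaddress
import re

IPV4 = re.compile(r"\d+\.\d+\.\d+\.\d+")

# Assumed ASA 'name' objects referenced by the ACLs (pool range is an assumption).
OBJECTS = {"TEC-VPN-Clients": ipaddress.ip_network("192.168.2.0/28")}
VPN_POOL = OBJECTS["TEC-VPN-Clients"]
# Inside network the poster needs to reach over the tunnel (from the thread).
INSIDE_NETWORKS = [ipaddress.ip_network("192.168.1.0/24")]


def _parse_addr(tokens, i):
    """Parse one address spec starting at tokens[i]; return (network, next index)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    if tok in OBJECTS:
        # a name object may be followed by an explicit mask, as in the thread
        if i + 1 < len(tokens) and IPV4.fullmatch(tokens[i + 1]):
            return OBJECTS[tok], i + 2
        return OBJECTS[tok], i + 1
    # plain "address mask" pair; ipaddress accepts dotted netmasks
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(line):
    """Parse 'access-list NAME standard|extended permit|deny [proto] SRC [DST]'."""
    t = line.split()
    if len(t) < 5 or t[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    name, kind, action = t[1], t[2], t[3]
    i = 4
    if kind == "extended":
        i += 1  # skip the protocol keyword (ip, tcp, ...)
    src, i = _parse_addr(t, i)
    dst = None
    if kind == "extended":
        dst, i = _parse_addr(t, i)
    return {"name": name, "kind": kind, "action": action, "src": src, "dst": dst}


def nat_exempt_ok(acl_lines):
    """True if every inside network is exempted from NAT towards the VPN pool."""
    permits = [e for e in map(parse_acl, acl_lines)
               if e["action"] == "permit" and e["dst"] is not None]
    return all(
        any(inside.subnet_of(e["src"]) and VPN_POOL.subnet_of(e["dst"]) for e in permits)
        for inside in INSIDE_NETWORKS
    )


def split_tunnel_ok(acl_lines):
    """True if the split-tunnel ACL covers every inside network."""
    permits = [e for e in map(parse_acl, acl_lines) if e["action"] == "permit"]
    return all(
        any(inside.subnet_of(e["src"]) for e in permits) for inside in INSIDE_NETWORKS
    )


# Constructed from the ACL lines quoted in the thread: as posted, then as corrected.
BROKEN_NAT0 = ["access-list outside_nat0_outbound extended permit ip TEC-VPN-Clients 255.255.255.240 any"]
FIXED_NAT0 = ["access-list outside_nat0_outbound extended permit ip 192.168.0.0 255.255.252.0 TEC-VPN-Clients 255.255.255.240"]
BROKEN_SPLIT = ["access-list Split standard permit host 0.0.0.0"]
FIXED_SPLIT = ["access-list Split extended permit ip 192.168.0.0 255.255.252.0 any"]

if __name__ == "__main__":
    for label, fn, lines in [("nat0 (as posted)", nat_exempt_ok, BROKEN_NAT0),
                             ("nat0 (corrected)", nat_exempt_ok, FIXED_NAT0),
                             ("split (as posted)", split_tunnel_ok, BROKEN_SPLIT),
                             ("split (corrected)", split_tunnel_ok, FIXED_SPLIT)]:
        print(f"{label:20s} {'OK' if fn(lines) else 'WRONG'}")
```

The as-posted NAT-exempt line fails because its source is the VPN pool rather than the inside network, which is the reversed direction the first reply points out; the as-posted split ACL fails because host 0.0.0.0 is a single /32 that contains no inside network, which matches the client showing only a 192.168.2.0/28 secured route. To check a different site, change INSIDE_NETWORKS and the pool object and feed in the lines from show running-config access-list.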