cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
130
Views
0
Helpful
5
Replies
Stacey Hummer
Beginner

ASA 5505 Issues

*** Update ***

My co-worker tried to install the ASA, however when she plugged it in, it was DOA..

Had to RMA it.

Will be attempting to setup the new one soon.

Thanks for all the help so far.

 

So, got another new project. I need to setup a 5505 ASA for a remote site. I need to be able to anyconnect to it for admin/support purposes.

When connected I need to be on a split tunnel. As well I need to be able to SSH/HTTPS/ASDM on to multiple devices inside the network.

What I get now is connect to the ASA, and shows split tunnel but does not allow me access to the internet. As well I cannot get to any site internally, including the ASA. However I can ping the ASA.

I have attached the config file.

 

Any help is appreciated.

Stacey

 

5 REPLIES 5
Abaji Rawool
Participant

Hi Stacey,

Your split tunnel configuration is to send all traffic over VPN except local LAN. Assuming that is fine, the nat exempt ACL needs to be corrected

 

access-list outside_nat0_outbound extended permit ip TEC-VPN-Clients 255.255.255.240 any 

 

Replace source with inside networks and destination as Anyconnect VPN pool.

Also make sure internal network has return route for VPN pool pointing to ASA inside.

HTH

Abaji.

 

 

 

Abaji,

I only want the actual traffic for the 192.168.1.0/24 network to go over the VPN. All other traffic needs to be sent out via the local lan.

Unfortunately I'm not sure how to setup a static route for all anyconnect clients.

Currently when I connect I get

Secured Route

192.168.2.0/28

Non-Secured route

0.0.0.0/0

Needless to say I can surf the internet now, but I am unable to get thru the vpn at all now.

 

I did a packet-trace on this and it gets stopped here

 

Phase: 4
Type: WEBVPN-SVC
Subtype: in
Result: DROP
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xcaf60558, priority=70, domain=svc-ib-tunnel-flow, deny=false
        hits=15, user_data=0x1e000, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=192.168.2.1, mask=255.255.255.255, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

 

** Did a change of plans, I don't care about split tunnel as long as I can tunnel in. The issue now is I can tunnel in but only get to the internet and not the intranet. I can ping the ASA itself but cannot get into any other device.

One of the error messages I'm getting is

Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:192.168.3.1/138 dst outside:192.168.3.255/138 denied due to NAT reverse path failure

I was trying to get into 192.168.1.3, the switch inside of the network.

nat (inside) 1 192.168.1.0 255.255.255.0
nat (outside) 1 VPN-Clients 255.255.255.0

 

TECASA(config)# show nat

NAT policies on Interface inside:
  match ip inside 192.168.1.0 255.255.255.0 inside any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 1, untranslate_hits = 0
  match ip inside 192.168.1.0 255.255.255.0 outside any
    dynamic translation to pool 1 (207.229.2.132 [Interface PAT])
    translate_hits = 605, untranslate_hits = 1
  match ip inside 192.168.1.0 255.255.255.0 _internal_loopback any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match ip inside any outside any
    no translation group, implicit deny
    policy_hits = 0

NAT policies on Interface outside:
  match ip outside VPN-Clients 255.255.255.0 outside any
    dynamic translation to pool 1 (207.229.2.132 [Interface PAT])
    translate_hits = 153, untranslate_hits = 1

 

Help please

Hello, Stacey.

1. Please, change the NAT exception rule to:

no access-list outside_nat0_outbound extended permit ip TEC-VPN-Clients 255.255.255.240 any

access-list outside_nat0_outbound extended permit ip 192.168.0.0 255.255.252.0 TEC-VPN-Clients 255.255.255.240

end

clear xlate

2. Correct the split-tunnel rule:

no access-list Split standard permit host 0.0.0.0 

access-list Split extended permit ip 192.168.0.0 255.255.252.0 any

group-policy TEC-Group-Policy attributes

 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split

3. Add the permition for inside_access_in (optionaly)

access-list inside_access_in extended permit ip 192.168.0.0 255.255.252.0 TEC-VPN-Clients 255.255.255.240

 

And, I believe, it should work.

To verify slit tunneling on remote host (if it is Windows maschine), you can use route print command from cmd. For example:

 

Content for Community-Ad