ASA 5510 "inside" and vpn IP address pool can be the same (subnet)?

AstraJingga3444
Level 1

Greetings:

I have an ASA 5510 with the ip address pool for "inside" set to be 192.168.0.x

Can the remote access VPN (L2TP from "outside") address pool also be from the 192.168.0.x pool?

13 Replies

Hi @AstraJingga3444

Yes it can; you need to ensure that if you have an internal DHCP server, it does not distribute IP addresses from within the VPN pool, otherwise there will be conflicts.

However, best practice would be to define a separate IP pool for VPN access.

HTH

Hi @Rob Ingram:

If you don't mind reviewing the config below and the access-list nonat-in:

...
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_2 192.168.0.0 255.255.255.0 any
access-list inside_access_in extended permit object-group TCPUDP 192.168.0.0 255.255.255.0 any
access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any interface outside
access-list vpnusers_spitTunnelAcl extended permit ip 192.168.0.0 255.255.255.0 any
access-list nonat-in extended permit ip 192.168.0.0 255.255.255.0 192.168.5.0 255.255.255.0

ip local pool l2tp-ipsec_address 192.168.5.1-192.168.5.10 mask 255.255.255.0
dhcpd address 192.168.0.5-192.168.0.199 inside
...

Change config to:

...
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_2 192.168.0.0 255.255.255.0 any
access-list inside_access_in extended permit object-group TCPUDP 192.168.0.0 255.255.255.0 any
access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any interface outside
access-list vpnusers_spitTunnelAcl extended permit ip 192.168.0.0 255.255.255.0 any
access-list nonat-in extended permit ip 192.168.0.0 255.255.255.0 192.168.0.0 255.255.255.0

ip local pool l2tp-ipsec_address 192.168.0.226-192.168.0.235 mask 255.255.255.0
dhcpd address 192.168.0.5-192.168.0.199 inside
...

Much appreciated

Stephen

Hi @AstraJingga3444

That looks ok.

I assume you are using an ASA version before 8.3?

Hello @Rob Ingram,

Yes, the ASA version is 8.2(5)55

The outside device connects on VPN and gets IP 192.168.0.226. It can't ping 192.168.0.x devices. The device can ping the Cisco ASA through the other network ("outside").

The Cisco ASA can ping other 192.168.0.x (from CLI) and also the device at 192.168.0.226 or its outside ip address.

I suspect I did not set the "access-list" or some NAT settings properly.

...
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_2 192.168.0.0 255.255.255.0 any
access-list inside_access_in extended permit object-group TCPUDP 192.168.0.0 255.255.255.0 any
access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any interface outside
access-list vpnusers_spitTunnelAcl extended permit ip 192.168.0.0 255.255.255.0 any
access-list nonat-in extended permit ip 192.168.0.0 255.255.255.0 192.168.0.0 255.255.255.0

ip local pool l2tp-ipsec_address 192.168.0.226-192.168.0.235 mask 255.255.255.0

global (outside) 1 interface
nat (inside) 0 access-list nonat-in
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1

dhcpd address 192.168.0.5-192.168.0.199 inside
...

Much appreciated,

Stephen

Hello All:

Any recommendation on how to set the NAT or access-list above to allow traffic between "dhcpd address 192.168.0.5-192.168.0.199 inside" and "ip local pool l2tp-ipsec_address 192.168.0.226-192.168.0.235 mask 255.255.255.0"?

The ASA is 8.2(5)55

Much appreciated

Stephen

I haven't used 8.2 for a very long time and the commands are different from 8.3+, but I think what you already had would work.

access-list nonat-in extended permit ip 192.168.0.0 255.255.255.0 192.168.0.0 255.255.255.0
nat (inside) 0 access-list nonat-in

Are you having an issue still? If so, run packet-tracer from the CLI and provide the output. You could also run "show nat detail" and provide the output.

Yes, I still can't access 192.168.0.1 / 192.168.0.86 from 192.168.0.226 (the VPN ip address)

Thank you for the packet-tracer, show nat info and ping tries; the txt file contains the details.

In summary:

packet-tracer input inside icmp 192.168.0.1 0 0 192.168.0.226 detailed
packet-tracer input inside icmp 192.168.0.226 0 0 192.168.0.1 detailed

packet-tracer input inside icmp 192.168.0.86 0 0 192.168.0.1 detailed
packet-tracer input inside icmp 192.168.0.1 0 0 192.168.0.86 detailed

packet-tracer input inside icmp 192.168.0.88 0 0 192.168.0.86 detailed
packet-tracer input inside icmp 192.168.0.86 0 0 192.168.0.88 detailed

packet-tracer input inside icmp 192.168.0.226 0 0 192.168.0.86 detailed
packet-tracer input inside icmp 192.168.0.86 0 0 192.168.0.226 detailed

ciscoasa# show nat outside inside
ERROR: No matching NAT policy found

ciscoasa# show nat inside outside
match ip inside any outside any
dynamic translation to pool 1 (192.168.1.138 [Interface PAT])
translate_hits = 88, untranslate_hits = 58

ciscoasa# ping outside 192.168.0.226
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/26/100 ms

ciscoasa# ping inside 192.168.0.226
Success rate is 0 percent (0/5)

ciscoasa# ping outside 192.168.0.86
Success rate is 0 percent (0/5)

ciscoasa# ping inside 192.168.0.86
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

ciscoasa# ping inside 192.168.0.226
Success rate is 0 percent (0/5)

ciscoasa# ping outside 192.168.0.226
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/28/120 ms

It looks like there is only 1 NAT rule, which is interface PAT. I assume the NAT exemption rule was added ok?

Hello @Rob Ingram:

I mistyped: "nat (inside) 0 access-list nonat-in", it is in the configuration now and the VPN client 192.168.0.226 can access the 192.168.86, 192.168.0.88 except for 192.168.0.1.

Pardon the follow-up question. Is there any other setting to enable the 192.168.0.1 (to respond to ping)?

Stephen

Good to hear.

Not sure on the old 8.2 code tbh, but check you are permitting icmp. The command to check for starts "icmp permit|deny ...". Ensure you can ping from your local network on the correct interface name.

I checked the config file, there's no item with "icmp permit" but 192.168.0.86 or 192.168.0.88 or 192.168.0.10 (any from dhcp pool) can ping 192.168.0.1 or 192.168.0.226 (vpn client from pool).

192.168.0.226 can ping any address from the dhcp pool but not 192.168.0.1.

Note:

I tried configuring "icmp permit any 0 inside"; the 192.168.0.1 does not respond to any ping from inside 192.168.0.88 / 192.168.0.1

Cheers

Stephen

Just in case I missed the line item, attached is the running-config.

Stephen

Add the command "management-access <interface-name>" to permit ping, ssh or http to the inside interface over a VPN tunnel.

HTH
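As an added sanity check, not from the thread or from Cisco, this Python script parses the pre-8.3 lines posted above and reports the three conditions the replies turn on: whether the VPN pool overlaps the inside DHCP range (the first reply), whether the ACL bound by "nat (inside) 0" covers the whole pool (the NAT exemption), and whether a "management-access" line is present (the last reply). The sample config is constructed from the thread's lines, and handling only network/mask ACL entries is an assumption of the script.

```python
import ipaddress
import re

# Constructed sample config: the pre-8.3 ASA lines posted in the thread,
# without the management-access line suggested in the last reply.
SAMPLE_CONFIG = """\
access-list nonat-in extended permit ip 192.168.0.0 255.255.255.0 192.168.0.0 255.255.255.0
ip local pool l2tp-ipsec_address 192.168.0.226-192.168.0.235 mask 255.255.255.0
nat (inside) 0 access-list nonat-in
dhcpd address 192.168.0.5-192.168.0.199 inside
"""

RANGE = r"(\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)"


def address_range(cfg, prefix):
    """Return (first, last) of the first 'prefix a.b.c.d-e.f.g.h' line in cfg."""
    m = re.search(r"^" + prefix + r" " + RANGE, cfg, re.M)
    if not m:
        raise ValueError(f"no line matching {prefix!r}")
    return ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))


def ranges_overlap(a, b):
    # Two inclusive ranges overlap unless one ends before the other starts.
    return a[0] <= b[1] and b[0] <= a[1]


def nonat_covers_pool(cfg, pool):
    """True if the ACL bound by 'nat (inside) 0' has a 'permit ip' entry whose
    destination network contains the whole VPN pool (network/mask form only;
    'any' and 'host' entries are not handled, an assumption of this script)."""
    m = re.search(r"^nat \(inside\) 0 access-list (\S+)", cfg, re.M)
    if not m:
        return False  # no NAT exemption bound at all
    pat = rf"^access-list {re.escape(m.group(1))} extended permit ip \S+ \S+ (\S+) (\S+)"
    for dst, mask in re.findall(pat, cfg, re.M):
        net = ipaddress.ip_network(f"{dst}/{mask}", strict=False)
        if pool[0] in net and pool[1] in net:
            return True
    return False


def check(cfg):
    pool = address_range(cfg, r"ip local pool \S+")
    return {
        "pool_overlaps_dhcp": ranges_overlap(pool, address_range(cfg, r"dhcpd address")),
        "nonat_covers_pool": nonat_covers_pool(cfg, pool),
        "management_access": bool(re.search(r"^management-access \S+", cfg, re.M)),
    }
```

Run check() against a "show running-config" capture; a True overlap or a False exemption result reproduces the two problems worked through in the thread.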