
ASA 5515 - Anyconnect - Inside subnet connection problem

szczyrk80
Level 1

Hi All,

I have a problem with the connection to the inside network/subnet using Anyconnect SSL VPN.

ASA ver. 5515

Please find configuration below:

User Access Verification

ASA1# show running-config
: Saved
:
ASA Version 9.1(2)
!
hostname ASA1
enable password 8Ry2YjIyt7RRXU24 encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names
ip local pool POOLS-for-AnyConnect 10.0.70.1-10.0.70.50 mask 255.255.255.0
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address A.A.A.A 255.255.255.240
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.64.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 20
 ip address B.B.B.B 255.255.255.0
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
object network OBJ_GENERIC_ALL
 subnet 0.0.0.0 0.0.0.0
object network outside_to_inside_FR-Appsrv01
 host 192.168.64.232
object network outside_to_dmz_fr-websvr-uat
 host 10.20.20.14
object network inside_to_dmz
 subnet 192.168.64.0 255.255.255.0
object network gtc-tomcat
 host 192.168.64.228
object network USA-Appsrv01-UAT
 host 192.168.64.223
object network USA-Websvr-UAT
 host 10.20.20.13
object network vpn_to_inside
 subnet 10.0.70.0 255.255.255.0
access-list acl_out extended permit icmp any any unreachable
access-list acl_out extended permit icmp any any echo-reply
access-list acl_out extended permit icmp any any time-exceeded
access-list acl_out extended permit tcp any object outside_to_inside_FR-Appsrv01 eq 3389
access-list acl_out extended permit tcp any object outside_to_inside_FR-Appsrv01 eq 28080
access-list acl_out extended permit tcp any object outside_to_inside_FR-Appsrv01 eq 9876
access-list acl_out extended permit udp any object outside_to_inside_FR-Appsrv01 eq 1720
access-list acl_out extended permit tcp any object outside_to_dmz_fr-websvr-uat eq www
access-list acl_out extended permit tcp any object outside_to_dmz_fr-websvr-uat eq https
access-list acl_out extended permit tcp any object outside_to_dmz_fr-websvr-uat eq 3389
access-list acl_out extended permit tcp any object USA-Appsrv01-UAT eq 9876
access-list acl_out extended permit udp any object USA-Appsrv01-UAT eq 1720
access-list acl_out extended permit tcp any object USA-Websvr-UAT eq www
access-list acl_out extended permit tcp any object USA-Websvr-UAT eq https
access-list acl_out extended permit tcp any object USA-Websvr-UAT eq 3389
access-list acl_out extended permit tcp any object USA-Appsrv01-UAT eq 3389
access-list acl_dmz extended permit icmp any any echo-reply
access-list acl_dmz extended permit ip any any
access-list acl_dmz extended permit tcp object outside_to_dmz_fr-websvr-uat object gtc-tomcat eq 8080
access-list acl_dmz extended permit tcp object outside_to_dmz_fr-websvr-uat object gtc-tomcat eq 8081
access-list acl_dmz extended permit tcp object outside_to_dmz_fr-websvr-uat object gtc-tomcat eq 3389
access-list acl_dmz extended permit tcp object USA-Websvr-UAT object USA-Appsrv01-UAT eq 8080
access-list acl_dmz extended permit tcp object USA-Websvr-UAT object USA-Appsrv01-UAT eq 8081
access-list gtcvpn2 extended permit ip 192.168.64.0 255.255.255.0 10.0.70.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source dynamic OBJ_GENERIC_ALL interface
nat (inside,outside) source static any any destination static vpn_to_inside vpn_to_inside
!
object network outside_to_inside_FR-Appsrv01
 nat (inside,outside) static x.x.x.x
object network outside_to_dmz_fr-websvr-uat
 nat (dmz,outside) static x.x.x.x
object network USA-Appsrv01-UAT
 nat (inside,outside) static x.x.x.x
object network USA-Websvr-UAT
 nat (dmz,outside) static x.x.x.x
access-group acl_out in interface outside
access-group acl_dmz in interface dmz
route outside 0.0.0.0 0.0.0.0 B.B.B.B 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.64.204 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=ASA1
 keypair GTCVPN2
 crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint0
 certificate 19897d54
  quit
telnet 192.168.64.200 255.255.255.255 inside
telnet 192.168.64.169 255.255.255.255 inside
telnet 192.168.64.190 255.255.255.255 inside
telnet 192.168.64.199 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 inside
ssl trust-point ASDM_TrustPoint0 outside
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
group-policy GroupPolicy_GTCVPN2 internal
group-policy GroupPolicy_GTCVPN2 attributes
 wins-server none
 dns-server value 192.168.64.202 192.168.64.201
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value gtcvpn2
 default-domain value mydomain.com
username duncan password cHoYQ5ZzE4HJyyq/ encrypted
username admin password Aosl50Zig4zLZm4/ encrypted
username sebol password U7rG3kt653p8ctAz encrypted
tunnel-group GTCVPN2 type remote-access
tunnel-group GTCVPN2 general-attributes
 address-pool POOLS-for-AnyConnect
 default-group-policy GroupPolicy_GTCVPN2
tunnel-group GTCVPN2 webvpn-attributes
 group-alias GTCVPN2 enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly 19
  subscribe-to-alert-group configuration periodic monthly 19
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:0b972b3b751b59085bc2bbbb6b0c2281
: end
ASA1#

I can connect to the ASA from outside using the AnyConnect client, and split tunneling is working fine; unfortunately I cannot ping anything in the inside network. VPN subnet: 10.0.70.x 255.255.255.0, inside subnet: 192.168.64.x 255.255.255.0.

When connecting from outside, Cisco AnyConnect shows 192.168.64.0/24 in the 'Route details' tab.

Do you know if I am missing anything? (vpn subnet to internal subnet route?)

Thank you,

6 Replies

Marvin Rhoads
Hall of Fame

Does your internal subnet use the ASA as its default gateway? If not, it will need a route pointing to the ASA inside interface.

Can you perform a packet-tracer like:

packet-tracer input inside tcp 192.168.64.2 80 10.0.70.1 1025

(simulating return traffic from an internal web server to a VPN client) 

Hi Marvin,

Thank you for your response, please find the results below:

ASA1# packet-tracer input inside tcp 192.168.64.2 80 10.0.70.1 1025

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source dynamic OBJ_GENERIC_ALL interface
Additional Information:
Dynamic translate 192.168.64.2/80 to 88.151.155.242/80

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source dynamic OBJ_GENERIC_ALL interface
Additional Information:

Phase: 7
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1051460, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

I think this ASA is not the default gateway for the .64.1 subnet. Could you please tell me what a route pointing to the ASA inside interface would be in my case?

Thank you,

It may be that, but the tracer also highlights that your NAT statements need to be reordered. It shows your return traffic would hit the interface NAT statement and not the NAT exemption.

Move up the exemption by making it line 1 as follows:

nat (inside,outside) 1 source static any any destination static vpn_to_inside vpn_to_inside

(Reference)

If you need a gateway, the most common syntax would be something like:

ip route 10.0.70.0 255.255.255.0 192.168.64.1

...on your internal switch.

But try the NAT fix first.
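A small model of why the ordering matters, added here as an example that is not part of this thread: ASA section 1 (manual) NAT rules are evaluated top-down and the first match wins, so with the posted order the catch-all dynamic PAT rule captures the server's reply (the flow the packet-tracer above simulates) before the identity exemption can. Object names and prefixes are taken from the posted config; the PAT address is the one shown in the packet-tracer output, and the matching logic is a simplified assumption of ASA behaviour (no port, protocol or interface checks).

```python
import ipaddress

# Network objects from the posted configuration (constructed copies).
OBJECTS = {
    "OBJ_GENERIC_ALL": ipaddress.ip_network("0.0.0.0/0"),
    "vpn_to_inside": ipaddress.ip_network("10.0.70.0/24"),
    "any": ipaddress.ip_network("0.0.0.0/0"),
}
# PAT address shown in Phase 3 of the packet-tracer output above.
OUTSIDE_IF_IP = "88.151.155.242"

# Each rule: (source object, destination object or None, translation kind).
# As posted: the catch-all dynamic PAT comes first, the exemption second.
ORIGINAL_ORDER = [
    ("OBJ_GENERIC_ALL", None, "dynamic-pat"),
    ("any", "vpn_to_inside", "identity"),
]
# After 'nat (inside,outside) 1 source static ...' puts the exemption at line 1.
FIXED_ORDER = [ORIGINAL_ORDER[1], ORIGINAL_ORDER[0]]


def translate(rules, src, dst):
    """First-match evaluation (simplified assumption: no ports or interfaces).

    Returns (rule index, translated source address); (None, src) if no rule hits.
    """
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, (src_obj, dst_obj, kind) in enumerate(rules):
        if src_ip not in OBJECTS[src_obj]:
            continue
        if dst_obj is not None and dst_ip not in OBJECTS[dst_obj]:
            continue
        # Identity NAT keeps the real source; dynamic PAT rewrites it to the
        # outside interface address, which the VPN client never sent to.
        return i, (src if kind == "identity" else OUTSIDE_IF_IP)
    return None, src


def reply_keeps_real_source(rules, server, client):
    """True when the inside server's reply to a VPN client is left untranslated."""
    return translate(rules, server, client)[1] == server


if __name__ == "__main__":
    for label, rules in (("as posted", ORIGINAL_ORDER), ("exemption first", FIXED_ORDER)):
        idx, xlated = translate(rules, "192.168.64.2", "10.0.70.1")
        print(f"{label}: rule {idx + 1} matched, reply source becomes {xlated}")
```

With the exemption moved to line 1, Internet-bound traffic from the inside subnet still falls through to the dynamic PAT rule, so the fix does not break normal outbound access.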

Thank you,

All of the above fixed my problem.

Kind Regards,

Sebastian

That's great to hear.

Thanks for letting us know and for the rating.

Marvin,

Thanks for this info. Two years later and it helped fix my problem. These forums are great.