Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1306
Views
0
Helpful
3
Replies

ASA AnyConnect can't reach inside network

talmadari
Level 1
Level 1

‎12-10-2013 12:38 AM - edited ‎02-21-2020 07:22 PM

Hi,

i have configured an ASA with very simple setup and AnyConnect access, my client manage to connect and recive an IP but i can't access resources in the inside network.

here is the configuration:

ASA Version 8.0(4)

!

hostname ASA-LAB

enable password XXXXXX encrypted

passwd XXXXXX encrypted

names

name 192.168.31.0 ANYCONNECT

!

interface Ethernet0/0

nameif outside

security-level 0

ip address 212.1.1.1 255.255.255.248

!

interface Ethernet0/1

nameif inside

security-level 100

ip address 10.10.86.220 255.255.255.0

!

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

shutdown

no nameif

no security-level

no ip address

!

ftp mode passive

dns domain-lookup outside

dns domain-lookup inside

same-security-traffic permit intra-interface

access-list INSIDE standard permit 10.10.86.0 255.255.255.0

access-list NETWORK extended permit ip ANYCONNECT 255.255.255.0 10.10.86.0 255.255.255.0

access-list DAP extended permit ip any any

access-list inside_access_in extended permit ip ANYCONNECT 255.255.255.0 10.10.86.0 255.255.255.0

access-list inside_access_in extended permit ip 10.10.86.0 255.255.255.0 ANYCONNECT 255.255.255.0

access-list outside_access_in extended permit ip ANYCONNECT 255.255.255.0 10.10.86.0 255.255.255.0

access-list outside_nat0_outbound extended permit ip ANYCONNECT 255.255.255.0 10.10.86.0 255.255.255.0

access-list outside_nat0_outbound_1 extended permit ip ANYCONNECT 255.255.255.0 10.10.86.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 10.10.86.0 255.255.255.0 ANYCONNECT 255.255.255.0

pager lines 24

mtu outside 1500

mtu inside 1500

ip local pool ANYCONNECT-NET 192.168.31.1-192.168.31.254 mask 255.255.255.0

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-714.bin

no asdm history enable

arp timeout 14400

nat (outside) 0 access-list outside_nat0_outbound_1

nat (inside) 0 access-list inside_nat0_outbound outside

access-group outside_access_in in interface outside

access-group inside_access_in in interface inside

route outside 0.0.0.0 0.0.0.0 212.1.1.2 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

aaa authentication enable console LOCAL

aaa authentication ssh console LOCAL

http server enable

http 0.0.0.0 0.0.0.0 inside

http 0.0.0.0 0.0.0.0 outside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 outside

ssh 0.0.0.0 0.0.0.0 inside

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

enable outside

svc image disk0:/anyconnect-win-2.5.6005-k9.pkg 1

svc enable

group-policy DfltGrpPolicy attributes

vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn

split-tunnel-policy tunnelspecified

split-tunnel-network-list value INSIDE

address-pools value ANYCONNECT-NET

username XXX password XXXXX encrypted privilege 15

username XXX password XXXXX encrypted privilege 15

tunnel-group ANYCONNECT type remote-access

tunnel-group ANYCONNECT general-attributes

address-pool ANYCONNECT-NET

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny 

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip 

  inspect xdmcp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:d59d1d1aaa629c4ab51ff671a3182b7c

: end

when the client connects he recive 192.168.31.1 and try to ping 10.10.86.2 but without success.

any ideas?

Cheers,

Tal

Labels:
0 Helpful
3 Replies 3

m.kafka
Level 4
Level 4

‎12-10-2013 07:42 AM

Pleae verify:

access-list hit-counters, do you see hits on both ingres and egres access-lists?

what does the packet tracer say for an inbound icmp echo-request on interface outside and the echo-reply on interface inside?

what does the "show crypto ipsec sa" say about packets encapsulated and decapsulated, do you see counters rising when you send echo requests?

I don't see a need for "nat (outside) 0" command, you don't have any outside nat configured. In fact you don't use nat at all.

8.0 is quite old and I lost track about specific commands and defaults of the last years but do you have an "no nat control" global command available? If so, you can configure it and you don't need to worry about any nat related issues.

I hope I could you give you some pointers how to resolve your issue.

Rgds, MiKa

0 Helpful

talmadari
Level 1
Level 1
In response to m.kafka

‎12-10-2013 11:13 PM

Hi MiKa,

here are the outputs:

ASA-LAB# show vpn-sessiondb svc

Session Type: SVC

Username     : xxxx                   Index        : 22

Assigned IP  : 192.168.31.1           Public IP    : x.x.x.x

Protocol     : Clientless SSL-Tunnel DTLS-Tunnel

License      : SSL VPN

Encryption   : RC4 AES128             Hashing      : SHA1

Bytes Tx     : 34913                  Bytes Rx     : 180199

Group Policy : DfltGrpPolicy          Tunnel Group : DefaultWEBVPNGroup

Login Time   : 20:37:21 UTC Wed Feb 12 2003

Duration     : 0h:02m:57s

NAC Result   : Unknown

VLAN Mapping : N/A                    VLAN         : none

ASA-LAB# packet-tracer input inside icmp 10.10.86.2 0 8 192.168.31.1

Phase: 1

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

Config:

Additional Information:

Found no matching flow, creating a new flow

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   192.168.31.1    255.255.255.255 outside

Phase: 3

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group inside_access_in in interface inside

access-list inside_access_in extended permit ip 10.10.86.0 255.255.255.0 ANYCONNECT 255.255.255.0

Additional Information:

Phase: 4

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 5

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

Additional Information:

Phase: 6

Type: WEBVPN-SVC

Subtype: out

Result: ALLOW

Config:

Additional Information:

Phase: 7

Type: FLOW-CREATION

Subtype:     

Result: ALLOW

Config:

Additional Information:

New flow created with id 3912, packet dispatched to next module

Phase: 8

Type: ROUTE-LOOKUP

Subtype: output and adjacency

Result: ALLOW

Config:

Additional Information:

found next-hop 212.150.150.185 using egress ifc outside

adjacency Active

next-hop mac address 001b.d43c.1691 hits 879

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: allow

ASA-LAB#  packet-tracer input outside icmp 192.168.31.1 0 8 10.10.86.2

Phase: 1

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

Config:

Additional Information:

Found no matching flow, creating a new flow

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   10.10.86.0      255.255.255.0   inside

Phase: 3

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group outside_access_in in interface outside

access-list outside_access_in extended permit ip ANYCONNECT 255.255.255.0 10.10.86.0 255.255.255.0

Additional Information:

Phase: 4

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 5

Type: CP-PUNT

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 6

Type: WEBVPN-SVC

Subtype: in

Result: DROP

Config:

Additional Information:

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: inside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

i saw the ACL drop but i can't understand why?! my FW policy allow traffic between 192.168.31.0/24 and 10.10.86.0/24...

0 Helpful

m.kafka
Level 4
Level 4
In response to talmadari

‎12-11-2013 12:31 AM

Please verify your webvpn-svc configuration, phase 6 drops the packet, not an access-list/access-group configuration.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents