ASA Anyconnect client is not able to ping specific network

Rakesh Tiwari
Level 1

Hi,

I am able to ping network 172.16.12.0/22 from the ASA 5505, but I am not able to ping it from my AnyConnect client.

I have put the settings below on the ASA for this network.

route inside 172.16.12.0 255.255.252.0 172.16.4.202 1

access-list split-tunnel standard permit 172.16.12.0 255.255.252.0

access-list split-tunnel standard permit 172.16.4.0 255.255.252.0
access-list split-tunnel standard permit 172.16.186.0 255.255.254.0

Ping is working for other networks like 172.16.4.0/22 and 172.16.186.0/23. 172.16.4.202 is the core router and 172.16.12.0 is the subnet for the remote site.

13 Replies

Hi,
It's possibly a NAT issue, in that you may have a NAT rule that is inadvertently natting the traffic.

Please provide the output of "show nat detail" and indicate what your RAVPN network is.

HTH

Hi,

Output of "show nat detail" is as below.

------------------------------------

Manual NAT Policies (Section 1)
1 (inside) to (outside) source dynamic inside-net interface
translate_hits = 86955, untranslate_hits = 1268
Source - Origin: 172.16.4.0/22, 10.10.8.0/24, Translated: 124.30.94.130/26
2 (inside) to (outside) source static inside-net inside-net destination static NETWORK_OBJ_192.168.254.0_24 NETWORK_OBJ_192.168.254.0_24 no-proxy-arp route-lookup
translate_hits = 676540, untranslate_hits = 682235
Source - Origin: 172.16.4.0/22, 10.10.8.0/24, Translated: 172.16.4.0/22, 10.10.8.0/24
Destination - Origin: 192.168.254.0/24, Translated: 192.168.254.0/2

Yes, your traffic will probably match the first NAT rule. You will need to define a NAT exemption rule.

Hi,

I have done so, but it's still not working.

Please find the attached output of "show nat detail"

Manual NAT Policies (Section 1)
1 (inside) to (outside) source dynamic inside-net interface
translate_hits = 87075, untranslate_hits = 1269
Source - Origin: 172.16.4.0/22, 10.10.8.0/24, 172.16.112.0/22, 172.16.12.0/22, Translated: 124.30.94.130/26
2 (inside) to (outside) source static inside-net inside-net destination static NETWORK_OBJ_192.168.254.0_24 NETWORK_OBJ_192.168.254.0_24 no-proxy-arp route-lookup
translate_hits = 676593, untranslate_hits = 682288
Source - Origin: 172.16.4.0/22, 10.10.8.0/24, 172.16.112.0/22, 172.16.12.0/22, Translated: 172.16.4.0/22, 10.10.8.0/24, 172.16.112.0/22, 172.16.12.0/22
Destination - Origin: 192.168.254.0/24, Translated: 192.168.254.0/24

Move that first NAT rule to last, using the commands:

no nat (inside,outside) source dynamic inside-net interface
nat (inside,outside) after-auto source dynamic inside-net interface

This will then process the more specific rules above. Assuming your NAT exempt rule is correct, traffic from RAVPN users to the LAN should not be natted.
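To show why the reply above reorders the rules, here is an added example (not from the thread) that models the ASA's first-match NAT lookup in Python: Section 1 manual rules, then Section 2 object NAT, then Section 3 after-auto rules, in configured order. The object contents are reconstructed from the posted "show nat detail" output; the rule model and the 198.51.100.10 Internet host are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class NatRule:
    section: int                  # 1 = manual, 2 = auto (object NAT), 3 = manual after-auto
    ingress: str                  # real (ingress) interface
    sources: list                 # original source networks
    action: str                   # "pat" = translate to interface IP, "identity" = exempt
    dests: Optional[list] = None  # original destination networks; None = any

# Object contents reconstructed from the thread's "show nat detail" output.
INSIDE_NET = ["172.16.4.0/22", "10.10.8.0/24", "172.16.112.0/22", "172.16.12.0/22"]
RAVPN_NET = ["192.168.254.0/24"]

EXEMPT_RULE = NatRule(1, "inside", INSIDE_NET, "identity", RAVPN_NET)

def _in_any(addr, nets):
    return nets is None or any(ip_address(addr) in ip_network(n) for n in nets)

def lookup(rules, ingress, src, dst):
    """Action of the first matching rule: the ASA walks Section 1, then 2, then 3,
    and within a section takes the rules in configured order."""
    for section in (1, 2, 3):
        for r in rules:
            if (r.section == section and r.ingress == ingress
                    and _in_any(src, r.sources) and _in_any(dst, r.dests)):
                return r.action
    return "no-nat"

def original_order():
    """As first posted: dynamic PAT sits above the exemption in Section 1, so the
    LAN host's reply to an AnyConnect client is PATed to the outside address."""
    pat_first = NatRule(1, "inside", INSIDE_NET, "pat")
    return lookup([pat_first, EXEMPT_RULE], "inside", "172.16.12.69", "192.168.254.38")

def after_auto_order():
    """After 'nat (inside,outside) after-auto ...': PAT moves to Section 3 and the
    same reply now hits the identity rule and keeps its real address."""
    pat_last = NatRule(3, "inside", INSIDE_NET, "pat")
    return lookup([EXEMPT_RULE, pat_last], "inside", "172.16.12.69", "192.168.254.38")

def internet_flow():
    """Internet-bound traffic is unaffected by the move: no exemption matches, so it
    still falls through to the PAT rule in Section 3 (198.51.100.10 is a constructed host)."""
    pat_last = NatRule(3, "inside", INSIDE_NET, "pat")
    return lookup([EXEMPT_RULE, pat_last], "inside", "172.16.12.69", "198.51.100.10")
```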

It's still not working.

Please find the attached output of "show nat detail"

1 (inside) to (outside) source static inside-net inside-net destination static NETWORK_OBJ_192.168.254.0_24 NETWORK_OBJ_192.168.254.0_24 no-proxy-arp route-lookup
translate_hits = 679215, untranslate_hits = 684918
Source - Origin: 172.16.4.0/22, 10.10.8.0/24, 172.16.112.0/22, 172.16.12.0/22, Translated: 172.16.4.0/22, 10.10.8.0/24, 172.16.112.0/22, 172.16.12.0/22
Destination - Origin: 192.168.254.0/24, Translated: 192.168.254.0/24

Manual NAT Policies (Section 3)
1 (inside) to (outside) source dynamic inside-net interface
translate_hits = 38, untranslate_hits = 0
Source - Origin: 172.16.4.0/22, 10.10.8.0/24, 172.16.112.0/22, 172.16.12.0/22, Translated: 124.30.94.130/26

So does NETWORK_OBJ_192.168.254.0_24 actually represent the RAVPN network?
Do you have ACL or VPN Filter defined that could restrict the traffic?
Does the local switch know to route the RAVPN network to the ASA? Is the ASA the default gateway for all outbound traffic?

Provide your full configuration
Run packet-tracer from the CLI and provide the output

Please find the attached reply.

Does NETWORK_OBJ_192.168.254.0_24 actually represent the RAVPN network? Yes
Do you have an ACL or VPN filter defined that could restrict the traffic? Check the config file
Does the local switch know to route the RAVPN network to the ASA? Yes

Is the ASA the default gateway for all outbound traffic? No. It's 172.16.4.202

What is the output from packet-tracer?

I assume 172.16.4.202 has a default route or a static route for 192.168.254.0/24 which points to the ASA?

When you say "172.16.12.0 is subnet for remote site", how is that site connected?
Does that site have a route for the RAVPN network?

Hi

I am submitting a network diagram. It will give a clearer picture.

Hi RJI,

Please find the attached output of packet-tracer.

#packet-tracer input inside icmp 192.168.254.38 0 0 172.16.12.69

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW

Config:
Additional Information:
in 172.16.12.0 255.255.252.0 via 172.16.4.202, inside

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcd5365a0, priority=111, domain=permit, deny=true
hits=8, user_data=0x0, cs_id=0x0, flags=0x4000, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=inside

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Please help me to get it resolved.

Your packet-tracer is incorrect, try this.

packet-tracer input OUTSIDE icmp 192.168.254.38 8 0 172.16.12.69

Please provide the configuration of the switch and the router.

Hi RJI,

Thanks for your response.

Please find the attached output of command

# packet-tracer input OUTSIDE icmp 192.168.254.38 8 0 172.16.12.69 detailed

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in 172.16.12.0 255.255.252.0 via 172.16.4.202, inside

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static inside-net inside-net destination static NETWORK_OBJ_192.168.254.0_24 NETWORK_OBJ_192.168.254.0_24 no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface inside
Untranslate 172.16.12.69/0 to 172.16.12.69/0

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcca4d170, priority=11, domain=permit, deny=true
hits=1396, user_data=0x5, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Please suggest.
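As an added example (not from the thread), a small Python parser that pulls the deciding phase out of packet-tracer output like the run above, so the dropping phase, whether it hit the implicit rule, and the ingress interface can be read off programmatically when comparing runs; the embedded sample is a constructed, abridged copy of the output posted above.

```python
import re

# Constructed, abridged copy of the thread's second packet-tracer run.
SAMPLE = """\
Phase: 1
Type: ROUTE-LOOKUP
Result: ALLOW

Phase: 2
Type: UN-NAT
Result: ALLOW

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
input_ifc=outside, output_ifc=any

Result:
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

# Header of every phase block: number, type, optional (possibly empty) subtype, result.
PHASE_RE = re.compile(r"Phase: (\d+)\nType: (\S+)\n(?:Subtype:[^\n]*\n)?Result: (\w+)")

def parse_phases(text):
    """One dict per phase; packet-tracer separates blocks with blank lines."""
    phases = []
    for block in re.split(r"\n\n+", text):
        m = PHASE_RE.match(block)
        if not m:
            continue  # the trailing 'Result:' summary is not a phase
        ifc = re.search(r"input_ifc=(\w+)", block)
        phases.append({"phase": int(m.group(1)), "type": m.group(2), "result": m.group(3),
                       "implicit_rule": "Implicit Rule" in block,
                       "input_ifc": ifc.group(1) if ifc else None})
    return phases

def first_drop(text):
    """First phase whose Result is DROP, annotated with the final Drop-reason line."""
    reason = re.search(r"Drop-reason: (.*)", text)
    for p in parse_phases(text):
        if p["result"] == "DROP":
            p["drop_reason"] = reason.group(1).strip() if reason else None
            return p
    return None
```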