ASA Anyconnect VPN

jrnngit
Level 1

Hi, I have posted my config below in hopes someone can help. The end goal is for AnyConnect clients to be able to access my internal subnets on a separate router as well as the inside interface subnet on this ASA. I am able to ping the inside interface IP as well as clients on the inside interface subnet; however, I am unable to ping the interface named UDMPRiser or anything connected on the other side of that connection (behind the separate router). What am I missing here?

Config below


!
hostname xxxx-5545X-FW1
domain-name xxxx.com
enable password ***** encrypted
service-module 0 keepalive-timeout 4
service-module 0 keepalive-counter 6
service-module ips keepalive-timeout 4
service-module ips keepalive-counter 6
service-module cxsc keepalive-timeout 4
service-module cxsc keepalive-counter 6
service-module sfr keepalive-timeout 4
service-module sfr keepalive-counter 6
names
no mac-address auto
ip local pool AnyConnect_VPNSubnet 172.16.201.10-172.16.201.254 mask 255.255.255.0

!
interface GigabitEthernet0/0
nameif OUTSIDE
security-level 0
ip address x.x.x.x 255.255.255.248
!
interface GigabitEthernet0/1
no nameif
security-level 100
no ip address
!
interface GigabitEthernet0/1.200
vlan 200
nameif INSIDE
security-level 100
ip address 172.16.200.1 255.255.255.0
!
interface GigabitEthernet0/1.203
vlan 203
nameif UDMPRiser
security-level 0
ip address 172.16.203.2 255.255.255.248
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/7
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
description MGMT-Port
management-only
nameif management
security-level 100
ip address 192.168.3.12 255.255.255.240
!
interface BVI1
no nameif
no security-level
no ip address
!
boot system disk0:/asa9-14-4-12-smp-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name xxxxit.com
same-security-traffic permit intra-interface
object network internal_lan
subnet 172.16.200.0 255.255.255.0
object network obj-vpnpool
subnet 172.16.201.0 255.255.255.0
object network obj-local
subnet 172.16.200.0 255.255.255.0
object network OBJ-ANYCONNECT
subnet 172.16.201.0 255.255.255.0
access-list outside_in extended deny ip any any log
access-list Inside_net extended permit ip object internal_lan any log disable
access-list OUTSIDE_access_in extended permit ip any any
access-list split-tunnel standard permit 172.16.200.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu OUTSIDE 1500
mtu INSIDE 1500
mtu UDMPRiser 1500
mtu management 1500
no failover
no failover wait-disable
no monitor-interface INSIDE
no monitor-interface UDMPRiser
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
icmp deny any OUTSIDE
asdm image disk0:/asdm-openjre-7171-155.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 32768
nat (INSIDE,OUTSIDE) source static any any destination static OBJ-ANYCONNECT OBJ-ANYCONNECT no-proxy-arp route-lookup
!
object network internal_lan
nat (INSIDE,OUTSIDE) dynamic interface
object network obj-vpnpool
nat (OUTSIDE,OUTSIDE) dynamic interface
access-group outside_in in interface OUTSIDE
route management 0.0.0.0 0.0.0.0 192.168.3.1 1
route OUTSIDE 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authentication serial console LOCAL
aaa authentication login-history
http server enable
http 192.168.3.0 255.255.255.240 management
http 172.16.100.0 255.255.255.0 management
http redirect OUTSIDE 80
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh scopy enable
ssh stricthostkeycheck
ssh timeout 10
ssh version 2
ssh key-exchange group dh-group1-sha1
ssh 172.16.100.0 255.255.255.0 management
console timeout 0
management-access INSIDE
dhcpd dns 8.8.8.8
!
dhcpd address 172.16.200.15-172.16.200.254 INSIDE
dhcpd dns 8.8.8.8 8.8.4.4 interface INSIDE
dhcpd lease 604800 interface INSIDE
dhcpd enable INSIDE
!
!
tls-proxy maximum-session 1000
!
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
enable OUTSIDE
http-headers
hsts-server
enable
max-age 31536000
include-sub-domains
no preload
hsts-client
enable
x-content-type-options
x-xss-protection
content-security-policy
anyconnect image disk0:/anyconnect-win-4.10.05111-webdeploy-k9.pkg 1
anyconnect enable
tunnel-group-list enable
cache
disable
error-recovery disable
group-policy GroupPolicy_xxxx_VPN internal
group-policy GroupPolicy_xxxx_VPN attributes

wins-server none
dns-server value 8.8.8.8
vpn-tunnel-protocol ssl-client
default-domain value xxxxit.com
dynamic-access-policy-record DfltAccessPolicy
username xxxx password ***** encrypted privilege 15
username xxxx password ***** encrypted privilege 15
username xxxx password ***** pbkdf2
tunnel-group xxxx_VPN type remote-access
tunnel-group xxxx_VPN general-attributes
address-pool AnyConnect_VPNSubnet
default-group-policy GroupPolicy_xxxx_VPN
tunnel-group xxxx_VPN webvpn-attributes
group-alias xxxx_VPN enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
class class-default
user-statistics accounting
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
password encryption aes
hpm topN enable
:end

14 Replies

@jrnngit assuming your UDMPRiser interface is an internal interface, change the security level to 100, as it's currently set to 0.


interface GigabitEthernet0/1.203
 vlan 203
 nameif UDMPRiser
 security-level 100


Hi Rob Ingram and MHM Cisco World,

As suggested by Rob, I updated the security level on the UDMPRiser interface, which is the interface that's directly connected to my layer 3 device (Unifi Dream Machine Pro). I am still unable to ping anything that sits on my UDMP, or even the 172.16.203.2 interface (UDMPRiser on the ASA). As mentioned by Rob, we are tunneling all traffic and want to get this squared away before split tunneling the traffic. Any other suggestions or ideas?

@jrnngit Can the devices connected to the inside of the UDMPRiser interface ping the ASA's local interface IP - 172.16.203.2?

Please run packet-tracer from the CLI simulating traffic from the VPN IP pool (an unused IP address) to a device behind the ASA's UDMPRiser interface (not the ASA itself).

I wouldn't be surprised you can't ping from the VPN client to the UDMPRiser interface IP address, as you've configured "management-access inside"; this would allow you to ping only the "inside" interface over a VPN.

Hi Rob,

See below. Worth noting: I can't ping 172.16.203.2 (ASA UDMPRiser interface) even from a client connected to my inside interface (172.16.200.0/24) on the ASA itself. I can ping 172.16.203.1 (UDM Pro interface) if I source from the UDMPRiser interface on the ASA, using ping UDMPRiser 172.16.203.1. I cannot ping from any device behind the UDM Pro to the ASA UDMPRiser interface.

xxxx-5545X-FW1# packet-tracer input OUTSIDE icmp 172.16.201.1 11 1 172.16.203.1 (172.16.203.1 is the UDMPRiser interface IP on the UDM Pro)

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: No ECMP load balancing
Result: ALLOW
Config:
Additional Information:
Destination is locally connected. No ECMP load balancing.
Found next-hop 172.16.203.1 using egress ifc UDMPRiser

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group outside_in in interface OUTSIDE
access-list outside_in extended deny ip any any log
Additional Information:

Result:
input-interface: OUTSIDE
input-status: up
input-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x000055b9f00678ec flow (NA)/NA


@jrnngit you would never be able to ping the UDMPRiser interface from a device connected behind another ASA interface (inside); that's by design. You can only ping the interface closest to the client, so a device on the inside of the ASA can only ping the inside ASA interface IP address.

For testing you are always best to send traffic through the ASA, to devices behind the ASA.

The packet-tracer confirms the traffic is denied by your ACL on the outside interface "outside_in", either permit the traffic in the ACL or confirm "sysopt connection permit-vpn" is enabled to bypass the outside interface ACL for VPN traffic.

Made the change to the ACL; I now see this. I also added the command sysopt connection permit-vpn but I am unable to see it in the config. Is there a reason why I would be able to ping 172.16.200.1 (Inside) from the VPN but not 172.16.203.2 (UDMPRiser on the ASA)?


packet-tracer input OUTSIDE icmp 172.16.201.11 11 1 172.16.203.1

Phase: 1
Type: ROUTE-LOOKUP
Subtype: No ECMP load balancing
Result: ALLOW
Config:
Additional Information:
Destination is locally connected. No ECMP load balancing.
Found next-hop 172.16.203.1 using egress ifc UDMPRiser

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_in in interface OUTSIDE
access-list outside_in extended permit ip object OBJ-ANYCONNECT any
Additional Information:

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:

Result:
input-interface: OUTSIDE
input-status: up
input-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x000055b9f006c529 flow (NA)/NA

@jrnngit because... you've configured "management-access inside"; this would allow you to ping only the "inside" interface over a VPN.

Run the following:

packet-tracer input OUTSIDE icmp 172.16.201.11 8 0 172.16.203.1

or generate real traffic from a connected client.
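The two traces above differ in a way that is easy to miss when reading by eye: in the first, the dropping phase is listed (Phase 3, ACCESS-LIST, Result: DROP, with the offending ACE under Config), while in the second every phase says ALLOW and only the trailing `Action: drop` / `Drop-reason:` lines reveal the outcome. The parser below is an added example, not code from the thread or from Cisco; it pulls both pieces out of packet-tracer output so a batch of traces can be triaged the same way Rob does here. The two traces embedded in it are constructed condensations of the ones posted above.

```python
"""Parse Cisco ASA packet-tracer output and point at the phase that dropped the
packet. Added example, not from the thread; the two traces below are constructed,
condensed from the ones posted in it."""
import re
from typing import Dict, List, Optional


def parse_phases(trace: str) -> List[Dict]:
    """Return one dict per 'Phase: N' block, keyed by the field names ASA prints."""
    phases: List[Dict] = []
    current: Optional[Dict] = None
    field: Optional[str] = None          # multi-line field currently being collected
    for raw in trace.splitlines():
        line = raw.strip()
        if line.startswith("Phase:"):
            current = {"phase": int(line.split(":", 1)[1]), "Config": [], "Additional Information": []}
            phases.append(current)
            field = None
        elif current is None or not line:
            continue
        elif line == "Result:":          # a bare 'Result:' opens the final summary, not a phase result
            current = None
        else:
            key, _, value = line.partition(":")
            if key in ("Config", "Additional Information") and not value.strip():
                field = key
            elif key in ("Type", "Subtype", "Result"):
                current[key] = value.strip()
                field = None
            elif field:                  # continuation line of Config / Additional Information
                current[field].append(line)
    return phases


def parse_summary(trace: str) -> Dict[str, str]:
    """Parse the trailing 'Result:' block (input-interface, Action, Drop-reason, ...)."""
    summary: Dict[str, str] = {}
    in_summary = False
    for raw in trace.splitlines():
        line = raw.strip()
        if line == "Result:":
            in_summary = True
        elif in_summary and ":" in line:
            key, _, value = line.partition(":")
            summary[key.strip()] = value.strip()
    return summary


def diagnose(trace: str) -> Dict:
    """Combine phases and summary: final action, ASA drop code, and the dropping phase if listed."""
    phases = parse_phases(trace)
    summary = parse_summary(trace)
    dropping = next((p for p in phases if p.get("Result") == "DROP"), None)
    code = re.search(r"\(([\w-]+)\)", summary.get("Drop-reason", ""))   # e.g. '(acl-drop)'
    return {
        "action": summary.get("Action"),
        "drop_code": code.group(1) if code else None,
        "drop_phase": dropping["phase"] if dropping else None,
        "drop_type": dropping["Type"] if dropping else None,
        "drop_config": dropping["Config"] if dropping else [],
        "phase_count": len(phases),
    }


# Constructed trace 1: phases 2-3 of the thread's first trace, dropped by the interface ACL.
TRACE_ACL_DENY = """\
Phase: 2
Type: ROUTE-LOOKUP
Subtype: No ECMP load balancing
Result: ALLOW
Config:
Additional Information:
Found next-hop 172.16.203.1 using egress ifc UDMPRiser

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group outside_in in interface OUTSIDE
access-list outside_in extended deny ip any any log
Additional Information:

Result:
input-interface: OUTSIDE
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x000055b9f00678ec flow (NA)/NA
"""

# Constructed trace 2: every listed phase allows, yet the final action is still a drop.
TRACE_LATE_DROP = """\
Phase: 1
Type: ACCESS-LIST
Result: ALLOW
Config:
access-group outside_in in interface OUTSIDE
access-list outside_in extended permit ip object OBJ-ANYCONNECT any
Additional Information:

Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x000055b9f006c529 flow (NA)/NA
"""
```

When `drop_phase` is `None` but `action` is `drop`, the phase list will not explain the result; as in the thread, correlate with configuration outside the interface ACL (here, `management-access`) or generate real traffic and capture it on both sides.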

Hi Rob, see below; however, I still can't ping from the AnyConnect VPN client to 172.16.203.1. I can ping 172.16.203.1 (UDMP interface) from other clients behind that layer 3 device.


Phase: 1
Type: ROUTE-LOOKUP
Subtype: No ECMP load balancing
Result: ALLOW
Config:
Additional Information:
Destination is locally connected. No ECMP load balancing.
Found next-hop 172.16.203.1 using egress ifc UDMPRiser

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_in in interface OUTSIDE
access-list outside_in extended permit ip object OBJ-ANYCONNECT any
Additional Information:

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 59947, packet dispatched to next module

Phase: 8
Type: ROUTE-LOOKUP
Subtype: No ECMP load balancing
Result: ALLOW
Config:
Additional Information:
Destination is locally connected. No ECMP load balancing.
Found next-hop 172.16.203.1 using egress ifc UDMPRiser

Phase: 9
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_in in interface OUTSIDE
access-list outside_in extended permit ip object OBJ-ANYCONNECT any
Additional Information:

Phase: 10
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 12
Type: INPUT-ROUTE-LOOKUP-FROM-OUTPUT-ROUTE-LOOKUP
Subtype: Resolve Preferred Egress interface
Result: ALLOW
Config:
Additional Information:
Found next-hop 172.16.203.1 using egress ifc UDMPRiser

Phase: 13
Type: ADJACENCY-LOOKUP
Subtype: Resolve Nexthop IP address to MAC
Result: ALLOW
Config:
Additional Information:
Found adjacency entry for Next-hop 172.16.203.1 on interface UDMPRiser
Adjacency :Active
MAC address 74ac.b91b.d070 hits 15027 reference 1

Result:
input-interface: OUTSIDE
input-status: up
input-line-status: up
output-interface: UDMPRiser
output-status: up
output-line-status: up
Action: allow

@jrnngit this output confirms that the ASA thinks that simulated packet should work. So confirm that the UDM has a route via the ASA for the AnyConnect pool or 0.0.0.0/0.

Take a packet capture on the UDM pro to confirm a real packet is received. Check the UDM Pro is not blocking the packet either.

You've no Auto NAT rule (for internet access), so a NAT exemption rule would not be required here to resolve this specific issue, and packet-tracer does not confirm a NAT issue either. If you want internet access from the UDMPRiser interface you'd need to create an Auto NAT rule, and then you'd need the NAT exemption rule as in the example provided.

access-list split-tunnel standard permit 172.16.200.0 255.255.255.0 <<- I see only one prefix in the split ACL? If you need AnyConnect to access more than Inside then you need to add an ACE to the split ACL.


@MHM Cisco World wrote:

access-list split-tunnel standard permit 172.16.200.0 255.255.255.0 <<- I see only one prefix in the split ACL? If you need AnyConnect to access more than Inside then you need to add an ACE to the split ACL.


@MHM Cisco World the split-tunnel ACL is not referenced in the group-policy, so not in use.

nat (INSIDE,OUTSIDE) source static <LAN><LAN> destination static OBJ-ANYCONNECT OBJ-ANYCONNECT no-proxy-arp route-lookup
nat (UDMPRiser,OUTSIDE) source static <UDMRP><UDMPR> destination static OBJ-ANYCONNECT OBJ-ANYCONNECT no-proxy-arp route-lookup

Are there any other prefixes you need to reach via UDMRP that connect to the ASA via L3SW or R?

Hi MHM Cisco World, I will try this now. All subnets I need to reach via the AnyConnect VPN are behind the Unifi Dream Machine Pro (router); I have a direct connection from the ASA to the UDMP.

nat (UDMPRiser,OUTSIDE) source static <ALL prefix UDMRP><ALL prefix UDMPR> destination static OBJ-ANYCONNECT OBJ-ANYCONNECT no-proxy-arp route-lookup

Note: in the router you need to make sure there is a static route for the VPN pool toward the ASA interface.
Note: the ASA must have a route for all prefixes connected to the UDMRP router.
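The thread ends up checking five things by hand against the posted config: the security level of the new interface relative to OUTSIDE, `management-access`, whether the outside ACL matters for VPN traffic (`sysopt connection permit-vpn`), whether the split-tunnel ACL is actually referenced by the group-policy, and whether an interface with Auto NAT has a matching NAT exemption toward the pool. The lint pass below is an added example, not code from the thread, from Cisco or from any of the posters; it runs those checks over the text of `show running-config`. It assumes the VPN-terminating interface is named OUTSIDE and the pool object OBJ-ANYCONNECT, as in the question, and treats `sysopt connection permit-vpn` as enabled unless the config contains its `no` form, which is how the ASA displays that default. SAMPLE_CFG is a constructed, condensed version of the posted config with a documentation address in place of the masked public IP. Parsing is line-oriented and regex-based, so it copes with the indentation-stripped paste in the thread as well as a real `show run`.

```python
"""Lint an ASA running-config for the AnyConnect reachability problems this thread
walks through. Added example, not from the thread or from Cisco; SAMPLE_CFG is a
constructed, condensed version of the config posted in the question."""
import re
from typing import Dict, List


def parse_interfaces(cfg: str) -> Dict[str, Dict]:
    """Map nameif -> {'ifc': interface name, 'level': security-level}."""
    ifcs: Dict[str, Dict] = {}
    cur = None
    for raw in cfg.splitlines():
        line = raw.strip()
        m = re.match(r"interface (\S+)$", line)
        if m:
            cur = {"ifc": m.group(1), "level": None}
        elif cur is None or line == "!":        # '!' closes an interface block
            cur = None
        elif line.startswith("nameif "):
            ifcs[line.split()[1]] = cur
        elif line.startswith("security-level "):
            cur["level"] = int(line.split()[1])
    return ifcs


def lint_remote_access(cfg: str, pool_obj: str, vpn_ifc: str = "OUTSIDE") -> List[str]:
    """Return findings for the checks the thread walks through; an empty list means none fired."""
    findings: List[str] = []
    ifcs = parse_interfaces(cfg)
    # 1. Equal security levels block traffic between interfaces unless inter-interface is permitted.
    vpn_level = ifcs.get(vpn_ifc, {}).get("level")
    inter_ok = re.search(r"^same-security-traffic permit inter-interface$", cfg, re.M)
    for name, data in ifcs.items():
        if name != vpn_ifc and vpn_level is not None and data["level"] == vpn_level and not inter_ok:
            findings.append(f"{name}: security-level {vpn_level} equals {vpn_ifc}'s and "
                            "same-security-traffic permit inter-interface is not set")
    # 2. management-access restricts which interface IP answers clients coming over the VPN.
    m = re.search(r"^management-access (\S+)$", cfg, re.M)
    if m:
        findings.append(f"management-access {m.group(1)}: only that interface IP is reachable from the VPN")
    # 3. 'sysopt connection permit-vpn' is the default and only appears in the config when negated;
    #    with it off, the interface ACL must permit the pool explicitly.
    bypass_off = re.search(r"^no sysopt connection permit-vpn$", cfg, re.M)
    ag = re.search(rf"^access-group (\S+) in interface {vpn_ifc}$", cfg, re.M)
    if ag and bypass_off and not re.search(
            rf"^access-list {ag.group(1)} extended permit \S+ object {pool_obj} ", cfg, re.M):
        findings.append(f"ACL {ag.group(1)} on {vpn_ifc} never permits {pool_obj} and VPN ACL bypass is off")
    # 4. A split-tunnel ACL only matters if a group-policy references it.
    defined = set(re.findall(r"^access-list (\S+) standard ", cfg, re.M))
    referenced = set(re.findall(r"^\s*split-tunnel-network-list value (\S+)", cfg, re.M))
    for acl in sorted(defined - referenced):
        findings.append(f"standard ACL {acl} is defined but no group-policy uses it as a split-tunnel list")
    # 5. Auto NAT (dynamic PAT) on an internal interface needs an identity NAT exemption to the pool.
    for name in ifcs:
        if name == vpn_ifc:
            continue
        auto = re.search(rf"^\s*nat \({name},{vpn_ifc}\) dynamic ", cfg, re.M)
        exempt = re.search(rf"^nat \({name},{vpn_ifc}\) source static (\S+) \1 "
                           rf"destination static {pool_obj} {pool_obj}", cfg, re.M)
        if auto and not exempt:
            findings.append(f"{name}: Auto NAT toward {vpn_ifc} without an identity NAT exemption for {pool_obj}")
    return findings


SAMPLE_CFG = """\
interface GigabitEthernet0/0
 nameif OUTSIDE
 security-level 0
 ip address 198.51.100.2 255.255.255.248
!
interface GigabitEthernet0/1.200
 vlan 200
 nameif INSIDE
 security-level 100
 ip address 172.16.200.1 255.255.255.0
!
interface GigabitEthernet0/1.203
 vlan 203
 nameif UDMPRiser
 security-level 0
 ip address 172.16.203.2 255.255.255.248
!
same-security-traffic permit intra-interface
object network internal_lan
 subnet 172.16.200.0 255.255.255.0
object network OBJ-ANYCONNECT
 subnet 172.16.201.0 255.255.255.0
access-list outside_in extended deny ip any any log
access-list split-tunnel standard permit 172.16.200.0 255.255.255.0
nat (INSIDE,OUTSIDE) source static any any destination static OBJ-ANYCONNECT OBJ-ANYCONNECT no-proxy-arp route-lookup
object network internal_lan
 nat (INSIDE,OUTSIDE) dynamic interface
access-group outside_in in interface OUTSIDE
management-access INSIDE
group-policy GroupPolicy_VPN attributes
 vpn-tunnel-protocol ssl-client
"""

if __name__ == "__main__":
    for finding in lint_remote_access(SAMPLE_CFG, "OBJ-ANYCONNECT"):
        print("-", finding)
```

On the sample it reports the three points raised in the thread (UDMPRiser at the same security level as OUTSIDE, `management-access INSIDE`, and an unreferenced split-tunnel ACL) and stays silent on NAT, matching Rob's reading that no exemption is needed until an Auto NAT rule exists for that interface. The NAT check is a heuristic on rule shape, not a substitute for `packet-tracer`; it only tells you an exemption is missing, not that the one present is ordered correctly.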