ASA Tunnel Default Gateway Issue

Net77
Level 1

Hello experts, was hoping to get some advice on an issue I am having with VPN clients (AnyConnect) and a tunnel default gateway route.  So, I have VPN connectivity up and running - authentication, addressing, etc. are all working.  My setup is as follows.  I have a gateway router connected to the Internet doing all of my NAT for internal to external connectivity.  Off of that router, I have my ASA connected - outside/inside interface.  With a VPN client connected, when I attempt to connect to anything on the inside of my network, it works - two way communication, initiated from either side.  However, when I attempt to connect to something out on the Internet, it isn't working.  For example, ping from the VPN client to 8.8.8.8, doesn't work.  I have a default route configured pointing out the outside interface of the ASA.  And I also have a tunnel default route configured to point to the inside.  So I am trying to find my misconfiguration.  One thing that works - if I create a static route for 8.8.8.8/32 and point it to the inside, connectivity works (my ping example above) - so it's as if my tunnel default route just is not working.  My configuration is below.  Any ideas?


ASA Version 9.9(2)36
!
hostname VPN
domain-name test.net
enable password ******
names
ip local pool VPN 192.168.100.2-192.168.100.255 mask 255.255.255.0

!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address 192.168.150.10 255.255.255.252
!
interface GigabitEthernet1/2
bridge-group 1
nameif inside_1
security-level 100
!
interface GigabitEthernet1/3
shutdown
bridge-group 1
nameif inside_2
security-level 100
!
interface GigabitEthernet1/4
shutdown
bridge-group 1
nameif inside_3
security-level 100
!
interface GigabitEthernet1/5
shutdown
bridge-group 1
nameif inside_4
security-level 100
!
interface GigabitEthernet1/6
shutdown
bridge-group 1
nameif inside_5
security-level 100
!
interface GigabitEthernet1/7
shutdown
bridge-group 1
nameif inside_6
security-level 100
!
interface GigabitEthernet1/8
shutdown
bridge-group 1
nameif inside_7
security-level 100
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
interface BVI1
nameif inside
security-level 100
ip address 192.168.150.6 255.255.255.252
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
name-server 192.168.100.50 inside
domain-name test.net
same-security-traffic permit inter-interface
object network obj_any1
subnet 0.0.0.0 0.0.0.0
object network obj_any2
subnet 0.0.0.0 0.0.0.0
object network obj_any3
subnet 0.0.0.0 0.0.0.0
object network obj_any4
subnet 0.0.0.0 0.0.0.0
object network obj_any5
subnet 0.0.0.0 0.0.0.0
object network obj_any6
subnet 0.0.0.0 0.0.0.0
object network obj_any7
subnet 0.0.0.0 0.0.0.0
object network VPN_Network
subnet 192.168.100.0 255.255.255.0
access-list outside_access_in extended permit ip object VPN_Network any
pager lines 24
logging enable
logging trap informational
logging asdm informational
logging debug-trace
mtu outside 1500
mtu inside_1 1500
mtu inside_2 1500
mtu inside_3 1500
mtu inside_4 1500
mtu inside_5 1500
mtu inside_6 1500
mtu inside_7 1500
no failover
no monitor-interface inside
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (outside,any) source static VPN_Network VPN_Network
!
object network obj_any1
nat (inside_1,outside) dynamic interface
object network obj_any2
nat (inside_2,outside) dynamic interface
object network obj_any3
nat (inside_3,outside) dynamic interface
object network obj_any4
nat (inside_4,outside) dynamic interface
object network obj_any5
nat (inside_5,outside) dynamic interface
object network obj_any6
nat (inside_6,outside) dynamic interface
object network obj_any7
nat (inside_7,outside) dynamic interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.150.9 1
route inside 10.0.0.0 255.0.0.0 192.168.150.5 1
route inside 172.16.0.0 255.240.0.0 192.168.150.5 1
route inside 192.168.0.0 255.255.0.0 192.168.150.5 1
route inside 0.0.0.0 0.0.0.0 192.168.150.5 tunneled
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication login-history
http server enable
http 192.168.100.0 255.255.255.0 inside_1
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite

<CERT INFO CUT>

telnet timeout 5
ssh stricthostkeycheck
ssh 192.168.100.0 255.255.255.0 inside_1
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
vpn-addr-assign local reuse-delay 1

dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 192.168.150.5 source inside_1 prefer
ssl trust-point VPN_Identity_SHA256 outside
ssl trust-point VPN_Identity_SHA256 inside_1
ssl trust-point VPN_Identity_SHA256 inside_2
ssl trust-point VPN_Identity_SHA256 inside_3
ssl trust-point VPN_Identity_SHA256 inside_4
ssl trust-point VPN_Identity_SHA256 inside_5
ssl trust-point VPN_Identity_SHA256 inside_6
ssl trust-point VPN_Identity_SHA256 inside_7
ssl trust-point VPN_Identity_SHA256 inside
webvpn
port ***
enable outside
dtls port ***
anyconnect image disk0:/anyconnect-win-4.7.03052-webdeploy-k9.pkg 1
anyconnect image disk0:/anyconnect-linux64-4.7.03052-webdeploy-k9.pkg 2
anyconnect profiles VPN_Internal disk0:/vpn_internal.xml
anyconnect enable
tunnel-group-list enable
cache
disable
error-recovery disable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol l2tp-ipsec
group-policy VPN_Internal internal
group-policy VPN_Internal attributes
dns-server value 192.168.100.50
vpn-tunnel-protocol ssl-client
default-domain value test.net
address-pools value VPN
webvpn
anyconnect profiles value VPN_Internal type user
dynamic-access-policy-record DfltAccessPolicy
username admin password ***** privilege 15
username test password *****
username test attributes
vpn-group-policy VPN_Internal
service-type remote-access
tunnel-group VPN_Internal type remote-access
tunnel-group VPN_Internal general-attributes
authentication-server-group (inside) LOCAL
default-group-policy VPN_Internal
username-from-certificate CN
tunnel-group VPN_Internal webvpn-attributes
authentication aaa certificate
pre-fill-username client
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous

4 Replies

Francesco Molino
VIP Alumni
Hi

I'm sorry, but can you clarify how everything is connected together?
Your Internet router doing NAT is connected to your ASA outside interface? Then what is on your inside?

First, you have a nat (outside,any); avoid using any and specify your destination interface.

Can you run the following command and share the output please:

packet-tracer input outside icmp 192.168.100.2 8 0 8.8.8.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Francesco, thanks for the quick reply.


Packet tracer shows next hop of outside interface (going out) and denied by the ACL.  So it definitely is not hitting the tunnel default gateway route.


Connections are as follows:

Internet (cable modem) -> NAT router outside interface (has public IP)

NAT router (192.168.150.9/30) -> ASA Outside (192.168.150.10/30)

NAT router (192.168.150.5/30) -> ASA Inside (192.168.150.6/30)


On the NAT router, I NAT the connection from AnyConnect clients out on the Internet on the SSL TCP port I specified to the outside interface of the ASA (this is working, you can see a client connected below).  My inside network is on the Inside interface of the ASA through the NAT router.  I can ping anything inside, I am guessing because I have specific private RFC1918 routes pointed to the inside (and I see two way flow when I do captures on the inside interface of the ASA).  However, connecting to anything outside, it just hits the default route on the ASA and not the tunnel default gateway.  It's like it is just ignoring the tunnel default gateway.


VPN# packet-tracer input outside icmp 192.168.100.6 8 0 8.8.8.8

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.150.9 using egress ifc outside

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule


VPN# show route

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 192.168.150.9 to network 0.0.0.0

S* 0.0.0.0 0.0.0.0 [1/0] via 192.168.150.9, outside
S 10.0.0.0 255.0.0.0 [1/0] via 192.168.150.5, inside
S 172.16.0.0 255.240.0.0 [1/0] via 192.168.150.5, inside
S 192.168.0.0 255.255.0.0 [1/0] via 192.168.150.5, inside
V 192.168.100.6 255.255.255.255 connected by VPN (advertised), outside
C 192.168.150.4 255.255.255.252 is directly connected, inside
L 192.168.150.6 255.255.255.255 is directly connected, inside
C 192.168.150.8 255.255.255.252 is directly connected, outside
L 192.168.150.10 255.255.255.255 is directly connected, outside
S 0.0.0.0 0.0.0.0 [255/0] via 192.168.150.5, inside tunneled


VPN# sh vpn-sessiondb anyconnect

Session Type: AnyConnect

Username : test Index : 38
Assigned IP : 192.168.100.6 Public IP : <CUT>
Protocol : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License : AnyConnect Premium
Encryption : AnyConnect-Parent: (1)none SSL-Tunnel: (1)AES-GCM-256 DTLS-Tunnel: (1)AES256
Hashing : AnyConnect-Parent: (1)none SSL-Tunnel: (1)SHA384 DTLS-Tunnel: (1)SHA1
Bytes Tx : 20867 Bytes Rx : 24655
Group Policy : VPN_Internal Tunnel Group : DefaultWEBVPNGroup
Login Time : 21:28:54 CDT Tue Jun 25 2019
Duration : 0h:11m:40s
Inactivity : 0h:00m:00s
VLAN Mapping : N/A VLAN : none
Audt Sess ID : *******
Security Grp : none

 

Found the "issue".  Removed all BVI config and converted to routed interfaces.  Problem solved.  Not sure what it was about the bridge config, but I was stumped.  I don't need switched interfaces anyway since I am using the ASA for VPN only.  Francesco, thank you for replying.

Sorry, I didn't have a lot of time this week to come back and follow up/answer your post. But I'm glad you found your issue.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question