ASA VPN client unable to reach host via IPSEC tunnel

Calin Cristea
Level 1

Hello techs. I have the following scenario:

VPN Client >> ASA >> IPSEC TUNNEL >> Host. The VPN client is unable to reach the host at the remote location via the IPSEC tunnel (10.10.10.1).
Local users connected to the ASA are able to reach the remote host via the IPSEC tunnel (10.10.10.1).
Also, the VPN client is able to reach all hosts locally connected to the ASA. ASA Version 9.8.
Here is the scenario.


object-group network NO_NAT_LAN
network-object 1.1.0.0 255.255.0.0
network-object 2.2.0.0 255.255.0.0

object-group network NO_NAT_EXT
network-object 10.10.10.0 255.255.255.0

access-list ACL_VPN extended permit ip 1.1.0.0 255.255.0.0 10.10.10.0 255.255.255.0
access-list ACL_VPN extended permit ip 2.2.0.0 255.255.0.0 10.10.10.0 255.255.255.0


same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

nat (inside,outside) source static NO_NAT_LAN NO_NAT_LAN destination static NO_NAT_EXT NO_NAT_EXT


tunnel-group 3.3.3.3 type ipsec-l2l
tunnel-group 3.3.3.3 ipsec-attributes
ikev1 pre-shared-key ...


crypto map mymap 10 match address ACL_VPN
crypto map mymap 10 set pfs group5
crypto map mymap 10 set peer 3.3.3.3
crypto map mymap 10 set ikev1 transform-set ....


access-list OUT extended permit ip 10.10.10.0 255.255.255.0 1.1.0.0 255.255.0.0

19 Replies

Does VPN client mean Cisco AnyConnect? If yes, you need to define a NAT rule for the VPN client(s) to reach the IPSEC tunnel. You would also need to define the VPN client in your access-list, and again on the remote VPN router you need to add the ACL for the VPN client.

please do not forget to rate.

Hello Salim,

Many thanks for your answer.
I forgot to mention:

1.1.0.0 is the VPN subnet
2.2.0.0 is the local subnet (behind ASA)

NO_NAT_LAN contains both subnets. I have tried with the Cisco VPN client (old version).

Access list on the ASA that permits traffic from the remote location to both subnets:

access-list OUT extended permit ip 10.10.10.0 255.255.255.0 1.1.0.0 255.255.0.0
access-list OUT extended permit ip 10.10.10.0 255.255.255.0 2.2.0.0 255.255.0.0

Question: if I can reach the remote host - 10.10.10.1 - from the local subnet, can I "hide" my VPN subnet behind a local IP (NAT) in order to reach that IP?
Explained:

( Subnet 1.1.0.0 ) translated into 2.2.2.2 >> to reach remote 10.10.10.1
I don't know the syntax for that. Maybe source NAT is the concept.

What is the ASA code you are on?

please do not forget to rate.

ASA Version 9.8. Also, on the remote side of the IPSEC tunnel, both subnets (local and VPN) are permitted in the access list.

Could you please forward the configuration of your ASA and the remote side? Change/hide the public IP addresses.

please do not forget to rate.

Hello, the other side is not a Cisco ASA, it is Oracle Cloud. I have no experience with Oracle Cloud, and it seems the guy who is managing that equipment has the same experience. But I have looked on his side, and I see logs from my VPN IP to the remote host.

Settings on Oracle Cloud are the same for policy and routing (LAN subnet and remote subnet).


object-group network NO_NAT_LAN
network-object 1.1.0.0 255.255.0.0
network-object 2.2.0.0 255.255.0.0
!
object-group network NO_NAT_EXT
network-object 10.10.10.0 255.255.255.0
!
access-list ACL_VPN extended permit ip 1.1.0.0 255.255.0.0 10.10.10.0 255.255.255.0
access-list ACL_VPN extended permit ip 2.2.0.0 255.255.0.0 10.10.10.0 255.255.255.0
!
nat (inside,outside) source static NO_NAT_LAN NO_NAT_EXT destin static NO_NAT_LAN NO_NAT_EXT no-proxy-arp route-lookup
!
crypto map OUTSIDE 10 match address ACL_VPN
!

Can you share your ASA configuration please?

please do not forget to rate.

Hello, unfortunately I cannot post the whole config; it contains a lot of VPN tunnels already configured, and other information.

I have altered the real IPs, so it would take me days to recreate the config, but I have done some more debugging.

2.2.2.20 - LAN IP behind the ASA - working
1.1.1.10 - VPN client IP connected to the ASA - not working
10.10.10.1 - remote host through the IPSEC VPN tunnel

ASA# packet-tracer input outside icmp 2.2.2.20 8 0 10.10.10.1

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (outside,outside) source static NO_NAT_LAN NO_NAT_LAN destination static NO_NAT_EXT NO_NAT_EXT
Additional Information:
NAT divert to egress interface outside
Untranslate 10.10.10.1/0 to 10.10.10.1/0

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule


ASA# packet-tracer input outside icmp 1.1.1.10 8 0 10.10.10.1

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static any any destination static NO_NAT1_lan NO_NAT1_lan
Additional Information:
NAT divert to egress interface inside
Untranslate 10.10.10.1/0 to 10.10.10.1/0

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

! older group:
object-group network NO_NAT1_lan
network-object 1.1.0.0 255.255.0.0
network-object 2.2.0.0 255.255.0.0
other network objects...

If I do a packet capture from the working subnet, I see echo request and reply. From the VPN subnet, only echo request.
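When comparing packet-tracer runs like the two above, the facts that matter for a NAT-exemption review are which NAT rule matched, which interface the flow was diverted to, and the final verdict. The following Python is an added example, not from this thread or from Cisco: it parses the VPN-client trace posted above (embedded, trimmed to the lines the parser needs) and flags the two conditions that commonly break VPN-client-to-site-to-site traffic on an ASA, a divert away from the interface holding the crypto map and an over-broad `source static any any` rule matched ahead of the exemption. That the crypto map sits on `outside` is an assumption taken from the trace.

```python
import re

# Packet-tracer output for the failing VPN-client flow, copied from the
# thread above and trimmed to the lines the parser needs.
TRACE_VPN = """\
ASA# packet-tracer input outside icmp 1.1.1.10 8 0 10.10.10.1

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static any any destination static NO_NAT1_lan NO_NAT1_lan
Additional Information:
NAT divert to egress interface inside

Result:
input-interface: outside
output-interface: inside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


def parse_trace(text):
    """Pull the NAT rule matched, the divert interface and the verdict out of one run."""
    facts = {"nat_rule": None, "divert_to": None}
    for phase in re.split(r"\n(?=Phase: )", text):
        if "Type: UN-NAT" in phase or "Type: NAT" in phase:
            rule = re.search(r"^nat \(.*$", phase, re.M)
            facts["nat_rule"] = rule.group(0) if rule else None
            divert = re.search(r"divert to egress interface (\S+)", phase)
            facts["divert_to"] = divert.group(1) if divert else None
    for key in ("input-interface", "output-interface", "Action", "Drop-reason"):
        m = re.search(rf"^{key}: (.*)$", text, re.M)
        facts[key] = m.group(1).strip() if m else None
    return facts


def hairpin_findings(facts, crypto_iface="outside"):
    """Flag what breaks VPN-client-to-L2L traffic on an ASA: the flow being
    diverted off the interface that holds the crypto map (assumed 'outside'),
    or an over-broad 'source static any any' rule matched ahead of the exemption."""
    findings = []
    if facts["divert_to"] and facts["divert_to"] != crypto_iface:
        findings.append(f"diverted to {facts['divert_to']}, not {crypto_iface}")
    if facts["nat_rule"] and "source static any any" in facts["nat_rule"]:
        findings.append("matched over-broad 'source static any any' rule")
    return findings
```

Feed it the LAN-host trace as well and the findings list comes back empty, because that flow was diverted to `outside` by the exemption rule itself.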

Can you try this:


object network OJB-1.1
HOST 1.1.1.10
!
nat (outside,inside) source dynamic OJB-1.1 2.2.0.1 destin static NO_NAT_EXT NO_NAT_EXT

please do not forget to rate.

Hi Salim,

Thank you for your effort.
I am not sure if your NAT line is correct. I think you meant:
nat (outside,inside) source dynamic OJB-1.1 OJB-1 destin static NO_NAT_EXT NO_NAT_EXT
I cannot add an IP (2.2.0.1), only an object.
But I did try that, and no luck. I'm guessing that I might have a problem with the ASA's famous U-turn or hairpinning.
I think that traffic is coming in on the ASA's outside interface (VPN client), then it tries to reach remote host 10.10.10.1 via the IPSEC tunnel through the same outside interface.
I also tried this:

access-list TCP-STATE-BYPASS permit ip 1.1.0.0 255.255.255.0 host 10.10.10.1

class-map TCP-STATE-BYPASS
match access-list TCP-STATE-BYPASS

policy-map inside_policy
class TCP-STATE-BYPASS
set connection advanced-options tcp-state-bypass
service-policy inside_policy interface inside


https://community.cisco.com/t5/security-documents/u-turning-hairpinning-on-asa/ta-p/3111388
No luck.


Sorry, it's my fault, I did not explain.

Correct me if I am getting it right. You have an AnyConnect client in the range 1.1.1.x connected to the ASA, and from the ASA you have a site-to-site VPN tunnel to the remote end, whose IP range is 10.10.10.x. I also noted you have a subnet connected/behind the ASA, 2.2.2.x.

If the above network is right, the problem is that your AnyConnect (VPN client) could not reach the remote tunnel. This could be caused by the NAT rules.

If your AnyConnect traffic is landing on the ASA it can access the local network (2.2.2.x), as you have defined a NAT rule. Now 2.2.2.x needs to access the site-to-site VPN at the remote end. For this you need to define a NAT rule for the VPN client (AnyConnect) to communicate with the remote tunnel network.

I propose you use one IP from 2.2.2.x which is not used anywhere, so you can fine-tune the AnyConnect pool to translate into 2.2.2.30, so this 2.2.2.30 can communicate with the remote site tunnel.

So the command should be like this:

nat (outside,inside) source dynamic ANYCONNECT-POOL OBJ-2.2.2.30 destin static REMOTE-VPN-SUBNET REMOTE-VPN-SUBNET

please do not forget to rate.

Looking at your NAT configuration and packet tracer, it shows the ASA is doing the NAT exemption. But you need to speak to your remote side to make sure the remote end allows your VPN clients to communicate with their local network range.

please do not forget to rate.

Thank you Salim for your help. I've forwarded the problem to the remote location to check their settings...

Calin Cristea
Level 1

Unfortunately, from the other side, they told me everything is set up OK.