cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
571
Views
0
Helpful
4
Replies

ASA VPN no internal routing

I have a problem and a question regarding the VPN/Anyconnect for ASA 5505. I have excluded most of the configuration I figured wasn't related to this issue.

What works: VPN connection can be established and I can get an IP address from the DHCP scope. I can ping the gateways for my 2 internal networks from a switch after the ASA with the respective Vlans as source. 

Problem: I can't ping around the network behind the ASA. From the client I can't ping the gateway of the VPN network and I can't ping the server network. From the switch I can't ping 8.8.8.8 and I can't ping between the 2 Vlans. The log when trying to ping: 

6 Jan 07 2008 01:05:27 110002 10.5.250.105 1 Failed to locate egress interface for ICMP from Outside:10.5.250.105/1 to 192.168.100.1/0

My questions: I'm not quite sure how the ASA acts in regards to the ACL. Do I need my second line in my Server and Inside ACL to allow access from the one network to another? Would it be smarter to create the server network on another DHCP device (router) and simply route it into the ASA? And of course, can anyone help getting the configuration to work?

Green is Outside. Red is Server/device area. Blue is VPN connection.

ASA Version 9.1(6)10
!
interface Ethernet0/3
switchport trunk allowed vlan 192,250
switchport mode trunk
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
!
interface Vlan1
nameif Outside
security-level 0
ip address 1x.2x.1.2x 255.255.255.248
!
object network Outside_IP
host 1x.2x.1.2x
!
object network obj_any
subnet 0.0.0.0 0.0.0.0
!
interface Vlan192
nameif Server
security-level 100
ip address 192.168.100.1 255.255.255.0
!
access-list Server_access_in extended permit ip 192.168.100.0 255.255.255.0 any
access-list Server_access_in extended permit ip 10.5.250.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list Server_access_in extended permit icmp any any
access-list Server_access_in extended deny ip any any
!
object network Server
subnet 192.168.100.0 255.255.255.0
object network Server
nat (Server,Outside) dynamic interface
!
interface Vlan250
nameif ElevInside
security-level 100
ip address 10.5.250.1 255.255.255.0
!
access-list ElevInside_access_in extended permit ip 10.5.250.0 255.255.255.0 any
access-list ElevInside_access_in extended permit ip 192.168.100.0 255.255.255.0 10.5.250.0 255.255.255.0
access-list ElevInside_access_in extended permit icmp any any
access-list ElevInside_access_in extended deny ip any any
!
object network ElevInside
subnet 10.5.250.0 255.255.255.0
object network ElevInside
nat (ElevInside,Outside) dynamic interface
!
object-group network ElevObject
network-object 10.5.250.0 255.255.255.0
!
access-list ElevSplit remark Elev250
access-list ElevSplit standard permit 10.5.250.0 255.255.255.0
access-list ElevSplit remark Server192
access-list ElevSplit standard permit 192.168.100.0 255.255.255.0
!
nat (ElevInside,Server) source static ElevInside ElevInside destination static Server Server no-proxy-arp
nat (Server,ElevInside) source static Server Server destination static ElevInside ElevInside no-proxy-arp
!
access-group ElevInside_access_in in interface ElevInside
access-group Server_access_in in interface Server
!
route Outside 0.0.0.0 0.0.0.0 1x.2x.1.2x 1
!
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp

4 Replies 4

Rahul Govindan
VIP Alumni
VIP Alumni

I am a little confused regarding the topology. Do the VPN users come in to the ASA on the outside or ElevInside interface? Ideally when VPN users come in from the outside, the routing table should route you to any of your internal interfaces,unless you are using nat rules to route. In your case, you do not need to add any ACL's from outside to inside for VPN traffic (this is bypassed by default with the "sysopt connection permit-vpn" command")

In order to exempt traffic from outside to inside, you can duplicate the nat rules you created before:

nat (Outside,Server) source static VPN VPN destination static Server Server no-proxy-arp route-lookup

Assuming VPN is the object for the  VPN pool subnet.

Maybe I have gotten the topology all wrong, apologies if so :)

VPN users connect on the public IP 1x.2x.1.2x. They get a DHCP address in the ElevInside network. Yes, the ASA should know all the networks and there is, as far as I understand, built in functionality to allow traffic from a more secured (ElevInside) to a less secured (Server) by default. I know the configuration on here says security-level 100 on Server, but I have tried with a lower setting. 

Even though you get a DHCP ip address from the inside subnet range, VPN traffic in coming in from the Public interface, so all policies should be between Public and server interface. Create a NAT rule as below:

nat (Server,Outside) source static Server Server destination static ElevInside ElevInside no-proxy-arp route-lookup

This is a NAT exemption rule to allow traffic to go between Server and Outside interface without any transalation.

Okey, I get that and I see the logic.

I applied the rule, but it didn't change anything. I've attached a small topology for the setup. When I do: ping 192.168.100.1 source vlan 250 from the switch (.10) I get this error. This is the ASA trying to answer the ping, but it's trying to send the respond out the Server interface, instead of ElevInside. 

6 Jan 12 2008 21:14:40 110003 192.168.100.1 0 10.5.250.10 0 Routing failed to locate next hop for icmp from Server:192.168.100.1/0 to Server:10.5.250.10/0

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: