11-02-2016 12:10 AM
Greetings,
We use AnyConnect with split tunneling to access the company network and our partner's network. We have a client who introduced IP filtering on their Internet-facing infrastructure. To let our roaming users still connect to the client, we would like to add the client's address to the split tunnel configuration and, on the ASA, send that traffic out directly to the Internet. With this solution we could guarantee that our roaming users are presented with the same IP (the ASA outside IP) on the client's infrastructure. To achieve that, I have added the client's IP to the split tunnel configuration, enabled same interface in and out, and configured ACL and NAT.
For the VPN clients we have a pool, 192.168.128.0 255.255.255.0.
When I am running packet-tracer from this pool, the flow and result differ based on the IP assignment. The difference starts in Phase 6.
If the IP is not assigned yet, then I get:
*********************************************************************************
Result of the command: "packet-tracer input outside tcp 192.168.128.99 1 193.246.XXX.XX 443 detailed"
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (any,outside) source static Remote_Access_VPN_Pool Remote_Access_VPN_Pool destination static SwissReVW SwissReVW no-proxy-arp
Additional Information:
NAT divert to egress interface outside
Untranslate 193.246.XXX.XX/443 to 193.246.XXX.XX/443
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit ip object sidenis_zur_vpn_net any
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaac4f762a0, priority=13, domain=permit, deny=false
hits=7, user_data=0x2aaab880a1c0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=192.168.128.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (any,outside) source static Remote_Access_VPN_Pool Remote_Access_VPN_Pool destination static SwissReVW SwissReVW no-proxy-arp
Additional Information:
Static translate 192.168.128.99/1 to 192.168.128.99/1
Forward Flow based lookup yields rule:
in id=0x2aaac5b2f4a0, priority=6, domain=nat, deny=false
hits=5, user_data=0x2aaac3d1bf50, cs_id=0x0, flags=0x0, protocol=0
src ip/id=192.168.128.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=193.246.238.30, mask=255.255.255.255, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=outside
Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaab447a230, priority=1, domain=nat-per-session, deny=true
hits=1755182, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaabfe7c9a0, priority=0, domain=inspect-ip-options, deny=true
hits=1222745, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaac3885790, priority=13, domain=ipsec-tunnel-flow, deny=true
hits=158399, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 7
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (any,outside) source static Remote_Access_VPN_Pool Remote_Access_VPN_Pool destination static SwissReVW SwissReVW no-proxy-arp
Additional Information:
Forward Flow based lookup yields rule:
out id=0x2aaac510f4c0, priority=6, domain=nat-reverse, deny=false
hits=3, user_data=0x2aaac419c010, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=192.168.128.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=193.246.238.30, mask=255.255.255.255, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=outside
Phase: 8
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x2aaab447a230, priority=1, domain=nat-per-session, deny=true
hits=1755184, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x2aaabfe7c9a0, priority=0, domain=inspect-ip-options, deny=true
hits=1222747, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1902829, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Result:
output-interface: outside
output-status: up
output-line-status: up
Action: allow
******************************************************************
In case the IP is assigned, I get:
*******************************************************************
Result of the command: "packet-tracer input outside tcp 192.168.128.2 1 193.246.XXX.XX 443 detailed"
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (any,outside) source static Remote_Access_VPN_Pool Remote_Access_VPN_Pool destination static SwissReVW SwissReVW no-proxy-arp
Additional Information:
NAT divert to egress interface outside
Untranslate 193.246.XXX.XX/443 to 193.246.XXX.XX/443
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit ip object sidenis_zur_vpn_net any
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaac4f762a0, priority=13, domain=permit, deny=false
hits=8, user_data=0x2aaab880a1c0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=192.168.128.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (any,outside) source static Remote_Access_VPN_Pool Remote_Access_VPN_Pool destination static SwissReVW SwissReVW no-proxy-arp
Additional Information:
Static translate 192.168.128.2/1 to 192.168.128.2/1
Forward Flow based lookup yields rule:
in id=0x2aaac5b2f4a0, priority=6, domain=nat, deny=false
hits=6, user_data=0x2aaac3d1bf50, cs_id=0x0, flags=0x0, protocol=0
src ip/id=192.168.128.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=193.246.238.30, mask=255.255.255.255, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=outside
Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaab447a230, priority=1, domain=nat-per-session, deny=true
hits=1758089, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaabfe7c9a0, priority=0, domain=inspect-ip-options, deny=true
hits=1225097, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 6
Type: CP-PUNT
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaac7f13f40, priority=79, domain=punt, deny=true
hits=544, user_data=0x2aaabc050150, cs_id=0x0, flags=0x0, protocol=0
src ip/id=192.168.128.2, mask=255.255.255.255, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 7
Type: WEBVPN-SVC
Subtype: in
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaac4eaaa70, priority=71, domain=svc-ib-tunnel-flow, deny=false
hits=544, user_data=0x1af000, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=192.168.128.2, mask=255.255.255.255, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any
Result:
output-interface: outside
output-status: up
output-line-status: up
Action: drop
***********************************************************************
Any clue is appreciated.
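An added diagnostic helper, not from this thread or from Cisco: it parses ASA packet-tracer output into phases, reports the phase that dropped the packet, and shows where two traces first diverge (Phase 6 here, where an idle pool address hits the ipsec-tunnel-flow check while an address with a live AnyConnect session is punted and then dropped by WEBVPN-SVC). The two embedded traces are constructed, shortened excerpts in the same format as the output above.

```python
import re

# Constructed, shortened packet-tracer excerpts (not the thread's full output).
# TRACE_IDLE: pool address with no session; TRACE_ACTIVE: address with a live session.
TRACE_IDLE = """Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
 in id=0x0, priority=13, domain=ipsec-tunnel-flow, deny=true
Result:
Action: allow
"""
TRACE_ACTIVE = """Phase: 6
Type: CP-PUNT
Subtype:
Result: ALLOW
 in id=0x0, priority=79, domain=punt, deny=true
Phase: 7
Type: WEBVPN-SVC
Subtype: in
Result: DROP
 in id=0x0, priority=71, domain=svc-ib-tunnel-flow, deny=false
Result:
Action: drop
"""
PHASE_RE = re.compile(r"^Phase:\s*(\d+)$")
FIELD_RE = re.compile(r"^(Type|Subtype|Result):\s*(\S.*)?$")
RULE_RE = re.compile(r"domain=([\w-]+), deny=(true|false)")

def parse_trace(text):
    """Return (phases, action); each phase is a dict of the fields seen."""
    phases, action = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Action:"):
            action = line.split(":", 1)[1].strip()
        elif m := PHASE_RE.match(line):
            phases.append({"number": int(m.group(1))})
        elif phases and (m := FIELD_RE.match(line)):
            if m.group(2) is not None:  # skip the bare summary "Result:" line
                phases[-1][m.group(1).lower()] = m.group(2).strip()
        elif phases and (m := RULE_RE.search(line)):
            phases[-1]["domain"], phases[-1]["deny"] = m.group(1), m.group(2)
    return phases, action

def first_drop(phases):
    """Phase that dropped the packet, or None if every phase allowed it."""
    return next((p for p in phases if p.get("result") == "DROP"), None)

def first_divergence(a, b):
    """Number of the first phase whose Type/Subtype differ between two traces."""
    key = lambda p: (p.get("type"), p.get("subtype", ""))
    return next((pa["number"] for pa, pb in zip(a, b) if key(pa) != key(pb)), None)
```

Feed it the full detailed output of both traces to get the divergence phase and the dropping rule's domain without reading every rule line by hand.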
11-02-2016 12:54 AM
Can you share your config?
11-02-2016 02:03 AM
11-09-2016 10:16 PM
Any idea?