Cant access LAN devices when on anyconnect VPN

peat
Level 1

Hi,

I am very new to firewalls and have been trying to figure out how to get AnyConnect VPN working on my ASA5506 for weeks.

My network setup is (from outside to in): Cisco 887 - ASA5506 - HP1920 switch - Cisco371 WAPs with Private and Public WiFi.

AnyConnect will connect (albeit flaky, as it keeps disconnecting the first 5 or 6 times) but I can't get web access to the switch or WAPs and I can't SSH to the Router or ASA. (This all works when physically connected to the Private LAN.)

I thought I had figured out the problem as being the nonat command, but from what I can tell that is in my config.

Can anyone advise what I have done wrong or missed out? Thanks

 

ASA Config

 


Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)


ASA Version 9.7(1)4


hostname
domain-name
enable password
names
ip local pool vpnpool 192.168.15.116-192.168.15.125 mask 255.255.255.0


interface GigabitEthernet1/1
nameif WAN
security-level 0
ip address 192.168.9.249 255.255.255.248


interface GigabitEthernet1/2
no nameif
security-level 100
no ip address


interface GigabitEthernet1/3
nameif Private
security-level 100
ip address 192.168.10.253 255.255.255.0


interface GigabitEthernet1/4
nameif Public
security-level 50
ip address 192.168.20.253 255.255.255.0


interface GigabitEthernet1/5
no nameif
security-level 100
no ip address


interface GigabitEthernet1/6
no nameif
security-level 100
no ip address


interface GigabitEthernet1/7
no nameif
security-level 100
no ip address


interface GigabitEthernet1/8
no nameif
security-level 100
no ip address


interface Management1/1
management-only
no nameif
no security-level
no ip address


interface BVI1
no nameif
no security-level
no ip address


ftp mode passive
dns server-group DefaultDNS
domain-name
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network NETWORK_OBJ_192.168.15.112_28
subnet 192.168.15.112 255.255.255.240
object network PrivateLAN
subnet 192.168.10.0 255.255.255.0
object network Public
subnet 192.168.20.0 255.255.255.0
object network vpnpool
subnet 192.168.15.0 255.255.255.0
access-list split-tunnel standard permit host 192.168.10.0 255.255.255.0
access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
access-list OUTSIDE extended permit icmp any4 any4 echo-reply
access-list OUTSIDE extended permit icmp any4 any4 time-exceeded
access-list OUTSIDE extended permit icmp any4 any4 timestamp-reply
access-list OUTSIDE extended permit icmp any4 any4 unreachable
pager lines 24
logging enable
logging asdm informational
mtu WAN 1500
mtu Private 1500
mtu Public 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (Private,WAN) source static any any destination static NETWORK_OBJ_192.168.15.112_28 NETWORK_OBJ_192.168.15.112_28 no-proxy-arp route-lookup
nat (Private,WAN) source static PrivateLAN PrivateLAN destination static vpnpool vpnpool


nat (Private,WAN) after-auto source dynamic any interface
nat (Public,WAN) after-auto source dynamic any interface
access-group OUTSIDE in interface WAN
route WAN 0.0.0.0 0.0.0.0 192.168.9.254 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.10.0 255.255.255.0 Private
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map WAN_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map WAN_map interface WAN
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=WLASA
crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint0
certificate d8ef9e59
xxxxxxxxx
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable WAN client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
telnet timeout 5
ssh stricthostkeycheck
ssh 192.168.10.0 255.255.255.0 Private
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0


dhcpd auto_config WAN


dhcpd address 192.168.10.5-192.168.10.115 Private
dhcpd dns 8.8.8.8 8.8.4.4 interface Private
dhcpd lease 86400 interface Private
dhcpd enable Private


dhcpd address 192.168.20.5-192.168.20.115 Public
dhcpd dns 8.8.8.8 8.8.4.4 interface Public
dhcpd lease 86400 interface Public
dhcpd enable Public


threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 WAN
ssl trust-point ASDM_TrustPoint0 Private
ssl trust-point ASDM_TrustPoint0 Public
webvpn
enable WAN
anyconnect image disk0:/anyconnect-win-4.5.01044-webdeploy-k9.pkg 1
anyconnect profiles ACwestlands_client_profile disk0:/ACwestlands_client_profile.xml
anyconnect enable
tunnel-group-list enable
cache
disable
error-recovery disable
group-policy GroupPolicy_ACwestlands internal
group-policy GroupPolicy_ACwestlands attributes
wins-server none
dns-server value 8.8.8.8 8.8.4.4
vpn-tunnel-protocol ikev2 ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split-tunnel
default-domain value
webvpn
anyconnect profiles value ACwestlands_client_profile type user
dynamic-access-policy-record DfltAccessPolicy
username password
tunnel-group ACwestlands type remote-access
tunnel-group ACwestlands general-attributes
address-pool vpnpool
default-group-policy GroupPolicy_ACwestlands
tunnel-group ACwestlands webvpn-attributes
group-alias ACwestlands enable


class-map inspection_default
match default-inspection-traffic


policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options


service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
end
no asdm history enable


9 Replies

Marvin Rhoads
Hall of Fame

Is the internal network setup to route all of its traffic through the ASA as a gateway?

 

Is everything internal on the 192.168.10.0/24 subnet?

I've set the internal PrivateLAN gateway as the inside interface on the firewall. This is where the switch connects to.

 

The privatelan is 192.168.10.0/24 subnet and the devices I want to manage whilst connected to the VPN are:

ASA = 192.168.10.253 (via ASDM)

switch = 192.168.10.250 (via webpage)

WAP cluster = 192.168.10.245 (via webpage)

Router = 192.168.9.254 (via SSH using putty)

 

Interestingly, I have just made a tiny breakthrough!

I noticed on my OUTSIDE ACL that everything bar the ping stuff was being denied.

So I added in:

access-list OUTSIDE extended permit ip any4 object PrivateLAN

I was then able to get ASDM to connect and work whilst connected on the VPN.

I still can't access the management webpages or SSH though, and I am worried that the command I have just added could be a security issue?

You definitely do NOT want to open up your ACL like that. That defeats the whole purpose of having a VPN.

Your ASA is set (using the "http" and "ssh" commands) to only allow management from hosts in the 192.168.109.0/24 network. That does not include your VPN client addresses.

I know you said inside hosts use the ASA as gateway - probably with DHCP. Did you set the switch and autonomous APs to also use the ASA as gateway?

 

Yes, that sorted the web access to the switch and WAPs. I had previously set up the network before introducing the firewall and hadn't changed the gateway to be the firewall's inside interface!

Thanks very much. :)

 

Getting there now!

 

The only things left are the SSH connection to the router and restricting that permit command I have put on the OUTSIDE ACL so it's not as insecure. I am guessing I restrict it down to port 443 and my public IP as the source?

 

 

For the ssh (and ASDM properly done) issue, please add the command "management-access Private". You may need to also add "route-lookup" to your NAT exemption for the vpnpool. With those in place you should be able to remove the ACL entry.

 

There is a good article explaining the use of the above commands here:

https://www.petenetlive.com/KB/Article/0000984

Thanks.
I've put those commands in and completely removed the OUTSIDE ACL.
ASDM and web management still work,
but unfortunately SSH still doesn't. I will have a read of that link and see if it sheds any light.

Did you add "ssh 192.168.15.0 255.255.255.0 Private" to allow the VPN pool access?

Yes, just ran through that link and added that.

 

I can now SSH to the firewall inside interface 192.168.10.253, so SSH is at least working on the VPN,

but I can't SSH to the router inside interface of 192.168.9.254.

The router will be tricky since you are not using tunnelall.

 

Your VPN traffic would have to "hairpin" on the ASA to get back out. It would be simpler to just use an inside host as a "jump box" to launch SSH to the router. Otherwise you would have to add the outside subnet to your tunnelspecified list. BUT doing that would break the VPN access unless you are using an upstream NAT for that subnet.
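The checks the replies above walk through (whether the ssh/http lines admit a pool address, whether management-access is set, whether the pool's NAT exemption carries route-lookup, and whether a target such as the router at 192.168.9.254 is inside the split-tunnel list at all) can be run statically over the pasted config. The Python below is an added example written for this page, not code from the thread or from Cisco. It parses a constructed excerpt of the posted config, applies the changes the replies converged on (route-lookup on the vpnpool exemption, management-access Private, an ssh line for 192.168.15.0/24), and reports both states. The pool client address 192.168.15.120 is an assumption (any address from the vpnpool range would do), and reading the posted "permit host A M" split-tunnel entry as the network A/M is a tolerance for that line's odd form.

```python
"""Static checks over a pasted ASA config for the four things this thread turned on."""
import ipaddress
import re

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
# Constructed excerpt of the running-config posted in the question (indentation
# stripped, as in the forum paste); only the lines the diagnosis uses.
NAT_EXEMPT_POOL = ("nat (Private,WAN) source static PrivateLAN PrivateLAN "
                   "destination static vpnpool vpnpool")
ASA_CONFIG = f"""\
object network NETWORK_OBJ_192.168.15.112_28
subnet 192.168.15.112 255.255.255.240
object network PrivateLAN
subnet 192.168.10.0 255.255.255.0
object network vpnpool
subnet 192.168.15.0 255.255.255.0
access-list split-tunnel standard permit host 192.168.10.0 255.255.255.0
nat (Private,WAN) source static any any destination static NETWORK_OBJ_192.168.15.112_28 NETWORK_OBJ_192.168.15.112_28 no-proxy-arp route-lookup
{NAT_EXEMPT_POOL}
http 192.168.10.0 255.255.255.0 Private
ssh 192.168.10.0 255.255.255.0 Private
ssh timeout 5
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split-tunnel
"""
# The same config with the three changes the replies converged on.
FIXED_CONFIG = ASA_CONFIG.replace(NAT_EXEMPT_POOL, NAT_EXEMPT_POOL + " route-lookup") + (
    "management-access Private\nssh 192.168.15.0 255.255.255.0 Private\n")

def object_networks(config):
    """Map each 'object network NAME' to the subnet defined beneath it (subnet form only)."""
    objs, name = {}, None
    for line in config.splitlines():
        if (m := re.match(r"^object network (\S+)$", line)):
            name = m.group(1)
        elif name and (m := re.match(rf"^subnet {IPV4} {IPV4}$", line)):
            objs[name] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
    return objs

def mgmt_permits(config, proto, client_ip):
    """Interface on which an 'ssh A M IFACE' / 'http A M IFACE' line admits client_ip, else None."""
    ip = ipaddress.ip_address(client_ip)
    for line in config.splitlines():
        m = re.match(rf"^{proto} {IPV4} {IPV4} (\S+)$", line)   # 'ssh timeout 5' does not fit
        if m and ip in ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False):
            return m.group(3)
    return None

def management_access_interface(config):
    """Interface named by 'management-access', or None when the command is absent."""
    m = re.search(r"^management-access (\S+)$", config, re.M)
    return m.group(1) if m else None

def nat_exemptions_for(config, client_ip):
    """Identity (twice) NAT lines whose destination object covers client_ip,
    as (destination_object, has_route_lookup) pairs, in config order."""
    ip, objs, found = ipaddress.ip_address(client_ip), object_networks(config), []
    pat = re.compile(r"^nat \((\S+),(\S+)\) source static (\S+) \3 destination static (\S+) \4(.*)$")
    for line in config.splitlines():
        m = pat.match(line)
        if m and m.group(4) in objs and ip in objs[m.group(4)]:
            found.append((m.group(4), "route-lookup" in m.group(5).split()))
    return found

def split_tunnel_covers(config, target_ip):
    """Would this group policy send traffic for target_ip into the tunnel at all?"""
    ip = ipaddress.ip_address(target_ip)
    m = re.search(r"^split-tunnel-policy (\S+)$", config, re.M)
    policy = m.group(1) if m else "tunnelall"       # ASA default when unset
    if policy == "tunnelall":
        return True
    acl = re.search(r"^split-tunnel-network-list value (\S+)$", config, re.M)
    listed = False
    for line in config.splitlines() if acl else []:
        e = re.match(rf"^access-list {re.escape(acl.group(1))} standard permit (.+)$", line)
        if not e:
            continue
        toks = e.group(1).split()
        if toks[0] == "host":    # the posted ACL writes 'host A M'; read A M as the network A/M
            toks = toks[1:]
        if toks[0] in ("any", "any4") or ip in ipaddress.ip_network(
                f"{toks[0]}/{toks[1] if len(toks) > 1 else '32'}", strict=False):
            listed = True
    return listed if policy == "tunnelspecified" else not listed

def audit(config, client_ip, targets):
    """All four checks for a VPN client at client_ip reaching each target."""
    return {
        "ssh_permitted_on": mgmt_permits(config, "ssh", client_ip),
        "http_permitted_on": mgmt_permits(config, "http", client_ip),
        "management_access": management_access_interface(config),
        "nat_exemptions": nat_exemptions_for(config, client_ip),
        "tunneled": {t: split_tunnel_covers(config, t) for t in targets},
    }

if __name__ == "__main__":                        # assumed pool address 192.168.15.120
    for label, cfg in (("as posted", ASA_CONFIG), ("with fixes", FIXED_CONFIG)):
        print(label, audit(cfg, "192.168.15.120", ["192.168.10.253", "192.168.9.254"]))
```

Run as a script it prints both audits: as posted, neither the ssh nor the http line admits the pool address, management-access is absent, the vpnpool exemption lacks route-lookup, and 192.168.9.254 is not tunneled; with the fixes, ssh and management-access resolve to Private and both exemptions carry route-lookup, while the router stays outside the tunnel, which is the point of the last reply. This is a static read of text, so confirm on the box with show running-config ssh and show running-config http before trusting it; note it also flags the http line, which as posted lists only 192.168.10.0/24 even though the poster reported ASDM working.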