10-31-2016 05:44 PM - edited 02-21-2020 09:02 PM
Hi everyone!
I have an issue with the connection from OUTSIDE (in my case EXTERNA) to the INSIDE (INTERNA) network. I'm using the AnyConnect client on Windows 7 (AnyConnect client version 3.1). I can connect with the VPN client, but when I want to get to resources on the inside I cannot reach them. I think I need some NAT config, because I can't ping or reach my inside network; do you guys know what it could be? Configured from ASDM. I reconfigured the ASA twice, resetting the device to defaults, but without success. I have just two interfaces:
VPN pool is 10.209.100.0/24
INTERNA 192.168.252.0/24
EXTERNA 172.30.1.0/24
ASA Version 9.1(3)
!
hostname FW1
enable password 8Ry2YjIyt7RRXU24 encrypted
names
ip local pool 10-209-100-0 10.209.100.1-10.209.100.254 mask 255.255.255.0
!
interface GigabitEthernet0/0
speed 100
nameif EXTERNA
security-level 0
ip address 172.30.1.118 255.255.255.0
!
interface GigabitEthernet0/1
nameif INTERNA
security-level 100
ip address 192.168.252.197 255.255.255.0
!
interface Management0/0
management-only
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
object network NETWORK_OBJ_10.209.100.0_24
subnet 10.209.100.0 255.255.255.0
object network RED-REMOTA
subnet 192.168.102.0 255.255.255.0
object network RED-LOCAL
subnet 192.168.101.0 255.255.255.0
object network obj-AnyconnectPool
subnet 10.209.100.0 255.255.255.0
object network obj-inside
subnet 192.168.252.0 255.255.255.0
access-list ACCESO-REMOTO-A-LA-LAN remark ACCESO A LA LAN
access-list ACCESO-REMOTO-A-LA-LAN standard permit host 0.0.0.0
pager lines 24
logging asdm informational
mtu EXTERNA 1500
mtu INTERNA 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (INTERNA,EXTERNA) source static any any destination static NETWORK_OBJ_10.209.100.0_24 NETWORK_OBJ_10.209.100.0_24 no-proxy-arp route-lookup
nat (any,any) source static any any
nat (INTERNA,EXTERNA) source static RED-LOCAL RED-LOCAL destination static RED-REMOTA RED-REMOTA
!
object network obj-AnyconnectPool
nat (any,EXTERNA) dynamic interface
object network obj-inside
nat (any,EXTERNA) dynamic interface
route EXTERNA 0.0.0.0 0.0.0.0 192.168.0.12 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.250.163 255.255.255.255 INTERNA
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint ASDM_TrustPoint0
enrollment terminal
crl configure
crypto ca trustpool policy
telnet timeout 50
ssh 192.168.250.0 255.255.255.0 INTERNA
ssh 192.168.250.163 255.255.255.255 INTERNA
ssh 192.168.1.1 255.255.255.255 management
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
!
tls-proxy maximum-session 1000
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable EXTERNA
no anyconnect-essentials
anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
anyconnect enable
tunnel-group-list enable
group-policy GroupPolicy_VPN-INMUEBLES internal
group-policy GroupPolicy_VPN-INMUEBLES attributes
wins-server none
dns-server value 172.30.1.118
vpn-tunnel-protocol ssl-client
split-tunnel-policy excludespecified
split-tunnel-network-list value ACCESO-REMOTO-A-LA-LAN
default-domain none
username ovalverde password o0mB0KOXscaR9jdA encrypted privilege 15
tunnel-group VPN-INMUEBLES type remote-access
tunnel-group VPN-INMUEBLES general-attributes
address-pool 10-209-100-0
default-group-policy GroupPolicy_VPN-INMUEBLES
tunnel-group VPN-INMUEBLES webvpn-attributes
group-alias VPN-INMUEBLES enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:5fee313cbd5f7bfc6764aff88e5e664d
: end
FW1#
Thanks for your help
OVB
10-31-2016 08:36 PM
Hi ovalverde,
Try removing the following:
no nat (any,any) source static any any ---> this NAT does not make any sense
object network obj-AnyconnectPool
no nat (any,EXTERNA) dynamic interface
nat (EXTERNA,EXTERNA) dynamic interface
Besides that the NAT looks good and you have what you need to have this working. If after following my suggestions you still get issues with the traffic, you can take a capture on the inside interface of the ASA to make sure the traffic is getting to the host on your inside and coming back:
Example:
capture test interface INTERNA match ip host <insideip> host <anyconnectclientip>
capture drop type asp-drop all circular-buffer
show capture test
show capture drop | include <anyconnectip>
If you have problems with the captures you can share the outputs and I will help you with that.
Hope this info helps!!
Rate if it helps you!!
-JP-
11-01-2016 05:05 PM
11-01-2016 08:13 PM
Omar,
Try running a packet tracer on the ASA in order to check the traffic flow:
packet-tracer input INTERNA icmp 192.168.252.163 8 0 10.209.100.1
Make sure you have a client connected through AnyConnect, and if it is getting a different IP than 10.209.100.1 change it in the packet tracer.
There is no need to rebuild the whole config since what you have now looks good.
The fact that you can see the ICMP request reaching the inside interface of the ASA means AnyConnect is doing what it is supposed to do.
Let me know as soon as you have the output of the packet tracer.
Also you can configure the drop capture previously suggested so you can make sure the ASA is not dropping any traffic.
Hope this info helps!!
Rate if it helps you!!
-JP-
11-03-2016 09:40 AM
Hi JP,
The result of packet-tracer is:
11-03-2016 12:06 PM
Hi Omar,
So taking a look at the packet tracer everything looks good, and considering the capture the traffic is getting in and just not coming back. Can you try a ping to the inside interface of the ASA? Make sure you have the command management-access inside. If the ping works you need to check your internal routing or maybe a firewall on the destination.
Hope this info helps!!
Rate if it helps you!!
-JP-
11-03-2016 01:21 PM
Hi JP! Hoping everything is well for you.
It worked :). I could ping from the AnyConnect client (10.209.100.1) to the ASA inside interface (192.168.252.197).
I tried to ping another host on the LAN from outside but it still doesn't get any response; both of the machines' firewalls are open and I don't have any firewall on the LAN :|
I'm sending the sketch just as info...
Don't you think the problem could be some ACL that is missing?
Omar
11-03-2016 01:32 PM
Sounds good Omar,
Now I would recommend you try the drop capture on the ASA:
cap drop ty asp all cir
cap drop | in <sourceip>
cap drop | in <destip>
Hope this info helps!!
Rate if it helps you!!
-JP-
11-03-2016 04:32 PM
I didn't find the command cap drop | in <sourceip>.
Instead I used capture DROP match ip 192.168.252.163 255.255.255.255 10.209.100.1 255.255.255.255
FW1# capture DROP type asp-drop all circular-buffer
FW1# capture DROP match ip 192.168.252.163 255.255.255.255 10.209.100.1 255.255.255.255
The result at some points:
1221: 14:57:12.424767 192.168.252.109.137 > 192.168.252.255.137: udp 50
1222: 14:57:12.784627 fe80::bd1f:1ccc:1637:9940.546 > ff02::1:2.547: udp 91 [hlim 1]
1223: 14:57:13.017806 802.3 encap packet
1224: 14:57:13.113611 10.209.100.1.138 > 10.209.100.255.138: udp 212
1225: 14:57:13.177801 192.168.252.109.137 > 192.168.252.255.137: udp 50
1226: 14:57:13.783971 192.168.252.70.138 > 192.168.252.255.138: udp 201
1227: 14:57:14.007613 802.3 encap packet
1228: 14:57:14.305205 802.3 encap packet
1229: 14:57:14.317030 192.168.252.118.137 > 192.168.252.255.137: udp 50
1230: 14:57:14.745215 192.168.252.121.138 > 192.168.252.255.138: udp 201
1231: 14:57:14.997339 802.3 encap packet
1232: 14:57:15.066189 192.168.252.118.137 > 192.168.252.255.137: udp 50
1233: 14:57:15.180074 802.3 encap packet
1234: 14:57:15.816257 192.168.252.118.137 > 192.168.252.255.137: udp 50
1235: 14:57:15.912336 192.168.252.23.138 > 192.168.252.255.138: udp 201
1236: 14:57:16.054944 802.3 encap packet
1237: 14:57:16.664440 192.168.252.109.138 > 192.168.252.255.138: udp 201
1238: 14:57:16.793049 fe80::bd1f:1ccc:1637:9940.546 > ff02::1:2.547: udp 91 [hlim 1]
1239: 14:57:16.807773 192.168.252.54.137 > 192.168.252.255.137: udp 50
1240: 14:57:16.930127 192.168.252.38.137 > 192.168.252.255.137: udp 50
1241: 14:57:17.558152 192.168.252.54.137 > 192.168.252.255.137: udp 50
1242: 14:57:17.611403 192.168.252.20.137 > 192.168.252.255.137: udp 50
1243: 14:57:18.104029 fe80::bd1f:1ccc:1637:9940.57072 > ff02::1:3.5355: udp 22 [hlim 1]
1244: 14:57:18.104074 10.209.100.1.52647 > 224.0.0.252.5355: udp 22
1245: 14:57:18.212437 fe80::bd1f:1ccc:1637:9940.57072 > ff02::1:3.5355: udp 22 [hlim 1]
1246: 14:57:18.212543 10.209.100.1.52647 > 224.0.0.252.5355: udp 22
1247: 14:57:18.308455 192.168.252.54.137 > 192.168.252.255.137: udp 50
1248: 14:57:18.371059 192.168.252.20.137 > 192.168.252.255.137: udp 50
1249: 14:57:18.415673 172.30.1.12.137 > 172.30.1.255.137: udp 50
1250: 14:57:18.415902 10.209.100.1.137 > 10.209.100.255.137: udp 50
1251: 14:57:19.135353 192.168.252.20.137 > 192.168.252.255.137: udp 50
1252: 14:57:19.179113 172.30.1.12.137 > 172.30.1.255.137: udp 50
1253: 14:57:19.179540 10.209.100.1.137 > 10.209.100.255.137: udp 50
1254: 14:57:19.680628 192.168.252.150.137 > 192.168.252.255.137: udp 50
1255: 14:57:19.943386 172.30.1.12.137 > 172.30.1.255.137: udp 50
1256: 14:57:19.943692 10.209.100.1.137 > 10.209.100.255.137: udp 50
1257: 14:57:20.352642 192.168.252.20.137 > 192.168.252.255.137: udp 50
1258: 14:57:20.420067 192.168.252.150.137 > 192.168.252.255.137: udp 50
1259: 14:57:20.722283 fe80::bd1f:1ccc:1637:9940.49245 > ff02::1:3.5355: udp 22 [hlim 1]
1260: 14:57:20.722344 10.209.100.1.53453 > 224.0.0.252.5355: udp 22
1261: 14:57:20.817142 fe80::bd1f:1ccc:1637:9940.49245 > ff02::1:3.5355: udp 22 [hlim 1]
1262: 14:57:20.817401 10.209.100.1.53453 > 224.0.0.252.5355: udp 22
1263: 14:57:21.020262 172.30.1.12.137 > 172.30.1.255.137: udp 50
1264: 14:57:21.020552 10.209.100.1.137 > 10.209.100.255.137: udp 50
1265: 14:57:21.116235 192.168.252.20.137 > 192.168.252.255.137: udp 50
1266: 14:57:21.169913 192.168.252.150.137 > 192.168.252.255.137: udp 50
1267: 14:57:21.783772 172.30.1.12.137 > 172.30.1.255.137: udp 50
1268: 14:57:21.784169 10.209.100.1.137 > 10.209.100.255.137: udp 50
1269: 14:57:21.880462 192.168.252.20.137 > 192.168.252.255.137: udp 50
1270: 14:57:22.281113 192.168.252.54.137 > 192.168.252.255.137: udp 50
1271: 14:57:22.548128 172.30.1.12.137 > 172.30.1.255.137: udp 50
1272: 14:57:22.548448 10.209.100.1.137 > 10.209.100.255.137: udp 50
1273: 14:57:22.646252 192.168.252.20.137 > 192.168.252.255.137: udp 50
1274: 14:57:22.988809 192.168.252.174.137 > 192.168.252.255.137: udp 50
1275: 14:57:23.008620 192.168.252.170.137 > 192.168.252.255.137: udp 50
1276: 14:57:23.031156 192.168.252.54.137 > 192.168.252.255.137: udp 50
1277: 14:57:23.327039 fe80::bd1f:1ccc:1637:9940.65225 > ff02::1:3.5355: udp 22 [hlim 1]
1278: 14:57:23.327116 10.209.100.1.59105 > 224.0.0.252.5355: udp 22
1279: 14:57:23.409051 192.168.252.20.137 > 192.168.252.255.137: udp 50
1280: 14:57:23.421868 fe80::bd1f:1ccc:1637:9940.65225 > ff02::1:3.5355: udp 22 [hlim 1]
1281: 14:57:23.421944 10.209.100.1.59105 > 224.0.0.252.5355: udp 22
1282: 14:57:23.624906 172.30.1.12.137 > 172.30.1.255.137: udp 50
1283: 14:57:23.625196 10.209.100.1.137 > 10.209.100.255.137: udp 50
1284: 14:57:23.734825 192.168.252.174.137 > 192.168.252.255.137: udp 50
1285: 14:57:23.771017 192.168.252.170.137 > 192.168.252.255.137: udp 50
1286: 14:57:23.781133 192.168.252.54.137 > 192.168.252.255.137: udp 50
1287: 14:57:24.173330 192.168.252.20.137 > 192.168.252.255.137: udp 50
1288: 14:57:24.388499 172.30.1.12.137 > 172.30.1.255.137: udp 50
1289: 14:57:24.388895 10.209.100.1.137 > 10.209.100.255.137: udp 50
1290: 14:57:24.495122 192.168.252.174.137 > 192.168.252.255.137: udp 50
1291: 14:57:24.535342 192.168.252.170.137 > 192.168.252.255.137: udp 50
1292: 14:57:24.794423 fe80::bd1f:1ccc:1637:9940.546 > ff02::1:2.547: udp 91 [hlim 1]
1293: 14:57:25.152839 172.30.1.12.137 > 172.30.1.255.137: udp 50
1294: 14:57:25.153190 10.209.100.1.137 > 10.209.100.255.137: udp 50
1295: 14:57:25.710839 192.168.252.33.138 > 192.168.252.255.138: udp 201
1296: 14:57:25.931622 fe80::bd1f:1ccc:1637:9940.65511 > ff02::1:3.5355: udp 22 [hlim 1]
1297: 14:57:25.931653 10.209.100.1.61657 > 224.0.0.252.5355: udp 22
1298: 14:57:26.026640 fe80::bd1f:1ccc:1637:9940.65511 > ff02::1:3.5355: udp 22 [hlim 1]
1299: 14:57:26.026716 10.209.100.1.61657 > 224.0.0.252.5355: udp 22
1300: 14:57:26.229663 172.30.1.12.137 > 172.30.1.255.137: udp 50
1301: 14:51:21.959255 192.168.252.210.137 > 192.168.252.255.137: udp 50
2473: 14:58:53.032621 192.168.252.42.137 > 192.168.252.255.137: udp 50
2474: 14:58:53.163642 192.168.252.77.137 > 192.168.252.255.137: udp 50
2475: 14:58:53.448188 fe80::bd1f:1ccc:1637:9940.54737 > ff02::1:3.5355: udp 22 [hlim 1]
2476: 14:58:53.448295 10.209.100.1.54868 > 224.0.0.252.5355: udp 22
2477: 14:58:53.557130 fe80::bd1f:1ccc:1637:9940.54737 > ff02::1:3.5355: udp 22 [hlim 1]
2478: 14:58:53.557237 10.209.100.1.54868 > 224.0.0.252.5355: udp 22
2479: 14:58:53.760229 172.30.1.12.137 > 172.30.1.255.137: udp 50
2480: 14:58:53.760458 10.209.100.1.137 > 10.209.100.255.137: udp 50
2481: 14:58:53.793370 192.168.252.42.137 > 192.168.252.255.137: udp 50
2482: 14:58:53.927823 192.168.252.77.137 > 192.168.252.255.137: udp 50
2483: 14:58:54.464987 192.168.252.109.137 > 192.168.252.255.137: udp 50
2484: 14:58:54.523715 172.30.1.12.137 > 172.30.1.255.137: udp 50
2485: 14:58:54.524158 10.209.100.1.137 > 10.209.100.255.137: udp 50
Is it sending a broadcast?
Omar
11-03-2016 07:04 PM
Omar,
Port 137 is NetBIOS; I don't think that has anything to do with your testing. As far as I understand you are testing with ICMP, so if you can't see any drops that means the ASA is not dropping any traffic. I would recommend you check the path from the ASA to the end user or server that you are trying to ping; as per all the tests you have done here, there is no issue with the ASA.
Hope this info helps!!
Rate if it helps you!!
-JP-
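JP's two points above (take a capture on the inside interface and confirm the test traffic both arrives and comes back; the port 137/138 lines in the drop capture are NetBIOS chatter and have nothing to do with an ICMP test) can be checked mechanically. The following Python helper is an added example, not part of this thread and not a Cisco tool: it parses ASA "show capture" lines in the format shown above, separates known LAN noise (NetBIOS, LLMNR, DHCPv6) from the ICMP under test, and reports whether echo requests from the AnyConnect client ever get a reply. The sample capture is constructed for the example; the ICMP line wording ("icmp: echo request") is an assumption, since the thread only shows UDP lines.

```python
"""Parse Cisco ASA 'show capture' output and check whether an ICMP echo test
between an AnyConnect client and an inside host actually completes."""
from collections import Counter

# Constructed sample in the ASA 9.x "show capture" line format seen in this
# thread: broadcast/multicast noise plus two echo requests that get no reply.
# The ICMP line wording is assumed, not copied from the thread.
SAMPLE_CAPTURE = """\
1221: 14:57:12.424767 192.168.252.109.137 > 192.168.252.255.137: udp 50
1222: 14:57:12.784627 fe80::bd1f:1ccc:1637:9940.546 > ff02::1:2.547: udp 91 [hlim 1]
1223: 14:57:13.017806 802.3 encap packet
1224: 14:57:13.113611 10.209.100.1.138 > 10.209.100.255.138: udp 212
1243: 14:57:18.104029 fe80::bd1f:1ccc:1637:9940.57072 > ff02::1:3.5355: udp 22 [hlim 1]
1244: 14:57:18.104074 10.209.100.1.52647 > 224.0.0.252.5355: udp 22
1250: 14:57:18.415902 10.209.100.1 > 192.168.252.163: icmp: echo request
1251: 14:57:19.415902 10.209.100.1 > 192.168.252.163: icmp: echo request
"""

# UDP ports that are normal LAN chatter and irrelevant to a ping test.
NOISE_PORTS = {137: "netbios-ns", 138: "netbios-dgm", 139: "netbios-ssn",
               5355: "llmnr", 546: "dhcpv6", 547: "dhcpv6",
               1900: "ssdp", 5353: "mdns"}


def _split_endpoint(ep, proto):
    """'192.168.252.109.137' -> ('192.168.252.109', 137) for TCP/UDP.
    ICMP endpoints carry no port, so they are returned unchanged."""
    if proto in ("tcp", "udp") and "." in ep:
        host, port = ep.rsplit(".", 1)
        if port.isdigit():
            return host, int(port)
    return ep, None


def parse_line(line):
    """Return a dict for one capture line, or None for lines without an IP
    header such as '802.3 encap packet'."""
    try:
        num, rest = line.strip().split(":", 1)
        ts, rest = rest.strip().split(None, 1)
    except ValueError:
        return None
    if " > " not in rest or ": " not in rest:
        return None
    left, right = rest.split(" > ", 1)
    dst_ep, payload = right.split(": ", 1)
    proto = payload.split()[0].rstrip(":").lower()
    src, sport = _split_endpoint(left.strip(), proto)
    dst, dport = _split_endpoint(dst_ep.strip(), proto)
    return {"num": int(num), "ts": ts, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "proto": proto, "info": payload}


def parse_capture(text):
    return [p for p in (parse_line(l) for l in text.splitlines()) if p]


def classify(pkt):
    """Label a packet as the ICMP test traffic, known LAN noise, or its protocol."""
    if pkt["proto"].startswith("icmp"):
        return "icmp"
    for port in (pkt["sport"], pkt["dport"]):
        if port in NOISE_PORTS:
            return NOISE_PORTS[port]
    return pkt["proto"]


def noise_summary(pkts):
    return Counter(classify(p) for p in pkts)


def echo_verdict(pkts, client, host):
    """Count echo requests client->host and echo replies host->client and say
    which half of the round trip is missing at this capture point."""
    req = sum(1 for p in pkts if p["proto"] == "icmp" and p["src"] == client
              and p["dst"] == host and "echo request" in p["info"])
    rep = sum(1 for p in pkts if p["proto"] == "icmp" and p["src"] == host
              and p["dst"] == client and "echo reply" in p["info"])
    if req == 0:
        verdict = "no request seen: traffic is not reaching this capture point"
    elif rep == 0:
        verdict = ("request seen, no reply: check the host's firewall or its "
                   "route back to the VPN pool")
    else:
        verdict = "ok"
    return {"requests": req, "replies": rep, "verdict": verdict}


if __name__ == "__main__":
    pkts = parse_capture(SAMPLE_CAPTURE)
    print("packets parsed:", len(pkts))
    for kind, n in noise_summary(pkts).most_common():
        print(f"  {kind:12} {n}")
    print(echo_verdict(pkts, "10.209.100.1", "192.168.252.163"))
```

Run it against a capture taken with "capture test interface INTERNA match ip host <insideip> host <anyconnectclientip>" (pasted into SAMPLE_CAPTURE or read from a file): "no request seen" points at the ASA or the tunnel, while "request seen, no reply" points past the ASA at the host, which is where this thread ended up (the inside hosts needed a route back to the 10.209.100.0/24 pool).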
11-04-2016 05:43 PM
Hi JP,
Bingo..!! Ping is working, AnyConnect is pinging to INSIDE; actually I can do a Remote Desktop session to my INSIDE host and it works.
Remember I told you I was working on another ASA? Well, that one worked; what I just did was only routing and default gateways on the machines, the ASA and the router.
I attach the network map.
I attach the images that show when the client is not connected and when it is.
I didn't do anything on NAT rules, I didn't do anything on ACLs...
It is weird, 'cause you told me packets were arriving at the ASA interfaces.
Anyway, below is the config for the ASA I am using:
I was thinking about NAT, but it doesn't matter... I just added default routes.
Now I have to apply it to my production network and get some resources :|
Thanks a lot!
Best
Omar