Can't reach inside network from outside with VPN AnyConnect client

Omar Valverde
Level 1

Hi everyone!

I have an issue with the connection from OUTSIDE (in my case EXTERNA) to the INSIDE (INTERNA) network. I'm using the AnyConnect client on Windows 7 (AnyConnect client version 3.1). I can connect with the VPN client, but when I want to get resources from inside I cannot reach them. I think I need some NAT config, because I can't ping or reach my inside network. Do you guys know what it can be? It was configured from ASDM. I reconfigured the ASA twice, sending the device back to defaults, but without success. I have just two interfaces.

VPN pool is 10.209.100.0/24

INTERNA 192.168.252.0/24

EXTERNA 172.30.1.0/24

ASA Version 9.1(3)
!
hostname FW1
enable password 8Ry2YjIyt7RRXU24 encrypted
names
ip local pool 10-209-100-0 10.209.100.1-10.209.100.254 mask 255.255.255.0
!
interface GigabitEthernet0/0
 speed 100
 nameif EXTERNA
 security-level 0
 ip address 172.30.1.118 255.255.255.0
!
interface GigabitEthernet0/1
 nameif INTERNA
 security-level 100
 ip address 192.168.252.197 255.255.255.0
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
object network NETWORK_OBJ_10.209.100.0_24
 subnet 10.209.100.0 255.255.255.0
object network RED-REMOTA
 subnet 192.168.102.0 255.255.255.0
object network RED-LOCAL
 subnet 192.168.101.0 255.255.255.0
object network obj-AnyconnectPool
 subnet 10.209.100.0 255.255.255.0
object network obj-inside
 subnet 192.168.252.0 255.255.255.0
access-list ACCESO-REMOTO-A-LA-LAN remark ACCESO A LA LAN
access-list ACCESO-REMOTO-A-LA-LAN standard permit host 0.0.0.0
pager lines 24
logging asdm informational
mtu EXTERNA 1500
mtu INTERNA 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (INTERNA,EXTERNA) source static any any destination static NETWORK_OBJ_10.209.100.0_24 NETWORK_OBJ_10.209.100.0_24 no-proxy-arp route-lookup
nat (any,any) source static any any
nat (INTERNA,EXTERNA) source static RED-LOCAL RED-LOCAL destination static RED-REMOTA RED-REMOTA
!
object network obj-AnyconnectPool
 nat (any,EXTERNA) dynamic interface
object network obj-inside
 nat (any,EXTERNA) dynamic interface
route EXTERNA 0.0.0.0 0.0.0.0 192.168.0.12 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.250.163 255.255.255.255 INTERNA
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint ASDM_TrustPoint0
 enrollment terminal
 crl configure
crypto ca trustpool policy
telnet timeout 50
ssh 192.168.250.0 255.255.255.0 INTERNA
ssh 192.168.250.163 255.255.255.255 INTERNA
ssh 192.168.1.1 255.255.255.255 management
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
!
tls-proxy maximum-session 1000
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable EXTERNA
 no anyconnect-essentials
 anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
group-policy GroupPolicy_VPN-INMUEBLES internal
group-policy GroupPolicy_VPN-INMUEBLES attributes
 wins-server none
 dns-server value 172.30.1.118
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy excludespecified
 split-tunnel-network-list value ACCESO-REMOTO-A-LA-LAN
 default-domain none
username ovalverde password o0mB0KOXscaR9jdA encrypted privilege 15
tunnel-group VPN-INMUEBLES type remote-access
tunnel-group VPN-INMUEBLES general-attributes
 address-pool 10-209-100-0
 default-group-policy GroupPolicy_VPN-INMUEBLES
tunnel-group VPN-INMUEBLES webvpn-attributes
 group-alias VPN-INMUEBLES enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:5fee313cbd5f7bfc6764aff88e5e664d
: end
FW1#

Thanks for your help

OVB

10 Replies

JP Miranda Z
Cisco Employee

Hi ovalverde,

Try removing the following:

no nat (any,any) source static any any ---> this NAT does not make any sense

object network obj-AnyconnectPool

no nat (any,EXTERNA) dynamic interface 

nat (EXTERNA,EXTERNA) dynamic interface

Besides that, the NAT looks good and you have what you need to have this working. If after following my suggestions you still get issues with the traffic, you can take a capture on the inside interface of the ASA to make sure the traffic is getting to the host on your inside and coming back:

example

cap test interface inside match ip host <insideip> host <anyconnectclientip>

cap drop ty as all cir

sh cap test

sh cap drop | in <anyconnectip>

If you have problems with the captures you can share the outputs and I will help you with that.

Hope this info helps!!

Rate if helps you!! 

-JP-

Hi JP Miranda Z, thanks for your reply! I appreciate your help.
Below are the things I did:
I removed all the lines you wrote me:
no nat (any,any) source static any any --> I suppose it will pass from inside to outside and vice versa; I did it just to watch whether the request gets to the inside network
object network obj-AnyconnectPool
no nat (any,EXTERNA) dynamic interface
nat (EXTERNA,EXTERNA) dynamic interface -> I didn't find this line in my config
When I connect the VPN client AnyConnect and then I try to ping from EXTERNA to my INTERNA network (192.168.252.0/24):

I see that the packet is trying to leave from the VPN network, which is correct:
Haciendo ping a 192.168.252.42 con 32 bytes de datos:
Respuesta desde 10.209.100.1: Host de destino inaccesible.
Respuesta desde 10.209.100.1: Host de destino inaccesible.
Respuesta desde 10.209.100.1: Host de destino inaccesible.
Respuesta desde 10.209.100.1: Host de destino inaccesible.
Estadisticas de ping para 192.168.252.42:
   Paquetes enviados = 4, recibidos = 4, perdidos = 0
   <0% perdidos>,
But then, after I removed the lines you told me:
Haciendo ping a 192.168.252.42 con 32 bytes de datos:
Tiempo de espera agotado para esta solicitud.
Tiempo de espera agotado para esta solicitud.
Tiempo de espera agotado para esta solicitud.
Tiempo de espera agotado para esta solicitud.
Estadisticas de ping para 192.168.252.42:
   Paquetes enviados = 4, recibidos = 0, perdidos = 4
   <100% perdidos>,
And the capture shows this:

FW1(config)# sho cap TCPDUMP
4 packets captured
   1: 15:31:29.161154       10.209.100.1 > 192.168.252.163: icmp: echo request
   2: 15:31:33.694284       10.209.100.1 > 192.168.252.163: icmp: echo request
   3: 15:31:38.702752       10.209.100.1 > 192.168.252.163: icmp: echo request
   4: 15:31:43.695642       10.209.100.1 > 192.168.252.163: icmp: echo request
4 packets shown
FW1(config)#
What I have is insideip = 192.168.252.163, anyconnectip = 10.209.100.1
My inside host's firewall is open.

Don't you think it could be a route problem on the AnyConnect client machine? I don't know if I'm missing a default route 0 0... or some ip route on the ASA?
I attach this, it can be useful... this is the route print of the AnyConnect client machine:
IPv4 Tabla de enrutamiento
===========================================================================
Rutas activas:
Destino de red        Máscara de red   Puerta de enlace   Interfaz  Métrica
          0.0.0.0          0.0.0.0                 172.30.1.118         172.30.1.12    276
          0.0.0.0          0.0.0.0                 10.209.100.2     10.209.100.1      2
     10.209.100.0     255.255.255.0      En vínculo      10.209.100.1        257
     10.209.100.1     255.255.255.255  En vínculo      10.209.100.1        257
   10.209.100.255   255.255.255.255  En vínculo      10.209.100.1        257
        127.0.0.0        255.0.0.0              En vínculo         127.0.0.1           306
        127.0.0.1        255.255.255.255  En vínculo         127.0.0.1           306
  127.255.255.255  255.255.255.255  En vínculo         127.0.0.1           306
       172.30.1.0       255.255.255.0      En vínculo       172.30.1.12         276
      172.30.1.12      255.255.255.255  En vínculo       172.30.1.12         276
     172.30.1.118     255.255.255.255  En vínculo       172.30.1.12         21
     172.30.1.255     255.255.255.255  En vínculo       172.30.1.12         276
        224.0.0.0        240.0.0.0              En vínculo         127.0.0.1           306
        224.0.0.0        240.0.0.0              En vínculo       172.30.1.12         276
        224.0.0.0        240.0.0.0              En vínculo      10.209.100.1        257
  255.255.255.255  255.255.255.255  En vínculo         127.0.0.1           306
  255.255.255.255  255.255.255.255      En vínculo       172.30.1.12     276
  255.255.255.255  255.255.255.255      En vínculo      10.209.100.1    257
===========================================================================
Rutas persistentes:
  Dirección de red  Máscara de red  Dirección de puerta de enlace  Métrica
          0.0.0.0          0.0.0.0     172.30.1.118  Predeterminada
          0.0.0.0          0.0.0.0     10.209.100.2       1
===========================================================================
IPv6 Tabla de enrutamiento
===========================================================================
Rutas activas:
  Ninguno
Rutas persistentes:
  Ninguno
C:\Users\REDES_TM>
What I see there is that the route from the client to the ASA is OK, also because the requests are received in the capture, but I can't find the solution.
Would you like me to do all the config again? Setting the ASA to config-default?

Thanks a lot again!
Omar
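The capture in the post above shows the tell-tale pattern of a return-path problem: echo requests from the AnyConnect client reach the inside interface, but no echo reply ever follows. As an added example (not part of the thread and not Cisco tooling), the short Python script below parses `show capture` ICMP lines and flags destinations that were echoed but never answered, so the triage points at host routing or a host firewall before NAT is touched. The capture text is constructed to match the format seen in the thread.

```python
import re
from collections import defaultdict

# Constructed sample in the format of ASA "show capture" output, modelled on
# the thread's capture (not copied from a device): echo requests from the
# AnyConnect client reach the inside host, but no echo reply ever comes back.
SAMPLE_CAPTURE = """\
4 packets captured
   1: 15:31:29.161154       10.209.100.1 > 192.168.252.163: icmp: echo request
   2: 15:31:33.694284       10.209.100.1 > 192.168.252.163: icmp: echo request
   3: 15:31:38.702752       10.209.100.1 > 192.168.252.163: icmp: echo request
   4: 15:31:43.695642       10.209.100.1 > 192.168.252.163: icmp: echo request
4 packets shown
"""

# A healthy two-way exchange for comparison (also constructed): the client
# pings the ASA inside interface and gets a reply.
HEALTHY_CAPTURE = """\
   1: 15:40:01.000000       10.209.100.1 > 192.168.252.197: icmp: echo request
   2: 15:40:01.000400       192.168.252.197 > 10.209.100.1: icmp: echo reply
"""

# One "show capture" line: index, timestamp, src > dst: icmp: echo request|reply
LINE_RE = re.compile(
    r"^\s*\d+:\s+\S+\s+(?P<src>[\d.]+) > (?P<dst>[\d.]+): icmp: echo (?P<kind>request|reply)"
)


def parse_icmp(capture_text):
    """Return (src, dst, kind) for every ICMP echo line; other lines are ignored."""
    out = []
    for line in capture_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            out.append((m.group("src"), m.group("dst"), m.group("kind")))
    return out


def one_way_targets(capture_text):
    """Destinations that received echo requests but never sent an echo reply.

    Returns {destination: number_of_requests}, sorted by destination.
    """
    requests = defaultdict(int)
    replied = set()
    for src, dst, kind in parse_icmp(capture_text):
        if kind == "request":
            requests[dst] += 1
        else:
            replied.add(src)
    return {dst: n for dst, n in sorted(requests.items()) if dst not in replied}


def diagnose(capture_text):
    """Human-readable verdict for a capture taken on the inside interface."""
    silent = one_way_targets(capture_text)
    if not silent:
        return "two-way: replies seen for every echoed host"
    hosts = ", ".join(f"{h} ({n} requests)" for h, n in silent.items())
    return (
        "one-way: requests reached the inside interface but no reply came back from "
        f"{hosts}; check the host's route/default gateway toward the VPN pool and any "
        "host firewall before touching NAT"
    )


if __name__ == "__main__":
    print(diagnose(SAMPLE_CAPTURE))
    print(diagnose(HEALTHY_CAPTURE))
```

Paste the output of `show capture <name>` into `diagnose()`; a "one-way" verdict with zero drops in the asp-drop capture is the combination that, later in this thread, turned out to be a routing problem on the inside hosts rather than an ASA issue.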

Omar,

Try running a packet tracer on the ASA in order to check the traffic flow:

packet-tracer input INTERNA icmp 192.168.252.163 8 0 10.209.100.1

Make sure you have a client connected through AnyConnect, and if it is getting a different IP than 10.209.100.1, change it in the packet tracer.

There is no need to rebuild the whole config since what you have now looks good.

The fact that you can see the ICMP request reaching the inside interface of the ASA means AnyConnect is doing what it is supposed to do.

Let me know as soon as you have the output of the packet tracer.

Also, you can configure the drop capture previously suggested so you can make sure the ASA is not dropping any traffic.

Hope this info helps!!

Rate if helps you!! 

-JP-

Hi JP,

The result of packet-tracer is:

FW1# packet-tracer input INTERNA icmp 192.168.252.163 8 0 10.209.100.1
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.209.100.1    255.255.255.255 EXTERNA
Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (INTERNA,EXTERNA) source static any any destination static NETWORK_OBJ_10.209.100.0_24 NETWORK_OBJ_10.209.100.0_24 no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface EXTERNA
Untranslate 10.209.100.1/0 to 10.209.100.1/0
Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (INTERNA,EXTERNA) source static any any destination static NETWORK_OBJ_10.209.100.0_24 NETWORK_OBJ_10.209.100.0_24 no-proxy-arp route-lookup
Additional Information:
Static translate 192.168.252.163/0 to 192.168.252.163/0
Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: WEBVPN-SVC
Subtype: out
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (INTERNA,EXTERNA) source static any any destination static NETWORK_OBJ_10.209.100.0_24 NETWORK_OBJ_10.209.100.0_24 no-proxy-arp route-lookup
Additional Information:
Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 422, packet dispatched to next module
Result:
input-interface: INTERNA
input-status: up
input-line-status: up
output-interface: EXTERNA
output-status: up
output-line-status: up
Action: allow
FW1#
I should mention that the AnyConnect VPN client took 10.209.100.1 again.
You know what? It is weird, but I try to connect to the ASA from ASDM installed on 192.168.252.163 and I cannot connect.
On Tuesday I started up another ASA appliance from config-default, but now with a router in the middle. I thought it was a problem related to some routing... I couldn't connect there either :(. But the client in this scenario took the AnyConnect address 10.209.100.2, which was correct, so what I did was only add a default route, but no matter, let's get back to our case.
Omar

Hi Omar,

So taking a look at the packet tracer, everything looks good, and considering the capture, the traffic is getting in and just not coming back. Can you try a ping to the inside interface of the ASA? Make sure you have the command management-access inside. If the ping works you need to check your internal routing or maybe a firewall on the destination.

Hope this info helps!!

Rate if helps you!! 

-JP-

Hi JP! Hoping everything is well with you

Worked :), I could ping from the AnyConnect Client (10.209.100.1) to the ASA inside interface (192.168.252.197).

I tried to ping another host on the LAN from outside but it still doesn't get any response; both machines' firewalls are open and I don't have any firewall on the LAN :|

I send the scratch just as info...

Don't you think the problem could be some ACL that is missing?

Omar

Sounds good Omar,

Now I will recommend you to try the drop capture on the ASA:

cap drop ty asp all cir

sh cap drop | in <sourceip>

sh cap drop | in <destip>

Hope this info helps!!

Rate if helps you!! 

-JP-

Didn't find the command cap drop | in <sourceip>

Instead I put capture DROP match ip 192.168.252.163 255.255.255.255 10.209.100.1 255.255.255.255

FW1# capture DROP type asp-drop all circular-buffer

FW1# capture DROP match ip 192.168.252.163 255.255.255.255 10.209.100.1 255.255.255.255

The result at some points:

1221: 14:57:12.424767       192.168.252.109.137 > 192.168.252.255.137:  udp 50
1222: 14:57:12.784627       fe80::bd1f:1ccc:1637:9940.546 > ff02::1:2.547:  udp 91 [hlim 1]
1223: 14:57:13.017806       802.3 encap packet
1224: 14:57:13.113611       10.209.100.1.138 > 10.209.100.255.138:  udp 212
1225: 14:57:13.177801       192.168.252.109.137 > 192.168.252.255.137:  udp 50
1226: 14:57:13.783971       192.168.252.70.138 > 192.168.252.255.138:  udp 201
1227: 14:57:14.007613       802.3 encap packet
1228: 14:57:14.305205       802.3 encap packet
1229: 14:57:14.317030       192.168.252.118.137 > 192.168.252.255.137:  udp 50
1230: 14:57:14.745215       192.168.252.121.138 > 192.168.252.255.138:  udp 201
1231: 14:57:14.997339       802.3 encap packet
1232: 14:57:15.066189       192.168.252.118.137 > 192.168.252.255.137:  udp 50
1233: 14:57:15.180074       802.3 encap packet
1234: 14:57:15.816257       192.168.252.118.137 > 192.168.252.255.137:  udp 50
1235: 14:57:15.912336       192.168.252.23.138 > 192.168.252.255.138:  udp 201
1236: 14:57:16.054944       802.3 encap packet
1237: 14:57:16.664440       192.168.252.109.138 > 192.168.252.255.138:  udp 201
1238: 14:57:16.793049       fe80::bd1f:1ccc:1637:9940.546 > ff02::1:2.547:  udp 91 [hlim 1]
1239: 14:57:16.807773       192.168.252.54.137 > 192.168.252.255.137:  udp 50
1240: 14:57:16.930127       192.168.252.38.137 > 192.168.252.255.137:  udp 50
1241: 14:57:17.558152       192.168.252.54.137 > 192.168.252.255.137:  udp 50
1242: 14:57:17.611403       192.168.252.20.137 > 192.168.252.255.137:  udp 50
1243: 14:57:18.104029       fe80::bd1f:1ccc:1637:9940.57072 > ff02::1:3.5355:  udp 22 [hlim 1]
1244: 14:57:18.104074       10.209.100.1.52647 > 224.0.0.252.5355:  udp 22
1245: 14:57:18.212437       fe80::bd1f:1ccc:1637:9940.57072 > ff02::1:3.5355:  udp 22 [hlim 1]
1246: 14:57:18.212543       10.209.100.1.52647 > 224.0.0.252.5355:  udp 22
1247: 14:57:18.308455       192.168.252.54.137 > 192.168.252.255.137:  udp 50
1248: 14:57:18.371059       192.168.252.20.137 > 192.168.252.255.137:  udp 50
1249: 14:57:18.415673       172.30.1.12.137 > 172.30.1.255.137:  udp 50
1250: 14:57:18.415902       10.209.100.1.137 > 10.209.100.255.137:  udp 50
1251: 14:57:19.135353       192.168.252.20.137 > 192.168.252.255.137:  udp 50
1252: 14:57:19.179113       172.30.1.12.137 > 172.30.1.255.137:  udp 50
1253: 14:57:19.179540       10.209.100.1.137 > 10.209.100.255.137:  udp 50
1254: 14:57:19.680628       192.168.252.150.137 > 192.168.252.255.137:  udp 50
1255: 14:57:19.943386       172.30.1.12.137 > 172.30.1.255.137:  udp 50
1256: 14:57:19.943692       10.209.100.1.137 > 10.209.100.255.137:  udp 50
1257: 14:57:20.352642       192.168.252.20.137 > 192.168.252.255.137:  udp 50
1258: 14:57:20.420067       192.168.252.150.137 > 192.168.252.255.137:  udp 50
1259: 14:57:20.722283       fe80::bd1f:1ccc:1637:9940.49245 > ff02::1:3.5355:  udp 22 [hlim 1]
1260: 14:57:20.722344       10.209.100.1.53453 > 224.0.0.252.5355:  udp 22
1261: 14:57:20.817142       fe80::bd1f:1ccc:1637:9940.49245 > ff02::1:3.5355:  udp 22 [hlim 1]
1262: 14:57:20.817401       10.209.100.1.53453 > 224.0.0.252.5355:  udp 22
1263: 14:57:21.020262       172.30.1.12.137 > 172.30.1.255.137:  udp 50
1264: 14:57:21.020552       10.209.100.1.137 > 10.209.100.255.137:  udp 50
1265: 14:57:21.116235       192.168.252.20.137 > 192.168.252.255.137:  udp 50
1266: 14:57:21.169913       192.168.252.150.137 > 192.168.252.255.137:  udp 50
1267: 14:57:21.783772       172.30.1.12.137 > 172.30.1.255.137:  udp 50
1268: 14:57:21.784169       10.209.100.1.137 > 10.209.100.255.137:  udp 50
1269: 14:57:21.880462       192.168.252.20.137 > 192.168.252.255.137:  udp 50
1270: 14:57:22.281113       192.168.252.54.137 > 192.168.252.255.137:  udp 50
1271: 14:57:22.548128       172.30.1.12.137 > 172.30.1.255.137:  udp 50
1272: 14:57:22.548448       10.209.100.1.137 > 10.209.100.255.137:  udp 50
1273: 14:57:22.646252       192.168.252.20.137 > 192.168.252.255.137:  udp 50
1274: 14:57:22.988809       192.168.252.174.137 > 192.168.252.255.137:  udp 50
1275: 14:57:23.008620       192.168.252.170.137 > 192.168.252.255.137:  udp 50
1276: 14:57:23.031156       192.168.252.54.137 > 192.168.252.255.137:  udp 50
1277: 14:57:23.327039       fe80::bd1f:1ccc:1637:9940.65225 > ff02::1:3.5355:  udp 22 [hlim 1]
1278: 14:57:23.327116       10.209.100.1.59105 > 224.0.0.252.5355:  udp 22
1279: 14:57:23.409051       192.168.252.20.137 > 192.168.252.255.137:  udp 50
1280: 14:57:23.421868       fe80::bd1f:1ccc:1637:9940.65225 > ff02::1:3.5355:  udp 22 [hlim 1]
1281: 14:57:23.421944       10.209.100.1.59105 > 224.0.0.252.5355:  udp 22
1282: 14:57:23.624906       172.30.1.12.137 > 172.30.1.255.137:  udp 50
1283: 14:57:23.625196       10.209.100.1.137 > 10.209.100.255.137:  udp 50
1284: 14:57:23.734825       192.168.252.174.137 > 192.168.252.255.137:  udp 50
1285: 14:57:23.771017       192.168.252.170.137 > 192.168.252.255.137:  udp 50
1286: 14:57:23.781133       192.168.252.54.137 > 192.168.252.255.137:  udp 50
1287: 14:57:24.173330       192.168.252.20.137 > 192.168.252.255.137:  udp 50
1288: 14:57:24.388499       172.30.1.12.137 > 172.30.1.255.137:  udp 50
1289: 14:57:24.388895       10.209.100.1.137 > 10.209.100.255.137:  udp 50
1290: 14:57:24.495122       192.168.252.174.137 > 192.168.252.255.137:  udp 50
1291: 14:57:24.535342       192.168.252.170.137 > 192.168.252.255.137:  udp 50
1292: 14:57:24.794423       fe80::bd1f:1ccc:1637:9940.546 > ff02::1:2.547:  udp 91 [hlim 1]
1293: 14:57:25.152839       172.30.1.12.137 > 172.30.1.255.137:  udp 50
1294: 14:57:25.153190       10.209.100.1.137 > 10.209.100.255.137:  udp 50
1295: 14:57:25.710839       192.168.252.33.138 > 192.168.252.255.138:  udp 201
1296: 14:57:25.931622       fe80::bd1f:1ccc:1637:9940.65511 > ff02::1:3.5355:  udp 22 [hlim 1]
1297: 14:57:25.931653       10.209.100.1.61657 > 224.0.0.252.5355:  udp 22
1298: 14:57:26.026640       fe80::bd1f:1ccc:1637:9940.65511 > ff02::1:3.5355:  udp 22 [hlim 1]
1299: 14:57:26.026716       10.209.100.1.61657 > 224.0.0.252.5355:  udp 22
1300: 14:57:26.229663       172.30.1.12.137 > 172.30.1.255.137:  udp 50
1301: 14:51:21.959255       192.168.252.210.137 > 192.168.252.255.137:  udp 50

2473: 14:58:53.032621       192.168.252.42.137 > 192.168.252.255.137:  udp 50
2474: 14:58:53.163642       192.168.252.77.137 > 192.168.252.255.137:  udp 50
2475: 14:58:53.448188       fe80::bd1f:1ccc:1637:9940.54737 > ff02::1:3.5355:  udp 22 [hlim 1]
2476: 14:58:53.448295       10.209.100.1.54868 > 224.0.0.252.5355:  udp 22
2477: 14:58:53.557130       fe80::bd1f:1ccc:1637:9940.54737 > ff02::1:3.5355:  udp 22 [hlim 1]
2478: 14:58:53.557237       10.209.100.1.54868 > 224.0.0.252.5355:  udp 22
2479: 14:58:53.760229       172.30.1.12.137 > 172.30.1.255.137:  udp 50
2480: 14:58:53.760458       10.209.100.1.137 > 10.209.100.255.137:  udp 50
2481: 14:58:53.793370       192.168.252.42.137 > 192.168.252.255.137:  udp 50
2482: 14:58:53.927823       192.168.252.77.137 > 192.168.252.255.137:  udp 50
2483: 14:58:54.464987       192.168.252.109.137 > 192.168.252.255.137:  udp 50
2484: 14:58:54.523715       172.30.1.12.137 > 172.30.1.255.137:  udp 50
2485: 14:58:54.524158       10.209.100.1.137 > 10.209.100.255.137:  udp 50

Is it sending a broadcast?

Omar

Omar,

Port 137 is NetBIOS; I don't think that has anything to do with your testing. As far as I understand you are testing with ICMP, so if you can't see any drops that means the ASA is not dropping any traffic. I will recommend you to check the path from the ASA to the end user or server that you are trying to ping; as per all the tests you have done here, there is no issue with the ASA.

Hope this info helps!!

Rate if helps you!! 

-JP-

Hi JP

Bingo..!! Ping is working, AnyConnect is pinging to INSIDE; actually I do a Remote Desktop session to my INSIDE host and it works.

Remember I told you I was working on another ASA? Well, that one worked; what I did was only routing and default gateways on the machines, the ASA and the router.

I attach the network map

I attach the images that shows when the client is not connected and when it does.

I didn't do anything on NAT rules, I didn't do anything on ACLs...

It is weird, because you told me packets were arriving at the ASA interfaces.

Anyway, below is the config for the ASA I am using:

ciscoasa(config)# sho running-config
: Saved
:
: Serial Number: FCH19267R0G
: Hardware:   ASA5555, 16384 MB RAM, CPU Lynnfield 2792 MHz, 1 CPU (8 cores)
:
ASA Version 9.2(2)4
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
ip local pool ANY-CONN-VPN-POOL 10.200.100.1-10.200.100.254 mask 255.255.255.0
!
interface GigabitEthernet0/0
 speed 100
 nameif OUTSIDE
 security-level 0
 ip address 200.77.1.2 255.255.255.252
!
interface GigabitEthernet0/1
 speed 100
 nameif INSIDE
 security-level 100
 ip address 192.168.5.1 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
object network NETWORK_OBJ_10.200.100.0_24
 subnet 10.200.100.0 255.255.255.0
pager lines 24
logging asdm informational
mtu management 1500
mtu OUTSIDE 1500
mtu INSIDE 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (INSIDE,OUTSIDE) source static any any destination static NETWORK_OBJ_10.200.100.0_24 NETWORK_OBJ_10.200.100.0_24 no-proxy-arp route-lookup
route OUTSIDE 0.0.0.0 0.0.0.0 200.77.1.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.1.20 255.255.255.255 management
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
no ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable OUTSIDE
 anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
group-policy GroupPolicy_INMUEBLES internal
group-policy GroupPolicy_INMUEBLES attributes
 wins-server none
 dns-server none
 vpn-tunnel-protocol ssl-client
 default-domain none
username ovalverde password o0mB0KOXscaR9jdA encrypted privilege 15
tunnel-group INMUEBLES type remote-access
tunnel-group INMUEBLES general-attributes
 address-pool ANY-CONN-VPN-POOL
 default-group-policy GroupPolicy_INMUEBLES
tunnel-group INMUEBLES webvpn-attributes
 group-alias INMUEBLES enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:1c873e5670d7d422ece1cc1e0c608943
: end
ciscoasa(config)#

I was thinking about NAT, but it doesn't matter... I just added default routes.

Now I have to apply it to my production network and get some resources :|

Thanks a lot !

Best

Omar