Solved: Cisco ASA 5505 Anyconnect Client NAT'ing question

nhchelpdesk · ‎02-20-2011

Hello,

We have a RA Vpn split_tunnel setup in one of our locations which is working fine in all areas except for traffic destinged for one specific website using https. This vendor only allows the HTTPS connections to them to come from certain outside IP addresses.

Essentially it should work like this:

RAVPN_client (10.4.4.0/27) --> https request to vendor_ip (208.x.x.x) ---> ASA55XX --> NAT_to_outside_ip --> https request to vendor_ip (208.x.x.x)

I need to understand how you would go about NATing ONLY this specific https traffic from the RA VPN while not having to alter the setup otherwise.

Internal hosts (aka behind the ASA physically) do not have any issue getting to this site, as its nat'd to the outside ip address as we expect.

Here is what we are using for the NAT Exemption list he 10.2.2.x, 192.168.100.x and 172.23.2.x are other remote sites that we have. RA VPN users are using the 10.4.4.0/27 do not have any issues connecting to them, no matter the protocol:

access-list inside_nat0_outbound remark Things that should not be Nat'd

access-list inside_nat0_outbound extended permit ip 10.12.1.0 255.255.255.0 10.2.2.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 10.12.1.0 255.255.255.0 192.168.100.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 10.12.1.0 255.255.255.0 172.23.2.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 10.12.1.0 255.255.255.0 10.4.4.0 255.255.255.224

access-list inside_nat0_outbound extended permit ip 10.4.4.0 255.255.255.224 192.168.100.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 10.4.4.0 255.255.255.224 10.2.2.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 10.4.4.0 255.255.255.224 172.23.2.0 255.255.255.192

Here is the list of interesting traffic we are pushing to the clients to go over the RA VPN connection tunnel.

access-list VPN_splitunnel extended permit ip 192.168.100.0 255.255.255.0 any

access-list VPN_splitunnel extended permit ip 10.2.2.0 255.255.255.0 any

access-list VPN_splitunnel extended permit ip 10.12.1.0 255.255.255.0 any

access-list VPN_splitunnel extended permit ip 172.23.2.0 255.255.255.192 any

access-list VPN_splitunnel extended permit ip 10.4.4.0 255.255.255.224 any

access-list VPN_splitunnel extended permit ip host 208.x.x.x any log <- this is the Vendors external IP address (obfuscated for security but you get the idea).

Here is the rest of the nat setup:

nat-control

global (outside) 101 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 101 0.0.0.0 0.0.0.0

The RA VPN configuration:

ip local pool VPNPool 10.4.4.5-10.4.4.30 mask 255.255.255.224

webvpn

enable outside

anyconnect-essentials

svc image disk0:/anyconnect-dart-win-2.5.0217-k9.pkg 1

svc image disk0:/anyconnect-macosx-i386-2.5.2001-k9.pkg.zip 2

svc enable

tunnel-group-list enable

group-policy RAVPN internal

group-policy RAVPN attributes

banner value Unauthorized access prohibited

banner value All connections and commands are logged

banner value This system is the property of MYCOMPANY

banner value Disconnect IMMEDIATELY if you are not an authorized user!

wins-server value 10.12.1.11 10.2.2.11

dns-server value 10.12.1.11 10.2.2.11

split-tunnel-policy tunnelspecified

split-tunnel-network-list value VPN_splitunnel

tunnel-group RAVPN type remote-access

tunnel-group RAVPN general-attributes

address-pool VPNPool

authentication-server-group NHCGRPAD

default-group-policy RAVPN

tunnel-group RAVPN webvpn-attributes

group-alias RAVPN enable

Can someone please direct me as to what I'm doing wrong? I was assuming that since I DON'T have the 208.x.x.x Ip address in the inside_nat0_outbound list that it WOULD be NAT'd, but that doesnt seem to be the case (packet-tracer output below)

packet-tracer input outside tcp 10.4.4.6 34567 208.x.x.x https detailed

*****************************************************************************

Phase: 1

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in 0.0.0.0 0.0.0.0 outside

Phase: 2

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group outside_access_in in interface outside

access-list outside_access_in extended permit ip VPN_ips 255.255.255.224 host 208.x.x.x log

Additional Information:

Forward Flow based lookup yields rule:

in id=0xd7bd3b20, priority=12, domain=permit, deny=false

hits=2, user_data=0xd613bf80, cs_id=0x0, flags=0x0, protocol=0

src ip=VPN_ips, mask=255.255.255.224, port=0

dst ip=208.x.x.x, mask=255.255.255.255, port=0, dscp=0x0

Phase: 3

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in id=0xd7df8fa0, priority=0, domain=inspect-ip-options, deny=true

hits=2256686, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

src ip=0.0.0.0, mask=0.0.0.0, port=0

dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 4

Type: VPN

Subtype: ipsec-tunnel-flow

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in id=0xd87c8fc8, priority=12, domain=ipsec-tunnel-flow, deny=true

hits=550, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0

src ip=0.0.0.0, mask=0.0.0.0, port=0

dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 5

Type: HOST-LIMIT

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in id=0xd7dfbd28, priority=0, domain=host-limit, deny=false

hits=1194, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0

src ip=0.0.0.0, mask=0.0.0.0, port=0

dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 6

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Reverse Flow based lookup yields rule:

in id=0xd7df8fa0, priority=0, domain=inspect-ip-options, deny=true

hits=2256688, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

src ip=0.0.0.0, mask=0.0.0.0, port=0

dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 7

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 2380213, packet dispatched to next module

Module information for forward flow ...

snp_fp_tracer_drop

snp_fp_inspect_ip_options

snp_fp_tcp_normalizer

snp_fp_translate

snp_fp_adjacency

snp_fp_fragment

snp_ifc_stat

Module information for reverse flow ...

snp_fp_tracer_drop

snp_fp_inspect_ip_options

snp_fp_translate

snp_fp_tcp_normalizer

snp_fp_adjacency

snp_fp_fragment

snp_ifc_stat

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: allow

*****************************************************************************

Thanks,

Jason

Jennifer Halim · ‎02-20-2011

You are on the right path with you split tunnel configuration. What you would need to add is the VPN Client pool to be NATed to your outside interface ip address, ie: same as your ASA local users when it's trying to access the vendor IP (208.x.x.x), plus allowing traffic in and out of the same interface for the u-turn traffic.

Here is what you will need to configure:

same-security-traffic permit intra-interface

access-list nat-to-vendor permit ip 10.4.4.0 255.255.255.224 host 208.x.x.x

nat (outside) 101 access-list nat-to-vendor

The above will allow the VPN pool to be NATed to your ASA outside interface ip address when accessing the vendor (208.x.x.x).

1 minor correction to your split tunnel ACL:

- The following line is incorrect and should be removed from the split tunnel ACL:

access-list VPN_splitunnel extended permit ip 10.4.4.0 255.255.255.224 any

(As 10.4.4.0/27 is your VPN Client pool, you do not add those subnet to your split tunnel list. Split tunnel list are only the network that you are trying to access and sent through your VPN tunnel).

Hope that helps.

View solution in original post

Jennifer Halim · ‎02-20-2011

You are on the right path with you split tunnel configuration. What you would need to add is the VPN Client pool to be NATed to your outside interface ip address, ie: same as your ASA local users when it's trying to access the vendor IP (208.x.x.x), plus allowing traffic in and out of the same interface for the u-turn traffic.

Here is what you will need to configure:

same-security-traffic permit intra-interface

access-list nat-to-vendor permit ip 10.4.4.0 255.255.255.224 host 208.x.x.x

nat (outside) 101 access-list nat-to-vendor

The above will allow the VPN pool to be NATed to your ASA outside interface ip address when accessing the vendor (208.x.x.x).

1 minor correction to your split tunnel ACL:

- The following line is incorrect and should be removed from the split tunnel ACL:

access-list VPN_splitunnel extended permit ip 10.4.4.0 255.255.255.224 any

(As 10.4.4.0/27 is your VPN Client pool, you do not add those subnet to your split tunnel list. Split tunnel list are only the network that you are trying to access and sent through your VPN tunnel).

Hope that helps.

nhchelpdesk · ‎02-20-2011

Well all I can say is youve made my night, thank you Jennifer!

same-security-traffic permit intra-interface <- should have mentioned this was already present..

This was the fix:

access-list nat-to-vendor permit ip 10.4.4.0 255.255.255.224 host 208.x.x.x

nat (outside) 101 access-list nat-to-vendor <- cant believe i missed this.

I also took this line out as well, thanks for pointing that one out too:

access-list VPN_splitunnel extended permit ip 10.4.4.0 255.255.255.224 any

Jason

Jennifer Halim · ‎02-20-2011

Perfect, great to hear it's working now, and thanks for the rating.