05-22-2012 07:22 AM - edited 02-21-2020 06:05 PM
I am having issues accessing resources on the inside network when connecting with Cisco client VPN to a Cisco ASA 5510 running 8.4(3) version of the IOS. I have tried all of the new 8.4 NAT commands but cannot access the inside network. I can see traffic in the logs when pinging. I can only assume I have the NAT wrong, or it is because the inside interface of the ASA is on the same /24 subnet as the inside network? Please see config below; any suggestions would be appreciated. I have configured a site to site VPN to this same 5510 and it is running fine.
Thanks
interface Ethernet0/0
speed 100
duplex full
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.240
!
interface Ethernet0/1
speed 100
duplex full
nameif inside
security-level 100
ip address 10.88.10.254 255.255.255.0
!
interface Management0/0
shutdown
nameif management
security-level 0
no ip address
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network PAT_to_Outside_ClassA
subnet 10.88.0.0 255.255.0.0
object network PAT_to_Outside_ClassB
subnet 172.16.0.0 255.240.0.0
object network PAT_to_Outside_ClassC
subnet 192.168.0.0 255.255.240.0
object network LocalNetwork
subnet 10.88.0.0 255.255.0.0
object network RemoteNetwork1
subnet 192.168.0.0 255.255.0.0
object network RemoteNetwork2
subnet 172.16.10.0 255.255.255.0
object network RemoteNetwork3
subnet 10.86.0.0 255.255.0.0
object network RemoteNetwork4
subnet 10.250.1.0 255.255.255.0
object network NatExempt
subnet 10.88.10.0 255.255.255.0
object-group network Site_to_SiteVPN1
network-object 192.168.4.0 255.255.254.0
network-object 172.16.10.0 255.255.255.0
network-object 10.0.0.0 255.0.0.0
access-list outside_access_in extended deny ip any any
access-list inside_access_in extended permit ip any any
access-list 11 extended permit ip 10.250.1.0 255.255.255.0 any
access-list outside_1_cryptomap extended permit ip 10.88.0.0 255.255.0.0 object-group Site_to_SiteVPN1
ip local pool Admin_Pool 10.250.1.1-10.250.1.254 mask 255.255.255.0
nat (inside,outside) source static NatExempt NatExempt
nat (inside,outside) source static any any destination static RemoteNetwork4 RemoteNetwork4 route-lookup
nat (inside,outside) source static LocalNetwork LocalNetwork destination static RemoteNetwork1 RemoteNetwork1
nat (inside,outside) source static LocalNetwork LocalNetwork destination static RemoteNetwork2 RemoteNetwork2
nat (inside,outside) source static LocalNetwork LocalNetwork destination static RemoteNetwork3 RemoteNetwork3
nat (inside,outside) source static LocalNetwork LocalNetwork destination static RemoteNetwork4 RemoteNetwork4 route-lookup
!
object network PAT_to_Outside_ClassA
nat (inside,outside) dynamic interface
object network PAT_to_Outside_ClassB
nat (inside,outside) dynamic interface
object network PAT_to_Outside_ClassC
nat (inside,outside) dynamic interface
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
dynamic-access-policy-record DfltAccessPolicy
sysopt connection timewait
service resetoutside
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set bh-set esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set pfs
crypto dynamic-map dynmap 10 set ikev1 transform-set bh-set
crypto dynamic-map dynmap 10 set security-association lifetime seconds 28800
crypto dynamic-map dynmap 10 set security-association lifetime kilobytes 4608000
crypto dynamic-map dynmap 10 set reverse-route
crypto map mymap 1 match address outside_1_cryptomap
crypto map mymap 1 set peer x.x.x.x
crypto map mymap 1 set ikev1 transform-set ESP-AES-256-SHA
crypto map mymap 1 set security-association lifetime seconds 86400
crypto map mymap 1 set security-association lifetime kilobytes 4608000
crypto map mymap 100 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
crypto isakmp identity address
crypto isakmp nat-traversal 30
crypto ikev1 enable outside
crypto ikev1 ipsec-over-tcp port 10000
crypto ikev1 policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 1
lifetime 86400
crypto ikev1 policy 50
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication pre-share
encryption aes-256
hash sha
group 1
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
telnet timeout 5
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy BACKDOORVPN internal
group-policy BACKDOORVPN attributes
vpn-filter value 11
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelall
default-domain value bh.uk
tunnel-group BACKDOORVPN type remote-access
tunnel-group BACKDOORVPN general-attributes
address-pool Admin_Pool
default-group-policy BACKDOORVPN
tunnel-group BACKDOORVPN ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
ikev1 pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
05-22-2012 07:31 AM
Hi Matt,
If you are running a L3 switch behind your ASA, please make sure that you have a static-route in place to push "10.250.1.0/24 " to 10.88.10.254.
Please let me know, if this helps.
Thanks
Rizwan Rafeek
05-22-2012 07:31 AM
New ASA code is buggy with 'any any' on NATs.
Try changing....
nat (inside,outside) source static any any destination static RemoteNetwork4 RemoteNetwork4 route-lookup
To
nat (inside,outside) source static RemoteNetwork4 RemoteNetwork4 destination static LocalNetwork LocalNetwork route-lookup
Kind Regards,
Kevin
**Please remember to rate helpful posts as well as mark the question as 'answered' once your issue is resolved. This will help others to find your solution faster.
05-22-2012 08:36 AM
Thanks Rizwan - the L3 switch default gateway is 10.88.10.254....but good to double check
Kevin - thanks for your reply also. I have now changed the NAT config to the below as you suggested;
nat (inside,outside) source static RemoteNetwork4 RemoteNetwork4 destination static LocalNetwork LocalNetwork route-lookup
I then ran a telnet from remote client to inside host on port 80 - this is what I got in the ASA logs;
May 22 2012 16:28:15: %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:10.250.1.1/53229(LOCAL\mrichards) dst inside:10.88.10.11/80 denied due to NAT reverse path failure
May 22 2012 16:28:15: %ASA-7-710005: UDP request discarded from 10.250.1.1/51022 to outside:224.0.0.252/5355
May 22 2012 16:28:18: %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:10.250.1.1/53229(LOCAL\mrichards) dst inside:10.88.10.11/80 denied due to NAT reverse path failure
05-22-2012 09:29 AM
Hi Matt,
Please post the output from below traceroute.
packet-tracer input outside icmp 10.250.1.2 8 0 10.88.10.2
If you do see the passthrough in every stage in the output from above, then you are most likely missing a route on your ASA.
So, please add a static-route on your ACL as shown below.
route inside 10.88.0.0 255.255.0.0 10.88.10.x <--- x = your L3 switch's ip address which is connected to ASA.
FYI...
Your original no-nat you have had configured is fine with me; there is no need to change it.
Please update.
thanks.
Rizwan Rafeek
Message was edited by: Rizwan Mohamed
05-23-2012 02:37 AM
Hi Rizwan
Please see output from packet trace - getting dropped by outside interface ACL;
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.88.10.0 255.255.255.0 inside
Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static LocalNetwork LocalNetwork destination static RemoteNetwork4 RemoteNetwork4 route-lookup
Additional Information:
NAT divert to egress interface inside
Untranslate 10.88.10.2/0 to 10.88.10.2/0
Phase: 4
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 5
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended deny ip any any
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Here is the configured NAT on the ASA;
nat (inside,outside) source static LocalNetwork LocalNetwork destination static RemoteNetwork4 RemoteNetwork4 route-lookup
nat (inside,outside) source static LocalNetwork LocalNetwork destination static RemoteNetwork1 RemoteNetwork1
nat (inside,outside) source static LocalNetwork LocalNetwork destination static RemoteNetwork2 RemoteNetwork2
nat (inside,outside) source static LocalNetwork LocalNetwork destination static RemoteNetwork3 RemoteNetwork3
The configured PAT;
object network PAT_to_Outside_ClassA
nat (inside,outside) dynamic interface
object network PAT_to_Outside_ClassB
nat (inside,outside) dynamic interface
object network PAT_to_Outside_ClassC
nat (inside,outside) dynamic interface
And the routing table;
C x.x.x.x 255.255.255.240 is directly connected, outside
C 10.88.10.0 255.255.255.0 is directly connected, inside
S* 0.0.0.0 0.0.0.0 [1/0] via x.x.x.x, outside
05-23-2012 04:15 AM
This thread helped me a couple years ago, and it sounds like you might be having the same issue... hopefully it will help you... https://supportforums.cisco.com/message/2017097#2017097
05-23-2012 06:16 AM
Thanks for your response, however the intercept-dhcp enable command did not resolve the issue
When connected with the VPN client and running a ping from VPN host to inside network host, I get the following in the ASA logs but I do not get reply;
May 23 2012 14:12:00: %ASA-6-302020: Built inbound ICMP connection for faddr 10.250.1.1/1(LOCAL\mrichards) gaddr 10.88.10.250/0 laddr 10.88.10.250/0 (mrichards)
May 23 2012 14:12:00: %ASA-6-302020: Built outbound ICMP connection for faddr 10.250.1.1/1(LOCAL\mrichards) gaddr 10.88.10.250/0 laddr 10.88.10.250/0
May 23 2012 14:12:02: %ASA-6-302021: Teardown ICMP connection for faddr 10.250.1.1/1(LOCAL\mrichards) gaddr 10.88.10.250/0 laddr 10.88.10.250/0 (mrichards)
May 23 2012 14:12:02: %ASA-6-302021: Teardown ICMP connection for faddr 10.250.1.1/1(LOCAL\mrichards) gaddr 10.88.10.250/0 laddr 10.88.10.250/0
05-23-2012 07:20 AM
Hi Matt,
Please remove the highlighted "route-lookup" from the no-nat statement below.
nat (inside,outside) source static LocalNetwork LocalNetwork destination static RemoteNetwork4 RemoteNetwork4 route-lookup
Please let me know.
Thanks
05-23-2012 09:17 AM
Guys....it is working now....thanks for all your comments
The original site to site object group (Site_to_SiteVPN1) was causing the issue, as I had the full class A subnet specified for the site to site tunnel.
I changed this object group to;
network-object 192.168.4.0 255.255.254.0
network-object 172.16.10.0 255.255.255.0
network-object 10.86.0.0 255.255.0.0
network-object 10.87.0.0 255.255.0.0
And it is working now.....
Thanks again!
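An added sanity check for the root cause found above (not code from the thread or from Cisco): it parses the object-group text as posted, and reports which site-to-site destination networks also cover the Admin_Pool addresses. The pool, inside subnet, crypto ACL source, and both versions of the object-group are taken from the posts above and embedded as constructed input; the explanation of why the overlap breaks client traffic is an assumption about ASA crypto map ordering, since the thread only reports that shrinking the group fixed it.

```python
import ipaddress
from typing import List

# Values from the thread's config, embedded here as constructed input
ADMIN_POOL = ipaddress.ip_network("10.250.1.0/24")      # ip local pool Admin_Pool
INSIDE_NET = ipaddress.ip_network("10.88.10.0/24")      # inside interface subnet
CRYPTO_ACL_SRC = ipaddress.ip_network("10.88.0.0/16")   # outside_1_cryptomap source

ORIGINAL_GROUP = """object-group network Site_to_SiteVPN1
network-object 192.168.4.0 255.255.254.0
network-object 172.16.10.0 255.255.255.0
network-object 10.0.0.0 255.0.0.0
"""

FIXED_GROUP = """object-group network Site_to_SiteVPN1
network-object 192.168.4.0 255.255.254.0
network-object 172.16.10.0 255.255.255.0
network-object 10.86.0.0 255.255.0.0
network-object 10.87.0.0 255.255.0.0
"""


def parse_network_objects(group_text: str) -> List[ipaddress.IPv4Network]:
    """Parse 'network-object <addr> <mask>' lines from an ASA object-group."""
    nets = []
    for line in group_text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "network-object":
            # ipaddress accepts dotted-decimal masks after the slash
            nets.append(ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False))
    return nets


def l2l_networks_covering_pool(group_text: str) -> List[str]:
    """Return L2L destination networks that also contain remote-access pool addresses.

    Assumed mechanism: the static crypto map entry (mymap 1) is matched before the
    dynamic entry (mymap 100), so a reply from the inside network to a client
    address that the L2L ACL also covers is steered towards the site-to-site peer
    instead of back through the client's own tunnel.
    """
    if not CRYPTO_ACL_SRC.overlaps(INSIDE_NET):
        return []  # replies from inside could never match the L2L ACL source
    return [str(n) for n in parse_network_objects(group_text) if n.overlaps(ADMIN_POOL)]


if __name__ == "__main__":
    print("original:", l2l_networks_covering_pool(ORIGINAL_GROUP))  # ['10.0.0.0/8']
    print("fixed:   ", l2l_networks_covering_pool(FIXED_GROUP))     # []
```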
05-23-2012 09:43 AM
excellent.
Please rate helpful post.
thanks
Rizwan Rafeek
05-23-2012 11:15 AM
Thanks Rizwan....