EZVPN nem mode - Internet Access

tomas roberton
Level 1

Hello,

I have a cisco 881 router and an asa 5520 SW 8.4

I have configured EZVPN using NEM mode between the ASA & 881 router.  However the 881 can access network resources on the inside interface of the ASA where it is terminating.  However the site using the 881 cannot access the internet.  I know I could configure split tunnel and the site would only use the tunnel for our internal network (10.0.0.0).  However I would like this site to use our ASA to access the internet so that the restrictions will apply to this site too.  I apologise in advance if I have not provided enough information.

Config for the 881 router is below. The ASA config is too big to post, but if you tell me precisely what you would like me to post, I will:

no ip domain lookup
ip domain name yourdomain.com
ip cef
no ipv6 cef
!
license udi pid CISCO881-K9 sn FCZ17219082
!
username netadmin privilege 15 secret 4 N2rcMRAZjsOjF7Kp/KUkH4cfBtBYp.1Cc.V8E0utmSI
!
crypto ipsec client ezvpn EZVPN
 connect auto
 group TG_EZVPN key ourkey
 mode network-extension
 peer FIREWALL IP
 username user password password
 xauth userid mode local
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface FastEthernet4
 description *** Outside Interface ***
 ip address dhcp
 duplex auto
 speed auto
 crypto ipsec client ezvpn EZVPN
!
interface Vlan1
 description *** EZVPN Inside ***
 ip address 172.16.217.1 255.255.255.0
 ip helper-address 10.1.4.60
 ip helper-address 10.1.4.61
 ip tcp adjust-mss 1452
 crypto ipsec client ezvpn EZVPN inside
!
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip route 0.0.0.0 0.0.0.0 dhcp


7 Replies

Jouni Forss
VIP Alumni

Hi,

Provided that traffic destined to any network other than the remote site's own network flows through the VPN connection, the most typical things that the central ASA might be missing are the following:

same-security-traffic permit intra-interface

Whether this configuration is already in use can be checked with:

show run same-security-traffic

The setting mentioned above enables the ASA to pass a packet incoming on an interface back out through the same interface it initially came in on. Without this setting it's not possible.

Then you will naturally need a NAT configuration for the users' connections from the remote LAN.

If we were to use Auto NAT / Network Object NAT (since I don't know how you have built the basic Dynamic PAT for your central site ASA), the configuration could look something like this:

object network REMOTE-SITE-PAT
 subnet 172.16.217.0 255.255.255.0
 nat (outside,outside) dynamic interface

The above should provide the Dynamic PAT to the "outside" interface of the central ASA when the hosts are connecting to the Internet.

Since the NEM Mode VPN is probably connected at this moment, you can test what would happen to an Internet bound packet coming through the VPN connection (before even changing any of the above settings):

packet-tracer input outside tcp 172.16.217.100 12345 8.8.8.8 80

This should tell you what would happen to the packet. If you are missing the first command, I suggest the "packet-tracer" output will be very short and you should see a phase with DROP pretty soon.

- Jouni

Hello,

Thanks so much for your help.

The above NAT-RULE allows my users to NAT to anywhere on the internet.  Ideally I would like to create a NAT rule that would allow any source on the outside,outside nat rule to be able to NAT to a group named NAT-DESTINATION.

This would stop me from having to add each site in manually every time I add a new EZVPN site, whilst maintaining a restricted NAT-DESTINATION group.

Would you recommend using an access list maybe?

Thanks

Tom

Hi,

The only thing I am unclear about is the NAT-DESTINATION group.

Is this supposed to be some object that defines the actual NAT address the remote users use? I am just wondering, as we first used the "outside" interface IP address as the PAT address. Has this changed?

If I were to configure the above and had a requirement to add multiple source networks beforehand to the Dynamic PAT configuration, to avoid adding every single new site, then I would configure it with Manual NAT instead of my originally suggested Auto NAT:

object-group network REMOTE-SOURCE-NETWORKS
 network-object
 network-object
 network-object
 network-object

nat (outside,outside) after-auto source dynamic REMOTE-SOURCE-NETWORKS interface

I assume that you have preallocated parts of some networks as subnets for the remote sites and because of this could already add all those subnets/networks to the "object-group" and have a PAT configuration ready for everyone.

Let me know if this was what you were looking for.

Hope this helps

Please do remember to mark a reply as the correct answer if it answered your question.

Feel free to ask more if needed

- Jouni

Hello Jouni,

Thanks for the reply. 

That sounds good for me to allow the Remote Networks to NAT. However, using your command above they would be able to NAT to anywhere on the internet. I would like these networks to only be able to access specific networks on the internet, e.g. Office 365 IP addresses etc.

Hi,

I suppose you could do it by configuring:

object-group network REMOTE-SOURCE-NETWORKS
 network-object
 network-object
 network-object
 network-object

object-group network ALLOWED-FOR-REMOTE
 network-object host
 network-object

nat (outside,outside) after-auto source dynamic REMOTE-SOURCE-NETWORKS interface destination static ALLOWED-FOR-REMOTE ALLOWED-FOR-REMOTE

I guess for the above configuration to apply you would have to remove the current Auto NAT / Network Object NAT configuration (as it's higher priority than this). Optionally, you could remove the "after-auto" parameter from the "nat" command, which would make it higher priority than the Auto NAT / Network Object NAT.

Though I would personally prefer controlling this with ACLs at some point of the network. You could even do it with the remote device's LAN interface ACL so that the traffic/connection attempt would never even go through the VPN.

Cisco doesn't really suggest using NAT as a means to do access control.

- Jouni
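The section-order point in the reply above, as an added example that is not part of the thread: a small Python model of how the ASA walks its NAT table (manual rules, then Auto/object NAT, then "after-auto" manual rules) run over the rules discussed here. The object-group members, the rule name ALLOWED-ONLY and the second site 172.16.218.0/24 are constructed placeholders, and the model ignores interface pairs and the finer ordering inside section 2.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class NatRule:
    """One ASA 8.3+ NAT rule, reduced to what matters for ordering."""
    name: str
    section: int                  # 1 = manual, 2 = Auto/object NAT, 3 = manual "after-auto"
    sources: list                 # networks behind the source object or object-group
    destinations: Optional[list] = None  # None = no "destination static" clause (any dst)

    def matches(self, src, dst):
        if not any(src in net for net in self.sources):
            return False
        return self.destinations is None or any(dst in net for net in self.destinations)

def nets(*cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]

# Group members are constructed placeholders (TEST-NET ranges) standing in for the
# elided network-object lines; 172.16.217.0/24 is the remote LAN from the thread.
REMOTE_SOURCE_NETWORKS = nets("172.16.217.0/24", "172.16.218.0/24")
ALLOWED_FOR_REMOTE = nets("203.0.113.10/32", "198.51.100.0/24")

# object network REMOTE-SITE-PAT ... nat (outside,outside) dynamic interface
AUTO_NAT = NatRule("REMOTE-SITE-PAT", 2, nets("172.16.217.0/24"))
# nat (outside,outside) after-auto source dynamic ... destination static ALLOWED-FOR-REMOTE ...
AFTER_AUTO = NatRule("ALLOWED-ONLY", 3, REMOTE_SOURCE_NETWORKS, ALLOWED_FOR_REMOTE)
# The same rule with "after-auto" removed, which places it in section 1
MANUAL_FIRST = NatRule("ALLOWED-ONLY", 1, REMOTE_SOURCE_NETWORKS, ALLOWED_FOR_REMOTE)

def lookup_nat(rules, src_ip, dst_ip):
    """First rule hit in section order 1, 2, 3 (same-section order is list order);
    None means no rule matched and the ASA forwards the packet untranslated."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in sorted(rules, key=lambda r: r.section):   # sorted() is stable
        if rule.matches(src, dst):
            return rule.name
    return None

def as_posted():
    return [AUTO_NAT, AFTER_AUTO]

def without_auto_nat():
    return [AFTER_AUTO]

def manual_before_auto():
    return [AUTO_NAT, MANUAL_FIRST]
```

Probing 172.16.217.100 towards 203.0.113.10 and 8.8.8.8 against each rule set plays the role of the packet-tracer checks from earlier in the thread: while the Auto NAT object is present it is hit for every destination, and once it is removed a destination outside ALLOWED-FOR-REMOTE matches no rule at all rather than being blocked.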

Spot on.

Thanks for your help Jouni

Hi,

I am also trying the same scenario, but I am getting some error. Can you post your server config as well?

I have configured it using the Cisco client and it is working. My internet traffic is going out via the tunnel, but with the hardware client I am getting the following error:

5 Jan 16 2016 09:38:30 713050 Group = EasyVPN, Username = hardware1, IP = y.y.y.y, Connection terminated for peer hardware1. Reason: Peer Terminate Remote Proxy 0.0.0.0, Local Proxy 0.0.0.0
