1234 Views · 0 Helpful · 13 Replies

Newbie #2 - got AnyConnect working, can't get to work computers

Jeff Rozar
Level 1

This simple solution is evading me!

I successfully got AnyConnect working and I can get a VPN connection to my public static IP (69.x.x.x). I can ping devices on my home network (10.x.x.x) and surf the Internet from my home PC, but I can't ping any computer on my work network (192.x.x.x).

I added a NAT exemption rule (please see attached screenshot of the NAT exemption rule), and I entered the command management-access inside in the ASDM, but I still can't ping any work computer.

Thanks!


13 Replies

Jouni Forss
VIP Alumni

Hi,

Try configuring the following in the window of the picture you attached in your post:

  • Source: The network behind the ASA interface "inside"
  • Destination: The VPN Pool network

Remove any other NAT Exempt/NAT0 configurations you might have configured for this so the configuration stays simple and clean.

- Jouni

And also,

Just to make sure that the ICMP traffic/connections work with regards to firewall settings.

Make sure you have ICMP inspect enabled on your firewall.

My firewall is at the newest software so I'm not 100% sure if the menus/options are named in the same way on your ASDM software.

Try to navigate the following sections

  • Configuration (in the top bar of the ASDM)
  • Firewall (in the bottom left button section)
  • Service Policy Rules (on the left-hand side, which is visible after choosing the previous section "Firewall")
  • There should be something called "inspection_default" in the main window
    • click to select it
    • above it is the "Edit" button, click it
    • In the opening window go to "Rule Actions"
    • Check the box on the "ICMP" section and then apply the configurations

There should also be a "Search" function in the ASDM, somewhere in the top section of the ASDM window perhaps. If you type "inspect" there (without the quotes) you should get a search result that takes you to the section where you can edit the "inspect" configurations.

If you have the ASA in a pretty basic configuration you could simply "drop" these configuration lines to the ASA by choosing

  • Tools (From the top most toolbar)
  • Command Line Interface
    • Choose Multiple Line
    • Copy/Paste the below configurations
    • Press "Send"

policy-map global_policy
 class inspection_default
  inspect icmp

- Jouni

Thanks, but not working after those changes.

I changed it to:

Source: 192.168.1.0/24

Destination: 10.1.2.0/28

Hi,

Just to be clear,

Can you list all the networks in question in this setup:

  • Network behind the ASA
  • Network defined as the VPN Pool

You should do NAT Exempt between the network behind the ASA (which you are trying to reach) and the VPN Pool (from which you get an IP address while connected to the VPN).

You talk about the home network in the posts and it doesn't matter between the connections of your VPN Pool and the network behind the ASA.

Did you perhaps configure Split Tunneling on the connection or are you doing Full Tunnel? This could be determined by going to the Statistics section of the VPN Client when connected and checking the routing section there. There you can see which destination networks are reached through the VPN.

Also, did you manage to enable the ICMP inspection? Since if you have the ASA at pretty default settings, then this ICMP setting isn't enabled and could probably be preventing the ICMP Echo reply back to the VPN Client user.

- Jouni

Network behind the ASA: 192.x.x.x

VPN Pool: 10.x.x.x

AnyConnect shows no "Non-Secured Routes" listed. "Secured Routes" shows one entry of 192.168.1.96.

Yes, I enabled the ICMP inspection by checking the box.

Yes, it is configured for Split tunneling:

DNS Names: [blank]

DNS Lookups Through Tunnel: Yes

Policy: Tunnel Network List Below

List: DefaultRAGroup_splitTunnelAcl_1 (there are five listed: DefaultRAGroup_splitTunnelAcl, DefaultRAGroup_splitTunnelAcl_2, DefaultRAGroup_splitTunnelAcl, inside_nat0_outbound, inside_nat0_outbound_1)

Intercept: No

Hi,

Only one of the Split Tunnel ACLs is used in the connection.

Since your client says in the Secured Routes section only one host IP address of 192.168.1.96, that means that only connections to that IP address are forwarded through the VPN connection to the network behind the ASA.

Other hosts on the network 192.168.1.x/yy are not reachable through the VPN Client connection at the moment. This is because of the mentioned Split Tunnel configuration.

If you need to connect to some other hosts behind the ASA firewall you either need to add them to the ACL that defines the single IP of 192.168.1.96 or change that host IP address to the whole network behind the ASA so that all traffic headed for that network gets forwarded to the VPN connection.

- Jouni

I can't ping 192.168.1.96 - don't know if that matters. And 192.168.1.96 is not in the DHCP or DNS of the Windows Server on the work network.

I need to get to the entire internal work network from the home PC.

In the ASDM, I went to Config/Dev Mgt/DHCP Server, and I saw two entries. One for inside and outside. Both of them are set to No. But in the Global DHCP Options, the Enable auto-configuration from interface [outside] was checked. So I unchecked it, cleared out the DNS Server 1 field, and now when I reconnected, AnyConnect shows 192.168.1.0 as the Destination, with Subnet Mask 255.255.255.0. Don't know if this means anything to my issue.

I still can't ping anything internally.

Hi,

To confirm setting on the firewall side I would really have to see the configuration in CLI format.

You could use the ASDM Tools -> Command Line Interface

to insert the command "show run" and copy/paste the output here on the forums while removing public IP addresses and any other information you think should stay private. Naturally with regards to troubleshooting all the private IP address information should be visible.

I personally find it hard to troubleshoot issues just through the ASDM. Configurations are located under so many windows, tabs and drop-down menus that it's very time consuming. Even worse in my case is that I don't really use ASDM other than for really specific situations. Almost all configurations that I can do I do through the CLI.

- Jouni

Attached!

Ah,

There is the problem (at least one clear problem).

Please use the Tools -> Command Line Interface in the ASDM to insert the following configuration

sysopt connection permit-vpn

This command is currently configured with the "no" parameter in front of it. This means that the default setting is disabled.

  • Default setting is that "sysopt connection permit-vpn" is enabled (it doesn't show in the CLI configuration then)
    • This default setting permits all traffic coming from VPN connections to bypass the "outside" interface ACL
  • When the setting is "no sysopt connection permit-vpn" then every single connection, even one coming from a VPN connection, requires the "outside" interface ACL to permit it.
    • As you don't at the moment even have an "outside" interface ACL, you would have to create an ACL and attach it to the "outside" interface for the traffic to pass from VPN Client to LAN.

So all in all your options are either to

  • Change the setting with the command I provided
  • Configure an ACL to your "outside" interface which permits traffic from the VPN Pool network to the LAN network. (Yes you will be using private IP addresses to permit traffic from "outside" to "inside")

- Jouni

Does sysopt connection permit-vpn cause any security issues?

I did that and it worked! But after I did that, it added 192.168.1.96 as an IP address on the ACL.

Do I just need to do that, or is it better to configure an ACL?

Hi,

It depends on how you want to control the VPN users.

If you trust the VPN users there should be no problem using this setting (allowing all traffic from the VPN user). The users that have access to this VPN (have the username/password etc) should already be trusted.

If you don't want to allow everything through the VPN Client connection then you should leave the "sysopt" connection as it was and create the ACL on your "outside" interface to allow the traffic you need.

For example

access-list OUTSIDE-IN remark Allow VPN user traffic
access-list OUTSIDE-IN permit tcp 10.1.2.0 255.255.255.0 host 192.168.1.96 eq www
access-list OUTSIDE-IN permit icmp 10.1.2.0 255.255.255.0 host 192.168.1.96 echo
access-group OUTSIDE-IN in interface outside

Of course the ACL rules would look the way you want them to. The above is just to give an example of the required commands.

I'm not sure what would cause the networks forwarded to the VPN to change from a network to a single host IP address. The Split Tunnel ACL that you have configured should define the networks or host addresses that are found through the VPN connection.

Please rate the answers if you have found the information to be helpful. If it has answered your question, mark the question as answered.

- Jouni
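The three things Jouni checked in this thread (whether the destination is in the split-tunnel ACL at all, whether "sysopt connection permit-vpn" or an "outside" interface ACL lets the VPN pool traffic in, and whether "inspect icmp" is present) can be read straight out of a "show run" and checked in one place. The script below is an added example, not code from the thread or from Cisco: it parses a constructed config excerpt that reuses the thread's ACL and interface names (DefaultRAGroup_splitTunnelAcl_1, OUTSIDE-IN, outside) and reports why a given VPN client could not reach a given LAN host. It assumes a simplified ACL grammar (permit lines only; addresses written as any, host X, or NET MASK; no object-groups, deny lines or time ranges), and the ICMP check mirrors Jouni's remark that a missing "inspect icmp" can stop echo replies, not a general rule about ASA behaviour.

```python
"""Model the three ASA checks from this thread against a 'show run' excerpt.

Added example, not from the thread or from Cisco. Assumes a simplified ACL
grammar (permit lines only; 'any', 'host X' or 'NET MASK' addresses; no
object-groups, deny lines or time ranges). ACL and interface names come from
the thread; the config text itself is constructed.
"""
import ipaddress
import re

# Constructed 'show run' excerpt in the shape discussed in the thread
# (not the original poster's real output).
SAMPLE_CONFIG = """\
access-list DefaultRAGroup_splitTunnelAcl_1 standard permit host 192.168.1.96
access-list OUTSIDE-IN remark Allow VPN user traffic
access-list OUTSIDE-IN extended permit tcp 10.1.2.0 255.255.255.0 host 192.168.1.96 eq www
access-list OUTSIDE-IN extended permit icmp 10.1.2.0 255.255.255.0 host 192.168.1.96 echo
access-group OUTSIDE-IN in interface outside
no sysopt connection permit-vpn
policy-map global_policy
 class inspection_default
  inspect icmp
"""

ANY = ipaddress.ip_network("0.0.0.0/0")


def _parse_addr(tokens):
    """Consume one ASA address spec (any | host X | NET MASK); return (network, rest)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]


def acl_entries(config, name):
    """Yield (proto, src_net, dst_net) for each permit entry of the named ACL.

    Standard ACLs (the split-tunnel kind) carry only a destination, so their
    source is recorded as 'any' and their protocol as 'ip'. Lines typed without
    the 'extended' keyword, as in the thread, are accepted too.
    """
    for line in config.splitlines():
        t = line.split()
        if len(t) < 4 or t[:2] != ["access-list", name] or t[2] == "remark" or "permit" not in t:
            continue
        rest = t[t.index("permit") + 1:]
        if t[2] == "standard":
            dst, _ = _parse_addr(rest)
            yield "ip", ANY, dst
        else:
            proto, rest = rest[0], rest[1:]
            src, rest = _parse_addr(rest)
            dst, _ = _parse_addr(rest)
            yield proto, src, dst


def permit_vpn_bypass(config):
    """True when 'sysopt connection permit-vpn' is in effect (the ASA default).

    The enabled default is not printed in the config; only the disabling
    'no ...' form shows up, which is what the thread found.
    """
    return re.search(r"^no sysopt connection permit-vpn\s*$", config, re.M) is None


def outside_acl_name(config):
    """Name of the ACL applied inbound on interface 'outside', or None."""
    m = re.search(r"^access-group (\S+) in interface outside\s*$", config, re.M)
    return m.group(1) if m else None


def outside_acl_permits(config, proto, src, dst):
    """Would the 'outside' interface ACL permit proto from src to dst?"""
    name = outside_acl_name(config)
    if name is None:
        return False  # no ACL bound: without the sysopt bypass nothing gets in
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(p in (proto, "ip") and s in sn and d in dn
               for p, sn, dn in acl_entries(config, name))


def split_tunnel_covers(config, acl_name, dst):
    """Is dst one of the client's 'Secured Routes', i.e. sent into the tunnel at all?"""
    d = ipaddress.ip_address(dst)
    return any(d in dn for _, _, dn in acl_entries(config, acl_name))


def icmp_inspect_enabled(config):
    """Is 'inspect icmp' present under the inspection policy?"""
    return re.search(r"^\s*inspect icmp\s*$", config, re.M) is not None


def vpn_client_can_reach(config, split_acl, src, dst, proto="icmp"):
    """Run the checks in the order the thread worked through them; first failure wins."""
    if not split_tunnel_covers(config, split_acl, dst):
        return False, "destination is not in the split-tunnel ACL (not a Secured Route)"
    if not (permit_vpn_bypass(config) or outside_acl_permits(config, proto, src, dst)):
        return False, "'no sysopt connection permit-vpn' is set and no outside ACL entry matches"
    if proto == "icmp" and not icmp_inspect_enabled(config):
        return False, "'inspect icmp' is missing, so echo replies may be dropped"
    return True, "allowed"


if __name__ == "__main__":
    pool_client, split = "10.1.2.5", "DefaultRAGroup_splitTunnelAcl_1"
    for target in ("192.168.1.96", "192.168.1.50"):
        print(target, vpn_client_can_reach(SAMPLE_CONFIG, split, pool_client, target))
```

Run against the sample, 192.168.1.96 is reachable (it is the one Secured Route and the outside ACL permits ICMP to it), while 192.168.1.50 fails at the first check, which is exactly the symptom Jeff saw before the split-tunnel ACL was widened to 192.168.1.0/24. Feed it a pasted "show run" with the sysopt line present and no access-group on outside, and it returns the second reason, which is the fix this thread ended on.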

Of course! It's the LEAST I can do!