11-05-2014 08:45 AM
I have a weird issue but I can't find a solution for it. I configured SSL VPN on the firewall and my goal was to allow VPN users access to two subnets (10.15.216.0/22 and 10.15.220.0/22). The internal interface of the firewall is attached to the 10.15.220.0 subnet. VPN clients will be assigned an IP address from the firewall IP pool -- 10.15.200.0/24.
I already configured appropriate access list:
access-list split_vpn_users standard permit 10.15.220.0 255.255.252.0
access-list split_vpn_users standard permit 10.15.216.0 255.255.252.0
VPN is working when I need to access devices on the 10.15.220.0 subnet, but I can't get to any devices on the 10.15.216.0 subnet. When I run packet-tracer I get the following result:
act# packet-tracer input inside icmp 10.15.200.2 8 0$
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd793b4a0, priority=12, domain=capture, deny=false
hits=621531641, user_data=0xd7bbe720, cs_id=0x0, l3_type=0x0
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0000.0000.0000
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd7dc31d8, priority=1, domain=permit, deny=false
hits=23451445222, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.15.216.0 255.255.252.0 inside
Phase: 4
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (rpf-violated) Reverse-path verify failed
Any help in troubleshooting this issue would be greatly appreciated.
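Reading a trace like the one above by hand is error-prone, so here is an added Python helper (example code, not from this thread and not a Cisco tool) that parses packet-tracer output and performs the same comparison the ASA's reverse-path check does: among the routes the trace shows, it picks the most specific one containing the packet's source address and compares that route's interface with the ingress interface given on the command line. The sample is the trace from the question with the hit-count and MAC lines trimmed; the destination at the end of the command was cut off in the post, so only the source address is parsed.

```python
import re
from ipaddress import ip_address, ip_network

# Trace copied from the question above, with hit-count and MAC lines trimmed.
# The destination at the end of the command line was cut off in the post.
SAMPLE = """\
act# packet-tracer input inside icmp 10.15.200.2 8 0
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd793b4a0, priority=12, domain=capture, deny=false
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd7dc31d8, priority=1, domain=permit, deny=false
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.15.216.0 255.255.252.0 inside
Phase: 4
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Result:
input-interface: inside
output-interface: inside
Action: drop
Drop-reason: (rpf-violated) Reverse-path verify failed
"""

CMD_RE = re.compile(r"packet-tracer\s+input\s+(\S+)\s+(\S+)\s+(\S+)")
ROUTE_RE = re.compile(r"^in\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)$")


def parse_packet_tracer(text):
    """Split packet-tracer output into the command, its phases and the final summary."""
    report = {"command": {}, "phases": [], "summary": {}}
    phase, in_summary = None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not report["command"] and (m := CMD_RE.search(line)):
            report["command"] = {"interface": m.group(1), "protocol": m.group(2), "src": m.group(3)}
        elif line.startswith("Phase:"):
            phase = {"phase": int(line.split(":", 1)[1]), "info": []}
            report["phases"].append(phase)
        elif line == "Result:" and phase is not None:
            phase, in_summary = None, True  # bare "Result:" starts the final summary
        elif in_summary:
            key, _, value = line.partition(":")
            report["summary"][key.strip()] = value.strip()
        elif phase is not None:
            key, sep, value = line.partition(":")
            if sep and key in ("Type", "Subtype", "Result", "Config"):
                phase[key.lower()] = value.strip()
            else:
                phase["info"].append(line)  # route entries, rule ids, free text
    return report


def reverse_path_check(report):
    """Mimic the ASA reverse-path check with the routes visible in the trace:
    take the most specific route containing the packet's *source* and compare
    its interface with the ingress interface. 'rpf-violated' is that test failing."""
    src = ip_address(report["command"]["src"])
    ingress = report["command"]["interface"]
    best = None
    for phase in report["phases"]:
        if phase.get("type") != "ROUTE-LOOKUP":
            continue
        for line in phase["info"]:
            m = ROUTE_RE.match(line)
            if not m:
                continue
            net = ip_network(f"{m.group(1)}/{m.group(2)}")
            if src in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, m.group(3))
    if best is None:
        return {"src": str(src), "ingress": ingress, "reverse_route": None,
                "reverse_interface": None, "rpf_ok": False}
    return {"src": str(src), "ingress": ingress, "reverse_route": str(best[0]),
            "reverse_interface": best[1], "rpf_ok": best[1] == ingress}


if __name__ == "__main__":
    rep = parse_packet_tracer(SAMPLE)
    print(rep["summary"].get("Action"), rep["summary"].get("Drop-reason", ""))
    print(reverse_path_check(rep))
```

For the trace in the question the only route containing 10.15.200.2 is the default route via outside, while the trace was run with `input inside`, so the helper reports `rpf_ok: False`, which is the drop reason the ASA printed.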
11-11-2014 12:52 PM
Hello,
I see, what is happening here is that you are defining the packet tracer to go from the AnyConnect client IP address (10.15.200.0/24) that should be in the "Outside" and not in the "Inside" to go to the inside.
So the issues here are the following:
1. Make sure whether 10.15.216.0/24 resides behind the inside interface or behind another interface.
2. If yes, you should run the packet tracer from the inside interface (or from the interface pertinent to the outside, i.e. the IP pool of the clients), but from 10.15.216.0 to --> 10.15.200.0/24.
3. Make sure there is a NAT exemption from the 10.15.216.0/24 to the IP POOL 10.15.200.0/24.
For example:
Pre 8.3:
access-list nonat permit ip 10.15.216.0 255.255.255.0 10.15.200.0 255.255.255.0
nat (inside) 0 access-list nonat
NAT 8.3:
object network obj-10.15.216.0
 subnet 10.15.216.0 255.255.255.0
object network obj-10.15.200.0
 subnet 10.15.200.0 255.255.255.0
nat (inside,outside) 1 source static obj-10.15.216.0 obj-10.15.216.0 destination static obj-10.15.200.0 obj-10.15.200.0 no-proxy-arp route-lookup
Let me know how it works out,
Please don't forget to rate, and mark as correct the helpful Post,
David Castro,
Regards,
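As an added cross-check (example code, not from the reply and not a Cisco tool), the Python helper below parses the split-tunnel ACL from the question together with the post-8.3 network objects and twice-NAT rule from the reply, and reports which part of each split-tunnel network is still not paired with the VPN pool by an identity NAT rule. It only sees the lines quoted on this page, so 10.15.220.0/22 shows as uncovered simply because no rule for it is quoted; the more useful finding is that the /24 objects in the reply cover only the first quarter of the /22 that the question's ACL defines. The ACL name `split_vpn_users` and the object names are the ones on the page; the pool 10.15.200.0/24 is the one the question names.

```python
import re
from ipaddress import ip_network

# Lines taken from this thread: the split-tunnel ACL from the question, the
# network objects and twice-NAT rule from the reply, and the pool the question names.
SPLIT_TUNNEL_ACL = """\
access-list split_vpn_users standard permit 10.15.220.0 255.255.252.0
access-list split_vpn_users standard permit 10.15.216.0 255.255.252.0
"""
NAT_CONFIG = """\
object network obj-10.15.216.0
 subnet 10.15.216.0 255.255.255.0
object network obj-10.15.200.0
 subnet 10.15.200.0 255.255.255.0
nat (inside,outside) 1 source static obj-10.15.216.0 obj-10.15.216.0 destination static obj-10.15.200.0 obj-10.15.200.0 no-proxy-arp route-lookup
"""
VPN_POOL = ip_network("10.15.200.0/24")

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+standard\s+permit\s+(\S+)\s+(\S+)")
OBJ_RE = re.compile(r"^object network\s+(\S+)", re.I)
SUBNET_RE = re.compile(r"^\s*subnet\s+(\S+)\s+(\S+)")
NAT_RE = re.compile(
    r"^nat\s+\(\S+,\S+\)\s+\d+\s+source static\s+(\S+)\s+(\S+)"
    r"\s+destination static\s+(\S+)\s+(\S+)"
)


def parse_standard_acl(text, name):
    """Networks permitted by the named standard ACL (address + mask form)."""
    return [
        ip_network(f"{m.group(2)}/{m.group(3)}")
        for m in (ACL_RE.match(l.strip()) for l in text.splitlines())
        if m and m.group(1) == name
    ]


def parse_nat_config(text):
    """Return (objects, identity_pairs). An identity pair is the (real-source,
    real-destination) networks of a twice-NAT rule whose mapped objects equal
    its real objects, which is how a NAT exemption is written from 8.3 on."""
    objects, pairs, current = {}, [], None
    for line in text.splitlines():
        if m := OBJ_RE.match(line):
            current = m.group(1)
        elif (m := SUBNET_RE.match(line)) and current:
            objects[current] = ip_network(f"{m.group(1)}/{m.group(2)}")
        elif m := NAT_RE.match(line):
            src_real, src_mapped, dst_real, dst_mapped = m.groups()
            if src_real == src_mapped and dst_real == dst_mapped:
                pairs.append((objects[src_real], objects[dst_real]))
    return objects, pairs


def subtract(pieces, covered):
    """Remove `covered` from a list of networks, splitting a piece where needed."""
    out = []
    for piece in pieces:
        if piece.subnet_of(covered):
            continue                      # fully covered, drop it
        if covered.subnet_of(piece):
            out.extend(piece.address_exclude(covered))  # keep the uncovered remainder
        else:
            out.append(piece)             # no overlap, keep as is
    return out


def exemption_gaps(acl_nets, pool, pairs):
    """For each split-tunnel network, the part of it that no identity NAT rule
    pairs with the whole VPN pool (either direction of the rule counts)."""
    gaps = {}
    for net in acl_nets:
        remaining = [net]
        for a, b in pairs:
            for lan, vpn in ((a, b), (b, a)):
                if pool.subnet_of(vpn):
                    remaining = subtract(remaining, lan)
        gaps[str(net)] = sorted(str(r) for r in remaining)
    return gaps


if __name__ == "__main__":
    acl = parse_standard_acl(SPLIT_TUNNEL_ACL, "split_vpn_users")
    _, pairs = parse_nat_config(NAT_CONFIG)
    for net, missing in exemption_gaps(acl, VPN_POOL, pairs).items():
        status = "fully exempted" if not missing else "not exempted: " + ", ".join(missing)
        print(f"{net}: {status}")
```

Run against the lines quoted in this thread, the helper reports 10.15.217.0/24 and 10.15.218.0/23 as the parts of 10.15.216.0/22 that the reply's /24 objects leave without an exemption; widening the object to 255.255.252.0 makes the gap list empty.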