08-04-2016 12:32 PM
I have set up an SSL VPN and I can connect via AnyConnect, but my clients in the VPN pool cannot access the internet.
object network SSL_VPN_POOL
nat (Outside,Outside) dynamic interface
nat (Outside,Outside) source static SSL_VPN_NONAT SSL_VPN_NONAT destination static SSL_VPN_POOL SSL_VPN_POOL no-proxy-arp
ip local pool SSL_RA_VPN 172.20.253.1-172.20.253.254 mask 255.255.255.0
The object group SSL_VPN_NONAT contains a list of internal networks that should not be NATed when accessed via the SSL_VPN_POOL clients.
I cannot get to the gateway of my VPN, or ping out to any of the SSL_VPN_NONAT network hosts, or to the internet.
08-05-2016 12:44 AM
Hello Evan,
Below a document with a configuration example for u-turning AnyConnect.
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/100918-asa-sslvpn-00.html
1-The nat outside-outside is correctly configured for u-turn traffic from the SSL_VPN_POOL.
2-You will need to make sure that the following global configuration command is in place:
same-security-traffic permit intra-interface
3-Regarding the second nat you mentioned I got confused. If the SSL_VPN_NONAT is an object that defines internal networks then the correct nat should be:
nat (Inside,Outside) source static SSL_VPN_NONAT SSL_VPN_NONAT destination static SSL_VPN_POOL SSL_VPN_POOL no-proxy-arp route-lookup
Supposing the internal networks are located through the "Inside" interface.
This line will be saying: when traffic is traveling from inside to outside, sourced with SSL_VPN_NONAT, "keep it" with its same ip address when the destination is SSL_VPN_POOL also "keep it" with its same ip address.
This will be the nat exemption for traffic between local networks and remote pool.
Regards,
Miguel
08-09-2016 10:18 AM
Hello mibricen
You were correct in your assumption that the SSL_VPN_NONAT is the object that identifies the internal networks.
I was unable to get my object NAT to work so I created a regular NAT rule, so it now looks like this:
nat (Perham-LAN,Outside) source static any any destination static SSL_VPN_POOL SSL_VPN_POOL no-proxy-arp route-lookup
nat (Outside,Perham-LAN) source static SSL_VPN_POOL SSL_VPN_POOL no-proxy-arp route-lookup
nat (Outside,Outside) source dynamic SSL_VPN_POOL interface
Now:
08-10-2016 03:43 PM
Hello Evan,
Just to clarify, the first and second line on the nat configuration you shared are defining the traffic the same way.
This line is bi-directional:
nat (Perham-LAN,Outside) source static any any destination static SSL_VPN_POOL SSL_VPN_POOL no-proxy-arp route-lookup
So traffic from Any via the Perham-LAN interface going to SSL_VPN_POOL via the outside interface will hit this nat rule, and traffic coming from SSL_VPN_POOL via outside going to Any via Perham-LAN will hit this same rule.
Hence this second line is not really necessary, and it may cause Reverse Path Failure drops if the ASA detects that one nat is used for outbound traffic and another for inbound traffic on the same connection:
nat (Outside,Perham-LAN) source static SSL_VPN_POOL SSL_VPN_POOL no-proxy-arp route-lookup
Now the third nat seems correctly configured; however, you will need to be careful configuring a dynamic nat as policy nat, because if new nat rules are added they will show below the current nat in the nat table and the dynamic rule may absorb traffic not meant for the rule.
So instead of using this:
nat (Outside,Outside) source dynamic SSL_VPN_POOL interface
I personally prefer to use:
object network SSL_VPN_POOL
nat (Outside,Outside) dynamic interface
Which on the very first post of this forum you mentioned that you already had configured if I understood correctly.
By running the command show run nat it should show like:
nat (Perham-LAN,Outside) source static any any destination static SSL_VPN_POOL SSL_VPN_POOL no-proxy-arp route-lookup
nat (Outside,Outside) source dynamic SSL_VPN_POOL interface
Making sure that the dynamic nat is always the last, to avoid it taking precedence.
And as a personal opinion, I will rather configure it like this, with the no nat on the policy nat (Section 1) and the dynamic nat on the object nat (Section 2):
nat (Perham-LAN,Outside) source static SSL_VPN_NONAT SSL_VPN_NONAT destination static SSL_VPN_POOL SSL_VPN_POOL no-proxy-arp route-lookup
!
object network SSL_VPN_POOL
nat (Outside,Outside) dynamic interface
I will prefer to use a previously defined object or object-group instead of the "any" on the policy nat, since it may absorb traffic not meant to it.
For troubleshooting your current issue, please run a packet-tracer command from one of the hosts on the internal LAN to one host in the VPN pool:
packet-tracer input Perham-LAN icmp 192.168.2.43 8 0 172.20.253.43 detailed
Note: Replace <192.168.2.43> for a real host ip on your local lan and <172.20.253.43> for the ip assigned on the Remote user.
Check if it shows any drop on some phase.
You may also want to run the same command backwards to check for any difference.
packet-tracer input Outside icmp 172.20.253.43 8 0 192.168.2.43 detailed
And also:
packet-tracer input Outside icmp 172.20.253.43 8 0 192.168.2.43 detailed
To make sure they are following the correct path and hitting the correct nat rules.
Very important: for the packet tracer to work in an outside>inside scenario, the traffic needs to be permitted by an access-group applied to the outside interface.
If you find anything unusual on the packet tracer responses let me know. Or once collected attach them on the forum for analysis.
Regards,
Miguel
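The ordering point Miguel makes above (a dynamic rule left in the manual-NAT section can swallow traffic meant for rules added later, whereas object NAT always sits in the section evaluated after the manual rules) can be checked mechanically against the text of show run nat. The script below is an added example written for this thread, not code from the original posts or from Cisco; it assumes a simplified three-section evaluation model (Section 1 manual NAT in configuration order, Section 2 object NAT, Section 3 manual NAT with after-auto) and does not model the finer ordering inside Section 2. The two configurations it parses are constructed from the rule lines discussed in the thread, with a later-added identity rule for the pool to show the shadowing case.

```python
import re
from dataclasses import dataclass

# Simplified model of ASA NAT ordering, used only for this illustration (assumption):
#   Section 1: manual (twice) NAT, evaluated in configuration order
#   Section 2: object (auto) NAT
#   Section 3: manual NAT entered with the 'after-auto' keyword
# Ordering inside Section 2 (static before dynamic, longest prefix first)
# is not modelled; the check only cares about Section 1 versus Section 2.

MANUAL_RE = re.compile(
    r'^nat \((?P<src_if>[^,]+),(?P<dst_if>[^)]+)\)(?P<after> after-auto)? '
    r'source (?P<kind>static|dynamic) (?P<src>\S+)')
OBJECT_RE = re.compile(
    r'^\s+nat \((?P<src_if>[^,]+),(?P<dst_if>[^)]+)\) (?P<kind>static|dynamic)\b')
OBJECT_HDR_RE = re.compile(r'^object network (?P<name>\S+)')


@dataclass
class NatRule:
    line: str      # rule text as configured
    section: int   # 1, 2 or 3 as described above
    order: int     # position within the running configuration
    dynamic: bool  # True for 'source dynamic' / 'dynamic interface'
    src: str       # source object (or 'any'); the object name for object NAT
    src_if: str    # real (ingress) interface named in the rule


def parse_show_run_nat(text: str) -> list[NatRule]:
    """Parse the text of 'show run nat' into NatRule records."""
    rules: list[NatRule] = []
    current_object = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith('!'):
            continue
        m = OBJECT_HDR_RE.match(line)
        if m:                      # object NAT lines follow, indented
            current_object = m['name']
            continue
        m = MANUAL_RE.match(line)
        if m:
            rules.append(NatRule(line, 3 if m['after'] else 1, len(rules),
                                 m['kind'] == 'dynamic', m['src'], m['src_if']))
            continue
        m = OBJECT_RE.match(line)
        if m and current_object:
            rules.append(NatRule(line.strip(), 2, len(rules),
                                 m['kind'] == 'dynamic', current_object, m['src_if']))
    return rules


def shadowed_rules(rules: list[NatRule]) -> list[tuple[str, str]]:
    """Return (dynamic_rule, shadowed_rule) pairs.

    A pair is reported when a dynamic Section 1 rule is evaluated before a
    static/identity rule for the same source object and ingress interface:
    the dynamic rule matches first and the later rule is never consulted.
    """
    ordered = sorted(rules, key=lambda r: (r.section, r.order))
    findings = []
    for i, rule in enumerate(ordered):
        if rule.section != 1 or not rule.dynamic:
            continue
        for later in ordered[i + 1:]:
            if (not later.dynamic and later.src == rule.src
                    and later.src_if == rule.src_if):
                findings.append((rule.line, later.line))
    return findings


# Constructed sample 1: dynamic NAT for the pool kept as manual NAT, with an
# identity rule for the same pool appended afterwards (shadowed).
MANUAL_DYNAMIC_NAT = """\
nat (Perham-LAN,Outside) source static SSL_VPN_NONAT SSL_VPN_NONAT destination static SSL_VPN_POOL SSL_VPN_POOL no-proxy-arp route-lookup
nat (Outside,Outside) source dynamic SSL_VPN_POOL interface
nat (Outside,Perham-LAN) source static SSL_VPN_POOL SSL_VPN_POOL no-proxy-arp route-lookup
"""

# Constructed sample 2: same rules, but the dynamic NAT moved to object NAT
# (Section 2), so the identity rule in Section 1 is always evaluated first.
OBJECT_NAT_VARIANT = """\
nat (Perham-LAN,Outside) source static SSL_VPN_NONAT SSL_VPN_NONAT destination static SSL_VPN_POOL SSL_VPN_POOL no-proxy-arp route-lookup
nat (Outside,Perham-LAN) source static SSL_VPN_POOL SSL_VPN_POOL no-proxy-arp route-lookup
!
object network SSL_VPN_POOL
 nat (Outside,Outside) dynamic interface
"""


if __name__ == '__main__':
    for label, cfg in (('manual dynamic', MANUAL_DYNAMIC_NAT),
                       ('object dynamic', OBJECT_NAT_VARIANT)):
        print(label, shadowed_rules(parse_show_run_nat(cfg)))
```

Running it reports one shadowed pair for the first configuration and none for the second, which is the practical reason behind preferring object NAT for the pool's dynamic translation: a no-NAT rule added to Section 1 later still lands ahead of it without anyone having to reorder the NAT table.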