09-08-2011 09:58 PM
I've got a client that recently got an ASA 5505. E0/0 is connected to the outside, E0/1 connected to the internal server (Win 2008). The ASA "local network" is 172.30.1.0/24; my internal network is 192.168.1.0/24. I'm able to connect from home through AnyConnect and get a proper address (which I've got a pool of 172.30.1.64/26 assigned for VPN users), but no traffic from my computer will go to the internal network, nor will the internal server (or the ASA for that matter) can't talk to my VPN'd computer.
On the firewall settings on the ASA, I've got it all open: any/any on both inside and outside, just to try and get anything to go through. I've even got split-tunneling working, but not traffic-passing! The config is below (redacting local AAA users). Any help would be appreciated!
: Saved : ASA Version 8.2(1) ! hostname MGFP-ASA domain-name mgfp.local enable password z3wSfrC0H.OIDKq4 encrypted passwd 2KFQnbNIdI.2KYOU encrypted names ! interface Vlan1 nameif inside security-level 100 ip address 172.30.1.1 255.255.255.0 ! interface Vlan2 mac-address 0006.259d.7411 nameif outside security-level 0 ip address dhcp setroute ! interface Ethernet0/0 switchport access vlan 2 ! interface Ethernet0/1 ! interface Ethernet0/2 ! interface Ethernet0/3 ! interface Ethernet0/4 ! interface Ethernet0/5 ! interface Ethernet0/6 ! interface Ethernet0/7 ! ftp mode passive clock timezone MST -7 dns domain-lookup inside dns server-group DefaultDNS name-server 192.168.1.5 name-server 208.67.222.222 name-server 208.67.220.220 domain-name mgfp.local access-list outside_access_in extended permit ip any any access-list outside_nat0_outbound extended permit ip any 192.168.1.0 255.255.255.0 access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.1.192 255.255.255.192 inactive access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 172.30.1.0 255.255.255.0 access-list inside_nat0_outbound_1 extended permit ip 192.168.1.0 255.255.255.0 172.30.1.0 255.255.255.0 access-list inside_access_in extended permit ip 172.30.1.0 255.255.255.0 192.168.1.0 255.255.255.0 access-list inside_access_in remark Allow VPN traffic inside. access-list inside_access_in extended permit ip any any access-list inside_access_out remark Allow traffic from internal to VPN access-list inside_access_out extended permit ip 192.168.1.0 255.255.255.0 172.30.1.0 255.255.255.0 access-list SPLIT-TUNNEL standard permit 192.168.1.0 255.255.255.0 access-list SPLIT-TUNNEL standard permit 172.30.1.0 255.255.255.0 access-list inside_nat0_outbound_2 extended permit ip 192.168.1.0 255.255.255.0 172.30.1.0 255.255.255.0 pager lines 24 logging asdm informational mtu inside 1500 mtu outside 1500 ip local pool VPN-Router 172.30.1.64-172.30.1.96 mask 255.255.255.0 icmp unreachable rate-limit 1 burst-size 1 no asdm history enable arp timeout 14400 global (outside) 1 interface nat (inside) 0 access-list NONAT nat (inside) 1 0.0.0.0 0.0.0.0 access-group inside_access_in in interface inside access-group inside_access_out out interface inside access-group outside_access_in in interface outside ! router rip ! route inside 192.168.1.0 255.255.255.0 172.30.1.1 1 timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute timeout tcp-proxy-reassembly 0:01:00 dynamic-access-policy-record DfltAccessPolicy webvpn svc ask none default svc aaa-server Providers protocol ldap aaa-server Providers (inside) host 192.168.1.5 timeout 5 server-type microsoft http server enable http 192.168.1.0 255.255.255.0 inside http 172.30.1.0 255.255.255.0 inside http 206.128.64.74 255.255.255.255 outside http 206.169.38.99 255.255.255.255 outside no snmp-server location no snmp-server contact snmp-server enable traps snmp authentication linkup linkdown coldstart crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac crypto ipsec security-association lifetime seconds 28800 crypto ipsec security-association lifetime kilobytes 4608000 crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1 crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5 crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP crypto map outside_map interface outside crypto isakmp enable outside crypto isakmp policy 10 authentication pre-share encryption 3des hash sha group 2 lifetime 86400 telnet timeout 5 ssh 206.128.64.74 255.255.255.255 outside ssh 206.169.38.99 255.255.255.255 outside ssh timeout 5 console timeout 0 dhcp-client client-id interface outside dhcpd update dns ! dhcpd address 172.30.1.16-172.30.1.32 inside dhcpd dns 8.8.8.8 interface inside dhcpd enable inside ! threat-detection basic-threat threat-detection statistics port threat-detection statistics protocol threat-detection statistics access-list no threat-detection statistics tcp-intercept webvpn enable outside svc image disk0:/anyconnect-win-2.5.3054-k9.pkg 2 svc image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 3 svc enable group-policy DfltGrpPolicy attributes vpn-tunnel-protocol svc webvpn address-pools value VPN-DHCP webvpn svc ask none default svc group-policy Remote internal group-policy Remote attributes vpn-tunnel-protocol l2tp-ipsec svc split-tunnel-network-list value SPLIT-TUNNEL group-policy VPN internal group-policy VPN attributes vpn-tunnel-protocol l2tp-ipsec svc webvpn split-tunnel-policy tunnelspecified split-tunnel-network-list value SPLIT-TUNNEL address-pools value VPN-Router webvpn url-list none svc ask enable default svc username <REDACTED> ! tunnel-group VPN-REMOTE type remote-access tunnel-group VPN-REMOTE general-attributes address-pool VPN-Router default-group-policy VPN ! class-map inspection_default match default-inspection-traffic ! ! policy-map type inspect dns preset_dns_map parameters message-length maximum 512 policy-map global_policy class inspection_default inspect dns preset_dns_map inspect ftp inspect h323 h225 inspect h323 ras inspect rsh inspect rtsp inspect esmtp inspect sqlnet inspect skinny inspect sunrpc inspect xdmcp inspect sip inspect netbios inspect tftp ! service-policy global_policy global prompt hostname context Cryptochecksum:ab7141d99a375cc04aa2787280689577 : end no asdm history enable
09-08-2011 10:31 PM
The ACL: inside_access_out is incorrect, and I would suggest that you remove that. You don't have to have both inbound and outbound ACL applied to inside interface.
To remove it:
no access-group inside_access_out out interface inside
The inside_access_in ACL also has been configured the other way round, however, since you have "permit ip any any" it should allow the traffic after you remove the above outbound ACL.
The inside_access_in ACL should say:
access-list inside_access_in permit ip 192.168.1.0 255.255.255.0 172.30.1.0 255.255.255.0
"in" means inbound towards the inside interface, and "out" means outbound from the inside interface.
09-08-2011 10:56 PM
Thanks for the quick reply! However, it's still not solved. I removed the inside_access_out ACL and disabled the inside_access_in ACL (since the any/any rule is there), but still no dice. If it helps, here are the routing tables of my machine when VPN'd in and the ASA. Also, results of Packet Trace within ASDM, trying to go from 172.30.1.0 to 192.168.1.0 and vice-versa will be below the routing tables.
ASA:
Gateway of last resort is 206.128.64.33 to network 0.0.0.0
C 206.128.64.32 255.255.255.248 is directly connected, outside
C 172.30.1.0 255.255.255.0 is directly connected, inside
S 172.30.1.64 255.255.255.255 [1/0] via 206.128.64.33, outside
S 192.168.1.0 255.255.255.0 [1/0] via 172.30.1.1, inside
d* 0.0.0.0 0.0.0.0 [1/0] via 206.128.64.33, outside
--------------------------------------------------------------------------
My computer (while connected to VPN):
===========================================================================
Interface List
16...00 05 9a 3c 7a 00 ......Cisco AnyConnect VPN Virtual Miniport Adapter for
Windows x64
17...02 50 41 00 00 01 ......PAN Virtual Ethernet Adapter
14...60 33 4b 21 7d d3 ......Bluetooth Device (Personal Area Network)
12...60 33 4b 21 93 37 ......Broadcom 802.11n Network Adapter
11...c4 2c 03 33 af 63 ......Broadcom NetXtreme Gigabit Ethernet
1...........................Software Loopback Interface 1
27...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
19...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
30...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
15...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
31...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #4
32...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #5
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.102 25
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
172.30.1.0 255.255.255.0 On-link 172.30.1.64 2
172.30.1.64 255.255.255.255 On-link 172.30.1.64 257
172.30.1.255 255.255.255.255 On-link 172.30.1.64 257
192.168.1.0 255.255.255.0 On-link 172.30.1.64 2
192.168.1.1 255.255.255.255 On-link 192.168.1.102 26
192.168.1.102 255.255.255.255 On-link 192.168.1.102 281
192.168.1.255 255.255.255.255 On-link 172.30.1.64 257
206.128.64.34 255.255.255.255 192.168.1.1 192.168.1.102 26
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.1.102 281
224.0.0.0 240.0.0.0 On-link 172.30.1.64 10000
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.1.102 281
255.255.255.255 255.255.255.255 On-link 172.30.1.64 257
===========================================================================
Persistent Routes:
None
--------------------------------------------------------------------
Firewall Packet Trace
Source: 172.30.1.1 | Destination: 192.168.1.5
Result: FLOW-LOOKUP & ROUTE-LOOKUP pass, but ACCESS-LIST fails. Action=drop; Config, Implicit Rule.
I click on "Show rule in Access Rules table" and it goes to Inside Incoming any/any Deny (Implicit Rule). I get the same result going back the other way.
It doesn't make sense to me how an "any/any permit" rule gets bypassed? Also as a last note, pinging from internal server or ASA to my computer still doesn't go, and vice-versa. Also, just tested: the ASA cannot ping my internal network (192.168.1.0). ???
09-08-2011 11:05 PM
OK, the ip pool should really be in a different subnet than the ASA inside interface, otherwise the router will keep arp-ing for it instead of routing it.
I would suggest that you change the IP Pool to a unique subnet, and modify NAT exemption accordingly.
EG: IP Pool 192.168.55.0/24
ip local pool VPN-Router 192.168.55.1-192.168.55.32 mask 255.255.255.0
access-list NONAT permit ip 192.168.1.0 255.255.255.0 192.168.55.0 255.255.255.0
access-list NONAT permit ip 172.30.1.0 255.255.255.0 192.168.55.0 255.255.255.0
Then "clear xlate" to clear the existing translation, and re-connect to the VPN again. It should work this time.
To further test: add "management-access inside", and see if you can ping 172.30.1.1 from the VPN.
09-08-2011 11:13 PM
OK, almost there! I can now ping 172.30.1.1 from the VPN, but I still can't gain access to the 192.168.1.0 network. I'm getting excited, though, and really appreciate your help!
06-17-2013 09:49 AM
I am at this point, I have the same problem but with the Windows Cisco VPN cleint I access all my servers and ping ANY host inside my network, switch over to linux or MAC and use its Built_in_VPN I connect fine, and can ping my asa's internal IP 129.168.1.1 but nothing else!!!
09-08-2011 11:22 PM
One other quick note:
I just tried to connect to the internal server (192.168.1.5), still no go. However, I COULD connect to it through its 2nd NIC that's connected to the ASA, which has an IP of 172.30.1.2! I know that you must think I'm stupid, but I can't figure out how to fix this. I know what the problem is, but translating that to configuration just isn't working for me. It seems like a simple routing issue to me, and from this point it might be the Windows server not routing correctly. But at least you've gotten me to this point and I appreciate it!
09-09-2011 12:02 AM
Great progress...
Since you have 2 NICs on the server, and if you would like to use the 192.168.1.5 NIC when connecting from the VPN, then you have to configure static route on that NIC for the VPN pool subnet to be routed through that NIC.
How is the 192.168.1.5 NIC connected to the network? you would need to either have a L3 switch or router, otherwise, it will not work.
Any specific reason why you don't want to connect to it via the 172.30.1.2 NIC? I assume that the default gateway configured on the server is pointed towards the first NIC, hence routing from 192.168.1.5 NIC fails.
09-09-2011 09:54 AM
I'm going to convince them that getting to their server using a different IP from the outside is how it's going to be used, but I still want to ask about this, for my own self-gratification.
If I have Routing and Remote Access running on the Windows Server 2008 box, could I treat that as a router and add the static route(s)? The way it's hooked up now is:
ISP-->ASA-->SERVER-->SWITCH
They don't have any L3 device in the middle. Like I said, it's not mission-critical, but I'm looking for more tortur... I mean, a way to do this. Thanks!
09-12-2011 04:34 AM
If you are going to use 2 NICs on the server, then you have to ensure that traffic is in and out the same NIC.
So if traffic is inbound towards NIC 2, it needs to be routed out via NIC 2 as well. Otherwise, if traffic is inbound towards NIC 1 and the reply is outbound via NIC 1, that will be dropped on the ASA.
Especially important for TCP traffic because ASA is keeping the TCP state table to ensure only legitimate TCP packet gets through. If for example SYN is inbound from 1 ASA interface, and SYN-ACK is towards a different ASA interface, ASA will drop that connection.
Hope that makes sense.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide