VPN CLIENT CAN'T ACCESS INSIDE NETWORK

broadleon
Level 1

hi,

It just stopped working, and I can't even ping the inside interface once connected.

Please find below the configuration of my firewall.

 

 

Result of the command: "sh run"


: Hardware: ASA5516, 8192 MB RAM, CPU Atom C2000 series 2416 MHz, 1 CPU (8 cores)
:
ASA Version 9.6(1)
!
hostname pegasus
domain-name jth.local
enable password IFomWluDEyOnsYVw encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
ip local pool PegasusPool 10.200.10.2-10.200.10.253 mask 255.255.255.0

!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address ***********************
!
interface GigabitEthernet1/2
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/2.843
vlan 843
nameif Inside
security-level 99
ip address 10.200.10.1 255.255.255.0
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
shutdown
no nameif
no security-level
no ip address
!
interface Management1/1
management-only
nameif management
security-level 100
ip address ***************
!
ftp mode passive
dns domain-lookup Inside
dns server-group DefaultDNS
expire-entry-timer minutes 60
name-server *************102 Inside
name-server *************101 Inside
domain-name *****************
Objects************************
description DNS Resolution
access-list outside_access_in extended deny ip any any
access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
access-list Inside_access_in extended permit tcp any object dc3.***** eq domain
access-list Inside_access_in extended permit tcp any object dc1.***** eq domain
access-list Inside_access_in extended permit tcp any object api-****************.duosecurity.com eq ldaps
access-list Inside_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu Inside 1500
mtu management 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
access-group outside_access_in in interface outside
access-group Inside_access_in in interface Inside
route Inside 0.0.0.0 0.0.0.0 10.200.10.254 1
route outside 10.0.10.0 255.255.255.0 192.168.192.254 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
ldap attribute-map MAP-ANYCONNECT-LOGIN
map-name memberOf Group-Policy
map-value memberOf CN=AuthorisedAAAUsers,CN=Users,DC=JTH,DC=local GroupPolicy_pegasus
aaa-server LDAPSERVERS protocol ldap
aaa-server LDAPSERVERS (Inside) host *************
timeout 30
ldap-base-dn dc=*****,dc=*****
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=Cisco Authentication,CN=Users,DC=****,DC=****
server-type microsoft
ldap-attribute-map MAP-ANYCONNECT-LOGIN
group-search-timeout 30
aaa-server Duo-Ldap protocol ldap
aaa-server Duo-Ldap (Inside) host api-****************.duosecurity.com
timeout 180
server-port 636
ldap-base-dn dc=*********************,dc=duosecurity,dc=com
ldap-naming-attribute cn
ldap-login-password *****
ldap-login-dn dc=********************,dc=duosecurity,dc=com
ldap-over-ssl enable
server-type auto-detect
user-identity default-domain LOCAL
aaa local authentication attempts max-fail 3
http server enable
http ************************* management
no snmp-server location
no snmp-server contact
sysopt noproxyarp Inside
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint 1&1Certificate
keypair ASDM_TrustPoint0
crl configure
crypto ca trustpool policy
crypto ca certificate chain 1&1Certificate
certificate ******************************************
quit
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
ssl server-version tlsv1.2
ssl cipher dtlsv1 custom "DHE-RSA-AES256-SHA:AES256-SHA"
ssl trust-point 1&1Certificate outside
webvpn
enable outside
hostscan image disk0:/hostscan_4.3.05028-k9.pkg
hostscan enable
anyconnect image disk0:/anyconnect-win-4.5.02033-webdeploy-k9.pkg 1
anyconnect profiles pegasus disk0:/pegasus.xml
anyconnect enable
tunnel-group-list enable
cache
disable
error-recovery disable
mus password *****
group-policy NoAccess internal
group-policy NoAccess attributes
dns-server value ********************************************
vpn-simultaneous-logins 0
vpn-tunnel-protocol ssl-client ssl-clientless
webvpn
customization value CiscoDuo
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
group-policy GroupPolicy_pegasus internal
group-policy GroupPolicy_pegasus attributes
wins-server none
dns-server value ****************************************
vpn-simultaneous-logins 25
vpn-tunnel-protocol ssl-client
password-storage disable
default-domain value *****
webvpn
anyconnect ssl dtls enable
anyconnect ssl compression lzs
anyconnect dtls compression lzs
anyconnect modules value dart,posture
anyconnect profiles value pegasus type user
customization value CiscoDuo
dynamic-access-policy-record DfltAccessPolicy
dynamic-access-policy-record PegasusACL
description "Pegasus Allowed Clients"
username ***************************************************
username *********************************************************
tunnel-group pegasus type remote-access
tunnel-group pegasus general-attributes
address-pool PegasusPool
authentication-server-group LDAPSERVERS LOCAL
secondary-authentication-server-group Duo-Ldap use-primary-username
default-group-policy NoAccess
tunnel-group pegasus webvpn-attributes
customization CiscoDuo
group-alias pegasus enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect dns preset_dns_map
inspect icmp
inspect icmp error
inspect ip-options
class class-default
user-statistics accounting
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
hpm topN enable
Cryptochecksum:77434066823bada6f2fa41bc98743be4
: end


14 Replies

Hi @broadleon

I didn't look at the whole config file, but I saw that your first ACL statement is this:

access-list outside_access_in extended deny ip any any

ACLs are usually read by devices top to bottom, so this ACL could block everything on your interface.

 Also, share the output of:

show run all sysopt

 

-If I helped you somehow, please, rate it as useful.-

 

 

I'm not sure how the ACL of deny ip any any on the outside will affect traffic on the inside interface, since that's where the VPN client will sit once authenticated.

 

no sysopt traffic detailed-statistics
no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
sysopt connection permit-vpn
sysopt connection reclassify-vpn
no sysopt connection preserve-vpn-flows
no sysopt radius ignore-secret
no sysopt noproxyarp outside
sysopt noproxyarp Inside
no sysopt noproxyarp management

 

Mate, you get into the firewall through the outside interface. How are you supposed to do anything if you have a deny any any on the outside?

You should change this, although you do have sysopt connection permit-vpn in place.

 

-If I helped you somehow, please, rate it as useful.-

There is no denied traffic on the interface. I can connect to the webpage to download the client perfectly, the Cisco VPN connects perfectly, and traffic communicates with the client on the outside interface fine.



What do you suggest I should have on the outside interface?


Yeah, you can, because an ACL does not block traffic to the firewall; it blocks traffic through the firewall. Control plane and data plane.

I am just saying that you should remove this ACL, even though it might not be the problem.

 

-If I helped you somehow, please, rate it as useful.-

If I remove deny ip any any, what stops the unwanted traffic?

No. The firewall will block any traffic unless you explicitly permit it.

So, if you don't permit it, it will be blocked; that's the rule.

 

 

 

 

-If I helped you somehow, please, rate it as useful.-

Bogdan Nita
VIP Alumni

May I ask from where you are trying to ping and what interface you are trying to ping?

You might want to configure: icmp permit <ip> <netmask> <interface>

I cannot ping or reach any servers or router gateways, or reach the internet, once authenticated on the VPN.

 

We pass all traffic through the VPN, no split tunnelling.

Are you assigned to the GroupPolicy_pegasus when you are connected?

Please share output from the following command:

show vpn-sessiondb anyconnect

 

You have the same IPs configured for the vpn pool as well as for the inside interface.

This could lead to duplicate IPs. Try to change the vpn pool.

 

I do not see NAT configured, that would explain why you are unable to reach the internet when you connect over vpn. However, you should be able to reach internal IPs.

Yes, I am assigned Pegasus once authenticated.

My internet goes out through the inside interface to a router gateway on my network, hence the 0.0.0.0 route on the inside. I don't get internet through the same firewall as the VPN connection, so I don't need NAT on the same firewall.

I only have two IPs on the inside interface: .1 the ASA, and .254 a router. The pool is configured to assign IPs in between; is that an issue?

 

Result of the command: "Show vpn-sessiondb detail anyconnect filter name themaster"

 

Session Type: AnyConnect Detailed

 

Username     : themaster              Index        : 17

Assigned IP  : 10.200.10.4            Public IP    : 10.x.10.x

Protocol     : AnyConnect-Parent DTLS-Tunnel

License      : AnyConnect Premium

Encryption   : AnyConnect-Parent: (1)none  DTLS-Tunnel: (1)AES256

Hashing      : AnyConnect-Parent: (1)none  DTLS-Tunnel: (1)SHA1

Bytes Tx     : 16150                  Bytes Rx     : 91491

Pkts Tx      : 12                     Pkts Rx      : 776

Pkts Tx Drop : 0                      Pkts Rx Drop : 0

Group Policy : GroupPolicy_pegasus    Tunnel Group : pegasus

Login Time   : 18:33:07 UTC Mon Nov 13 2017

Duration     : 0h:11m:06s

Inactivity   : 0h:02m:31s

VLAN Mapping : N/A                    VLAN         : none

Audt Sess ID : 0a143214000110005a09e563

Security Grp : none

 

AnyConnect-Parent Tunnels: 1

DTLS-Tunnel Tunnels: 1

 

AnyConnect-Parent:

  Tunnel ID    : 17.1

  Public IP    : 10.x.10.x

  Encryption   : none                   Hashing      : none                  

  TCP Src Port : 49212                  TCP Dst Port : 443                   

  Auth Mode    : userPassword          

  Idle Time Out: 30 Minutes             Idle TO Left : 27 Minutes            

  Client OS    : win

  Client OS Ver: 6.1.7601 Service Pack 1

  Client Type  : AnyConnect

  Client Ver   : Cisco AnyConnect VPN Agent for Windows 4.5.02033

  Bytes Tx     : 8075                   Bytes Rx     : 0                     

  Pkts Tx      : 6                      Pkts Rx      : 0                     

  Pkts Tx Drop : 0                      Pkts Rx Drop : 0                     

  

DTLS-Tunnel:

  Tunnel ID    : 17.3

  Assigned IP  : 10.200.10.4            Public IP    : 10.x.10.x

  Encryption   : AES256                 Hashing      : SHA1                  

  Ciphersuite  : AES256-SHA                                       

  Encapsulation: DTLSv1.0               Compression  : LZS                   

  UDP Src Port : 52319                  UDP Dst Port : 443                   

  Auth Mode    : userPassword          

  Idle Time Out: 30 Minutes             Idle TO Left : 22 Minutes            

  Client OS    : Windows               

  Client Type  : DTLS VPN Client

  Client Ver   : Cisco AnyConnect VPN Agent for Windows 4.5.02033

  Bytes Tx     : 0                      Bytes Rx     : 89751                 

  Pkts Tx      : 0                      Pkts Rx      : 760                    

  Pkts Tx Drop : 0                      Pkts Rx Drop : 0                     

  

Username     : themaster              Index        : 18

Assigned IP  : 10.200.10.5            Public IP    : 10.x.10.x

Protocol     : AnyConnect-Parent

License      : AnyConnect Premium

Encryption   : AnyConnect-Parent: (1)none

Hashing      : AnyConnect-Parent: (1)none

Bytes Tx     : 16150                  Bytes Rx     : 74713

Pkts Tx      : 12                     Pkts Rx      : 789

Pkts Tx Drop : 0                      Pkts Rx Drop : 0

Group Policy : GroupPolicy_pegasus    Tunnel Group : pegasus

Login Time   : 18:39:35 UTC Mon Nov 13 2017

Duration     : 0h:04m:38s

Inactivity   : 0h:00m:00s

VLAN Mapping : N/A                    VLAN         : none

Audt Sess ID : 0a143214000120005a09e6e7

Security Grp : none

 

AnyConnect-Parent Tunnels: 1

 

AnyConnect-Parent:

  Tunnel ID    : 18.1

  Public IP    : 10.0.10.2

  Encryption   : none                   Hashing      : none                  

  TCP Src Port : 49359                  TCP Dst Port : 443                   

  Auth Mode    : userPassword          

  Idle Time Out: 30 Minutes             Idle TO Left : 27 Minutes            

  Client OS    : win

  Client OS Ver: 6.1.7601 Service Pack 1

  Client Type  : AnyConnect

  Client Ver   : Cisco AnyConnect VPN Agent for Windows 4.5.02033

  Bytes Tx     : 8075                   Bytes Rx     : 0                     

  Pkts Tx      : 6                      Pkts Rx      : 0                     

  Pkts Tx Drop : 0                      Pkts Rx Drop : 0                     

  

Username     : themaster              Index        : 19

Assigned IP  : 10.200.10.6            Public IP    : 10.x.10.x

Protocol     : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel

License      : AnyConnect Premium

Encryption   : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)AES-GCM-256  DTLS-Tunnel: (1)AES256

Hashing      : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)SHA384  DTLS-Tunnel: (1)SHA1

Bytes Tx     : 16150                  Bytes Rx     : 49672

Pkts Tx      : 12                     Pkts Rx      : 536

Pkts Tx Drop : 0                      Pkts Rx Drop : 0

Group Policy : GroupPolicy_pegasus    Tunnel Group : pegasus

Login Time   : 18:41:57 UTC Mon Nov 13 2017

Duration     : 0h:02m:16s

Inactivity   : 0h:00m:00s

VLAN Mapping : N/A                    VLAN         : none

Audt Sess ID : 0a143214000130005a09e775

Security Grp : none

 

AnyConnect-Parent Tunnels: 1

SSL-Tunnel Tunnels: 1

DTLS-Tunnel Tunnels: 1

 

AnyConnect-Parent:

  Tunnel ID    : 19.1

  Public IP    : 10.x.10.x

  Encryption   : none                   Hashing      : none                  

  TCP Src Port : 49421                  TCP Dst Port : 443                   

  Auth Mode    : userPassword          

  Idle Time Out: 30 Minutes             Idle TO Left : 27 Minutes            

  Client OS    : win

  Client OS Ver: 6.1.7601 Service Pack 1

  Client Type  : AnyConnect

  Client Ver   : Cisco AnyConnect VPN Agent for Windows 4.5.02033

  Bytes Tx     : 8075                   Bytes Rx     : 0                     

  Pkts Tx      : 6                      Pkts Rx      : 0                     

  Pkts Tx Drop : 0                      Pkts Rx Drop : 0                     

  

SSL-Tunnel:

  Tunnel ID    : 19.2

  Assigned IP  : 10.200.10.6            Public IP    : 10.x.10.x

  Encryption   : AES-GCM-256            Hashing      : SHA384                

  Ciphersuite  : ECDHE-RSA-AES256-GCM-SHA384                      

  Encapsulation: TLSv1.2                Compression  : LZS                   

  TCP Src Port : 49425                  TCP Dst Port : 443                   

  Auth Mode    : userPassword          

  Idle Time Out: 30 Minutes             Idle TO Left : 29 Minutes            

  Client OS    : Windows               

  Client Type  : SSL VPN Client

  Client Ver   : Cisco AnyConnect VPN Agent for Windows 4.5.02033

  Bytes Tx     : 8075                   Bytes Rx     : 1243                  

  Pkts Tx      : 6                      Pkts Rx      : 13                     

  Pkts Tx Drop : 0                      Pkts Rx Drop : 0                     

  

DTLS-Tunnel:

  Tunnel ID    : 19.3

  Assigned IP  : 10.200.10.6            Public IP    : 10.x.10.x

  Encryption   : AES256                 Hashing      : SHA1                  

  Ciphersuite  : AES256-SHA                                       

  Encapsulation: DTLSv1.0               Compression  : LZS                   

  UDP Src Port : 64843                  UDP Dst Port : 443                   

  Auth Mode    : userPassword          

  Idle Time Out: 30 Minutes             Idle TO Left : 30 Minutes            

  Client OS    : Windows               

  Client Type  : DTLS VPN Client

  Client Ver   : Cisco AnyConnect VPN Agent for Windows 4.5.02033

  Bytes Tx     : 0                      Bytes Rx     : 48429                 

  Pkts Tx      : 0                      Pkts Rx      : 523                   

  Pkts Tx Drop : 0                      Pkts Rx Drop : 0                     

 

 
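As an added example (not code from the thread or from Cisco), here is a small Python parser for the per-tunnel counters in the `show vpn-sessiondb detail anyconnect` output above. It flags data tunnels (SSL or DTLS) that have received packets from the client but transmitted none back, which is exactly what the DTLS tunnels 17.3 and 19.3 show in the posted output. The sample text is a constructed excerpt of that output, with the tunnel IDs and counters as posted.

```python
"""Flag one-way AnyConnect data tunnels in `show vpn-sessiondb detail anyconnect`
output: packets arrive from the client but nothing is sent back, the symptom of
return traffic never reaching the ASA.

Added example, not from the thread. SAMPLE_OUTPUT is a constructed excerpt of
the session dump posted above (tunnel IDs and counters as shown there)."""
import re

SAMPLE_OUTPUT = """\
Username     : themaster              Index        : 17
Assigned IP  : 10.200.10.4            Public IP    : 10.x.10.x
Bytes Tx     : 16150                  Bytes Rx     : 91491
Pkts Tx      : 12                     Pkts Rx      : 776

AnyConnect-Parent:
  Tunnel ID    : 17.1
  Bytes Tx     : 8075                   Bytes Rx     : 0
  Pkts Tx      : 6                      Pkts Rx      : 0
  Pkts Tx Drop : 0                      Pkts Rx Drop : 0

DTLS-Tunnel:
  Tunnel ID    : 17.3
  Assigned IP  : 10.200.10.4            Public IP    : 10.x.10.x
  Bytes Tx     : 0                      Bytes Rx     : 89751
  Pkts Tx      : 0                      Pkts Rx      : 760
  Pkts Tx Drop : 0                      Pkts Rx Drop : 0

Username     : themaster              Index        : 19
Assigned IP  : 10.200.10.6            Public IP    : 10.x.10.x

SSL-Tunnel:
  Tunnel ID    : 19.2
  Bytes Tx     : 8075                   Bytes Rx     : 1243
  Pkts Tx      : 6                      Pkts Rx      : 13

DTLS-Tunnel:
  Tunnel ID    : 19.3
  Bytes Tx     : 0                      Bytes Rx     : 48429
  Pkts Tx      : 0                      Pkts Rx      : 523
"""

SECTION_RE = re.compile(r"^(AnyConnect-Parent|SSL-Tunnel|DTLS-Tunnel):\s*$")
TUNNEL_ID_RE = re.compile(r"^\s*Tunnel ID\s*:\s*(\S+)")
# Matches "Bytes Tx : N  Bytes Rx : M" and "Pkts Tx : N  Pkts Rx : M",
# but not the "Pkts Tx Drop" line (the colon must follow "Tx" directly).
COUNTER_RE = re.compile(r"^\s*(Bytes|Pkts) Tx\s*:\s*(\d+)\s+(?:Bytes|Pkts) Rx\s*:\s*(\d+)")
DATA_TUNNELS = ("SSL-Tunnel", "DTLS-Tunnel")


def parse_tunnels(text):
    """Return one record per tunnel section with its Tx/Rx byte and packet counters.
    Session-level summary counters (before any section header) are ignored."""
    records, current = [], None
    for line in text.splitlines():
        if line.startswith("Username"):
            current = None          # new session; summary lines follow
            continue
        m = SECTION_RE.match(line)
        if m:
            current = {"kind": m.group(1), "tunnel": None,
                       "bytes_tx": 0, "bytes_rx": 0, "pkts_tx": 0, "pkts_rx": 0}
            records.append(current)
            continue
        if current is None:
            continue
        m = TUNNEL_ID_RE.match(line)
        if m:
            current["tunnel"] = m.group(1)
            continue
        m = COUNTER_RE.match(line)
        if m:
            key = m.group(1).lower()        # "bytes" or "pkts"
            current[f"{key}_tx"] = int(m.group(2))
            current[f"{key}_rx"] = int(m.group(3))
    return records


def one_way_tunnels(records):
    """Data tunnels (SSL/DTLS) that received packets but transmitted none."""
    return [r for r in records
            if r["kind"] in DATA_TUNNELS and r["pkts_rx"] > 0 and r["pkts_tx"] == 0]


if __name__ == "__main__":
    for r in one_way_tunnels(parse_tunnels(SAMPLE_OUTPUT)):
        print(f"tunnel {r['tunnel']} ({r['kind']}): rx {r['pkts_rx']} pkts, tx 0 "
              "-> replies are not coming back through the ASA")
```

The AnyConnect-Parent control channel is deliberately excluded from the check, since its counters do not reflect the data path; only the SSL and DTLS tunnels carry the client's traffic.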

I only have two IPs on the inside interface: .1 the ASA, and .254 a router. The pool is configured to assign IPs in between; is that an issue?

Yes, I believe this is an issue. The .254 device will try to reach the AnyConnect client directly using ARP, but the ASA will not do a proxy ARP, so the return packet will never reach the ASA.

You can do a capture on the inside interface to confirm.

Should I then put the VPN clients on a different IP range to the inside interface? And how does that work in terms of ACLs and routing?

You can modify the VPN pool, or you could of course change the interconnect network between the router and the ASA. It is up to you to choose which is simpler.

The .254 router will need to have a route to the new vpn network.

Also any other router that handles anyconnect traffic will have to know how to reach the asa.

As for acls it looks you do not need to do anything on the asa, considering traffic will be initiated only from anyconnect client.

If you have any other ACLs configured on other devices and you changed the VPN pool, you will have to replace the 10.200.10.0/24 network with the new one.
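As an added example (not code from the thread or from Cisco), the condition Bogdan identifies, written as a small Python lint over an ASA running-config: it finds any `ip local pool` range that falls inside a directly connected interface subnet, and reports whether `sysopt noproxyarp` is set on that interface and whether a route's next hop on that interface lives on the same subnet. The config text is a constructed subset of the posted one, with the outside address (masked in the post) replaced by a placeholder; the corrected variant moves the pool to a separate /24, which is one of the two fixes the accepted answer offers.

```python
"""Lint an ASA running-config for a remote-access address pool that sits inside
a directly connected interface subnet, the fault identified in this thread.

Added example, not from the thread. SAMPLE_CONFIG is a constructed subset of the
posted config (pool, interfaces, default route and sysopt line as shown); the
outside address, masked in the post, is the placeholder 192.0.2.10."""
import ipaddress
import re

SAMPLE_CONFIG = """\
ip local pool PegasusPool 10.200.10.2-10.200.10.253 mask 255.255.255.0
!
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 192.0.2.10 255.255.255.0
!
interface GigabitEthernet1/2.843
 vlan 843
 nameif Inside
 security-level 99
 ip address 10.200.10.1 255.255.255.0
!
route Inside 0.0.0.0 0.0.0.0 10.200.10.254 1
sysopt noproxyarp Inside
"""

# Constructed corrected variant: pool moved to its own /24, as the accepted
# answer suggests (the .254 router then needs a route for 10.200.20.0/24
# pointing at the ASA's Inside address, 10.200.10.1).
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    "ip local pool PegasusPool 10.200.10.2-10.200.10.253 mask 255.255.255.0",
    "ip local pool PegasusPool 10.200.20.2-10.200.20.253 mask 255.255.255.0")

POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+) mask (\S+)")
NAMEIF_RE = re.compile(r"^\s*nameif (\S+)")
ADDR_RE = re.compile(r"^\s*ip address (\S+) (\S+)")
ROUTE_RE = re.compile(r"^route (\S+) (\S+) (\S+) (\S+)")
NOPROXY_RE = re.compile(r"^sysopt noproxyarp (\S+)")


def parse_config(cfg):
    """Extract pools, interface networks, static routes and noproxyarp interfaces."""
    pools, ifaces, routes, noproxy = {}, {}, [], set()
    current = None                       # nameif of the interface block being read
    for line in cfg.splitlines():
        if line.startswith("interface "):
            current = None               # new block; its name comes from nameif
            continue
        if m := NAMEIF_RE.match(line):
            current = m.group(1)
        elif (m := ADDR_RE.match(line)) and current:
            # ipaddress accepts a dotted-quad mask after the slash for IPv4
            ifaces[current] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network
        elif m := POOL_RE.match(line):
            pools[m.group(1)] = (ipaddress.ip_address(m.group(2)),
                                 ipaddress.ip_address(m.group(3)))
        elif m := ROUTE_RE.match(line):
            routes.append((m.group(1), ipaddress.ip_address(m.group(4))))  # (interface, next hop)
        elif m := NOPROXY_RE.match(line):
            noproxy.add(m.group(1))
    return pools, ifaces, routes, noproxy


def check_pool_overlap(cfg):
    """One finding per (pool, interface) pair whose address ranges overlap."""
    pools, ifaces, routes, noproxy = parse_config(cfg)
    findings = []
    for pool, (start, end) in pools.items():
        for ifname, net in ifaces.items():
            overlaps = start in net or end in net or (start < net[0] and end > net[-1])
            if overlaps:
                findings.append({
                    "pool": pool,
                    "interface": ifname,
                    "network": str(net),
                    # with proxy ARP off, hosts on the subnet cannot resolve pool
                    # addresses via the ASA, so replies never come back
                    "proxy_arp_disabled": ifname in noproxy,
                    "next_hop_on_same_subnet": any(i == ifname and nh in net for i, nh in routes),
                })
    return findings


if __name__ == "__main__":
    for name, cfg in (("posted config", SAMPLE_CONFIG), ("corrected config", FIXED_CONFIG)):
        found = check_pool_overlap(cfg)
        print(f"{name}: {len(found)} finding(s)")
        for f in found:
            print(f"  pool {f['pool']} overlaps {f['interface']} ({f['network']}); "
                  f"proxy ARP disabled: {f['proxy_arp_disabled']}; "
                  f"next hop on same subnet: {f['next_hop_on_same_subnet']}")
```

Run against the posted config the lint reports PegasusPool overlapping Inside (10.200.10.0/24) with proxy ARP disabled and the .254 next hop on that same subnet; against the corrected config it reports nothing.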