07-07-2012 09:10 PM
I have a vpn setup. I can vpn in from either the outside (internet) or from inside my network. Once I do that I can no longer ping or remote into the server I have setup on the 192.168.1.0/24 subnet. I can ping from the 192.168.1.0 subnet to any other subnet but I cannot ping from the vpn subnet to any other subnet. I know that I have some permits on Outside-IN and Inside-IN, this is only to make it easier to troubleshoot. Thank you in advance.
The VPN subnet is 192.168.2.0
The Server subnet is 192.168.1.0
the Internal client subnet is 10.0.0.0 /24
Here is the config and the packet-tracer output
RUNNING-CONFIG
=====================
ASA Version 8.2(5)
!
hostname ciscoasa
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network Axon
network-object host 192.168.1.6
object-group network VPN-Clients
network-object 192.168.2.0 255.255.255.0
object-group service HTTP-HTTPS tcp
port-object eq www
port-object eq https
object-group service RDP tcp
port-object eq 3389
access-list Outside-IN extended permit ip any any
access-list Inside-IN extended permit ip any any
access-list Axon-NAT extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPNPool 192.168.2.2-192.168.2.10 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
access-group Inside-IN in interface inside
access-group Outside-IN in interface outside
route outside 192.168.2.0 255.255.255.0 192.168.1.0 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no sysopt connection permit-vpn
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.36 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
svc enable
group-policy VPNPolicy internal
group-policy VPNPolicy attributes
vpn-tunnel-protocol svc webvpn
address-pools value VPNPool
webvpn
url-list none
svc ask enable
username test2 password sLyNkwX4lP/BSsCW encrypted privilege 0
username test2 attributes
vpn-group-policy VPNPolicy
username fwaarmac password 5rABwjFzDBYcp0nJ encrypted privilege 15
username fwaarmac attributes
vpn-group-policy VPNPolicy
username test1 password sLyNkwX4lP/BSsCW encrypted privilege 0
username test1 attributes
vpn-group-policy VPNPolicy
username dan password vFpifCksRBgKm.0Q encrypted privilege 15
username dan attributes
vpn-group-policy VPNPolicy
tunnel-group DefaultWEBVPNGroup general-attributes
default-group-policy VPNPolicy
tunnel-group VPN type remote-access
tunnel-group VPN general-attributes
address-pool VPNPool
default-group-policy VPNPolicy
tunnel-group VPN webvpn-attributes
group-alias vpn enable
group-url https://10.0.0.10/vpn enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:b8d7144e7d51265fa9a5f38e29f40269
: end
NAT / PACKET-TRACER
========================
packet-tracer input outside tcp 192.168.2.1 3389 192.168.1.6 3389 detailed
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.1.0 255.255.255.0 inside
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Outside-IN in interface outside
access-list Outside-IN extended permit ip any any
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc95ea0e0, priority=12, domain=permit, deny=false
hits=5247, user_data=0xc793c350, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc95e6d48, priority=0, domain=inspect-ip-options, deny=true
hits=10050, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 4
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc959fab8, priority=0, domain=host-limit, deny=false
hits=5248, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 5
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
match ip inside any outside any
dynamic translation to pool 1 (10.0.0.10 [Interface PAT])
translate_hits = 88, untranslate_hits = 7
Additional Information:
Forward Flow based lookup yields rule:
out id=0xc962a5f8, priority=1, domain=nat-reverse, deny=false
hits=415, user_data=0xc962a388, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
07-08-2012 02:38 AM
You would need to configure NAT exemption for the VPN client to access internal host:
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list nonat
route inside 10.0.0.0 255.255.255.0 192.168.1.x
access-list splitacl permit 192.168.1.0 255.255.255.0
access-list splitacl permit 10.0.0.0 255.255.255.0
group-policy VPNPolicy attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value splitacl
07-10-2012 08:19 PM
Could that also work for an IPsec connection? Apply that policy to the IPsec profile?
07-11-2012 07:03 AM
Yes, that will also work for IPSec VPN Client.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide