Solved: Hello Ben,

Ben Sebborn · ‎04-08-2016

Hi

I've upgraded from a Cisco ASA 5505 to a 5506X, and as such have moved up to ASA 9.5

Because of this I'm a bit stuck on how to implement VPN. I've followed the wizard, and I can now establish inbound connections, but when connected (all traffic is tunnelled) there is no internet connectivity.

Our internal office network (inside) is 192.168.2.0/24

Our VPN pool is 192.168.4.0/24

I presume I'm missing a NAT rule but in all honesty I'm an ASDM user and as everything is changed I'm struggling to recreate it?

Here's my config:

Result of the command: "sh run"

: Saved

: 
: Serial Number: JAD194306H5
: Hardware:   ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.5(1) 
!
hostname ciscoasanew
domain-name work.internal
enable password ... encrypted
names
ip local pool RemoteVPNPool 192.168.4.1-192.168.4.254 mask 255.255.255.0
!
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 192.168.3.4 255.255.255.0 
!
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 192.168.2.197 255.255.255.0 
!
interface GigabitEthernet1/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/8
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management1/1
 management-only
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
!
ftp mode passive
clock timezone GMT 0
dns domain-lookup inside
dns domain-lookup management
dns server-group DefaultDNS
 name-server 192.168.2.199 
 domain-name work.internal
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network 173.0.82.0
 host 173.0.82.0
object network 173.0.82.1
 subnet 66.211.0.0 255.255.255.0
object network 216.113.0.0
 subnet 216.113.0.0 255.255.255.0
object network 64.4.0.0
 subnet 64.4.0.0 255.255.255.0
object network 66.135.0.0
 subnet 66.135.0.0 255.255.255.0
object network a
 host 192.168.7.7
object network devweb
 host 192.168.2.205
object network DevwebSSH
 host 192.168.2.205
object network DEV-WEB-SSH
 host 192.168.2.205
object network DEVWEB-SSH
 host 192.168.2.205
object network vpn-network
 subnet 192.168.4.0 255.255.255.0
object network NETWORK_OBJ_192.168.4.0_24
 subnet 192.168.4.0 255.255.255.0
object network NETWORK_OBJ_192.168.2.0_24
 subnet 192.168.2.0 255.255.255.0
object-group network EC2ExternalIPs
 network-object host 52.18.73.220
 network-object host 54.154.134.173
 network-object host 54.194.224.47
 network-object host 54.194.224.48
 network-object host 54.76.189.66
 network-object host 54.76.5.79
object-group network PayPal
 network-object object 173.0.82.0
 network-object object 173.0.82.1
 network-object object 216.113.0.0
 network-object object 64.4.0.0
 network-object object 66.135.0.0
object-group service DM_INLINE_SERVICE_1
 service-object icmp 
 service-object icmp6 
 service-object icmp alternate-address
 service-object icmp conversion-error
 service-object icmp echo
 service-object icmp information-reply
 service-object icmp information-request
access-list outside_access_in extended permit tcp object-group EC2ExternalIPs object DEVWEB-SSH eq ssh 
access-list outside_access_in remark AWS Servers
access-list outside_access_in extended permit tcp object-group EC2ExternalIPs object devweb eq ssh log debugging inactive 
access-list outside_access_in extended permit ip any any inactive 
access-list outside_access_in remark Ping reply
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any interface outside 
access-list outside_access_in remark Alarm
access-list outside_access_in extended permit tcp any interface outside eq 10001 
access-list outside_access_in remark CCTV
access-list outside_access_in extended permit tcp any interface outside eq 7443 
access-list outside_access_in extended deny ip any any 
access-list workvpn_splitTunnelAcl_1 standard permit 192.168.2.0 255.255.255.0 
access-list workvpn_splitTunnelAcl_1 standard permit 162.13.130.12 255.255.255.252 
access-list workvpn_splitTunnelAcl_1 standard permit 162.13.133.72 255.255.255.252 
access-list workvpn_splitTunnelAcl_1 standard permit 164.177.128.200 255.255.255.252 
access-list workvpn_splitTunnelAcl_1 standard permit 164.177.132.16 255.255.255.252 
access-list workvpn_splitTunnelAcl_1 standard permit 164.177.132.72 255.255.255.252 
access-list workvpn_splitTunnelAcl_1 standard permit 212.64.147.184 255.255.255.248 
access-list workvpn_splitTunnelAcl_1 standard permit 95.138.147.116 255.255.255.254 
access-list workvpn_splitTunnelAcl_1 standard permit 95.138.147.118 255.255.255.254 
access-list workvpn_splitTunnelAcl_1 standard permit host 95.138.147.118 
access-list workvpn_splitTunnelAcl_1 standard permit 95.138.147.120 255.255.255.254 
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.4.0 255.255.255.0 
access-list workvpn2_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0 
access-list workVPN2016_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0 
pager lines 24
logging enable
logging buffer-size 16000
logging asdm-buffer-size 512
logging asdm warnings
logging flash-bufferwrap
mtu outside 1500
mtu inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 7200
no arp permit-nonconnected
nat (inside,outside) source static NETWORK_OBJ_192.168.2.0_24 NETWORK_OBJ_192.168.2.0_24 destination static NETWORK_OBJ_192.168.4.0_24 NETWORK_OBJ_192.168.4.0_24 no-proxy-arp route-lookup
!
object network obj_any
 nat (any,outside) dynamic interface
object network DEVWEB-SSH
 nat (inside,outside) static interface service tcp ssh ssh 
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.3.3 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
 no validation-usage
 crl configure
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
 enrollment self
 fqdn none
 subject-name CN=192.168.2.197,CN=ciscoasanew
 keypair ASDM_LAUNCHER
 crl configure

snip

dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
no threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside vpnlb-ip
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ssl-client 
group-policy workVPN2016 internal
group-policy workVPN2016 attributes
 dns-server value 192.168.2.199
 vpn-tunnel-protocol ikev1 
 split-tunnel-policy tunnelall
 ipv6-split-tunnel-policy tunnelall
 default-domain value work.internal
 split-dns value work.internal
 split-tunnel-all-dns enable
dynamic-access-policy-record DfltAccessPolicy

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
!
service-policy global_policy global
prompt hostname context 
call-home reporting anonymous
hpm topN enable
Cryptochecksum:
: end

Paul Chapman · ‎04-11-2016

Hi Ben -

What you are trying to accomplish is called VPN Hairpinning. Based on your original configuration you have 2 NAT problems. The first has to do with NAT ordering. In ASA 8.3 and later code we are dealing with Twice NAT which are 2 ordered sections going before and after the Object NAT.

My general rule of thumb for NAT ordering is like this:

Twice NAT (Before) - Use this section for NAT exemptions or unusual configurations that must go first
Object NAT - Use this section for static NAT statements for servers
Twice NAT (After) - Use this section for your global NAT statements, basically a catch all

Next, never use "any" as an interface for any NAT statement. This may seem like a good idea, but it will bite you. Remember, there is no longer the concept of NAT control, so an "any" interface will screw up both VPN and DMZ configurations alike. Always be specific about your interface pairs for NAT.

To that end, here is what I suggest that your NAT configuration should look like:

nat (inside,outside) source static NETWORK_OBJ_192.168.2.0_24 NETWORK_OBJ_192.168.2.0_24 destination static NETWORK_OBJ_192.168.4.0_24 NETWORK_OBJ_192.168.4.0_24 no-proxy-arp route-lookup
!
object network DEVWEB-SSH
 nat (inside,outside) static interface service tcp ssh ssh 
!
nat (inside,outside) after-auto source dynamic any interface
nat (outside,outside) after-auto source dynamic any interface

The key is that you need a NAT explicitly translating the VPN traffic.

PSC

View solution in original post

Ben Sebborn · ‎04-08-2016

The error I'm getting is:

5

Apr 08 2016

17:13:39

192.168.4.1

65167

54.230.3.43

443

Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:192.168.4.1/65167(LOCAL\robc) dst outside:54.230.3.43/443 denied due to NAT reverse path failure

From some reading, it seems I need to exclude my VPN network (192.168.4.0) from NAT but I'm not sure how to do this in ASDM on ASA 9.x

Thanks

Ben Sebborn · ‎04-08-2016

Please note that the 'internet' isn't directly attached to our ourside interface, another router is - hence:

route outside 0.0.0.0 0.0.0.0 192.168.3.3 1

David Castro F. · ‎04-09-2016

Hello Ben,

I checked the config and this u-turn to internet seems to be configured correctly, but there is an outside access group, that is not allowing the traffic from the VPN pool to ANY(Internet), please proceed to add this line:

access-list outside_access_in line 1 extended permit ip 192.168.4.0 255.255.255.0 any

I added the "line 1", since there is an implicit deny acl you created at the end, also the traffic will be translated to this address "192.168.3.4", you have to make sure, that the router in front (edge router) will NAT that address to a public one,

Please proceed to rate and mark as correct the helpful post!

Thanks,

David Castro,

Ben Sebborn · ‎04-11-2016

Hi David

That's been added but no joy unfortunately. The users can still access internal devices on 192.168.2.0 but can't get outside of this to the internet.

Here's our current config:

Hi David

That's been added but no joy unfortunately. The users can still access internal devices on 192.168.2.0 but can't get outside of this to the internet.

Here's our current config:

Result of the command: "sh run nat"

nat (inside,any) source static NETWORK_OBJ_192.168.2.0_24 NETWORK_OBJ_192.168.2.0_24 destination static NETWORK_OBJ_192.168.4.0_24 NETWORK_OBJ_192.168.4.0_24 no-proxy-arp

!

object network obj_any

nat (any,outside) dynamic interface

object network DEVWEB-SSH

nat (inside,outside) static interface service tcp ssh ssh

object network NETWORK_OBJ_192.168.4.0_24

nat (outside,outside) dynamic interface

Result of the command: "sh run access-list"

access-list outside_access_in extended permit ip 192.168.4.0 255.255.255.0 any

access-list outside_access_in extended permit tcp object-group EC2ExternalIPs object DEVWEB-SSH eq ssh

access-list outside_access_in remark AWS Servers

access-list outside_access_in extended permit tcp object-group EC2ExternalIPs object devweb eq ssh log debugging inactive

access-list outside_access_in extended permit ip any any inactive

access-list outside_access_in remark Ping reply

access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any interface outside

access-list outside_access_in remark Alarm

access-list outside_access_in extended permit tcp any interface outside eq 10001

access-list outside_access_in remark CCTV

access-list outside_access_in extended permit tcp any interface outside eq 7443

access-list outside_access_in extended deny ip any any

access-list workvpn_splitTunnelAcl_1 standard permit 192.168.2.0 255.255.255.0

access-list workvpn_splitTunnelAcl_1 standard permit 162.13.130.12 255.255.255.252

access-list workvpn_splitTunnelAcl_1 standard permit 162.13.133.72 255.255.255.252

access-list workvpn_splitTunnelAcl_1 standard permit 164.177.128.200 255.255.255.252

access-list workvpn_splitTunnelAcl_1 standard permit 164.177.132.16 255.255.255.252

access-list workvpn_splitTunnelAcl_1 standard permit 164.177.132.72 255.255.255.252

access-list workvpn_splitTunnelAcl_1 standard permit 212.64.147.184 255.255.255.248

access-list workvpn_splitTunnelAcl_1 standard permit 95.138.147.116 255.255.255.254

access-list workvpn_splitTunnelAcl_1 standard permit 95.138.147.118 255.255.255.254

access-list workvpn_splitTunnelAcl_1 standard permit host 95.138.147.118

access-list workvpn_splitTunnelAcl_1 standard permit 95.138.147.120 255.255.255.254

access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.4.0 255.255.255.0

access-list workvpn2_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0

access-list WorkVPN2016_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0

access-list WorkVPN2016_splitTunnelAcl standard permit any4

Paul Chapman · ‎04-11-2016

Hi Ben -

What you are trying to accomplish is called VPN Hairpinning. Based on your original configuration you have 2 NAT problems. The first has to do with NAT ordering. In ASA 8.3 and later code we are dealing with Twice NAT which are 2 ordered sections going before and after the Object NAT.

My general rule of thumb for NAT ordering is like this:

Twice NAT (Before) - Use this section for NAT exemptions or unusual configurations that must go first
Object NAT - Use this section for static NAT statements for servers
Twice NAT (After) - Use this section for your global NAT statements, basically a catch all

Next, never use "any" as an interface for any NAT statement. This may seem like a good idea, but it will bite you. Remember, there is no longer the concept of NAT control, so an "any" interface will screw up both VPN and DMZ configurations alike. Always be specific about your interface pairs for NAT.

To that end, here is what I suggest that your NAT configuration should look like:

nat (inside,outside) source static NETWORK_OBJ_192.168.2.0_24 NETWORK_OBJ_192.168.2.0_24 destination static NETWORK_OBJ_192.168.4.0_24 NETWORK_OBJ_192.168.4.0_24 no-proxy-arp route-lookup
!
object network DEVWEB-SSH
 nat (inside,outside) static interface service tcp ssh ssh 
!
nat (inside,outside) after-auto source dynamic any interface
nat (outside,outside) after-auto source dynamic any interface

The key is that you need a NAT explicitly translating the VPN traffic.

PSC

Aditya Ganjoo · ‎04-08-2016

Hi Ben,

You just need to create the following NAT:

ASA(config)# Object network obj-192.168.4.0
ASA(config-network-object)# subnet 192.168.4.0 255.255.255.0
ASA(config-network-object)# nat (outside,outside) dynamic interface

Regards,

Aditya

Please rate helpful posts and mark correct answers.

Ben Sebborn · ‎04-09-2016

Hi Aditya

Many thanks for this - unfortunately it hasn't fixed the issue:

Result of the command: "sh run nat"

nat (inside,any) source static NETWORK_OBJ_192.168.2.0_24 NETWORK_OBJ_192.168.2.0_24 destination static NETWORK_OBJ_192.168.4.0_24 NETWORK_OBJ_192.168.4.0_24 no-proxy-arp
!
object network obj_any
nat (any,outside) dynamic interface
object network DEVWEB-SSH
nat (inside,outside) static interface service tcp ssh ssh
object network NETWORK_OBJ_192.168.4.0_24
nat (outside,outside) dynamic interface

When connected, users can ping our internal network (192.168.2.x) and also the address of our gateway router (192.168.3.3) which is attached to the outside interface, however they can't ping/access outside of that. (Nothing has changed on the gateway router)

I can't see any related errors in the ASA logs

Here are logs from the client:

Cisco Systems VPN Client Version 5.0.07.0440

Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.

Client Type(s): Windows, WinNT

Running on: 6.1.7601 Service Pack 1

Config file directory: C:\Program Files (x86)\Cisco Systems\VPN Client\

1 11:11:30.937 04/09/16 Sev=Warning/2    IKE/0xE300008D

Split-DNS requires Split Tunneling and a primary DNS server

2 11:11:36.542 04/09/16 Sev=Warning/2    CVPND/0xE3400013

AddRoute failed to add a route with metric of 0: code 160

    Destination    192.168.0.255

    Netmask    255.255.255.255

    Gateway    192.168.4.1

    Interface    192.168.4.2

3 11:11:36.542 04/09/16 Sev=Warning/2    CM/0xA3100024

Unable to add route. Network: c0a800ff, Netmask: ffffffff, Interface: c0a80402, Gateway: c0a80401.

4 11:14:41.032 04/09/16 Sev=Warning/2    CVPND/0xA3400015

Error with call to IpHlpApi.DLL: CheckUpVASettings: Found IPADDR entry addr=192.168.4.2, error 0

5 11:14:42.047 04/09/16 Sev=Warning/2    CVPND/0xA3400015

Error with call to IpHlpApi.DLL: CheckUpVASettings: Found IPADDR entry addr=192.168.4.2, error 0

6 11:14:43.067 04/09/16 Sev=Warning/2    CVPND/0xA3400015

Error with call to IpHlpApi.DLL: CleanUpVASettings: Was able to delete all VA settings after all, error 0

7 11:14:43.777 04/09/16 Sev=Warning/2    IKE/0xA3000067

Received an IPC message during invalid state (IKE_MAIN:512)

8 11:18:00.736 04/09/16 Sev=Warning/2    IKE/0xE300008D

Split-DNS requires Split Tunneling and a primary DNS server

9 11:18:04.559 04/09/16 Sev=Warning/2    CVPND/0xE3400013

AddRoute failed to add a route with metric of 0: code 160

    Destination    192.168.0.255

    Netmask    255.255.255.255

    Gateway    192.168.4.2

    Interface    192.168.4.1

10 11:18:04.559 04/09/16 Sev=Warning/2    CM/0xA3100024

Unable to add route. Network: c0a800ff, Netmask: ffffffff, Interface: c0a80401, Gateway: c0a80402.

11 11:33:16.858 04/09/16 Sev=Warning/2    CVPND/0xA3400015

Error with call to IpHlpApi.DLL: CheckUpVASettings: Found IPADDR entry addr=192.168.4.1, error 0

12 11:33:17.872 04/09/16 Sev=Warning/2    CVPND/0xA3400015

Error with call to IpHlpApi.DLL: CleanUpVASettings: Was able to delete all VA settings after all, error 0

13 11:33:18.532 04/09/16 Sev=Warning/2    IKE/0xA3000067

Received an IPC message during invalid state (IKE_MAIN:512)

14 11:33:31.888 04/09/16 Sev=Warning/2    IKE/0xE300008D

Split-DNS requires Split Tunneling and a primary DNS server

15 11:33:36.734 04/09/16 Sev=Warning/2    CVPND/0xE3400013

AddRoute failed to add a route with metric of 0: code 160

    Destination    192.168.0.255

    Netmask    255.255.255.255

    Gateway    192.168.4.2

    Interface    192.168.4.1

16 11:33:36.734 04/09/16 Sev=Warning/2    CM/0xA3100024

Unable to add route. Network: c0a800ff, Netmask: ffffffff, Interface: c0a80401, Gateway: c0a80402.

17 11:34:33.080 04/09/16 Sev=Warning/2    CVPND/0xA3400015

Error with call to IpHlpApi.DLL: CheckUpVASettings: Found IPADDR entry addr=192.168.4.1, error 0

18 11:34:34.130 04/09/16 Sev=Warning/2    CVPND/0xA3400015

Error with call to IpHlpApi.DLL: CleanUpVASettings: Was able to delete all VA settings after all, error 0

19 11:34:34.792 04/09/16 Sev=Warning/2    IKE/0xA3000067

Received an IPC message during invalid state (IKE_MAIN:512)

Ben Sebborn · ‎04-09-2016

After seeing the errors about Split-Tunnels, I changed the config from 'tunnel all' to 'tunnel selceted networks'

This then allows the traffic to the internet fine, but isn't really a fix, because we need anyone connecting through the VPN to have our office external IP so we can whitelist them on other (external) websites

As such, all traffic should be tunnelled.... Just can't seem to get that bit working

Ben Sebborn · ‎04-11-2016

That's solved it, thanks very much Paul

VPN on ASA 5506 with no internet access, help with NAT?