vpn traffic needs access both internal external while tunnel all vpn traffic

yijunzhou (Level 1)

Hi,

Could anybody help me find the problem?

I am configuring an ASA as firewall + VPN server. Basically, the outside of the appliance is T1 access (there are a couple of VLANs inside, behind an iptables box; the iptables box's outside is on the same VLAN as the inside of the ASA (192.168.5.1 and 192.168.5.2)). VPN users are authenticated via two-factor authentication (SDI, IP is 192.168.5.5) and get ACLs via the local database. The VPN pool is 192.168.6.1-192.168.6.15. The VPN pool is NATed to an external IP.

I am trying to access one remote host A, since host A is open for a specific IP and protocol only. All VPN traffic is tunneled. The VPN user can log in, but the ACL vpnuser1_ONLY is not working as expected.

Below is part of configuration:

ASA Version 8.2(2)
...........
route outside 0.0.0.0 0.0.0.0 xx.10.194.193 1
route inside companynet1 255.255.255.0 192.168.5.2 1
route inside companynet2 255.255.255.0 192.168.5.2 1
route inside companynet3 255.255.255.0 192.168.5.2 1
route inside companynet4 255.255.255.0 192.168.5.2 1
...............
route inside companynetn 255.255.255.0 192.168.5.2 1

nat (inside) 4 vpnpool 255.255.255.0 outside   <--------- is this right?
global (outside) 4 xx.10.194.238 netmask 255.255.255.255
split-tunnel-policy tunnelall
.....................
access-list vpnuser1_ONLY extended permit tcp vpnpool 255.255.255.0 host 192.168.1.28 255.255.255.255 eq ssh log
access-list vpnuser1_ONLY extended permit tcp vpnpool 255.255.255.0 host 74.2.23.195 255.255.255.255 eq ssh log
............
svc enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
 vpn-simultaneous-logins 8
 vpn-idle-timeout 10
 vpn-session-timeout 60
 vpn-tunnel-protocol l2tp-ipsec
 webvpn
  svc keep-installer none
  svc rekey time 8
  svc rekey method ssl
  svc ask none default svc
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
 vpn-simultaneous-logins 1
 vpn-idle-timeout 9
 vpn-session-timeout 45
 vpn-tunnel-protocol svc
 split-tunnel-policy tunnelall
 webvpn
  svc keep-installer none
  svc rekey time 15
  svc rekey method ssl
  svc dpd-interval client 30
  svc dpd-interval gateway 30
  deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information.
  svc routing-filtering-ignore disable
username vpnuser1 password xxxxxxx encrypted
username vpnuser1 attributes
 vpn-group-policy GroupPolicy1
 vpn-idle-timeout 6
 vpn-session-timeout 20
 vpn-filter value vpnuser1_ONLY
 vpn-tunnel-protocol svc
 group-lock value COMAVPN
 service-type remote-access
tunnel-group DefaultRAGroup webvpn-attributes
 group-alias companyvpn disable
tunnel-group COMAVPN type remote-access
tunnel-group COMAVPN general-attributes
 address-pool (inside) vpnpool
 address-pool vpnpool
 authentication-server-group SDI
 authentication-server-group (inside) SDI
 authorization-server-group LOCAL
 default-group-policy GroupPolicy1
tunnel-group COMAVPN webvpn-attributes
 group-alias companyremote enable

Did I do anything wrong, or miss anything?

Thanks

Yijun



Jennifer Halim (Cisco Employee)

This does not seem correct:

nat (inside) 4 vpnpool 255.255.255.0 outside   <--------- is this right?

global (outside) 4 xx.10.194.238 netmask 255.255.255.255

I assume that the VPN is terminated on the outside interface; if this is the case, then:

"nat (inside) 4 vpnpool 255.255.255.0 outside" is incorrect:

It should be: nat (outside) 4 vpnpool 255.255.255.0 outside

Also, the global statement is incorrect, and you can't use an address which is part of the outside interface subnet. It needs to be a unique address within the inside interface subnet:

global (inside) 4 192.168.5.x netmask 255.255.255.255

Hello Jennifer,

The purpose is to let VPN users access both the internal subnetwork and one single public host on the internet, as follows:

access-list vpnuser1_ONLY extended permit tcp vpnpool 255.255.255.0 host 192.168.1.28 255.255.255.255 eq ssh log

access-list vpnuser1_ONLY extended permit tcp vpnpool 255.255.255.0 host 74.2.23.195 255.255.255.255 eq ssh log


where host 192.168.1.28 255.255.255.255 is an internal machine and 74.2.23.195 255.255.255.255 is an external public host on the internet; however, 74.2.23.195 is restrictively opened only to one public IP, xx.10.194.238 (which is part of the outside interface subnet), and to certain protocols. So the VPN pool needs to be PATed to one single public address.

Please help me identify anything wrong, or whatever modification is needed.

Thanks,

Yijun


OK, that makes sense.

Then you would need to configure the following:

nat (outside) 4 vpnpool 255.255.255.0 outside

The NAT statement should be as above.

Do you already have an existing "global" statement that PATs to xx.10.194.238?

If you do, then just change the above NAT statement to use the same sequence number as the existing global statement.

Otherwise, if you don't have an existing global statement with xx.10.194.238, then it should be as follows:

global (outside) 4 xx.10.194.238 netmask 255.255.255.255

Also, remember to enable "same-security-traffic permit intra-interface"

Hi, Jennifer

I modified the configuration as you suggested, and set no nat-control; otherwise outside cannot access anything inside.

However, I found this in the log when I tried to ssh to 192.168.1.28:

Deny tcp src outside:192.168.6.1/49821 dst inside:192.168.1.28/22 by access-group "OUTSIDE" [0x0, 0x0]

Why is access-group OUTSIDE taking effect instead of vpnuser1_ONLY? I can see from the ASDM log that vpnuser1_ONLY is my connection's filter.

Thanks,

Yijun

Firstly, you can't set "no nat-control", because once you have a NAT statement, "no nat-control" becomes disabled anyway. "no nat-control" is useful if you have no NAT statement at all on the interface.

Secondly, if you can't access from outside to inside, that's because you would need to configure NAT exemption. Not sure if you have configured this.

Here is the command:

access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.6.0 255.255.255.0

nat (inside) 0 access-list nonat

You can then add all other internal subnets to the nonat ACL if you need access from the VPN.

Lastly, for the deny error message on access-group "OUTSIDE", you would need to check if you have "sysopt connection permit-vpn" configured. If it's disabled, VPN traffic will also be checked against the "OUTSIDE" interface access-group.
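Pulling the pieces of this thread together, here is what the relevant part of an ASA 8.2 configuration looks like once the three fixes Jennifer describes are applied: hairpin PAT of the VPN pool on the outside interface, NAT exemption for the internal subnets, and "sysopt connection permit-vpn" so that the per-user vpn-filter is the only ACL applied to decrypted VPN traffic. This is an added example, not configuration posted by Yijun or Jennifer. The interface names (inside, outside), the 192.168.6.0/24 pool, the 192.168.1.0/24 subnet, the two SSH destinations and the redacted xx.10.194.238 PAT address are taken from the thread; the second internal subnet 192.168.2.0/24 and the verification commands at the end are assumptions for illustration. The vpn-filter ACL is written with the "host" keyword and no mask, which is the form the ASA accepts (the original lines carry a "255.255.255.255" after "host", which the parser rejects), and the pool is written as a literal prefix rather than the "vpnpool" name used in the original.

```text
! Added example (not from the thread): ASA 8.2(2) fragment with the three fixes applied.
! Tunnel-all means VPN traffic to 74.2.23.195 enters and leaves on "outside",
! so the ASA must be allowed to turn traffic around on the same interface.
same-security-traffic permit intra-interface

! 1) PAT the VPN pool to the one public address that 74.2.23.195 trusts.
!    The nat line is on the outside interface because that is where the
!    decrypted VPN packets arrive; the trailing "outside" keyword is the
!    8.2 syntax for outside NAT. Sequence number 4 pairs nat and global.
nat (outside) 4 192.168.6.0 255.255.255.0 outside
global (outside) 4 xx.10.194.238 netmask 255.255.255.255

! 2) NAT exemption between internal subnets and the pool. nat-control is
!    effectively on once any nat statement exists, so "no nat-control" does
!    not help; nat 0 with an ACL exempts both directions of these flows.
!    Add one line per internal subnet VPN users must reach.
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.6.0 255.255.255.0
! assumed second internal subnet, for illustration only
access-list nonat extended permit ip 192.168.2.0 255.255.255.0 192.168.6.0 255.255.255.0
nat (inside) 0 access-list nonat

! 3) Let decrypted VPN traffic bypass the interface ACL ("OUTSIDE"), so the
!    deny "by access-group OUTSIDE" seen in the log no longer applies and the
!    per-user vpn-filter below is the only ACL that governs the session.
sysopt connection permit-vpn

! Per-user filter: source is the pool, destinations are the one internal box
! and the one Internet host, SSH only; everything else hits the implicit deny.
! "host" takes no mask.
access-list vpnuser1_ONLY extended permit tcp 192.168.6.0 255.255.255.0 host 192.168.1.28 eq ssh log
access-list vpnuser1_ONLY extended permit tcp 192.168.6.0 255.255.255.0 host 74.2.23.195 eq ssh log
username vpnuser1 attributes
 vpn-filter value vpnuser1_ONLY

! Checks to run after applying (assumed usage; output not reproduced here):
!   show run sysopt                         -> "sysopt connection permit-vpn" must be listed
!   show run nat                            -> both the nat (outside) 4 and nat (inside) 0 lines
!   show xlate                              -> a 192.168.6.x -> xx.10.194.238 entry once a user reaches 74.2.23.195
!   show vpn-sessiondb detail svc filter name vpnuser1   -> Filter Name should read vpnuser1_ONLY
```

Two caveats worth keeping in mind with this layout. "sysopt connection permit-vpn" exempts every VPN session from the interface ACL, so each user or group policy that should be restricted needs its own vpn-filter; a user without one gets unrestricted access to whatever routes exist. And because the vpn-filter is checked in both directions of the flow, keep the rules written from the client's point of view (pool as source) exactly as above rather than adding mirrored entries.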

Yes!!! Jennifer, you are an expert! Thank you very, very much.

Great to hear it's working now, and thanks for the update.

Please kindly mark the post as answered so others can learn from your post. Thank you.

Hi, Jennifer,

How can I mark the post as answered?

Thanks,