Solved

ASA AnyConnect can't get network traffic

Posted on 2010-11-17
Last Modified: 2012-06-27
Hello,
I need some help figuring out my troubles with my AnyConnect VPN setup.

I can connect to the ASA through the AnyConnect client. I get an address from my pool (192.168.1.x).
My inside network pool is set to 192.168.0.0.
Split tunneling is set up correctly, I think. When connecting to the VPN, I cannot access the internal network but I can access the internet.
I have one NAT exemption set for 192.168.1.0 to my inside network.

I do not know if I have to set any other routes at all. Attached is the relevant information from my config. Any help is greatly appreciated.
Thanks,

ASA Version 8.2(1)
!
hostname ciscoasa

interface Vlan1
 nameif inside
 security-level 100
 allow-ssc-mgmt
 ip address 192.168.0.1 255.255.255.0
interface Vlan2
 description LAN Advantage CinBell
 nameif outside
 security-level 0
 ip address 11.11.11.30 255.255.255.224

access-list Split_Tunnel_List remark Inside corporate network
access-list Split_Tunnel_List standard permit 192.168.0.0 255.255.0.0
access-list no_nat extended permit ip host 192.168.1.0 192.168.0.0 255.255.255.0

nat (inside) 0 access-list no_nat
nat (inside) 1 0.0.0.0 0.0.0.0

route outside 0.0.0.0 0.0.0.0 11.11.11.1 1

Question by:bullhog
11 Comments
 
LVL 9

Expert Comment

by:DanJ
ID: 34156309
inside address is
ip address 192.168.0.1 255.255.255.0

change the split tunnel ACL to
access-list Split_Tunnel_List standard permit 192.168.0.0 255.255.255.0

and nonat to
access-list no_nat extended permit ip  192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0

LVL 9

Accepted Solution

by:
DanJ earned 250 total points
ID: 34156331
oops,

access-list no_nat extended permit ip  192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
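A small checker for the three things this thread turns on: the split-tunnel list, the ACL behind `nat (inside) 0`, and the VPN pool against the inside subnet. This is an added example, not code from the thread or from Cisco. The two config fragments inside it are constructed: `ORIGINAL` mirrors the lines the asker posted, `CORRECTED` mirrors DanJ's replacement lines above; the ACL names `Split_Tunnel_List` and `no_nat` are the ones from the post. It parses only the plain operand forms seen here (`host`, `any`, address/mask) and skips `object-group` operands.

```python
"""Cross-check split-tunnel list, nat 0 exemption and VPN pool of an
ASA 8.2 remote-access config.  Added example, not from the thread or
from Cisco; ORIGINAL and CORRECTED are constructed fragments."""
import ipaddress
import re

ORIGINAL = """\
interface Vlan1
 nameif inside
 ip address 192.168.0.1 255.255.255.0
access-list Split_Tunnel_List standard permit 192.168.0.0 255.255.0.0
access-list no_nat extended permit ip host 192.168.1.0 192.168.0.0 255.255.255.0
ip local pool vpn_users 192.168.1.2-192.168.1.254
nat (inside) 0 access-list no_nat
"""

CORRECTED = """\
interface Vlan1
 nameif inside
 ip address 192.168.0.1 255.255.255.0
access-list Split_Tunnel_List standard permit 192.168.0.0 255.255.255.0
access-list no_nat extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
ip local pool vpn_users 192.168.1.2-192.168.1.254
nat (inside) 0 access-list no_nat
"""


def _net(addr, mask):
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def inside_subnet(cfg):
    """Subnet of the interface stanza whose nameif is 'inside'."""
    name = addr = None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            name = addr = None                      # new stanza
        elif line.startswith(" nameif "):
            name = line.split()[1]
        elif line.startswith(" ip address "):
            parts = line.split()
            if len(parts) >= 4 and parts[2] != "dhcp":
                addr = _net(parts[2], parts[3])
        if name == "inside" and addr is not None:
            return addr
    raise ValueError("no addressed 'inside' interface found")


def vpn_pool(cfg):
    """Smallest prefix that covers the 'ip local pool' range."""
    m = re.search(r"^ip local pool \S+ (\S+)-(\S+)", cfg, re.M)
    first, last = ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))
    net = ipaddress.ip_network(str(first))
    while last not in net:                          # widen until the last address fits
        net = net.supernet()
    return net


def standard_acl(cfg, name):
    """Networks permitted by a standard ACL (split-tunnel lists are standard)."""
    pat = re.compile(rf"^access-list {re.escape(name)} standard permit (\S+) (\S+)", re.M)
    return [_net(a, m) for a, m in pat.findall(cfg)]


def _operand(tokens):
    """Consume one ACE address operand: 'any', 'host X' or 'A M'."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    return _net(tokens[0], tokens[1]), tokens[2:]


def extended_ip_acl(cfg, name):
    """(src, dst) of each 'permit ip' entry; object-group operands are skipped."""
    pat = re.compile(rf"^access-list {re.escape(name)} extended permit ip (.*)$", re.M)
    entries = []
    for rest in pat.findall(cfg):
        try:
            src, tokens = _operand(rest.split())
            dst, _ = _operand(tokens)
        except (ValueError, IndexError):            # object-group or malformed ACE
            continue
        entries.append((src, dst))
    return entries


def check(cfg):
    """Return findings as strings; an empty list means the pieces line up."""
    findings = []
    inside, pool = inside_subnet(cfg), vpn_pool(cfg)
    if inside.overlaps(pool):
        findings.append(f"VPN pool {pool} overlaps the inside subnet {inside}")
    # Split tunnel: inside must be listed; a wider entry that also swallows the
    # pool sends client-to-pool traffic into the tunnel for no reason.
    split = standard_acl(cfg, "Split_Tunnel_List")
    if not any(inside.subnet_of(n) for n in split):
        findings.append(f"Split_Tunnel_List does not cover {inside}")
    for n in split:
        if n != inside and pool.subnet_of(n):
            findings.append(f"Split_Tunnel_List entry {n} is wider than {inside} and also covers the pool {pool}")
    # NAT exemption: nat (inside) 0 must name an ACL with an inside -> pool entry.
    m = re.search(r"^nat \(inside\) 0 access-list (\S+)", cfg, re.M)
    if not m:
        findings.append("no 'nat (inside) 0 access-list' statement")
        return findings
    acl = m.group(1)
    aces = extended_ip_acl(cfg, acl)
    for src, dst in aces:
        for side, net in (("source", src), ("destination", dst)):
            if net.prefixlen == 32 and (int(net.network_address) & 0xFF) == 0:
                findings.append(f"{acl}: {side} 'host {net.network_address}' looks like a network address typed as a host")
    if not any(inside.subnet_of(s) and pool.subnet_of(d) for s, d in aces):
        findings.append(f"{acl}: no entry exempting {inside} -> {pool} from NAT")
    return findings


if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL), ("corrected", CORRECTED)):
        print(label, check(cfg) or ["ok"])
```

Against the asker's fragment it reports the /16 split-tunnel entry, the `host 192.168.1.0` operand and the missing inside-to-pool exemption; against DanJ's corrected lines it reports nothing.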
LVL 1

Author Comment

by:bullhog
ID: 34161638
Sadly, that didn't work at all. After changing the ACL, I re-added it to the interface and I am still having the same issue. Here is the full running config if you think it might help you.
Thanks for the help
ASA Version 8.2(1) 
!
hostname ciscoasa
domain-name office.domain.com

names
name 192.168.0.41 Server41 description Exchange
name 192.168.0.12 Server5 description Citrix
name 11.11.111..2 mail.domain.com
name 70.62.247.69 mailcheck.mailfilter.com
name 70.62.247.76 mx2.mailfilter.com
name 11.11.111..4 remote.domain.com description Citrix
name 192.168.0.31 server31 description SLX
name 11.11.111..8 slx.domain.com
name 192.168.0.66 CameraStation description Camera Station for all camera access
name 192.168.0.67 LaserCamera description Camera looking over laser
!
interface Vlan1
 nameif inside
 security-level 100
 allow-ssc-mgmt
 ip address 192.168.0.1 255.255.255.0 
!
interface Vlan2
 description EXTERNAL CONNECTION TO ISP
 nameif outside
 security-level 0
 ip address 11.11.111..30 255.255.255.224 
!
interface Vlan5
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address dhcp 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
 switchport access vlan 5
!
interface Ethernet0/7
 switchport access vlan 5
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 192.168.0.20
 name-server 123.12.1.100
 name-server 123.12.1.100
 domain-name office.domain.com
object-group service BES tcp-udp
 description Blackberry Enterprise Server (and pro)
 port-object eq 3101
object-group service DM_INLINE_TCP_0 tcp
 port-object eq www
 port-object eq https
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object udp
 protocol-object tcp
object-group network Mailcheck-Servers
 network-object host mailcheck.mailfilter.com
 network-object host mx2.nextstep1.com
object-group service Citrix
 service-object tcp eq citrix-ica 
 service-object tcp eq www 
 service-object tcp eq https 
 service-object udp eq 1604 
object-group service SLX
 service-object tcp eq 3333 
 service-object tcp eq ftp 
 service-object tcp eq ftp-data 
object-group service CitrixBroadcast udp
 port-object eq 1604
object-group service Exchange tcp
 port-object eq https
 port-object eq smtp
object-group service SLXweb tcp
 port-object eq 3333
object-group service DM_INLINE_TCP_1 tcp
 port-object eq www
 port-object eq https
object-group service AXISCamerStation tcp
 port-object eq 11007
 port-object eq 55752
 port-object eq 55753
object-group service testFTP tcp
 port-object eq 12345
object-group network DM_INLINE_NETWORK_1
 network-object 192.168.0.0 255.255.255.0
 network-object 11.11.111..0 255.255.255.224
object-group network DM_INLINE_NETWORK_2
 network-object host 192.220.18.119
 group-object Mailcheck-Servers
 network-object host 161.58.10.126
 network-object host 198.170.241.243
object-group network DM_INLINE_NETWORK_3
 network-object 192.168.0.0 255.255.255.0
 network-object 11.11.111..0 255.255.255.224
access-list outside_access_in extended permit tcp any host mail.domain.com eq pptp 
access-list outside_access_in extended permit object-group SLX any host slx.domain.com 
access-list outside_access_in extended permit object-group Citrix any host remote.domain.com 
access-list outside_access_in extended permit tcp any host mail.domain.com eq https 
access-list outside_access_in extended permit tcp any host mail.domain.com eq smtp 
access-list outside_access_in extended permit object-group TCPUDP any host mail.domain.com object-group BES 
access-list outside_access_in extended permit tcp any host mail.domain.com object-group DM_INLINE_TCP_0 
access-list inside_access_in remark AccesstoOutside
access-list inside_access_in extended permit ip 192.168.0.0 255.255.255.0 any 
access-list inside_access_in extended permit object-group TCPUDP 192.168.0.0 255.255.255.0 11.11.111..0 255.255.255.224 
access-list inside_access_in extended permit gre any any 
access-list acl-out extended permit tcp any host 11.11.111..6 object-group AXISCamerStation 
access-list acl-out extended permit tcp any host 11.11.111..7 eq www 
access-list acl-out extended permit object-group SLX any host slx.domain.com 
access-list acl-out extended permit object-group Citrix any host remote.domain.com 
access-list acl-out extended permit tcp any host mail.domain.com object-group DM_INLINE_TCP_1 
access-list acl-out extended permit object-group DM_INLINE_PROTOCOL_1 any host mail.domain.com object-group BES 
access-list acl-out extended permit tcp object-group DM_INLINE_NETWORK_2 host mail.domain.com eq smtp 
access-list acl-out extended permit tcp any host mail.domain.com eq https 
access-list acl-out extended permit gre any host mail.domain.com 
access-list acl-out extended permit tcp any host mail.domain.com eq pptp 
access-list acl-out extended permit ip host 192.220.18.119 host Server41 
access-list Split_Tunnel_List remark Inside corporate network
access-list Split_Tunnel_List standard permit 192.168.0.0 255.255.0.0 
access-list Split_Tunnel_List standard permit 192.168.0.0 255.255.255.0 
access-list outside_mpc extended permit ip any 192.168.0.0 255.255.255.0 
access-list global_mpc extended permit ip any object-group DM_INLINE_NETWORK_3 
access-list outside_mpc_1 remark Scan all incoming traffic... scans NO outgoing taffic
access-list outside_mpc_1 extended permit ip any object-group DM_INLINE_NETWORK_1 
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0 
access-list testcap extended permit ip host 192.168.1.5 host 192.168.0.20 
access-list testcap extended permit ip host 192.168.0.20 host 192.168.1.5 
access-list no_nat extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0 
pager lines 24
logging enable
logging list kl level debugging class vpdn
logging list kl level debugging class vpn
logging list kl level debugging class vpnc
logging list kl level debugging class vpnfo
logging list kl level debugging class webfo
logging list kl level debugging class webvpn
logging list kl level debugging class svc
logging trap warnings
logging asdm kl
logging host inside 192.168.0.42
logging debug-trace
no logging message 304003
no logging message 304002
no logging message 304001
no logging message 304005
no logging message 304004
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool vpn_users 192.168.1.2-192.168.1.254
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list no_nat
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) remote.domain.com Server5 netmask 255.255.255.255 dns 
static (inside,outside) slx.domain.com server31 netmask 255.255.255.255 dns 
static (inside,outside) mail.domain.com Server41 netmask 255.255.255.255 dns 
static (inside,outside) 11.11.111..7 LaserCamera netmask 255.255.255.255 dns 
static (inside,outside) 11.11.111..6 CameraStation netmask 255.255.255.255 dns 
access-group inside_access_in in interface inside
access-group acl-out in interface outside
route outside 0.0.0.0 0.0.0.0 11.11.111..1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
 webvpn
  url-list none
  file-browsing enable
  file-entry enable
  http-proxy enable
  url-entry enable
aaa-server office.domain.com protocol nt
aaa-server office.domain.com (inside) host 192.168.0.20
 nt-auth-domain-controller server02
aaa local authentication attempts max-fail 5
http server enable
http server idle-timeout 15
http server session-timeout 15
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no sysopt connection permit-vpn
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
vpn-addr-assign local reuse-delay 5
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 15
ssh 192.168.0.0 255.255.255.0 inside
ssh timeout 15
console timeout 0
dhcpd domain office.domain.com
dhcpd auto_config inside vpnclient-wins-override
!
dhcpd address 192.168.0.2-192.168.0.50 inside
!

threat-detection basic-threat
threat-detection scanning-threat shun except ip-address 192.168.0.0 255.255.255.0
threat-detection scanning-threat shun duration 3600
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
 svc image disk0:/anyconnect-macosx-i386-2.4.1012-k9.pkg 2
 svc enable
  auto-signon allow ip 192.168.0.20 255.255.255.255 auth-type all
  auto-signon allow ip 0.0.0.0 0.0.0.0 auth-type all
group-policy DfltGrpPolicy attributes
 wins-server value 192.168.0.20
 dns-server value 192.168.0.20
 vpn-simultaneous-logins 25
 vpn-tunnel-protocol svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_Tunnel_List
 default-domain value office.domain.com
 split-dns value server02 
 webvpn
  url-list value domaininternal
  svc ask enable default webvpn
tunnel-group DefaultRAGroup general-attributes
 address-pool vpn_users
 authentication-server-group office.domain.com
 username-from-certificate use-entire-name
 secondary-username-from-certificate use-entire-name
 authentication-attr-from-server secondary
 authenticated-session-username secondary
tunnel-group DefaultRAGroup webvpn-attributes
 group-alias Default enable
 group-alias Group disable
 group-alias RA disable
 group-alias defaultragroup disable
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool vpn_users
 authentication-server-group office.domain.com
 username-from-certificate use-entire-name
 secondary-username-from-certificate use-entire-name
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 nbns-server 192.168.0.20 master timeout 2 retry 2
 group-alias defaultwebvpngroup enable
tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile general-attributes
 address-pool vpn_users
 authentication-server-group office.domain.com
 authentication-server-group (inside) office.domain.com
 username-from-certificate use-entire-name
tunnel-group SSLClientProfile webvpn-attributes
 group-alias SSLVPNClient enable
!
class-map global-class
 description WorldWideWeb
 match default-inspection-traffic
class-map inspection_default
 match default-inspection-traffic
class-map outside-class
 match access-list outside_mpc_1
 match default-inspection-traffic
class-map global-class1
 match access-list global_mpc
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map type inspect im IMInspect
 parameters
 match protocol msn-im 
  log
policy-map global_policy
 description WorldWideWeb
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
 class global-class
  inspect http 
 class global-class1
  ips inline fail-open
policy-map outside-policy
 class outside-class
  inspect snmp 
!
service-policy global_policy global
service-policy outside-policy interface outside
prompt hostname context 
Cryptochecksum:a387ecbaaeefcc54f0cebeac885c6d6a
: end

LVL 7

Expert Comment

by:kellemann
ID: 34163464
Not that I think it has anything to do with the problem, but you should clean up the split tunnel list for the old entry with the wrong subnet mask:
no access-list Split_Tunnel_List standard permit 192.168.0.0 255.255.0.0

Could you post the statistics for the AnyConnect connection when trying to access the 192.168.0.0 network? If the counter says xxx sent but zero received, it's almost always a NAT problem. Your NAT statements and access-list look good though, so I just want to check which direction we should look in.
LVL 1

Author Comment

by:bullhog
ID: 34163842
Sorry, I wasn't disregarding your suggestion... looks like I did not change that setting. As to the statistics: at this moment, 3 minutes into a connection, I have 210 sent packets and 36 received. I am constantly pinging an inside address. These pings are all timed out.

Also, the ASA cannot ping the address of the connected client.
LVL 7

Assisted Solution

by:kellemann
kellemann earned 250 total points
ID: 34163977
It wasn't my suggestion in the first place, it was DanJ's, so I can't take credit for it.
It is interesting that you receive any traffic at all. Let's try something else:
While still connected, put in the following command on the ASA and post the output.

packet-tracer input inside tcp 192.168.0.2 8888 <ip address assigned to the client, for example 192.168.1.2> 8888 detailed
LVL 1

Author Comment

by:bullhog
ID: 34163979
One more helpful piece of information. I went into my syslog server to look for information about blocked pings from the 192.168.1.x subnet. I found this statement.

Syslog ID: 106023
Source: my VPN Client
Destination: my internal server
Description: deny icmp src: 192.168.1.7 dst inside: 192.168.0.20 (type 8, code 0) by access-group "acl-out" [0x0, 0x0]

So, I will look at the acl and see if I can figure it out before you do :)
LVL 1

Author Comment

by:bullhog
ID: 34164222
Sorry Kellemann and DanJ... completely lost track of who was posting what :) I fixed the problem. I added a rule to my outside_in acl to allow traffic from the 192.168.1.x network to my 192.168.0.0 network. Thanks for the guidance.
LVL 7

Expert Comment

by:kellemann
ID: 34164437
Glad you got it sorted, and thanks for the points, BUT... I've never heard of the clients getting blocked at the outside interface. At that stage the packet is still encrypted, and the ASA should only evaluate the public source ip of the client. Is this some side-effect of a test-setup you are running? Just curious.
LVL 1

Author Comment

by:bullhog
ID: 34165030
Well, I have been using a mix of the ASDM and CLI. I can imagine there may be some commands that may or may not be interfering.

Also, would you think it is a big security risk to have that rule? I can't imagine an external address being spoofed to an internal address at all...

Can you find anything in the outside_in acl that would stop that traffic?
LVL 7

Expert Comment

by:kellemann
ID: 34167390
That's the strange thing, I can't find anything in the configuration that would cause this behavior. The ACL looks fine.
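Why the outside ACL saw the client at all: the full running config posted above carries `no sysopt connection permit-vpn`, and without that sysopt the ASA evaluates decrypted VPN traffic against the ACL of the interface it arrived on, which is exactly what the quoted 106023 message (`by access-group "acl-out"`) reports. The permit that fixed it is matched by any packet entering outside with a 192.168.1.x source, tunnelled or not, so the usual pattern is to re-enable the sysopt and confine clients with a vpn-filter on the group policy instead. The script below is an added example, not code from the thread or from Cisco: it parses 106023 lines in the ASA's own syslog format (the sample lines are constructed after the one the asker quoted), picks out denies whose source is in the VPN pool and destination inside, checks a config text for the sysopt, and prints that alternative fix. The ACL name `VPN_FILTER` is an assumed name.

```python
"""Triage ASA 106023 denies for remote-access VPN clients.  Added example,
not from the thread; SAMPLE_LOGS is constructed after the line the asker
quoted (src 192.168.1.7 -> 192.168.0.20, ICMP echo, denied by acl-out)."""
import ipaddress
import re

POOL = ipaddress.IPv4Network("192.168.1.0/24")    # ip local pool vpn_users
INSIDE = ipaddress.IPv4Network("192.168.0.0/24")  # Vlan1 'inside'

# Constructed sample: two denies from a VPN client, one from the Internet.
SAMPLE_LOGS = """\
%ASA-4-106023: Deny icmp src outside:192.168.1.7 dst inside:192.168.0.20 (type 8, code 0) by access-group "acl-out" [0x0, 0x0]
%ASA-4-106023: Deny tcp src outside:203.0.113.9/51022 dst inside:192.168.0.41/25 by access-group "acl-out" [0x0, 0x0]
%ASA-4-106023: Deny tcp src outside:192.168.1.7/49200 dst inside:192.168.0.20/445 by access-group "acl-out" [0x0, 0x0]
"""

# Fields of a 106023 line; ports and the ICMP type/code part are optional.
LINE = re.compile(
    r'%ASA-\d-106023: Deny (?P<proto>\w+)'
    r' src (?P<sif>\w+):(?P<src>[\d.]+)(?:/(?P<sport>\d+))?'
    r' dst (?P<dif>\w+):(?P<dst>[\d.]+)(?:/(?P<dport>\d+))?'
    r'(?: \(type (?P<type>\d+), code (?P<code>\d+)\))?'
    r' by access-group "(?P<acl>[^"]+)"'
)


def parse_106023(line):
    """Dict of the message fields, or None for any other line."""
    m = LINE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["src_ip"] = ipaddress.ip_address(rec["src"])
    rec["dst_ip"] = ipaddress.ip_address(rec["dst"])
    return rec


def vpn_pool_denies(log_text, pool=POOL, inside=INSIDE):
    """Denies whose source is a VPN-pool address heading for the inside net.
    With 'no sysopt connection permit-vpn' the decrypted client packets are
    run through the outside interface ACL, so that is where these appear."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_106023(line)
        if rec and rec["src_ip"] in pool and rec["dst_ip"] in inside:
            hits.append(rec)
    return hits


def interface_acl_applies_to_vpn(cfg_text):
    """True when decrypted VPN traffic is subject to interface ACLs, i.e. the
    running config carries the 'no' form of the sysopt."""
    return re.search(r"^no sysopt connection permit-vpn\s*$", cfg_text, re.M) is not None


def remediation(pool=POOL, inside=INSIDE):
    """CLI lines for the alternative to punching the pool through acl-out:
    bypass the interface ACL for decrypted traffic and restrict clients with
    a vpn-filter (written with the remote client as the source).  The ACL
    name VPN_FILTER is an assumed name."""
    return [
        "sysopt connection permit-vpn",
        f"access-list VPN_FILTER extended permit ip {pool.network_address} {pool.netmask} "
        f"{inside.network_address} {inside.netmask}",
        "group-policy DfltGrpPolicy attributes",
        " vpn-filter value VPN_FILTER",
    ]


if __name__ == "__main__":
    for rec in vpn_pool_denies(SAMPLE_LOGS):
        print(f'{rec["proto"]} {rec["src"]} -> {rec["dst"]} denied by {rec["acl"]} on {rec["sif"]}')
    if interface_acl_applies_to_vpn("no sysopt connection permit-vpn\n"):
        print("\n".join(remediation()))
```

The vpn-filter ACE uses `permit ip` only, so the question of which side a port belongs on in a vpn-filter does not arise; if you need per-port restrictions, check the vpn-filter documentation for your release before adding them.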