bullhog
asked on
ASA AnyConnect can't get network traffic
Hello,
I need some help figuring out my troubles with my AnyConnect VPN setup.
I can connect to the ASA through the AnyConnect client. I get an address from my pool (192.168.1.x).
My inside network pool is set to 192.168.0.0.
Split tunneling is set up correctly, I think. When connecting to VPN, I cannot access the internal network but I can access the internet.
I have one NAT exemption set for 192.168.1.0 to my inside network.
I do not know if I have to set any other routes at all. Attached is the relevant information of my config. Any help is greatly appreciated.
Thanks,
ASA Version 8.2(1)
!
hostname ciscoasa
interface Vlan1
nameif inside
security-level 100
allow-ssc-mgmt
ip address 192.168.0.1 255.255.255.0
interface Vlan2
description LAN Advantage CinBell
nameif outside
security-level 0
ip address 11.11.11.30 255.255.255.224
access-list Split_Tunnel_List remark Inside corporate network
access-list Split_Tunnel_List standard permit 192.168.0.0 255.255.0.0
access-list no_nat extended permit ip host 192.168.1.0 192.168.0.0 255.255.255.0
nat (inside) 0 access-list no_nat
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 11.11.11.1 1
ASKER CERTIFIED SOLUTION
ASKER
Sadly, that didn't work at all. After changing the ACL, I re-added it to the interface and I am still having the same issue. Here is the full running config if you think it might help you.
Thanks for the help
ASA Version 8.2(1)
!
hostname ciscoasa
domain-name office.domain.com
names
name 192.168.0.41 Server41 description Exchange
name 192.168.0.12 Server5 description Citrix
name 11.11.111..2 mail.domain.com
name 70.62.247.69 mailcheck.mailfilter.com
name 70.62.247.76 mx2.mailfilter.com
name 11.11.111..4 remote.domain.com description Citrix
name 192.168.0.31 server31 description SLX
name 11.11.111..8 slx.domain.com
name 192.168.0.66 CameraStation description Camera Station for all camera access
name 192.168.0.67 LaserCamera description Camera looking over laser
!
interface Vlan1
nameif inside
security-level 100
allow-ssc-mgmt
ip address 192.168.0.1 255.255.255.0
!
interface Vlan2
description EXTERNAL CONNECTION TO ISP
nameif outside
security-level 0
ip address 11.11.111..30 255.255.255.224
!
interface Vlan5
no forward interface Vlan1
nameif dmz
security-level 50
ip address dhcp
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
switchport access vlan 5
!
interface Ethernet0/7
switchport access vlan 5
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 192.168.0.20
name-server 123.12.1.100
name-server 123.12.1.100
domain-name office.domain.com
object-group service BES tcp-udp
description Blackberry Enterprise Server (and pro)
port-object eq 3101
object-group service DM_INLINE_TCP_0 tcp
port-object eq www
port-object eq https
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object udp
protocol-object tcp
object-group network Mailcheck-Servers
network-object host mailcheck.mailfilter.com
network-object host mx2.nextstep1.com
object-group service Citrix
service-object tcp eq citrix-ica
service-object tcp eq www
service-object tcp eq https
service-object udp eq 1604
object-group service SLX
service-object tcp eq 3333
service-object tcp eq ftp
service-object tcp eq ftp-data
object-group service CitrixBroadcast udp
port-object eq 1604
object-group service Exchange tcp
port-object eq https
port-object eq smtp
object-group service SLXweb tcp
port-object eq 3333
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
object-group service AXISCamerStation tcp
port-object eq 11007
port-object eq 55752
port-object eq 55753
object-group service testFTP tcp
port-object eq 12345
object-group network DM_INLINE_NETWORK_1
network-object 192.168.0.0 255.255.255.0
network-object 11.11.111..0 255.255.255.224
object-group network DM_INLINE_NETWORK_2
network-object host 192.220.18.119
group-object Mailcheck-Servers
network-object host 161.58.10.126
network-object host 198.170.241.243
object-group network DM_INLINE_NETWORK_3
network-object 192.168.0.0 255.255.255.0
network-object 11.11.111..0 255.255.255.224
access-list outside_access_in extended permit tcp any host mail.domain.com eq pptp
access-list outside_access_in extended permit object-group SLX any host slx.domain.com
access-list outside_access_in extended permit object-group Citrix any host remote.domain.com
access-list outside_access_in extended permit tcp any host mail.domain.com eq https
access-list outside_access_in extended permit tcp any host mail.domain.com eq smtp
access-list outside_access_in extended permit object-group TCPUDP any host mail.domain.com object-group BES
access-list outside_access_in extended permit tcp any host mail.domain.com object-group DM_INLINE_TCP_0
access-list inside_access_in remark AccesstoOutside
access-list inside_access_in extended permit ip 192.168.0.0 255.255.255.0 any
access-list inside_access_in extended permit object-group TCPUDP 192.168.0.0 255.255.255.0 11.11.111..0 255.255.255.224
access-list inside_access_in extended permit gre any any
access-list acl-out extended permit tcp any host 11.11.111..6 object-group AXISCamerStation
access-list acl-out extended permit tcp any host 11.11.111..7 eq www
access-list acl-out extended permit object-group SLX any host slx.domain.com
access-list acl-out extended permit object-group Citrix any host remote.domain.com
access-list acl-out extended permit tcp any host mail.domain.com object-group DM_INLINE_TCP_1
access-list acl-out extended permit object-group DM_INLINE_PROTOCOL_1 any host mail.domain.com object-group BES
access-list acl-out extended permit tcp object-group DM_INLINE_NETWORK_2 host mail.domain.com eq smtp
access-list acl-out extended permit tcp any host mail.domain.com eq https
access-list acl-out extended permit gre any host mail.domain.com
access-list acl-out extended permit tcp any host mail.domain.com eq pptp
access-list acl-out extended permit ip host 192.220.18.119 host Server41
access-list Split_Tunnel_List remark Inside corporate network
access-list Split_Tunnel_List standard permit 192.168.0.0 255.255.0.0
access-list Split_Tunnel_List standard permit 192.168.0.0 255.255.255.0
access-list outside_mpc extended permit ip any 192.168.0.0 255.255.255.0
access-list global_mpc extended permit ip any object-group DM_INLINE_NETWORK_3
access-list outside_mpc_1 remark Scan all incoming traffic... scans NO outgoing taffic
access-list outside_mpc_1 extended permit ip any object-group DM_INLINE_NETWORK_1
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list testcap extended permit ip host 192.168.1.5 host 192.168.0.20
access-list testcap extended permit ip host 192.168.0.20 host 192.168.1.5
access-list no_nat extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging list kl level debugging class vpdn
logging list kl level debugging class vpn
logging list kl level debugging class vpnc
logging list kl level debugging class vpnfo
logging list kl level debugging class webfo
logging list kl level debugging class webvpn
logging list kl level debugging class svc
logging trap warnings
logging asdm kl
logging host inside 192.168.0.42
logging debug-trace
no logging message 304003
no logging message 304002
no logging message 304001
no logging message 304005
no logging message 304004
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool vpn_users 192.168.1.2-192.168.1.254
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list no_nat
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) remote.domain.com Server5 netmask 255.255.255.255 dns
static (inside,outside) slx.domain.com server31 netmask 255.255.255.255 dns
static (inside,outside) mail.domain.com Server41 netmask 255.255.255.255 dns
static (inside,outside) 11.11.111..7 LaserCamera netmask 255.255.255.255 dns
static (inside,outside) 11.11.111..6 CameraStation netmask 255.255.255.255 dns
access-group inside_access_in in interface inside
access-group acl-out in interface outside
route outside 0.0.0.0 0.0.0.0 11.11.111..1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
webvpn
url-list none
file-browsing enable
file-entry enable
http-proxy enable
url-entry enable
aaa-server office.domain.com protocol nt
aaa-server office.domain.com (inside) host 192.168.0.20
nt-auth-domain-controller server02
aaa local authentication attempts max-fail 5
http server enable
http server idle-timeout 15
http server session-timeout 15
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no sysopt connection permit-vpn
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
vpn-addr-assign local reuse-delay 5
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 15
ssh 192.168.0.0 255.255.255.0 inside
ssh timeout 15
console timeout 0
dhcpd domain office.domain.com
dhcpd auto_config inside vpnclient-wins-override
!
dhcpd address 192.168.0.2-192.168.0.50 inside
!
threat-detection basic-threat
threat-detection scanning-threat shun except ip-address 192.168.0.0 255.255.255.0
threat-detection scanning-threat shun duration 3600
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
enable outside
svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
svc image disk0:/anyconnect-macosx-i386-2.4.1012-k9.pkg 2
svc enable
auto-signon allow ip 192.168.0.20 255.255.255.255 auth-type all
auto-signon allow ip 0.0.0.0 0.0.0.0 auth-type all
group-policy DfltGrpPolicy attributes
wins-server value 192.168.0.20
dns-server value 192.168.0.20
vpn-simultaneous-logins 25
vpn-tunnel-protocol svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_Tunnel_List
default-domain value office.domain.com
split-dns value server02
webvpn
url-list value domaininternal
svc ask enable default webvpn
tunnel-group DefaultRAGroup general-attributes
address-pool vpn_users
authentication-server-group office.domain.com
username-from-certificate use-entire-name
secondary-username-from-certificate use-entire-name
authentication-attr-from-server secondary
authenticated-session-username secondary
tunnel-group DefaultRAGroup webvpn-attributes
group-alias Default enable
group-alias Group disable
group-alias RA disable
group-alias defaultragroup disable
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool vpn_users
authentication-server-group office.domain.com
username-from-certificate use-entire-name
secondary-username-from-certificate use-entire-name
tunnel-group DefaultWEBVPNGroup webvpn-attributes
nbns-server 192.168.0.20 master timeout 2 retry 2
group-alias defaultwebvpngroup enable
tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile general-attributes
address-pool vpn_users
authentication-server-group office.domain.com
authentication-server-group (inside) office.domain.com
username-from-certificate use-entire-name
tunnel-group SSLClientProfile webvpn-attributes
group-alias SSLVPNClient enable
!
class-map global-class
description WorldWideWeb
match default-inspection-traffic
class-map inspection_default
match default-inspection-traffic
class-map outside-class
match access-list outside_mpc_1
match default-inspection-traffic
class-map global-class1
match access-list global_mpc
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map type inspect im IMInspect
parameters
match protocol msn-im
log
policy-map global_policy
description WorldWideWeb
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
class global-class
inspect http
class global-class1
ips inline fail-open
policy-map outside-policy
class outside-class
inspect snmp
!
service-policy global_policy global
service-policy outside-policy interface outside
prompt hostname context
Cryptochecksum:a387ecbaaeefcc54f0cebeac885c6d6a
: end
Not that I think it has anything to do with the problem, but you should clean up the split tunnel list for the old entry with the wrong subnet mask:
no access-list Split_Tunnel_List standard permit 192.168.0.0 255.255.0.0
Could you post the statistics for the AnyConnect connection when trying to access the 192.168.0.0 network? If the counter says xxx sent but zero received, it's almost always a NAT problem. Your NAT statements and access-list look good though, so I just want to check which direction we should look in.
ASKER
Sorry, I wasn't disregarding your suggestion... looks like I did not change that setting. As to the statistics: at this moment, 3 minutes into a connection, I have 210 sent packets and 36 received. I am constantly pinging an inside address. These pings are all timed out.
Also, the ASA cannot ping the address of the connected client.
SOLUTION
ASKER
One more helpful piece of information. I went into my syslog server to look for information about blocked pings from the 192.168.1.x subnet. I found this statement.
Syslog ID: 106023
Source: my VPN Client
Destination: my internal server
Description:deny icmp src: 192.168.1.7 dst inside: 192.168.0.20 (type8, code 0) by access-group "acl-out" [0x0, 0x0]
So, I will look at the acl and see if I can figure it out before you do :)
ASKER
Sorry Kellemann and DanJ... completely lost track of who was posting what :) I fixed the problem. I added a rule to my outside_in acl to allow traffic from the 192.168.1.x network to my 192.168.0.0 network. Thanks for the guidance.
Glad you got it sorted, and thanks for the points, BUT... I've never heard of the clients getting blocked at the outside interface. At that stage the packet is still encrypted, and the ASA should only evaluate the public source IP of the client. Is this some side-effect of a test setup you are running? Just curious.
ASKER
Well, I have been using a mix of the ASDM and CLI. I can imagine there may be some commands that may or may not be interfering.
Also, would you think it is a big security risk to have that rule? I can't imagine an external address being spoofed to an internal address at all...
Can you find anything in the outside_in ACL that would stop that traffic?
That's the strange thing, I can't find anything in the configuration that would cause this behavior. The ACL looks fine.
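The three things this thread keeps circling are the split-tunnel list (the stale /16 entry), the nat 0 exemption (the first post's "host 192.168.1.0" versus the pool's /24, and which direction the ACL is written in), and the 106023 deny that shows pool traffic being evaluated by the outside interface ACL. The script below is an added example, not code from the thread or from Cisco: it pulls those statements out of an ASA 8.2-style config, reports the classic mis-settings, and classifies a 106023 line as "VPN-pool client stopped by the outside ACL" when its source is in the pool, its destination is inside, and the named access-group is the outside ACL. The config excerpt and the syslog line are constructed samples modelled on the ones posted (203.0.113.6 is a placeholder address); the regex accepts both the poster's paraphrased form and the stock "%ASA-4-106023: Deny ... src if:ip dst if:ip" form. Note that the posted running config contains "no sysopt connection permit-vpn", which on the ASA means decrypted VPN traffic is no longer exempt from the interface ACL; the linter flags that line because it is exactly the condition under which an explicit pool-to-inside permit in the outside ACL becomes necessary.

```python
"""Added example: lint an ASA 8.2-style remote-access VPN config for the usual
causes of "AnyConnect reaches the Internet but not the LAN" and classify a 106023 deny."""
import ipaddress
import re

# Constructed excerpt modelled on the thread's config (203.0.113.6 is a placeholder).
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 192.168.0.1 255.255.255.0
access-list Split_Tunnel_List standard permit 192.168.0.0 255.255.0.0
access-list Split_Tunnel_List standard permit 192.168.0.0 255.255.255.0
access-list no_nat extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list acl-out extended permit tcp any host 203.0.113.6 eq www
nat (inside) 0 access-list no_nat
access-group acl-out in interface outside
ip local pool vpn_users 192.168.1.2-192.168.1.254
no sysopt connection permit-vpn
split-tunnel-network-list value Split_Tunnel_List
"""
# Constructed syslog line in the shape the poster quoted.
SAMPLE_SYSLOG = ('deny icmp src: 192.168.1.7 dst inside: 192.168.0.20 (type8, code 0) '
                 'by access-group "acl-out" [0x0, 0x0]')
# Matches the poster's paraphrase and the stock "%ASA-4-106023: Deny proto src if:ip dst if:ip" form.
SYSLOG_106023 = re.compile(
    r'[Dd]eny (?P<proto>\w+) src:?\s*(?:(?P<src_if>[\w-]+):)?\s*(?P<src>[\d.]+)'
    r'(?:/\d+)?\s+dst:?\s*(?:(?P<dst_if>[\w-]+):)?\s*(?P<dst>[\d.]+)'
    r'.*?by access-group "(?P<acl>[^"]+)"')

def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_config(text):
    """Extract the statements that decide whether VPN-pool traffic reaches the LAN."""
    cfg = {"inside": None, "pool": None, "split": [], "nat0": [],
           "outside_acl": None, "permit_vpn": True}   # ASA default: permit-vpn enabled
    nat0_acl = split_acl = None
    lines = [ln.strip() for ln in text.splitlines()]
    for i, ln in enumerate(lines):
        if ln == "nameif inside":
            for nxt in lines[i + 1:i + 4]:
                if m := re.match(r"ip address (\S+) (\S+)", nxt):
                    cfg["inside"] = _net(*m.groups())
        elif m := re.match(r"ip local pool \S+ (\S+)-(\S+)", ln):
            cfg["pool"] = tuple(ipaddress.ip_address(a) for a in m.groups())
        elif m := re.match(r"nat \(inside\) 0 access-list (\S+)", ln):
            nat0_acl = m.group(1)
        elif m := re.match(r"split-tunnel-network-list value (\S+)", ln):
            split_acl = m.group(1)
        elif m := re.match(r"access-group (\S+) in interface outside", ln):
            cfg["outside_acl"] = m.group(1)
        elif ln == "no sysopt connection permit-vpn":
            cfg["permit_vpn"] = False
    for ln in lines:  # second pass, now that the ACL names are known
        if split_acl and (m := re.match(rf"access-list {re.escape(split_acl)} standard permit (\S+) (\S+)", ln)):
            cfg["split"].append(_net(*m.groups()))
        elif nat0_acl and (m := re.match(rf"access-list {re.escape(nat0_acl)} extended permit ip (.+)", ln)):
            toks, nets = m.group(1).split(), []
            while toks:  # "host A" is a /32, "A M" is a subnet
                nets.append(_net(toks[1], 32) if toks[0] == "host" else _net(toks[0], toks[1]))
                toks = toks[2:]
            cfg["nat0"].append(tuple(nets))
    assert cfg["inside"] and cfg["pool"], "need an inside ip address and an ip local pool"
    return cfg

def lint(text):
    """Return a list of findings; an empty list means the classic checks pass."""
    cfg = parse_config(text)
    inside, (lo, hi) = cfg["inside"], cfg["pool"]
    findings = []
    if lo in inside or hi in inside:
        findings.append(f"pool {lo}-{hi} overlaps inside subnet {inside}")
    for n in cfg["split"]:
        if n != inside and inside.subnet_of(n):
            findings.append(f"split-tunnel entry {n} is broader than inside {inside}; remove the stale entry")
    if inside not in cfg["split"]:
        findings.append("split-tunnel list does not name the inside subnet exactly")
    # On 8.2 the nat (inside) 0 ACL is written inside -> pool and must cover the whole pool.
    if not any(inside.subnet_of(src) and lo in dst and hi in dst for src, dst in cfg["nat0"]):
        findings.append("nat 0 ACL does not exempt inside -> whole VPN pool (check 'host' vs subnet, and direction)")
    if not cfg["permit_vpn"]:
        findings.append("'no sysopt connection permit-vpn': decrypted VPN traffic is filtered by outside ACL "
                        f"{cfg['outside_acl']}; expect 106023 denies unless it permits pool -> inside")
    return findings

def parse_106023(line):
    """Fields of a 106023 deny line, or None if the line is not one."""
    m = SYSLOG_106023.search(line)
    return m.groupdict() if m else None

def classify_deny(line, text):
    """Is this 106023 a VPN-pool client being stopped by the outside interface ACL?"""
    d, cfg = parse_106023(line), parse_config(text)
    if not d:
        return "not-106023"
    src, dst = ipaddress.ip_address(d["src"]), ipaddress.ip_address(d["dst"])
    lo, hi = cfg["pool"]
    if lo <= src <= hi and dst in cfg["inside"] and d["acl"] == cfg["outside_acl"]:
        return "vpn-pool-blocked-by-outside-acl"
    return "other"

if __name__ == "__main__":
    for f in lint(SAMPLE_CONFIG):
        print("FINDING:", f)
    print(classify_deny(SAMPLE_SYSLOG, SAMPLE_CONFIG), parse_106023(SAMPLE_SYSLOG))
```

Run against the sample it reports the stale /16 split-tunnel entry and the "no sysopt connection permit-vpn" condition, and it labels the syslog line as pool traffic denied by acl-out; swap the nat 0 line for the first post's "host 192.168.1.0" version and it reports the exemption gap instead. Asking the ASA for the AnyConnect session statistics (sent versus received), as the expert suggested, remains the quickest way to tell a NAT problem from an ACL problem in the field.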
ip address 192.168.0.1 255.255.255.0
change the split tunnel ACL to
access-list Split_Tunnel_List standard permit 192.168.0.0 255.255.255.0
and nonat to
access-list no_nat extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0