Solved

ASA AnyConnect can't get network traffic

Posted on 2010-11-17
Last Modified: 2012-06-27
Hello,
I need some help figuring out my troubles with my AnyConnect VPN setup.

I can connect to the ASA through the AnyConnect client. I get an address from my pool (192.168.1.x).
My inside network pool is set to 192.168.0.0.
Split tunneling is set up correctly, I think. When connecting to the VPN, I cannot access the internal network but I can access the internet.
I have one NAT exemption set for 192.168.1.0 to my inside network.

I do not know if I have to set any other routes at all. Attached is the relevant information from my config. Any help is greatly appreciated.
Thanks,

ASA Version 8.2(1)
!
hostname ciscoasa

interface Vlan1
 nameif inside
 security-level 100
 allow-ssc-mgmt
 ip address 192.168.0.1 255.255.255.0
interface Vlan2
 description LAN Advantage CinBell
 nameif outside
 security-level 0
 ip address 11.11.11.30 255.255.255.224

access-list Split_Tunnel_List remark Inside corporate network
access-list Split_Tunnel_List standard permit 192.168.0.0 255.255.0.0
access-list no_nat extended permit ip host 192.168.1.0 192.168.0.0 255.255.255.0

nat (inside) 0 access-list no_nat
nat (inside) 1 0.0.0.0 0.0.0.0

route outside 0.0.0.0 0.0.0.0 11.11.11.1 1

Question by:bullhog
11 Comments
 
LVL 9

Expert Comment

by:DanJ
ID: 34156309
inside address is
ip address 192.168.0.1 255.255.255.0

change the split tunnel ACL to
access-list Split_Tunnel_List standard permit 192.168.0.0 255.255.255.0

and nonat to
access-list no_nat extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0

 
LVL 9

Accepted Solution

by:
DanJ earned 250 total points
ID: 34156331
oops,

access-list no_nat extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
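As an added check, not part of DanJ's answer or of the original configuration: a small Python audit of the ASA 8.2 lines involved. It parses the interface, access-list, ip local pool and nat 0 statements, flags a split-tunnel entry whose mask is wider than the inside network it overlaps (the 255.255.0.0 entry), and verifies that the nat 0 exemption ACL uses the inside network as source and covers the whole VPN pool as destination (the corrected direction in DanJ's second post). SAMPLE_CONFIG is constructed from the lines in the question; FIXED_CONFIG applies DanJ's two corrections. The checks are general to any inside-interface/pool pair, not only to 192.168.0.0/24 and 192.168.1.0/24.

```python
# Added example (not from the thread): audit ASA 8.2 split-tunnel and nat 0 lines.
import ipaddress

# Constructed sample: the relevant lines as first posted (255.255.0.0 split mask,
# 'host 192.168.1.0' as the nat 0 source).
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 11.11.11.30 255.255.255.224
access-list Split_Tunnel_List remark Inside corporate network
access-list Split_Tunnel_List standard permit 192.168.0.0 255.255.0.0
access-list no_nat extended permit ip host 192.168.1.0 192.168.0.0 255.255.255.0
ip local pool vpn_users 192.168.1.2-192.168.1.254
nat (inside) 0 access-list no_nat
nat (inside) 1 0.0.0.0 0.0.0.0
"""
# The same lines with DanJ's two corrections applied (constructed).
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    "standard permit 192.168.0.0 255.255.0.0", "standard permit 192.168.0.0 255.255.255.0"
).replace(
    "permit ip host 192.168.1.0 192.168.0.0 255.255.255.0",
    "permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0",
)


def _addr(t, i):
    """Consume one ACL address spec at t[i]: 'any', 'host X' or 'NET MASK'."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2


def parse_config(text):
    """Extract interface networks, permit ACEs, address pools and nat 0 bindings."""
    cfg = {"interfaces": {}, "acls": {}, "pools": {}, "nat0": {}}
    if_name = if_net = None
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if line.startswith("interface "):
            if_name = if_net = None
        elif line.startswith(" nameif "):
            if_name = t[1]
        elif line.startswith(" ip address ") and len(t) >= 4:   # skips 'ip address dhcp'
            if_net = ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False)
        if if_name and if_net:
            cfg["interfaces"][if_name] = if_net
        if t[0] == "access-list" and len(t) >= 5 and t[3] == "permit":
            aces = cfg["acls"].setdefault(t[1], [])
            if t[2] == "standard":
                aces.append((None, _addr(t, 4)[0]))
            elif t[2] == "extended" and t[4] == "ip":   # plain 'permit ip' ACEs only
                src, i = _addr(t, 5)
                aces.append((src, _addr(t, i)[0]))
        elif t[0] == "ip" and t[1:3] == ["local", "pool"]:
            lo, hi = t[4].split("-")
            cfg["pools"][t[3]] = list(ipaddress.summarize_address_range(
                ipaddress.ip_address(lo), ipaddress.ip_address(hi)))
        elif t[0] == "nat" and t[2] == "0" and t[3] == "access-list":
            cfg["nat0"][t[1].strip("()")] = t[4]
    return cfg


def audit(text, inside="inside"):
    """Return a list of findings; an empty list means both checks pass."""
    cfg = parse_config(text)
    inside_net = cfg["interfaces"][inside]
    findings = []
    # Check 1: a split-tunnel entry wider than the inside network it overlaps
    # (255.255.0.0 against a /24) also drags the VPN pool itself into the tunnel.
    for name, aces in cfg["acls"].items():
        if "split" not in name.lower():
            continue
        for _, net in aces:
            if net.overlaps(inside_net) and net.prefixlen < inside_net.prefixlen:
                findings.append(f"{name}: {net} is broader than {inside} network {inside_net}")
    # Check 2: 'nat (inside) 0' is matched from the inside interface, so each
    # exemption ACE needs the inside network as source and the pool as destination.
    nat0_name = cfg["nat0"].get(inside)
    if nat0_name is None:
        findings.append(f"no 'nat ({inside}) 0 access-list' configured")
        return findings
    aces = [a for a in cfg["acls"].get(nat0_name, []) if a[0] is not None]
    for src, dst in aces:
        if not src.overlaps(inside_net):
            findings.append(f"{nat0_name}: source {src} is not within {inside} network {inside_net}")
    for pool_name, nets in cfg["pools"].items():
        covered = all(any(src.overlaps(inside_net) and n.subnet_of(dst)
                          for src, dst in aces) for n in nets)
        if not covered:
            findings.append(f"{nat0_name}: pool {pool_name} is not exempted from NAT")
    return findings
```

Calling `audit(SAMPLE_CONFIG)` yields three findings (the /16 split entry, the host-sized nat 0 source that is not on the inside network, and the pool not being exempted); `audit(FIXED_CONFIG)` returns an empty list. ACEs that use object-groups or protocols other than `ip` are skipped, so on a full running config only the plain exemption and split-tunnel lines are evaluated.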
 
LVL 1

Author Comment

by:bullhog
ID: 34161638
Sadly, that didn't work at all. After changing the ACL, I re-added it to the interface and I am still having the same issue. Here is the full running config if you think it might help you.
Thanks for the help
ASA Version 8.2(1)
!
hostname ciscoasa
domain-name office.domain.com
names
name 192.168.0.41 Server41 description Exchange
name 192.168.0.12 Server5 description Citrix
name 11.11.111..2 mail.domain.com
name 70.62.247.69 mailcheck.mailfilter.com
name 70.62.247.76 mx2.mailfilter.com
name 11.11.111..4 remote.domain.com description Citrix
name 192.168.0.31 server31 description SLX
name 11.11.111..8 slx.domain.com
name 192.168.0.66 CameraStation description Camera Station for all camera access
name 192.168.0.67 LaserCamera description Camera looking over laser
!
interface Vlan1
 nameif inside
 security-level 100
 allow-ssc-mgmt
 ip address 192.168.0.1 255.255.255.0
!
interface Vlan2
 description EXTERNAL CONNECTION TO ISP
 nameif outside
 security-level 0
 ip address 11.11.111..30 255.255.255.224
!
interface Vlan5
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address dhcp
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
 switchport access vlan 5
!
interface Ethernet0/7
 switchport access vlan 5
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 192.168.0.20
 name-server 123.12.1.100
 name-server 123.12.1.100
 domain-name office.domain.com
object-group service BES tcp-udp
 description Blackberry Enterprise Server (and pro)
 port-object eq 3101
object-group service DM_INLINE_TCP_0 tcp
 port-object eq www
 port-object eq https
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object udp
 protocol-object tcp
object-group network Mailcheck-Servers
 network-object host mailcheck.mailfilter.com
 network-object host mx2.nextstep1.com
object-group service Citrix
 service-object tcp eq citrix-ica
 service-object tcp eq www
 service-object tcp eq https
 service-object udp eq 1604
object-group service SLX
 service-object tcp eq 3333
 service-object tcp eq ftp
 service-object tcp eq ftp-data
object-group service CitrixBroadcast udp
 port-object eq 1604
object-group service Exchange tcp
 port-object eq https
 port-object eq smtp
object-group service SLXweb tcp
 port-object eq 3333
object-group service DM_INLINE_TCP_1 tcp
 port-object eq www
 port-object eq https
object-group service AXISCamerStation tcp
 port-object eq 11007
 port-object eq 55752
 port-object eq 55753
object-group service testFTP tcp
 port-object eq 12345
object-group network DM_INLINE_NETWORK_1
 network-object 192.168.0.0 255.255.255.0
 network-object 11.11.111..0 255.255.255.224
object-group network DM_INLINE_NETWORK_2
 network-object host 192.220.18.119
 group-object Mailcheck-Servers
 network-object host 161.58.10.126
 network-object host 198.170.241.243
object-group network DM_INLINE_NETWORK_3
 network-object 192.168.0.0 255.255.255.0
 network-object 11.11.111..0 255.255.255.224
access-list outside_access_in extended permit tcp any host mail.domain.com eq pptp
access-list outside_access_in extended permit object-group SLX any host slx.domain.com
access-list outside_access_in extended permit object-group Citrix any host remote.domain.com
access-list outside_access_in extended permit tcp any host mail.domain.com eq https
access-list outside_access_in extended permit tcp any host mail.domain.com eq smtp
access-list outside_access_in extended permit object-group TCPUDP any host mail.domain.com object-group BES
access-list outside_access_in extended permit tcp any host mail.domain.com object-group DM_INLINE_TCP_0
access-list inside_access_in remark AccesstoOutside
access-list inside_access_in extended permit ip 192.168.0.0 255.255.255.0 any
access-list inside_access_in extended permit object-group TCPUDP 192.168.0.0 255.255.255.0 11.11.111..0 255.255.255.224
access-list inside_access_in extended permit gre any any
access-list acl-out extended permit tcp any host 11.11.111..6 object-group AXISCamerStation
access-list acl-out extended permit tcp any host 11.11.111..7 eq www
access-list acl-out extended permit object-group SLX any host slx.domain.com
access-list acl-out extended permit object-group Citrix any host remote.domain.com
access-list acl-out extended permit tcp any host mail.domain.com object-group DM_INLINE_TCP_1
access-list acl-out extended permit object-group DM_INLINE_PROTOCOL_1 any host mail.domain.com object-group BES
access-list acl-out extended permit tcp object-group DM_INLINE_NETWORK_2 host mail.domain.com eq smtp
access-list acl-out extended permit tcp any host mail.domain.com eq https
access-list acl-out extended permit gre any host mail.domain.com
access-list acl-out extended permit tcp any host mail.domain.com eq pptp
access-list acl-out extended permit ip host 192.220.18.119 host Server41
access-list Split_Tunnel_List remark Inside corporate network
access-list Split_Tunnel_List standard permit 192.168.0.0 255.255.0.0
access-list Split_Tunnel_List standard permit 192.168.0.0 255.255.255.0
access-list outside_mpc extended permit ip any 192.168.0.0 255.255.255.0
access-list global_mpc extended permit ip any object-group DM_INLINE_NETWORK_3
access-list outside_mpc_1 remark Scan all incoming traffic... scans NO outgoing taffic
access-list outside_mpc_1 extended permit ip any object-group DM_INLINE_NETWORK_1
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list testcap extended permit ip host 192.168.1.5 host 192.168.0.20
access-list testcap extended permit ip host 192.168.0.20 host 192.168.1.5
access-list no_nat extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging list kl level debugging class vpdn
logging list kl level debugging class vpn
logging list kl level debugging class vpnc
logging list kl level debugging class vpnfo
logging list kl level debugging class webfo
logging list kl level debugging class webvpn
logging list kl level debugging class svc
logging trap warnings
logging asdm kl
logging host inside 192.168.0.42
logging debug-trace
no logging message 304003
no logging message 304002
no logging message 304001
no logging message 304005
no logging message 304004
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool vpn_users 192.168.1.2-192.168.1.254
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list no_nat
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) remote.domain.com Server5 netmask 255.255.255.255 dns
static (inside,outside) slx.domain.com server31 netmask 255.255.255.255 dns
static (inside,outside) mail.domain.com Server41 netmask 255.255.255.255 dns
static (inside,outside) 11.11.111..7 LaserCamera netmask 255.255.255.255 dns
static (inside,outside) 11.11.111..6 CameraStation netmask 255.255.255.255 dns
access-group inside_access_in in interface inside
access-group acl-out in interface outside
route outside 0.0.0.0 0.0.0.0 11.11.111..1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
 webvpn
  url-list none
  file-browsing enable
  file-entry enable
  http-proxy enable
  url-entry enable
aaa-server office.domain.com protocol nt
aaa-server office.domain.com (inside) host 192.168.0.20
 nt-auth-domain-controller server02
aaa local authentication attempts max-fail 5
http server enable
http server idle-timeout 15
http server session-timeout 15
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no sysopt connection permit-vpn
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
vpn-addr-assign local reuse-delay 5
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 15
ssh 192.168.0.0 255.255.255.0 inside
ssh timeout 15
console timeout 0
dhcpd domain office.domain.com
dhcpd auto_config inside vpnclient-wins-override
!
dhcpd address 192.168.0.2-192.168.0.50 inside
!
threat-detection basic-threat
threat-detection scanning-threat shun except ip-address 192.168.0.0 255.255.255.0
threat-detection scanning-threat shun duration 3600
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
 svc image disk0:/anyconnect-macosx-i386-2.4.1012-k9.pkg 2
 svc enable
  auto-signon allow ip 192.168.0.20 255.255.255.255 auth-type all
  auto-signon allow ip 0.0.0.0 0.0.0.0 auth-type all
group-policy DfltGrpPolicy attributes
 wins-server value 192.168.0.20
 dns-server value 192.168.0.20
 vpn-simultaneous-logins 25
 vpn-tunnel-protocol svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_Tunnel_List
 default-domain value office.domain.com
 split-dns value server02
 webvpn
  url-list value domaininternal
  svc ask enable default webvpn
tunnel-group DefaultRAGroup general-attributes
 address-pool vpn_users
 authentication-server-group office.domain.com
 username-from-certificate use-entire-name
 secondary-username-from-certificate use-entire-name
 authentication-attr-from-server secondary
 authenticated-session-username secondary
tunnel-group DefaultRAGroup webvpn-attributes
 group-alias Default enable
 group-alias Group disable
 group-alias RA disable
 group-alias defaultragroup disable
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool vpn_users
 authentication-server-group office.domain.com
 username-from-certificate use-entire-name
 secondary-username-from-certificate use-entire-name
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 nbns-server 192.168.0.20 master timeout 2 retry 2
 group-alias defaultwebvpngroup enable
tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile general-attributes
 address-pool vpn_users
 authentication-server-group office.domain.com
 authentication-server-group (inside) office.domain.com
 username-from-certificate use-entire-name
tunnel-group SSLClientProfile webvpn-attributes
 group-alias SSLVPNClient enable
!
class-map global-class
 description WorldWideWeb
 match default-inspection-traffic
class-map inspection_default
 match default-inspection-traffic
class-map outside-class
 match access-list outside_mpc_1
 match default-inspection-traffic
class-map global-class1
 match access-list global_mpc
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map type inspect im IMInspect
 parameters
 match protocol msn-im
  log
policy-map global_policy
 description WorldWideWeb
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
 class global-class
  inspect http
 class global-class1
  ips inline fail-open
policy-map outside-policy
 class outside-class
  inspect snmp
!
service-policy global_policy global
service-policy outside-policy interface outside
prompt hostname context
Cryptochecksum:a387ecbaaeefcc54f0cebeac885c6d6a
: end

 
LVL 7

Expert Comment

by:kellemann
ID: 34163464
Not that I think it has anything to do with the problem, but you should clean up the split tunnel list and remove the old entry with the wrong subnet mask:
no access-list Split_Tunnel_List standard permit 192.168.0.0 255.255.0.0

Could you post the statistics for the AnyConnect connection when trying to access the 192.168.0.0 network? If the counter says xxx sent but zero received, it's almost always a NAT problem. Your NAT statements and access-list look good though, so I just want to check which direction we should look in.
 
LVL 1

Author Comment

by:bullhog
ID: 34163842
Sorry, I wasn't disregarding your suggestion... looks like I did not change that setting. As to the statistics: at this moment, 3 minutes into a connection, I have 210 sent packets and 36 received. I am constantly pinging an inside address. These pings all time out.

Also, the ASA cannot ping the address of the connected client.
 
LVL 7

Assisted Solution

by:kellemann
kellemann earned 250 total points
ID: 34163977
It wasn't my suggestion in the first place, it was DanJ's, so I can't take credit for it.
It is interesting that you receive any traffic at all. Let's try something else:
While still connected, enter the following command on the ASA and post the output.

packet-tracer input inside tcp 192.168.0.2 8888 <ip address assigned to the client, for example 192.168.1.2> 8888 detailed
 
LVL 1

Author Comment

by:bullhog
ID: 34163979
One more helpful piece of information. I went into my syslog server to look for information about blocked pings from the 192.168.1.x subnet. I found this statement.

Syslog ID: 106023
Source: my VPN Client
Destination: my internal server
Description: deny icmp src: 192.168.1.7 dst inside: 192.168.0.20 (type8, code 0) by access-group "acl-out" [0x0, 0x0]

So, I will look at the acl and see if I can figure it out before you do :)
 
LVL 1

Author Comment

by:bullhog
ID: 34164222
Sorry Kellemann and DanJ... completely lost track of who was posting what :) I fixed the problem. I added a rule to my outside_in ACL to allow traffic from the 192.168.1.x network to my 192.168.0.0 network. Thanks for the guidance.
 
LVL 7

Expert Comment

by:kellemann
ID: 34164437
Glad you got it sorted, and thanks for the points, BUT... I've never heard of the clients getting blocked at the outside interface. At that stage the packet is still encrypted, and the ASA should only evaluate the public source IP of the client. Is this some side-effect of a test setup you are running? Just curious.
 
LVL 1

Author Comment

by:bullhog
ID: 34165030
Well, I have been using a mix of the ASDM and CLI. I can imagine there may be some commands that may or may not be interfering.

Also, would you think it is a big security risk to have that rule? I can't imagine an external address being spoofed to an internal address at all...

Can you find anything in the outside_in ACL that would stop that traffic?
 
LVL 7

Expert Comment

by:kellemann
ID: 34167390
That's the strange thing, I can't find anything in the configuration that would cause this behavior. The ACL looks fine.
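One detail in the posted running config bears on the open question above: it contains `no sysopt connection permit-vpn`. With that option disabled, the ASA evaluates decrypted VPN traffic against the inbound ACL of the interface where the tunnel terminates, which is exactly what the quoted 106023 message (dropped by access-group "acl-out") shows, and why an explicit rule from the VPN pool to the inside network in the outside ACL was needed. The following added example, not from the thread, is a small triage script for such messages: it parses %ASA-4-106023 lines, labels drops whose source address lies in the VPN pool as decrypted client traffic hitting the outside ACL, separately labels packets that arrive on the outside interface carrying an inside address (the spoofing case bullhog asks about), and counts drops per access-group and verdict. The log lines are constructed in the standard 106023 format, modelled on the message bullhog quoted; the pool and inside network come from the posted config.

```python
# Added example (not from the thread): triage %ASA-4-106023 denies for VPN-client traffic.
import ipaddress
import re
from collections import Counter

# Constructed sample log: two decrypted AnyConnect flows dropped by acl-out, one
# packet with an inside address arriving on outside, one ordinary internet drop,
# and one unrelated message that the parser must ignore.
SAMPLE_LOGS = """\
%ASA-4-106023: Deny icmp src outside:192.168.1.7 dst inside:192.168.0.20 (type 8, code 0) by access-group "acl-out" [0x0, 0x0]
%ASA-4-106023: Deny tcp src outside:192.168.1.7/49152 dst inside:192.168.0.41/443 by access-group "acl-out" [0x0, 0x0]
%ASA-4-106023: Deny tcp src outside:192.168.0.99/40000 dst inside:192.168.0.20/445 by access-group "acl-out" [0x0, 0x0]
%ASA-4-106023: Deny tcp src outside:203.0.113.9/51234 dst inside:192.168.0.41/25 by access-group "acl-out" [0x0, 0x0]
%ASA-6-302013: Built inbound TCP connection 12345 for outside:203.0.113.9/51235 (203.0.113.9/51235) to inside:192.168.0.41/443 (11.11.11.30/443)
"""

# Networks taken from the posted config (ip local pool vpn_users, interface Vlan1).
VPN_POOL = ipaddress.ip_network("192.168.1.0/24")
INSIDE_NET = ipaddress.ip_network("192.168.0.0/24")

# Standard 106023 layout: ports follow the address for tcp/udp, type/code for icmp.
DENY_RE = re.compile(
    r"%ASA-\d-106023: Deny (?P<proto>\w+) "
    r"src (?P<sif>[\w-]+):(?P<src>[\d.]+)(?:/(?P<sport>\d+))? "
    r"dst (?P<dif>[\w-]+):(?P<dst>[\d.]+)(?:/(?P<dport>\d+))?"
    r"(?: \(type (?P<type>\d+), code (?P<code>\d+)\))? "
    r'by access-group "(?P<acl>[^"]+)"'
)


def parse_deny(line):
    """Return the fields of a 106023 message as a dict, or None for other messages."""
    m = DENY_RE.search(line)
    return m.groupdict() if m else None


def classify(rec, pool=VPN_POOL, inside_net=INSIDE_NET, outside_if="outside"):
    """Label a deny by what its source address and ingress interface say about it."""
    src = ipaddress.ip_address(rec["src"])
    if rec["sif"] == outside_if and src in pool:
        # Decrypted VPN traffic evaluated by the outside ACL: the thread's symptom.
        return "vpn-client-denied-by-outside-acl"
    if rec["sif"] == outside_if and src in inside_net:
        # An inside address arriving on the outside interface: spoofed or misrouted.
        return "inside-source-on-outside"
    return "other"


def triage(log_text, **kw):
    """Parse every 106023 line in the text and attach a verdict to each."""
    records = []
    for line in log_text.splitlines():
        rec = parse_deny(line)
        if rec:
            rec["verdict"] = classify(rec, **kw)
            records.append(rec)
    return records


def summarize(records):
    """Count drops per (access-group, verdict) so the responsible ACL stands out."""
    return Counter((r["acl"], r["verdict"]) for r in records)


if __name__ == "__main__":
    for (acl, verdict), n in sorted(summarize(triage(SAMPLE_LOGS)).items()):
        print(f"{acl:10} {verdict:35} {n}")
```

On the sample, `triage` returns four records (the 302013 line is ignored): two flagged as VPN-client traffic denied by acl-out, one as an inside source seen on the outside interface, and one ordinary drop. Feeding the ASA's syslog export through `summarize` gives the per-ACL picture kellemann was asking the connection statistics for, without needing to be connected at the time.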