[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 598
  • Last Modified:

ASA5510 remote VPN and local subnets

I've been working on a project with an ASA5510. What I wanted to do is give myself remote access to the environment without having to drive all the way to the cabinet. That being said, I'm not a network wonk, I know how to route my way out of a paper bag but that's about it.

Here is the network breakdown:

ASA management 0/0 - 172.25.111.1 /24
ASA Ethernet 0/0 - 72.x.x.x
ASA Ethernet 0/1 - 10.20.80.1/24

Layer2 switch is 172.25.111.2, default route 172.25.111.1

I've successfully configured the AnyConnect profile/groups, etc. I can ping the gateway but I can't ping anything else on the management network. An example would be the ILO port for my IBM server: 172.25.111.20, it has been configured with the static IP address, and uses 172.25.111.1 a the default route. While I'm connected to the management vlan (locally), I can ping and access any of the hosts (HTTP and HTTPS) on that subnet but I can't do the same remotely.

My edited running config is below. Any suggestions?

: Saved
: Written by enable_15 at 11:25:58.764 UTC Mon Oct 10 2011
!
ASA Version 8.4(2) 
!
hostname core-0
domain-name mine.pvt
enable password xxxxxxxxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxxxxxxx encrypted
names
name 72.x.x.x outside-gateway
!
interface Ethernet0/0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address 72.x.x.x 255.255.255.240 
!
interface Ethernet0/1
 speed 1000
 duplex full
 nameif inside
 security-level 100
 ip address 10.20.80.1 255.255.255.0 
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 duplex full
 nameif management
 security-level 100
 ip address 172.25.111.1 255.255.255.0 
!
boot system disk0:/asa842-k8.bin
ftp mode passive
dns domain-lookup outside
dns domain-lookup management
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 8.8.8.8
 domain-name mine.pvt
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network vpn-network
 subnet 192.168.54.0 255.255.255.0
object network outside-gateway
 host 72.x.x.x
object-group network inside0-nat0
 network-object object vpn-network
object-group network NET-inside0
 network-object 10.20.80.0 255.255.255.0
object-group network management0
 network-object 172.25.111.0 255.255.255.0
access-list outside_access_in extended permit ip any any 
access-list management_access_in extended permit ip any any 
access-list global_access extended permit ip any any 
access-list acl_split-tunnel standard permit 10.20.80.0 255.255.255.0 
access-list acl_split-tunnel standard permit 172.25.111.0 255.255.255.0 
pager lines 24
logging enable
logging asdm debugging
mtu outside 1500
mtu management 1500
mtu inside 1500
ip local pool mine_vpn-pool 192.168.54.10-192.168.54.100 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp deny any outside
asdm image disk0:/asdm-645-106.bin
no asdm history enable
arp timeout 14400
nat (management,outside) source dynamic any interface
!
nat (inside,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
access-group management_access_in in interface management
access-group global_access global
route outside 0.0.0.0 0.0.0.0 outside-gateway 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication http console LOCAL 
aaa authentication ssh console LOCAL 
http server enable
http 192.168.54.0 255.255.255.0 inside
http 172.25.111.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=mine-fwcore-0
 proxy-ldc-issuer
 crl configure
crypto ca certificate chain ASDM_TrustPoint0
 certificate 3e1f8f4e
    [REMOVED BLOCK FROM PUBLIC POSTING]  quit
telnet timeout 5
ssh 172.25.111.0 255.255.255.0 management
ssh timeout 15
ssh version 2
console timeout 0
management-access management
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics host
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption aes128-sha1 aes256-sha1 3des-sha1
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 1
 anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 2
 anyconnect profiles mineClientProfile disk0:/mineclientprofile.xml
 anyconnect enable
group-policy DfltGrpPolicy attributes
group-policy mineGrpPolicy internal
group-policy mineGrpPolicy attributes
 wins-server none
 dns-server value 8.8.8.8
 vpn-tunnel-protocol ssl-client ssl-clientless
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value acl_split-tunnel
 default-domain value mine.pvt
 split-dns value 8.8.8.8
 split-tunnel-all-dns disable
 address-pools value mine_vpn-pool
 ipv6-address-pools none
 webvpn
  url-list none
  anyconnect firewall-rule client-interface public value outside_access_in
  anyconnect firewall-rule client-interface private value outside_access_in
  anyconnect ask enable default webvpn
username root password xxxxxxxxxxxxxxx encrypted privilege 15
username ME password xxxxxxxxxxxxxx encrypted privilege 0
username ME attributes
 vpn-group-policy mineGrpPolicy
tunnel-group mine_vpn type remote-access
tunnel-group mine_vpn general-attributes
 address-pool (outside) mine_vpn-pool
 address-pool mine_vpn-pool
 default-group-policy mineGrpPolicy
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
!
service-policy global_policy global
prompt hostname context 
no call-home reporting anonymous
Cryptochecksum:90f8b893f5d1380ec9d23007f9509556
: end

Open in new window

0
wsani
Asked:
wsani
1 Solution
 
SorensonCommented:
At quick glance, it appears that you need to exclude the vpn traffic from the nat commands.

try something like this:

access-list nat-zero permit ip 10.20.80.0 255.255.255.0 192.168.54.0 255.255.255.0
access-list nat-zero permit ip 172.25.111.0 255.255.255.0 192.168.54.0 255.255.255.0
nat (inside)  0 access-list nat-zero
nat (management) 0 access-list nat-zero

0
 
wsaniAuthor Commented:
thanks for that. Both of nat commands are deprecated. I ran into this earlier while experimenting.
0
 
SuperTacoCommented:
Try doing a nat expemption rule through the ASDM GUI.  
0

Featured Post

 The Evil-ution of Network Security Threats

What are the hacks that forever changed the security industry? To answer that question, we created an exciting new eBook that takes you on a trip through hacking history. It explores the top hacks from the 80s to 2010s, why they mattered, and how the security industry responded.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now