Solved

Cisco ASA Remote Access VPN cannot access Inside network

Posted on 2012-04-05
1,738 Views
Last Modified: 2012-06-27
I have a Remote Access VPN set up to connect to my Cisco ASA 5510. I am able to establish the connection without any problems. I am able to access my DMZ segment and access hosts on that network, but I am not able to access anything on the Inside segment.

I also have some Site to Site VPNs setup on this firewall, and they are working perfectly.

For the Remote Access VPN, I am using Group Policy "NetworkAdminPolicy" and I have "NetworkAdminACL" being applied to that group policy. I have also tried with and without "splittunnel" being set up for the Split Tunneling option for that group policy. When I connect using my user, the AnyConnect VPN client shows that the correct Group Policy and ACL are being applied, but I am not able to access anything on the Inside network. I AM able to access the DMZ, however.

I have posted the sanitized config below:

: Saved
:
ASA Version 8.2(2) 
!
hostname ciscoasa
domain-name xxx.com
enable password xxx encrypted
passwd xxx encrypted
names
name xx.xx.10.162 outsideint
!
interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 192.168.22.1 255.255.255.0 
 ospf cost 10
!
interface Ethernet0/1
 nameif backup
 security-level 0
 ip address xx.xx.59.134 255.255.255.248 
 ospf cost 10
!
interface Ethernet0/2
 nameif DMZ
 security-level 50
 ip address 10.77.111.1 255.255.255.0 
 ospf cost 10
!
interface Ethernet0/3
 nameif outside
 security-level 0
 ip address outsideint 255.255.255.224 
 ospf cost 10
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.11.250 255.255.255.0 
 ospf cost 10
 management-only
!
boot system disk0:/asa822-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup DMZ
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 192.168.22.220
 name-server 192.168.22.250
 domain-name xxx.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service RDP tcp
 description Remote Desktop Protocol (Windows)
 port-object eq 3389
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group network Branch_IPs
 network-object host xxx
 network-object host xxx

object-group network Secure222_Web_Group
 network-object host xxx
 network-object host xxx
 
 group-object Branch_IPs
object-group network DM_INLINE_NETWORK_1
 network-object 10.77.111.0 255.255.255.0
 network-object 192.168.22.0 255.255.255.0
object-group network DM_INLINE_NETWORK_2
 network-object 10.77.111.0 255.255.255.0
 network-object 192.168.22.0 255.255.255.0
object-group network Offices
 network-object host xxx
 network-object host xxx
object-group network DM_INLINE_NETWORK_3
 group-object Branch_IPs
 group-object Offices
object-group icmp-type icmpehcho
 icmp-object echo
 icmp-object echo-reply
access-list outside_access_in extended permit tcp any host xx.xx.10.169 eq 5222 log warnings 
access-list outside_access_in extended permit tcp any interface outside eq 12312 
access-list outside_access_in extended permit tcp object-group DM_INLINE_NETWORK_3 interface outside eq 465 
access-list lan2lan_list extended permit ip 10.77.111.0 255.255.255.0 10.100.111.0 255.255.255.0 log warnings 
access-list outside_access_in_deny extended deny tcp 176.16.0.0 255.255.0.0 host 67.152.76.40 log warnings 
access-list outside_access_in_deny extended deny tcp 10.0.0.0 255.0.0.0 host 67.152.76.40 log warnings 
access-list outside_access_in_deny extended deny tcp 192.168.0.0 255.255.0.0 host 67.152.76.40 log warnings 
access-list nonat extended permit ip 10.77.111.0 255.255.255.0 10.100.111.0 255.255.255.0 log warnings 
access-list nonat extended permit ip 10.77.111.0 255.255.255.0 192.168.50.0 255.255.255.0 log warnings 
access-list nonat extended permit ip 10.77.111.0 255.255.255.0 10.10.12.0 255.255.255.0 
access-list nonat extended permit ip 10.77.111.0 255.255.255.0 192.168.60.0 255.255.255.0 
access-list inside_access_out extended permit tcp 192.168.22.0 255.255.255.0 192.168.33.0 255.255.255.0 log warnings 
access-list inside_access_out extended permit tcp 192.168.5.0 255.255.255.0 192.168.8.0 255.255.255.0 
access-list DeveloperACL extended permit tcp 192.168.50.0 255.255.255.0 host 10.77.111.25 eq 3389 log warnings 
access-list DeveloperACL extended permit tcp 192.168.50.0 255.255.255.0 host 10.77.111.25 eq https log warnings 
access-list DeveloperACL extended permit tcp 192.168.50.0 255.255.255.0 host 10.77.111.15 eq https log warnings 
access-list DeveloperACL extended permit tcp 192.168.50.0 255.255.255.0 host 10.77.111.15 eq www log warnings 
access-list dmz_access_in extended permit ip 10.77.111.0 255.255.255.0 any log 
access-list inside_access_in extended permit ip 192.168.22.0 255.255.255.0 any log 
access-list VPNNoAccessACL extended deny ip any any log warnings 
access-list NetworkAdminACL extended permit tcp 192.168.60.0 255.255.255.0 host 192.168.22.220 eq 3389 log warnings 
access-list NetworkAdminACL extended permit tcp 192.168.60.0 255.255.255.0 host 192.168.22.250 eq www log warnings 
access-list NetworkAdminACL extended permit tcp 192.168.60.0 255.255.255.0 host 10.77.111.240 eq www log warnings 
access-list NetworkAdminACL extended permit tcp 192.168.60.0 255.255.255.0 host 10.77.111.25 eq https log warnings 
access-list NetworkAdminACL extended permit tcp 192.168.60.0 255.255.255.0 host 10.77.111.25 eq 3389 log warnings 
access-list NetworkAdminACL extended permit tcp 192.168.60.0 255.255.255.0 host 192.168.22.1 eq https log warnings 
access-list NetworkAdminACL extended permit ip 192.168.60.0 255.255.255.0 host 192.168.22.250 
access-list NetworkAdminACL extended permit ip 192.168.22.0 255.255.255.0 192.168.60.0 255.255.255.0 
access-list NetworkAdminACL extended permit ip 192.168.44.0 255.255.255.0 192.168.22.0 255.255.255.0 
access-list NetworkAdminACL extended permit ip 192.168.22.0 255.255.255.0 192.168.44.0 255.255.255.0 
access-list NetworkAdminACL extended permit ip 192.168.22.0 255.255.255.0 192.168.22.0 255.255.255.0 
access-list Tunnel_list standard permit 10.77.111.0 255.255.255.0 
access-list Tunnel_list_DMZ standard permit host 10.77.111.25 
access-list Tunnel_list_DMZ standard permit host 10.77.111.15 
access-list DMZ_nat_static extended permit tcp host 10.77.111.50 eq 12345 any 
access-list inside_nat0_outbound extended permit ip 192.168.22.0 255.255.255.0 192.168.44.0 255.255.255.0 log debugging 
access-list inside_nat0_outbound extended permit ip 192.168.22.0 255.255.255.0 10.10.12.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 192.168.22.0 255.255.255.0 192.168.60.0 255.255.255.0 
access-list outside_2_cryptomap extended permit ip 192.168.22.0 255.255.255.0 192.168.44.0 255.255.255.0 log debugging 
access-list outside_cryptomap_2 extended permit ip object-group DM_INLINE_NETWORK_1 192.168.44.0 255.255.255.0 log warnings 
access-list inside_nat_static extended permit tcp host 192.168.22.120 eq 12999 any 
access-list inside_nat_static_1 extended permit tcp host 192.168.22.250 eq 13888 any 
access-list outside_cryptomap extended permit ip object-group DM_INLINE_NETWORK_2 10.10.12.0 255.255.255.0 
access-list DMZ_nat_static_1 extended permit tcp host 10.77.111.78 eq 444 any 
access-list inside_nat_static_2 extended permit tcp host 192.168.22.120 eq www any 
access-list splittunnel standard permit 192.168.22.0 255.255.255.0 
access-list splittunnel standard permit 10.77.111.0 255.255.255.0 
access-list no_nat_vpn extended permit ip 192.168.22.0 255.255.255.0 192.168.70.0 255.255.255.0 
access-list NetworkAdminVPNACL extended permit ip 192.168.60.0 255.255.255.0 192.168.22.0 255.255.255.0 
access-list NetworkAdminVPNACL extended permit ip 192.168.60.0 255.255.255.0 10.77.111.0 255.255.255.0 
access-list AdminWEBACL webtype permit tcp host 192.168.22.250 eq 3389 log default
access-list AdminWEBACL webtype permit tcp host 192.168.22.220 eq 3389 log default
access-list Developer_WebACL webtype permit tcp host 10.77.111.25 eq https log default
access-list NoAccess_WebACL webtype deny url any log default
pager lines 24
logging enable
logging list vpnlog level warnings class vpn
logging list all level warnings
logging trap notifications
logging asdm errors
logging host inside 192.168.22.250
logging permit-hostdown
logging class vpn asdm debugging 
mtu inside 1500
mtu backup 1500
mtu DMZ 1500
mtu outside 1500
mtu management 1500
ip local pool vpninside 192.168.22.30-192.168.22.35 mask 255.255.255.0
ip local pool VPNAddressPool 192.168.50.10-192.168.50.20 mask 255.255.255.0
ip local pool adminaddresspool 192.168.60.10-192.168.60.15 mask 255.255.255.0
ip local pool SSLClientPool 192.168.70.10-192.168.70.30 mask 255.255.255.0
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-625-53.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
nat (DMZ) 0 access-list nonat
nat (DMZ) 101 0.0.0.0 0.0.0.0
nat (management) 101 0.0.0.0 0.0.0.0
static (DMZ,outside) tcp interface 12345 access-list DMZ_nat_static 
static (inside,outside) tcp interface 12348 access-list inside_nat_static 
static (inside,outside) tcp interface 12346 access-list inside_nat_static_1 
static (inside,outside) tcp interface 12347 access-list inside_nat_static_2 
static (DMZ,outside) tcp interface 444 access-list DMZ_nat_static_1 
static (inside,DMZ) 192.168.22.0 192.168.22.0 netmask 255.255.255.0 
static (inside,DMZ) 192.168.44.0 192.168.44.0 netmask 255.255.255.0 
static (DMZ,outside) xx.xx.10.170 10.77.111.50 netmask 255.255.255.255 
static (DMZ,outside) xx.xx.10.169 10.77.111.10 netmask 255.255.255.255 
static (DMZ,outside) xx.xx.10.168 10.77.111.15 netmask 255.255.255.255 
static (DMZ,outside) xx.xx.10.166 10.77.111.25 netmask 255.255.255.255 
access-group inside_access_in in interface inside
access-group dmz_access_in in interface DMZ
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 xx.xx.10.161 2
route inside 192.168.33.0 255.255.255.0 192.168.22.10 1
route outside 192.168.44.0 255.255.255.0 192.168.22.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL 
aaa local authentication attempts max-fail 5
http server enable
http 192.168.11.0 255.255.255.0 management
http 192.168.22.0 255.255.255.0 inside
http 192.168.44.0 255.255.255.0 inside
http BrightHouseInternet 255.255.255.255 outside
snmp-server host inside 192.168.22.120 community ***** version 2c
snmp-server host inside 192.168.22.20 community ***** version 2c
snmp-server location xxx
snmp-server contact xxx
snmp-server community xxx
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac 
crypto ipsec transform-set SecondSet esp-3des esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map l2lmap 1 match address lan2lan_list
crypto map l2lmap 1 set peer xx.xx.xx.66 
crypto map l2lmap 1 set transform-set FirstSet
crypto map l2lmap 2 match address outside_cryptomap_2
crypto map l2lmap 2 set peer xxx 
crypto map l2lmap 2 set transform-set FirstSet
crypto map l2lmap 3 match address outside_cryptomap
crypto map l2lmap 3 set peer xx.xx.111.180 
crypto map l2lmap 3 set transform-set FirstSet
crypto map l2lmap interface outside
crypto ca trustpoint localtrust
 enrollment self
 fqdn sslvpn.mycompany.com
 subject-name CN=sslvpn.mycompany.com
 keypair sslvpnkey
 crl configure
crypto ca trustpoint ASDM_TrustPoint1
 crl configure
crypto ca trustpoint ASDM_TrustPoint3
 enrollment terminal
 subject-name CN=xx.xx.com,O=XXX,C=US,St=XX
 crl configure
crypto ca trustpoint ASDM_TrustPoint2
 enrollment terminal
 crl configure
crypto ca certificate chain localtrust
 certificate xxx
  quit
crypto ca certificate chain ASDM_TrustPoint3
 certificate xxx
  quit
crypto ca certificate chain ASDM_TrustPoint2
 certificate ca xxx
  quit
crypto isakmp identity address 
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200
crypto isakmp reload-wait
telnet timeout 5
ssh timeout 20
ssh version 2
console timeout 0
management-access inside
dhcpd address 192.168.22.160-192.168.22.180 inside
dhcpd dns 192.168.22.220 interface inside
dhcpd lease 172800 interface inside
!
dhcpd domain xxx.local interface backup
!
dhcpd address 192.168.11.251-192.168.11.254 management
!
dhcprelay server 192.168.22.220 inside
priority-queue DMZ
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 129.6.15.29 source outside
ntp server 129.6.15.28 source outside
tftp-server inside 192.168.22.250 d:\share
ssl trust-point ASDM_TrustPoint3 outside
webvpn
 enable outside
 svc image disk0:/anyconnect-dart-win-2.5.1025-k9.pkg 1 regex "Windows NT"
 svc enable
 port-forward xxx 3389 192.168.22.120 3389 rdp
 tunnel-group-list enable
group-policy SSLClient internal
group-policy SSLClient attributes
 dns-server value 192.168.22.220
 vpn-filter value NetworkAdminACL
 vpn-tunnel-protocol svc webvpn
 group-lock value SSLClient
 default-domain value xxx.local
 address-pools value SSLClientPool
 webvpn
  filter value AdminWEBACL
group-policy testvpngrouppolicy internal
group-policy testvpngrouppolicy attributes
 vpn-filter value NetworkAdminACL
 vpn-tunnel-protocol svc 
group-policy DevelopersPolicy internal
group-policy DevelopersPolicy attributes
 banner value Developer VPN Access
 banner value Unauthorized access prohibited
 vpn-idle-timeout 10
 vpn-filter value DeveloperACL
 vpn-tunnel-protocol svc webvpn
 group-lock value sslvpnprofile
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Tunnel_list_DMZ
 address-pools value VPNAddressPool
 webvpn
  url-list value Developers_Bookmarks
  filter value Developer_WebACL
  hidden-shares none
  file-entry disable
  file-browsing disable
  url-entry disable
group-policy DfltGrpPolicy attributes
 banner value Default Group Policy
 vpn-simultaneous-logins 10
 vpn-idle-timeout 15
 vpn-session-timeout 480
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 group-lock value sslvpnprofile
 split-tunnel-network-list value Tunnel_list_DMZ
 webvpn
  filter value NoAccess_WebACL
  svc ask enable default webvpn
  file-entry disable
  file-browsing disable
  url-entry disable
group-policy NetworkAdminPolicy internal
group-policy NetworkAdminPolicy attributes
 banner value Network Admins Group Policy
 banner value Unauthorized access prohibited
 dns-server value 192.168.22.220
 vpn-tunnel-protocol svc webvpn
 group-lock value networkadmingroup
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value splittunnel
 default-domain value xxx.local
 address-pools value adminaddresspool
 webvpn
  url-list value xxx_Bookmarks
  filter none
  file-entry enable
  file-browsing enable
  url-entry enable
  smart-tunnel auto-signon disable
username user1 password xxx encrypted privilege 15
username user1 attributes
 vpn-group-policy NetworkAdminPolicy
 group-lock value networkadmingroup
tunnel-group sslvpnprofile type remote-access
tunnel-group sslvpnprofile general-attributes
 address-pool VPNAddressPool
tunnel-group sslvpnprofile webvpn-attributes
 group-alias SSLVPN enable
 group-alias sslvpnprofile enable
tunnel-group xx.xx.xx.66 type ipsec-l2l
tunnel-group xx.xx.xx.66 ipsec-attributes
 pre-shared-key *****
tunnel-group networkadmingroup type remote-access
tunnel-group networkadmingroup general-attributes
 address-pool adminaddresspool
 default-group-policy NetworkAdminPolicy
tunnel-group networkadmingroup webvpn-attributes
 group-alias NetworkAdmin enable
tunnel-group xx.xx.112.178 type ipsec-l2l
tunnel-group xx.xx.112.178 ipsec-attributes
 pre-shared-key *****
tunnel-group xx.xx.111.180 type ipsec-l2l
tunnel-group xx.xx.111.180 ipsec-attributes
 pre-shared-key *****
tunnel-group testsslvpn type remote-access
tunnel-group testsslvpn general-attributes
 address-pool adminaddresspool
 default-group-policy testvpngrouppolicy
tunnel-group testsslvpn webvpn-attributes
 group-alias TestSSLVPN enable
tunnel-group SSLClient type remote-access
tunnel-group SSLClient general-attributes
 default-group-policy SSLClient
tunnel-group SSLClient webvpn-attributes
 group-alias MY_RA enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
!
service-policy global_policy global
prompt hostname context 
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:xxx
: end


I think it might be a NAT issue, but I have already setup the NAT-exempt rules for Inside traffic.

If you have any ideas, please let me know. Thanks.
Question by:paul_ohm
16 Comments
 

Accepted Solution

by:
dcj21 earned 500 total points
I don't see any errors. NAT looks ok. Is the ASA the ONLY router for the inside subnet?

 Can you post some more info while the remote client is connected.

On the ASA
    show nat
    show ip route

And on the client
    ifconfig
    route -p
 

Author Comment

by:paul_ohm
From the ASA while connected:

show nat:
NAT policies on Interface inside:
  match ip inside 192.168.22.0 255.255.255.0 inside 192.168.4.0 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside 192.168.22.0 255.255.255.0 inside 10.10.12.0 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside 192.168.22.0 255.255.255.0 inside 192.168.60.0 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside 192.168.22.0 255.255.255.0 backup 192.168.4.0 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside 192.168.22.0 255.255.255.0 backup 10.10.12.0 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside 192.168.22.0 255.255.255.0 backup 192.168.60.0 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside 192.168.22.0 255.255.255.0 DMZ 192.168.4.0 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside 192.168.22.0 255.255.255.0 DMZ 10.10.12.0 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside 192.168.22.0 255.255.255.0 DMZ 192.168.60.0 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside 192.168.22.0 255.255.255.0 outside 192.168.4.0 255.255.255.0
    NAT exempt
    translate_hits = 257477, untranslate_hits = 263419
  match ip inside 192.168.22.0 255.255.255.0 outside 10.10.12.0 255.255.255.0
    NAT exempt
    translate_hits = 8, untranslate_hits = 4
  match ip inside 192.168.22.0 255.255.255.0 outside 192.168.60.0 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 266
  match ip inside 192.168.22.0 255.255.255.0 management 192.168.4.0 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside 192.168.22.0 255.255.255.0 management 10.10.12.0 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside 192.168.22.0 255.255.255.0 management 192.168.60.0 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match tcp inside host 192.168.22.120 eq 12999 outside any
    static translation to outsideint/12999
    translate_hits = 6, untranslate_hits = 162
  match tcp inside host 192.168.22.250 eq 13888 outside any
    static translation to outsideint/13888
    translate_hits = 0, untranslate_hits = 2
  match ip inside 192.168.22.0 255.255.255.0 DMZ any
    static translation to 192.168.22.0
    translate_hits = 179364, untranslate_hits = 10615
  match ip inside 192.168.4.0 255.255.255.0 DMZ any
    static translation to 192.168.4.0
    translate_hits = 0, untranslate_hits = 0
  match ip inside any inside any
    dynamic translation to pool 101 (No matching global)
    translate_hits = 64, untranslate_hits = 0
  match ip inside any backup any
    dynamic translation to pool 101 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match ip inside any DMZ any
    dynamic translation to pool 101 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match ip inside any outside any
    dynamic translation to pool 101 (outsideint [Interface PAT])
    translate_hits = 1739015, untranslate_hits = 183581
  match ip inside any management any
    dynamic translation to pool 101 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match ip inside any backup any
    no translation group, implicit deny
    policy_hits = 0
  match ip inside any DMZ any
    no translation group, implicit deny
    policy_hits = 0
  match ip inside any outside any
    no translation group, implicit deny
    policy_hits = 0

NAT policies on Interface DMZ:
  match ip DMZ 10.77.111.0 255.255.255.0 backup 10.100.111.0 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip DMZ 10.77.111.0 255.255.255.0 backup 192.168.50.0 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip DMZ 10.77.111.0 255.255.255.0 backup 10.10.12.0 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip DMZ 10.77.111.0 255.255.255.0 backup 192.168.60.0 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip DMZ 10.77.111.0 255.255.255.0 DMZ 10.100.111.0 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip DMZ 10.77.111.0 255.255.255.0 DMZ 192.168.50.0 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip DMZ 10.77.111.0 255.255.255.0 DMZ 10.10.12.0 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip DMZ 10.77.111.0 255.255.255.0 DMZ 192.168.60.0 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip DMZ 10.77.111.0 255.255.255.0 outside 10.100.111.0 255.255.255.0
    NAT exempt
    translate_hits = 69859, untranslate_hits = 548
  match ip DMZ 10.77.111.0 255.255.255.0 outside 192.168.50.0 255.255.255.0
    NAT exempt
    translate_hits = 6, untranslate_hits = 925
  match ip DMZ 10.77.111.0 255.255.255.0 outside 10.10.12.0 255.255.255.0
    NAT exempt
    translate_hits = 19139, untranslate_hits = 71
  match ip DMZ 10.77.111.0 255.255.255.0 outside 192.168.60.0 255.255.255.0
    NAT exempt
    translate_hits = 1, untranslate_hits = 18
  match ip DMZ host 10.77.111.50 outside any
    static translation to xx.xx.10.170
    translate_hits = 557, untranslate_hits = 1147
  match ip DMZ host 10.77.111.25 outside any
    static translation to xx.xx.10.166
    translate_hits = 487, untranslate_hits = 2207
  match ip DMZ any backup any
    dynamic translation to pool 101 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match ip DMZ any DMZ any
    dynamic translation to pool 101 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match ip DMZ any outside any
    dynamic translation to pool 101 (outsideint [Interface PAT])
    translate_hits = 58833, untranslate_hits = 643
  match ip DMZ any backup any
    no translation group, implicit deny
    policy_hits = 0
  match ip DMZ any outside any
    no translation group, implicit deny
    policy_hits = 0

NAT policies on Interface management:
  match ip management any backup any
    dynamic translation to pool 101 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match ip management any DMZ any
    dynamic translation to pool 101 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match ip management any outside any
    dynamic translation to pool 101 (outsideint [Interface PAT])
    translate_hits = 0, untranslate_hits = 0
  match ip management any management any
    dynamic translation to pool 101 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match ip management any inside any
    dynamic translation to pool 101 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match ip management any backup any
    no translation group, implicit deny
    policy_hits = 0
  match ip management any DMZ any
    no translation group, implicit deny
    policy_hits = 0
  match ip management any outside any
    no translation group, implicit deny
    policy_hits = 0



Show ip route did not work, but:

show route:
ciscoasa(config)# show route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is xx.xx.10.161 to network 0.0.0.0

S    192.168.60.10 255.255.255.255 [1/0] via xx.xx.10.161, outside
C    xx.xx.10.160 255.255.255.224 is directly connected, outside
S    192.168.4.0 255.255.255.0 [1/0] via 192.168.22.1, outside
C    10.77.111.0 255.255.255.0 is directly connected, DMZ
C    192.168.22.0 255.255.255.0 is directly connected, inside
S    192.168.33.0 255.255.255.0 [1/0] via 192.168.22.10, inside
S*   0.0.0.0 0.0.0.0 [2/0] via xx.xx.10.161, outside


 

Author Comment

by:paul_ohm
From the client while connected to a remote wireless network:

ipconfig /all (it's a windows 7 client):
  Wireless LAN adapter Wireless Network Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Dell Wireless 1397 WLAN Mini-Card
   Physical Address. . . . . . . . . : xxxxxxxxxxxx
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::48b2:b92a:8bd2:fdff%11(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.3.113(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Monday, April 09, 2012 3:51:27 PM
   Lease Expires . . . . . . . . . . : Tuesday, April 10, 2012 3:51:28 PM
   Default Gateway . . . . . . . . . : 192.168.3.1
   DHCP Server . . . . . . . . . . . : 192.168.3.1
   DHCPv6 IAID . . . . . . . . . . . : 218914934
   DHCPv6 Client DUID. . . . . . . . : xxxxxxxxxxxx

   DNS Servers . . . . . . . . . . . : 8.8.8.8
                                       8.8.4.4
   NetBIOS over Tcpip. . . . . . . . : Enabled


Ethernet adapter Local Area Connection 8:

   Connection-specific DNS Suffix  . : xxx.local
   Description . . . . . . . . . . . : Cisco AnyConnect VPN Virtual Miniport Adapter for Windows x64
   Physical Address. . . . . . . . . : xxxxxxxxxx
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.60.10(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 192.168.22.220
   NetBIOS over Tcpip. . . . . . . . : Enabled




route print
Interface List
 29...00 05 9a 3c 7a 00 ......Cisco AnyConnect VPN Virtual Miniport Adapter for Windows x64
 53...0c 60 76 35 7a 12 ......Microsoft Virtual WiFi Miniport Adapter
 13...00 ff c7 b0 65 af ......TAP-Win32 Adapter V9
 11...0c 60 76 35 7a 12 ......Dell Wireless 1397 WLAN Mini-Card
 10...00 24 e8 d4 cb 12 ......Realtek RTL8168D/8111D Family PCI-E Gigabit Ethernet NIC (NDIS 6.20)
  1...........................Software Loopback Interface 1
 57...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
 58...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
 24...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
 51...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
 56...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #6
 83...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #7
 55...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #8
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.3.1    192.168.3.113     25
        10.77.111.0    255.255.255.0         On-link     192.168.60.10      2
      10.77.111.255  255.255.255.255         On-link     192.168.60.10    257
   xx.xx.10.162  255.255.255.255      192.168.3.1    192.168.3.113     26
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      192.168.22.0    255.255.255.0         On-link     192.168.60.10      2
    192.168.22.255  255.255.255.255         On-link     192.168.60.10    257
      192.168.3.0    255.255.255.0         On-link     192.168.3.113    281
      192.168.3.1  255.255.255.255         On-link     192.168.3.113     26
    192.168.3.113  255.255.255.255         On-link     192.168.3.113    281
    192.168.3.255  255.255.255.255         On-link     192.168.3.113    281
     192.168.60.0    255.255.255.0         On-link     192.168.60.10    257
    192.168.60.10  255.255.255.255         On-link     192.168.60.10    257
   192.168.60.255  255.255.255.255         On-link     192.168.60.10    257
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link     192.168.3.113    281
        224.0.0.0        240.0.0.0         On-link     192.168.60.10    257
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link     192.168.3.113    281
  255.255.255.255  255.255.255.255         On-link     192.168.60.10    257
===========================================================================
Persistent Routes:
  None

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
 51     58 ::/0                     On-link
===========================================================================
Persistent Routes:
  None


 

Author Comment

by:paul_ohm
Comment Utility
from the VPN client
LVL 4
Expert Comment
by:dcj21
Your inside_nat0_outbound access-list does not list the VPNpool

You need to add
access-list inside_nat0_outbound extended permit ip 192.168.22.0 255.255.255.0 192.168.50.0 255.255.255.0
Author Comment
by:paul_ohm
I am using the "NetworkAdmin" group policy, which is using the "NetworkAdminACL" and "adminaddresspool" which is 192.168.60.0, NOT 192.168.50.0.

The VPNpool is for other users that ONLY need to access the 10.77.111.0 network, and they are able to access that network with no problems. Similarly, when connecting with the NetworkAdmin profile (192.168.60.0), I am able to access the DMZ (10.77.111.0) as well, but not the inside network (192.168.22.0)
Author Comment
by:paul_ohm
You can see in my posts that I am being issued 192.168.60.10 by the VPN Client, so the nat-exempt needs to have 192.168.60.0, which it does. I cannot see anything that's different about the 10.77.111.0 network and the 192.168.22.0 network in terms of nats or routes, which is why I am stumped.
LVL 4
Expert Comment
by:dcj21
I'm out of ideas. Are there any logging or debug messages?
Author Comment
by:paul_ohm
How can I try to debug it from the ASA side? What command would I need to issue to at least see the requests from the .60.0 to the .22.0?
LVL 4
Expert Comment
by:dcj21
Debug commands are by service or protocol and are issued on the command line

The ASDM has a monitoring screen that can show you these also.

Any messages in the logs? (show logging)
Author Comment
by:paul_ohm
OK, I enabled debug level logging and attempted an RDP (port 3389) connection between 192.168.60.10 (VPN Client) and 192.168.22.250. The connection failed, but I did get this line in the log file:

2012-04-10 14:42:53	Local4.Info	192.168.22.1	%ASA-6-302013: Built inbound TCP connection 9619292 for outside:192.168.60.10/11441 (192.168.60.10/11441) to inside:192.168.22.250/3389 (192.168.22.250/3389) (myuser)

This is the only line from the log with mention of port 3389 OR 192.168.22.250. It seems to me like the NAT is working correctly, is that right?

I also attempted an RDP connection to the DMZ host 10.77.111.25 (port 3389) and this was successful. Here is the same line from the logs:

2012-04-10 14:43:11	Local4.Info	192.168.22.1	%ASA-6-302013: Built inbound TCP connection 9619339 for outside:192.168.60.10/11442 (192.168.60.10/11442) to DMZ:10.77.111.25/3389 (10.77.111.25/3389) (myuser)

This line looks the same as the first one except this resulted in a successful connection and the first one did not. I see that both show the inside interface IP (192.168.22.1), but I think that's just because my Syslog server is located on the 192.168.22.0 subnet? Am I missing something simple?
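The two log lines in the post above are the right place to look, and they do say something: a 302013 "Built" record means the ASA already passed the packet through its ACL and NAT checks and forwarded the SYN. What tells the two flows apart is the teardown record that follows, which this thread does not show. The Python below is an added example, not code from the thread or from Cisco: it pairs each 302013 build with its 302014 teardown by connection id and flags flows that timed out with zero bytes, which is the signature of a SYN that was forwarded but never answered. The two build lines are the ones posted above; the two teardown lines are constructed for the example, and their field layout (duration, bytes, reason, user) is assumed from the ASA syslog format rather than taken from this page.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Connection build (302013) and teardown (302014) records. The build pattern is
# written against the two lines posted in this thread; the teardown format is
# assumed from the ASA syslog message reference (sample lines below are constructed).
BUILT_RE = re.compile(
    r"%ASA-6-302013: Built (?:inbound|outbound) TCP connection (?P<id>\d+) "
    r"for (?P<sif>\S+):(?P<sip>[\d.]+)/\d+ \([\d.]+/\d+\) "
    r"to (?P<dif>\S+):(?P<dip>[\d.]+)/(?P<dport>\d+) \([\d.]+/\d+\)"
)
TEARDOWN_RE = re.compile(
    r"%ASA-6-302014: Teardown TCP connection (?P<id>\d+) "
    r"for \S+:[\d.]+/\d+ to \S+:[\d.]+/\d+ "
    r"duration \S+ bytes (?P<bytes>\d+) (?P<reason>[^(]+)"
)


@dataclass
class Flow:
    conn_id: str
    src_if: str
    src: str
    dst_if: str
    dst: str
    dport: int
    reason: Optional[str] = None      # teardown reason, None while still open
    byte_count: Optional[int] = None  # bytes carried, None while still open


def correlate(lines: List[str]) -> Dict[str, Flow]:
    """Pair each build record with its teardown by connection id."""
    flows: Dict[str, Flow] = {}
    for line in lines:
        m = BUILT_RE.search(line)
        if m:
            flows[m["id"]] = Flow(m["id"], m["sif"], m["sip"],
                                  m["dif"], m["dip"], int(m["dport"]))
            continue
        m = TEARDOWN_RE.search(line)
        if m and m["id"] in flows:
            flows[m["id"]].reason = m["reason"].strip()
            flows[m["id"]].byte_count = int(m["bytes"])
    return flows


def suspect_blackholes(flows: Dict[str, Flow]) -> List[Flow]:
    """Flows the ASA accepted and forwarded but that never saw a SYN/ACK:
    SYN Timeout with zero bytes. An ACL drop would have logged a 106023 deny
    instead of a 302013 build, so these point at the return path on the
    destination interface's network rather than at the firewall's policy."""
    return [f for f in flows.values()
            if f.reason == "SYN Timeout" and f.byte_count == 0]


def diagnose(flows: Dict[str, Flow]) -> Dict[str, str]:
    """One-line verdict per connection id."""
    bad = {f.conn_id for f in suspect_blackholes(flows)}
    out: Dict[str, str] = {}
    for f in flows.values():
        if f.reason is None:
            out[f.conn_id] = "still open, no teardown seen"
        elif f.conn_id in bad:
            out[f.conn_id] = (f"no reply from {f.dst_if}:{f.dst}: check that hosts "
                              f"on {f.dst_if} route {f.src} back via the ASA")
        else:
            out[f.conn_id] = f"closed normally ({f.reason}, {f.byte_count} bytes)"
    return out


# Sample input: the two build lines from the thread plus two constructed teardowns.
SAMPLE_LOG = [
    "2012-04-10 14:42:53\tLocal4.Info\t192.168.22.1\t%ASA-6-302013: Built inbound TCP connection 9619292 for outside:192.168.60.10/11441 (192.168.60.10/11441) to inside:192.168.22.250/3389 (192.168.22.250/3389) (myuser)",
    "2012-04-10 14:43:11\tLocal4.Info\t192.168.22.1\t%ASA-6-302013: Built inbound TCP connection 9619339 for outside:192.168.60.10/11442 (192.168.60.10/11442) to DMZ:10.77.111.25/3389 (10.77.111.25/3389) (myuser)",
    # constructed: the inside flow times out with nothing sent, the DMZ flow closes normally
    "2012-04-10 14:43:23\tLocal4.Info\t192.168.22.1\t%ASA-6-302014: Teardown TCP connection 9619292 for outside:192.168.60.10/11441 to inside:192.168.22.250/3389 duration 0:00:30 bytes 0 SYN Timeout (myuser)",
    "2012-04-10 14:51:40\tLocal4.Info\t192.168.22.1\t%ASA-6-302014: Teardown TCP connection 9619339 for outside:192.168.60.10/11442 to DMZ:10.77.111.25/3389 duration 0:08:29 bytes 48213 TCP FINs (myuser)",
]

if __name__ == "__main__":
    for cid, verdict in diagnose(correlate(SAMPLE_LOG)).items():
        print(cid, verdict)
```

Run against a `show logging` export, the verdict for the inside flow separates "the firewall dropped it" (a deny record, nothing built) from "the firewall forwarded it and nobody answered" (built, then SYN Timeout with 0 bytes), which is exactly the distinction that decides whether to keep reading ASA config or go look at the destination network's routing.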
LVL 4
Expert Comment
by:dcj21
Might be an access list issue - the VPN connection is considered 'outside'

Configure Access List Bypass for VPN Connections

When you enable this option, you allow the SSL/IPsec clients to bypass the interface access list.
Try this to not use access lists on VPN

ASDM Procedure

Click Configuration, and then click Remote Access VPN.
Expand Network (Client) Access, and then expand Advanced.
Expand SSL VPN, and choose Bypass Interface Access List.
Ensure the Enable inbound SSL VPN and IPSEC Sessions to bypass interface access lists check box is checked, and click Apply.

Command Line Example

ciscoasa
ciscoasa(config)#sysopt connection permit-vpn

!--- Enable interface access-list bypass for VPN connections.
!--- This example uses the vpn-filter command for access control.

ciscoasa(config-group-policy)#
Author Comment
by:paul_ohm
Thanks for all of your responses so far. Unfortunately, I have this option checked already as I thought of this possibility a while ago. I think if the issue were attributable to an access list, I would have seen another log entry stating that it was denied...
Author Comment
by:paul_ohm
My apologies. It turns out that this was an issue with a separate VPN that our ISP set up between the ISP router between two offices. Therefore, our workstations are configured with a gateway of .22.10 instead of .22.1. So the hosts on the inside had no route to get back to the .60.0 network. When I set up a route through Windows on one of the inside hosts, I was able to connect to it. I will give you the points since you were the only one who answered and you got me looking in the right direction with route print, albeit on the wrong devices. Thanks.
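The resolution above is a return-path problem rather than an ASA one: the inside hosts hand replies for 192.168.60.0/24 to their default gateway .22.10 (the ISP router), which has no route back to the VPN pool, while DMZ hosts presumably default to the ASA and so work. The Python below is an added example, not code from the thread: it performs the longest-prefix lookup an inside host does for a VPN-pool address and reports whether the next hop is the ASA inside interface, then applies the host-route workaround from the post and re-checks. The host routing table is constructed for a hypothetical workstation at 192.168.22.50; the ASA inside address, ISP router address and pool are the ones named in this thread. The same check can be run on rows copied from any `route print` before touching the firewall again.

```python
import ipaddress
from typing import List, Optional, Tuple

# (network destination, netmask, gateway), the three columns of "route print"
Route = Tuple[str, str, str]

ASA_INSIDE = "192.168.22.1"    # ASA inside interface, from the config in this thread
ISP_ROUTER = "192.168.22.10"   # the hosts' actual default gateway, from the resolution
VPN_POOL = "192.168.60.0/24"   # adminaddresspool

# Constructed table for a hypothetical inside workstation at 192.168.22.50.
# "On-link" is how Windows marks directly connected destinations.
HOST_ROUTES: List[Route] = [
    ("0.0.0.0", "0.0.0.0", ISP_ROUTER),
    ("127.0.0.0", "255.0.0.0", "On-link"),
    ("192.168.22.0", "255.255.255.0", "On-link"),
    ("192.168.22.50", "255.255.255.255", "On-link"),
    ("224.0.0.0", "240.0.0.0", "On-link"),
]


def lookup(routes: List[Route], dst: str) -> Optional[Tuple[ipaddress.IPv4Network, str]]:
    """Longest-prefix match: the most specific matching route wins, as in the host's IP stack."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Tuple[ipaddress.IPv4Network, str]] = None
    for dest, mask, gw in routes:
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best


def return_path_ok(routes: List[Route], pool: str, asa_inside: str) -> Tuple[bool, str]:
    """Would a reply to a VPN client leave this host toward the ASA?
    Returns (ok, next hop) for the first usable address in the pool."""
    probe = str(next(ipaddress.ip_network(pool).hosts()))
    hit = lookup(routes, probe)
    if hit is None:
        return False, "no route"
    _, gw = hit
    return gw == asa_inside, gw


def add_pool_route(routes: List[Route], pool: str, asa_inside: str) -> List[Route]:
    """The workaround from the thread as a table change. On the Windows host it is:
       route add 192.168.60.0 mask 255.255.255.0 192.168.22.1"""
    net = ipaddress.ip_network(pool)
    return routes + [(str(net.network_address), str(net.netmask), asa_inside)]


if __name__ == "__main__":
    print("before:", return_path_ok(HOST_ROUTES, VPN_POOL, ASA_INSIDE))
    fixed = add_pool_route(HOST_ROUTES, VPN_POOL, ASA_INSIDE)
    print("after: ", return_path_ok(fixed, VPN_POOL, ASA_INSIDE))
```

A per-host route is a workaround, not a fix: the durable version of the same change is a single static route for the pool on the router at .22.10 pointing at .22.1, so every inside host is covered without touching workstations, at the cost of reply traffic taking an extra hop through that router.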
Author Closing Comment
by:paul_ohm
The issue was internal to our network
LVL 4
Expert Comment
by:dcj21
Thanks! - Don't you just love networking! :-)

Remember, networking is hard; that's why we have a job. You never hear of a toaster engineer.