Solved

Cisco ASA 5510 Anyconnect is not able to access internal LAN

Posted on 2013-02-04
12
3,995 Views
Last Modified: 2013-02-07
Hi Guys,

I'm a bit new to the Cisco ASA range of firewalls, and am having a stubborn problem with the Anyconnect configuration.

I have configured the system based on information I have cobbled together from various sources, the result is that I have a webpage that a user can login to and it auto installs the Anyconnect client.

When the user then connects to our sites external ip, Anyconnect goes through its authentication sequence and is issued an IP address from the VPN ip pool, I believe that I even have split-tunneling setup correctly because the internet is accessible from the computer dialing in.

However this is where things fall over, I cannot access the internal LAN. I can only ping the internal LAN gateway and nothing more.

I also checked the logs and noticed that whenever I try to ping an internal IP address the log records the following:

Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:xx.xx.xx.xx/xx dst inside:xx.xx.xx.xx/xx denied due to NAT reverse path failure.

This has been torturing me for days, any help would be appreciated.

Also below is my config file for you guys to have a look through.

ASA Version 8.2(5) 
!
hostname ciscoasa
enable password xxxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxx encrypted
names
name xxx.xxx.xxx.xxx Some ISP
name 10.8.5.102 Av-Control-Computer
!
interface Ethernet0/0
 description External Connection to Some ISP
 nameif Outside
 security-level 0
 ip address xxx.xxx.xxx.xxx 255.255.255.252 
!
interface Ethernet0/1
 description Internal connection to  AV Control Network
 nameif Inside
 security-level 100
 no ip address
!
interface Ethernet0/1.2
 description AV control Vlan
 vlan 200
 nameif AV-Control-Vlan
 security-level 100
 ip address 10.8.5.1 255.255.255.0 
!
interface Ethernet0/1.3
 vlan 1
 nameif Switch-Managment-VLAN
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.2.1 255.255.255.0 
 management-only
!
ftp mode passive
clock timezone EST 10
clock summer-time EDT recurring last Sun Oct 2:00 last Sun Mar 3:00
object-group service RDP tcp
 port-object eq 3389
access-list Inside_access_in extended permit ip any any 
access-list AV-Control-Vlan_access_in extended permit ip any any 
access-list VPN-EXEMPT-NAT extended permit ip 10.8.5.0 255.255.255.0 10.10.1.0 255.255.255.0 
access-list split-tunnel standard permit 10.8.5.0 255.255.255.0 
pager lines 24
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu management 1500
mtu AV-Control-Vlan 1500
mtu Switch-Managment-VLAN 1500
ip local pool VPN-IPs 10.10.1.2-10.10.1.50 mask 255.255.255.0
ip verify reverse-path interface Outside
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm location SomeISP-GW 255.255.255.255 Inside
asdm location Av-Control-Computer 255.255.255.255 Inside
no asdm history enable
arp timeout 14400
nat-control
global (Outside) 101 interface
nat (Inside) 0 access-list VPN-EXEMPT-NAT
nat (Outside) 0 access-list VPN-EXEMPT-NAT
nat (Inside) 101 0.0.0.0 0.0.0.0
nat (AV-Control-Vlan) 101 0.0.0.0 0.0.0.0
access-group Inside_access_in in interface Inside
access-group AV-Control-Vlan_access_in in interface AV-Control-Vlan
route Outside 0.0.0.0 0.0.0.0 SomeISP-GW 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.2.0 255.255.255.0 management
http 10.8.5.0 255.255.255.0 AV-Control-Vlan
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca trustpoint _SmartCallHome_ServerCA
 crl configure
crypto ca certificate chain _SmartCallHome_ServerCA
 certificate ca 
  quit
telnet timeout 5
ssh timeout 5
console timeout 0
management-access AV-Control-Vlan
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 10.8.5.240 source AV-Control-Vlan prefer
webvpn
 enable Outside
 svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
 svc enable
 tunnel-group-list enable
group-policy techs internal
group-policy techs attributes
 vpn-tunnel-protocol svc 
group-policy clientgroup internal
group-policy clientgroup attributes
 dns-server value 10.8.5.1
 vpn-tunnel-protocol svc 
 group-lock value VPN-Techs
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel
 webvpn
  svc keep-installer installed
  svc rekey time 30
  svc rekey method ssl
  svc ask none default svc
username testuser password xxxxxxxxxxxxxx encrypted privilege 15
username testuser attributes
 vpn-group-policy DfltGrpPolicy
username testuser password xxxxxxxxxxxxxx encrypted privilege 0
username testuser attributes
 vpn-group-policy techs
tunnel-group VPN-Techs type remote-access
tunnel-group VPN-Techs general-attributes
 address-pool VPN-IPs
 default-group-policy clientgroup
tunnel-group VPN-Techs webvpn-attributes
 group-alias VPN-Techs_users enable
 group-alias techs enable
 group-url https://xxx.xxx.xxx.xxx/techs enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
!
service-policy global_policy global
prompt hostname context 
call-home reporting anonymous
Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
: end

Open in new window


Hope you guys can help

Cheers
0
Comment
Question by:Easyfit
  • 6
  • 6
12 Comments
 
LVL 8

Accepted Solution

by:
R_Edwards earned 500 total points
ID: 38851016
your NAT rules are conflicting, please see the below article it might clear things up for you.

https://supportforums.cisco.com/docs/DOC-12569

hope it helps
-=Richard
0
 

Author Comment

by:Easyfit
ID: 38851093
Hi Richard,

Thanks for the quick response, I kind of had the feeling that NATting was my issue.

However I'm a bit confused with my current settings and what I need to do to rectify them.

You see I have an "inside" interface with no IP, and instead am using a SUB interface which is a VLAN as you probably noticed, so my confusion lies in how I would go about setting up natting for that interface (Forgive my ignorance)

nat (Inside) 0 access-list VPN-EXEMPT-NAT
nat (Outside) 0 access-list VPN-EXEMPT-NAT
nat (Inside) 101 0.0.0.0 0.0.0.0
nat (AV-Control-Vlan) 101 0.0.0.0 0.0.0.0

Open in new window


which of the above would i need to modify and or remove?

my guess would be the

"nat (Outside) 0 access-list VPN-EXEMPT-NAT"

Thanks in advance

Peter
0
 
LVL 8

Expert Comment

by:R_Edwards
ID: 38851179
can you post the output of:

ASA# show nat




-=Richard
0
 

Author Comment

by:Easyfit
ID: 38851199
Sorry, that's not possible tonight.

As I am at home and have no way to connect into the network :-(

I can however grab the info tomorrow and post it, will you be available to have a look then?

I am on Sydney, AUS time

Cheers

Peter
0
 
LVL 8

Expert Comment

by:R_Edwards
ID: 38851251
no drama Peter, I am in DC and will look at it as soon as i get into work.

Have a good night

Cheers
-=Richard
0
 

Author Comment

by:Easyfit
ID: 38853601
Hi Richard,

ok I have run the ASA# Show nat command and here are the results

Result of the command: "show nat"

NAT policies on Interface Outside:
  match ip Outside 10.8.5.0 255.255.255.0 Outside 10.10.1.0 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0

NAT policies on Interface Inside:
  match ip Inside 10.8.5.0 255.255.255.0 Outside 10.10.1.0 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip Inside 10.8.5.0 255.255.255.0 Inside 10.10.1.0 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip Inside 10.8.5.0 255.255.255.0 AV-Control-Vlan 10.10.1.0 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip Inside 10.8.5.0 255.255.255.0 Switch-Managment-VLAN 10.10.1.0 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip Inside 10.8.5.0 255.255.255.0 management 10.10.1.0 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip Inside any Outside any
    dynamic translation to pool 101 (xxx.xxx.xxx.xxx [Interface PAT]) ! this IP is the outside ip
    translate_hits = 0, untranslate_hits = 0
  match ip Inside any Inside any
    dynamic translation to pool 101 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match ip Inside any AV-Control-Vlan any
    dynamic translation to pool 101 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match ip Inside any Switch-Managment-VLAN any
    dynamic translation to pool 101 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match ip Inside any management any
    dynamic translation to pool 101 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match ip Inside any Outside any
    no translation group, implicit deny
    policy_hits = 0

NAT policies on Interface AV-Control-Vlan:
  match ip AV-Control-Vlan any Outside any
    dynamic translation to pool 101 (xxx.xxx.xxx.xxx [Interface PAT]) ! this ip is the outside ip
    translate_hits = 1629, untranslate_hits = 29
  match ip AV-Control-Vlan any Inside any
    dynamic translation to pool 101 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match ip AV-Control-Vlan any AV-Control-Vlan any
    dynamic translation to pool 101 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match ip AV-Control-Vlan any Switch-Managment-VLAN any
    dynamic translation to pool 101 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match ip AV-Control-Vlan any management any
    dynamic translation to pool 101 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match ip AV-Control-Vlan any Outside any
    no translation group, implicit deny
    policy_hits = 0

NAT policies on Interface Switch-Managment-VLAN:
  match ip Switch-Managment-VLAN any Outside any
    no translation group, implicit deny
    policy_hits = 0

NAT policies on Interface management:
  match ip management any Outside any
    no translation group, implicit deny
    policy_hits = 0

Open in new window


I believe the outside nat is wrong,

Cheers

Peter
0
How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

 
LVL 8

Expert Comment

by:R_Edwards
ID: 38854681
Peter,
     Good Morning/afternoon!

from looking at your ASA config and your NAT rules.  I am trying to clear things up in my head.

Troubleshooting by messenger/email is a pain.

your outside clients that VPN in have the address of 10.8.5.X correct?  and they connect into 10.10.1.0?

this is the line i am referring to
access-list VPN-EXEMPT-NAT extended permit ip 10.8.5.0 255.255.255.0 10.10.1.0 255.255.255.0
0
 

Author Comment

by:Easyfit
ID: 38854733
Evening Richard,

No, the other way around
0
 
LVL 8

Expert Comment

by:R_Edwards
ID: 38854813
my bad.. Evening..

can you issue a Sh Nat detail?
0
 

Author Comment

by:Easyfit
ID: 38854845
Ok I figured it out, I cleared all my NAT rules and started afresh, I created a Dynamic nat from my VLAN to the outside and the same for a NAT exemption.

And would you believe it, It works.

Now I still can't ping anything but now I can VPN in and run an RDP session to any machine on the internal VLAN.

is there a particular way to enable pinging from the VPN network to the internal VLAN? I tried to do it through the access rules but no Joy

Peter
0
 
LVL 8

Expert Comment

by:R_Edwards
ID: 38855103
Awesome!

as for ping.. you should allow all ICMP traffic and it should work
0
 

Author Comment

by:Easyfit
ID: 38861626
Hi Richard,

not sure by what you mean with allow all icmp, as i also have the same issue http/https.

Surely there is a way to allow select traffic through the VPN?

Cheers
0

Featured Post

Superior storage. Superior surveillance.

WD Purple drives are built for 24/7, always-on, high-definition security systems. With support for up to 8 hard drives and 32 cameras, WD Purple drives are optimized for surveillance.

Join & Write a Comment

In every aspect, security is essential for your business, and for that matter you need to always keep an eye on it. The same can be said about your computer network system too. Your computer network is prone to various malware and security threats t…
Using in-flight Wi-Fi when you travel? Business travelers beware! In-flight Wi-Fi networks could rip the door right off your digital privacy portal. That’s no joke either, as it might also provide a convenient entrance for bad threat actors.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

14 Experts available now in Live!

Get 1:1 Help Now