Easyfit asked:
Cisco ASA 5510 AnyConnect is not able to access internal LAN
Hi Guys,
I'm a bit new to the Cisco ASA range of firewalls, and am having a stubborn problem with the AnyConnect configuration.
I have configured the system based on information I have cobbled together from various sources; the result is that I have a webpage that a user can log in to, and it auto-installs the AnyConnect client.
When the user then connects to our site's external IP, AnyConnect goes through its authentication sequence and is issued an IP address from the VPN IP pool. I believe that I even have split-tunneling set up correctly, because the internet is accessible from the computer dialing in.
However, this is where things fall over: I cannot access the internal LAN. I can only ping the internal LAN gateway and nothing more.
I also checked the logs and noticed that whenever I try to ping an internal IP address, the log records the following:
Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:xx.xx.xx.xx/xx dst inside:xx.xx.xx.xx/xx denied due to NAT reverse path failure.
This has been torturing me for days; any help would be appreciated.
Also, below is my config file for you guys to have a look through.
ASA Version 8.2(5)
!
hostname ciscoasa
enable password xxxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxx encrypted
names
name xxx.xxx.xxx.xxx Some ISP
name 10.8.5.102 Av-Control-Computer
!
interface Ethernet0/0
description External Connection to Some ISP
nameif Outside
security-level 0
ip address xxx.xxx.xxx.xxx 255.255.255.252
!
interface Ethernet0/1
description Internal connection to AV Control Network
nameif Inside
security-level 100
no ip address
!
interface Ethernet0/1.2
description AV control Vlan
vlan 200
nameif AV-Control-Vlan
security-level 100
ip address 10.8.5.1 255.255.255.0
!
interface Ethernet0/1.3
vlan 1
nameif Switch-Managment-VLAN
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.2.1 255.255.255.0
management-only
!
ftp mode passive
clock timezone EST 10
clock summer-time EDT recurring last Sun Oct 2:00 last Sun Mar 3:00
object-group service RDP tcp
port-object eq 3389
access-list Inside_access_in extended permit ip any any
access-list AV-Control-Vlan_access_in extended permit ip any any
access-list VPN-EXEMPT-NAT extended permit ip 10.8.5.0 255.255.255.0 10.10.1.0 255.255.255.0
access-list split-tunnel standard permit 10.8.5.0 255.255.255.0
pager lines 24
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu management 1500
mtu AV-Control-Vlan 1500
mtu Switch-Managment-VLAN 1500
ip local pool VPN-IPs 10.10.1.2-10.10.1.50 mask 255.255.255.0
ip verify reverse-path interface Outside
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm location SomeISP-GW 255.255.255.255 Inside
asdm location Av-Control-Computer 255.255.255.255 Inside
no asdm history enable
arp timeout 14400
nat-control
global (Outside) 101 interface
nat (Inside) 0 access-list VPN-EXEMPT-NAT
nat (Outside) 0 access-list VPN-EXEMPT-NAT
nat (Inside) 101 0.0.0.0 0.0.0.0
nat (AV-Control-Vlan) 101 0.0.0.0 0.0.0.0
access-group Inside_access_in in interface Inside
access-group AV-Control-Vlan_access_in in interface AV-Control-Vlan
route Outside 0.0.0.0 0.0.0.0 SomeISP-GW 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.2.0 255.255.255.0 management
http 10.8.5.0 255.255.255.0 AV-Control-Vlan
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca
quit
telnet timeout 5
ssh timeout 5
console timeout 0
management-access AV-Control-Vlan
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 10.8.5.240 source AV-Control-Vlan prefer
webvpn
enable Outside
svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
svc enable
tunnel-group-list enable
group-policy techs internal
group-policy techs attributes
vpn-tunnel-protocol svc
group-policy clientgroup internal
group-policy clientgroup attributes
dns-server value 10.8.5.1
vpn-tunnel-protocol svc
group-lock value VPN-Techs
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split-tunnel
webvpn
svc keep-installer installed
svc rekey time 30
svc rekey method ssl
svc ask none default svc
username testuser password xxxxxxxxxxxxxx encrypted privilege 15
username testuser attributes
vpn-group-policy DfltGrpPolicy
username testuser password xxxxxxxxxxxxxx encrypted privilege 0
username testuser attributes
vpn-group-policy techs
tunnel-group VPN-Techs type remote-access
tunnel-group VPN-Techs general-attributes
address-pool VPN-IPs
default-group-policy clientgroup
tunnel-group VPN-Techs webvpn-attributes
group-alias VPN-Techs_users enable
group-alias techs enable
group-url https://xxx.xxx.xxx.xxx/techs enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
: end
Hope you guys can help
Cheers
Can you post the output of:
ASA# show nat
-=Richard
ASKER
Sorry, that's not possible tonight, as I am at home and have no way to connect into the network :-(
I can, however, grab the info tomorrow and post it. Will you be available to have a look then?
I am on Sydney, AUS time.
Cheers
Peter
No drama Peter, I am in DC and will look at it as soon as I get into work.
Have a good night
Cheers
-=Richard
ASKER
Hi Richard,
OK, I have run the ASA# show nat command and here are the results.
Result of the command: "show nat"
NAT policies on Interface Outside:
match ip Outside 10.8.5.0 255.255.255.0 Outside 10.10.1.0 255.255.255.0
NAT exempt
translate_hits = 0, untranslate_hits = 0
NAT policies on Interface Inside:
match ip Inside 10.8.5.0 255.255.255.0 Outside 10.10.1.0 255.255.255.0
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip Inside 10.8.5.0 255.255.255.0 Inside 10.10.1.0 255.255.255.0
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip Inside 10.8.5.0 255.255.255.0 AV-Control-Vlan 10.10.1.0 255.255.255.0
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip Inside 10.8.5.0 255.255.255.0 Switch-Managment-VLAN 10.10.1.0 255.255.255.0
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip Inside 10.8.5.0 255.255.255.0 management 10.10.1.0 255.255.255.0
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip Inside any Outside any
dynamic translation to pool 101 (xxx.xxx.xxx.xxx [Interface PAT]) ! this IP is the outside ip
translate_hits = 0, untranslate_hits = 0
match ip Inside any Inside any
dynamic translation to pool 101 (No matching global)
translate_hits = 0, untranslate_hits = 0
match ip Inside any AV-Control-Vlan any
dynamic translation to pool 101 (No matching global)
translate_hits = 0, untranslate_hits = 0
match ip Inside any Switch-Managment-VLAN any
dynamic translation to pool 101 (No matching global)
translate_hits = 0, untranslate_hits = 0
match ip Inside any management any
dynamic translation to pool 101 (No matching global)
translate_hits = 0, untranslate_hits = 0
match ip Inside any Outside any
no translation group, implicit deny
policy_hits = 0
NAT policies on Interface AV-Control-Vlan:
match ip AV-Control-Vlan any Outside any
dynamic translation to pool 101 (xxx.xxx.xxx.xxx [Interface PAT]) ! this ip is the outside ip
translate_hits = 1629, untranslate_hits = 29
match ip AV-Control-Vlan any Inside any
dynamic translation to pool 101 (No matching global)
translate_hits = 0, untranslate_hits = 0
match ip AV-Control-Vlan any AV-Control-Vlan any
dynamic translation to pool 101 (No matching global)
translate_hits = 0, untranslate_hits = 0
match ip AV-Control-Vlan any Switch-Managment-VLAN any
dynamic translation to pool 101 (No matching global)
translate_hits = 0, untranslate_hits = 0
match ip AV-Control-Vlan any management any
dynamic translation to pool 101 (No matching global)
translate_hits = 0, untranslate_hits = 0
match ip AV-Control-Vlan any Outside any
no translation group, implicit deny
policy_hits = 0
NAT policies on Interface Switch-Managment-VLAN:
match ip Switch-Managment-VLAN any Outside any
no translation group, implicit deny
policy_hits = 0
NAT policies on Interface management:
match ip management any Outside any
no translation group, implicit deny
policy_hits = 0
I believe the outside NAT is wrong.
Cheers
Peter
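The "show nat" output above shows where the exemption goes wrong: every NAT-exempt entry is attached to Inside or Outside with zero hits, while all the real translation hits (1629/29) are on AV-Control-Vlan, the sub-interface that actually holds the 10.8.5.0/24 LAN. Traffic returning from the LAN to a VPN client therefore never matches an exemption and falls into the dynamic PAT, which is what the "NAT reverse path failure" log line is reporting. The following ASA 8.2 snippet is an added example and not configuration from the thread; the interface, ACL and network names are taken from Peter's config, and binding the exemption to the sub-interface is an assumption about the fix (it matches what Peter later reports doing).

```cisco
! Added example, not the thread's own config. ASA 8.2 syntax.
! Names (VPN-EXEMPT-NAT, AV-Control-Vlan, pool 101) are from the thread;
! the corrected interface bindings are an assumption.
!
! LAN (10.8.5.0/24, behind AV-Control-Vlan) to the AnyConnect pool (10.10.1.0/24).
! An exemption is written from the local side towards the remote side.
access-list VPN-EXEMPT-NAT extended permit ip 10.8.5.0 255.255.255.0 10.10.1.0 255.255.255.0
!
! Remove the exemption from the interfaces that never carry this traffic:
! "Inside" has no IP address (its NAT entries show 0 hits) and "Outside"
! is the wrong side for an exemption written LAN -> pool.
no nat (Inside) 0 access-list VPN-EXEMPT-NAT
no nat (Outside) 0 access-list VPN-EXEMPT-NAT
!
! Bind the exemption to the sub-interface where the LAN actually lives.
! nat 0 (exemption) is evaluated before dynamic NAT on the same interface,
! so the existing PAT to the outside address keeps working for internet traffic.
nat (AV-Control-Vlan) 0 access-list VPN-EXEMPT-NAT
nat (AV-Control-Vlan) 101 0.0.0.0 0.0.0.0
global (Outside) 101 interface
!
! Verification: the exempt entry should now be listed under
! "NAT policies on Interface AV-Control-Vlan", and its untranslate_hits
! should increase while a VPN client talks to a LAN host.
! show nat | include exempt
```

After applying this, a client in 10.10.1.0/24 reaching 10.8.5.0/24 should no longer produce the "Asymmetric NAT rules matched" message; if it still does, "show nat" will show which interface the packet is being matched on.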
Peter,
Good Morning/afternoon!
From looking at your ASA config and your NAT rules, I am trying to clear things up in my head.
Troubleshooting by messenger/email is a pain.
Your outside clients that VPN in have the address of 10.8.5.X, correct? And they connect into 10.10.1.0?
This is the line I am referring to:
access-list VPN-EXEMPT-NAT extended permit ip 10.8.5.0 255.255.255.0 10.10.1.0 255.255.255.0
ASKER
Evening Richard,
No, the other way around.
My bad... Evening.
Can you issue a "sh nat detail"?
ASKER
OK, I figured it out. I cleared all my NAT rules and started afresh: I created a dynamic NAT from my VLAN to the outside and the same for a NAT exemption.
And would you believe it, it works.
Now, I still can't ping anything, but I can VPN in and run an RDP session to any machine on the internal VLAN.
Is there a particular way to enable pinging from the VPN network to the internal VLAN? I tried to do it through the access rules but no joy.
Peter
Awesome!
As for ping: you should allow all ICMP traffic and it should work.
ASKER
Hi Richard,
Not sure what you mean by "allow all ICMP", as I also have the same issue with HTTP/HTTPS.
Surely there is a way to allow select traffic through the VPN?
Cheers
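Two things are being asked in the last exchange: how to let ping cross the tunnel, and how to permit only selected traffic rather than "all ICMP". The snippet below is an added example, not configuration from the thread or from Richard. The group-policy and network names are from Peter's config; the ACL name VPN-TECHS-FILTER and the chosen services are assumptions. It goes beyond the ICMP question by restricting the VPN to a short list of services with a vpn-filter.

```cisco
! Added example, not the thread's own config. ASA 8.2 syntax.
! Group policy "clientgroup", LAN 10.8.5.0/24 and pool 10.10.1.0/24 are from the
! thread; the ACL name VPN-TECHS-FILTER and the service list are assumptions.
!
! 1. Make ICMP stateful. With inspection, an echo-reply is matched to the
!    request that caused it, so ping across the tunnel works without opening
!    ICMP in both directions on the interface ACLs.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! 2. Decrypted VPN traffic bypasses the interface ACLs by default
!    (sysopt connection permit-vpn), which is why editing the access rules had
!    no effect. To permit only selected traffic, attach a vpn-filter to the
!    group policy. A vpn-filter ACL is written from the LAN side towards the
!    client: source = internal network and service port, destination = VPN pool.
access-list VPN-TECHS-FILTER extended permit icmp 10.8.5.0 255.255.255.0 10.10.1.0 255.255.255.0
access-list VPN-TECHS-FILTER extended permit tcp 10.8.5.0 255.255.255.0 eq 3389 10.10.1.0 255.255.255.0
access-list VPN-TECHS-FILTER extended permit tcp 10.8.5.0 255.255.255.0 eq 443 10.10.1.0 255.255.255.0
access-list VPN-TECHS-FILTER extended permit tcp 10.8.5.0 255.255.255.0 eq 80 10.10.1.0 255.255.255.0
! Anything not listed (implicit deny) is dropped for VPN users only;
! the interface ACLs for the LAN itself are unaffected.
group-policy clientgroup attributes
 vpn-filter value VPN-TECHS-FILTER
!
! Verification: connect a client, then
! show vpn-sessiondb svc
! show access-list VPN-TECHS-FILTER   (hit counts per line)
```

If RDP works through the tunnel but ping to the same host does not, the remaining suspect is the host's own firewall rather than the ASA; the access-list hit counts above tell you whether the echo-request reached the ASA's filter at all.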
ASKER
Thanks for the quick response. I kind of had the feeling that NATting was my issue.
However, I'm a bit confused with my current settings and what I need to do to rectify them.
You see, I have an "Inside" interface with no IP, and instead am using a sub-interface which is a VLAN, as you probably noticed. So my confusion lies in how I would go about setting up NAT for that interface (forgive my ignorance).
Which of the above would I need to modify and/or remove?
My guess would be the
"nat (Outside) 0 access-list VPN-EXEMPT-NAT"
Thanks in advance
Peter