spivy66 (Member, Baldwin, NY; joined 2005-09-16):
ASA VPN config

Help please

I have been banging my head against a wall on this one. Sorry if I posted this twice; my computer had issues.

I set up an SSL VPN on an ASA 6.4 and my remote user connects via the Cisco AnyConnect client, but once connected the user loses internet and cannot ping anything, not even on the remote side. I did some research and tried a NAT ACL, but I just can't figure this out. Below is the error:

5 Nov 08 2014 11:31:32 192.168.36.2 53 Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:10.0.100.1/59436 dst inside:192.168.36.2/53 denied due to NAT reverse path failure

Below is my config; I'm sure it's a NAT rule or an ACL. Thanks for your help.

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2014.11.08 19:24:48 =~=~=~=~=~=~=~=~=~=~=~=

ASA Version 8.2(5)
!
hostname ASAfirewall
enable password whammy encrypted
passwd whammy encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.36.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 1.1.1.1 255.255.255.248
!
banner exec Please do not attempt to access this device unless you are authorized-
banner login Please do not attempt to access this device unless you are authorized-
banner asdm Please do not attempt to access this device unless you are authorized
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup outside
same-security-traffic permit intra-interface
access-list OPEN1 extended permit ip 192.168.36.0 255.255.255.0 any
access-list OPEN standard permit any
access-list OPEN standard permit 192.168.36.0 255.255.255.0
access-list acl extended permit ip any any
access-list acl extended permit icmp any any
access-list inside_nat0_outbound extended permit ip 1.1.1.1 255.255.255.248 interface inside
access-list no_nat extended permit ip 10.10.100.0 255.255.255.0 10.10.200.0 255.255.255.0
pager lines 30
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool pool 10.0.0.1-10.0.0.254 mask 255.255.255.0
ip local pool SSLClientPool 10.0.100.1-10.0.100.80 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
no asdm history enable
arp timeout 14400
global (inside) 2 interface
global (outside) 10 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 access-list acl
nat (inside) 2 192.168.36.0 255.255.255.0
access-group acl in interface inside
access-group acl in interface outside
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
http server enable
http 192.168.36.0 255.255.255.0 inside
http 1.1.1.1 255.255.255.255 outside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=ASAfirewall
crl configure
crypto ca trustpoint localtrust
enrollment self
fqdn sslvpn.whammy.com
subject-name CN=sslvpn.whammy.com
keypair sslvpnkey
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate 2c3a4a54
3082019 72657761 6c6c301e 170d3134 31313038
31353033 ce9e51e e1028fd7
35e0a075 bbb9b60 05050003 8181004d
13417194 c4f1fd84 79201145 75d044db 460e08c7 25a0ad84 d8c55954 a2a53cb7
ee68b439 434ff8f4 6906359f 882eab44 19a45043 ecadc354 8bfd5db5 a7e7f99d
5b1d2498 34932b37 65a24174 c3afe449 7bb75488 87bcd85f 228bd8e0 48260ee2

104e7da6 a1c0f763 176043e9 257473db 2c6a47f8 0025492e 6ba981c1 60c4b4
quit
crypto ca certificate chain localtrust
certificate 2d3a4a54
308201ff 30820168 a0030201 0202042d 3a4a5430 0d06092a 864886f7 0d010105
050bbfe 4df9218f
0cc54bb5 7afe3354 1912e5fa 877e5526 b80dab44 84e678e2 a2e70c0f caf47e96
5275df40 67db1977 7a6021b8 cfab2665 cfebba53 e1a285fe f5f4de98 9bb66204
ba6757ec e3716757 ef2b9d88 28ab1a6e f43b114c 731605f9 8a041ecf 8c4fdef5 2e05a0
quit
telnet timeout 5
ssh scopy enable
ssh 192.168.36.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 20
dhcpd dns 1.1.1.1 1.1.1.1
dhcpd lease 4600
!
dhcpd address 192.168.36.40-192.168.36.100 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ssl trust-point localtrust outside
webvpn
enable outside
svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
svc enable
tunnel-group-list enable
group-policy SSLClient internal
group-policy SSLClient attributes
dns-server value 192.168.36.2
vpn-tunnel-protocol svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list none
default-domain value whammy
split-tunnel-all-dns enable
address-pools value SSLClientPool
group-policy DfltGrpPolicy attributes
dns-server value 192.168.36.2
vpn-simultaneous-logins 1
vpn-tunnel-protocol svc webvpn
username admin password whammy encrypted privilege 15
username skaufman password whammy encrypted privilege 7
username skaufman attributes
service-type remote-access
username cl password whammy encrypted privilege 15
tunnel-group SSLClient type remote-access
tunnel-group SSLClient general-attributes
address-pool SSLClientPool
default-group-policy SSLClient
dhcp-server 192.168.36.2
tunnel-group SSLClient webvpn-attributes
group-alias whammy1 disable
group-alias whammy enable
!
class-map inspection
class-map inspection_default
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global
policy-map global_policy
class inspection_default
inspect icmp
inspect icmp error
!
mount users type cifs
server 192.168.36.2
share files
domain SC
username administrator
password whammy
status enable
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http »tools.cisco.com/its/serv ··· EService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:cb0c126961188b226f5acf32ac0c2c23
: end

ASAfirewall#
creatine8 (Member, Canada; joined 2007-09-05):
From the sounds of it, you need to set up split tunneling. See below for a config example (scroll down for the CLI commands).

»www.cisco.com/c/en/us/su ··· fig.html

You need an access list that defines the subnets your remote clients connect to, and then change "split-tunnel-network-list none" to "split-tunnel-network-list" pointing at the access list you created above.

You will also need a "nat (inside) 0 access-list nonat" line, which defines the traffic that should not be NATted (your VPN IP pool and inside LAN).
spivy66 (Member, Baldwin, NY; joined 2005-09-16):

OK, thanks for the reply. I did play around with split tunneling, but not for that long. I'll read up on the link and let you know my outcome. Thank you.
aryoba (MVM; joined 2002-08-22) to spivy66:
said by spivy66:

global (inside) 2 interface
nat (inside) 2 192.168.36.0 255.255.255.0

These commands don't look right.
spivy66 (Member, Baldwin, NY; joined 2005-09-16):

Can you provide me with the proper commands? All I need is internet access and my VPN to work using the AnyConnect client. Last time I played with NAT my internet broke. Thanks.
spivy66 (Member, Baldwin, NY; joined 2005-09-16):

I made the changes but I'm getting the same issue: the tunnel connects but I can't ping anything. Below is my config...

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2014.11.12 09:12:47 =~=~=~=~=~=~=~=~=~=~=~=
sh run
: Saved
:
ASA Version 8.2(5)
!
hostname ASAfirewall
enable password encrypted
passwd encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.36.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 1.1.1.1 255.255.255.248
!
banner exec Please do not attempt to access this device unless you are authorized-
banner login Please do not attempt to access this device unless you are authorized-
banner asdm Please do not attempt to access this device unless you are authorized
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup outside
same-security-traffic permit intra-interface
access-list OPEN1 extended permit ip 192.168.36.0 255.255.255.0 any
access-list OPEN standard permit any
access-list OPEN standard permit 192.168.36.0 255.255.255.0
access-list acl extended permit ip any any
access-list acl extended permit icmp any any
access-list inside_nat0_outbound extended permit ip 10.10.100.0 255.255.255.0 interface inside
access-list no_nat extended permit ip 10.10.100.0 255.255.255.0 10.10.200.0 255.255.255.0
access-list nonat extended permit ip 192.168.36.0 255.255.255.0 10.0.100.0 255.255.255.0
access-list nonat extended permit ip 10.0.100.0 255.255.255.0 192.168.36.0 255.255.255.0
pager lines 30
logging enable
logging monitor notifications
logging asdm informational
logging class auth monitor emergencies
mtu inside 1500
mtu outside 1500
ip local pool pool 10.0.0.1-10.0.0.254 mask 255.255.255.0
ip local pool SSLClientPool 10.0.100.1-10.0.100.80 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
no asdm history enable
arp timeout 14400
nat-control
global (inside) 2 interface
global (outside) 10 interface
nat (inside) 0 access-list nonat
nat (inside) 10 access-list acl
nat (inside) 2 192.168.36.0 255.255.255.0
nat (inside) 10 0.0.0.0 0.0.0.0
access-group acl in interface inside
access-group acl in interface outside
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
http server enable
http 192.168.36.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
http 1.1.1.1 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=ASAfirewall
crl configure
crypto ca trustpoint localtrust
enrollment self
fqdn sslvpn.schwartzl.com
subject-name CN=sslvpn.schwartzl.com
keypair sslvpnkey
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate 2c3a4a54
308201db 30820144 a0030201 0202042c 3a4a5430 0d06092a 864886f7 0d010105
05003032 31143012 06035504 03130b41 53416669 72657761 6c6c311a 30180609
2a864886 f70d0109 02160b41 53416669 72657761 6c6c301e 170d3134 31313038
31353033 35335a17 0d323431 31303531 35303335 335a3032 31143012 06035504
03130b41 53416669 72657761 6c6c311a 30180609 2a864886 f70d0109 02160b41
53416669 72657761 6c6c3081 9f300d06 092a8648 86f70d01 01010500 03818d00
3228bd8e0 48260ee2
104e7da6 a1c0f763 176043e9 257473db 2c6a47f8 0025492e 6ba981c1 60c4b4
quit
crypto ca certificate chain localtrust
certificate 2d3a4a54
308201ff 30820168 a0030201 0202042d 3a4a5430 0d06092a 864886f7 0d010105
05003044 311d301b 06035504 03131473 736c7670 6e2e7363 68776172 747a6c2e
636f6d31 23302106 092a8648 86f70d01 09021614 73736c76 706e2e73 63687761
72747a6c 2e636f6d 301e170d 31343131 30383135 32393033 5a170d32 34313130
35313532 3930335a 3044311d 301b0603 55040313 1473736c 76706e2e 73636877
6172747a 6c2e636f 6d312330 2106092a 864886f7 0d010902 16147373 6c76706e
2e736368 77617274 7a6c2e63 6f6d3081 9f300d06 092a8648 86f70d01 01010500
18f
0cc54bb5 7afe3354 1912e5fa 877e5526 b80dab44 84e678e2 a2e70c0f caf47e96
5275df40 67db1977 7a6021b8 cfab2665 cfebba53 e1a285fe f5f4de98 9bb66204
ba6757ec e3716757 ef2b9d88 28ab1a6e f43b114c 731605f9 8a041ecf 8c4fdef5 2e05a0
quit
telnet timeout 5
ssh scopy enable
ssh 192.168.36.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 20
dhcpd dns 2.2.2.2 2.2.2.2
dhcpd lease 4600
!
dhcpd address 192.168.36.40-192.168.36.100 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ssl trust-point localtrust outside
webvpn
enable outside
svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
svc profiles SSL disk0:/ssl.xml
svc enable
tunnel-group-list enable
group-policy SSLClient internal
group-policy SSLClient attributes
dns-server value 192.168.36.2
vpn-simultaneous-logins 2
vpn-tunnel-protocol svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value no_nat
default-domain value schwartzl
split-tunnel-all-dns enable
address-pools value SSLClientPool
webvpn
svc keep-installer installed
svc rekey time 30
svc rekey method ssl
svc profiles value SSL
svc ask none default svc
group-policy DfltGrpPolicy attributes
dns-server value 192.168.36.2
vpn-simultaneous-logins 1
vpn-tunnel-protocol svc webvpn
username admin password j8Pp encrypted privilege 15
username skaufman password f5nO encrypted privilege 7
username skaufman attributes
vpn-group-policy SSLClient
service-type admin
webvpn
svc ask enable default webvpn timeout 30
username clutchpc password 8j encrypted privilege 15
tunnel-group SSLClient type remote-access
tunnel-group SSLClient general-attributes
address-pool SSLClientPool
default-group-policy SSLClient
tunnel-group SSLClient webvpn-attributes
group-alias SchwartzL enable
!
class-map inspection
class-map inspection_default
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global
policy-map global_policy
class inspection_default
inspect icmp
inspect icmp error
!
mount users type cifs
server 192.168.36.2
share files
domain SCH
username administrator
password *****
status enable
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http »tools.cisco.com/its/serv ··· EService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:e74287e891225ca02180bbfcec764dcb
: end

ASAfirewall#
creatine8 (Member, Canada; joined 2007-09-05) to spivy66:
The access list for the split tunnel cannot be an extended access list.

Create a standard access list:

access-list split-tunnel standard permit 192.168.36.0 255.255.255.0

and replace

split-tunnel-network-list value no_nat

with

split-tunnel-network-list value split-tunnel

I don't see any other obvious issues.
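As an added example that is not part of the thread and not Cisco's own tooling, here is a small Python linter that encodes the three points raised in creatine8's two replies: a "tunnelspecified" split policy with no network list at all (the first pasted config), a split-tunnel list that is an extended rather than a standard ACL (the second pasted config), and an AnyConnect address pool that no "nat (inside) 0 access-list" entry exempts from NAT, which on 8.2 is the kind of misconfiguration behind a "NAT reverse path failure" message like the one in the first post. It only understands the ACL, pool, interface and group-policy line shapes that appear in the configs above (no object-groups, no port qualifiers). The two sample snippets are constructed from the thread's values and are not either pasted config verbatim.

```python
"""Added example (not from the thread or from Cisco): a minimal linter for ASA 8.2-style
configs covering the thread's points: a tunnelspecified policy with no network list, a split
list that is not a standard ACL, and a VPN pool with no "nat (inside) 0" exemption."""
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")

def _addr(tok, i, ifaces):
    """Parse one ASA address spec at tok[i]; return (network, index after it)."""
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    if tok[i] == "interface":  # "interface inside" -> that nameif's connected subnet
        return ifaces.get(tok[i + 1], ANY), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2

def parse_asa(text):
    """Collect interface subnets, ACLs, address pools, nat 0 lines and group-policy attributes."""
    cfg = {"ifaces": {}, "acls": {}, "pools": {}, "nat0": [], "gp": {}}
    cur_if = cur_gp = None
    for raw in text.splitlines():
        t = raw.split()
        if not t or t[0] == "!":
            continue
        if t[0] == "interface":
            cur_if, cur_gp = {"name": None}, None
        elif t[0] == "nameif" and cur_if is not None:
            cur_if["name"] = t[1]
        elif t[:2] == ["ip", "address"] and cur_if and cur_if["name"]:
            cfg["ifaces"][cur_if["name"]] = ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False)
        elif t[0] == "access-list" and t[2] in ("standard", "extended"):
            acl = cfg["acls"].setdefault(t[1], {"type": t[2], "entries": []})
            if t[2] == "standard":  # access-list NAME standard ACTION SRC
                acl["entries"].append((t[3], _addr(t, 4, cfg["ifaces"])[0], None))
            else:                   # access-list NAME extended ACTION PROTO SRC DST
                src, i = _addr(t, 5, cfg["ifaces"])
                acl["entries"].append((t[3], src, _addr(t, i, cfg["ifaces"])[0]))
        elif t[:3] == ["ip", "local", "pool"]:  # ip local pool NAME START-END mask MASK
            cfg["pools"][t[3]] = ipaddress.ip_network(f"{t[4].split('-')[0]}/{t[6]}", strict=False)
        elif t[0] == "nat" and t[2] == "0" and t[3] == "access-list":
            cfg["nat0"].append((t[1].strip("()"), t[4]))
        elif t[0] == "group-policy" and t[-1] == "attributes":
            cur_gp = cfg["gp"].setdefault(t[1], {"policy": None, "split": None, "pools": []})
        elif t[0] in ("username", "tunnel-group"):  # leaves the group-policy block
            cur_gp = None
        elif cur_gp is not None and t[0] == "split-tunnel-policy":
            cur_gp["policy"] = t[1]
        elif cur_gp is not None and t[0] == "split-tunnel-network-list":
            cur_gp["split"] = None if t[1] == "none" else t[2]
        elif cur_gp is not None and t[0] == "address-pools":
            cur_gp["pools"].append(t[2])
    return cfg

def _nat_exempt(cfg, lan, pool):
    """True if a 'nat (inside) 0' ACL entry permits the inside LAN to reach the pool un-NATted."""
    for acl_name in (a for ifname, a in cfg["nat0"] if ifname == "inside"):
        for action, src, dst in cfg["acls"].get(acl_name, {"entries": []})["entries"]:
            if action == "permit" and dst is not None and lan.subnet_of(src) and pool.subnet_of(dst):
                return True
    return False

def check_remote_access(cfg):
    """Return one finding per problem for every group policy that hands out an address pool."""
    findings = []
    lan = cfg["ifaces"].get("inside")
    for name, gp in cfg["gp"].items():
        split = gp["split"]
        if gp["policy"] == "tunnelspecified" and split is None:
            findings.append(f"{name}: split-tunnel-policy tunnelspecified but no network list")
        elif split is not None and cfg["acls"].get(split, {}).get("type") != "standard":
            findings.append(f"{name}: split-tunnel list '{split}' is missing or not a standard ACL")
        for pool_name in gp["pools"]:
            pool = cfg["pools"].get(pool_name)
            if pool is None or lan is None or not _nat_exempt(cfg, lan, pool):
                findings.append(f"{name}: no nat 0 exemption for {lan} -> {pool} ({pool_name})")
    return findings

# Constructed snippets built from the thread's values (neither pasted config verbatim).
COMMON = """\
interface Vlan1
nameif inside
ip address 192.168.36.1 255.255.255.0
ip local pool SSLClientPool 10.0.100.1-10.0.100.80 mask 255.255.255.0
group-policy SSLClient attributes
split-tunnel-policy tunnelspecified
address-pools value SSLClientPool
"""
BEFORE = COMMON + """\
split-tunnel-network-list value no_nat
access-list no_nat extended permit ip 10.10.100.0 255.255.255.0 10.10.200.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 1.1.1.1 255.255.255.248 interface inside
nat (inside) 0 access-list inside_nat0_outbound
"""
AFTER = COMMON + """\
split-tunnel-network-list value split-tunnel
access-list split-tunnel standard permit 192.168.36.0 255.255.255.0
access-list nonat extended permit ip 192.168.36.0 255.255.255.0 10.0.100.0 255.255.255.0
nat (inside) 0 access-list nonat
"""
```

Running check_remote_access(parse_asa(BEFORE)) reports two findings (the extended "no_nat" split list and the missing exemption for 192.168.36.0/24 to 10.0.100.0/24), and the same call on AFTER reports none. The exemption check looks for the LAN-to-pool direction because, on 8.2, the "nat (inside) 0 access-list" line is evaluated on the inside interface with the LAN as source; an entry in the other direction on that interface does not satisfy it.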
spivy66 (Member, Baldwin, NY; joined 2005-09-16):

creatine!!! You are the man!!! That fixed it! Could you be so kind as to explain those changes and how they made everything work?

And thank you aryoba for your 0.2 cents.