Allowing VPN Clients to management network - nat woes

IPsec, L2TP, Split tunneling, PPTP and all other VPN related posts.
Guest

Allowing VPN Clients to management network - nat woes

Post by Guest » Mon Aug 09, 2010 3:33 am

Attempting to allow access for the IPsec VPN client to the management network. The packet trace stops on VPN encrypt even though phase 7 states it is NAT EXEMPT; it says it's still trying to NAT through a static. The only thing I can think of is to put a NAT exempt rule for the subnet on the outside interface... Please advise. Thanks.

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         OUTSIDE

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group MANAGEMENT-IN in interface MANAGEMENT
access-list MANAGEMENT-IN extended permit ip any any
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
  match ip MANAGEMENT 10.10.10.0 255.255.255.0 OUTSIDE 172.18.0.32 255.255.255.240
    NAT exempt
    translate_hits = 3, untranslate_hits = 33
Additional Information:

Phase: 8
Type: NAT
Subtype:
Result: ALLOW
Config:
static MANAGEMENT,OUTSIDE 203.23.23.75 10.10.10.10 netmask 255.255.255.255
  match ip MANAGEMENT host 10.10.10.10 OUTSIDE any
    static translation to 203.23.176.75
    translate_hits = 0, untranslate_hits = 1
Additional Information:

Phase: 9
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (MANAGEMENT,OUTSIDE) 203.23.23.75 10.10.10.10 netmask 255.255.255.255
  match ip MANAGEMENT host 10.10.10.10 OUTSIDE any
    static translation to 203.23.23.75
    translate_hits = 0, untranslate_hits = 1
Additional Information:

Phase: 10
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
input-interface: MANAGEMENT
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

------------SNIPPET FROM CONFIG------------------

access-list CorpVPN extended permit ip 10.10.10.0 255.255.255.0 172.18.0.32 255.255.255.240
access-list CorpVPN extended permit ip 172.18.0.32 255.255.255.240 10.10.10.0 255.255.255.0
ip local pool CorpVPN 172.18.0.33-172.18.0.46 mask 255.255.255.240
access-list MANAGEMENT-OUT extended permit tcp 172.18.0.32 255.255.255.240 host 10.10.10.11 eq ssh
access-list MANAGEMENT-OUT extended permit tcp 172.18.0.32 255.255.255.240 host 10.10.10.10 eq ssh
access-list MANAGEMENT-OUT extended permit tcp 172.18.0.32 255.255.255.240 host 10.10.10.13 eq 3389
access-list 101 extended permit ip 10.10.10.0 255.255.255.0 172.18.0.32 255.255.255.240
nat (MANAGEMENT) 0 access-list NO-NAT-FROM-MGMT
access-list NO-NAT-FROM-MGMT extended permit ip 10.10.10.0 255.255.255.0 172.18.0.32 255.255.255.240
access-list CorpVPN extended permit ip 10.10.10.0 255.255.255.0 172.18.0.32 255.255.255.240
access-list CorpVPN extended permit ip 172.18.0.32 255.255.255.240 any
group-policy CorpVPN internal
group-policy CorpVPN attributes
 dns-server value 203.23.23.23
 vpn-simultaneous-logins 8
 vpn-idle-timeout 720
 vpn-tunnel-protocol IPSec l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value CorpVPN
 address-pools value CorpVPN
tunnel-group CorpVPN type remote-access
tunnel-group CorpVPN general-attributes
 address-pool CorpVPN
 default-group-policy CorpVPN
tunnel-group CorpVPN ipsec-attributes
 pre-shared-key
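Added example, not from the thread or from Cisco: a small Python parser for packet-tracer output of the kind pasted above. It splits the trace into phases, reports the phase that dropped the packet together with the ASA's drop reason, and flags the pattern the first post describes, an allowed NAT-EXEMPT phase followed by a static NAT phase for the same flow. The sample trace is constructed (phases 7, 8 and 10 plus the trailer, with the values from the trace above; the other phases are left out).

```python
import re

# Constructed sample in the layout the ASA "packet-tracer" command prints.
# Phases 7, 8, 10 and the trailer reuse the values from the trace above
# (MANAGEMENT 10.10.10.0/24 -> VPN pool 172.18.0.32/28); other phases are left out.
SAMPLE_TRACE = """\
Phase: 7
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
  match ip MANAGEMENT 10.10.10.0 255.255.255.0 OUTSIDE 172.18.0.32 255.255.255.240
    NAT exempt
    translate_hits = 3, untranslate_hits = 33
Additional Information:

Phase: 8
Type: NAT
Subtype:
Result: ALLOW
Config:
static (MANAGEMENT,OUTSIDE) 203.23.23.75 10.10.10.10 netmask 255.255.255.255
  match ip MANAGEMENT host 10.10.10.10 OUTSIDE any
    static translation to 203.23.23.75
    translate_hits = 0, untranslate_hits = 1
Additional Information:

Phase: 10
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
input-interface: MANAGEMENT
output-interface: OUTSIDE
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

PHASE_RE = re.compile(r"^Phase:\s*(\d+)$")


def parse_trace(text):
    """Split packet-tracer output into a list of phase dicts plus the trailing summary."""
    phases, summary = [], {}
    phase, section, in_summary = None, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PHASE_RE.match(line)
        if m:                               # "Phase: N" opens a new phase
            phase = {"number": int(m.group(1)), "type": "", "subtype": "",
                     "result": "", "config": [], "info": []}
            phases.append(phase)
            section = None
        elif line == "Result:":             # a bare "Result:" opens the final summary
            in_summary, phase = True, None
        elif in_summary:
            key, _, val = line.partition(":")
            summary[key.strip()] = val.strip()
        elif phase is None:
            continue                        # text before the first phase
        elif line.startswith(("Type:", "Subtype:", "Result:")):
            key, _, val = line.partition(":")
            phase[key.lower()] = val.strip()
            section = None
        elif line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        elif section:
            phase[section].append(line)     # matched rule lines and hit counters
    return phases, summary


def drop_phase(phases):
    """First phase whose result is DROP, or None if the packet was allowed."""
    return next((p for p in phases if p["result"] == "DROP"), None)


def nat_after_exempt(phases):
    """Numbers of NAT phases evaluated after an allowed NAT-EXEMPT phase: the
    pattern in the trace above, where the exemption matches and the trace still
    walks a static translation for the same host."""
    seen, hits = False, []
    for p in phases:
        if p["type"] == "NAT-EXEMPT" and p["result"] == "ALLOW":
            seen = True
        elif seen and p["type"] == "NAT":
            hits.append(p["number"])
    return hits


def summarize(text):
    """One-line triage: where the packet dropped and the reason the ASA gave."""
    phases, summary = parse_trace(text)
    d = drop_phase(phases)
    if d is None:
        return f"packet allowed through all {len(phases)} phases"
    return (f"dropped in phase {d['number']} ({d['type']}/{d['subtype'] or '-'}), "
            f"{summary.get('input-interface')} -> {summary.get('output-interface')}: "
            f"{summary.get('Drop-reason', 'no drop reason given')}")
```

Paste a full trace into `summarize()` to get the drop phase and reason on one line; `nat_after_exempt()` returns the phase numbers where a static or dynamic translation was still evaluated after the exemption matched, which is the thing worth comparing against the `nat 0 access-list` entries before touching anything else.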

Guest

Re: Allowing VPN Clients to management network - nat woes

Post by Guest » Mon Aug 09, 2010 3:52 am

Split tunnel ACL needs to be a standard ACL instead of an extended ACL. Currently you have the following:

access-list CorpVPN extended permit ip 10.10.10.0 255.255.255.0 172.18.0.32 255.255.255.240
access-list CorpVPN extended permit ip 172.18.0.32 255.255.255.240 10.10.10.0 255.255.255.0

Please kindly change it to:

access-list CorpVPN standard permit 10.10.10.0 255.255.255.0

plus any other internal networks that you would like to access from the VPN client. Can you also advise if the MANAGEMENT interface has a "management-only" configuration line? If you do, then please kindly remove it, as you wouldn't be able to pass traffic from the VPN client towards servers connected to the MANAGEMENT interface if it's configured with "management-only". Hope that helps.

Guest

Re: Allowing VPN Clients to management network - nat woes

Post by Guest » Mon Aug 09, 2010 4:47 am

Hi Jen, I think I've fixed it with: same-security-traffic permit intra-interface. Oops, probably should have checked that. I have set up other VPN group policy split tunnels with extended ACLs with success. What is the reasoning for a standard ACL, if I may ask? Thanks again.

Guest

Re: Allowing VPN Clients to management network - nat woes

Post by Guest » Mon Aug 09, 2010 6:20 am

Not too sure how "same-security-traffic permit intra-interface" will fix your issue. That command is only for traffic coming in and out of the same interface. In your case, you are coming into the OUTSIDE interface and leaving the MANAGEMENT interface, so that command shouldn't really fix anything. Split tunnel ACL only supports standard ACL, not extended ACL. It used to support extended ACL back in PIX version 6.x and below. However, from ASA version 7.x and above, it has changed to standard ACL. Even though it might work, it is not officially supported, and if it breaks, you know what it is. Here is the configuration guide that states only standard ACL is allowed: http://www.cisco.com/en/US/docs/securit ... #wp1053494 Hope that answers your question.
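Added example, not from the thread or from Cisco: a Python lint for the three points raised so far in this thread, that the split-tunnel network list must be a standard ACL on ASA 7.x and later, that a "management-only" interface will not pass VPN client traffic to its hosts, and (from the first post's trace) that the `nat (MANAGEMENT) 0 access-list` exemption has to cover the whole client pool, otherwise those addresses fall through to the static translation. It parses the pre-8.3 style config syntax the thread uses. Both sample configs are constructed: names and addresses follow the thread, but BAD_CONFIG is assembled to trip every check (the 192.0.2.0/24 network in it is a placeholder) and is not the poster's exact configuration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample configs (pre-8.3 "nat 0 access-list" syntax, as in the thread).
# Names and addresses follow the thread; BAD_CONFIG is assembled to trip every
# check below (192.0.2.0/24 is a placeholder) and is not the poster's exact config.
BAD_CONFIG = """\
interface GigabitEthernet0/1.10
 nameif MANAGEMENT
 management-only
access-list CorpVPN extended permit ip 10.10.10.0 255.255.255.0 172.18.0.32 255.255.255.240
access-list CorpVPN extended permit ip 172.18.0.32 255.255.255.240 10.10.10.0 255.255.255.0
access-list NO-NAT-FROM-MGMT extended permit ip 10.10.10.0 255.255.255.0 192.0.2.0 255.255.255.0
nat (MANAGEMENT) 0 access-list NO-NAT-FROM-MGMT
ip local pool CorpVPN 172.18.0.33-172.18.0.46 mask 255.255.255.240
group-policy CorpVPN attributes
 split-tunnel-network-list value CorpVPN
 address-pools value CorpVPN
"""

GOOD_CONFIG = """\
interface GigabitEthernet0/1.10
 nameif MANAGEMENT
access-list CorpVPN standard permit 10.10.10.0 255.255.255.0
access-list NO-NAT-FROM-MGMT extended permit ip 10.10.10.0 255.255.255.0 172.18.0.32 255.255.255.240
nat (MANAGEMENT) 0 access-list NO-NAT-FROM-MGMT
ip local pool CorpVPN 172.18.0.33-172.18.0.46 mask 255.255.255.240
group-policy CorpVPN attributes
 split-tunnel-network-list value CorpVPN
 address-pools value CorpVPN
"""


def _operand(w, i):
    """Parse one ACE address operand (any | host A | A MASK); return (network, next index)."""
    if w[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if w[i] == "host":
        return ipaddress.ip_network(w[i + 1]), i + 2
    return ipaddress.ip_network(f"{w[i]}/{w[i + 1]}", strict=False), i + 2


def parse_config(text):
    """Pull out the ACL, pool, nat 0, group-policy and interface facts the checks use."""
    cfg = {"acl_kinds": defaultdict(set), "ip_aces": defaultdict(list), "pools": {},
           "nat0": {}, "split_acl": {}, "gp_pools": {}, "ifaces": []}
    ctx = None  # ("iface", dict) or ("gp", name) while inside an indented sub-mode
    for raw in text.splitlines():
        w = raw.split()
        if not w:
            continue
        if not raw.startswith(" "):
            ctx = None  # any top-level line ends the current sub-mode
        if ctx and ctx[0] == "iface":
            if w[0] == "nameif":
                ctx[1]["nameif"] = w[1]
            elif w[0] == "management-only":
                ctx[1]["mgmt_only"] = True
        elif ctx and ctx[0] == "gp":
            if w[0] == "split-tunnel-network-list":
                cfg["split_acl"][ctx[1]] = w[2]
            elif w[0] == "address-pools":
                cfg["gp_pools"][ctx[1]] = w[2:]
        elif w[0] == "interface":
            cfg["ifaces"].append({"name": w[1], "nameif": None, "mgmt_only": False})
            ctx = ("iface", cfg["ifaces"][-1])
        elif w[0] == "group-policy" and w[-1] == "attributes":
            ctx = ("gp", w[1])
        elif w[0] == "access-list":
            cfg["acl_kinds"][w[1]].add(w[2])
            if w[2] == "extended" and w[3:5] == ["permit", "ip"]:
                src, i = _operand(w, 5)
                cfg["ip_aces"][w[1]].append((src, _operand(w, i)[0]))
        elif w[:3] == ["ip", "local", "pool"]:
            lo, hi = w[4].split("-")
            cfg["pools"][w[3]] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
        elif w[0] == "nat" and w[2:4] == ["0", "access-list"]:
            cfg["nat0"][w[1].strip("()")] = w[4]
    return cfg


def lint(text):
    """Run the three checks; an empty list means all passed."""
    cfg = parse_config(text)
    out = []
    # 1. split-tunnel-network-list must name a standard ACL (ASA 7.x and later).
    for gp, acl in cfg["split_acl"].items():
        kinds = cfg["acl_kinds"].get(acl, set())
        if kinds != {"standard"}:
            desc = "/".join(sorted(kinds)) or "undefined"
            out.append(f"split-tunnel: group-policy {gp} uses ACL {acl} ({desc}), not standard")
    # 2. each nat 0 exemption list must cover the whole client pool as destination;
    #    pool addresses it misses fall through to the static/dynamic NAT rules.
    for gp, names in cfg["gp_pools"].items():
        for name in names:
            if name not in cfg["pools"]:
                out.append(f"pool: group-policy {gp} references undefined pool {name}")
                continue
            lo, hi = cfg["pools"][name]
            for iface, acl in cfg["nat0"].items():
                if not any(lo in dst and hi in dst for _, dst in cfg["ip_aces"].get(acl, [])):
                    out.append(f"nat-exempt: nat ({iface}) 0 access-list {acl} misses pool {name} ({lo}-{hi})")
    # 3. a management-only interface will not forward VPN client traffic to its hosts.
    for iface in cfg["ifaces"]:
        if iface["mgmt_only"]:
            out.append(f"interface: {iface['name']} (nameif {iface['nameif']}) is management-only")
    return out
```

Feed `lint()` the text of `show running-config`; it reports each finding as a one-line string prefixed with the check that produced it. Check 2 relies on the pre-8.3 NAT order, where a matching `nat 0 access-list` entry wins over a `static`, so a pool range that the exemption ACL does not fully cover is exactly the case where the trace shows the exemption phase and then a static translation anyway.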

Guest

Re: Allowing VPN Clients to management network - nat woes

Post by Guest » Mon Aug 09, 2010 6:42 am

OK, so same-security ..... did not fix it. I changed the extended ACL to a standard ACL but it still does not work. I'm seeing this in the logs when I enable logging monitor:

IKE Initiator unable to find policy: Intf OUTSIDE, Src: 10.10.10.10, Dst: 172.18.0.33

Also I just noticed this:

interface GigabitEthernet0/1.10
 description - MANAGEMENT NETWORK  , IPS INTERFACES
 vlan 10
 nameif MANAGEMENT
 security-level 100
 ip address 10.10.10.1 255.255.255.0 standby 10.10.10.2

It's not the physical Management0/0 interface but a user-created one.
