Allowing VPN Clients to management network - nat woes

IPsec, L2TP, Split tunneling, PPTP and all other VPN related posts.

Postby Guest » Mon Aug 09, 2010 2:33 am

Attempting to allow access for an IPsec VPN Client to the management network. The packet trace stops on VPN encrypt even though phase 7 states it is NAT EXEMPT; it says it's still trying to NAT through a static. The only thing I can think of is to put a NAT exempt rule for the subnet on the outside interface...

Please advise. Thanks.

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

 

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

 

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         OUTSIDE

 

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group MANAGEMENT-IN in interface MANAGEMENT
access-list MANAGEMENT-IN extended permit ip any any
Additional Information:

 

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

 

Phase: 6
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:

 

Phase: 7
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
  match ip MANAGEMENT 10.10.10.0 255.255.255.0 OUTSIDE 172.18.0.32 255.255.255.240
    NAT exempt
    translate_hits = 3, untranslate_hits = 33
Additional Information:

 

Phase: 8
Type: NAT
Subtype:
Result: ALLOW
Config:
static MANAGEMENT,OUTSIDE 203.23.23.75 10.10.10.10 netmask 255.255.255.255
  match ip MANAGEMENT host 10.10.10.10 OUTSIDE any
    static translation to 203.23.176.75
    translate_hits = 0, untranslate_hits = 1
Additional Information:

 

Phase: 9
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (MANAGEMENT,OUTSIDE) 203.23.23.75 10.10.10.10 netmask 255.255.255.255
  match ip MANAGEMENT host 10.10.10.10 OUTSIDE any
    static translation to 203.23.23.75
    translate_hits = 0, untranslate_hits = 1
Additional Information:

 

Phase: 10
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

 

Result:
input-interface: MANAGEMENT
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

------------SNIPPET FROM CONFIG------------------

 

access-list CorpVPN extended permit ip 10.10.10.0 255.255.255.0 172.18.0.32 255.255.255.240
access-list CorpVPN extended permit ip 172.18.0.32 255.255.255.240 10.10.10.0 255.255.255.0

 

ip local pool CorpVPN 172.18.0.33-172.18.0.46 mask 255.255.255.240

access-list MANAGEMENT-OUT extended permit tcp 172.18.0.32 255.255.255.240 host 10.10.10.11 eq ssh
access-list MANAGEMENT-OUT extended permit tcp 172.18.0.32 255.255.255.240 host 10.10.10.10 eq ssh
access-list MANAGEMENT-OUT extended permit tcp 172.18.0.32 255.255.255.240 host 10.10.10.13 eq 3389

 

access-list 101 extended permit ip 10.10.10.0 255.255.255.0 172.18.0.32 255.255.255.240

 

nat (MANAGEMENT) 0 access-list NO-NAT-FROM-MGMT
access-list NO-NAT-FROM-MGMT extended permit ip 10.10.10.0 255.255.255.0 172.18.0.32 255.255.255.240

 

access-list CorpVPN extended permit ip 10.10.10.0 255.255.255.0 172.18.0.32 255.255.255.240
access-list CorpVPN extended permit ip 172.18.0.32 255.255.255.240 any

 

group-policy CorpVPN internal
group-policy CorpVPN attributes
dns-server value 203.23.23.23
vpn-simultaneous-logins 8
vpn-idle-timeout 720
vpn-tunnel-protocol IPSec l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value CorpVPN
address-pools value CorpVPN

 

tunnel-group CorpVPN type remote-access
tunnel-group CorpVPN general-attributes
address-pool CorpVPN
default-group-policy CorpVPN
tunnel-group CorpVPN ipsec-attributes
pre-shared-key

Guest
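Reading a packet-tracer like the one above by hand gets tedious once you are re-running it after every config change. The script below is an added example written for this page, not code from the original post or from Cisco: it parses the phase list, reports the first phase that returned DROP together with the final Drop-reason, and lists every NAT or NAT-EXEMPT phase the packet matched so you can see in one line which translation the packet actually took. The SAMPLE string is an abbreviated copy of the trace in the post (phases 7, 9 and 10 plus the Result block); the function names are my own, and on a real unit you would feed it the full output of packet-tracer instead.

```python
import re
from dataclasses import dataclass, field

# Abbreviated copy of the packet-tracer output from the post above: phases 7, 9
# and 10 plus the final Result block. The other phases are omitted for brevity.
SAMPLE = """\
Phase: 7
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
  match ip MANAGEMENT 10.10.10.0 255.255.255.0 OUTSIDE 172.18.0.32 255.255.255.240
    NAT exempt
    translate_hits = 3, untranslate_hits = 33
Additional Information:

Phase: 9
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (MANAGEMENT,OUTSIDE) 203.23.23.75 10.10.10.10 netmask 255.255.255.255
  match ip MANAGEMENT host 10.10.10.10 OUTSIDE any
    static translation to 203.23.23.75
    translate_hits = 0, untranslate_hits = 1
Additional Information:

Phase: 10
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
input-interface: MANAGEMENT
output-interface: OUTSIDE
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: list = field(default_factory=list)   # lines under "Config:"

def parse_packet_tracer(text):
    """Split packet-tracer output into Phase records plus the final Result block."""
    phases, final, cur, section = [], {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.fullmatch(r"Phase:\s*(\d+)", line)
        if m:
            cur = Phase(number=int(m.group(1)))
            phases.append(cur)
            section = None
        elif line == "Result:":           # bare header: the final summary starts here
            section, cur = "final", None
        elif section == "final":
            key, _, val = line.partition(":")
            final[key.strip()] = val.strip()
        elif cur is None:
            continue
        elif line.startswith("Type:"):
            cur.type = line[5:].strip()
        elif line.startswith("Subtype:"):
            cur.subtype = line[8:].strip()
        elif line.startswith("Result:"):
            cur.result = line[7:].strip()
        elif line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = None
        elif section == "config":
            cur.config.append(line)
    return phases, final

def first_drop(phases):
    """First phase that returned DROP, or None if the packet was allowed through."""
    return next((p for p in phases if p.result == "DROP"), None)

def nat_phases(phases):
    """Every NAT/NAT-EXEMPT phase matched: (phase number, type, matching rule)."""
    return [(p.number, p.type, p.config[0] if p.config else "")
            for p in phases if p.type in ("NAT", "NAT-EXEMPT")]

def diagnose(text):
    phases, final = parse_packet_tracer(text)
    drop = first_drop(phases)
    return {
        "drop_phase": drop.number if drop else None,
        "drop_at": f"{drop.type}/{drop.subtype}" if drop else None,
        "drop_reason": final.get("Drop-reason"),
        "nat_matches": nat_phases(phases),
    }

if __name__ == "__main__":
    print(diagnose(SAMPLE))
```

On the sample it reports the drop at `VPN/encrypt` with a NAT-EXEMPT hit in phase 7 followed by the static in phase 9, which is the contradiction the post describes; diffing that dictionary between two runs is quicker than comparing ten screens of trace.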
 

Re: Allowing VPN Clients to management network - nat woes

Postby Guest » Mon Aug 09, 2010 2:52 am

Split tunnel ACL needs to be standard ACL instead of extended ACL.


Currently you have the following:

access-list CorpVPN extended permit ip 10.10.10.0 255.255.255.0 172.18.0.32 255.255.255.240
access-list CorpVPN extended permit ip 172.18.0.32 255.255.255.240 10.10.10.0 255.255.255.0

 

Please kindly change it to:

access-list CorpVPN standard permit 10.10.10.0 255.255.255.0

 

plus any other internal networks that you would like to access from the vpn client.

 

Can you also advise if the MANAGEMENT interface has a "management-only" configuration line? If it does, then please kindly remove it, as you wouldn't be able to pass traffic from the VPN client towards servers connected to the MANAGEMENT interface if it's configured with "management-only".

 

Hope that helps.

Guest
 

Re: Allowing VPN Clients to management network - nat woes

Postby Guest » Mon Aug 09, 2010 3:47 am

Hi Jen,

 

I think I've fixed it with:

 

same-security-traffic permit intra-interface

 

Oops, probably should have checked that.

 

I have set up other VPN group policy split tunnels with extended ACLs with success. What is the reasoning for a standard ACL, if I may ask?

 

Thanks again.

Guest
 

Re: Allowing VPN Clients to management network - nat woes

Postby Guest » Mon Aug 09, 2010 5:20 am

Not too sure how "same-security-traffic permit intra-interface" will fix your issue. That command is only for traffic coming in and out of the same interface. In your case, you are coming into the Outside interface and leaving the MANAGEMENT interface, so that command shouldn't really fix anything.

 

Split tunnel ACL only supports standard ACL, not extended ACL. It used to support extended ACL back in PIX version 6.x and below. However, from ASA version 7.x and above, it has changed to standard ACL. Even though it might work, it is not officially supported, and if it breaks, you know what it is.

 

Here is the configuration guide that states only standard ACL is allowed:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/vpngrp.html#wp1053494

 

Hope that answers your question.

Guest
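The two replies above give a rule you can check mechanically before pushing a config: on ASA 7.x and later, whatever `split-tunnel-network-list` points at must be a standard ACL. The linter below is an added example for this page, not code from the thread or from Cisco; the CONFIG_BEFORE and CONFIG_AFTER strings are constructed from the poster's snippet, with the `nat (MANAGEMENT) 0` exemption included so the same pass can check the "nat woes" from the subject line. That second check goes a little beyond the replies: it parses the exempt ACL's destination networks and verifies that one of them actually contains the address pool the group policy hands out, rather than trusting the ACL name. The function names (`lint`, `parse_config`, `_addr`) are my own.

```python
import ipaddress

# Constructed from the poster's snippet: the split-tunnel list is an extended ACL.
CONFIG_BEFORE = """\
access-list CorpVPN extended permit ip 10.10.10.0 255.255.255.0 172.18.0.32 255.255.255.240
access-list CorpVPN extended permit ip 172.18.0.32 255.255.255.240 10.10.10.0 255.255.255.0
ip local pool CorpVPN 172.18.0.33-172.18.0.46 mask 255.255.255.240
nat (MANAGEMENT) 0 access-list NO-NAT-FROM-MGMT
access-list NO-NAT-FROM-MGMT extended permit ip 10.10.10.0 255.255.255.0 172.18.0.32 255.255.255.240
group-policy CorpVPN attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value CorpVPN
 address-pools value CorpVPN
"""

# Same config with the standard ACL the reply recommends.
CONFIG_AFTER = CONFIG_BEFORE.replace(
    "access-list CorpVPN extended permit ip 10.10.10.0 255.255.255.0 172.18.0.32 255.255.255.240\n"
    "access-list CorpVPN extended permit ip 172.18.0.32 255.255.255.240 10.10.10.0 255.255.255.0\n",
    "access-list CorpVPN standard permit 10.10.10.0 255.255.255.0\n",
)

def _addr(tokens, i):
    """Read one ASA address spec (any | host X | net mask) at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2

def parse_config(config):
    """Collect ACL entries, local pools, split-tunnel/pool references and nat 0 rules."""
    acls, pools, split_lists, pool_refs, nat0 = {}, {}, [], [], []
    for raw in config.splitlines():
        t = raw.split()
        if len(t) > 3 and t[0] == "access-list" and t[2] in ("standard", "extended"):
            acls.setdefault(t[1], []).append((t[2], t[3:]))
        elif t[:3] == ["ip", "local", "pool"]:
            first = t[4].split("-")[0]                  # start of the address range
            pools[t[3]] = ipaddress.ip_network(f"{first}/{t[6]}", strict=False)
        elif t[:2] == ["split-tunnel-network-list", "value"]:
            split_lists.append(t[2])
        elif t[:2] == ["address-pools", "value"]:
            pool_refs.append(t[2])
        elif len(t) > 4 and t[0] == "nat" and t[2] == "0" and t[3] == "access-list":
            nat0.append((t[1].strip("()"), t[4]))
    return acls, pools, split_lists, pool_refs, nat0

def lint(config):
    """Return a list of findings; an empty list means both checks passed."""
    acls, pools, split_lists, pool_refs, nat0 = parse_config(config)
    findings = []
    # 1. Split-tunnel network lists must be standard ACLs on ASA 7.x and later.
    for name in split_lists:
        entries = acls.get(name)
        if entries is None:
            findings.append(f"split-tunnel list {name} is referenced but never defined")
            continue
        extended = sum(1 for kind, _ in entries if kind != "standard")
        if extended:
            findings.append(f"split-tunnel list {name} has {extended} extended entries; "
                            "ASA 7.x+ expects a standard ACL")
    # 2. Every nat 0 exemption ACL needs an entry whose destination covers the VPN pool.
    pool_nets = [pools[p] for p in pool_refs if p in pools]
    for iface, name in nat0:
        dsts = []
        for kind, body in acls.get(name, []):
            if kind == "extended" and body[:2] == ["permit", "ip"]:
                _, i = _addr(body, 2)                   # skip the source
                dsts.append(_addr(body, i)[0])
        for pool in pool_nets:
            if not any(pool.subnet_of(d) for d in dsts):
                findings.append(f"nat ({iface}) 0 list {name} does not exempt traffic "
                                f"to VPN pool {pool}")
    return findings

if __name__ == "__main__":
    for label, cfg in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        print(label, lint(cfg) or "OK")
```

Run against a `show running-config` dump it flags the extended split-tunnel list in the "before" config and passes the "after" one; the pool coverage check is what would have caught a nat 0 ACL written for the wrong /28, which a trace like the one in the first post shows as a NAT phase winning over NAT-EXEMPT.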
 

Re: Allowing VPN Clients to management network - nat woes

Postby Guest » Mon Aug 09, 2010 5:42 am

OK, so same-security ..... did not fix it.

 

I changed the extended acl to a standard acl but it still does not work.

 

I'm seeing this in the logs when I enable logging monitor:

 

IKE Initiator unable to find policy: Intf OUTSIDE, Src: 10.10.10.10, Dst: 172.18.0.33

 

Also I just noticed this:

interface GigabitEthernet0/1.10
description - MANAGEMENT NETWORK  , IPS INTERFACES
vlan 10
nameif MANAGEMENT
security-level 100
ip address 10.10.10.1 255.255.255.0 standby 10.10.10.2

 

It's not the physical Management0/0 interface but a user-created one.

Guest