Attempting to allow access for the IPsec VPN client to the management network. The packet trace stops on VPN encrypt; even though phase 7 states it is NAT EXEMPT, it says it's still trying to NAT through a static. The only thing I can think of is to put a NAT exempt rule for the subnet on the outside interface... Please advise. Thanks.

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 OUTSIDE

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group MANAGEMENT-IN in interface MANAGEMENT
access-list MANAGEMENT-IN extended permit ip any any
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
  match ip MANAGEMENT 10.10.10.0 255.255.255.0 OUTSIDE 172.18.0.32 255.255.255.240
    NAT exempt
    translate_hits = 3, untranslate_hits = 33
Additional Information:

Phase: 8
Type: NAT
Subtype:
Result: ALLOW
Config:
static MANAGEMENT,OUTSIDE 188.8.131.52 10.10.10.10 netmask 255.255.255.255
  match ip MANAGEMENT host 10.10.10.10 OUTSIDE any
    static translation to 184.108.40.206
    translate_hits = 0, untranslate_hits = 1
Additional Information:

Phase: 9
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (MANAGEMENT,OUTSIDE) 220.127.116.11 10.10.10.10 netmask 255.255.255.255
  match ip MANAGEMENT host 10.10.10.10 OUTSIDE any
    static translation to 18.104.22.168
    translate_hits = 0, untranslate_hits = 1
Additional Information:

Phase: 10
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
input-interface: MANAGEMENT
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

------------SNIPPET FROM CONFIG------------------
access-list CorpVPN extended permit ip 10.10.10.0 255.255.255.0 172.18.0.32 255.255.255.240
access-list CorpVPN extended permit ip 172.18.0.32 255.255.255.240 10.10.10.0 255.255.255.0
ip local pool CorpVPN 172.18.0.33-172.18.0.46 mask 255.255.255.240
access-list MANAGEMENT-OUT extended permit tcp 172.18.0.32 255.255.255.240 host 10.10.10.11 eq ssh
access-list MANAGEMENT-OUT extended permit tcp 172.18.0.32 255.255.255.240 host 10.10.10.10 eq ssh
access-list MANAGEMENT-OUT extended permit tcp 172.18.0.32 255.255.255.240 host 10.10.10.13 eq 3389
access-list 101 extended permit ip 10.10.10.0 255.255.255.0 172.18.0.32 255.255.255.240
nat (MANAGEMENT) 0 access-list NO-NAT-FROM-MGMT
access-list NO-NAT-FROM-MGMT extended permit ip 10.10.10.0 255.255.255.0 172.18.0.32 255.255.255.240
access-list CorpVPN extended permit ip 10.10.10.0 255.255.255.0 172.18.0.32 255.255.255.240
access-list CorpVPN extended permit ip 172.18.0.32 255.255.255.240 any
group-policy CorpVPN internal
group-policy CorpVPN attributes
 dns-server value 22.214.171.124
 vpn-simultaneous-logins 8
 vpn-idle-timeout 720
 vpn-tunnel-protocol IPSec l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value CorpVPN
 address-pools value CorpVPN
tunnel-group CorpVPN type remote-access
tunnel-group CorpVPN general-attributes
 address-pool CorpVPN
 default-group-policy CorpVPN
tunnel-group CorpVPN ipsec-attributes
 pre-shared-key
The split tunnel ACL needs to be a standard ACL instead of an extended ACL. Currently you have the following:
access-list CorpVPN extended permit ip 10.10.10.0 255.255.255.0 172.18.0.32 255.255.255.240
access-list CorpVPN extended permit ip 172.18.0.32 255.255.255.240 10.10.10.0 255.255.255.0
Please kindly change it to:
access-list CorpVPN standard permit 10.10.10.0 255.255.255.0
plus any other internal networks that you would like to access from the VPN client. Can you also advise if the MANAGEMENT interface has the "management-only" configuration line? If you do, then please kindly remove it, as you wouldn't be able to pass traffic from the VPN client towards servers connected to the MANAGEMENT interface if it's configured with "management-only". Hope that helps.
Hi Jen, I think I've fixed it with:
same-security-traffic permit intra-interface
Oops, I probably should have checked that. I have set up other VPN group policy split tunnels with extended ACLs with success. What is the reasoning for a standard ACL, if I may ask? Thanks again.
Not too sure how "same-security-traffic permit intra-interface" will fix your issue. That command is only for traffic coming in and out of the same interface. In your case, you are coming into the Outside interface and leaving the MANAGEMENT interface, so that command shouldn't really fix anything. The split tunnel ACL only supports a standard ACL, not an extended ACL. It used to support extended ACLs back in PIX version 6.x and below. However, from ASA version 7.x and above, it has changed to standard ACLs. Even though it might work, it is not officially supported, and if it breaks, you know what it is. Here is the configuration guide that states only standard ACLs are allowed:
http://www.cisco.com/en/US/docs/securit ... #wp1053494
Hope that answers your question.
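As an added example (not from the thread and not Cisco's own tooling), a small Python lint that reads an ASA config fragment and flags the two conditions discussed above: a split-tunnel-network-list that points at an ACL with extended entries, and an address pool whose range is not covered by the destination of a nat 0 exemption ACL. The config text, function name and message wording are constructed for this example; it understands only the classic `nat (ifname) 0 access-list` syntax and `host`/network-mask destinations.

```python
import ipaddress

# Constructed ASA config fragment mirroring the thread: an extended ACL used as
# the split-tunnel list plus a nat 0 exemption on the MANAGEMENT interface.
SAMPLE_CONFIG = """\
access-list CorpVPN extended permit ip 10.10.10.0 255.255.255.0 172.18.0.32 255.255.255.240
access-list CorpVPN extended permit ip 172.18.0.32 255.255.255.240 10.10.10.0 255.255.255.0
ip local pool CorpVPN 172.18.0.33-172.18.0.46 mask 255.255.255.240
nat (MANAGEMENT) 0 access-list NO-NAT-FROM-MGMT
access-list NO-NAT-FROM-MGMT extended permit ip 10.10.10.0 255.255.255.0 172.18.0.32 255.255.255.240
group-policy CorpVPN attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value CorpVPN
 address-pools value CorpVPN
"""

def lint_split_tunnel(config):
    """Return findings: extended split-tunnel lists, and pools missing NAT exemption."""
    acls, pools = {}, {}                      # acl name -> [(kind, tokens)], pool -> (lo, hi)
    split_lists, pool_refs, exempt_acls = set(), set(), set()
    for line in config.splitlines():
        t = line.split()
        if len(t) > 3 and t[0] == "access-list":
            acls.setdefault(t[1], []).append((t[2], t[3:]))
        elif t[:3] == ["ip", "local", "pool"]:
            lo, hi = t[4].split("-")
            pools[t[3]] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
        elif len(t) > 4 and t[0] == "nat" and t[2] == "0" and t[3] == "access-list":
            exempt_acls.add(t[4])             # nat (ifname) 0 access-list NAME
        elif t and t[0] == "split-tunnel-network-list":
            split_lists.add(t[-1])
        elif t and t[0] == "address-pools":
            pool_refs.add(t[-1])
    findings = []
    for name in sorted(split_lists):
        # ASA 7.x+ expects a standard ACL here; any extended entry is flagged
        if any(kind == "extended" for kind, _ in acls.get(name, [])):
            findings.append(f"split-tunnel list {name} has extended entries; use a standard ACL")
    exempt = []                               # destination networks of nat 0 ACLs
    for name in exempt_acls:
        for kind, toks in acls.get(name, []):
            if kind == "extended":            # destination is the last two tokens
                dst = toks[-1] if toks[-2] == "host" else f"{toks[-2]}/{toks[-1]}"
                exempt.append(ipaddress.ip_network(dst, strict=False))
    for name in sorted(pool_refs):
        lo, hi = pools[name]                  # whole pool range must sit inside one exempt net
        if not any(lo in net and hi in net for net in exempt):
            findings.append(f"pool {name} is not covered by a nat 0 exemption ACL")
    return findings
```

Running it on the fragment above reports only the extended split-tunnel list; dropping the nat 0 line additionally reports the uncovered pool.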
OK, so same-security ..... did not fix it. I changed the extended ACL to a standard ACL but it still does not work. I'm seeing this in the logs when I enable logging monitor:
IKE Initiator unable to find policy: Intf OUTSIDE, Src: 10.10.10.10, Dst: 172.18.0.33
Also I just noticed this:
interface GigabitEthernet0/1.10
 description - MANAGEMENT NETWORK , IPS INTERFACES
 vlan 10
 nameif MANAGEMENT
 security-level 100
 ip address 10.10.10.1 255.255.255.0 standby 10.10.10.2
It's not the physical management0/0 interface but a user-created one.