I put a ‘net use’ command in a logon script for a client today, and the drive refused to appear. So I executed the offending line and saw the following error:
System error 1935 has occurred
The computer you are signing into is protected by an authentication firewall. The specified account is not allowed to authenticate to the computer.
Solution
This error is seen because the user (or a group the user is a member of) has been granted the correct rights to access the share, BUT the share is in another domain, and even though that domain trusts the one the user is coming from, the trust was set up with ‘Selective Authentication’. With selective authentication, being trusted is not enough: every computer in the trusting domain that the user needs to reach must explicitly grant that user (or group) the ‘Allowed to authenticate’ right, otherwise the domain controller refuses the logon with error 1935 before share permissions are ever evaluated.
Go to the domain that’s providing the share, log into a domain controller > Open ‘Active Directory Users and Computers’ > View > Advanced Features > Locate the COMPUTER you are trying to authenticate TO > Properties > Security > Add in the user (or group) that requires access > Grant the “Allowed to authenticate” right > Apply > OK.
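The same change done from PowerShell, as an added example (this is not from the original article): it confirms the trust really is selective, grants the ‘Allowed to authenticate’ control access right on the computer object, and reads the ACL back so you can see the ACE landed. The computer name FILESRV01 and the group PARTNER\Share-Users are assumptions for illustration; run it on a DC (or an RSAT workstation) in the domain that hosts the share, as someone who can edit that computer object’s security.

```powershell
# Added example (not from the original article): grant a trusted-domain group the
# 'Allowed to authenticate' right on a computer object in the share-hosting domain.
# FILESRV01 and PARTNER\Share-Users are assumed names; change them to suit.
Import-Module ActiveDirectory

$ComputerName = 'FILESRV01'             # assumed: the server hosting the share
$TrustedGroup = 'PARTNER\Share-Users'   # assumed: group in the trusted domain

# Control access right GUID for 'Allowed-To-Authenticate' (from the AD schema)
$AllowedToAuthGuid = [Guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'

# 1. Confirm which trusts use selective authentication (the cause of error 1935).
Get-ADTrust -Filter * |
    Select-Object Name, Direction, SelectiveAuthentication

# 2. Resolve the group to a SID and build an Allow ACE for the extended right.
$sid = (New-Object System.Security.Principal.NTAccount($TrustedGroup)).Translate(
           [System.Security.Principal.SecurityIdentifier])
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
           $sid,
           [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
           [System.Security.AccessControl.AccessControlType]::Allow,
           $AllowedToAuthGuid)

# 3. Apply it to the computer object via the AD: PSDrive the module provides.
$computer = Get-ADComputer -Identity $ComputerName
$path = "AD:\$($computer.DistinguishedName)"
$acl  = Get-Acl -Path $path
$acl.AddAccessRule($ace)
Set-Acl -Path $path -AclObject $acl

# 4. Verify: list every ACE on the object that grants this specific right.
(Get-Acl -Path $path).Access |
    Where-Object { $_.ObjectType -eq $AllowedToAuthGuid -and
                   $_.AccessControlType -eq 'Allow' } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType
```

Granting the right to a group rather than to individual users keeps the computer object’s ACL manageable, and step 4 is the same check you would do in ADUC (View > Advanced Features > Security) after the change.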
Related Articles, References, Credits, or External Links
I see this get asked in forums A LOT, so I thought I’d get around to getting it written up. If you have an existing VPN to a remote site and then need to add another network, how do you do it?
Well, that depends on where the new network is, and how it’s entering the firewall. These diagrams can be either way round, but the new network will either be coming into the ASA on the same interface (i.e. you’ve spun up a new network for phones, or a new department etc.), or the traffic will be coming into the ASA through a different interface (like a DMZ, or a partner network).
Note: The process for adding the new network is the same for both, BUT depending on which interface the new traffic is coming in on, this will change your NAT command.
Solution
Option A: New Network is on a Different Interface
Let’s flesh our diagram out a bit, to make things easier to explain:
Tasks on ASA-1
Locate the ACL that’s handling the site to site VPN and add the new network to it.
Locate the NAT Exemption for the site to site VPN and add a new one for the new interface.
Locate the ACL that’s handling the VPN: This will be declared in the crypto map that points to the other ASA (203.0.113.100)
[box]
ASA-1# show run crypto map
crypto map PNL-MAP 1 match address VPN-BACKUP-TRAFFIC
crypto map PNL-MAP 1 set pfs
crypto map PNL-MAP 1 set peer 123.123.123.123
crypto map PNL-MAP 1 set ikev1 transform-set ESP-AES-128-SHA
crypto map PNL-MAP 1 set security-association lifetime kilobytes unlimited
crypto map PNL-MAP 2 match address VPN-INTERESTING-TRAFFIC
crypto map PNL-MAP 2 set pfs
crypto map PNL-MAP 2 set peer 203.0.113.100
crypto map PNL-MAP 2 set ikev1 transform-set VPN-TRANSFORM
crypto map PNL-MAP interface outside
[/box]
From the output above we can see that the ACL for this VPN is called VPN-INTERESTING-TRAFFIC; yours will probably have a less friendly name. Let’s see what that’s doing.
[box]
ASA-1# show run access-list VPN-INTERESTING-TRAFFIC
access-list VPN-INTERESTING-TRAFFIC extended permit ip object Obj-Local-LAN object Obj-Remote-LAN
[/box]
Again I’ve got nice neat groups, yours may simply have the networks listed, let’s check those objects marry up with the subnets we expect.
[box]
ASA-1# show run object id Obj-Local-LAN
object network Obj-Local-LAN
subnet 192.168.1.0 255.255.255.0
ASA-1# show run object id Obj-Remote-LAN
object network Obj-Remote-LAN
subnet 192.168.2.0 255.255.255.0
[/box]
So now create an object for the new network and add it to the existing ACL.
Tasks on ASA-2
Locate the ACL that’s handling the site to site VPN and add the new network to it.
Locate the NAT Exemption for the site to site VPN and add the new network to it.
Locate the ACL that’s handling the VPN: This will be declared in the crypto map that points to the other ASA (203.0.113.1)
[box]
ASA-2# show run crypto map
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 203.0.113.1
crypto map outside_map 1 set ikev1 transform-set VPN-TRANSFORM
crypto map outside_map interface outside
[/box]
From the output above we can see that the ACL for this VPN is called outside_cryptomap_1. Let’s see what that’s doing.
[box]
ASA-2# show run access-list outside_cryptomap_1
access-list outside_cryptomap_1 extended permit ip object Obj-Local-LAN object Obj-Remote-LAN
[/box]
I’ve got nice neat groups, yours may simply have the networks listed, let’s check those objects marry up with the subnets we expect.
[box]
ASA-2# show run object id Obj-Local-LAN
object network Obj-Local-LAN
subnet 192.168.2.0 255.255.255.0
ASA-2# show run object id Obj-Remote-LAN
object network Obj-Remote-LAN
subnet 192.168.1.0 255.255.255.0
[/box]
So now create an object for the new network and add it to the existing ACL.
DON’T FORGET to save the config on both firewalls with a ‘write mem‘ command!
Option B: New Network is on the Same Interface
Let’s flesh our diagram out a bit, to make things easier to explain:
Tasks on ASA-1
Locate the ACL that’s handling the site to site VPN and add the new network to it.
Locate the NAT Exemption for the site to site VPN and add the new network to it.
Locate the ACL that’s handling the VPN: This will be declared in the crypto map that points to the other ASA (203.0.113.100)
[box]
ASA-1# show run crypto map
crypto map PNL-MAP 1 match address VPN-BACKUP-TRAFFIC
crypto map PNL-MAP 1 set pfs
crypto map PNL-MAP 1 set peer 123.123.123.123
crypto map PNL-MAP 1 set ikev1 transform-set ESP-AES-128-SHA
crypto map PNL-MAP 1 set security-association lifetime kilobytes unlimited
crypto map PNL-MAP 2 match address VPN-INTERESTING-TRAFFIC
crypto map PNL-MAP 2 set pfs
crypto map PNL-MAP 2 set peer 203.0.113.100
crypto map PNL-MAP 2 set ikev1 transform-set VPN-TRANSFORM
crypto map PNL-MAP interface outside
[/box]
From the output above we can see that the ACL for this VPN is called VPN-INTERESTING-TRAFFIC; yours will probably have a less friendly name. Let’s see what that’s doing.
[box]
ASA-1# show run access-list VPN-INTERESTING-TRAFFIC
access-list VPN-INTERESTING-TRAFFIC extended permit ip object Obj-Local-LAN object Obj-Remote-LAN
[/box]
Again I’ve got nice neat groups, yours may simply have the networks listed, let’s check those objects marry up with the subnets we expect.
[box]
ASA-1# show run object id Obj-Local-LAN
object network Obj-Local-LAN
subnet 192.168.1.0 255.255.255.0
ASA-1# show run object id Obj-Remote-LAN
object network Obj-Remote-LAN
subnet 192.168.2.0 255.255.255.0
[/box]
So now create an object for the new network and add it to the existing ACL.
Tasks on ASA-2
Locate the ACL that’s handling the site to site VPN and add the new network to it.
Locate the NAT Exemption for the site to site VPN and add the new network to it.
Locate the ACL that’s handling the VPN: This will be declared in the crypto map that points to the other ASA (203.0.113.1)
[box]
ASA-2# show run crypto map
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 203.0.113.1
crypto map outside_map 1 set ikev1 transform-set VPN-TRANSFORM
crypto map outside_map interface outside
[/box]
From the output above we can see that the ACL for this VPN is called outside_cryptomap_1. Let’s see what that’s doing.
[box]
ASA-2# show run access-list outside_cryptomap_1
access-list outside_cryptomap_1 extended permit ip object Obj-Local-LAN object Obj-Remote-LAN
[/box]
I’ve got nice neat groups, yours may simply have the networks listed, let’s check those objects marry up with the subnets we expect.
[box]
ASA-2# show run object id Obj-Local-LAN
object network Obj-Local-LAN
subnet 192.168.2.0 255.255.255.0
ASA-2# show run object id Obj-Remote-LAN
object network Obj-Remote-LAN
subnet 192.168.1.0 255.255.255.0
[/box]
So now create an object for the new network and add it to the existing ACL.
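The actual commands for the steps above, on both firewalls, as an added example that is not the article’s own config. It assumes the new network is 192.168.3.0/24, that it gets an object called Obj-New-LAN, and, for Option A, that the extra interface on ASA-1 is named DMZ; the existing object and ACL names are the ones shown in the outputs above. It covers Option A and Option B, which differ only in the interface named in the ASA-1 NAT exemption.

```text
! Added example (not the article's own config). 192.168.3.0/24, Obj-New-LAN and
! the DMZ interface name are assumptions.
!
! ---- ASA-1 (the end that owns the new network) ----
object network Obj-New-LAN
 subnet 192.168.3.0 255.255.255.0
!
! Crypto ACL: add a line to the SAME ACL the crypto map references; do not create a new one
access-list VPN-INTERESTING-TRAFFIC extended permit ip object Obj-New-LAN object Obj-Remote-LAN
!
! NAT exemption, Option B (new network arrives on the same interface as 192.168.1.0):
nat (inside,outside) source static Obj-New-LAN Obj-New-LAN destination static Obj-Remote-LAN Obj-Remote-LAN no-proxy-arp route-lookup
!
! NAT exemption, Option A (new network arrives on a different interface, here DMZ):
! only the ingress interface changes; any inbound ACL on DMZ must also permit the traffic
nat (DMZ,outside) source static Obj-New-LAN Obj-New-LAN destination static Obj-Remote-LAN Obj-Remote-LAN no-proxy-arp route-lookup
!
! ---- ASA-2 (the far end) ----
! Here 192.168.3.0/24 is a REMOTE network, so it sits on the destination side
object network Obj-Remote-LAN-2
 subnet 192.168.3.0 255.255.255.0
access-list outside_cryptomap_1 extended permit ip object Obj-Local-LAN object Obj-Remote-LAN-2
nat (inside,outside) source static Obj-Local-LAN Obj-Local-LAN destination static Obj-Remote-LAN-2 Obj-Remote-LAN-2 no-proxy-arp route-lookup
!
! ---- Both ends ----
! If the new subnet does not come up, tear down the existing SA to the peer so the
! new proxy IDs are negotiated (ASA-1 uses the ASA-2 address, ASA-2 uses ASA-1's)
clear crypto ipsec sa peer 203.0.113.100
write mem
```

The crypto ACL entries must mirror each other exactly (what is source on one side is destination on the other), and the NAT exemption must match the same pair of objects, otherwise one direction of the traffic is translated and the tunnel’s proxy IDs never match.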
Here I’m dealing with AnyConnect VPNs, but the principles are exactly the same for both remote IPSEC and L2TP VPNs. You connect to your VPN and can no longer browse the internet from your remote location.
You can confirm that split-tunnelling is working or not by connecting with your VPN client and looking at the routing information.
Solution
Before proceeding are you sure Split-Tunnelling has ever been setup and configured? See the following article.
From the output above, we know the name of the Group Policy and the Tunnel Group. The fact we can see BOTH is an indication that the tunnel group is setup correctly, but it does no harm to check.
[box]
Petes-ASA# show run tunnel-group ANYCONNECT-PROFILE
tunnel-group ANYCONNECT-PROFILE type remote-access
tunnel-group ANYCONNECT-PROFILE general-attributes
address-pool ANYCONNECT-POOL
default-group-policy GroupPolicy_ANYCONNECT-PROFILE
tunnel-group ANYCONNECT-PROFILE webvpn-attributes
group-alias ANYCONNECT-PROFILE enable
Petes-ASA#
[/box]
Then check that that group-policy has enabled split tunnelling, and referenced the correct access control list.
[box]
Petes-ASA# show run group-policy GroupPolicy_ANYCONNECT-PROFILE
group-policy GroupPolicy_ANYCONNECT-PROFILE internal
group-policy GroupPolicy_ANYCONNECT-PROFILE attributes
wins-server none
dns-server value 8.8.8.8 8.8.4.4
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT-TUNNEL
default-domain value petenetlive.com
webvpn
anyconnect profiles value testbench type user
Petes-ASA#
[/box]
Finally take the ACL name (SPLIT-TUNNEL) and make sure that’s OK.
[box]
Petes-ASA# show run access-list SPLIT-TUNNEL
access-list SPLIT-TUNNEL standard permit 192.168.110.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit 192.168.115.0 255.255.255.0
[/box]
Troubleshoot Split Tunnel From ASDM
As above connect a remote AnyConnect client > Monitoring > VPN > VPN Statistics > Sessions > AnyConnect Client > Select your connected client > Details.
Note: The info we actually want, is shown on this screen, but let’s look at the session anyway.
Now you can see the Group Policy and Connection Profile that’s been applied to this user.
Configuration > Remote Access VPN > AnyConnect Connection Profiles > Select the one shown above > Edit.
Check the Group-Policy is correct, (Note: You can manage it directly from here, but I will take the long way round).
Configuration > Remote Access VPN > Network (Client Access) > Group Policies > Select the one shown above > Edit.
Advanced > Split Tunneling > Ensure ‘Inherit’ next to Policy is unticked and the policy is set to ‘Tunnel Network List Below’ > Ensure ‘Inherit’ next to Network List is unticked and it is set to the name of your split tunnel ACL > Manage.
Make sure the network(s) or IP addresses behind your ASA, that you want to access over the VPN, are listed.
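The same three settings as config, with the value that produces the ‘no internet once connected’ symptom beside the working one, as an added example that is not the article’s own config. It reuses the group-policy and ACL names from the outputs above; the user name pete in the last command is an assumption.

```text
! Added example (not the article's config). Group-policy/ACL names match the article;
! the user name 'pete' is assumed.
!
! A STANDARD ACL naming only the networks behind the ASA that should be tunnelled;
! everything not listed stays on the client's local connection.
access-list SPLIT-TUNNEL standard permit 192.168.110.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit 192.168.115.0 255.255.255.0
!
! BROKEN: 'tunnelall' ignores any network list and sends ALL client traffic up the
! VPN, so web browsing at the remote site only works if the ASA hairpins it back out.
group-policy GroupPolicy_ANYCONNECT-PROFILE attributes
 split-tunnel-policy tunnelall
!
! FIXED: tunnel only what the list says, and reference the right list.
group-policy GroupPolicy_ANYCONNECT-PROFILE attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
!
! The policy is applied at logon, so an already-connected client keeps the old one.
! Kick the session and reconnect, then re-check the client's routing table.
vpn-sessiondb logoff name pete
```

If ‘Inherit’ is left ticked in ASDM, the value comes from DfltGrpPolicy, whose default is tunnelall, which is the usual reason a policy that looks right in the CLI output still tunnels everything.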
Related Articles, References, Credits, or External Links
Changing a user’s UPN suffix is easy (as long as it’s been added – see below). There is some confusion about the User Logon Name though.
A few weeks ago I had a client that needed this done (for an Office 365 migration). But they had the added problem that some of their User Logon Names had spaces in them; they were in first-name{space}last-name format.
What would happen if I changed their user logon names? Would they have to use a different logon name? Would their profile break? Or worse still, would they all lose their roaming profiles?
Solution
Adding A New UPN Suffix
Before you can add a new UPN suffix you need to make it available in the domain. Administrative Tools > Active Directory Domains and Trusts > Right Click ‘Active Directory Domains and Trusts’ > Properties > Add the new Suffix >Apply > OK.
From this point forward you can add that as a new suffix for any/all users.
The Effect of Changing a User Logon Name
Using the same user as above, I’ve changed the ‘User Logon Name’, and added the new UPN Suffix to test.
How Does Changing a User Logon Name Affect Profile and Home Drive Paths?
Put simply, it does not! To prove it I did some testing. The profile and home drive paths of this user are set on the ‘Profile’ tab of their user object.
They remain the same after the User Logon Name changes. When these users were set up, the profile paths and home drive paths were all set en masse, by selecting multiple users and setting the path to \\server-name\folder-name\%username%; that fills in all the ‘usernames’ with the sAMAccountName, and that has not changed.
Does the User Have to Change their Logon Name?
Confusingly, users don’t usually log on with their User Logon Name (though they can if they want to). All the way back to NT4 we have logged on with the DOMAIN-NAME\USER-NAME format, which uses the sAMAccountName, NOT the User Logon Name. If you look at the very first picture at the top of the page you can see it below the UPN; it’s called the User logon name (pre-Windows 2000). You may not even have noticed, but on Windows 10 they put this right in your face on the logon screen.
What’s the Point of a UPN Then?
You can actually authenticate, and log on with your UPN, (see below)
This logs on as the user in the example above with the correct profile, group membership etc., though it’s not common practice to log on with a UPN. Microsoft now have a very BAD HABIT of telling users (and putting in their documentation) to ‘Log on with your Email Address‘. This is wrong: you are actually logging on with your UPN, and Microsoft are making the assumption that your email and UPN are the same. This is why blogs and forums are full of scripts to change your UPN so that it matches your email address. They assume (usually quite rightly) that if you tell users to log on with their UPN they will be confused and not know what that is. So rather than address this problem, they tell users to log on with their email addresses. That’s the real reason we are talking about changing UPNs, and probably why you’re here in the first place.
Some Users Don’t Have UPN’s?
This is normal, don’t panic; a user does not have to have a UPN. If you are seeing blank entries, that user was probably migrated into your AD via a script or tool, or simply was migrated from an older version of AD as part of a domain upgrade.
So Nothing Broke?
No, the local cached copy of the profile is still named the same as the sAMAccountName;
And the roaming profile and home drive also stayed the same;
WARNING: Just so I don’t do the same thing Microsoft did and ‘Make an Assumption’. Where changing the User Logon Names would affect you is if users were already logging into their machines with their UPN, Then they would need to change their login names to the new UPN, (or use the pre-Windows 2000 login name). But I’ve never seen a user logon with a UPN, the only time I’ve ever logged onto something with a UPN, is when I can’t type a back slash to log on as DOMAIN\Username (I use a Mac).
Remove Spaces From User Logon Names
Seriously, who does this? I don’t even like spaces in folder names! Below is a PowerShell script that will search through AD, find users with a space in the middle of their logon name, and replace the logon name with firstname.lastname.
Note: If you have users with spaces in their GivenName or Surname attributes in AD this won’t work, i.e. if AD thinks a user’s first name is Juan Carlos, and the Surname is Rodriquez, then it would change the user logon name to ‘Juan Carlos.Rodriquez’, which is the very problem we are trying to fix! Also the first name and surname fields in AD have to be populated, or you will see red errors.
Change UPN Suffix For All Users Script
In the script below I’ve targeted a specific OU, but you can change the $ou parameter to point at the root of the domain, and do all users at once if you wish. Change the values in red to suit your domain.
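An added example covering both scripts described above (this is my code, not the article’s own scripts): one function rewrites spaced User Logon Names as firstname.lastname, skipping rather than mangling the ‘Juan Carlos’ cases, and the other swaps the UPN suffix for an OU, refusing to run until the new suffix is registered in the forest. The OU path and the suffixes petenetlive.local / petenetlive.com are assumptions; both functions support -WhatIf so you can dry-run them.

```powershell
# Added example (not the article's own scripts): both jobs the article describes,
# as functions that support -WhatIf so you can dry-run them first.
# The OU path and suffixes are assumptions; change them to suit your domain.
Import-Module ActiveDirectory

function Repair-SpacedLogonName {
    # Rewrites User Logon Names (UPN prefixes) containing a space as
    # givenname.surname@<suffix>. Users with a blank GivenName/Surname, or a
    # space inside either attribute, are reported and SKIPPED: they would just
    # get a different spaced name back, which is the problem we're fixing.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SearchBase,
        [Parameter(Mandatory)][string]$UpnSuffix
    )
    $users = Get-ADUser -SearchBase $SearchBase -LDAPFilter '(userPrincipalName=* *)' `
                        -Properties GivenName, Surname, UserPrincipalName
    foreach ($u in $users) {
        if ([string]::IsNullOrWhiteSpace($u.GivenName) -or
            [string]::IsNullOrWhiteSpace($u.Surname) -or
            $u.GivenName -match '\s' -or $u.Surname -match '\s') {
            Write-Warning "Skipping $($u.SamAccountName): GivenName/Surname missing or contains a space"
            continue
        }
        $newUpn = ('{0}.{1}@{2}' -f $u.GivenName, $u.Surname, $UpnSuffix).ToLower()
        if ($PSCmdlet.ShouldProcess($u.DistinguishedName, "UPN '$($u.UserPrincipalName)' -> '$newUpn'")) {
            Set-ADUser -Identity $u -UserPrincipalName $newUpn
        }
    }
}

function Set-UpnSuffixForOu {
    # Swaps the UPN suffix for every user under an OU (pass the domain DN to do
    # everyone). Refuses to run if the new suffix isn't registered in the forest
    # (AD Domains and Trusts). sAMAccountName is never touched, so DOMAIN\user
    # logons, profile paths and home drives are unaffected.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SearchBase,
        [Parameter(Mandatory)][string]$OldSuffix,
        [Parameter(Mandatory)][string]$NewSuffix
    )
    $forest = Get-ADForest
    $validSuffixes = @($forest.UPNSuffixes) + @($forest.Domains)
    if ($validSuffixes -notcontains $NewSuffix) {
        throw "UPN suffix '$NewSuffix' is not registered in the forest; add it in AD Domains and Trusts first."
    }
    $users = Get-ADUser -SearchBase $SearchBase -LDAPFilter "(userPrincipalName=*@$OldSuffix)"
    foreach ($u in $users) {
        $prefix = $u.UserPrincipalName.Split('@')[0]
        $newUpn = "$prefix@$NewSuffix"
        if ($PSCmdlet.ShouldProcess($u.DistinguishedName, "UPN '$($u.UserPrincipalName)' -> '$newUpn'")) {
            Set-ADUser -Identity $u -UserPrincipalName $newUpn
        }
    }
}

# Dry run first (nothing is changed); drop -WhatIf once the output looks right.
$ou = 'OU=Staff,DC=petenetlive,DC=com'    # assumed OU
Repair-SpacedLogonName -SearchBase $ou -UpnSuffix 'petenetlive.com' -WhatIf
Set-UpnSuffixForOu     -SearchBase $ou -OldSuffix 'petenetlive.local' -NewSuffix 'petenetlive.com' -WhatIf
```

Run the spaces fix before the suffix change, because the suffix function only matches on what follows the @ and will happily carry a spaced prefix across. Users skipped with a warning need their GivenName or Surname tidied by hand first.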
Activation occurs over TCP 80 and 443, so usually this will not trip you up. However if you are on a site with a very restrictive firewall config, then you might want to add the following.
Solution
I’ll break with the norm, and just post the config in its entirety, (just remove the comments in red.)
[box]
!The Firewall needs a domain name of its own.
!
domain-name petenetlive.com
!
!Setup DNS Lookups so the firewall can resolve the FQDNs we are going to use.
!
dns domain-lookup outside
dns server-group DefaultDNS
name-server 8.8.8.8
name-server 8.8.4.4
!
!Create objects for each of the activation FQDN's.
!
object network Obj-go.microsoft.com
fqdn go.microsoft.com
object network Obj-wpa.one.microsoft.com
fqdn wpa.one.microsoft.com
object network Obj-crl.microsoft.com
fqdn crl.microsoft.com
object network Obj-wwwtk2test1.microsoft.com
fqdn wwwtk2test1.microsoft.com
object network Obj-wwwtk2test2.microsoft.com
fqdn wwwtk2test2.microsoft.com
object network Obj-db3.sls.microsoft.com
fqdn db3.sls.microsoft.com
!
!Create objects for each of the activation subnets.
!
object network Obj-MS-Activation-Subnet-1
subnet 64.4.0.0 255.255.192.0
object network Obj-MS-Activation-Subnet-2
subnet 65.52.0.0 255.252.0.0
!
!Create an object group that holds all the objects.
!
object-group network Obj-GP-MS-Activation
network-object object Obj-go.microsoft.com
network-object object Obj-wpa.one.microsoft.com
network-object object Obj-crl.microsoft.com
network-object object Obj-wwwtk2test1.microsoft.com
network-object object Obj-wwwtk2test2.microsoft.com
network-object object Obj-db3.sls.microsoft.com
network-object object Obj-MS-Activation-Subnet-1
network-object object Obj-MS-Activation-Subnet-2
!
!Create a service object for the activation ports.
!
object-group service Obj-SVC-MS-Activation tcp
port-object eq www
port-object eq https
!
!Allow the traffic Out (SEE THE WARNING BELOW!)
!
access-list outbound extended permit tcp any object-group Obj-GP-MS-Activation object-group Obj-SVC-MS-Activation
[/box]
Warning: Before executing the access-list command, make sure the ACL name matches your existing ACL (the one applied to your inside interface). In the example above I’ve used outbound; see the following article for clarification.
The VPN connection failed due to unsuccessful domain name resolution.
Solution
Firstly, (and obviously) the name you are typing in the AnyConnect window can be resolved can’t it? If not then you might want to consider some employment that does not involve computers.
Secondly (this is what usually trips me up) did you copy and paste the name? If so is there a space on the end?
This name may also be incorrect in the profile.xml that’s associated with this VPN, to check, the location of that file is covered in this article.
Also check that the VPN device, does not need to be connected to on a different port, as per this article.
Related Articles, References, Credits, or External Links
Moving a machine onto a Windows domain is a simple task; I’ve done this for a lot of clients. The main complaint (post migration) is that something is missing. This is because your-account-name on your PC or laptop, and your-account-name in the domain, are TWO DIFFERENT ACCOUNTS (even if they have the same name).
Microsoft have produced some tools to help you, but I challenge you to start reading the USMT documentation for more than 15 minutes without losing the will to live.
Below is a list of things people have complained to me about losing post migration;
Desktop wallpaper.
Files & Folders from the desktop.
My Documents.
Internet Favorites.
My Pictures.
Outlook Signatures.
Outlook Mail Accounts.
Word Custom Dictionaries.
Word AutoComplete settings.
MS Access Macro settings.
So I setup a test Windows 10 machine, with all of the above setup, and used two tools to migrate my local profile into my domain profile.
Solution
Test 1 ForensIT User Profile Wizard
The software is free (there are paid-for versions) but I plumped for the free one. You don’t have to install anything as it runs from an executable (which is a bonus if you have a lot to do). It’s VERY fast, and simple to use.
I’ve joined my target machine to the new domain and logged on once as the domain user and created a blank profile, then logged back on as the domain admin to carry out the following.
Launch the software > Next > Select the profile you want to copy from.
Select your domain name > Enter the logon name for the ‘DOMAIN USER’ you want to copy the profile to > Next > Next.
Verdict: Of the two, this one’s quicker, more intuitive, and free.
Test 2 USMT GUI 10
This is a graphical wrapper that sits on-top of the Microsoft USMT tools, I donated $10.00 for the cheapest version, and repeated the tests above.
First you have to take a backup of the local profile(s).
I’m just choosing one (Pete) > RUN > My profile was 177Mb and it took about 5 minutes.
Now restore the profile back to your domain profile; as you can see that’s a little more complicated, but not that difficult > RUN.
At this point it ran through and gave me an error, even though it did migrate the profile successfully.
Verdict: Well it does the job, it’s probably a lot more versatile than the first tool, but nowhere near as intuitive, and it costs $10. I know that’s cheap, and the dev deserves to be paid for their hard work, but I prefer the free one.
Related Articles, References, Credits, or External Links
I’ve written at length about setting up failover firewall configurations. But what if you already have a working pair, and you need to remove one? There are plenty of reasons to do this, i.e. another site needs a firewall in a hurry, you’re replacing failover firewalls with a single firewall, or you just need to do some testing and don’t have a spare.
Solution
It goes without saying, before doing anything, take a backup of the firewall. I used to do this with TFTP, but now I simply run ‘more system:running-config‘ and my console software logs all the output. (I use the awesome Royal TSX software, though PuTTY will do the same).
Make sure you know which is the primary firewall, and which is the secondary firewall, and which is active and which is passive.
[box]
Petes-ASA(config)# show failover
Failover On
Failover unit Primary
Failover LAN Interface: failover GigabitEthernet0/3
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 160 maximum
failover replication http
Version: Ours 9.1(4), Mate 9.1(4)
Last Failover at: 15:57:12 GMT/BDT Jul 2 2016
This host: Primary - Active
Active time: 5768814 (sec)
slot 0: ASA5520 hw/sw rev (2.0/9.1(4)) status (Up Sys)
Interface outside (123.123.123.123): Normal (Waiting)
Interface inside (192.168.1.10): Normal (Waiting)
slot 1: empty
Other host: Secondary - Standby Ready
Active time: 2755983 (sec)
slot 0: ASA5520 hw/sw rev (2.0/9.1(4)) status (UP SYS)
Interface outside (123.123.123.123): Normal (Monitored)
Interface inside (192.168.1.10): Normal (Monitored)
slot 1: empty
[/box]
So from the above, I’m going to keep the ‘Primary – Active’ unit and power off the other (‘Secondary – Standby Ready’) firewall. If there was a drama I could connect that back in, and get comms back up again quickly.
Now stop the remaining ‘primary active’ firewall from attempting to be part of a failover pair.
[box]
Petes-ASA(config)# no failover
[/box]
Thankfully we can get rid of ‘nearly’ all the failover configuration with the following command;
[box]
Petes-ASA(config)# clear configure failover
[/box]
Which is brilliant, as it removes the whole failover section and reverts the stateful and failover link interfaces back to default. What it does not do, though, is remove the standby IP addresses from your interfaces; you will need to do that manually.
[box]
-----Config Removed For the Sake of Brevity-----
!
interface GigabitEthernet0/0
description WAN Interface
nameif outside
security-level 0
ip address 123.123.123.123 255.255.255.240 standby 123.123.123.124
!
interface GigabitEthernet0/1
description LAN Interface
nameif inside
security-level 100
ip address 192.168.1.10 255.255.255.0 standby 192.168.1.11
!
interface GigabitEthernet0/2
speed 1000
duplex full
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
no nameif
no security-level
no ip address
!
interface Management0/0
description MGMT Interface
shutdown
no nameif
security-level 100
no ip address
!
-----Config Removed For the Sake of Brevity-----
So to Remove the Standby IP's
Petes-ASA(config)# interface GigabitEthernet0/0
Petes-ASA(config-if)# ip address 123.123.123.123 255.255.255.240
Petes-ASA(config-if)# interface GigabitEthernet0/1
Petes-ASA(config-if)# ip address 192.168.1.10 255.255.255.0
[/box]
Don’t forget to save the changes with a ‘write mem‘ command when you are happy.
Related Articles, References, Credits, or External Links
Note: May also be asked as, Client VPN connects but cannot ping anything behind the Firewall.
KB ID 0000199
Problem
If I had a pound for every time I’ve seen this either in the wild, or asked in a forum, I would be minted! In nearly every case the problem is NAT related.
In most cases, if the person launching the VPN client is behind a device that is performing NAT (home router, access point, firewall, etc.), that device rewrites the packets, and plain ESP (which has no port numbers) does not survive that; NAT traversal wraps the ESP in UDP 4500 so that it does. The other common cause is on the ASA itself: a missing or wrong NO NAT statement, or “nat 0” on pre 8.3 firewalls (that’s the command that says “DON’T change the address of my remote VPN client’s traffic as it passes up and down the VPN tunnel”).
Update 08/09/16: Due to a bug, I found an exception to this problem being broken NAT (see below)
Solution
Enable nat-traversal, this is a global configuration setting and will not affect any other site to site, or client to gateway VPN’s you are currently running.
Then go to enable mode > Configure Terminal mode > and issue a “crypto isakmp nat-traversal 20” command >Then save the change with a “write mem” command.
[box]
User Access Verification
Password:
Type help or '?' for a list of available commands.
Petes-ASA> enable
Password: ********
Petes-ASA# configure terminal
Petes-ASA(config)# crypto isakmp nat-traversal 20
Petes-ASA(config)# write mem
Building configuration...
Cryptochecksum: 79745c0a 509726e5 b2c66028 021fdc7d
7424 bytes copied in 1.710 secs (7424 bytes/sec)
[OK]
Petes-ASA(config)#
[/box]
If you can find this in the ASDM post version 7 – You are better than me!
Navigate to > Configuration > Remote Access VPN > Advanced > IKE Parameters > Tick “Enable IPSec over NAT-T” option > Set the “NAT Keepalive” to 20 seconds > Apply > File > Save running configuration to flash.
I’ve done that and it’s still not working?
On a Firewall Running 8.3 (or Newer)
1. On the firewall issue a “show run nat” command > Make sure there is a NAT statement that has static (the network behind the ASA) to static (the remote VPN network). I’ve highlighted it below.
[box]
User Access Verification
Password:
Type help or '?' for a list of available commands.
Petes-ASA>enable
Password: ********
Petes-ASA# show run nat
nat (inside,any) source static obj-10.254.254.0 obj-10.254.254.0 destination static obj-10.253.253.0 obj-10.253.253.0 route-lookup
!
object network obj_any
nat (inside,outside) dynamic interface
object network Media_PC
nat (inside,outside) static interface service tcp 123 123
!
nat (outside,outside) after-auto source dynamic VPN_Pool interface
Petes-ASA#
[/box]
2. Make sure the objects in that statement (here obj-10.254.254.0 for the LAN and obj-10.253.253.0 for the VPN pool) contain the correct networks; a “show run object id {name}” command will confirm each one.
On a Firewall Running 8.2 (or Older)
1. On the firewall issue a “show run nat 0” command > take note of the access-list name.
[box]
User Access Verification
Password:
Type help or '?' for a list of available commands.
Petes-ASA> enable
Password: ********
Petes-ASA# show run nat 0
nat (inside) 0 access-list NO-NAT-TRAFFIC
nat (inside) 1 0.0.0.0 0.0.0.0
[/box]
In this example mine’s called NO-NAT-TRAFFIC (because I like to keep things simple); yours can be called anything (inside_nat0_outbound is the norm if you used the ASDM to set up the VPN).
Now make sure that you have the correct addresses in that access-list, issue a show run access-list {name} command.
[box]
Petes-ASA#show run access-list NO-NAT-TRAFFIC
access-list NO-NAT-TRAFFIC extended permit ip 10.254.254.0 255.255.255.0 10.253.253.0 255.255.255.0
access-list NO-NAT-TRAFFIC extended permit ip 10.254.254.0 255.255.255.0 10.252.252.0 255.255.255.0
Petes-ASA#
[/box]
Above we have two subnets that are going to be exempt from NAT: 10.253.253.0/24 and 10.252.252.0/24. If the range of IP addresses your remote clients are using is NOT on this list, you need to add it.
If you don’t know what addresses they are supposed to be using, then issue a “show run ip local pool” command.
[box]
Petes-ASA#show run ip local pool
ip local pool IPSEC-VPN-DHCP-POOL 10.253.253.1-10.253.253.5
ip local pool SSL-VPN-DHCP-POOL 10.252.252.1-10.252.252.5
Petes-ASA#
[/box]
Again I’ve got a sensible naming policy – so we can see what my pools are for, to see what pools are being used for what, issue a “show run tunnel-group” command.
[box]
Petes-ASA# show run tunnel-group
tunnel-group IPSEC-VPN-GROUP type remote-access <<< Here's my IPSEC VPN's
tunnel-group IPSEC-VPN-GROUP general-attributes
address-pool IPSEC-VPN-DHCP-POOL <<< And here's my matching DHCP scope (IPSEC)
authentication-server-group PNL-KERBEROS
default-group-policy IPSEC-VPN-POLICY
tunnel-group IPSEC-VPN-GROUP ipsec-attributes
pre-shared-key *****
tunnel-group SSL-VPN-POLICY type remote-access <<< Here's my SSL VPN's
tunnel-group SSL-VPN-POLICY general-attributes
address-pool SSL-VPN-DHCP-POOL <<< And here's my matching DHCP scope (SSL)
authentication-server-group PNL-KERBEROS
default-group-policy SSL-VPN-GROUP-POLICY
tunnel-group SSL-VPN-POLICY webvpn-attributes
group-alias PNL enable
Petes-ASA#
[/box]
If any of yours are missing then change accordingly.
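On an 8.3 (or newer) firewall you can prove whether the no-NAT rule is actually being hit rather than reading the config and hoping. This is an added example, not from the article: it shows the rule from the output above with the two objects it depends on, then uses packet-tracer to simulate an inside host talking to a connected client. The host addresses 10.254.254.10 and 10.253.253.1 are assumptions chosen inside the article’s subnets.

```text
! Added example (not the article's own config). Object names follow the article's
! output; the two host addresses in packet-tracer are assumptions.
!
! The rule the article highlights, with the objects it relies on. The pool object
! must cover the WHOLE 'ip local pool' range: a client handed an address outside
! it falls through to 'nat (inside,outside) dynamic interface' and its traffic
! never comes back through the tunnel.
object network obj-10.254.254.0
 subnet 10.254.254.0 255.255.255.0
object network obj-10.253.253.0
 subnet 10.253.253.0 255.255.255.0
nat (inside,any) source static obj-10.254.254.0 obj-10.254.254.0 destination static obj-10.253.253.0 obj-10.253.253.0 route-lookup
!
! Simulate an inside host pinging a connected VPN client. In the output the NAT
! phase should quote this 'source static' rule (manual NAT, section 1, which is
! evaluated before object NAT), and the final line should be 'Action: allow'.
packet-tracer input inside icmp 10.254.254.10 8 0 10.253.253.1 detailed
!
! If the NAT phase quotes 'nat (inside,outside) dynamic interface' instead, the
! exemption did not match: re-check the subnet/pool objects for a typo, then
! compare per-rule hit counts.
show nat
```

The same check is worth repeating for the SSL pool (10.252.252.0/24 in the outputs above); each pool needs its own matching object in a no-NAT rule, and a rule that mentions only one of them is the usual reason IPsec clients work while AnyConnect clients do not, or vice versa.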
BUG (08/09/16)
Had this problem again recently, and after staying on the phone to TAC until 03:00, it turned out to be a bug in the SFR (FirePOWER service module) code. That was causing the firewall to silently drop the AnyConnect traffic. So debugs showed nothing, and packet captures were empty. Fixed by removing ‘sfr fail-open’ from the firewall and upgrading the code by re-imaging the SFR module.
Related Articles, References, Credits, or External Links