Note: May also be asked as, Client VPN connects but cannot ping anything behind the Firewall.
KB ID 0000199
Problem
If I had a pound for every time I’ve seen this either in the wild, or asked in a forum, I would be minted! In nearly every case the problem is NAT related.
In most cases, If the person launching the VPN client is behind a device that is performing NAT, (Home Router, Access Point, Firewall, etc) then the device will BREAK the NO NAT, or “nat 0” on pre 8.3 firewalls. (that’s the command that says “DONT change the address of my remote VPN client as it passes up and down the VPN tunnel).
Update 08/09/16: Due to a bug, I found an exception to this problem being broken NAT (see below)
Solution
Enable nat-traversal, this is a global configuration setting and will not affect any other site to site, or client to gateway VPN’s you are currently running.
Option 1 Connect to the ASA Via Command Line.
Then go to enable mode > Configure Terminal mode > and issue a “crypto isakmp nat-traversal 20” command >Then save the change with a “write mem” command.
[box]
User Access Verification Password: Type help or '?' for a list of available commands. Petes-ASA> enable Password: ******** Petes-ASA# configure terminal Petes-ASA(config)# crypto isakmp nat-traversal 20 Petes-ASA# write mem Building configuration... Cryptochecksum: 79745c0a 509726e5 b2c66028 021fdc7d 7424 bytes copied in 1.710 secs (7424 bytes/sec) [OK] Petes-ASA#
[/box]
Option 2 Connect to the ASA Via ASDM – Version used here is 6.2.(5)
If you can find this in the ASDM post version 7 – You are better than me!
Navigate to > Configuration > Remote Access VPN > Advanced > IKE Parameters > Tick “Enable IPSec over NAT-T” option > Set the “NAT Keepalive” to 20 seconds > Apply > File > Save running configuration to flash.
I’ve done that and its still not working?
On a Firewall Running 8.3 (or Newer)
1. On the firewall issue a “show run nat” command > Make sure there is a NAT statement that has static (the network behind the ASA) to static (the remote VPN network). I’ve highlighted it below.
[box]
User Access Verification Password: Type help or '?' for a list of available commands. Petes-ASA>enable Password: ******** Petes-ASA# show run nat nat (inside,any) source static obj-10.254.254.0 obj-10.254.254.0 destination static obj-10.253.253.0 obj-10.253.253.0 route-lookup ! object network obj_any nat (inside,outside) dynamic interface object network Media_PC nat (inside,outside) static interface service tcp 123 123 ! nat (outside,outside) after-auto source dynamic VPN_Pool interface PetesASA#
[/box]
2. Make sure the correct network(s) are in the correct groups.
[box]
PetesASA# show run object object network obj-10.254.254.0 subnet 10.254.254.0 255.255.255.0 <- Subnet behind the ASA object network obj-10.253.253.0 <- Remote VPN Subnet subnet 10.253.253.0 255.255.255.0 object network obj_any subnet 0.0.0.0 0.0.0.0 object network Media_PC host 10.254.254.5 PetesASA#
[/box]
3. Also make sure you don’t have any legacy nat rules breaking things.
On a Firewall Older than Version 8.3
On the firewall issue a “show run nat 0” command > take note of the access-list name.
[box]
User Access Verification Password: Type help or '?' for a list of available commands. Petes-ASA> enable Password: ******** Petes-ASA# show run nat 0 nat (inside) 0 access-list NO-NAT-TRAFFIC nat (inside) 1 0.0.0.0 0.0.0.0
[/box]
In this example mines called NO-NAT-TRAFFIC (cause I like to keep things simple) yours can be called anything (inside_nat0_outbound is the norm if you used the ASDM to set up the VPN).
Now make sure that you have the correct addresses in that access-list, issue a show run access-list {name} command.
[box]
Petes-ASA#show run access-list NO-NAT-TRAFFIC
access-list NO-NAT-TRAFFIC extended permit ip 10.254.254.0 255.255.255.0 10.253.253.0 255.255.255.0
access-list NO-NAT-TRAFFIC extended permit ip 10.254.254.0 255.255.255.0 10.252.252.0 255.255.255.0
Petes-ASA#
[/box]
Above we have two subnets that are going to be exempt from NAT, they are 10.253.253.0/24 and 10.252.252.0/24, if the range of IP addresses your remote clients are using is NOT on this list you need to add them.
If you don’t know what addresses they are supposed to be using, then issue a “show run ip local pool” command.
[box]
Petes-ASA#show run ip local pool
ip local pool IPSEC-VPN-DHCP-POOL 10.253.253.1-10.253.253.5
ip local pool SSL-VPN-DHCP-POOL 10.252.252.1-10.252.252.5
Petes-ASA#
[/box]
Again I’ve got a sensible naming policy – so we can see what my pools are for, to see what pools are being used for what, issue a “show run tunnel-group” command.
[box]
Petes-ASA# show run tunnel-group tunnel-group IPSEC-VPN-GROUP type remote-access <<< Here's my IPSEC VPN's tunnel-group IPSEC-VPN-GROUP general-attributes address-pool IPSEC-VPN-DHCP-POOL <<< And here's my matching DHCP scope (IPSEC) authentication-server-group PNL-KERBEROS default-group-policy IPSEC-VPN-POLICY tunnel-group IPSEC-VPN-GROUP ipsec-attributes pre-shared-key ***** tunnel-group SSL-VPN-POLICY type remote-access <<< Here's my SSL VPN's tunnel-group SSL-VPN-POLICY general-attributes address-pool SSL-VPN-DHCP-POOL <<< And here's my matching DHCP scope (SSL) authentication-server-group PNL-KERBEROS default-group-policy SSL-VPN-GROUP-POLICY tunnel-group SSL-VPN-POLICY webvpn-attributes group-alias PNL enable Petes-ASA#
[/box]
If any of yours are missing then change accordingly.
BUG (08/09/16)
Had this problem again recently, and after staying on the phone to TAC until 03:00, it turned out to be a bug in the SFR (FirePOWER service module) code. That was causing the firewall to silently drop the AnyConnect traffic. So debugs showed nothing, and packet captures were empty. Fixed by removing ‘sfr fail-open’ from the firewall and upgrading the code by re-imaging the SFR module.
Related Articles, References, Credits, or External Links
NA