I stepped on this issue a few weeks ago while implementing a new ASA firewall solution; it was the first time I had worked with software newer than version 8.4.2.
It seems that all those stories about changes in the NAT logic after that version were true. This is what I found out about ASA packet processing.
The configuration was really straightforward and everything worked fine except for one thing. When connected remotely using Cisco AnyConnect I was able to access all devices inside the network (behind the ASA firewall), but not the ASA itself. I wasn’t able to connect with either SSH or ASDM.
I had, of course, configured management access on the inside interface:
management-access inside
And also the configuration that enables traffic forwarding between interfaces with the same security level (here, in and out of the same interface):
same-security-traffic permit intra-interface
What I didn’t know was that the traffic forwarding and egress interface selection process had changed in the ASA after version 8.3.1 and then once more in 8.4.2.
My identity NAT rule, which basically tells the ASA to translate the VPN pool addresses to themselves when traffic goes back into the VPN tunnel, was configured like this:
nat (inside,outside) source static LAN LAN destination static VPN_POOL VPN_POOL
The issue with this configuration is that Cisco changed how the ASA determines the egress interface of a packet. It is not always found using a routing table lookup, as you might think; in some particular cases the ASA uses the NAT rule instead.
In routed mode with interfaces explicitly specified in the NAT rule, on 8.4.2 or higher, if you configure identity NAT for VPN access the default behavior is for the ASA to use the NAT configuration to determine the egress interface. You then have the option to explicitly change that and use a route lookup instead. This was the part that I was missing in my config.
On the other hand, if you don’t specify a specific interface and use, let’s say, (inside,any), then the ASA uses a route lookup by default to determine the egress interface.
So in my case the NAT rule overrode my routing table and packets didn’t get through. The solution was to switch back to using a route lookup by adding the route-lookup keyword to the above-mentioned NAT rule:
nat (inside,outside) source static LAN LAN destination static VPN_POOL VPN_POOL no-proxy-arp route-lookup
So, for identity NAT, NAT processing happens before route processing in the ASA. In my case it caused traffic to be forwarded out the outside interface of the firewall because of the NAT rule, and not out the inside interface as stated in the routing table.
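For reference, here is a complete example of the relevant configuration together with the show commands I would use to verify which egress interface the ASA actually picks. This is an added example, not configuration from the original post: the object names LAN and VPN_POOL come from the post, but the subnets (192.168.1.0/24 for LAN, 10.100.0.0/24 for the VPN pool), the inside interface address 192.168.1.1 and the sample client address 10.100.0.10 are constructed values for illustration only.

```text
! Objects referenced by the NAT rule (subnets are constructed sample values)
object network LAN
 subnet 192.168.1.0 255.255.255.0
object network VPN_POOL
 subnet 10.100.0.0 255.255.255.0

! Allow management of the ASA's inside interface address over the VPN
management-access inside
! Allow decrypted VPN traffic to enter and leave on the same interface
same-security-traffic permit intra-interface

! Identity NAT between the LAN and the VPN pool.
! Without route-lookup the ASA uses the (inside,outside) interface pair
! from this rule to pick the egress interface and ignores the routing table.
nat (inside,outside) source static LAN LAN destination static VPN_POOL VPN_POOL no-proxy-arp route-lookup

! Verification: confirm the rule is installed and is being hit, then trace a
! packet from a VPN client (10.100.0.10) to the inside interface IP
! (assumed 192.168.1.1). The NAT phase and the output-interface line in the
! packet-tracer output should now agree with what "show route" says.
show run nat
show nat detail
show route
packet-tracer input outside tcp 10.100.0.10 40000 192.168.1.1 22 detailed
```

The packet-tracer check is the quickest way to tell the two behaviors apart: before the route-lookup keyword is added, the NAT phase of the trace selects the egress interface from the rule's interface pair; after it is added, the trace shows the egress interface coming from the routing table.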