Nat Exemption Rule? VPN Appliance
-
Hey All,
I'm having issues getting pfSense to route VPN traffic back to the VPN appliance after hitting its intended target.
I recently purchased and installed a Netgate 7100 and hooked it into my 1G fiber. I have a fiber trunk from the Netgate to a Cisco switch. My file server (physical) sits on this switch on VLAN 77. I also have a Cisco ASA behind my Netgate, outside int pointing at LAN on the Netgate, and inside int sits on the Cisco switch, VLAN 77. Everyone can ping just fine, everything works. When I turn on AnyConnect for mobile clients, I was able to hit the authentication payload wall using NAT (port forward). This works and I am able to connect and establish a connection. It's split tunneled, to the 7.x subnet / VLAN.
Mobile Clients (Cisco ASA) pool is 8.x
Netgate LAN is 4.250
VLAN 77 is 7.x
File server: 7.100
ASA: 4.251 (outside), 7.251 (inside)
I have a Netgate firewall rule for VLAN 77 to allow all, essentially (testing purposes): source VLAN 77, dest * any, port (UDP/TCP) any any any, allow.
My issue is, I can't connect to any servers, can't ping my FS, can't RDP. I can ping the ASA inside IP (7.x).
I look at the firewall logs and it's showing 7.100 -> 8.1 (my cell phone) drop (3389)-> (some random port) Reason: default drop rule (0x103)
I thought maybe the pfSense doesn't know where 8.x is because it's not an official VLAN, it's a DHCP pool on the ASA.
So I created a new gateway (probably wrong here), IP 7.251 (ASA), then created a static route saying 8.0/24 traffic goes to ASA 7.251 as your gateway (essentially passing the traffic from my server to my ASA, not the Netgate).
But this didn't work either. Any ideas? Did I miss a step? Thanks for any help or suggestions.
-
@dimitri21
So the ASA 7.251 IP is the default gateway on the file server and pfSense LAN 4.250 is the gw on the ASA as I got it, right?
"I look at the firewall logs and it's showing 7.100 -> 8.1 (my cell phone) drop (3389)-> (some random port) Reason: default drop rule (0x103)"
Check the packet flags in the log. I suspect that they are out of state.
-
@viragomann
The pfSense Netgate is the gateway for the file server. The only gateway the ASA should handle is the VPN pool; everything else the Netgate should cover.
-
@dimitri21
So the traffic between the VPN clients (who are connected to the ASA) and the fileserver should never pass pfSense, since the ASA has an interface in vlan77 as well as the server.
However, presumably the server is missing the route to the VPN clients and hence response traffic is sent to the default gateway, which is pfSense.
So either add a static route for the VPN client subnet to the server, or remove the ASA from the server's VLAN and put it into a transit network and set proper static routes between it and pfSense.
-
@viragomann "So the traffic between the VPN clients (who are connected to the ASA) and the fileserver should never pass pfSense, since the ASA has an interface in vlan77 as well as the server."
- Absolutely correct! Same Cisco switch, same VLAN; only when it leaves the ASA to go outside does it pass through pfSense under an SSL tunnel.
"However, presumably the server is missing the route to the vpn clients and hence respond traffic is sent to the default gateway, which is pfSense."
- I get what you're saying. My hope was pfSense could route any traffic going to the VPN subnet through the IP of the ASA inside interface.
"So either add a static route for the vpn client subnet to the server or remove the ASA from the servers vlan and put it into a transit network and set proper static routes between it and pfSense."
- Sad news is it's not JUST a file server. I might be able to add a route on a Windows server, but I have other devices I need access to that don't have those kinds of options to add routes. Camera portal front, for example.
- put the ASA inside interface into vlan 9 for example (which I create with the Netgate, and add to my trunk on the switch)
- set firewall rules (allow vlan 7 -> 9, vlan 9 -> 7).
- set static routes (add gateway 9.251 (ASA), add route: dest net 8.0/24, GW: 9.251)
- update NAT with new IP address to point to ASA 9.251 so port forwarding works.
- update Cisco ASA (add vlan, set sec level, move inside to its new home on the 9 network)
Am I missing anything? Thanks for the help! I haven't touched pfSense in quite some time.
-
@dimitri21 said in Nat Exemption Rule? VPN Appliance:
"put the ASA inside interface into vlan 9 for example (which I create with the Netgate, and add to my trunk on the switch)"
So the ASA has no interface in vlan7 anymore?
Then now you have to add a static route to the ASA for vlan7 pointing to the pfSense vlan9 IP.
Also ensure that you have a firewall rule on vlan9 to allow the incoming traffic to vlan7.
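The two layouts discussed in this thread (ASA inside and file server sharing vlan77 with pfSense as the server's default gateway, versus the ASA moved into a transit vlan 9 with static routes on both pfSense and the ASA) can be checked on paper with a small forwarding model. The following is an added example, not code from the thread or from Netgate/Cisco: each node does a longest-prefix-match lookup, and pfSense is modelled as a stateful firewall that only passes a reply for a flow whose request it forwarded itself, which is what the "default drop rule" log line reflects. All addresses are constructed stand-ins for the thread's shorthand (7.x becomes 10.0.7.0/24 and so on); the ASA's pool-side address 10.0.8.254 and pfSense's .1 vlan addresses are assumptions. It does not model the per-interface firewall rules the last reply mentions, only routing and state.

```python
"""Forwarding model of the thread's two layouts (added example, constructed addressing)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Constructed stand-ins for the thread's shorthand; host parts follow the thread,
# the ASA pool-side address and pfSense's .1 vlan addresses are assumed.
VPN_CLIENT = "10.0.8.1"     # "8.1", the phone on the AnyConnect pool
FILE_SERVER = "10.0.7.100"  # "7.100"
ASA_POOL = "10.0.8.254"     # assumed: ASA as the pool's next hop
ASA_VLAN77 = "10.0.7.251"   # "7.251", flat layout
ASA_VLAN9 = "10.0.9.251"    # "9.251", transit layout
PF_VLAN77 = "10.0.7.1"      # assumed pfSense vlan77 address
PF_VLAN9 = "10.0.9.1"       # assumed pfSense vlan9 address
PF_LAN = "10.0.4.250"       # "4.250"


@dataclass
class Node:
    name: str
    addresses: set                  # IPs this node owns
    routes: list                    # (prefix, next-hop IP or None for on-link)
    stateful: bool = False          # pfSense: a reply needs a matching state
    state: set = field(default_factory=set)

    def next_hop(self, dst: str) -> Optional[str]:
        """Longest-prefix match; on-link routes deliver straight to dst, None = no route."""
        target = ipaddress.ip_address(dst)
        best = None
        for prefix, via in self.routes:
            net = ipaddress.ip_network(prefix)
            if target in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, via)
        if best is None:
            return None
        return dst if best[1] is None else best[1]


def trace(nodes, src, dst, is_reply=False, max_hops=8):
    """Forward one packet hop by hop; returns node names crossed plus the outcome."""
    by_ip = {ip: n for n in nodes for ip in n.addresses}
    node, path = by_ip[src], [by_ip[src].name]
    for _ in range(max_hops):
        if dst in node.addresses:
            return path + ["DELIVERED"]
        if node.stateful:
            flow = frozenset((src, dst))
            if is_reply and flow not in node.state:   # never saw the request
                return path + ["DROPPED:no state (default drop rule)"]
            node.state.add(flow)
        via = node.next_hop(dst)
        if via is None or via not in by_ip:
            return path + ["DROPPED:no route"]
        node = by_ip[via]
        path.append(node.name)
    return path + ["DROPPED:hop limit"]


def exchange(nodes, client=VPN_CLIENT, server=FILE_SERVER):
    """Client request to the server, then the server's reply, over fresh nodes."""
    return trace(nodes, client, server), trace(nodes, server, client, is_reply=True)


def build_flat(server_has_vpn_route=False):
    """As posted: ASA inside and server share vlan77, pfSense is the server's gateway.
    Optionally add the static route for the VPN pool on the server itself."""
    server_routes = [("10.0.7.0/24", None), ("0.0.0.0/0", PF_VLAN77)]
    if server_has_vpn_route:
        server_routes.insert(0, ("10.0.8.0/24", ASA_VLAN77))
    return [
        Node("vpn-client", {VPN_CLIENT}, [("0.0.0.0/0", ASA_POOL)]),
        Node("asa", {ASA_POOL, ASA_VLAN77},
             [("10.0.8.0/24", None), ("10.0.7.0/24", None), ("0.0.0.0/0", PF_LAN)]),
        Node("pfsense", {PF_VLAN77, PF_LAN}, [("10.0.7.0/24", None)], stateful=True),
        Node("file-server", {FILE_SERVER}, server_routes),
    ]


def build_transit():
    """Transit layout: ASA inside on vlan9, pfSense routes the pool via the ASA,
    the ASA routes vlan77 via pfSense, so both directions cross pfSense."""
    return [
        Node("vpn-client", {VPN_CLIENT}, [("0.0.0.0/0", ASA_POOL)]),
        Node("asa", {ASA_POOL, ASA_VLAN9},
             [("10.0.8.0/24", None), ("10.0.9.0/24", None),
              ("10.0.7.0/24", PF_VLAN9), ("0.0.0.0/0", PF_LAN)]),
        Node("pfsense", {PF_VLAN77, PF_VLAN9, PF_LAN},
             [("10.0.7.0/24", None), ("10.0.9.0/24", None), ("10.0.8.0/24", ASA_VLAN9)],
             stateful=True),
        Node("file-server", {FILE_SERVER}, [("10.0.7.0/24", None), ("0.0.0.0/0", PF_VLAN77)]),
    ]


if __name__ == "__main__":
    for label, nodes in [("flat (as posted)", build_flat()),
                         ("flat + route on server", build_flat(True)),
                         ("transit vlan9", build_transit())]:
        req, rep = exchange(nodes)
        print(f"{label}:\n  request {' -> '.join(req)}\n  reply   {' -> '.join(rep)}")
```

Run as a script it prints the three cases: in the flat layout the request arrives via the ASA but the reply goes to pfSense, which has no state for it and drops it; adding the pool route on the server keeps both directions on the ASA; the transit layout sends both directions through pfSense, so its state table sees the request first and the reply matches. The same check applies to any device that cannot take a static route, which is why the transit design fixes the camera portal as well.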
-
@viragomann thanks again for the reply. Next Tuesday afternoon I'll be able to test it and see if that fixes it. Yes, I'll be removing it from VLAN 7 and creating a VLAN just for the ASA.