topic Dear Amir, in Network Security

Remote network unreachable when using VPN client through ASA

amir.glibic — Tue, 12 Mar 2019 04:51:23 GMT

Hi,

today i ran into a problem, of which I think that it is a ASA problem or bug.

We have a customer who has an ASA 5505 from us. He has only a few clients on the inside network, using address range 192.168.168.0.

He needs also to manage some production analyzing tools in another company, where he builds up a tunnel via Shrewsoft VPN-Client and then connects to the remote host (192.168.0.10/24). A new interface is created by VPN-Client (192.168.46.1) and the routing on the client is set properly:

With the old Zyxel FW this was working without problems. Without firewall (tethering over mobile-phone) it's also working perfectly.

But when the client is connected to ASA, there is a problem:

The remote client, that needs to be managed (192.168.0.10) isn't reachable. There is nothing logged on ASA - because it's passing through the tunnel.

I have no access to the remote FW, but as it is working from every other network except the one behind ASA, i assume that the configuration should be ok there.

Things I've tried until now:

- permit ESP

- enable inspection for pptp and ipsec-pass-thru

- access-list in- & outbound: permit gre any any, permit tcp pptp any any -> even permit IP any any in&out didn't help

- client: deactivate Windows firewall

- client: Wireshark-capture on tunnel-interface -> when pinging the remote client IP, I only get the ARP request and reply, no ICMP is started

- client ARP table has the entry for 192.168.0.10 with MAC bb:bb:bb:bb:bb:00

- ASA has a default route outside and only 192.168.168.0/24 inside. 192.168.0.0/24 is not routed on the ASA.

Later, I also tried the same VPN-profile from our headquarters and detailed logging-server -> same issue, tunnel connection OK, but 192.168.0.10 not reachable. Logging doen't show any permit/deny. Connecting over mobile connection (not going over ASA) -> tunnel ok, ping & RDP ok.

I would be thankful for any kind of solution!

Thanks in advance,

Amir

Hi, Can you pull anykind of

Jouni Forss — Thu, 02 Oct 2014 13:29:16 GMT

Hi,

Can you pull anykind of statistics of the VPN Client software when the VPN connection is active to see if any traffic is encapsulated/encrypted?

Can you list the connections from the client PC on the ASA when the VPN connection is active?

show conn | inc 192.168.168.x

Have you enabled Transparent Tunneling (UDP/4500) on the Client software so that the VPN connection works through a Dynamic PAT translation that the local ASA is probably using for internal hosts connections to the Internet?

- Jouni

Hi Jouni, a big Thanks to you

amir.glibic — Thu, 02 Oct 2014 14:04:03 GMT

Hi Jouni,

a big Thanks to you!

It was the NAT-Traversal setting in the Shrewsoft-Client. As we always use cisco and have a default profile where it is always enabled, I didn't even think of that.

BR
Amir

Dear Amir,

praveen.sena23 — Tue, 17 May 2016 05:06:43 GMT

Dear Amir,

Can you please provide what are the final settings need to be place and why?

Regards

Sena

Hi,

amir.glibic — Tue, 17 May 2016 07:25:53 GMT

Hi,

it was just the checkbox "enable NAT-Traversal" in the Shrewsoft Client Software. No changes on the FW necessary. Cisco VPN-Client/AnyConnect has this setting enabled by default, in Shrewsoft it isn't.

BR,

Amir