topic Re: VPN traffic flow problem in Network Security

VPN traffic flow problem

JohanKardell — Mon, 11 Mar 2019 21:02:44 GMT

I'm having some trouble with getting cisco vpn traffic to flow from a remote site that's using NAT to my home Cisco VPN connection, the connection is established, but I can't do anything with my VPN connection, ping, and reach my home network is not working, the only thing I can reach is Internet, since I'm using Split Tunneling.

I have tried to connect from my iPhone to my home VPN, and that's no problem, I can then reach all resources on my home network.

I have also tried to set up a new VPN connection, on my home ASA, without Split Tunneling, and can then only reach my public ip at my home ASA, that's, only ping it.

The remote site is using a cisco firewall as well, but the problem is that I can't provide or get into that firewall, there should not however be any restrictions for outgoing VPN traffic.

I'm sorry for not being able to provide all information, my question is more If there's is anything in my config that could cause this behavior?

I do however understand that there's most certainly something on the remote network that's stopping me, and I do understand that there's very little information I'm providing, just curious, and wondering If someone can take a quick glance at my config... See if there's anything that's wrong.

I'm not however asking you to solve my problem, this is more a question see If I have configured anything strange / wrong.

Thanks so much!

Here's my config:

: Saved

ASA Version 8.0(3)

hostname UsersASA

domain-name default.domain.invalid

enable password XXXXXXXXXXXXXX encrypted

names

interface Vlan1

nameif inside

security-level 100

ip address 172.16.30.1 255.255.255.0

interface Vlan10

nameif outside

security-level 0

ip address 95.95.95.7 255.255.255.128

interface Ethernet0/0

switchport access vlan 10

interface Ethernet0/1

interface Ethernet0/2

interface Ethernet0/3

interface Ethernet0/4

interface Ethernet0/5

interface Ethernet0/6

interface Ethernet0/7

passwd XXXXXXXXXX encrypted

ftp mode passive

clock timezone CEST 1

clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00

dns server-group DefaultDNS

domain-name default.domain.invalid

object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

access-list nonat extended permit ip 172.16.30.0 255.255.255.0 172.16.30.32 255.255.255.248

access-list MSS_EXCEEDED_ACL extended permit tcp any any

access-list VPN-SPLIT-TUNNEL remark VPN SPLIT TUNNEL

access-list VPN-SPLIT-TUNNEL standard permit 172.16.30.0 255.255.255.0

tcp-map MSS-MAP

exceed-mss allow

pager lines 24

logging enable

logging timestamp

logging buffer-size 8192

logging console notifications

logging buffered notifications

logging asdm notifications

mtu inside 1500

mtu outside 1500

ip local pool VPN 172.16.30.33-172.16.30.38 mask 255.255.255.248

icmp unreachable rate-limit 1 burst-size 1

icmp permit any inside

icmp permit any outside

asdm image disk0:/asdm-625-53.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list nonat

nat (inside) 1 172.16.30.0 255.255.255.0

route outside 0.0.0.0 0.0.0.0 95.95.95.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

http server enable

http 172.16.30.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

no crypto isakmp nat-traversal

telnet timeout 5

ssh 172.16.30.0 255.255.255.0 inside

ssh timeout 5

console timeout 0

dhcpd address 172.16.30.10-172.16.30.30 inside

dhcpd dns 95.95.95.52 95.95.95.67 interface inside

dhcpd lease 432000 interface inside

dhcpd domain HOME interface inside

dhcpd enable inside

threat-detection basic-threat

threat-detection statistics access-list

group-policy VPNHOME internal

group-policy VPNHOME attributes

dns-server value 95.95.95.52 95.95.95.67

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value VPN-SPLIT-TUNNEL

split-dns value 95.95.95.52 95.95.95.67

msie-proxy method no-proxy

username admin password XXXXXXXX encrypted privilege 15

username User password XXXXXXXX encrypted privilege 0

username User attributes

vpn-group-policy VPNHOME

tunnel-group VPNHOME type remote-access

tunnel-group VPNHOME general-attributes

address-pool VPN

default-group-policy VPNHOME

tunnel-group VPNHOME ipsec-attributes

pre-shared-key *

class-map MSS_EXCEEDED_MAP

match access-list MSS_EXCEEDED_ACL

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect ftp

inspect tftp

inspect icmp error

inspect pptp

inspect ipsec-pass-thru

inspect icmp

class MSS_EXCEEDED_MAP

set connection advanced-options MSS-MAP

service-policy global_policy global

privilege cmd level 3 mode exec command perfmon

privilege cmd level 3 mode exec command ping

privilege cmd level 3 mode exec command who

privilege cmd level 3 mode exec command logging

privilege cmd level 3 mode exec command failover

privilege cmd level 3 mode exec command packet-tracer

privilege show level 5 mode exec command import

privilege show level 5 mode exec command running-config

privilege show level 3 mode exec command reload

privilege show level 3 mode exec command mode

privilege show level 3 mode exec command firewall

privilege show level 3 mode exec command asp

privilege show level 3 mode exec command cpu

privilege show level 3 mode exec command interface

privilege show level 3 mode exec command clock

privilege show level 3 mode exec command dns-hosts

privilege show level 3 mode exec command access-list

privilege show level 3 mode exec command logging

privilege show level 3 mode exec command vlan

privilege show level 3 mode exec command ip

privilege show level 3 mode exec command ipv6

privilege show level 3 mode exec command failover

privilege show level 3 mode exec command asdm

privilege show level 3 mode exec command arp

privilege show level 3 mode exec command route

privilege show level 3 mode exec command ospf

privilege show level 3 mode exec command aaa-server

privilege show level 3 mode exec command aaa

privilege show level 3 mode exec command eigrp

privilege show level 3 mode exec command crypto

privilege show level 3 mode exec command vpn-sessiondb

privilege show level 3 mode exec command ssh

privilege show level 3 mode exec command dhcpd

privilege show level 3 mode exec command vpnclient

privilege show level 3 mode exec command vpn

privilege show level 3 mode exec command blocks

privilege show level 3 mode exec command wccp

privilege show level 3 mode exec command webvpn

privilege show level 3 mode exec command module

privilege show level 3 mode exec command uauth

privilege show level 3 mode exec command compression

privilege show level 3 mode configure command interface

privilege show level 3 mode configure command clock

privilege show level 3 mode configure command access-list

privilege show level 3 mode configure command logging

privilege show level 3 mode configure command ip

privilege show level 3 mode configure command failover

privilege show level 5 mode configure command asdm

privilege show level 3 mode configure command arp

privilege show level 3 mode configure command route

privilege show level 3 mode configure command aaa-server

privilege show level 3 mode configure command aaa

privilege show level 3 mode configure command crypto

privilege show level 3 mode configure command ssh

privilege show level 3 mode configure command dhcpd

privilege show level 5 mode configure command privilege

privilege clear level 3 mode exec command dns-hosts

privilege clear level 3 mode exec command logging

privilege clear level 3 mode exec command arp

privilege clear level 3 mode exec command aaa-server

privilege clear level 3 mode exec command crypto

privilege cmd level 3 mode configure command failover

privilege clear level 3 mode configure command logging

privilege clear level 3 mode configure command arp

privilege clear level 3 mode configure command crypto

privilege clear level 3 mode configure command aaa-server

prompt hostname context

Cryptochecksum:f450c4621b8c6a366d3067c05313b959

: end

VPN traffic flow problem

Parminder Sian — Tue, 26 Jul 2011 07:17:10 GMT

Hi Johan,

To begin with, please assign a vpn pool with different range, say for example 10.10.10.0 255.255.255.0. Overlapping pools with internal network or in same range is not recommended even if you use different subnet mask.

Secondly enable "crypto isakmp nat-traversal", right now you have "no crypto isakmp nat-traversal".

Hope this helps,

Sian

Re: VPN traffic flow problem

JohanKardell — Tue, 26 Jul 2011 14:39:56 GMT

Thank you so much! I'll try this as soon as possible tomorrow

Sent from Cisco Technical Support iPhone App

Re: VPN traffic flow problem

JohanKardell — Wed, 27 Jul 2011 08:03:31 GMT

It kind of works :)!

I can now reach the resources on my lan from the remote site, for example I have a disk at 172.16.30.2 that I can reach when connected to the vpn, one problem though, I can't reach rescoures that's on my asa's dhcp scoop.... from the vpn client..

I have applied 10.10.10.0/24 to my vpn client pool..

this is now my current config

: Saved

ASA Version 8.0(3)

hostname KardesASA

domain-name default.domain.invalid

enable password XXXXXXXXXX encrypted

names

interface Vlan1

nameif inside

security-level 100

ip address 172.16.30.1 255.255.255.0

interface Vlan10

nameif outside

security-level 0

ip address 95.95.95.7 255.255.255.128

interface Ethernet0/0

switchport access vlan 10

interface Ethernet0/1

interface Ethernet0/2

interface Ethernet0/3

interface Ethernet0/4

interface Ethernet0/5

interface Ethernet0/6

interface Ethernet0/7

passwd XXXXXXXXXX encrypted

ftp mode passive

clock timezone CEST 1

clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00

dns server-group DefaultDNS

domain-name default.domain.invalid

object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

access-list nonat extended permit ip 172.16.30.0 255.255.255.0 10.10.10.0 255.255.255.0

access-list MSS_EXCEEDED_ACL extended permit tcp any any

access-list VPN-SPLIT-TUNNEL remark VPN SPLIT TUNNEL

access-list VPN-SPLIT-TUNNEL standard permit 172.16.30.0 255.255.255.0

tcp-map MSS-MAP

exceed-mss allow

pager lines 24

logging enable

logging timestamp

logging buffer-size 8192

logging console debugging

logging buffered notifications

logging asdm notifications

mtu inside 1500

mtu outside 1500

ip local pool VPN 10.10.10.1-10.10.10.30 mask 255.255.255.0