IPSEC VPN clients can't reach internal nor external resources

3moloz123
Level 1

Hi!

At the moment I'm running ASA 8.3 and, with fairly much experience of ASA 8.0-8.2, I can't get the NAT right for the VPN clients.

I'm pretty sure it's not ACLs, although I might be wrong.

The problem is both that VPN users can't reach internal resources, and that VPN users can't reach external resources.

# Issue 1. IPsec VPN client cannot reach any local (inside) resources

All interfaces are pretty much "allow any any"; I suspect it has to do with NAT.

When trying to access an external resource, the "translate_hits" below are changed:

```
Auto NAT Policies (Section 2)
1 (outside) to (outside) source dynamic vpn_nat interface
    translate_hits = 37, untranslate_hits = 11
```

When trying to reach a local resource (10.0.0.0/24), the translate hits below are changed:

```
5 (inside) to (outside) source static any any destination static NETWORK_OBJ_172.16.32.0_24 NETWORK_OBJ_172.16.32.0_24
    translate_hits = 31, untranslate_hits = 32
```

Most of the NAT, with some sensitive data cut:

```
Manual NAT Policies (Section 1)
<snip>
3 (inside) to (server) source static NETWORK_OBJ_1.2.3.0_29 NETWORK_OBJ_1.2.3.0_29
    translate_hits = 0, untranslate_hits = 0
4 (inside) to (server) source static any any destination static NETWORK_OBJ_10.0.0.240_28 NETWORK_OBJ_10.0.0.240_28
    translate_hits = 0, untranslate_hits = 0
5 (inside) to (outside) source static any any destination static NETWORK_OBJ_172.16.32.0_24 NETWORK_OBJ_172.16.32.0_24
    translate_hits = 22, untranslate_hits = 23

Auto NAT Policies (Section 2)
1 (outside) to (outside) source dynamic vpn_nat interface
    translate_hits = 37, untranslate_hits = 6

Manual NAT Policies (Section 3)
1 (something_free) to (something_outside) source dynamic any interface
    translate_hits = 0, untranslate_hits = 0
2 (something_something) to (something_outside) source dynamic any interface
    translate_hits = 0, untranslate_hits = 0
3 (inside) to (outside) source dynamic any interface
    translate_hits = 5402387, untranslate_hits = 1519419
```

# Issue 2. VPN user cannot access anything on the Internet

```
asa# packet-tracer input outside tcp 172.16.32.1 12345 1.2.3.4 443

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
```

Relevant configuration snippet:

```
interface Vlan2
 nameif outside
 security-level 0
 ip address 1.2.3.2 255.255.255.248
!
interface Vlan3
 nameif inside
 security-level 100
 ip address 10.0.0.5 255.255.255.0
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network anywhere
 subnet 0.0.0.0 0.0.0.0
object network something_free
 subnet 10.0.100.0 255.255.255.0
object network something_member
 subnet 10.0.101.0 255.255.255.0
object network obj-ipsecvpn
 subnet 172.16.31.0 255.255.255.0
object network allvpnnet
 subnet 172.16.32.0 255.255.255.0
object network OFFICE-NET
 subnet 10.0.0.0 255.255.255.0
object network vpn_nat
 subnet 172.16.32.0 255.255.255.0
object-group network the_office
 network-object 10.0.0.0 255.255.255.0
access-list VPN-TO-OFFICE-NET standard permit 10.0.0.0 255.255.255.0
ip local pool ipsecvpnpool 172.16.32.0-172.16.32.255 mask 255.255.255.0
ip local pool vpnpool 172.16.31.1-172.16.31.255 mask 255.255.255.0
nat (inside,server) source static NETWORK_OBJ_1.2.3.0_29 NETWORK_OBJ_1.2.3.0_29
nat (inside,server) source static any any destination static NETWORK_OBJ_10.0.0.240_28 NETWORK_OBJ_10.0.0.240_28
nat (inside,outside) source static any any destination static NETWORK_OBJ_172.16.32.0_24 NETWORK_OBJ_172.16.32.0_24
!
object network vpn_nat
 nat (outside,outside) dynamic interface
!
nat (some_free,some_outside) after-auto source dynamic any interface
nat (some_member,some_outside) after-auto source dynamic any interface
nat (inside,outside) after-auto source dynamic any interface
group-policy companyusers attributes
 dns-server value 8.8.8.8 8.8.4.4
 vpn-tunnel-protocol IPSec
 default-domain value company.net
tunnel-group companyusers type remote-access
tunnel-group companyusers general-attributes
 address-pool ipsecvpnpool
 default-group-policy companyusers
tunnel-group companyusers ipsec-attributes
 pre-shared-key *****
!
```
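Added example, not code from the thread: a small Python helper that diffs two `show nat` snapshots and reports which rule's translate_hits/untranslate_hits moved, which is the method used above to attribute the VPN client's flows to rule 5 of Section 1 and to the (outside,outside) auto NAT rule. The two snapshots are constructed from the counters posted above.

```python
import re

# Constructed snapshots modelled on the `show nat` output posted in this thread:
# the same rule set before and after the VPN client tries to reach 10.0.0.0/24.
BEFORE = """\
Manual NAT Policies (Section 1)
5 (inside) to (outside) source static any any destination static NETWORK_OBJ_172.16.32.0_24 NETWORK_OBJ_172.16.32.0_24
    translate_hits = 22, untranslate_hits = 23
Auto NAT Policies (Section 2)
1 (outside) to (outside) source dynamic vpn_nat interface
    translate_hits = 37, untranslate_hits = 6
Manual NAT Policies (Section 3)
3 (inside) to (outside) source dynamic any interface
    translate_hits = 5402387, untranslate_hits = 1519419
"""
AFTER = BEFORE.replace("translate_hits = 22, untranslate_hits = 23",
                       "translate_hits = 31, untranslate_hits = 32")

SECTION_RE = re.compile(r"^(Manual|Auto) NAT Policies \(Section (\d)\)")
RULE_RE = re.compile(r"^(\d+) \((\S+)\) to \((\S+)\) (.+)$")
HITS_RE = re.compile(r"translate_hits = (\d+), untranslate_hits = (\d+)")


def parse_show_nat(text):
    """Map (section, rule number) -> interfaces, rule text and hit counters."""
    rules, section, current = {}, None, None
    for line in text.splitlines():
        if m := SECTION_RE.match(line.strip()):
            section = int(m.group(2))          # rule numbers restart per section
        elif m := RULE_RE.match(line.strip()):
            current = (section, int(m.group(1)))
            rules[current] = {"from": m.group(2), "to": m.group(3), "rule": m.group(4)}
        elif (m := HITS_RE.search(line)) and current:
            rules[current]["xlate"] = int(m.group(1))
            rules[current]["unxlate"] = int(m.group(2))
    return rules


def changed_rules(before, after):
    """Rules whose counters moved between two snapshots, with the deltas.

    The rule that moved is the one the test traffic actually matched; a rule
    that stays at zero (like the after-auto PAT here) was never consulted."""
    b, a = parse_show_nat(before), parse_show_nat(after)
    out = {}
    for key, rule in a.items():
        if key in b and (rule["xlate"], rule["unxlate"]) != (b[key]["xlate"], b[key]["unxlate"]):
            out[key] = {**rule,
                        "d_xlate": rule["xlate"] - b[key]["xlate"],
                        "d_unxlate": rule["unxlate"] - b[key]["unxlate"]}
    return out


if __name__ == "__main__":
    for (section, num), r in changed_rules(BEFORE, AFTER).items():
        print(f"Section {section} rule {num} ({r['from']} -> {r['to']}): "
              f"+{r['d_xlate']} translate, +{r['d_unxlate']} untranslate")
```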


5 Replies

puseth
Level 1

This configuration looks good to u-turn the VPN clients from the outside interface back to the Internet:

```
ip local pool ipsecvpnpool 172.16.32.0-172.16.32.255 mask 255.255.255.0
object network vpn_nat
 subnet 172.16.32.0 255.255.255.0
object network vpn_nat
 nat (outside,outside) dynamic interface
same-security-traffic permit intra-interface
```

You also have a no-NAT to allow traffic from the inside network back to the outside network without any translation:

```
nat (inside,outside) source static any any destination static NETWORK_OBJ_172.16.32.0_24 NETWORK_OBJ_172.16.32.0_24
```

Can you please provide us with syslogs from the ASA, and initiate a continuous ping from the VPN client to the inside network as well as outside to 4.2.2.2?

And can you please post the complete show run from the ASA?

Puneet

Hi Puneet,

There is confidential data in there. I am pretty certain that I did show you all the configuration that matters. What are you missing?

I have now logged some data, but I don't see anything weird. Let me add that I am testing it from an iPhone, if that matters. I'm sorry for the format; the syslog server didn't obey my command to log everything to disk, so this is actually a packet capture on the syslog server (grepped for the 172.16.32 address):

```
<166>%ASA-6-302016: Teardown UDP connection 5643873 for outside:172.16.32.1/56139 to outside:8.8.8.8/53 duration 0:02:32 bytes 234
<166>%ASA-6-737026: IPAA: Client assigned 172.16.32.1 from local pool
<167>%ASA-7-713906: Group = companyusers, Username = user, IP = 2.69.143.104, Obtained IP addr (172.16.32.1) prior to initiating Mode Cfg (XAuth enabled)
<166>%ASA-6-713228: Group = companyusers, Username = user, IP = 2.69.143.104, Assigned private IP address 172.16.32.1 to remote user
172.16.32.1
<167>%ASA-7-713025: Group = companyusers, Username = user, IP = 2.69.143.104, Received remote Proxy Host data in ID Payload:  Address 172.16.32.1, Protocol 0, Port 0
<167>%ASA-7-713222: Group = companyusers, Username = user, IP = 2.69.143.104, Static Crypto Map check, map = outside_map, seq = 1, ACL does not match proxy IDs src:172.16.32.1 dst:0.0.0.0
<167>%ASA-7-713222: Group = companyusers, Username = user, IP = 2.69.143.104, Static Crypto Map check, map = outside_map, seq = 2, ACL does not match proxy IDs src:172.16.32.1 dst:0.0.0.0
  Remote host: 172.16.32.1  Protocol 0  Port 0
<167>%ASA-7-713204: Group = companyusers, Username = user, IP = 2.69.143.104, Adding static route for client address: 172.16.32.1
```

# Trying to reach www.whatsmyip.net; as you can see I am using Google DNS

```
<166>%ASA-6-305011: Built dynamic UDP translation from outside:172.16.32.1/59397 to outside:195.67.37.149/31360
<166>%ASA-6-302015: Built inbound UDP connection 5644619 for outside:172.16.32.1/59397 (195.67.37.149/31360) to outside:8.8.8.8/53 (8.8.8.8/53) (user)
<166>%ASA-6-302015: Built inbound UDP connection 5644628 for outside:172.16.32.1/59397 (195.67.37.149/31360) to outside:8.8.4.4/53 (8.8.4.4/53) (user)
<166>%ASA-6-305011: Built dynamic UDP translation from outside:172.16.32.1/58907 to outside:195.67.37.149/7050
<166>%ASA-6-302015: Built inbound UDP connection 5644634 for outside:172.16.32.1/58907 (195.67.37.149/7050) to outside:8.8.4.4/53 (8.8.4.4/53) (user)
<166>%ASA-6-302015: Built inbound UDP connection 5644651 for outside:172.16.32.1/58907 (195.67.37.149/7050) to outside:8.8.8.8/53 (8.8.8.8/53) (user)
<166>%ASA-6-302020: Built inbound ICMP connection for faddr 172.16.32.1/6912 gaddr 10.0.0.72/0 laddr 10.0.0.72/0 (user)
```

# Trying to reach an internal resource

```
<166>%ASA-6-106100: access-list inside_access_in permitted icmp inside/10.0.0.72(0) -> outside/172.16.32.1(0) hit-cnt 1 first hit [0xa925365e, 0x0]
<166>%ASA-6-106100: access-list outside_access_out permitted icmp inside/10.0.0.72(0) -> outside/172.16.32.1(0) hit-cnt 1 first hit [0x3bdfb084, 0x0]
<166>%ASA-6-302020: Built outbound ICMP connection for faddr 172.16.32.1/6912 gaddr 10.0.0.72/0 laddr 10.0.0.72/0
<166>%ASA-6-302021: Teardown ICMP connection for faddr 172.16.32.1/6912 gaddr 10.0.0.72/0 laddr 10.0.0.72/0 (user)
<166>%ASA-6-302021: Teardown ICMP connection for faddr 172.16.32.1/6912 gaddr 10.0.0.72/0 laddr 10.0.0.72/0
<166>%ASA-6-302020: Built inbound ICMP connection for faddr 172.16.32.1/6912 gaddr 10.0.0.72/0 laddr 10.0.0.72/0 (user)
<166>%ASA-6-302020: Built outbound ICMP connection for faddr 172.16.32.1/6912 gaddr 10.0.0.72/0 laddr 10.0.0.72/0
<166>%ASA-6-302021: Teardown ICMP connection for faddr 172.16.32.1/6912 gaddr 10.0.0.72/0 laddr 10.0.0.72/0 (user)
<166>%ASA-6-302021: Teardown ICMP connection for faddr 172.16.32.1/6912 gaddr 10.0.0.72/0 laddr 10.0.0.72/0
<166>%ASA-6-302020: Built inbound ICMP connection for faddr 172.16.32.1/6912 gaddr 10.0.0.72/0 laddr 10.0.0.72/0 (user)
<166>%ASA-6-302020: Built outbound ICMP connection for faddr 172.16.32.1/6912 gaddr 10.0.0.72/0 laddr 10.0.0.72/0
<166>%ASA-6-302021: Teardown ICMP connection for faddr 172.16.32.1/6912 gaddr 10.0.0.72/0 laddr 10.0.0.72/0 (user)
<166>%ASA-6-302021: Teardown ICMP connection for faddr 172.16.32.1/6912 gaddr 10.0.0.72/0 laddr 10.0.0.72/0
<166>%ASA-6-302020: Built inbound ICMP connection for faddr 172.16.32.1/6912 gaddr 10.0.0.72/0 laddr 10.0.0.72/0 (user)
<166>%ASA-6-302020: Built outbound ICMP connection for faddr 172.16.32.1/6912 gaddr 10.0.0.72/0 laddr 10.0.0.72/0
<166>%ASA-6-302021: Teardown ICMP connection for faddr 172.16.32.1/6912 gaddr 10.0.0.72/0 laddr 10.0.0.72/0 (user)
<166>%ASA-6-302021: Teardown ICMP connection for faddr 172.16.32.1/6912 gaddr 10.0.0.72/0 laddr 10.0.0.72/0
```

Looking at these logs:

```
%ASA-6-305011: Built dynamic UDP translation from outside:172.16.32.1/59397 to outside:195.67.37.149/31360
%ASA-6-302015: Built inbound UDP connection 5644619 for outside:172.16.32.1/59397 (195.67.37.149/31360) to outside:8.8.8.8/53 (8.8.8.8/53) (user)
%ASA-6-302015: Built inbound UDP connection 5644628 for outside:172.16.32.1/59397 (195.67.37.149/31360) to outside:8.8.4.4/53 (8.8.4.4/53) (user)
```

We can see that the VPN client IP address 172.16.32.1 was translated to 195.67.37.149 while being u-turned on the outside interface, and we can see the packets going towards the DNS servers 8.8.8.8 and 8.8.4.4.

But these logs don't show us the Teardown messages for this traffic.

Do you get a successful reply to nslookup from your VPN client using 8.8.8.8?

Can you ping 4.2.2.2 from the VPN client and collect these outputs on the ASA?

1. debug icmp trace
2. cap capo interface outside match icmp any host 4.2.2.2

and show me the output of show cap capo.

And then do this: ping the LAN IP address 10.0.0.72 from the VPN client and collect

1. debug icmp trace
2. cap capi interface inside match icmp any host 10.0.0.72

and send me the output of show cap capi, and also provide the output of this command:

packet-tracer input inside icmp 10.0.0.72 0 0 172.16.32.1

Puneet
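Added example, not Puneet's or the original poster's code: a Python pass over ASA syslog lines that collects the 305011 translations and 302015 built-connection messages for the VPN client address and pairs them with their 302016 teardowns, so the missing-teardown gap Puneet points out above can be listed rather than eyeballed. The sample lines are constructed from those posted in this thread (binary pcap prefixes stripped), with one teardown added so the pairing is visible.

```python
import re

# Constructed sample modelled on the syslog lines posted in this thread.
SAMPLE_LOG = """\
<166>%ASA-6-305011: Built dynamic UDP translation from outside:172.16.32.1/59397 to outside:195.67.37.149/31360
<166>%ASA-6-302015: Built inbound UDP connection 5644619 for outside:172.16.32.1/59397 (195.67.37.149/31360) to outside:8.8.8.8/53 (8.8.8.8/53) (user)
<166>%ASA-6-302015: Built inbound UDP connection 5644628 for outside:172.16.32.1/59397 (195.67.37.149/31360) to outside:8.8.4.4/53 (8.8.4.4/53) (user)
<166>%ASA-6-302016: Teardown UDP connection 5644628 for outside:172.16.32.1/59397 to outside:8.8.4.4/53 duration 0:00:02 bytes 120
"""

# 305011: dynamic PAT created for the real address/port.
XLATE_RE = re.compile(
    r"%ASA-\d-305011: Built dynamic (?P<proto>\w+) translation from "
    r"(?P<in_if>\w+):(?P<real_ip>[\d.]+)/(?P<real_port>\d+) to "
    r"(?P<out_if>\w+):(?P<mapped_ip>[\d.]+)/(?P<mapped_port>\d+)")
# 302015: UDP connection built; the parenthesised address is the mapped one.
BUILT_RE = re.compile(
    r"%ASA-\d-302015: Built (?P<dir>inbound|outbound) UDP connection (?P<id>\d+) for "
    r"(?P<src_if>\w+):(?P<src>[\d.]+/\d+) \((?P<src_mapped>[\d.]+/\d+)\) to "
    r"(?P<dst_if>\w+):(?P<dst>[\d.]+/\d+)")
# 302016: UDP connection torn down; only the connection id is needed to pair it.
TEARDOWN_RE = re.compile(r"%ASA-\d-302016: Teardown UDP connection (?P<id>\d+) for")


def analyze(log_text, client_ip):
    """Summarise what the ASA did with flows from client_ip.

    Returns the PAT mappings seen for the client, the UDP connections that were
    built but never torn down, and how many connections entered and left on the
    same interface (the outside->outside u-turn discussed in this thread)."""
    xlates, built, torn = {}, {}, set()
    for line in log_text.splitlines():
        if m := XLATE_RE.search(line):
            if m["real_ip"] == client_ip:
                xlates[f"{m['real_ip']}/{m['real_port']}"] = f"{m['mapped_ip']}/{m['mapped_port']}"
        elif m := BUILT_RE.search(line):
            if m["src"].startswith(client_ip + "/"):
                built[m["id"]] = (m["src_if"], m["dst_if"], m["dst"])
        elif m := TEARDOWN_RE.search(line):
            torn.add(m["id"])
    open_conns = {cid: info for cid, info in built.items() if cid not in torn}
    same_if = sum(1 for src_if, dst_if, _ in built.values() if src_if == dst_if)
    return {"xlates": xlates, "open": open_conns, "same_interface": same_if}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG, "172.16.32.1")
    for real, mapped in report["xlates"].items():
        print(f"PAT {real} -> {mapped}")
    for cid, (src_if, dst_if, dst) in report["open"].items():
        print(f"conn {cid} {src_if}->{dst_if} to {dst}: built, no teardown seen")
```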

Hi,

No, I don't seem to get a reply from 8.8.8.8; it's kind of hard to tell as it's an iPhone. To me, all these logs simply say it works like a charm, but still I get no reply on the phone.

```
asa# ICMP echo request from outside:172.16.32.1 to outside:4.2.2.2 ID=6912 seq=0 len=28
ICMP echo request translating outside:172.16.32.1/6912 to outside:x.x.37.149/46012
ICMP echo reply from outside:4.2.2.2 to outside:x.x.37.149 ID=46012 seq=0 len=28
ICMP echo reply untranslating outside:x.x.37.149/46012 to outside:172.16.32.1/6912
ICMP echo request from outside:172.16.32.1 to outside:4.2.2.2 ID=6912 seq=256 len=28
ICMP echo request translating outside:172.16.32.1/6912 to outside:x.x.37.149/46012
ICMP echo reply from outside:4.2.2.2 to outside:x.x.37.149 ID=46012 seq=256 len=28
ICMP echo reply untranslating outside:x.x.37.149/46012 to outside:172.16.32.1/6912
ICMP echo request from outside:172.16.32.1 to outside:4.2.2.2 ID=6912 seq=512 len=28
ICMP echo request translating outside:172.16.32.1/6912 to outside:x.x.37.149/46012
ICMP echo reply from outside:4.2.2.2 to outside:x.x.37.149 ID=46012 seq=512 len=28
ICMP echo reply untranslating outside:x.x.37.149/46012 to outside:172.16.32.1/6912
```

```
asa# show capture capo

12 packets captured

   1: 08:11:59.097590 802.1Q vlan#2 P0 x.x.37.149 > 4.2.2.2: icmp: echo request
   2: 08:11:59.127129 802.1Q vlan#2 P0 4.2.2.2 > x.x.37.149: icmp: echo reply
   3: 08:12:00.103876 802.1Q vlan#2 P0 x.x.37.149 > 4.2.2.2: icmp: echo request
   4: 08:12:00.133293 802.1Q vlan#2 P0 4.2.2.2 > x.x.37.149: icmp: echo reply
   5: 08:12:01.099253 802.1Q vlan#2 P0 x.x.37.149 > 4.2.2.2: icmp: echo request
   6: 08:12:01.127572 802.1Q vlan#2 P0 4.2.2.2 > x.x.37.149: icmp: echo reply
   7: 08:12:52.954464 802.1Q vlan#2 P0 x.x.37.149 > 4.2.2.2: icmp: echo request
   8: 08:12:52.983866 802.1Q vlan#2 P0 4.2.2.2 > x.x.37.149: icmp: echo reply
   9: 08:12:56.072811 802.1Q vlan#2 P0 x.x.37.149 > 4.2.2.2: icmp: echo request
  10: 08:12:56.101007 802.1Q vlan#2 P0 4.2.2.2 > x.x.37.149: icmp: echo reply
  11: 08:12:59.132897 802.1Q vlan#2 P0 x.x.37.149 > 4.2.2.2: icmp: echo request
  12: 08:12:59.160941 802.1Q vlan#2 P0 4.2.2.2 > x.x.37.149: icmp: echo reply
```

```
asa# ICMP echo request from outside:172.16.32.1 to inside:10.0.0.72 ID=6912 seq=0 len=28
ICMP echo reply from inside:10.0.0.72 to outside:172.16.32.1 ID=6912 seq=0 len=28
ICMP echo request from outside:172.16.32.1 to inside:10.0.0.72 ID=6912 seq=256 len=28
ICMP echo reply from inside:10.0.0.72 to outside:172.16.32.1 ID=6912 seq=256 len=28
ICMP echo request from outside:172.16.32.1 to inside:10.0.0.72 ID=6912 seq=512 len=28
ICMP echo reply from inside:10.0.0.72 to outside:172.16.32.1 ID=6912 seq=512 len=28
ICMP echo request from outside:172.16.32.1 to inside:10.0.0.72 ID=6912 seq=768 len=28
ICMP echo reply from inside:10.0.0.72 to outside:172.16.32.1 ID=6912 seq=768 len=28
```

```
asa# show capture capi

8 packets captured

   1: 08:15:44.868653 802.1Q vlan#3 P0 172.16.32.1 > 10.0.0.72: icmp: echo request
   2: 08:15:44.966456 802.1Q vlan#3 P0 10.0.0.72 > 172.16.32.1: icmp: echo reply
   3: 08:15:47.930066 802.1Q vlan#3 P0 172.16.32.1 > 10.0.0.72: icmp: echo request
   4: 08:15:48.040082 802.1Q vlan#3 P0 10.0.0.72 > 172.16.32.1: icmp: echo reply
   5: 08:15:51.028654 802.1Q vlan#3 P0 172.16.32.1 > 10.0.0.72: icmp: echo request
   6: 08:15:51.110086 802.1Q vlan#3 P0 10.0.0.72 > 172.16.32.1: icmp: echo reply
   7: 08:15:54.076534 802.1Q vlan#3 P0 172.16.32.1 > 10.0.0.72: icmp: echo request
   8: 08:15:54.231250 802.1Q vlan#3 P0 10.0.0.72 > 172.16.32.1: icmp: echo reply
```

Packet-tracer output:

```
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   172.16.32.1     255.255.255.255 outside

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip any any log
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: DEBUG-ICMP
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static any any destination static NETWORK_OBJ_172.16.32.0_24 NETWORK_OBJ_172.16.32.0_24
Additional Information:
Static translate 10.0.0.72/0 to 10.0.0.72/0

Phase: 9
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_out out interface outside
access-list outside_access_out extended permit ip any any log
Additional Information:

Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 5725528, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
```

Hello,

I am setting up an IPsec VPN through the ASA and am finding it very difficult. I create a VPN through the VPN wizard, and when I test it the network receives the return with the information and terminates the connection with my client without even requesting the password for AAA validation.

```
teardown udp connection is 91028286 outside:177.114.178.70/54998 to identity:10.209.8.253/500 duration 00:02:15
```
