12-20-2011 06:08 AM - edited 03-11-2019 03:04 PM
Hi!
I'm currently running ASA 8.3 and have a fair amount of experience with ASA 8.0-8.2, but I can't get the NAT right for the VPN clients.
I'm pretty sure it's not the ACLs, although I might be wrong.
The problem is twofold: VPN users can reach internal resources, and VPN users can't reach external resources.
# Issue 1.
The IPsec VPN client cannot reach any local (inside) resources. All interfaces are pretty much "allow any any"; I suspect it has to do with NAT.
When trying to access an external resource, the "translate_hits" below are changed:
Auto NAT Policies (Section 2)
1 (outside) to (outside) source dynamic vpn_nat interface
translate_hits = 37, untranslate_hits = 11
When trying to reach a local resource (10.0.0.0/24), the "translate_hits" below are changed:
5 (inside) to (outside) source static any any destination static NETWORK_OBJ_172.16.32.0_24 NETWORK_OBJ_172.16.32.0_24
translate_hits = 31, untranslate_hits = 32
Most of the NAT configuration, with some sensitive data cut:
Manual NAT Policies (Section 1)
<snip>
3 (inside) to (server) source static NETWORK_OBJ_1.2.3.0_29 NETWORK_OBJ_1.2.3.0_29
translate_hits = 0, untranslate_hits = 0
4 (inside) to (server) source static any any destination static NETWORK_OBJ_10.0.0.240_28 NETWORK_OBJ_10.0.0.240_28
translate_hits = 0, untranslate_hits = 0
5 (inside) to (outside) source static any any destination static NETWORK_OBJ_172.16.32.0_24 NETWORK_OBJ_172.16.32.0_24
translate_hits = 22, untranslate_hits = 23
Auto NAT Policies (Section 2)
1 (outside) to (outside) source dynamic vpn_nat interface
translate_hits = 37, untranslate_hits = 6
Manual NAT Policies (Section 3)
1 (something_free) to (something_outside) source dynamic any interface
translate_hits = 0, untranslate_hits = 0
2 (something_something) to (something_outside) source dynamic any interface
translate_hits = 0, untranslate_hits = 0
3 (inside) to (outside) source dynamic any interface
translate_hits = 5402387, untranslate_hits = 1519419
## Issue 2: VPN user cannot access anything on the internet
asa# packet-tracer input outside tcp 172.16.32.1 12345 1.2.3.4 443
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Relevant configuration snippet:
interface Vlan2
nameif outside
security-level 0
ip address 1.2.3.2 255.255.255.248
!
interface Vlan3
nameif inside
security-level 100
ip address 10.0.0.5 255.255.255.0
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network anywhere
subnet 0.0.0.0 0.0.0.0
object network something_free
subnet 10.0.100.0 255.255.255.0
object network something_member
subnet 10.0.101.0 255.255.255.0
object network obj-ipsecvpn
subnet 172.16.31.0 255.255.255.0
object network allvpnnet
subnet 172.16.32.0 255.255.255.0
object network OFFICE-NET
subnet 10.0.0.0 255.255.255.0
object network vpn_nat
subnet 172.16.32.0 255.255.255.0
object-group network the_office
network-object 10.0.0.0 255.255.255.0
access-list VPN-TO-OFFICE-NET standard permit 10.0.0.0 255.255.255.0
ip local pool ipsecvpnpool 172.16.32.0-172.16.32.255 mask 255.255.255.0
ip local pool vpnpool 172.16.31.1-172.16.31.255 mask 255.255.255.0
nat (inside,server) source static NETWORK_OBJ_1.2.3.0_29 NETWORK_OBJ_1.2.3.0_29
nat (inside,server) source static any any destination static NETWORK_OBJ_10.0.0.240_28 NETWORK_OBJ_10.0.0.240_28
nat (inside,outside) source static any any destination static NETWORK_OBJ_172.16.32.0_24 NETWORK_OBJ_172.16.32.0_24
!
object network vpn_nat
nat (outside,outside) dynamic interface
!
nat (some_free,some_outside) after-auto source dynamic any interface
nat (some_member,some_outside) after-auto source dynamic any interface
nat (inside,outside) after-auto source dynamic any interface
group-policy companyusers attributes
dns-server value 8.8.8.8 8.8.4.4
vpn-tunnel-protocol IPSec
default-domain value company.net
tunnel-group companyusers type remote-access
tunnel-group companyusers general-attributes
address-pool ipsecvpnpool
default-group-policy companyusers
tunnel-group companyusers ipsec-attributes
pre-shared-key *****
!
!
12-20-2011 06:28 AM
This configuration looks good for u-turning the VPN clients from the outside interface back to the Internet:
ip local pool ipsecvpnpool 172.16.32.0-172.16.32.255 mask 255.255.255.0
object network vpn_nat
subnet 172.16.32.0 255.255.255.0
object network vpn_nat
nat (outside,outside) dynamic interface
same-security-traffic permit intra-interface
You do have a no-NAT rule as well, to allow traffic from the inside network back to the outside network without any translation:
nat (inside,outside) source static any any destination static NETWORK_OBJ_172.16.32.0_24 NETWORK_OBJ_172.16.32.0_24
Can you please provide us with syslogs from the ASA, and initiate a continuous ping from the VPN client to the inside network as well as to the outside, to 4.2.2.2?
And can you please post the complete "show run" from the ASA?
Puneet
12-20-2011 07:35 AM
Hi Puneet,
There is confidential data in there. I am pretty certain that I showed you all the configuration that matters. What are you missing?
I have now logged some data, but I don't see anything weird. Let me add that I am testing from an iPhone, if that matters. I'm sorry for the format; the syslog server didn't obey my command to log everything to disk, so this is actually a packet capture taken on the syslog server (grepped for the 172.16.32 address):
%ASA-6-302016: Teardown UDP connection 5643873 for outside:172.16.32.1/56139 to outside:8.8.8.8/53 duration 0:02:32 bytes 234
%ASA-6-737026: IPAA: Client assigned 172.16.32.1 from local pool
%ASA-7-713906: Group = companyusers, Username = user, IP = 2.69.143.104, Obtained IP addr (172.16.32.1) prior to initiating Mode Cfg (XAuth enabled)
%ASA-6-713228: Group = companyusers, Username = user, IP = 2.69.143.104, Assigned private IP address 172.16.32.1 to remote user
172.16.32.1
%ASA-7-713025: Group = companyusers, Username = user, IP = 2.69.143.104, Received remote Proxy Host data in ID Payload: Address 172.16.32.1, Protocol 0, Port 0
%ASA-7-713222: Group = companyusers, Username = user, IP = 2.69.143.104, Static Crypto Map check, map = outside_map, seq = 1, ACL does not match proxy IDs src:172.16.32.1 dst:0.0.0.0
%ASA-7-713222: Group = companyusers, Username = user, IP = 2.69.143.104, Static Crypto Map check, map = outside_map, seq = 2, ACL does not match proxy IDs src:172.16.32.1 dst:0.0.0.0
Remote host: 172.16.32.1 Protocol 0 Port 0
%ASA-7-713204: Group = companyusers, Username = user, IP = 2.69.143.104, Adding static route for client address: 172.16.32.1
# Trying to reach www.whatsmyip.net; as you can see, I am using Google DNS
%ASA-6-305011: Built dynamic UDP translation from outside:172.16.32.1/59397 to outside:195.67.37.149/31360
%ASA-6-302015: Built inbound UDP connection 5644619 for outside:172.16.32.1/59397 (195.67.37.149/31360) to outside:8.8.8.8/53 (8.8.8.8/53) (user)
%ASA-6-302015: Built inbound UDP connection 5644628 for outside:172.16.32.1/59397 (195.67.37.149/31360) to outside:8.8.4.4/53 (8.8.4.4/53) (user)
%ASA-6-305011: Built dynamic UDP translation from outside:172.16.32.1/58907 to outside:195.67.37.149/7050
%ASA-6-302015: Built inbound UDP connection 5644634 for outside:172.16.32.1/58907 (195.67.37.149/7050) to outside:8.8.4.4/53 (8.8.4.4/53) (user)
%ASA-6-302015: Built inbound UDP connection 5644651 for outside:172.16.32.1/58907 (195.67.37.149/7050) to outside:8.8.8.8/53 (8.8.8.8/53) (user)
%ASA-6-302020: Built inbound ICMP connection for faddr 172.16.32.1/6912 gaddr 10.0.0.72/0 laddr 10.0.0.72/0 (user)
# Trying to reach an internal resource
%ASA-6-106100: access-list inside_access_in permitted icmp inside/10.0.0.72(0) -> outside/172.16.32.1(0) hit-cnt 1 first hit [0xa925365e, 0x0]
%ASA-6-106100: access-list outside_access_out permitted icmp inside/10.0.0.72(0) -> outside/172.16.32.1(0) hit-cnt 1 first hit [0x3bdfb084, 0x0]
%ASA-6-302020: Built outbound ICMP connection for faddr 172.16.32.1/6912 gaddr 10.0.0.72/0 laddr 10.0.0.72/0
%ASA-6-302021: Teardown ICMP connection for faddr 172.16.32.1/6912 gaddr 10.0.0.72/0 laddr 10.0.0.72/0 (user)
%ASA-6-302021: Teardown ICMP connection for faddr 172.16.32.1/6912 gaddr 10.0.0.72/0 laddr 10.0.0.72/0
%ASA-6-302020: Built inbound ICMP connection for faddr 172.16.32.1/6912 gaddr 10.0.0.72/0 laddr 10.0.0.72/0 (user)
%ASA-6-302020: Built outbound ICMP connection for faddr 172.16.32.1/6912 gaddr 10.0.0.72/0 laddr 10.0.0.72/0
%ASA-6-302021: Teardown ICMP connection for faddr 172.16.32.1/6912 gaddr 10.0.0.72/0 laddr 10.0.0.72/0 (user)
%ASA-6-302021: Teardown ICMP connection for faddr 172.16.32.1/6912 gaddr 10.0.0.72/0 laddr 10.0.0.72/0
%ASA-6-302020: Built inbound ICMP connection for faddr 172.16.32.1/6912 gaddr 10.0.0.72/0 laddr 10.0.0.72/0 (user)
%ASA-6-302020: Built outbound ICMP connection for faddr 172.16.32.1/6912 gaddr 10.0.0.72/0 laddr 10.0.0.72/0
%ASA-6-302021: Teardown ICMP connection for faddr 172.16.32.1/6912 gaddr 10.0.0.72/0 laddr 10.0.0.72/0 (user)
%ASA-6-302021: Teardown ICMP connection for faddr 172.16.32.1/6912 gaddr 10.0.0.72/0 laddr 10.0.0.72/0
%ASA-6-302020: Built inbound ICMP connection for faddr 172.16.32.1/6912 gaddr 10.0.0.72/0 laddr 10.0.0.72/0 (user)
%ASA-6-302020: Built outbound ICMP connection for faddr 172.16.32.1/6912 gaddr 10.0.0.72/0 laddr 10.0.0.72/0
%ASA-6-302021: Teardown ICMP connection for faddr 172.16.32.1/6912 gaddr 10.0.0.72/0 laddr 10.0.0.72/0 (user)
%ASA-6-302021: Teardown ICMP connection for faddr 172.16.32.1/6912 gaddr 10.0.0.72/0 laddr 10.0.0.72/0
12-20-2011 07:58 AM
Looking at these logs:
%ASA-6-305011: Built dynamic UDP translation from outside:172.16.32.1/59397 to outside:195.67.37.149/31360
%ASA-6-302015: Built inbound UDP connection 5644619 for outside:172.16.32.1/59397 (195.67.37.149/31360) to outside:8.8.8.8/53 (8.8.8.8/53) (user)
%ASA-6-302015: Built inbound UDP connection 5644628 for outside:172.16.32.1/59397 (195.67.37.149/31360) to outside:8.8.4.4/53 (8.8.4.4/53) (user)
We can see that the VPN client IP address 172.16.32.1 was translated to 195.67.37.149 while being u-turned on the outside interface, and we can see the packets going towards the DNS servers 8.8.8.8 and 8.8.4.4.
But these logs don't show us the Teardown messages for this traffic.
Do you get a successful reply to an nslookup from your VPN client using 8.8.8.8?
Can you ping 4.2.2.2 from the VPN client and collect these outputs on the ASA?
1. debug icmp trace
2. cap capo interface outside match icmp any host 4.2.2.2
and show me the output of "show cap capo".
And then do this:
ping the LAN IP address 10.0.0.72 from the VPN client
1. debug icmp trace
2. cap capi interface inside match icmp any host 10.0.0.72
and send me the output of "show cap capi",
and provide the output of this command:
packet-tracer input inside icmp 10.0.0.72 0 0 172.16.32.1
Puneet
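The two posts above turn on reading ASA connection syslogs: the log lines were grepped out of a packet capture (so each carries binary debris before the syslog header), and the point being made is that the Built messages (302015) for the DNS flows have no matching Teardown (302016), so nothing in the log proves a reply came back. The following script is an added example, not code from the thread or from Cisco: it strips the capture debris, pairs Built and Teardown messages by connection id, marks hairpinned flows (same ingress and egress interface, the VPN u-turn case) and lists connections with no teardown seen. It assumes only the message layouts quoted in the thread; the sample lines are constructed from those quotes.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# The syslog header may be preceded by pcap debris, so search rather than match.
HEADER = re.compile(r"<(?P<pri>\d{1,3})>%ASA-(?P<sev>\d)-(?P<msgid>\d{6}):\s*(?P<body>.*)")

# 302013 (TCP) / 302015 (UDP), as quoted in the thread:
#   Built inbound UDP connection 5644619 for outside:172.16.32.1/59397
#   (195.67.37.149/31360) to outside:8.8.8.8/53 (8.8.8.8/53) (user)
BUILT = re.compile(
    r"Built (?P<dir>inbound|outbound) (?P<proto>TCP|UDP) connection (?P<cid>\d+) "
    r"for (?P<sif>[\w-]+):(?P<sip>[\d.]+)/(?P<sport>\d+) "
    r"\((?P<mip>[\d.]+)/(?P<mport>\d+)\) "
    r"to (?P<dif>[\w-]+):(?P<dip>[\d.]+)/(?P<dport>\d+)"
)
# 302014 (TCP) / 302016 (UDP):
#   Teardown UDP connection 5643873 for outside:172.16.32.1/56139
#   to outside:8.8.8.8/53 duration 0:02:32 bytes 234
TEARDOWN = re.compile(
    r"Teardown (?P<proto>TCP|UDP) connection (?P<cid>\d+) "
    r"for (?P<sif>[\w-]+):(?P<sip>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dif>[\w-]+):(?P<dip>[\d.]+)/(?P<dport>\d+)"
    r"(?: duration (?P<dur>[\d:]+))?(?: bytes (?P<bytes>\d+))?"
)


@dataclass
class Conn:
    cid: str
    proto: str
    src_if: str
    src: str                # real (pre-NAT) source ip/port
    mapped: Optional[str]   # translated source ip/port; None if no Built was seen
    dst_if: str
    dst: str
    torn_down: bool = False
    bytes: Optional[int] = None

    @property
    def hairpin(self) -> bool:
        # Entered and left on the same interface: the outside-to-outside u-turn.
        return self.src_if == self.dst_if


def parse_syslog(lines: Iterable[str]) -> Iterable[Tuple[str, str]]:
    """Yield (msgid, body) for each line carrying an ASA header; skip debris-only lines."""
    for line in lines:
        m = HEADER.search(line)
        if m:
            yield m.group("msgid"), m.group("body")


def correlate(lines: Iterable[str]) -> Dict[str, Conn]:
    """Pair Built and Teardown messages by connection id."""
    conns: Dict[str, Conn] = {}
    for msgid, body in parse_syslog(lines):
        if msgid in ("302013", "302015"):
            m = BUILT.search(body)
            if not m:
                continue
            conns[m["cid"]] = Conn(cid=m["cid"], proto=m["proto"], src_if=m["sif"],
                                   src=f"{m['sip']}/{m['sport']}",
                                   mapped=f"{m['mip']}/{m['mport']}",
                                   dst_if=m["dif"], dst=f"{m['dip']}/{m['dport']}")
        elif msgid in ("302014", "302016"):
            m = TEARDOWN.search(body)
            if not m:
                continue
            c = conns.get(m["cid"])
            if c is None:
                # Teardown whose Built fell outside the captured window.
                c = Conn(cid=m["cid"], proto=m["proto"], src_if=m["sif"],
                         src=f"{m['sip']}/{m['sport']}", mapped=None,
                         dst_if=m["dif"], dst=f"{m['dip']}/{m['dport']}")
                conns[c.cid] = c
            c.torn_down = True
            c.bytes = int(m["bytes"]) if m["bytes"] else None
    return conns


def unanswered(conns: Dict[str, Conn]) -> List[Conn]:
    """Connections with no Teardown: the log gives no byte count, so no proof of a reply."""
    return [c for c in conns.values() if not c.torn_down]


# Constructed sample, modelled on the lines quoted in the thread, pcap debris included.
SAMPLE = [
    "..N......v.<166>%ASA-6-302016: Teardown UDP connection 5643873 for outside:172.16.32.1/56139 to outside:8.8.8.8/53 duration 0:02:32 bytes 234",
    "..N.....x]U<166>%ASA-6-305011: Built dynamic UDP translation from outside:172.16.32.1/59397 to outside:195.67.37.149/31360",
    "..N........<166>%ASA-6-302015: Built inbound UDP connection 5644619 for outside:172.16.32.1/59397 (195.67.37.149/31360) to outside:8.8.8.8/53 (8.8.8.8/53) (user)",
    "..N....... <166>%ASA-6-302015: Built inbound UDP connection 5644628 for outside:172.16.32.1/59397 (195.67.37.149/31360) to outside:8.8.4.4/53 (8.8.4.4/53) (user)",
    "..N......p.<166>%ASA-6-302020: Built inbound ICMP connection for faddr 172.16.32.1/6912 gaddr 10.0.0.72/0 laddr 10.0.0.72/0 (user)",
    "line of capture noise with no syslog header",
]

if __name__ == "__main__":
    for c in correlate(SAMPLE).values():
        state = f"bytes={c.bytes}" if c.torn_down else "no teardown seen"
        print(f"{c.proto} {c.cid} {c.src_if}:{c.src} -> {c.dst_if}:{c.dst} "
              f"mapped={c.mapped} hairpin={c.hairpin} {state}")
```

ICMP connections (302020/302021) carry no connection id and are deliberately left out; they would have to be keyed on the faddr/gaddr/laddr triple instead. A UDP connection that is still open at the end of the capture is inconclusive on its own, since the ASA tears idle UDP flows down only after the idle timeout; the byte count in the Teardown message is what tells you whether anything beyond the query was ever carried.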
12-20-2011 11:28 PM
Hi,
No, I don't seem to get a reply from 8.8.8.8; it's kind of hard to tell as it's an iPhone. To me, all these logs simply say it works like a charm, but I still get no reply on the phone.
asa# ICMP echo request from outside:172.16.32.1 to outside:4.2.2.2 ID=6912 seq=0 len=28
ICMP echo request translating outside:172.16.32.1/6912 to outside:x.x.37.149/46012
ICMP echo reply from outside:4.2.2.2 to outside:x.x.37.149 ID=46012 seq=0 len=28
ICMP echo reply untranslating outside:x.x.37.149/46012 to outside:172.16.32.1/6912
ICMP echo request from outside:172.16.32.1 to outside:4.2.2.2 ID=6912 seq=256 len=28
ICMP echo request translating outside:172.16.32.1/6912 to outside:x.x.37.149/46012
ICMP echo reply from outside:4.2.2.2 to outside:x.x.37.149 ID=46012 seq=256 len=28
ICMP echo reply untranslating outside:x.x.37.149/46012 to outside:172.16.32.1/6912
ICMP echo request from outside:172.16.32.1 to outside:4.2.2.2 ID=6912 seq=512 len=28
ICMP echo request translating outside:172.16.32.1/6912 to outside:x.x.37.149/46012
ICMP echo reply from outside:4.2.2.2 to outside:x.x.37.149 ID=46012 seq=512 len=28
ICMP echo reply untranslating outside:x.x.37.149/46012 to outside:172.16.32.1/6912
asa# show capture capo
12 packets captured
1: 08:11:59.097590 802.1Q vlan#2 P0 x.x.37.149 > 4.2.2.2: icmp: echo request
2: 08:11:59.127129 802.1Q vlan#2 P0 4.2.2.2 > x.x.37.149: icmp: echo reply
3: 08:12:00.103876 802.1Q vlan#2 P0 x.x.37.149 > 4.2.2.2: icmp: echo request
4: 08:12:00.133293 802.1Q vlan#2 P0 4.2.2.2 > x.x.37.149: icmp: echo reply
5: 08:12:01.099253 802.1Q vlan#2 P0 x.x.37.149 > 4.2.2.2: icmp: echo request
6: 08:12:01.127572 802.1Q vlan#2 P0 4.2.2.2 > x.x.37.149: icmp: echo reply
7: 08:12:52.954464 802.1Q vlan#2 P0 x.x.37.149 > 4.2.2.2: icmp: echo request
8: 08:12:52.983866 802.1Q vlan#2 P0 4.2.2.2 > x.x.37.149: icmp: echo reply
9: 08:12:56.072811 802.1Q vlan#2 P0 x.x.37.149 > 4.2.2.2: icmp: echo request
10: 08:12:56.101007 802.1Q vlan#2 P0 4.2.2.2 > x.x.37.149: icmp: echo reply
11: 08:12:59.132897 802.1Q vlan#2 P0 x.x.37.149 > 4.2.2.2: icmp: echo request
12: 08:12:59.160941 802.1Q vlan#2 P0 4.2.2.2 > x.x.37.149: icmp: echo reply
asa# ICMP echo request from outside:172.16.32.1 to inside:10.0.0.72 ID=6912 seq=0 len=28
ICMP echo reply from inside:10.0.0.72 to outside:172.16.32.1 ID=6912 seq=0 len=28
ICMP echo request from outside:172.16.32.1 to inside:10.0.0.72 ID=6912 seq=256 len=28
ICMP echo reply from inside:10.0.0.72 to outside:172.16.32.1 ID=6912 seq=256 len=28
ICMP echo request from outside:172.16.32.1 to inside:10.0.0.72 ID=6912 seq=512 len=28
ICMP echo reply from inside:10.0.0.72 to outside:172.16.32.1 ID=6912 seq=512 len=28
ICMP echo request from outside:172.16.32.1 to inside:10.0.0.72 ID=6912 seq=768 len=28
ICMP echo reply from inside:10.0.0.72 to outside:172.16.32.1 ID=6912 seq=768 len=28
asa# show capture capi
8 packets captured
1: 08:15:44.868653 802.1Q vlan#3 P0 172.16.32.1 > 10.0.0.72: icmp: echo request
2: 08:15:44.966456 802.1Q vlan#3 P0 10.0.0.72 > 172.16.32.1: icmp: echo reply
3: 08:15:47.930066 802.1Q vlan#3 P0 172.16.32.1 > 10.0.0.72: icmp: echo request
4: 08:15:48.040082 802.1Q vlan#3 P0 10.0.0.72 > 172.16.32.1: icmp: echo reply
5: 08:15:51.028654 802.1Q vlan#3 P0 172.16.32.1 > 10.0.0.72: icmp: echo request
6: 08:15:51.110086 802.1Q vlan#3 P0 10.0.0.72 > 172.16.32.1: icmp: echo reply
7: 08:15:54.076534 802.1Q vlan#3 P0 172.16.32.1 > 10.0.0.72: icmp: echo request
8: 08:15:54.231250 802.1Q vlan#3 P0 10.0.0.72 > 172.16.32.1: icmp: echo reply
Packet-tracer:
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.16.32.1 255.255.255.255 outside
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip any any log
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: DEBUG-ICMP
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static any any destination static NETWORK_OBJ_172.16.32.0_24 NETWORK_OBJ_172.16.32.0_24
Additional Information:
Static translate 10.0.0.72/0 to 10.0.0.72/0
Phase: 9
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Phase: 11
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_out out interface outside
access-list outside_access_out extended permit ip any any log
Additional Information:
Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 5725528, packet dispatched to next module
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
03-16-2015 02:09 PM
Hello,
I am setting up an IPsec VPN through the ASA and am finding it very difficult. I created the VPN through the VPN wizard, and when I test it, the network receives the return with the information and then terminates the connection with my client, without even requesting the password for AAA validation.
Teardown UDP connection 91028286 for outside:177.114.178.70/54998 to identity:10.209.8.253/500 duration 00:02:15