07-31-2013 08:57 AM - edited 03-11-2019 07:19 PM
I have a Windows 2008 server doing DNS and DHCP at 192.168.1.9. I can reach any IP address on the public Internet but I can't resolve any hostnames from the server (and since all the clients are using the server for DNS, none of the clients can resolve, either.) Using nslookup, I set the server to be the ISP's DNS server (75.75.75.75) and attempt to resolve hostnames and all I get are "DNS request timed out" responses. The ASA has "acl filter" debugging enabled and I'm logging debugging messages but the only things that I am seeing are the "built connection" messages from my server to the DNS server:
%ASA-6-302015: Built outbound UDP connection 6004 for outside:75.75.75.75/53 (75.75.75.75/53) to inside:thunder/56559 (thunder/56559)
I don't recall seeing any messages saying "Built inbound UDP connection..."
Here is my config:
my-gw(config)# sh run
: Saved
:
ASA Version 8.4(5)
!
hostname my-gw
domain-name office.mydomain.local
enable password xxxxx encrypted
passwd xxxxxxx encrypted
names
name 192.168.1.9 thunder
name 192.168.1.55 printer
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.248
!
interface Vlan3
description dmz
no nameif
no security-level
no ip address
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server thunder
name-server 75.75.75.75
name-server 75.75.76.76
domain-name office.mydomain.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network obj-192.168.1
subnet 192.168.1.0 255.255.255.0
access-list FROM-INTERNET extended permit icmp any any echo
access-list FROM-INTERNET extended permit icmp any any echo-reply
access-list FROM-INTERNET extended permit icmp any any time-exceeded
access-list FROM-INTERNET extended permit icmp any any unreachable
access-list FROM-INTERNET extended permit udp any eq domain any log
access-list NO-NAT extended permit ip 192.168.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list VPN-SPLIT remark Corporate LAN
access-list VPN-SPLIT standard permit 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging buffered debugging
logging asdm warnings
mtu inside 1500
mtu outside 1500
ip local pool VPN-POOL 192.168.1.240-192.168.1.248
ip local pool SSLVPN-POOL 192.168.1.249-192.168.1.250
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static obj-192.168.1 obj-192.168.1 dns
!
object network obj_any
nat (inside,outside) dynamic interface
object network obj-192.168.1
nat (inside,outside) dynamic interface
access-group FROM-INTERNET in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
snmp-server location tele-closet
snmp-server contact itadmin@mydomain.com
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set WINMAC-VPN esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set WINMAC-VPN mode transport
crypto ipsec ikev1 transform-set IPSEC-VPN esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto dynamic-map OUTSIDE_VPN_MAP 20 set ikev1 transform-set WINMAC-VPN IPSEC-VPN
crypto map VPN-TUNNEL 65535 ipsec-isakmp dynamic OUTSIDE_VPN_MAP
crypto map VPN-TUNNEL interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto ca trustpoint localtrust
enrollment self
fqdn sslvpn.mydomain.com
subject-name CN=sslvpn.mydomain.com
crl configure
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca
<....>
output suppressed
<....>
quit
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 28800
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 45
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside
dhcpd dns 75.75.75.75 75.75.76.76
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 0.pool.ntp.org
ssl trust-point localtrust outside
webvpn
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 75.75.75.75 75.75.76.76
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN-SPLIT
group-policy IPSEC-VPN internal
group-policy IPSEC-VPN attributes
dns-server value 75.75.75.75 75.75.76.76
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN-SPLIT
username asa password xxxxxx encrypted privilege 15
username user.name1 password xxxxxxx nt-encrypted privilege 15
username user.name1 attributes
vpn-group-policy DefaultRAGroup
vpn-tunnel-protocol ikev1 l2tp-ipsec
username user.name2 password xxxxxxx nt-encrypted privilege 15
username user.name2 attributes
vpn-group-policy DefaultRAGroup
vpn-tunnel-protocol ikev1 l2tp-ipsec
username user.name3 password xxxxxxxx nt-encrypted privilege 15
username user.name3 attributes
vpn-group-policy DefaultRAGroup
vpn-tunnel-protocol ikev1 l2tp-ipsec
tunnel-group DefaultRAGroup general-attributes
address-pool VPN-POOL
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
authentication ms-chap-v2
tunnel-group IPSEC-VPN type remote-access
tunnel-group IPSEC-VPN general-attributes
address-pool VPN-POOL
default-group-policy IPSEC-VPN
tunnel-group IPSEC-VPN ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group IPSEC-VPN ppp-attributes
no authentication chap
authentication ms-chap-v2
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
no dns-guard
no protocol-enforcement
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
Cryptochecksum:c15a336f5e94b317482b0d2925853ab4
: end
07-31-2013 09:11 AM
Hi,
This NAT configuration is causing the problem
nat (inside,outside) source static obj-192.168.1 obj-192.168.1 dns
It NATs the server IP address to itself while going to the Internet (as you can see in the logs also)
So the ASA is NOT DOING any NAT for the server while it connects to the Internet and that is why all the DNS queries are failing.
Remove the above NAT configuration and it should work.
Though I am quite confused about the fact that you say you can reach any address on the Internet. The above configuration should mean that no host on the LAN should be able to access the Internet as they are going out with their unroutable private IP address.
Unless of course you mean that the ASA can reach anything on the Internet. This works of course since the ASA uses its public IP address as the source for the traffic it generates.
Let me know if you need to configure Static NAT or Static PAT for the server instead. This is usually required if you want to host some services to the Internet from the LAN server.
- Jouni
07-31-2013 09:19 AM
Thanks for the help. I thought I was unable to reach my server over my VPN unless I had that statement. I'll test that now...
Yep, without that statement, I can't access anything over the VPN so I asked one of the people in the office to test it out for me. They confirmed that they can get online, but now, I can't access anything over the VPN. Can I get the best of both worlds (which I think is NAT from inside to outside and no-NAT over VPN)? I am correctly authenticated and assigned a 192.168.1.x address but am unable to reach my server (192.168.1.9).
Thanks!
07-31-2013 09:31 AM
Hi,
I suggest that you change your VPN Pools to something other than your LAN network.
Change them, for example, to 192.168.100.0/24 and 192.168.101.0/24 or something else.
The correct format to enable the NAT0 / NAT Exempt for the VPN client traffic is to use these configurations (presuming you use the above 2 network ranges for your 2 VPN Pools in the above configuration).
object-group network VPN-POOLS
network-object 192.168.100.0 255.255.255.0
network-object 192.168.101.0 255.255.255.0
object network LAN
subnet 192.168.1.0 255.255.255.0
nat (inside,outside) source static LAN LAN destination static VPN-POOLS VPN-POOLS
After adding the above the VPN connections should work also. The key thing naturally is to change the current VPN IP Pools to something else, for example the above and then use those networks in the above configurations.
The reason why your original NAT configuration caused problems is the fact that it didn't define any "destination" parameters. Without those the ASA would apply the NAT to all traffic (all destination networks): the VPN and Internet traffic. The above configuration now clearly specifies that the NAT should only be applied to the traffic when the destination (or source, depending which side of the firewall you are looking at) is the VPN Pools.
Hope this helps
Please do remember to mark a reply as the correct answer if it answered your question.
Feel free to ask more if needed
- Jouni
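To make the NAT-table lookup described in the two replies above concrete, here is a small Python simulation added by the editor; it is not code from this thread or from Cisco. It models the ASA 8.3+ lookup order (Section 1 manual NAT before Section 2 object NAT, first match wins) and compares the three rule sets under discussion: object NAT alone, the original identity rule with no destination clause, and the destination-scoped NAT exemption. The outside address 203.0.113.10 is a constructed placeholder for the x.x.x.x the post masks, and tie-breaking between object-NAT rules is simplified to configured order.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ANY = ipaddress.ip_network("0.0.0.0/0")
# Constructed placeholder for the ASA outside address (masked as x.x.x.x in the post).
OUTSIDE_IP = "203.0.113.10"


@dataclass
class NatRule:
    text: str                     # the CLI line this rule stands for
    section: int                  # 1 = manual (twice) NAT, 2 = object (auto) NAT
    src: ipaddress.IPv4Network    # real source the rule matches
    dst: ipaddress.IPv4Network    # ANY when the rule carries no "destination" clause
    identity: bool                # True keeps the real source, False PATs it to the interface


def net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr)


def first_match(rules: List[NatRule], src_ip: str, dst_ip: str) -> Optional[NatRule]:
    """Walk the NAT table as the ASA does: Section 1 in configured order, then Section 2.
    The first rule whose source and destination both match wins; nothing after it is consulted.
    (Simplification: object-NAT rules are ordered as configured, not by static/dynamic/prefix.)"""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in sorted(rules, key=lambda r: r.section):  # stable sort keeps config order
        if src in rule.src and dst in rule.dst:
            return rule
    return None


def egress_source(rules: List[NatRule], src_ip: str, dst_ip: str) -> str:
    """Source address the packet carries when it leaves the outside interface."""
    rule = first_match(rules, src_ip, dst_ip)
    if rule is None or rule.identity:
        return src_ip            # unchanged: an RFC 1918 address on the Internet path
    return OUTSIDE_IP            # dynamic PAT to the outside interface address


LAN = net("192.168.1.0/24")
VPN_POOLS = [net("192.168.100.0/24"), net("192.168.101.0/24")]

# Section 2: the object NAT present in every version of the posted config.
OBJECT_NAT = [NatRule("object network obj-192.168.1 -> nat (inside,outside) dynamic interface",
                      2, LAN, ANY, identity=False)]

# First post: identity rule with no destination clause, so it matches every destination
# and shadows the object NAT for all LAN traffic.
ORIGINAL = [NatRule("nat (inside,outside) source static obj-192.168.1 obj-192.168.1 dns",
                    1, LAN, ANY, identity=True)] + OBJECT_NAT

# Jouni's fix: the same identity rule scoped to the VPN pools. The object-group is modelled
# as one rule per member network; any other destination falls through to the object NAT.
FIXED = [NatRule("nat (inside,outside) source static obj-192.168.1 obj-192.168.1 "
                 "destination static VPN-POOLS VPN-POOLS", 1, LAN, pool, identity=True)
         for pool in VPN_POOLS] + OBJECT_NAT


def compare(rules: List[NatRule], server="192.168.1.9") -> dict:
    """Egress source for the two destinations the thread cares about: ISP DNS and a VPN client."""
    return {dst: egress_source(rules, server, dst) for dst in ("75.75.75.75", "192.168.100.240")}


if __name__ == "__main__":
    for label, rules in (("object NAT only", OBJECT_NAT), ("original", ORIGINAL), ("fixed", FIXED)):
        print(f"{label:16s} {compare(rules)}")
```

With the original rule set the server reaches the ISP resolver as 192.168.1.9, which is exactly the un-NATed "(thunder/56559)" mapped address in the first post's log line; with object NAT alone the VPN-bound traffic is PATed instead, which is why the VPN broke when the rule was simply removed. Only the destination-scoped rule gives both results at once.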
07-31-2013 10:06 AM
Hi, Jouni. I appreciate your help. What you said about the VPN pools makes perfect sense. I am upgrading from 8.2 to 8.4 and the differences are quite astounding. I understood 8.2 a bit better than 8.4; it's a new beast for me to tackle.
I made the changes you suggested and their Internet still works and I can still connect to the VPN and am getting a 192.168.100.x address but I still can't ping or access the server at 192.168.1.9.
Here's my config as it stands now. Any other suggestions you have are welcomed.
my-gw(config)# sh run
: Saved
:
ASA Version 8.4(5)
!
hostname my-gw
domain-name office.mydomain.local
enable password xxxxxxxx encrypted
passwd xxxxxxxx encrypted
names
name 192.168.1.9 thunder
name 192.168.1.55 printer
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.248
!
interface Vlan3
description dmz
no nameif
no security-level
no ip address
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server thunder
name-server 75.75.75.75
name-server 75.75.76.76
domain-name office.mydomain.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network obj-192.168.1
subnet 192.168.1.0 255.255.255.0
object-group network VPN-POOLS
network-object 192.168.100.0 255.255.255.0
network-object 192.168.101.0 255.255.255.0
access-list FROM-INTERNET extended permit icmp any any echo
access-list FROM-INTERNET extended permit icmp any any echo-reply
access-list FROM-INTERNET extended permit icmp any any time-exceeded
access-list FROM-INTERNET extended permit icmp any any unreachable
access-list FROM-INTERNET extended permit udp any eq domain any log
access-list FROM-INTERNET extended permit ip any any log
access-list NO-NAT extended permit ip 192.168.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list VPN-SPLIT remark Corporate LAN
access-list VPN-SPLIT standard permit 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging buffered informational
logging asdm warnings
mtu inside 1500
mtu outside 1500
ip local pool VPN-POOL 192.168.100.240-192.168.100.250
ip local pool SSLVPN-POOL 192.168.101.240-192.168.101.250
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static obj-192.168.1 obj-192.168.1 destination static VPN-POOLS VPN-POOLS
!
object network obj_any
nat (inside,outside) dynamic interface
object network obj-192.168.1
nat (inside,outside) dynamic interface
access-group FROM-INTERNET in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
snmp-server location tele-closet
snmp-server contact itadmin@mydomain.com
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set WINMAC-VPN esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set WINMAC-VPN mode transport
crypto ipsec ikev1 transform-set IPSEC-VPN esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto dynamic-map OUTSIDE_VPN_MAP 20 set ikev1 transform-set WINMAC-VPN IPSEC-VPN
crypto map VPN-TUNNEL 65535 ipsec-isakmp dynamic OUTSIDE_VPN_MAP
crypto map VPN-TUNNEL interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto ca trustpoint localtrust
enrollment self
fqdn sslvpn.mydomain.com
subject-name CN=sslvpn.mydomain.com
crl configure
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca
<...>
<...>
quit
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 28800
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 45
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside
dhcpd dns 75.75.75.75 75.75.76.76
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 0.pool.ntp.org
ssl trust-point localtrust outside
webvpn
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 75.75.75.75 75.75.76.76
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN-SPLIT
group-policy IPSEC-VPN internal
group-policy IPSEC-VPN attributes
dns-server value 75.75.75.75 75.75.76.76
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN-SPLIT
username asa password xxxxxx encrypted privilege 15
username user.name1 password xxxxxx nt-encrypted privilege 15
username user.name1 attributes
vpn-group-policy DefaultRAGroup
vpn-tunnel-protocol ikev1 l2tp-ipsec
username user.name2 password xxxxxx nt-encrypted privilege 15
username user.name2 attributes
vpn-group-policy DefaultRAGroup
vpn-tunnel-protocol ikev1 l2tp-ipsec
username user.name0 password xxxxxx nt-encrypted privilege 15
username user.name0 attributes
vpn-group-policy DefaultRAGroup
vpn-tunnel-protocol ikev1 l2tp-ipsec
tunnel-group DefaultRAGroup general-attributes
address-pool VPN-POOL
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
authentication ms-chap-v2
tunnel-group IPSEC-VPN type remote-access
tunnel-group IPSEC-VPN general-attributes
address-pool VPN-POOL
default-group-policy IPSEC-VPN
tunnel-group IPSEC-VPN ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group IPSEC-VPN ppp-attributes
no authentication chap
authentication ms-chap-v2
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
no dns-guard
no protocol-enforcement
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
: end
07-31-2013 10:17 AM
Hi,
The configuration on the ASA seems fine.
Though I would add the ICMP Inspections
policy-map global_policy
class inspection_default
inspect icmp
inspect icmp error
In the above we basically only add the "inspect" commands. The above 2 commands are used to change the configuration mode only.
There is of course always the possibility that there is something on the server side. Though you said you changed from an older software level, so I would presume this was already working for the VPNs back then?
Naturally now we changed the VPN Pools. Is there perhaps something on the server/LAN that could block these new VPN pool address ranges?
The software level 8.2 was the last software level to use the older NAT configuration format. Starting from 8.3 the NAT format changed completely and the old NAT configuration format is not supported anymore.
You could always take a look at a document I wrote about the subject here on the CSC. Maybe it might help.
https://supportforums.cisco.com/docs/DOC-31116
- Jouni
07-31-2013 11:17 AM
Quite an impressive article. I am still stumped, though. Based on your article, I set up a static PAT to the Windows server so I can RDP from the outside to troubleshoot this further. I checked the firewall and I have icmp IN and OUT being allowed from any address. I don't want to turn the firewall off completely because of the fact it is now exposed to the world so I enabled logging (log all allowed or denied traffic) and can't find anything in the logs except other local traffic from other local clients accessing files on the server.
I can get a reply if I ping my VPN client's IP address (192.168.100.240) from the server but I'm not sure if that is a proxy-ARP response or not because the ARP table on the server doesn't have an entry for 192.168.100.240.
There is nothing helpful in the ASA's logs, just the building and teardown of dynamic connections and translations. Not to mention, nothing at all from my client's VPN IP address. Do you have any suggestions on how to configure logging to watch some ICMP & NAT messages?
my-gw(config)# sh log
Syslog logging: enabled
Facility: 20
Timestamp logging: enabled
Standby logging: disabled
Debug-trace logging: disabled
Console logging: disabled
Monitor logging: disabled
Buffer logging: level debugging, 15488 messages logged
Trap logging: disabled
Permit-hostdown logging: disabled
History logging: disabled
Device ID: disabled
Mail logging: disabled
ASDM logging: level warnings, 1656 messages logged
Thanks so much!
07-31-2013 11:24 AM
This is helpful but makes it seem like the ASA is configured correctly, that is if I did the packet-tracer correctly.
my-gw(config)# packet-tracer input outside icmp 192.168.100.240 8 0 192.168.1.9
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static obj-192.168.1 obj-192.168.1 destination static VPN-POOLS VPN-POOLS
Additional Information:
NAT divert to egress interface inside
Untranslate thunder/0 to thunder/0
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group FROM-INTERNET in interface outside
access-list FROM-INTERNET extended permit icmp any any echo
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: CP-PUNT
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: L2TP-PPP
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Phase: 8
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static obj-192.168.1 obj-192.168.1 destination static VPN-POOLS VPN-POOLS
Additional Information:
Static translate 192.168.100.240/0 to 192.168.100.240/0
Phase: 11
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source static obj-192.168.1 obj-192.168.1 destination static VPN-POOLS VPN-POOLS
Additional Information:
Phase: 12
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 13
Type: L2TP-PPP
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 14
Type: PPP
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 15
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 6737, packet dispatched to next module
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
07-31-2013 11:38 AM
Hi,
If you can ICMP from the server to the VPN Client this should already indicate that there is connectivity. It would start to seem that the server itself is blocking the ICMP from the VPN clients. It's pretty common that a server will allow the ICMP Echo reply back to an ICMP Echo that it has sent but will deny ICMP arriving to itself.
So I would start looking at the server side software firewalls and other software/settings that might block these connections.
This should have nothing to do with ARP. The VPN Pool is now on a different network so the server is not using ARP to determine the MAC address of the destination IP address. It rather sends the traffic to the default gateway because the destination is in another network.
Naturally if your server's network mask was /16 (255.255.0.0) then it would send ARP to determine the MAC address of the VPN host as both addresses would be in the same network according to how the server sees its connected network. Though in that case I think you shouldn't be able to ICMP the VPN client from the server at all.
Since you have configured Split Tunnel for the VPN you should be able to both have a VPN Client connection open and connect to the ASA remotely through ASDM. You could then use ASDM to monitor the connections through the firewall. You could enter the VPN Clients IP address as the filter.
Now if you tested some TCP based connection through the VPN Client to the server you should be able to see on the ASDM side the "Teardown" message for the TCP connection. It would probably mention something like SYN Timeout or Reset-I.
SYN Timeout would mean that the server isn't replying. The Reset-I would mean that the server actively Reset the TCP Connection and prevented the connection.
For ICMP you can configure a traffic capture on the ASA CLI to determine if any ICMP Echo Reply is coming back from the server
access-list VPN-CAP permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list VPN-CAP permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
capture VPN-CAP type raw-data access-list VPN-CAP interface inside buffer 1000000 circular buffer
After the ACL and the capture are configured you could then try to ICMP the server once or twice from the VPN Client.
Then you could use the following command to determine if anything is being captured
show capture
You could then use this command to view the capture contents on the CLI
show capture VPN-CAP
You could also copy the contents of the capture to a PC with TFTP so you could view the capture with software like Wireshark. It makes it a lot easier to view the capture.
copy /pcap capture:VPN-CAP tftp://x.x.x.x/VPN-CAP.pcap
You can remove the capture and its contents with the command
no capture VPN-CAP
The "access-list" we created to match to the traffic has to be removed separately.
- Jouni
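The two kinds of log evidence Jouni points to in this thread, the Built connection line from the first post (whose mapped inside address was still the private 192.168.1.9) and the Teardown reasons described in the reply above, can be checked mechanically from the syslog buffer. The following Python is an added example, not code from the thread or from Cisco: the log lines are constructed to follow the ASA 302013-302016 message format (the first one is the line quoted in the opening post), 203.0.113.10 stands in for the masked outside address, and the reason strings SYN Timeout, TCP Reset-I and TCP Reset-O are assumed to be the ones the ASA prints in its teardown messages.

```python
import ipaddress
import re

# "names" entries from the posted config: the ASA prints the object name in place of the address.
NAMES = {"thunder": "192.168.1.9", "printer": "192.168.1.55"}

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Built/Teardown TCP and UDP connection messages (302013-302016). Each endpoint is
# interface:real/port, optionally followed by (mapped/port); teardowns add duration, bytes, reason.
CONN_RE = re.compile(
    r"%ASA-\d-30201[3-6]: (?P<event>Built|Teardown) (?:(?P<direction>inbound|outbound) )?"
    r"(?P<proto>TCP|UDP) connection (?P<connid>\d+) "
    r"for (?P<a_if>\w+):(?P<a_real>[\w.]+)/(?P<a_port>\d+)(?: \((?P<a_map>[\w.]+)/\d+\))? "
    r"to (?P<b_if>\w+):(?P<b_real>[\w.]+)/(?P<b_port>\d+)(?: \((?P<b_map>[\w.]+)/\d+\))?"
    r"(?: duration [\d:]+ bytes \d+(?: (?P<reason>.+))?)?"
)

# Assumed meaning of the teardown reasons discussed in the thread.
TEARDOWN_MEANING = {
    "SYN Timeout": "no SYN/ACK from the inside host: packet was delivered, host never answered",
    "TCP Reset-I": "inside host sent RST: server actively refused the connection",
    "TCP Reset-O": "outside host sent RST",
    "TCP FINs": "normal close",
}

# Constructed sample log (first line is the one quoted in the opening post).
SAMPLE_LOG = [
    "%ASA-6-302015: Built outbound UDP connection 6004 for outside:75.75.75.75/53 (75.75.75.75/53) to inside:thunder/56559 (thunder/56559)",
    "%ASA-6-302015: Built outbound UDP connection 6010 for outside:75.75.75.75/53 (75.75.75.75/53) to inside:192.168.1.9/56560 (203.0.113.10/56560)",
    "%ASA-6-302013: Built inbound TCP connection 6020 for outside:192.168.100.240/50123 (192.168.100.240/50123) to inside:192.168.1.9/3389 (192.168.1.9/3389)",
    "%ASA-6-302014: Teardown TCP connection 6020 for outside:192.168.100.240/50123 to inside:192.168.1.9/3389 duration 0:00:30 bytes 0 SYN Timeout",
    "%ASA-6-302014: Teardown TCP connection 6021 for outside:192.168.100.240/50124 to inside:192.168.1.9/445 duration 0:00:00 bytes 0 TCP Reset-I",
]


def resolve(host: str) -> ipaddress.IPv4Address:
    """Turn a config 'name' or dotted address into an address object."""
    return ipaddress.ip_address(NAMES.get(host, host))


def is_rfc1918(addr: ipaddress.IPv4Address) -> bool:
    return any(addr in n for n in RFC1918)


def parse_conn(line: str):
    """Parse one connection message into its endpoints keyed by interface name, or None."""
    m = CONN_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    endpoints = {}
    for side in ("a", "b"):
        real = resolve(g[f"{side}_real"])
        mapped = resolve(g[f"{side}_map"]) if g[f"{side}_map"] else real  # teardowns omit mapped
        endpoints[g[f"{side}_if"]] = {"real": real, "mapped": mapped, "port": int(g[f"{side}_port"])}
    return {"event": g["event"], "direction": g["direction"], "proto": g["proto"],
            "id": int(g["connid"]), "endpoints": endpoints, "reason": g["reason"]}


def unnatted_outbound(lines):
    """Ids of outbound connections to a non-RFC1918 peer whose inside endpoint is still
    mapped to an RFC 1918 address: the signature of a NAT rule that is not applying."""
    hits = []
    for line in lines:
        c = parse_conn(line)
        if not c or c["event"] != "Built" or c["direction"] != "outbound":
            continue
        inside, outside = c["endpoints"].get("inside"), c["endpoints"].get("outside")
        if inside and outside and is_rfc1918(inside["mapped"]) and not is_rfc1918(outside["real"]):
            hits.append(c["id"])
    return hits


def teardown_reasons(lines):
    """Map connection id -> (reason string, interpretation) for every teardown message."""
    out = {}
    for line in lines:
        c = parse_conn(line)
        if c and c["event"] == "Teardown" and c["reason"]:
            out[c["id"]] = (c["reason"], TEARDOWN_MEANING.get(c["reason"], "unclassified"))
    return out


if __name__ == "__main__":
    print("un-NATed outbound connections:", unnatted_outbound(SAMPLE_LOG))
    for cid, (reason, meaning) in teardown_reasons(SAMPLE_LOG).items():
        print(f"conn {cid}: {reason} -> {meaning}")
```

The first sample line is flagged because the inside endpoint leaves for 75.75.75.75 mapped to itself; the second, taken after a working dynamic PAT, is not. The VPN-client line is exempt on purpose (both peers are RFC 1918, which is what the NAT exemption is for), and the teardown classifier separates "the server never answered" from "the server refused", which is the distinction Jouni asks the original poster to look for in ASDM.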
07-31-2013 12:27 PM
I changed my VPN client to send all traffic over the tunnel and I can reach my server, now. Thanks so much for the help!