01-26-2014 10:55 AM - edited 03-11-2019 08:35 PM
Hi Everyone,
I configured an RA split-tunnel VPN.
The connection works fine.
The inside interface of the ASA has a connection to the switch IP 10.1.12.1.
When connected via RA VPN I try https://10.1.12.1 but it does not open.
The inside interface of the ASA has IP 10.0.0.1.
ASA1# $
Session Type: IKEv1 IPsec Detailed
Username : ipsec-user Index : 23
Assigned IP : 10.0.0.51 Public IP : 192.168.98.2
Protocol : IKEv1 IPsec
License : Other VPN
Encryption : IKEv1: (1)AES256 IPsec: (1)AES128
Hashing : IKEv1: (1)SHA1 IPsec: (1)SHA1
Bytes Tx : 2130969 Bytes Rx : 259008
Pkts Tx : 6562 Pkts Rx : 3682
Pkts Tx Drop : 0 Pkts Rx Drop : 0
Group Policy : ipsec-group Tunnel Group : ipsec-group
Login Time : 11:10:41 MST Sun Jan 26 2014
Duration : 0h:40m:30s
Inactivity : 0h:00m:00s
NAC Result : Unknown
VLAN Mapping : N/A VLAN : none
IKEv1 Tunnels: 1
IPsec Tunnels: 1
IKEv1:
Tunnel ID : 23.1
UDP Src Port : 62751 UDP Dst Port : 500
IKE Neg Mode : Aggressive Auth Mode : preSharedKeys
Encryption : AES256 Hashing : SHA1
Rekey Int (T): 86400 Seconds Rekey Left(T): 83975 Seconds
D/H Group : 2
Filter Name :
Client OS : WinNT Client OS Ver: 5.0.07.0440
IPsec:
Tunnel ID : 23.2
Local Addr : 0.0.0.0/0.0.0.0/0/0
Remote Addr : 10.0.0.51/255.255.255.255/0/0
Encryption : AES128 Hashing : SHA1
Encapsulation: Tunnel
Rekey Int (T): 28800 Seconds Rekey Left(T): 26375 Seconds
Idle Time Out: 30 Minutes Idle TO Left : 29 Minutes
Bytes Tx : 2137160 Bytes Rx : 259088
Pkts Tx : 6571 Pkts Rx : 3684
NAC:
Reval Int (T): 0 Seconds Reval Left(T): 0 Seconds
SQ Int (T) : 0 Seconds EoU Age(T) : 2426 Seconds
Hold Left (T): 0 Seconds Posture Token:
Redirect URL :
From the ASA I can ping the switch IP:
ASA1# ping 10.1.12.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.12.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA1#
Logs from the firewall:
Jan 26 2014 11:53:20: %ASA-6-302014: Teardown TCP connection 51636 for outside:10.0.0.51/50747(LOCAL\ipsec-user) to identity:10.0.0.1/443 duration 0:00:00 bytes 1075 TCP Reset-O (ipsec-user)
Jan 26 2014 11:53:20: %ASA-6-106015: Deny TCP (no connection) from 10.0.0.51/50747 to 10.0.0.1/443 flags FIN ACK on interface outside
Why do the firewall logs show an HTTPS connection to 10.0.0.1 instead of 10.1.12.1?
Regards
Mahesh
01-26-2014 12:15 PM
Hi,
I have mostly dealt with Cisco switches through their CLI and know that they at least used to have some very simple GUI (Graphical User Interface). Does the actual switch even use HTTPS for management?
To me it seems that the connection for which you are showing logs is to the actual ASA's interface IP address. What interface I don't know. Perhaps some internal interface? This is indicated by the fact that we see mention of "identity" in the log message, which means that this IP address belongs to an actual ASA interface.
You can for example confirm this with the command
show ip address
So it is likely that you have a connection to the ASA with ASDM through the VPN connection, which is what these logs are for, and these have nothing to do with the actual connection attempt to the switch.
Also, the VPN connection you are showing output for doesn't seem to be Split Tunnel but Full Tunnel.
This is indicated by this:
IPsec:
Tunnel ID : 23.2
Local Addr : 0.0.0.0/0.0.0.0/0/0
Remote Addr : 10.0.0.51/255.255.255.255/0/0
It says that the remote address is the one that has been allocated to the VPN Client and the local address is "any" / 0.0.0.0/0, which means it's essentially tunneling traffic to "any" destination for the VPN user. So this is not Split Tunnel VPN.
- Jouni
01-26-2014 12:23 PM
Hi Jouni,
ASA1# sh ip address
System IP Addresses:
Interface Name IP address Subnet mask Method
Vlan1 inside 10.0.0.1 255.255.255.0 CONFIG
Vlan2 outside 192.168.1.171 255.255.255.0 CONFIG
Vlan3 sales 10.12.12.1 255.255.255.0 CONFIG
Current IP Addresses:
Interface Name IP address Subnet mask Method
Vlan1 inside 10.0.0.1 255.255.255.0 CONFIG
Vlan2 outside 192.168.1.171 255.255.255.0 CONFIG
Vlan3 sales 10.12.12.1 255.255.255.0 CONFIG
Connection is split tunnel.
When I check the stats on the VPN client, all I see is bypassed packets.
ASA1# sh run group-polic$
group-policy ipsec-group internal
group-policy ipsec-group attributes
dns-server value 64.59.144.19
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
ipv6-split-tunnel-policy excludespecified
split-tunnel-network-list value ipsec-group_splitTunnelAcl
Regards
Mahesh
Message was edited by: mahesh parmar
01-26-2014 12:31 PM
Hi,
I would have to see a screenshot of the routes section of the VPN Client.
At least the above output that you provided lists a connection that uses Full Tunnel, as the local network is defined as 0.0.0.0/0; if you are tunneling all networks then it's Full Tunnel.
Naturally, to confirm the settings we would need to look at the actual configurations on the ASA.
EDIT: I noticed later that the names of the below groups are listed in the above output, so I filled them in here.
show run tunnel-group ipsec-group
Check the Group Policy used
show run group-policy ipsec-group
Then check if there is mention of Split Tunnel and the ACL used for that Split Tunnel and finally check the ACL configuration.
If we forget the Full Tunnel/Split Tunnel altogether, I would need to know about the following things that might cause problems for the connection to the switch.
- Jouni
01-26-2014 12:31 PM
Hi Jouni,
The switch is allowed to use HTTPS.
Mahesh
01-26-2014 12:41 PM
Hi Jouni,
Here is the info:
ASA1# show run tunnel-group ipsec-group
tunnel-group ipsec-group type remote-access
tunnel-group ipsec-group general-attributes
address-pool 10-pool
default-group-policy ipsec-group
tunnel-group ipsec-group ipsec-attributes
ikev1 pre-shared-key *****
ASA1# show run group-policy ipsec-group
group-policy ipsec-group internal
group-policy ipsec-group attributes
dns-server value 64.59.144.19
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
ipv6-split-tunnel-policy excludespecified
split-tunnel-network-list value ipsec-group_splitTunnelAcl
ASA1# ping 10.1.12.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.12.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA1# sh run route
route outside 0.0.0.0 0.0.0.0 192.168.1.172 1
route inside 10.1.12.0 255.255.255.0 10.0.0.2 1
ASA1#
So the ASA inside interface is connected to the switch.
Switch config:
interface Vlan1
ip address 10.0.0.2 255.255.255.0
!
!
sh run int fastEthernet 1/0/2
Building configuration...
Current configuration : 115 bytes
!
interface FastEthernet1/0/2
description Connection To ASA INTERFACE Inside Eth 0/1
spanning-tree portfast
The switch has a default gateway pointing to the next-hop switch as shown:
ip default-gateway 10.1.12.2
Regards
Mahesh
01-26-2014 12:47 PM
Hi Mahesh,
This output would seem to indicate that the VPN connection you are using is configured as Split Tunnel.
Notice though that this Split Tunnel defines that the only network reached through the VPN connection is 10.0.0.0/24
This does not include the IP address 10.1.12.1. The Split Tunnel configuration only includes IP addresses between 10.0.0.1 - 10.0.0.255.
So you will have to make changes to the Split Tunnel ACL and add that new network, and also make sure you have a similar NAT0 configuration added for this network, just like for the 10.0.0.0/24 network.
Seems your switch has the Vlan1 interface with network 10.0.0.0/24. I am not sure however why the default gateway is 10.1.12.2. I am not sure where this actual IP address is located. I mean where 10.1.12.1 and 10.1.12.2 are located.
Also, are we talking about an L3 switch doing routing or a simple L2 switch?
- Jouni
01-26-2014 01:07 PM
Hi Jouni,
I just checked that I can HTTPS to the switch by using IP 10.0.0.2, as this belongs to the inside interface of the ASA.
That makes sense.
I was making a mistake by using IP 10.1.12.1 of the switch instead of 10.0.0.2.
IP 10.1.12.1 is the switch interface IP and it is using EIGRP to connect to the neighbor switch 10.1.12.2.
Seems I need to allow IP 10.1.12.1 through the split tunnel so that I can do HTTPS access to the switch.
Here is what I did to allow 10.1.12.1:
ACL config:
access-list ipsec-group_splitTunnelAcl standard permit 10.1.12.0 255.255.255.0
NAT:
nat (inside,outside) source static Allow_10.1.12.0_24 Allow_10.1.12.0_24 destination static Allow_10.1.12.0_25 Allow_10.1.12.0_25 no-proxy-arp route-lookup
So I allowed the network and also did NAT0 as above. Is the above config good to go?
Regards
Mahesh
01-26-2014 01:14 PM
Hi,
The Split Tunnel ACL addition seems fine.
However, I am not sure about the NAT0.
Wasn't your VPN Client IP address from some other network? Above it seems to be 10.0.0.51.
You will have to use that VPN Pool as the "destination" parameters of the NAT0 configuration.
Then it should be fine.
- Jouni
01-26-2014 01:21 PM
Hi Jouni,
With the current config I see the below logs:
Jan 26 2014 14:12:21: %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:10.0.0.51/52494(LOCAL\ipsec-user) dst inside:10.1.12.1/443 denied due to NAT reverse path failure.
VPN client IP is 10.0.0.51.
When you say "VPN Pool as the "destination" parameters of the NAT0 configuration", does it mean that I have to use IP pool 10.1.12.0 instead of 10.0.0.?
Regards
Mahesh
01-26-2014 01:38 PM
Hi,
I mean that your suggested NAT0 configuration says that the network behind "outside" (the VPN pool) would be 10.1.12.0/25, which it doesn't seem to be according to the output you gave early in the discussion.
Seems your VPN Pool also has some overlap with the LAN network, as 10.0.0.51 is part of the "inside" network 10.0.0.0/24.
You should check the VPN Pool configuration with the command
show run ip local pool
This will list all the VPN pools. You should use the correct VPN Pool network as the destination of the NAT0 configuration.
So let's say IF you had these networks:
Then the NAT0 configuration could be:
object network LAN
subnet 10.0.0.0 255.255.255.0
object network VPN-POOL
subnet 192.168.1.0 255.255.255.0
nat (inside,outside) source static LAN LAN destination static VPN-POOL VPN-POOL
Though this is just an example. You should check your configurations and configure the correct network instead of the above 192.168.1.0/24 that I used as the example.
- Jouni
01-26-2014 02:00 PM
Hi Jouni,
I did the below NAT0 config and it worked great:
object network LOCAL_LAN -------------------this is Switch IP
subnet 10.1.12.0 255.255.255.0
object network REMOTE_LAN ------------------------this is VPN pool
subnet 10.0.0.0 255.255.255.0
nat (inside,outside) source static LOCAL_LAN LOCAL_LAN destination static REMOTE_LAN REMOTE_LAN
I kept the local pool at 10.0.0.x as shown below:
ASA1# sh run ip local pool
ip local pool 10-pool 10.0.0.51-10.0.0.100 mask 255.255.255.0
ASA1#
So does this mean that now any traffic going over the VPN tunnel for the destination subnets 10.1.12.0 and 10.0.0.x will not be NATted, right?
Regards
Mahesh
01-26-2014 02:07 PM
Hi,
I just would not personally use a VPN pool that is overlapping with the LAN network.
Your previous post at the start listed this information
System IP Addresses:
Interface Name IP address Subnet mask Method
Vlan1 inside 10.0.0.1 255.255.255.0 CONFIG
And as you can see from your above VPN Pool network, it means there is overlap. Though as long as it works then I guess it's fine.
The above NAT0 configuration essentially means 2 things, as it's bidirectional.
- Jouni
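An added config checker, my own example and not code from the thread or from Cisco, that models the two conditions Jouni's answers turn on (a split-tunnel ACL entry for the destination, plus an identity NAT rule whose source object holds that destination network and whose destination object holds the VPN pool) and his caveat about the pool overlapping the inside subnet. The ASA excerpt inside it is constructed from the values in this thread; the 10.0.0.0/24 split-tunnel entry is assumed.

```python
import ipaddress

# Constructed ASA config excerpt modelled on the thread (not copied from it).
ASA_CONFIG = """\
ip local pool 10-pool 10.0.0.51-10.0.0.100 mask 255.255.255.0
interface Vlan1
 ip address 10.0.0.1 255.255.255.0
access-list ipsec-group_splitTunnelAcl standard permit 10.0.0.0 255.255.255.0
access-list ipsec-group_splitTunnelAcl standard permit 10.1.12.0 255.255.255.0
object network LOCAL_LAN
 subnet 10.1.12.0 255.255.255.0
object network REMOTE_LAN
 subnet 10.0.0.0 255.255.255.0
nat (inside,outside) source static LOCAL_LAN LOCAL_LAN destination static REMOTE_LAN REMOTE_LAN
"""

def parse_config(text):
    # Collect only the pieces that decide whether a split-tunnel destination works.
    cfg = {"pool": None, "ifaces": [], "split": [], "objects": {}, "nat0": []}
    obj = None  # name of the "object network" block currently being read
    for w in (line.split() for line in text.splitlines() if line.strip()):
        if w[:3] == ["ip", "local", "pool"]:
            lo, hi = w[4].split("-")
            cfg["pool"] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
        elif w[:2] == ["ip", "address"]:
            cfg["ifaces"].append(ipaddress.ip_network(f"{w[2]}/{w[3]}", strict=False))
        elif w[0] == "access-list" and w[2:4] == ["standard", "permit"]:
            cfg["split"].append(ipaddress.ip_network(f"{w[4]}/{w[5]}"))
        elif w[:2] == ["object", "network"]:
            obj = w[2]
        elif w[0] == "subnet" and obj:
            cfg["objects"][obj] = ipaddress.ip_network(f"{w[1]}/{w[2]}")
        elif w[0] == "nat" and w[2:4] == ["source", "static"] and w[4] == w[5]:
            # identity (NAT0) rule "source static A A destination static B B" -> (A, B)
            cfg["nat0"].append((w[4], w[8]))
    return cfg

def split_tunnel_covers(cfg, dst):
    return any(ipaddress.ip_address(dst) in net for net in cfg["split"])

def nat0_covers(cfg, client, dst):
    # The exempting rule's source object must hold the LAN destination, its destination object the VPN pool.
    c, d = ipaddress.ip_address(client), ipaddress.ip_address(dst)
    return any(d in cfg["objects"][src] and c in cfg["objects"][dst_obj]
               for src, dst_obj in cfg["nat0"])

def pool_overlaps_interface(cfg):
    # Jouni's caveat: a VPN pool carved out of an interface subnet is a design smell.
    lo, hi = cfg["pool"]
    return any(lo in net or hi in net for net in cfg["ifaces"])
```

Run against Mahesh's first NAT attempt (destination object 10.1.12.0/25 rather than the pool), nat0_covers returns False for client 10.0.0.51, which is the condition behind the %ASA-5-305013 "NAT reverse path failure" he saw.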
01-26-2014 02:46 PM
Hi Jouni,
I was trying to get deeper into RA VPN with and without split tunnel before I move to AnyConnect and SSL.
Seems it is good enough to pass the exam.
Regards
Mahesh