Unable to ping LAN hosts via Remote Access VPN ASA 5505

m.spagnoli
Level 1

Hi all,

I tried to configure a remote access IPsec VPN on a Cisco ASA 5505 with the VPN wizard (via ASDM), but I have some trouble.

With my iPad I can connect to it via the public IP; in fact the VPN establishes, but then I cannot ping anything in my LAN.

I enabled "debug vpn-sessiondb" via the command line on the ASA, and when I try to connect this notice appears: "account start failure".

I guess the problem concerns the ACL or the selection of the right interface, but I'm not sure. I also configured an IP pool in the same subnet as my LAN to assign to clients connected via the remote access IPsec VPN.

Any suggestions about how to resolve this issue? Anything is much appreciated.

Thanks a lot!

1 Accepted Solution

You should use a separate subnet for the VPN users.  If you use the same subnet that is connected to the ASA, the ASA will think it is directly connected to the network on a different interface and not send VPN traffic out the interface where the VPN connects.  Once you change the pool you will also need to change the NAT exempt statements.  When that is done, test and let us know if the problem still persists.

If that does not solve the problem, please post a full sanitized running config of the ASA.

--

Please remember to rate and select a correct answer

--
Please remember to select a correct answer and rate helpful posts



Hi Marius,

thanks for your reply. I tried to add a NAT exempt rule as follows, where "FIBRE" is the WAN interface, the source is the NAT pool (192.168.5.0/24) and the destination is the network of my DMZ (192.168.0.0/24). Which is the right option for the NAT exempt direction? I suppose the second, because the ASA receives traffic from FIBRE and pushes it toward the DMZ.

Then I added a policy rule to permit traffic from FIBRE to the DMZ, but I don't know if the statement is correct (see the image below). I don't understand whether I have to create only one rule or two. In this case, is the source interface FIBRE (=WAN) or DMZ?

Finally I used the packet tracer tool in ASDM, but an error about an access list occurred (see the image below). As before, I don't understand whether to select FIBRE or DMZ as the source interface.

When I connect from my iPad via the remote access VPN I still cannot ping anything.

Tell me if this information is enough or if you need more specific details.

Thanks a lot for any help.

Hi Mattia,

You have the nat exempt config backwards.  Source should be the DMZ (or LAN for that matter) and destination should be the VPN pool.

On the CLI it would look something like this if you are running version 8.2 or earlier:

access-list NONAT extended permit ip 192.168.0.0 255.255.255.0 192.168.5.0 255.255.255.0
nat (DMZ) 0 access-list NONAT

You do not need to permit the traffic in the interface ACL, as VPN traffic bypasses the interface ACL by default.

Also the packet tracer you did is set up backwards. Set the DMZ as the source and the VPN as the destination. Run the packet tracer twice if the first attempt fails.

--

Please remember to rate and select a correct answer

--
Please remember to select a correct answer and rate helpful posts
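As an added example (not from the thread and not a Cisco tool), here is a small Python script that applies the two points made above to a pre-8.3 ASA configuration: the VPN address pool must sit outside every directly connected subnet, and the "nat (ifname) 0 access-list" exemption ACE must be written from the inside subnet to the pool, not the reverse. The three sample fragments, the pool name RA-POOL and the interface and ACL names in them are constructed for illustration; the parser resolves only literal addresses, so "names" entries and object-groups are skipped rather than interpreted.

```python
import ipaddress
import re


def _operand(tokens):
    """Consume one ACE address operand: 'any', 'host A', or 'A MASK'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_config(text):
    """Pull connected subnets, local pools, 'permit ip' ACEs and 'nat 0' bindings."""
    interfaces, pools, acls, nat0 = {}, {}, {}, {}
    nameif = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            nameif = None
        elif m := re.match(r"nameif (\S+)$", line):
            nameif = m.group(1)
        elif m := re.match(r"ip address (\d[\d.]+) (\d[\d.]+)$", line):
            if nameif:  # the ASA prints nameif before ip address inside a block
                interfaces[nameif] = ipaddress.ip_network(
                    f"{m.group(1)}/{m.group(2)}", strict=False)
        elif m := re.match(r"ip local pool (\S+) (\d[\d.]+)-(\d[\d.]+)", line):
            pools[m.group(1)] = (ipaddress.ip_address(m.group(2)),
                                 ipaddress.ip_address(m.group(3)))
        elif m := re.match(r"access-list (\S+) extended permit ip (.+)", line):
            try:
                src, rest = _operand(m.group(2).split())
                dst, _ = _operand(rest)
                acls.setdefault(m.group(1), []).append((src, dst))
            except (ValueError, IndexError):
                pass  # operand is a 'names' entry or object-group; not resolved here
        elif m := re.match(r"nat \((\S+)\) 0 access-list (\S+)", line):
            nat0[m.group(1)] = m.group(2)
    return interfaces, pools, acls, nat0


def check_vpn_pool(text):
    """Return a list of findings; an empty list means both checks passed."""
    interfaces, pools, acls, nat0 = parse_config(text)
    findings, exempted = [], set()
    # Check 1: the pool must not be carved out of a directly connected subnet.
    for pname, (first, last) in pools.items():
        for ifname, net in interfaces.items():
            if first in net or last in net:
                findings.append(f"overlap: pool {pname} ({first}-{last}) lies inside "
                                f"connected subnet {net} on {ifname}")
    # Check 2: the nat 0 ACE must read <inside subnet> -> <pool>, not the reverse.
    for ifname, acl_name in nat0.items():
        net = interfaces.get(ifname)
        if net is None:
            continue
        for src, dst in acls.get(acl_name, []):
            for pname, (first, last) in pools.items():
                pool_in_src = first in src and last in src
                pool_in_dst = first in dst and last in dst
                if pool_in_dst and net.overlaps(src):
                    exempted.add(pname)
                elif pool_in_src and net.overlaps(dst):
                    findings.append(f"reversed: nat ({ifname}) 0 ACE in {acl_name} has "
                                    f"pool {pname} as source; write it as {net} -> pool")
    for pname in pools:
        if pname not in exempted:
            findings.append(f"missing: no nat 0 exemption with pool {pname} as destination")
    return findings


# Constructed sample fragments in ASA 7.x/8.2 syntax (not the thread's real config).
DMZ_IFACE = """\
interface Vlan3
 nameif DMZ01
 security-level 50
 ip address 192.168.0.1 255.255.255.0
"""
# State 1: pool taken from the LAN subnet itself, no exemption yet.
SAME_SUBNET = DMZ_IFACE + "ip local pool RA-POOL 192.168.0.200-192.168.0.220 mask 255.255.255.0\n"
# State 2: pool moved to its own subnet, but the exemption ACE reads pool -> LAN.
REVERSED_EXEMPT = DMZ_IFACE + """\
ip local pool RA-POOL 192.168.5.5-192.168.5.50 mask 255.255.255.0
access-list DMZ01_nat0_outbound extended permit ip 192.168.5.0 255.255.255.0 192.168.0.0 255.255.255.0
nat (DMZ01) 0 access-list DMZ01_nat0_outbound
"""
# State 3: LAN -> pool, the form recommended above.
CORRECT = DMZ_IFACE + """\
ip local pool RA-POOL 192.168.5.5-192.168.5.50 mask 255.255.255.0
access-list DMZ01_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.5.0 255.255.255.0
nat (DMZ01) 0 access-list DMZ01_nat0_outbound
"""

if __name__ == "__main__":
    for label, cfg in [("same-subnet", SAME_SUBNET), ("reversed", REVERSED_EXEMPT), ("correct", CORRECT)]:
        print(label, check_vpn_pool(cfg) or "OK")
```

Running it against a real "show run" means pasting the output into one of the strings; the checker only understands the pre-8.3 "nat (ifname) 0 access-list" form, so on 8.3 and later (object NAT) it will simply report the pool as not exempted.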

Hi Marius,

First of all, thanks for your patience.

I changed the NAT exempt rule as the following:

The security level of DMZ01 is 50 while the FIBRE one is 0.

Unfortunately nothing changed about ping.

I ran the packet tracer again, but the result was like before if I choose IP as the packet type. The problem seems to be the access list, but probably the ASA doesn't know the originating traffic is VPN and so the access lists don't apply (based on what you said). Is that right?

I noticed that when I'm connected with my PC to the remote access VPN (via the Cisco client), two default gateways appear: the first is related to my LAN, the second one to the VPN pool. But in the configuration of the ASA the default gateway 192.168.5.1 does not appear anywhere, so what tells the ASA how to route packets from the VPN pool (192.168.5.0/24) to DMZ01 (192.168.0.0/24)?

Just for clarity, the ASDM version is 5.2 and the ASA software version is 7.2(4).

I'm not able to isolate the problem and concentrate on a specific part of the configuration... I might be wrong in the configuration of the Tunnel Group or Group Policy, I don't know...

Any tips? I can post some outputs if you tell me which commands to run.

Thanks a lot again!

Could you post a full sanitized running configuration, please?

Also in the packet tracer, if you expand the Access-list field do you have the option to "show rule in configuration"  or similar?  If so click on that link and analyze the rule it points to.

--
Please remember to select a correct answer and rate helpful posts

This is the sanitized running-config:

fw01# show run
: Saved
:
ASA Version 7.2(4)
!
hostname fw01
domain-name xxx
enable password JFI.0pS.oNZEA3gl encrypted
passwd JFI.0pS.oNZEA3gl encrypted
names
.............................................
!
interface Vlan2
 description Internet
 nameif FIBRE
 security-level 0
 ip address asa5505.xxx 255.255.255.0
!
interface Vlan3
 description DMZ Web
 nameif DMZ01
 security-level 50
 ip address 192.168.0.1 255.255.255.0
!
interface Vlan23
 description DMZ Clienti
 nameif DMZ02
 security-level 50
 ip address 172.16.16.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 23
!
interface Ethernet0/2
 switchport access vlan 3
!
interface Ethernet0/3
 switchport access vlan 23
!
interface Ethernet0/4
 switchport access vlan 23
!
interface Ethernet0/5
 switchport access vlan 33
!
interface Ethernet0/6
 switchport access vlan 3
!
interface Ethernet0/7
 switchport access vlan 3
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns server-group DefaultDNS
 domain-name xxx
same-security-traffic permit inter-interface
OBJECT-GROUP NETWORK
.............................................
access-list FIBRE_access_in extended permit object-group DM_INLINE_PROTOCOL_3 VPN-Pool 255.255.255.0 192.168.0.0 255.255.255.0 log debugging
access-list COPPER_access_in extended permit ip 192.168.99.0 255.255.255.0 any
access-list COPPER_access_in extended permit ip 192.168.99.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list COPPER_access_in extended permit icmp 46.14.223.200 255.255.255.248 192.168.23.0 255.255.255.0 echo-reply inactive
access-list COPPER_access_in extended deny ip 46.14.223.200 255.255.255.248 192.168.23.0 255.255.255.0 inactive
access-list COPPER_access_in extended permit ip 46.14.223.200 255.255.255.248 any inactive
access-list DMZ_access_in extended permit icmp 192.168.0.0 255.255.255.0 192.168.23.0 255.255.255.0 echo-reply
access-list DMZ_access_in extended deny ip 192.168.0.0 255.255.255.0 192.168.23.0 255.255.255.0
access-list DMZ_access_in extended permit ip 192.168.0.0 255.255.255.0 192.168.99.0 255.255.255.0
access-list DMZ_access_in extended permit ip 192.168.0.0 255.255.255.0 any
access-list DMZ_access_in extended permit object-group DM_INLINE_PROTOCOL_2 VPN-Pool 255.255.255.0 192.168.0.0 255.255.255.0 log debugging
.............................................
access-list DMZ01_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 VPN-Pool 255.255.255.0
access-list DMZ01_nat0_outbound extended permit ip any VPN-Pool 255.255.255.192
access-list ASSI_access_in extended permit ip 172.16.11.0 255.255.255.0 any
.............................................
pager lines 24
logging asdm informational
mtu FIBRE 1500
mtu DMZ01 1500
mtu DMZ02 1500
ip local pool xxx-pool 192.168.5.5-192.168.5.50 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (FIBRE) 1 interface
global (FIBRE) 4 NAT-ASSI netmask 255.255.255.255
global (DMZ01) 3 interface
nat (DMZ01) 0 access-list DMZ01_nat0_outbound
nat (DMZ01) 1 192.168.0.0 255.255.255.0 dns
nat (DMZ02) 0 access-list DMZ02_nat0_outbound
nat (DMZ02) 4 srv02aut.swaut2.DMZ2 255.255.255.255 dns
nat (DMZ02) 4 srv52ts.swaut2.DMZ2 255.255.255.255 dns
nat (DMZ02) 4 srv02sql.swaut2.DMZ2 255.255.255.255 dns
nat (DMZ02) 4 srv42web.DMZ2 255.255.255.255 dns
nat (DMZ02) 4 srv42websecondary.DMZ2 255.255.255.255 dns
nat (DMZ02) 1 172.16.16.0 255.255.255.0 dns norandomseq
STATIC NAT
.............................................
access-group FIBRE_access_in in interface FIBRE
access-group DMZ_access_in in interface DMZ01
access-group DMZ02_access_in in interface DMZ02
route FIBRE 0.0.0.0 0.0.0.0 194.209.9.1 1
!
router rip
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
http server enable
http 46.14.223.200 255.255.255.248 FIBRE
http 192.168.0.0 255.255.255.0 DMZ01
http 192.168.23.0 255.255.255.0 DMZ01
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map LAN_dyn_map 20 set transform-set TRANS_ESP_3DES_SHA
crypto dynamic-map COPPER_dyn_map 20 set transform-set TRANS_ESP_3DES_SHA
crypto dynamic-map FIBRE_dyn_map 20 set pfs
crypto dynamic-map FIBRE_dyn_map 20 set transform-set ESP-AES-128-SHA
crypto dynamic-map FIBRE_dyn_map 40 set pfs group1
crypto dynamic-map FIBRE_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map FIBRE_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map FIBRE_dyn_map 80 set pfs group1
crypto dynamic-map FIBRE_dyn_map 80 set transform-set ESP-3DES-SHA
crypto map LAN_map 65535 ipsec-isakmp dynamic LAN_dyn_map
crypto map COPPER_map 65535 ipsec-isakmp dynamic COPPER_dyn_map
crypto map FIBRE_map 1 match address FIBRE_1_cryptomap
crypto map FIBRE_map 1 set pfs group5
crypto map FIBRE_map 1 set peer 212.243.23.75
crypto map FIBRE_map 1 set transform-set ESP-3DES-SHA
crypto map FIBRE_map 2 match address FIBRE_2_cryptomap
crypto map FIBRE_map 2 set pfs group5
crypto map FIBRE_map 2 set peer 212.243.10.140
crypto map FIBRE_map 2 set transform-set ESP-3DES-SHA
crypto map FIBRE_map 65535 ipsec-isakmp dynamic FIBRE_dyn_map
crypto map FIBRE_map interface FIBRE
crypto isakmp enable FIBRE
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 5
 lifetime 86400
crypto isakmp policy 50
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20
telnet 192.168.0.98 255.255.255.255 DMZ01
telnet timeout 5
ssh 192.168.0.0 255.255.255.0 DMZ01
ssh 172.16.16.0 255.255.255.0 DMZ02
ssh timeout 5
console timeout 0
dhcpd auto_config FIBRE
!
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec
 split-tunnel-policy tunnelall
username admin password I.y53wb9LdRh9rxO encrypted privilege 15
username xxx password RRXTBdyoXNriucJ2 encrypted privilege 15
username xxx attributes
 vpn-group-policy DefaultRAGroup
 vpn-tunnel-protocol IPSec
tunnel-group DefaultRAGroup general-attributes
 address-pool VPN_IP_POOL
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
 authentication ms-chap-v2
tunnel-group 212.243.23.75 type ipsec-l2l
tunnel-group 212.243.23.75 ipsec-attributes
 pre-shared-key *
tunnel-group 212.243.10.140 type ipsec-l2l
tunnel-group 212.243.10.140 ipsec-attributes
 pre-shared-key *
tunnel-group xxxgroup type ipsec-ra
tunnel-group xxxgroup general-attributes
 address-pool xxx-pool
 default-group-policy DefaultRAGroup
tunnel-group xxxgroup ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect pptp
  inspect dns
 class class-default
policy-map ASSI-policy
 class class-default
  police input 1000000 1500
  shape average 1000000
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:1602d21b0eb97f169779e7ae437b2d3e
: end

If I click on "show rule in configuration" from the packet tracer, the implicit DENY rule appears.

I'm going to become crazy

Thanks a lot!
