2884 Views | 0 Helpful | 17 Replies

VPN Natting

Arvo Bowen
Level 1

I'm having issues with getting traffic from my VPN client (IP 10.71.2.2) to my inside local network client (IP 10.71.1.11).  I have my config attached.  Is there something I'm missing?

1 Accepted Solution

Accepted Solutions

Arvo, you are hitting a bug man!

Check it out:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtr16184

That's why the inside interface doesn't respond even with the management access command.

Someone else reported a similar problem a few minutes ago.

Have fun!

PS: Please remember to mark this question as answered unless you have any other questions. Thx!


17 Replies

raga.fusionet
Level 4

Arvo,

Try adding this for the NAT bypass:

object network INSIDE_LAN

subnet 10.71.1.0 255.255.255.0

object network VPN-pool

subnet 10.71.2.0 255.255.255.0

nat (inside,outside) source static INSIDE_LAN INSIDE_LAN destination static VPN-pool VPN-pool

Then test again.

Let us know how it goes. Thanks.

Raga
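Raga's suggestion is an identity (twice) NAT rule in Section 1 of the ASA NAT table, where rules are matched top-down and the first hit wins; if the dynamic PAT rule sits above it, inside-to-VPN traffic is PATed to the outside interface instead of being exempted. The Python script below is an added example, not code from this thread or from Cisco: it parses the network objects and Section 1 NAT rules from a constructed config snippet modelled on the one above and reports which rule a given inside-to-VPN-pool flow would hit first, with the thread's rule order and with the PAT rule moved to the top. Its matching model is a deliberate simplification (rules carrying a service clause are treated as TCP/UDP-only, and Section 2 object NAT and Section 3 after-auto rules are not modelled).

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the network objects and the Section 1 (manual, "twice") NAT
# rules from the thread's config, listed in the order the ASA evaluates them.
OBJECTS = """\
object network LAN-INSIDE
 subnet 10.71.1.0 255.255.255.0
 description All inside hosts
object network LAN-VPN
 subnet 10.71.2.0 255.255.255.0
object network ACS-000-APB2
 host 10.71.1.11
object service 63210
 service tcp source eq 63210
"""
NAT_RULES = [
    "nat (inside,outside) source static LAN-INSIDE LAN-INSIDE destination static LAN-VPN LAN-VPN",
    "nat (inside,outside) source static ACS-000-APB2 interface service 63210 63210",
    "nat (inside,outside) source dynamic any interface description PAT for internet-bound traffic",
]
SAMPLE_CONFIG = OBJECTS + "\n".join(NAT_RULES) + "\n"
# Same rules with the dynamic PAT first: the exemption is never reached.
MISORDERED_CONFIG = OBJECTS + "\n".join(NAT_RULES[2:] + NAT_RULES[:2]) + "\n"

NAT_RE = re.compile(
    r"nat \((\S+),(\S+)\) source (static|dynamic) (\S+) (\S+)"
    r"(?: destination static (\S+) (\S+))?(?P<svc> service \S+ \S+)?(?: description .*)?$"
)


@dataclass
class NatRule:
    text: str
    kind: str                  # "static" or "dynamic"
    src_real: str
    src_mapped: str
    dst_mapped: Optional[str]  # ASA syntax is "destination static MAPPED REAL"
    dst_real: Optional[str]
    has_service: bool

    def is_identity(self) -> bool:
        """A NAT exemption translates nothing on either side of the flow."""
        return (self.kind == "static" and self.src_real == self.src_mapped
                and self.dst_real is not None and self.dst_real == self.dst_mapped)


def parse_objects(config: str) -> Dict[str, ipaddress.IPv4Network]:
    """Collect 'object network' definitions as networks (hosts become /32)."""
    objects: Dict[str, ipaddress.IPv4Network] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"object network (\S+)$", line)
        if m:
            current = m.group(1)
            continue
        if line.startswith("object ") or line.startswith("nat "):
            current = None  # service objects and NAT lines carry no addresses
            continue
        if current is None:
            continue
        m = re.match(r"subnet (\S+) (\S+)$", line)
        if m:
            objects[current] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
        m = re.match(r"host (\S+)$", line)
        if m:
            objects[current] = ipaddress.ip_network(f"{m.group(1)}/32")
    return objects


def parse_nat_rules(config: str) -> List[NatRule]:
    """Return the manual (Section 1) NAT rules in configuration order."""
    rules = []
    for raw in config.splitlines():
        m = NAT_RE.match(raw.strip())
        if m:
            rules.append(NatRule(raw.strip(), m.group(3), m.group(4), m.group(5),
                                 m.group(6), m.group(7), m.group("svc") is not None))
    return rules


def _covers(objects: Dict[str, ipaddress.IPv4Network], name: str, ip: ipaddress.IPv4Address) -> bool:
    if name == "any":
        return True
    net = objects.get(name)
    return net is not None and ip in net


def first_matching_rule(config: str, src: str, dst: str, proto: str = "icmp") -> Optional[NatRule]:
    """Simplified model of Section 1 matching: top-down, first hit wins.
    Assumption: a rule with a service clause only applies to TCP/UDP flows, so it is
    skipped for ICMP here; the real ASA also compares the ports."""
    objects = parse_objects(config)
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in parse_nat_rules(config):
        if rule.has_service and proto not in ("tcp", "udp"):
            continue
        if not _covers(objects, rule.src_real, src_ip):
            continue
        if rule.dst_real is not None and not _covers(objects, rule.dst_real, dst_ip):
            continue
        return rule
    return None


def vpn_traffic_is_exempt(config: str, src: str, dst: str) -> bool:
    """True when the inside->VPN-pool flow hits an identity rule before any PAT rule."""
    rule = first_matching_rule(config, src, dst)
    return rule is not None and rule.is_identity()


if __name__ == "__main__":
    for label, cfg in (("thread order", SAMPLE_CONFIG), ("PAT first", MISORDERED_CONFIG)):
        rule = first_matching_rule(cfg, "10.71.1.11", "10.71.2.2")
        print(f"{label}: exempt={vpn_traffic_is_exempt(cfg, '10.71.1.11', '10.71.2.2')} via: {rule.text}")
```

Running the script prints that the thread's order exempts 10.71.1.11 to 10.71.2.2 through the static LAN-INSIDE/LAN-VPN rule, while the misordered copy sends the same flow into the dynamic PAT rule, which is what a packet-tracer NAT phase showing a translation to the outside address would correspond to.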

That didn't seem to work...

I added the following...

object network LAN-INSIDE

subnet 10.71.1.0 255.255.255.0

description Local area network

object network LAN-VPN

subnet 10.71.2.0 255.255.255.0

description All VPN clients

nat (inside,outside) source static LAN-INSIDE LAN-INSIDE destination static LAN-VPN LAN-VPN

*No errors pop up in the log...

My latest config...

: Saved

:

ASA Version 8.4(2)

!

hostname ACS-000-ROU2

domain-name MYDOMAIN.LOCAL

names

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

switchport access vlan 21

!

interface Ethernet0/3

switchport access vlan 31

!

interface Ethernet0/4

switchport access vlan 100

shutdown

!

interface Ethernet0/5

switchport access vlan 100

shutdown

!

interface Ethernet0/6

switchport access vlan 100

shutdown

!

interface Ethernet0/7

switchport trunk allowed vlan 1,31

switchport mode trunk

!

interface Vlan1

nameif inside

security-level 100

ip address 10.71.1.1 255.255.255.0

!

interface Vlan2

description All outgoing traffic to the internet

nameif outside

security-level 0

ip address 12.12.30.204 255.255.255.224

!

interface Vlan21

nameif dmz_ftp

security-level 50

ip address 10.71.5.1 255.255.255.0

!

interface Vlan31

nameif corp

security-level 10

ip address 10.71.3.1 255.255.255.0

!

boot system disk0:/asa842-k8.bin

ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring

dns domain-lookup inside

dns server-group DefaultDNS

name-server 10.71.1.3

domain-name MYDOMAIN.LOCAL

object network LAN-INSIDE

subnet 10.71.1.0 255.255.255.0

description My Business Name local area network

object network LAN-VPN

subnet 10.71.2.0 255.255.255.0

description All VPN clients

object network ASA-INSIDE

host 10.71.1.1

description ASA 5505's IP address

object network ACS-000-APB2

host 10.71.1.11

description User

object service 63210

service tcp source eq 63210

description 63210

object-group protocol DM_INLINE_PROTOCOL_1

protocol-object ip

protocol-object tcp

object-group network DM_INLINE_NETWORK_1

network-object host 10.22.161.4

network-object host 10.61.1.13

access-list outside_access_in remark Allow ping replys from outside to inside (hosts on the internet)

access-list outside_access_in extended permit ip any 10.71.1.0 255.255.255.0

access-list inside_access_in extended deny tcp object ACS-000-APB2 object-group DM_INLINE_NETWORK_1 log disable

access-list inside_access_in remark Allow ssh from the inside to the ASA (used to admin the ASA)

access-list inside_access_in extended permit tcp object LAN-INSIDE object ASA-INSIDE eq ssh

access-list inside_access_in remark Allow all tcp and ping traffic from inside to outside

access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 object LAN-INSIDE any

pager lines 24

logging enable

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu dmz_ftp 1500

mtu corp 1500

ip local pool GRM_VPN_IP_POOL 10.71.2.2-10.71.2.253

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-645.bin

no asdm history enable

arp timeout 14400

nat (inside,outside) source static LAN-INSIDE LAN-INSIDE destination static LAN-VPN LAN-VPN

nat (inside,outside) source static ACS-000-APB2 interface service 63210 63210

nat (inside,outside) source dynamic any interface description Used to preform a port address translation on traffic going from the inside int to the outside int

access-group outside_access_in in interface outside

access-group inside_access_in in interface inside

route outside 0.0.0.0 0.0.0.0 12.12.30.193 255

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa-server GRM_AUTH_GROUP protocol kerberos

aaa-server GRM_AUTH_GROUP (inside) host 10.71.1.3

kerberos-realm MYDOMAIN.LOCAL

aaa authentication ssh console GRM_AUTH_GROUP LOCAL

http server enable

http 10.71.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto ca trustpoint MY_BUSINESS_NAME

enrollment self

subject-name O=My Business Name,C=US,St=TX,L="Somewhere, TX"

keypair mydomain.local

proxy-ldc-issuer

crl configure

crypto ca certificate chain MY_BUSINESS_NAME

certificate 69b2564e

    308202ca 30820233 a0030201 02020469 b2564e30 0d06092a 864886f7 0d010105

    05003077 31153013 06035504 07130c4e 6f726372 6f73732c 20474131 0b300906

    03550408 13024741 310b3009 06035504 06130255 53311530 13060355 040a130c

    41637320 4e6f7263 726f7373 312d302b 06092a86 4886f70d 01090216 1e414353

    2d303030 2d524f55 322e4143 532d4154 4c414e54 412e4c4f 43414c30 1e170d31

    31303832 36303530 3233385a 170d3231 30383233 30353032 33385a30 77311530

    13060355 0407130c 4e6f7263 726f7373 2c204741 310b3009 06035504 08130247

    41310b30 09060355 04061302 55533115 30130603 55040a13 0c416373 204e6f72

    63726f73 73312d30 2b06092a 864886f7 0d010902 161e4143 532d3030 302d524f

    55322e41 43532d41 544c414e 54412e4c 4f43414c 30819f30 0d06092a 864886f7

    0d010101 05000381 8d003081 89028181 00908394 7143ba7c e5e01486 0bdd4c5d

    ecb01961 8b6cfdae 02daf9cc 1d34e63e 23adcacb 81797e22 306cf3ff 628affa2

    e281e7fd 6ee0aee0 9d98d69d 91d3edd0 63fcac93 b76a3df1 d26a6af7 8ceef157

    8f767a97 19744eeb 1f2b32ba 0358697d 88c7b850 785db121 a2677c83 2389dd14

    f687e4a1 e5b6c628 af0d0832 6db59505 4d020301 0001a363 3061300f 0603551d

    130101ff 04053003 0101ff30 0e060355 1d0f0101 ff040403 02018630 1f060355

    1d230418 30168014 952d0a89 9fa0eaab d0efcbe6 faf03ae0 0517e28e 301d0603

    551d0e04 16041495 2d0a899f a0eaabd0 efcbe6fa f03ae005 17e28e30 0d06092a

    864886f7 0d010105 05000381 81005938 70b2c186 50459016 c7b245aa 1166d6fc

    ba6a3959 0f090b87 bd66a43c 9f7f9d82 f908b612 8ce6c67c affba5b7 08fa277f

    65b95fb5 31019677 f9b3ec4e c78c7c42 4199e84d 70419209 2a3fce73 9757718b

    877a8c96 a1d08464 1c6cf64b 18a16ea6 881a50db d03f6959 433518e4 159d4ed0

    957f95a7 79fb2284 0e4cf306 a2af

  quit

crypto ikev1 enable outside

crypto ikev1 policy 10

authentication crack

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 20

authentication rsa-sig

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 30

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 40

authentication crack

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 50

authentication rsa-sig

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 60

authentication pre-share

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 70

authentication crack

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 80

authentication rsa-sig

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 90

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 100

authentication crack

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 110

authentication rsa-sig

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 120

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 130

authentication crack

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 140

authentication rsa-sig

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 150

authentication pre-share

encryption des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh 10.71.1.0 255.255.255.0 inside

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!

dhcpd address 10.71.1.5-10.71.1.132 inside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

group-policy DfltGrpPolicy attributes

vpn-tunnel-protocol ikev2 ssl-clientless

group-policy VPN_GROUP_POLICY internal

group-policy VPN_GROUP_POLICY attributes

vpn-tunnel-protocol ikev1 l2tp-ipsec

tunnel-group MYBUSSINESNAME type remote-access

tunnel-group MYBUSSINESNAME general-attributes

address-pool GRM_VPN_IP_POOL

authentication-server-group GRM_AUTH_GROUP

default-group-policy VPN_GROUP_POLICY

tunnel-group MYBUSSINESNAME ipsec-attributes

ikev1 pre-shared-key *****

ikev1 trust-point MY_BUSINESS_NAME

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

!

service-policy global_policy global

prompt hostname context

call-home reporting anonymous prompt 2

Cryptochecksum:c44b2c6b077607cc0a50f38c05a3a11d

: end


Ok try this, add the following command:

management-access inside

then connect with the VPN client and ping 10.71.1.1.

You should get replies.

Then ping something else on your network and grab the output of the "show crypto ipsec sa".

Post it here.

Another question, this ASA is the default gateway of the subnets you are trying to reach right?

Thx.

Does the answer below work for you too Luis?

Mohammad Alhyari
Cisco Employee

HI,

BE SURE WHAT NAT RULE YOUR TRAFFIC IS HITTING, PROVIDE THE FOLLOWING:

PACKET-TRACER INPUT INSIDE ICMP [LOCAL INSIDE IP ADDRESS] 8 8 [YOUR VPN CLIENT IP ADDRESS] DET

DO THE FOLLOWING:

SHOW CRYPTO IPSEC SA PEER [PUBLIC IP ADDRESS OF THE MACHINE THAT YOU ARE CONNECTING TO THE VPN FROM]

SEE IF YOU GET ENCAPS AND DECAPS FOR THAT CONNECTION.

AFTER THOSE WE CAN CONCLUDE WHAT IS THE PROBLEM.

CHEERS.

ACS-000-ROU2(config)# PACKET-TRACER INPUT inside ICMP 10.71.1.11 8 8 10.71.2.2 ICMP 10.71.1.11 8 8 10.71.2.2 DET

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xcb48ce80, priority=1, domain=permit, deny=false

        hits=9045989, user_data=0x0, cs_id=0x0, l3_type=0x8

        src mac=0000.0000.0000, mask=0000.0000.0000

        dst mac=0000.0000.0000, mask=0100.0000.0000

        input_ifc=inside, output_ifc=any

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   0.0.0.0         0.0.0.0         outside

Phase: 3

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group inside_access_in in interface inside

access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 object LAN-INSIDE any

object-group protocol DM_INLINE_PROTOCOL_1

protocol-object ip

protocol-object tcp

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xcbd93c30, priority=13, domain=permit, deny=false

        hits=2088, user_data=0xc94fadc0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0

        src ip/id=10.71.1.0, mask=255.255.255.0, port=0

        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

        input_ifc=inside, output_ifc=any

Phase: 4

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xcbd9b0d0, priority=0, domain=inspect-ip-options, deny=true

        hits=66678, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

        src ip/id=0.0.0.0, mask=0.0.0.0, port=0

        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

        input_ifc=inside, output_ifc=any

Phase: 5

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xcbd9ae38, priority=66, domain=inspect-icmp-error, deny=false

        hits=22, user_data=0xcb3e69e0, cs_id=0x0, use_real_addr, flags=0x0, protocol=1

        src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0

        dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, dscp=0x0

        input_ifc=inside, output_ifc=any

Phase: 6

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (inside,outside) source static LAN-INSIDE LAN-INSIDE destination static LAN-VPN LAN-VPN

Additional Information:

Static translate 10.71.1.11/0 to 10.71.1.11/0

Forward Flow based lookup yields rule:

in  id=0xcc09e210, priority=6, domain=nat, deny=false

        hits=1, user_data=0xcc09dd18, cs_id=0x0, use_real_addr, flags=0x0, protocol=0

        src ip/id=10.71.1.0, mask=255.255.255.0, port=0

        dst ip/id=10.71.2.0, mask=255.255.255.0, port=0, dscp=0x0

        input_ifc=inside, output_ifc=outside

Phase: 7

Type: HOST-LIMIT

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xcb3e2ed0, priority=0, domain=host-limit, deny=false

        hits=52786, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0

        src ip/id=0.0.0.0, mask=0.0.0.0, port=0

        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

        input_ifc=inside, output_ifc=any

Phase: 8

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 78102, packet dispatched to next module

Module information for forward flow ...

snp_fp_tracer_drop

snp_fp_inspect_ip_options

snp_fp_translate

snp_fp_adjacency

snp_fp_fragment

snp_ifc_stat

Module information for reverse flow ...

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: allow

--------------------------------------------------------------------------------------------------------------------

ACS-000-ROU2(config)# show crypto ipsec sa peer 71.129.152.103

peer address: 71.199.156.103

    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 12.12.30.204

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

      remote ident (addr/mask/prot/port): (10.71.2.2/255.255.255.255/0/0)

      current_peer: 71.129.152.103, username: arvo.bowen

      dynamic allocated peer ip: 10.71.2.2

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

      #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: 12.12.30.204/4500, remote crypto endpt.: 71.129.152.103/4500

      path mtu 1500, ipsec overhead 82, media mtu 1500

      current outbound spi: 001A53ED

      current inbound spi : 68C6FE98

    inbound esp sas:

      spi: 0x68C6FE98 (1757871768)

         transform: esp-aes esp-sha-hmac no compression

         in use settings ={RA, Tunnel,  NAT-T-Encaps, }

         slot: 0, conn_id: 49152, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

         sa timing: remaining key lifetime (sec): 3574

         IV size: 16 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x000000FF

    outbound esp sas:

      spi: 0x001A53ED (1725421)

         transform: esp-aes esp-sha-hmac no compression

         in use settings ={RA, Tunnel,  NAT-T-Encaps, }

         slot: 0, conn_id: 49152, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

         sa timing: remaining key lifetime (sec): 3574

         IV size: 16 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x00000001
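Mohammad's two checks are about direction: packet-tracer shows which NAT rule the inside-to-client flow hits, and the encaps/decaps counters show whether traffic is both decrypted from the client and encrypted back to it. In the output above, decaps is 5 and encaps is 0, which is the pattern of a host that receives the echo requests but whose replies never make it back into the tunnel. The Python below is an added example, not part of the thread and not an ASA feature: it parses constructed, abbreviated copies of both outputs (peer and local addresses replaced with documentation ranges), extracts the NAT phase and the counters, and classifies the SA by direction, with the next thing to check for each case written into the docstring.

```python
import re
from dataclasses import dataclass
from typing import Any, Dict, List, Optional

# Constructed sample modelled on the thread's output (peer/local addresses are
# documentation ranges): packets are decrypted from the client, none sent back.
SAMPLE_IPSEC_SA = """\
peer address: 203.0.113.10
    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 192.0.2.1
      dynamic allocated peer ip: 10.71.2.2
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
      #send errors: 0, #recv errors: 0
"""

# Constructed, abbreviated packet-tracer output keeping only the phases that matter.
SAMPLE_PACKET_TRACER = """\
Phase: 1
Type: ACCESS-LIST
Result: ALLOW
Config:
Implicit Rule
Phase: 6
Type: NAT
Result: ALLOW
Config:
nat (inside,outside) source static LAN-INSIDE LAN-INSIDE destination static LAN-VPN LAN-VPN
Additional Information:
Static translate 10.71.1.11/0 to 10.71.1.11/0
Result:
input-interface: inside
output-interface: outside
Action: allow
"""


@dataclass
class SaCounters:
    client_ip: Optional[str]  # address the ASA handed to the VPN client
    encaps: int               # packets encrypted towards the client
    decaps: int               # packets decrypted from the client


COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")


def parse_sa_counters(text: str) -> SaCounters:
    """Pull the direction counters out of 'show crypto ipsec sa' output."""
    found = {name: int(val) for name, val in COUNTER_RE.findall(text)}
    m = re.search(r"dynamic allocated peer ip: (\S+)", text)
    return SaCounters(m.group(1) if m else None, found.get("encaps", 0), found.get("decaps", 0))


def diagnose_sa(c: SaCounters) -> str:
    """Classify the SA by traffic direction.
    inbound-only: client traffic is decrypted but no reply is encrypted back, so check
      the NAT exemption, the return route to the pool, and whether the target host answers.
    outbound-only / idle: the client is not sending, so check its secured routes."""
    if c.decaps and not c.encaps:
        return "inbound-only"
    if c.encaps and not c.decaps:
        return "outbound-only"
    if not c.encaps and not c.decaps:
        return "idle"
    return "bidirectional"


def parse_phases(text: str) -> List[Dict[str, Any]]:
    """Split packet-tracer output into phases with their type, result and Config lines."""
    phases: List[Dict[str, Any]] = []
    current: Optional[Dict[str, Any]] = None
    section: Optional[str] = None
    for line in text.splitlines():
        if line.startswith("Phase:"):
            current = {"phase": int(line.split(":", 1)[1]), "type": "", "result": "", "config": []}
            phases.append(current)
            section = None
        elif line.strip() == "Result:":  # a bare 'Result:' opens the summary block
            current = None
        elif current is None:
            continue
        elif line.startswith("Type:"):
            current["type"] = line.split(":", 1)[1].strip()
        elif line.startswith("Result:"):
            current["result"] = line.split(":", 1)[1].strip()
        elif line.startswith("Config:"):
            section = "config"
        elif line.startswith("Additional Information:"):
            section = "info"
        elif section == "config" and line.strip():
            current["config"].append(line.strip())
    return phases


def nat_phase_rule(text: str) -> Optional[str]:
    """The NAT rule packet-tracer reports the flow hitting, or None if there is no NAT phase."""
    for phase in parse_phases(text):
        if phase["type"] == "NAT" and phase["config"]:
            return phase["config"][0]
    return None


def final_action(text: str) -> Optional[str]:
    """The 'Action:' verdict from the packet-tracer summary block."""
    m = re.search(r"^Action: (\S+)", text, re.MULTILINE)
    return m.group(1) if m else None
```

On the constructed samples, nat_phase_rule returns the identity LAN-INSIDE/LAN-VPN rule with a final action of allow, and diagnose_sa returns "inbound-only": the firewall side looks right, and the remaining question is whether the destination host actually replies, which is what the thread eventually found.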

Arvo,

I don't see any reference to the VPN rules in the above output from the packet tracer.

What do you have in the client statistics under "Tunnel Details" and "Route Details"?

Do you see packets encrypted?

What do you see as secured routes?

Thanks.

It seems like it was working the whole time...  I asked someone else and found out that the machine I was trying to ping was simply not responding to my ping (echo) requests...  The reason I was thinking that it was not working was because I tried to ping the inside ip of the ASA itself...  For some reason I can not ping the ASA itself but I can get to everything on that network (the inside network).

Huh, interesting.

Now, the ASA itself will not respond to pings unless you add the following command:

management-access inside

That will allow the inside interface to respond to the ICMP packets.

Have fun

PS: Please remember to mark this question as answered. Thanks!

Actually currently the ASA responds to pings on my local INSIDE interface (10.71.1.1 being the ASA) and there is nothing in the config at all about "management-access".  Though I can not ping 10.71.1.1 from my VPN client 10.71.2.2  :/  any ideas?

Yeap, that's the default behavior: the inside interface will respond from the inside LAN but not from the VPN client unless you add the management-access inside command.

In other words:

ping from inside to inside interface: responds

ping from vpn to inside interface: fails

ping from vpn to inside interface with management access enabled: responds.

Here is the info about it from command reference of the ASA 8.4

management-access

To allow management access to an interface other than the one from which you entered the ASA when using VPN, use the management-access command in global configuration mode. To disable management access, use the no form of this command.

management-access mgmt_if

no management-access mgmt_if

This command allows you to connect to an interface other than the one you entered the ASA from when using a full tunnel IPSec VPN or SSL VPN client (AnyConnect 2.x client, SVC 1.x) or across a site-to-site IPSec tunnel. For example, if you enter the ASA from the outside interface, this command lets you connect to the inside interface using Telnet; or you can ping the inside interface when entering from the outside interface.

You can define only one management-access interface.

With the management-access command, an internal interface does not accept UDP or ICMP traffic over a clear-text interface even when the traffic was self-initiated.

Have a good one!

Thanks Luis!

Well, tried that and no dice.  I enabled it for the inside interface and even tried reconnecting the VPN client...  I can not ping the ASA's inside IP (10.71.1.1) AKA the gateway for my inside network.

Any other ideas?

Well, that's weird... the only thing I could think of is enabling debug icmp trace and then starting a continuous ping to 10.71.1.1 and seeing what the ASA tells you about it.
