08-26-2011 10:16 AM - edited 03-11-2019 02:17 PM
I'm having issues with getting traffic from my VPN client (IP 10.71.2.2) to my inside local network client (IP 10.71.1.11). I have my config attached. Is there something I'm missing?
08-31-2011 11:55 AM
Arvo, you are hitting a bug man!
Check it out:
That's why the inside interface doesn't respond even with the management-access command.
Someone else reported a similar problem a few minutes ago.
Have fun!
PS: Please remember to mark this question as answered unless you have any other questions. Thx!
08-26-2011 12:28 PM
Arvo,
Try adding this for the NAT bypass:
object network INSIDE_LAN
subnet 10.71.1.0 255.255.255.0
object network VPN-pool
subnet 10.71.2.0 255.255.255.0
nat (inside,outside) source static INSIDE_LAN INSIDE_LAN destination static VPN-pool VPN-pool
Then test again.
Let us know how it goes. Thanks.
Raga
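The reason the NAT-exemption line above has to exist (and has to be matched before the dynamic PAT) is that on ASA 8.3+ the manual "nat (inside,outside) source ..." rules are evaluated top-down, first match. The following is an added example, not code from the thread or from Cisco: a small Python model of that first-match evaluation, loaded with the two rules that appear in the posted config (the identity rule LAN-INSIDE/LAN-VPN and the "source dynamic any interface" PAT). The rule names and the `ManualNatRule` shape are my own; the subnets are the ones from the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class ManualNatRule:
    """One 'nat (inside,outside) source ...' line, reduced to what matters for matching.
    (Hypothetical helper type; the ASA does not expose rules this way.)"""
    name: str
    real_src: ipaddress.IPv4Network            # real source addresses the rule matches
    real_dst: Optional[ipaddress.IPv4Network]  # real destination it matches (None = any)
    translates_src: bool                       # False for an identity (static X X) rule


# Objects from the posted config.
LAN_INSIDE = ipaddress.ip_network("10.71.1.0/24")   # object network LAN-INSIDE
LAN_VPN = ipaddress.ip_network("10.71.2.0/24")      # object network LAN-VPN (the VPN pool)
ANY = ipaddress.ip_network("0.0.0.0/0")

# The two rules in the order they appear in the posted config: exemption first, PAT second.
CONFIG_ORDER: List[ManualNatRule] = [
    ManualNatRule("nat-exempt LAN-INSIDE -> LAN-VPN", LAN_INSIDE, LAN_VPN, translates_src=False),
    ManualNatRule("dynamic PAT any -> interface", ANY, None, translates_src=True),
]


def first_match(rules: List[ManualNatRule], src: str, dst: str) -> Optional[ManualNatRule]:
    """Top-down, first-match evaluation of manual NAT rules on the real (untranslated) addresses."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if s in rule.real_src and (rule.real_dst is None or d in rule.real_dst):
            return rule
    return None


def source_is_translated(rules: List[ManualNatRule], src: str, dst: str) -> bool:
    """True when the flow would leave with a rewritten source, which breaks the VPN return path."""
    rule = first_match(rules, src, dst)
    return rule is not None and rule.translates_src


if __name__ == "__main__":
    # Inside host to VPN client: the identity rule wins, source stays 10.71.1.11.
    print(first_match(CONFIG_ORDER, "10.71.1.11", "10.71.2.2").name)
    # Inside host to the Internet: falls through to the PAT rule.
    print(first_match(CONFIG_ORDER, "10.71.1.11", "198.51.100.7").name)
    # Same rules in the wrong order: the PAT now catches the VPN-bound flow.
    print(source_is_translated(list(reversed(CONFIG_ORDER)), "10.71.1.11", "10.71.2.2"))
```

The last call is the check worth keeping in mind when reviewing a config: if the exemption sits below the dynamic PAT, the VPN-bound traffic is PATed to the outside interface address and the client never sees the real source.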
08-26-2011 05:32 PM
That didn't seem to work...
I added the following...
object network LAN-INSIDE
subnet 10.71.1.0 255.255.255.0
description Local area network
object network LAN-VPN
subnet 10.71.2.0 255.255.255.0
description All VPN clients
nat (inside,outside) source static LAN-INSIDE LAN-INSIDE destination static LAN-VPN LAN-VPN
*No errors pop up in the log...
08-27-2011 07:12 AM
My latest config...
: Saved
:
ASA Version 8.4(2)
!
hostname ACS-000-ROU2
domain-name MYDOMAIN.LOCAL
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
switchport access vlan 21
!
interface Ethernet0/3
switchport access vlan 31
!
interface Ethernet0/4
switchport access vlan 100
shutdown
!
interface Ethernet0/5
switchport access vlan 100
shutdown
!
interface Ethernet0/6
switchport access vlan 100
shutdown
!
interface Ethernet0/7
switchport trunk allowed vlan 1,31
switchport mode trunk
!
interface Vlan1
nameif inside
security-level 100
ip address 10.71.1.1 255.255.255.0
!
interface Vlan2
description All outgoing traffic to the internet
nameif outside
security-level 0
ip address 12.12.30.204 255.255.255.224
!
interface Vlan21
nameif dmz_ftp
security-level 50
ip address 10.71.5.1 255.255.255.0
!
interface Vlan31
nameif corp
security-level 10
ip address 10.71.3.1 255.255.255.0
!
boot system disk0:/asa842-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
name-server 10.71.1.3
domain-name MYDOMAIN.LOCAL
object network LAN-INSIDE
subnet 10.71.1.0 255.255.255.0
description My Business Name local area network
object network LAN-VPN
subnet 10.71.2.0 255.255.255.0
description All VPN clients
object network ASA-INSIDE
host 10.71.1.1
description ASA 5505's IP address
object network ACS-000-APB2
host 10.71.1.11
description User
object service 63210
service tcp source eq 63210
description 63210
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object tcp
object-group network DM_INLINE_NETWORK_1
network-object host 10.22.161.4
network-object host 10.61.1.13
access-list outside_access_in remark Allow ping replys from outside to inside (hosts on the internet)
access-list outside_access_in extended permit ip any 10.71.1.0 255.255.255.0
access-list inside_access_in extended deny tcp object ACS-000-APB2 object-group DM_INLINE_NETWORK_1 log disable
access-list inside_access_in remark Allow ssh from the inside to the ASA (used to admin the ASA)
access-list inside_access_in extended permit tcp object LAN-INSIDE object ASA-INSIDE eq ssh
access-list inside_access_in remark Allow all tcp and ping traffic from inside to outside
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 object LAN-INSIDE any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz_ftp 1500
mtu corp 1500
ip local pool GRM_VPN_IP_POOL 10.71.2.2-10.71.2.253
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source static LAN-INSIDE LAN-INSIDE destination static LAN-VPN LAN-VPN
nat (inside,outside) source static ACS-000-APB2 interface service 63210 63210
nat (inside,outside) source dynamic any interface description Used to preform a port address translation on traffic going from the inside int to the outside int
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 12.12.30.193 255
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server GRM_AUTH_GROUP protocol kerberos
aaa-server GRM_AUTH_GROUP (inside) host 10.71.1.3
kerberos-realm MYDOMAIN.LOCAL
aaa authentication ssh console GRM_AUTH_GROUP LOCAL
http server enable
http 10.71.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint MY_BUSINESS_NAME
enrollment self
subject-name O=My Business Name,C=US,St=TX,L="Somewhere, TX"
keypair mydomain.local
proxy-ldc-issuer
crl configure
crypto ca certificate chain MY_BUSINESS_NAME
certificate 69b2564e
308202ca 30820233 a0030201 02020469 b2564e30 0d06092a 864886f7 0d010105
05003077 31153013 06035504 07130c4e 6f726372 6f73732c 20474131 0b300906
03550408 13024741 310b3009 06035504 06130255 53311530 13060355 040a130c
41637320 4e6f7263 726f7373 312d302b 06092a86 4886f70d 01090216 1e414353
2d303030 2d524f55 322e4143 532d4154 4c414e54 412e4c4f 43414c30 1e170d31
31303832 36303530 3233385a 170d3231 30383233 30353032 33385a30 77311530
13060355 0407130c 4e6f7263 726f7373 2c204741 310b3009 06035504 08130247
41310b30 09060355 04061302 55533115 30130603 55040a13 0c416373 204e6f72
63726f73 73312d30 2b06092a 864886f7 0d010902 161e4143 532d3030 302d524f
55322e41 43532d41 544c414e 54412e4c 4f43414c 30819f30 0d06092a 864886f7
0d010101 05000381 8d003081 89028181 00908394 7143ba7c e5e01486 0bdd4c5d
ecb01961 8b6cfdae 02daf9cc 1d34e63e 23adcacb 81797e22 306cf3ff 628affa2
e281e7fd 6ee0aee0 9d98d69d 91d3edd0 63fcac93 b76a3df1 d26a6af7 8ceef157
8f767a97 19744eeb 1f2b32ba 0358697d 88c7b850 785db121 a2677c83 2389dd14
f687e4a1 e5b6c628 af0d0832 6db59505 4d020301 0001a363 3061300f 0603551d
130101ff 04053003 0101ff30 0e060355 1d0f0101 ff040403 02018630 1f060355
1d230418 30168014 952d0a89 9fa0eaab d0efcbe6 faf03ae0 0517e28e 301d0603
551d0e04 16041495 2d0a899f a0eaabd0 efcbe6fa f03ae005 17e28e30 0d06092a
864886f7 0d010105 05000381 81005938 70b2c186 50459016 c7b245aa 1166d6fc
ba6a3959 0f090b87 bd66a43c 9f7f9d82 f908b612 8ce6c67c affba5b7 08fa277f
65b95fb5 31019677 f9b3ec4e c78c7c42 4199e84d 70419209 2a3fce73 9757718b
877a8c96 a1d08464 1c6cf64b 18a16ea6 881a50db d03f6959 433518e4 159d4ed0
957f95a7 79fb2284 0e4cf306 a2af
quit
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 10.71.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 10.71.1.5-10.71.1.132 inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev2 ssl-clientless
group-policy VPN_GROUP_POLICY internal
group-policy VPN_GROUP_POLICY attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec
tunnel-group MYBUSSINESNAME type remote-access
tunnel-group MYBUSSINESNAME general-attributes
address-pool GRM_VPN_IP_POOL
authentication-server-group GRM_AUTH_GROUP
default-group-policy VPN_GROUP_POLICY
tunnel-group MYBUSSINESNAME ipsec-attributes
ikev1 pre-shared-key *****
ikev1 trust-point MY_BUSINESS_NAME
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous prompt 2
Cryptochecksum:c44b2c6b077607cc0a50f38c05a3a11d
: end
asdm image disk0:/asdm-645.bin
no asdm history enable
08-27-2011 10:42 AM
Ok, try this: add the following command:
management-access inside
then connect with the VPN client and ping 10.71.1.1.
You should get replies.
Then ping something else on your network and grab the output of the "show crypto ipsec sa".
Post it here.
Another question: this ASA is the default gateway of the subnets you are trying to reach, right?
Thx.
08-27-2011 04:39 PM
Does the answer below work for you too Luis?
08-27-2011 11:17 AM
HI,
BE SURE WHAT NAT RULE YOUR TRAFFIC IS HITTING, PROVIDE THE FOLLOWING:
PACKET-TRACER INPUT INSIDE ICMP [LOCAL INSIDE IP ADDRESS] 8 8 [YOUR VPN CLIENT IP ADDRESS] DET
DO THE FOLLOWING:
SHOW CRYPTO IPSEC SA PEER [PUBLIC IP ADDRESS OF THE MACHINE THAT YOU ARE CONNECTING TO THE VPN FROM]
SEE IF YOU GET ENCAPS AND DECAPS FOR THAT CONNECTION.
AFTER THOSE WE CAN CONCLUDE WHAT THE PROBLEM IS.
CHEERS.
08-27-2011 04:38 PM
ACS-000-ROU2(config)# PACKET-TRACER INPUT inside ICMP 10.71.1.11 8 8 10.71.2.2 ICMP 10.71.1.11 8 8 10.71.2.2 DET
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcb48ce80, priority=1, domain=permit, deny=false
hits=9045989, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=inside, output_ifc=any
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 object LAN-INSIDE any
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object tcp
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcbd93c30, priority=13, domain=permit, deny=false
hits=2088, user_data=0xc94fadc0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=10.71.1.0, mask=255.255.255.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcbd9b0d0, priority=0, domain=inspect-ip-options, deny=true
hits=66678, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcbd9ae38, priority=66, domain=inspect-icmp-error, deny=false
hits=22, user_data=0xcb3e69e0, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static LAN-INSIDE LAN-INSIDE destination static LAN-VPN LAN-VPN
Additional Information:
Static translate 10.71.1.11/0 to 10.71.1.11/0
Forward Flow based lookup yields rule:
in id=0xcc09e210, priority=6, domain=nat, deny=false
hits=1, user_data=0xcc09dd18, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=10.71.1.0, mask=255.255.255.0, port=0
dst ip/id=10.71.2.0, mask=255.255.255.0, port=0, dscp=0x0
input_ifc=inside, output_ifc=outside
Phase: 7
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcb3e2ed0, priority=0, domain=host-limit, deny=false
hits=52786, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 78102, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
--------------------------------------------------------------------------------------------------------------------
ACS-000-ROU2(config)# show crypto ipsec sa peer 71.129.152.103
peer address: 71.199.156.103
Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 12.12.30.204
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.71.2.2/255.255.255.255/0/0)
current_peer: 71.129.152.103, username: arvo.bowen
dynamic allocated peer ip: 10.71.2.2
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 12.12.30.204/4500, remote crypto endpt.: 71.129.152.103/4500
path mtu 1500, ipsec overhead 82, media mtu 1500
current outbound spi: 001A53ED
current inbound spi : 68C6FE98
inbound esp sas:
spi: 0x68C6FE98 (1757871768)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 49152, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 3574
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x000000FF
outbound esp sas:
spi: 0x001A53ED (1725421)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 49152, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 3574
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
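The two outputs above carry the diagnosis between them: the packet-tracer NAT phase shows an identity translation (10.71.1.11 to 10.71.1.11, so the exemption is matched), while the SA counters show decaps 5 / encaps 0, i.e. the client's packets are decrypted but nothing is encrypted back to it. As an added example that is not part of the thread, here is a Python helper that parses both outputs and reports exactly those two facts; the sample texts are constructed, abbreviated copies of the shape of the posted output (with a documentation peer address), and the function names are my own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample, abbreviated from the shape of the packet-tracer output in the thread.
PACKET_TRACER_SAMPLE = """\
ACS-000-ROU2(config)# packet-tracer input inside icmp 10.71.1.11 8 8 10.71.2.2 det
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static LAN-INSIDE LAN-INSIDE destination static LAN-VPN LAN-VPN
Additional Information:
Static translate 10.71.1.11/0 to 10.71.1.11/0
Result:
input-interface: inside
output-interface: outside
Action: allow
"""

# Constructed sample of the counter lines from 'show crypto ipsec sa peer <addr>'.
IPSEC_SA_SAMPLE = """\
peer address: 203.0.113.10
remote ident (addr/mask/prot/port): (10.71.2.2/255.255.255.255/0/0)
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
"""


@dataclass
class Phase:
    number: int
    type: str = ""
    result: str = ""
    details: List[str] = field(default_factory=list)


def parse_phases(text: str) -> List[Phase]:
    """Split packet-tracer output into its numbered phases; stops at the summary block."""
    phases: List[Phase] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Phase:"):
            phases.append(Phase(int(line.split(":", 1)[1])))
        elif not phases:
            continue  # prompt/command echo before the first phase
        elif line.startswith("Type:"):
            phases[-1].type = line.split(":", 1)[1].strip()
        elif line.startswith("Result:"):
            value = line.split(":", 1)[1].strip()
            if not value:  # a bare "Result:" opens the final summary; phases are done
                break
            phases[-1].result = value
        else:
            phases[-1].details.append(line)
    return phases


def final_action(text: str) -> str:
    """The verdict line at the end of packet-tracer output ('allow' or 'drop')."""
    m = re.search(r"^Action:\s*(\w+)", text, re.M)
    return m.group(1) if m else ""


TRANSLATE_RE = re.compile(r"Static translate (\S+)/\d+ to (\S+)/\d+")


def nat_is_identity(phases: List[Phase]) -> bool:
    """True when the NAT phase translated the source to itself (the exemption matched)."""
    for p in phases:
        if p.type == "NAT":
            for d in p.details:
                m = TRANSLATE_RE.search(d)
                if m:
                    return m.group(1) == m.group(2)
    return False


COUNTER_RE = re.compile(r"#pkts (encaps|decaps|encrypt|decrypt|digest|verify):\s*(\d+)")


def parse_sa_counters(text: str) -> Dict[str, int]:
    """Collect the per-SA packet counters into a dict keyed by counter name."""
    return {m.group(1): int(m.group(2)) for m in COUNTER_RE.finditer(text)}


def diagnose_sa(counters: Dict[str, int]) -> str:
    """Classify the tunnel: decaps without encaps means the return path is missing."""
    enc, dec = counters.get("encaps", 0), counters.get("decaps", 0)
    if enc == 0 and dec == 0:
        return "idle"
    if dec and not enc:
        return "inbound-only"
    if enc and not dec:
        return "outbound-only"
    return "bidirectional"


if __name__ == "__main__":
    ph = parse_phases(PACKET_TRACER_SAMPLE)
    print("phases:", [(p.number, p.type, p.result) for p in ph], "action:", final_action(PACKET_TRACER_SAMPLE))
    print("identity NAT matched:", nat_is_identity(ph))
    print("tunnel state:", diagnose_sa(parse_sa_counters(IPSEC_SA_SAMPLE)))
```

Run on the thread's own output, "inbound-only" together with a matched identity NAT narrows the problem to the return path (routing, the inside interface itself, or platform behaviour) rather than to the NAT exemption, which is the direction the thread then takes.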
08-29-2011 09:18 PM
Arvo,
I don't see any reference to the VPN rules on the above output for the packet tracer.
What do you have on the client statistics under "Tunnel Details" and "Route Details"?
Do you see packets encrypted?
What do you see as secured routes?
Thanks.