VPN tunnel is built via ASA5505 ver8.4, but unable to RDP & ICMP & unable to SSH outside intrfc

omercer123
Level 1

I'm new to the ASA5505 ver8.4 platform, so I need some assistance. I'm able to build my tunnel but unable to RDP or ICMP back to the INTERNAL network.

VPN Client IP: 192.168.200.200

INTERNAL IP:  172.17.130.200

My configuration is below:

HOME-ASAFW02(config)# wr t
: Saved
:
ASA Version 8.4(4)
!
hostname HOME-ASAFW02
domain-name hsd1.nj.comcast.net
enable password ViPq56cvd3SGvB08 encrypted
passwd 8bcozHCAwCqA5BmN encrypted
names
!
interface Ethernet0/0
description OUTSIDE-Connection
switchport access vlan 2
switchport protected
!
interface Ethernet0/1
description INSIDE-Connection
switchport protected
speed 100
duplex full
!
interface Ethernet0/2
description WiFi-LinkSYS
switchport access vlan 3
switchport protected
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
interface Vlan1
description INTERNAL-Network
nameif inside
security-level 100
ip address 172.17.130.129 255.255.255.128
!
interface Vlan2
description OUTSIDE-Link-to-ISP
nameif outside
security-level 0
ip address dhcp setroute
!
interface Vlan3
description WiFi
no nameif
security-level 100
ip address 192.168.1.3 255.255.255.0
!
banner exec
banner motd **************************************************************************
banner motd *                      !!! WARNING !!!                                   *
banner motd * Use of this system is restricted to authorized users only.  Law        *
banner motd * prohibits unauthorized use and access. Violators will be prosecuted.   *
banner motd * Authorized system users must comply with the information Security      *
banner motd * Policies and Standard of this institution.  Your continued use of this *
banner motd * system implies your acceptance of the above conditions and of the legal*
banner motd * or disciplinary actions, which can be taken against you if you attempt *
banner motd * to gain access without authorization.                                  *
banner motd **************************************************************************
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name hsd1.nj.comcast.net
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface


object network obj_192.168.200.128
subnet 192.168.200.128 255.255.255.128


object network CABLE
host 108.x.x.x


object network inside-network
subnet 172.17.130.128 255.255.255.128


object-group icmp-type DefaultICMP
description default ICMP Types permitted
icmp-object echo-reply
icmp-object unreachable
icmp-object time-exceeded
object-group service DM_INLINE_SERVICE_1
service-object icmp
service-object icmp echo-reply
service-object icmp traceroute
service-object icmp unreachable
access-list outside_access_in extended permit tcp any any eq 3389
access-list outside_access_in extended permit tcp any any eq pptp
access-list outside_access_in extended permit udp any any eq syslog
access-list outside_access_in extended permit tcp any any eq domain
access-list outside_access_in extended permit udp any any eq domain
access-list outside_access_in extended permit tcp any any eq https
access-list outside_access_in extended permit tcp any object CABLE eq ssh
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any source-quench
access-list outside_access_in extended permit icmp any any unreachable
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit tcp any any eq ssh
access-list vpn_SplitTunnel standard permit 172.17.130.128 255.255.255.128
pager lines 24
logging timestamp
logging buffer-size 36000
logging console debugging
logging buffered warnings
logging trap debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpnpool 192.168.200.200-192.168.200.220
ip verify reverse-path interface inside
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
no asdm history enable
arp timeout 14400
nat (inside,any) source static inside-network inside-network destination static obj_192.168.200.128 obj_192.168.200.128
!
nat (inside,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 68.45.16.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 172.17.130.128 255.255.255.128 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set strong-des esp-3des esp-md5-hmac
crypto dynamic-map dynmap 30 set ikev1 transform-set strong-des
crypto map HOMEVPN 65535 ipsec-isakmp dynamic dynmap
crypto map HOMEVPN interface outside
crypto isakmp identity address
crypto ikev1 enable outside
crypto ikev1 ipsec-over-tcp port 10000
crypto ikev1 policy 11
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 172.17.130.129 255.255.255.255 inside
ssh 108.x.x.x. 255.255.255.255 outside
ssh timeout 30
ssh key-exchange group dh-group1-sha1
console timeout 30

dhcp-client client-id interface outside
dhcpd dns 75.x.x.x 75.x.x.x

dhcpd lease 691200
dhcpd ping_timeout 750
dhcpd domain hsd1.nj.comcast.net
dhcpd auto_config outside vpnclient-wins-override
!
dhcpd address 172.17.130.200-172.17.130.220 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy HOMEVPN internal
group-policy HOMEVPN attributes
vpn-idle-timeout 120
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpn_SplitTunnel
default-domain value hsd1.nj.comcast.net
username administrator password 7G4wOnQn0GM1bnAy encrypted privilege 15
username Admin2 password hkSZ2UwVuNX3qj94 encrypted privilege 15
username HOMEVPN password CVEvGED/HvQodxDz encrypted privilege 15
tunnel-group HOMEVPN type remote-access
tunnel-group HOMEVPN general-attributes
address-pool vpnpool
default-group-policy HOMEVPN
tunnel-group HOMEVPN ipsec-attributes
ikev1 pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:de4aa96301ab568e10b8f5cb36cd78cd

12 Replies

Jouni Forss
VIP Alumni

Hi,

Are you just configuring this VPN Client for use or has this worked at some point?

I see that you have added the LAN network to the Split-tunnel list so that should handle that traffic from your computer gets forwarded to the tunnel.

You haven't altered the access-list behaviour relating to VPN connections, so the connections taken from the VPN Client computer should bypass your outside interface access-list completely.

The command is "sysopt connection permit-vpn". It's enabled by default but to my understanding doesn't show up in the configuration as it's the default setting.

Can you test (or get someone to test) the VPN Client connection and at the same time monitor if the connections are coming to the ASA? Or if not possible, just gather the logs from a server or ASA after the test.

Could there be some problem with using the IPsec client with a WWAN card or something that makes it possible for you to form the VPN Client connection but DOESN'T forward traffic to the VPN tunnel? Monitor the counters in your VPN Client statistics and see if traffic is being both encrypted and decrypted.

I'm not sure why your SSH isn't working as it should go through your local Internet connection and NOT get forwarded to the VPN tunnel.

EDIT:

If for some reason that traffic is forwarded to the VPN tunnel you need to add ssh configuration for the VPN pool, for example:

ssh 192.168.200.0 255.255.255.0 outside

- Jouni

Hi Jouni,

No, this is the 1st time I'm bringing up the VPN tunnel and connecting to my network. I've set up several VPN tunnels for my job via the old software pre-8.4, but I'm kind of confused with this new version. Attached find diagram:

I will configure "sysopt connection permit-vpn" ASAP, as I could have sworn this was in my config as default originally. I guess it was removed somehow.

I did run some packet capture tests last night and below is the output:

  1. First packet capture trace was to do ICMP from the source 192.168.200.200 (remote-user VPN client) to 172.17.130.200 (internal home-user workstation)  (RESULT = NO Good)

HOME-ASAFW02(config)# packet-tracer input outside icmp 192.168.200.200 0 0 172.17.130.200

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,any) source static inside-network inside-network destination static obj_192.168.200.128 obj_192.168.200.128
Additional Information:
NAT divert to egress interface inside
Untranslate 172.17.130.200/0 to 172.17.130.200/0

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.200.200 255.255.255.255 outside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit icmp any any echo-reply
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: CP-PUNT
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: DROP
Config:
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

-------------------------------------------------------------------------------------------------------------------------------------------------------------

  2. Second packet capture trace to see what happens when TCP/3389 is initiated from the source 192.168.200.200 (remote-user VPN client) to the destination 172.17.130.200 (internal home-user workstation)  (RESULT = NO Good)

HOME-ASAFW02(config)# packet-tracer input outside tcp 192.168.200.200 3389 3389 172.17.130.200

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,any) source static inside-network inside-network destination static obj_192.168.200.128 obj_192.168.200.128
Additional Information:
NAT divert to egress interface inside
Untranslate 172.17.130.200/3389 to 172.17.130.200/3389

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.200.200 255.255.255.255 outside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit tcp any any eq 3389
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcbcbb080, priority=13, domain=permit, deny=false
       hits=5, user_data=0xc9618a60, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
       src ip/id=0.0.0.0, mask=0.0.0.0, port=0
       dst ip/id=0.0.0.0, mask=0.0.0.0, port=3389, dscp=0x0
       input_ifc=outside, output_ifc=any

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcb4c0c78, priority=0, domain=inspect-ip-options, deny=true
       hits=25738, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
       src ip/id=0.0.0.0, mask=0.0.0.0, port=0
       dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
       input_ifc=outside, output_ifc=any

Phase: 5
Type: CP-PUNT
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcc07b4b0, priority=79, domain=punt, deny=true
       hits=3, user_data=0xcad57e78, cs_id=0x0, flags=0x0, protocol=0
       src ip/id=192.168.200.200, mask=255.255.255.255, port=0
       dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
       input_ifc=outside, output_ifc=any

Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc83dca10, priority=69, domain=ipsec-tunnel-flow, deny=false
       hits=3, user_data=0x61edc, cs_id=0x0, reverse, flags=0x0, protocol=0
       src ip/id=192.168.200.200, mask=255.255.255.255, port=0
       dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
       input_ifc=outside, output_ifc=any

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
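As an added example (my own code, not from the thread or from Cisco), a small Python parser that pulls the dropping phase and drop reason out of packet-tracer output like the two traces above, so the phase-6 VPN drop stands out without reading every phase; the sample trace embedded in it is constructed from the first run, with phases 2-5 omitted.

```python
"""Summarise Cisco ASA packet-tracer output: find the phase that dropped the flow and why.
Added illustration, not code from the thread or from Cisco; the sample trace is constructed."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: phases 1 and 6 of the thread's ICMP trace (phases 2-5 omitted for brevity).
SAMPLE_TRACE = """\
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,any) source static inside-network inside-network destination static obj_192.168.200.128 obj_192.168.200.128
Additional Information:
NAT divert to egress interface inside

Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: DROP
Config:
Additional Information:
Result:
input-interface: outside
output-interface: inside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: List[str] = field(default_factory=list)  # rule lines quoted under "Config:"

@dataclass
class Trace:
    phases: List[Phase]
    final: Dict[str, str]  # the trailing "Result:" block, keys lower-cased

    def dropping_phase(self) -> Optional[Phase]:
        return next((p for p in self.phases if p.result == "DROP"), None)

    def summary(self) -> str:
        p = self.dropping_phase()
        return "allowed" if p is None else f"dropped in phase {p.number} ({p.type}/{p.subtype}): {self.final.get('drop-reason', '?')}"

def parse_packet_tracer(text: str) -> Trace:
    phases: List[Phase] = []
    cur: Optional[Phase] = None
    section = None  # "config" while collecting lines under "Config:"
    final: Dict[str, str] = {}
    in_final = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.fullmatch(r"Phase:\s*(\d+)", line)
        if m:
            cur, section = Phase(int(m.group(1))), None
            phases.append(cur)
        elif line == "Result:":  # a bare "Result:" opens the final verdict block
            in_final, cur = True, None
        elif in_final:
            key, _, val = line.partition(":")
            final[key.strip().lower()] = val.strip()
        elif cur is None:
            continue  # e.g. the echoed command line before Phase 1
        elif line.startswith("Type:"):
            cur.type = line[5:].strip()
        elif line.startswith("Subtype:"):
            cur.subtype = line[8:].strip()
        elif line.startswith("Result:"):
            cur.result = line[7:].strip()
        elif line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        elif section == "config":
            cur.config.append(line)
    return Trace(phases, final)
```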

Hello Ohmar,

Can you make the NAT specific to the outside interface as follows:

no  nat (inside,any) source static inside-network inside-network destination static obj_192.168.200.128 obj_192.168.200.128

nat (inside,outside) 1  source static inside-network inside-network destination static obj_192.168.200.128 obj_192.168.200.128

clear local-host all

Regards,

Harish

Hi Harish,

I will implement this as soon as I get home tonight and let you know the results.  Appreciate your feedback as this issue has been haunting me.  I really hope this is the fix. 

Cheers,

Hi,

I actually meant that if you don't see the "sysopt" command in your running config then it means it's in use. I think the ASA is permitting VPN traffic past the ACL by default, and since it's the default setting it doesn't get listed in the configuration (even if you enter it).

If you used the "no" format of the command it should be visible in the configuration, but this is of course not something you're after anyway.

Do you have the VPN Client connection active when you do those "packet-tracers"?

I'm not 100% sure but the packet-tracer might fail just because the VPN connection isn't active. Packet-tracer isn't ideal for testing VPN but it does have its uses in VPN situations too (can activate L2L VPN negotiations etc.). So your packet-tracer might fail but doesn't necessarily give information why the actual VPN Client users' connections aren't going through.

Would be good to confirm while the VPN Client connection is on if the traffic from the client even gets encrypted by the VPN Client and if it reaches the ASA. ASDM should easily show you what's happening to the connection attempts in real time.

I also assume that you have made sure that there are no problems with possible LAN routing/gateway settings for the return traffic from LAN to VPN Client?

- Jouni

Jouni,

Yes, the VPN client and tunnel were initiated and built while the packet trace was running. I wanted to see what the capture looked like and why I wasn't able to initiate the RDP and ICMP from the VPN client.

Yes, there are NO problems on the LAN. I'm sure it's just something simple I need to fix on the ACL, but I'm NOT able to find the solution.

Hi Gents,

I changed the config according to what Harish mentioned above, BUT still it did not work.

no  nat (inside,any) source static inside-network inside-network destination static obj_192.168.200.128 obj_192.168.200.128

nat (inside,outside) 1  source static inside-network inside-network destination static obj_192.168.200.128 obj_192.168.200.128

clear local-host all

As soon as I got home, these are the steps I performed:

1. Launched the VPN client from my test remote workstation. (I have 2 different WiFi Linksys routers: downstairs uses Verizon FiOS, upstairs uses Comcast.) So I'm able to mimic being at a remote location.

2. VPN tunnel came up immediately. VPN Details | Statistics are below:

Address Information:   CLIENT: 192.168.200.200   SERVER: 68.45.17.105
Connection Info:       ENTRY: HOMEVPN   TIME: 0day(s), 00:15:39
Bytes:                 RCVD: 0   SENT: 480
Crypto:                ENCRYPTION: 168-bit-3-DES   AUTHENTICATION: HMAC-MD5
Packets:               ENCRYPTION: 8,  DECRYPTED: 0,  DISCARD: 1,  BYPASSED: 1555
Transport:             XPARENT TUNNELING: Active on UDP port 4500,  LOCAL LAN: Disabled,  Compression: None

3. Turned on the logs on the ASA-5505.

4. Went to the remote workstation with the launched/established/active VPN client and did a PING from the SOURCE remote station 192.168.200.200 to the DESTINATION internal workstation 172.17.130.200.

5. Noticed in the ASA logs that the ICMP connection is being built and torn down. However, I'm STILL NOT able to ping from 192.168.200.200 to 172.17.130.200.

See logs below:

Aug 30 2008 18:21:37: %ASA-7-609001: Built local-host outside:192.168.200.200
Aug 30 2008 18:21:37: %ASA-6-302020: Built inbound ICMP connection for faddr 192.168.200.200/1024(LOCAL\IBCFVPN) gaddr 172.17.130.200/0 laddr 172.17.130.200/0
Aug 30 2008 18:21:39: %ASA-6-302021: Teardown ICMP connection for faddr 192.168.200.200/1024(LOCAL\HOMEVPN) gaddr 172.17.130.200/0 laddr 172.17.130.200/0
Aug 30 2008 18:21:39: %ASA-7-609002: Teardown local-host outside:192.168.200.200 duration 0:00:02
Aug 30 2008 18:21:42: %ASA-7-609001: Built local-host outside:192.168.200.200
Aug 30 2008 18:21:42: %ASA-6-302020: Built inbound ICMP connection for faddr 192.168.200.200/1024(LOCAL\HOMEVPN) gaddr 172.17.130.200/0 laddr 172.17.130.200/0
Aug 30 2008 18:21:42: %ASA-7-713236: IP = 98.109.105.24, IKE_DECODE RECEIVED Message (msgid=9ea5b516) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
Aug 30 2008 18:21:42: %ASA-7-715047: Group = HOMEVPN, Username = HOMEVPN, IP = 98.x.x.x, processing hash payload
Aug 30 2008 18:21:42: %ASA-7-715047: Group = HOMEVPN, Username = HOMEVPN, IP = 98.x.x.x, processing notify payload
Aug 30 2008 18:21:42: %ASA-7-715075: Group = HOMEVPN, Username = HOMEVPN, IP = 98.x.x.x, Received keep-alive of type DPD R-U-THERE (seq number 0xc616c11d)
Aug 30 2008 18:21:42: %ASA-7-715036: Group = HOMEVPN, Username = HOMEVPN, IP = 98.x.x.x, Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0xc616c11d)
Aug 30 2008 18:21:42: %ASA-7-715046: Group = HOMEVPN, Username = HOMEVPN, IP = 98.x.x.x, constructing blank hash payload
Aug 30 2008 18:21:42: %ASA-7-715046: Group = HOMEVPN, Username = HOMEVPN, IP = 98.x.x.x, constructing qm hash payload
Aug 30 2008 18:21:42: %ASA-7-713236: IP = 98.x.x.x, IKE_DECODE SENDING Message (msgid=e0bbb25b) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
Aug 30 2008 18:21:44: %ASA-6-302021: Teardown ICMP connection for faddr 192.168.200.200/1024(LOCAL\HOMEVPN) gaddr 172.17.130.200/0 laddr 172.17.130.200/0
Aug 30 2008 18:21:44: %ASA-7-609002: Teardown local-host outside:192.168.200.200 duration 0:00:02
Aug 30 2008 18:21:47: %ASA-7-609001: Built local-host outside:192.168.200.200
Aug 30 2008 18:21:47: %ASA-6-302020: Built inbound ICMP connection for faddr 192.168.200.200/1024(LOCAL\HOMEVPN) gaddr 172.17.130.200/0 laddr 172.17.130.200/0
Aug 30 2008 18:21:49: %ASA-6-302021: Teardown ICMP connection for faddr 192.168.200.200/1024(LOCAL\HOMEVPN) gaddr 172.17.130.200/0 laddr 172.17.130.200/0


I'm also getting this on my ASA:

HOME-ASAFW02(config)# sho crypto ipsec sa
interface: outside
    Crypto map tag: dynmap, seq num: 30, local addr: 68.45.17.105

     local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.200.200/255.255.255.255/0/0)
      current_peer: 98.109.105.24, username: IBCFVPN
      dynamic allocated peer ip: 192.168.200.200

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 35, #pkts decrypt: 35, #pkts verify: 35
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 68.x.x.x/4500, remote crypto endpt.: 98.x.x.x/1188
      path mtu 1500, ipsec overhead 66, media mtu 1500
      current outbound spi: 6A86B2ED
      current inbound spi : 019297F0

    inbound esp sas:
      spi: 0x019297F0 (26384368)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 40960, crypto-map: dynmap
         sa timing: remaining key lifetime (sec): 23416
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x0000000F 0xFFFFFFFF
    outbound esp sas:
      spi: 0x6A86B2ED (1787212525)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 40960, crypto-map: dynmap
         sa timing: remaining key lifetime (sec): 23416
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

Hello Ohmar,

The last output from the ASA shows that there is one-way communication happening. Traffic from your VPN client is passing to the inside interface but you are not getting a reply from the inside host back to the VPN client (that is the reason you are seeing only decaps but no encaps):

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

#pkts decaps: 35, #pkts decrypt: 35, #pkts verify: 35

The issue is not with the VPN in my opinion. You may need to check the following things:

1. Is there any firewall turned on on the inside PC?

2. Is the gateway of the inside PC proper? (It should be the respective ASA interface.)

3. If WiFi is enabled on the inside PC, please turn it off.

Let me know the result.

Harish.
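As an added example (my own code, not from the thread or from Cisco), a Python check that reads the encaps/decaps counters Harish points to out of "show crypto ipsec sa" output and flags SAs where traffic flows in only one direction; the sample output is constructed with documentation placeholder addresses but mirrors the counters posted above.

```python
"""Flag one-way IPsec traffic from Cisco ASA 'show crypto ipsec sa' counters.
Added illustration, not from the thread or Cisco; the sample output is constructed
(addresses are documentation placeholders) to mirror the counters posted above."""
import re
from dataclasses import dataclass
from typing import List

SAMPLE_SA = """\
interface: outside
    Crypto map tag: dynmap, seq num: 30, local addr: 203.0.113.10

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.200.200/255.255.255.255/0/0)
      current_peer: 198.51.100.24, username: HOMEVPN
      dynamic allocated peer ip: 192.168.200.200

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 35, #pkts decrypt: 35, #pkts verify: 35
      #send errors: 0, #recv errors: 0
"""

@dataclass
class SaCounters:
    peer: str          # public address of the VPN peer
    assigned_ip: str   # address handed to the remote-access client from the pool
    encaps: int        # packets the ASA encrypted towards the peer (return traffic)
    decaps: int        # packets the ASA decrypted from the peer (client traffic)
    send_errors: int
    recv_errors: int

    def verdict(self) -> str:
        if self.encaps == 0 and self.decaps == 0:
            return "idle: nothing in either direction"
        if self.encaps == 0:
            return "one-way: client traffic decrypted, no return traffic encrypted"
        if self.decaps == 0:
            return "one-way: ASA sending, nothing received from the client"
        return "two-way"

def parse_ipsec_sa(text: str) -> List[SaCounters]:
    """Split the output into one chunk per SA (each starts at 'current_peer:')."""
    sas = []
    for chunk in re.split(r"(?=current_peer:)", text):
        peer = re.search(r"current_peer:\s*([\d.]+)", chunk)
        if not peer:
            continue  # header text before the first SA
        def count(label):  # counter value, or 0 if the line is missing
            m = re.search(r"#" + label + r":\s*(\d+)", chunk)
            return int(m.group(1)) if m else 0
        ip = re.search(r"dynamic allocated peer ip:\s*([\d.]+)", chunk)
        sas.append(SaCounters(peer.group(1), ip.group(1) if ip else "",
                              count("pkts encaps"), count("pkts decaps"),
                              count("send errors"), count("recv errors")))
    return sas

def one_way(sas: List[SaCounters]) -> List[SaCounters]:
    """SAs with traffic in only one direction, i.e. what the thread's counters show."""
    return [sa for sa in sas if sa.verdict().startswith("one-way")]

def delta(before: SaCounters, after: SaCounters) -> SaCounters:
    """Counters are cumulative; diff two snapshots taken around a ping or RDP test."""
    return SaCounters(after.peer, after.assigned_ip, after.encaps - before.encaps,
                      after.decaps - before.decaps, after.send_errors - before.send_errors,
                      after.recv_errors - before.recv_errors)
```

Because the counters never reset while the SA lives, take one snapshot before and one after the ping test and look at the delta: decaps climbing while encaps stays at zero is the one-way pattern described above.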

Hi Harish,

I appreciate and thank you for all your input. Yes, you are correct, there is only 1-way communication for some reason.

From the remote VPN client side: it's only XMITTING traffic, NOT RCVG traffic.

On the internal PC: it's only RCVG traffic, and NOT XMITTING.

I will definitely investigate your suggestions as soon as I get home, as it is possible that if the Windows Firewall and WiFi are turned on, they could be blocking the traffic.

To answer your questions:

1. Is there any firewall turned on on the inside PC?

        -  Will check this as soon as I get home tonight, as I'm not quite sure how I left it.

2. The gateway of the inside PC is proper (it should be the respective ASA interface)

       -  The inside PC is DIRECTLY ATTACHED to the INSIDE interface of the ASA-FW and it's getting its IP address from the DHCP address pool currently configured on the ASA-FW:

             dhcpd address 172.17.130.200-172.17.130.220 inside
             dhcpd enable inside

3. If WiFi is enabled on the inside PC, please turn it off

       -  Yes, I believe WiFi was enabled on the inside PC and I will definitely turn it off as soon as I get home tonight, just to see if this is the reason why I don't have a 2-way handshake.

Hi,

Even though the NAT change didn't help I suggest always using specific source and destination interfaces in the NAT configurations. Pretty much the only place I use "any" is when I'm doing basic/default PAT configuration for networks behind the firewall.

Seems your connection attempts are being correctly forwarded to the VPN Client connection and are decrypted by the firewall.

The question is, why isn't there any return traffic?

For ICMP, can you add "inspect icmp" and try again:

class inspection_default
  inspect dns preset_dns_map
  inspect icmp

This is needed for the firewall to automatically pass through the echo-replies. (Though I'm not sure if it matters in this case, I usually always add ICMP inspection anyway.)

Since you have another Internet connection available, can you test the VPN Client connection with TCP and check the logs at the same time? Does the TCP connection get terminated by SYN Timeout perhaps? Which again would mean that either the computer isn't replying or has no route to the VPN Client. I'm just asking as sometimes in similar cases I just ignore the possibility of having wrong default gateways (or lack of one) on the hosts being connected to.

If you want to go a step further you could configure a capture on the firewall for the Remote Desktop connection and test it, for example in the following way:

access-list RDP-CAPTURE-IN permit tcp 192.168.200.0 255.255.255.0 host 172.17.130.200 eq 3389

access-list RDP-CAPTURE-OUT permit tcp host 172.17.130.200 3389 192.168.200.0 255.255.255.0

capture RDP-CAPTURE-IN type raw-data packet-length 1522 access-list RDP-CAPTURE-IN interface inside buffer 10000000

capture RDP-CAPTURE-OUT type raw-data packet-length 1522 access-list RDP-CAPTURE-OUT interface inside buffer 10000000

And after the test, copy the capture files to a computer and either go through them yourself or attach them here to your post:

copy /pcap capture:RDP-CAPTURE-IN tftp://x.x.x.x/RDP-CAPTURE-IN.pcap

copy /pcap capture:RDP-CAPTURE-OUT tftp://x.x.x.x/RDP-CAPTURE-OUT.pcap

There might be an easier way to configure the capture but I've just gotten used to doing it the above way and merging the files on my computer. The capture should give a clear picture of what's actually coming from the LAN host during the test (if anything is coming from there at all).

- Jouni

Hi Jouni,

I appreciate and thank you for all your input. Great idea! I will definitely try your suggestions and the RDP captures. This would be great to see exactly what is happening with the traffic. Will try this as soon as I get home.

--Ohmar
