Wrong default Gateway VPN IPSEC ASA5510

avburren1
Level 1

Hi,

I've configured an IPsec VPN on my ASA5510. It assigns IP/netmask/gateway via a DHCP server on the LAN.

The problem is that when a client is connected to the VPN, it gets the right IP and netmask (192.168.1.109 / 255.255.255.0), but the default gateway is wrong (192.168.1.1). It should be the default gateway of my LAN router (192.168.1.229).

Any Ideas?

Thank you

7 Replies

ajay chauhan
Level 7

Hi,

What type of VPN is it? Please post your ASA config.

Thanks

Ajay

It's an IPsec VPN.

Here is the VPN part of the ASA config:

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set RA-AES256SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set RA-AES256SHA
crypto map WAN_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map WAN_map interface WAN
crypto isakmp enable WAN
crypto isakmp policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
no vpn-addr-assign aaa
no vpn-addr-assign local
telnet timeout 5
ssh timeout 5
console timeout 0
no threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
no threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy IPSecGroupPolicy internal
group-policy IPSecGroupPolicy attributes
 vpn-tunnel-protocol IPSec
username vrichard password SLnrnvkgDCGbFzSy encrypted
username admin password s4eZ65wMkbzN/t/U encrypted
tunnel-group SecureMeIPSEC type remote-access
tunnel-group SecureMeIPSEC general-attributes
 default-group-policy IPSecGroupPolicy
 dhcp-server 192.168.1.4
tunnel-group SecureMeIPSEC ipsec-attributes
 pre-shared-key *

Can you post the full config?

Result of the command: "show running-config"

: Saved
:
ASA Version 8.2(1)
!
hostname asaCDM
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 7pnMci0DbmR0wKYW encrypted
names
name 194.x.x.x WAN
!
interface Ethernet0/0
 speed 100
 nameif LAN
 security-level 100
 ip address 192.168.1.254 255.255.255.0
!
interface Ethernet0/1
 speed 100
 nameif DMZ
 security-level 50
 ip address 10.1.1.1 255.0.0.0
!
interface Ethernet0/2
 speed 100
 nameif WAN
 security-level 0
 ip address WAN 255.255.255.248
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 172.16.1.254 255.255.0.0
 management-only
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup DMZ
dns domain-lookup WAN
dns server-group DefaultDNS
 name-server 194.2.0.20
 name-server 194.2.0.50
same-security-traffic permit intra-interface
access-list WAN_access_in extended deny ip any any
access-list DMZ_nat0_outbound extended permit ip host 10.1.1.2 host 192.168.1.4
access-list LAN_nat0_outbound extended permit ip 192.168.0.0 255.255.248.0 object-group DM_INLINE_NETWORK_24
access-list DMZ_nat0_outbound_1 extended permit ip host 10.1.1.2 host 192.168.1.4
pager lines 24
logging enable
logging asdm warnings
mtu LAN 1500
mtu DMZ 1500
mtu WAN 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (WAN) 1 interface
nat (LAN) 0 access-list LAN_nat0_outbound
nat (LAN) 1 192.168.1.0 255.255.255.0
nat (DMZ) 0 access-list DMZ_nat0_outbound_1 outside
static (DMZ,LAN) 194.x.x.x 10.1.1.2 netmask 255.255.255.255
static (DMZ,LAN) 194.x.x.y 10.1.1.3 netmask 255.255.255.255
static (DMZ,WAN) 194.x.x.x 10.1.1.2 netmask 255.255.255.255
static (DMZ,WAN) 194.x.x.y 10.1.1.3 netmask 255.255.255.255
static (LAN,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.248.0
access-group LAN_access_in in interface LAN
access-group DMZ_access_in in interface DMZ
access-group WAN_access_in in interface WAN
route WAN 0.0.0.0 0.0.0.0 194.x.x.z 1
route LAN 192.168.0.1 255.255.255.255 192.168.1.229 1
route LAN 192.168.2.0 255.255.255.0 192.168.1.230 1
route LAN 192.168.2.2 255.255.255.255 192.168.1.240 1
route LAN 192.168.2.209 255.255.255.255 192.168.1.240 1
route LAN 192.168.2.210 255.255.255.255 192.168.1.240 1
route LAN 192.168.4.0 255.255.255.0 192.168.1.229 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 172.16.0.0 255.255.0.0 management
http 192.168.1.0 255.255.255.0 LAN
no service resetoutbound interface management
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set RA-AES256SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set RA-AES256SHA
crypto map WAN_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map WAN_map interface WAN
crypto isakmp enable WAN
crypto isakmp policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
no vpn-addr-assign aaa
no vpn-addr-assign local
telnet timeout 5
ssh timeout 5
console timeout 0
no threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
no threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy IPSecGroupPolicy internal
group-policy IPSecGroupPolicy attributes
 vpn-tunnel-protocol IPSec
username vrichard password SLnrnvkgDCGbFzSy encrypted
username admin password s4eZ65wMkbzN/t/U encrypted
tunnel-group SecureMeIPSEC type remote-access
tunnel-group SecureMeIPSEC general-attributes
 default-group-policy IPSecGroupPolicy
 dhcp-server 192.168.1.4
tunnel-group SecureMeIPSEC ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:2c69d62bdf751b2bcbbe68b181e0bd09
: end

Here is the journal logging of the VPN client:

I forgot to say that I use Vista as the operating system.

When I use XP, the default gateway is the same IP as the Cisco Systems adapter interface. Is that normal?

In both cases, I have access to my LAN resources but I don't have access to the Internet.

Thank you.

I added the DNS manually in the ASA config and I'm able to access the Internet now. In fact, the VPN client just received the IP address and the netmask from the DHCP server.

Does someone have an explanation about the default gateway?

Without the right gateway I only have access to the 192.168.1.0/24 network. I would like to reach the other networks.

Thank you
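As an added example (not from the thread or from Cisco), a Python check that reads an ASA 8.2 running-config excerpt constructed from the one posted above and reports the remote-access settings behind the symptoms discussed: DHCP address assignment via the tunnel-group, the group-policy lacking a dns-server value (the fix the poster applied by hand), the absent split-tunnel-policy (so the client is full-tunnel and Internet access depends on hairpin NAT on WAN), and IKEv1 policies that still offer DES/3DES or MD5. Section names and indentation follow native ASA output; the excerpt is a constructed sample.

```python
import re

# Constructed excerpt of the ASA 8.2 running-config posted in this thread,
# with the native one-space indentation restored (only the lines checked below).
ASA_CONFIG = """\
crypto isakmp policy 1
 encryption aes-256
 hash sha
crypto isakmp policy 10
 encryption des
 hash sha
group-policy IPSecGroupPolicy attributes
 vpn-tunnel-protocol IPSec
tunnel-group SecureMeIPSEC general-attributes
 default-group-policy IPSecGroupPolicy
 dhcp-server 192.168.1.4
"""

def parse_sections(config):
    """Map each top-level command to the list of its indented child lines."""
    sections, current = {}, None
    for line in config.splitlines():
        if line.startswith(" ") and current is not None:
            sections[current].append(line.strip())
        elif line.strip():
            current = line.strip()
            sections.setdefault(current, [])
    return sections

def arg(lines, keyword):
    """Last token of the first child line starting with `keyword`, else None."""
    return next((l.split()[-1] for l in lines if l.split()[0] == keyword), None)

def audit_remote_access(config):
    """Findings on how remote-access clients get address, DNS and routes, plus weak IKEv1 policies."""
    s, out = parse_sections(config), []
    for head, body in s.items():
        tg = re.match(r"tunnel-group (\S+) general-attributes", head)
        if tg:
            gp = arg(body, "default-group-policy")
            if arg(body, "dhcp-server"):  # ASA proxies DHCP; the client receives IP and mask only
                out.append(f"{tg.group(1)}: address from DHCP server {arg(body, 'dhcp-server')}")
            attrs = s.get(f"group-policy {gp} attributes", [])
            if not arg(attrs, "dns-server"):  # without 'dns-server value' the client gets no DNS
                out.append(f"{gp}: no dns-server value")
            if not arg(attrs, "split-tunnel-policy"):  # default is tunnelall (full tunnel)
                out.append(f"{gp}: no split-tunnel-policy; Internet needs hairpin NAT on WAN")
        ike = re.match(r"crypto isakmp policy (\d+)", head)
        if ike and (arg(body, "encryption") in ("des", "3des") or arg(body, "hash") == "md5"):
            out.append(f"isakmp policy {ike.group(1)}: weak {arg(body, 'encryption')}/{arg(body, 'hash')}")
    return out
```

Run it against a full `show running-config` capture to get the same four-line report for any tunnel-group and its group-policy.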
