ASA 8.2 ipsec-ra cisco vpnclient tunnel established, traffic won't pass

drivelineretail · ‎07-13-2011

please disregard 158.60.168.0/24 being used as our internal private network

phase 1 and 2 - no problems

vpnclient gets correct ip from pool and dns/etc

traffic will not pass through tunnel.

debug icmp shows something like this when i ping from vpnclient thru asa to lan

ICMP echo request from outside:10.10.10.1 to inside:158.60.168.29 ID=768 seq=2048 len=32

vpnclient statistics shows packets sent incrementing, but packets received won't increment.

vpnclient is 5.x

I have sysopt connection permit-vpn enabled even though show run sysopt doesn't display anything

Thanks in advance!!!!

ASA5510

ASA Version 8.2(1)

!

hostname ciscoasa

enable password P8mtLTam1zoMz9X6 encrypted

passwd P8mtLTam1zoMz9X6 encrypted

names

!

interface Ethernet0/0

nameif inside

security-level 100

ip address 158.60.168.2 255.255.255.0

!

interface Ethernet0/1

nameif outside

security-level 0

ip address a.b.66.14 255.255.255.252

!

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

shutdown

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

boot system disk0:/asa821-k8.bin

ftp mode passive

access-list inside_nat0_outbound extended permit ip 158.60.168.0 255.255.255.0 10.10.10.0 255.255.255.0

access-list outside_access_in extended permit tcp any any eq ssh

access-list vpnclient-splittunnel standard permit 158.60.168.0 255.255.255.0

pager lines 24

logging asdm informational

mtu inside 1500

mtu outside 1500

mtu management 1500

ip local pool vpnclient-pool 10.10.10.1-10.10.10.254 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-621.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 158.60.168.0 255.255.255.0

route outside 0.0.0.0 0.0.0.0 a.b.66.13 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

http server enable

http 192.168.1.0 255.255.255.0 management

http 158.60.168.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map vpnclient_dyn_map 20 set transform-set ESP-3DES-SHA

crypto map outside_map 65535 ipsec-isakmp dynamic vpnclient_dyn_map

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp ipsec-over-tcp port 10000

telnet 0.0.0.0 0.0.0.0 inside

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 inside

ssh 0.0.0.0 0.0.0.0 outside

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

group-policy vpnclient-policy internal

group-policy vpnclient-policy attributes

dns-server value 158.60.168.29

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value vpnclient-splittunnel

username dlindsey password 7U2c32fEqsZtcCv0 encrypted privilege 15

tunnel-group driveline type remote-access

tunnel-group driveline general-attributes

address-pool vpnclient-pool

default-group-policy vpnclient-policy

tunnel-group driveline ipsec-attributes

pre-shared-key *

!

class-map inspection_default

match default-inspection-traffic

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

message-length maximum client auto

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:7e217f15d83ac741ff5e65105c81a42e

: end

Jennifer Halim · ‎07-14-2011

A couple of things to add:

policy-map global_policy

class inspection_default

inspect icmp

management-access inside

Then from the VPN Client, try to see if you can ping the ASA inside interface (158.60.168.2).

If you can, then that's good.

You would need to check the host that you are trying to ping to see if the default gateway is the ASA inside interface (158.60.168.2) and also there is no personal firewall, etc on the host that might be preventing inbound access.

ajcaruana · ‎09-30-2011

I have a similar problem. I have 1 user able to log in to the ipsec-ra VPN using the cisco VPN client and access the servers, but another user is not able to access the servers. Did you manage to solve the problem ? If yes, what did you do ?