Cannot see remote network over remote access vpn

Ryan Fisher
Level 1

Setting up another remote access VPN, and I cannot access the remote network from the client. I've gotten this to work fine over other ASAs, but those were 5510s. This time it's a 5505, and for whatever reason it's not liking it. I've made sure I have a static route on the connected switch to return the traffic back to the ASA, and it must be doing that, because in packet captures I can see the echo reply.

I don't think it's an ACL that's blocking it, because I'm monitoring for message 106023 and not seeing anything get dropped. Although it's a little more difficult because the ASDM is having problems, saying the syslog connection is lost. So I've been trying to log to the terminal on SSH. Nothing is coming up with that filter, so I'm assuming nothing is getting dropped.

Any help is appreciated.

ausasa01-5505# sh run
: Saved
:
ASA Version 8.2(5)
!
hostname ausasa01-5505
names
!
interface Ethernet0/0
 description outside
 switchport access vlan 2
 speed 100
 duplex full
!
interface Ethernet0/1
 description inside
 speed 100
 duplex full
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.37.194.2 255.255.255.252
!
interface Vlan2
 nameif outside
 security-level 0
 ip address <outside ip> 255.255.255.248
!
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
object-group network DM_INLINE_NETWORK_1
 network-object 10.37.0.0 255.255.0.0
 network-object 192.168.37.0 255.255.255.0
object-group network DM_INLINE_NETWORK_2
 network-object host 209.242.145.130
 network-object host 216.115.85.212
access-list inside_access_in extended permit ip 192.168.37.0 255.255.255.0 any log warnings
access-list inside_access_in extended permit ip 10.37.1.0 255.255.255.0 any log warnings
access-list outside_1_cryptomap extended permit ip 10.37.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list inside_nat0_outbound extended permit ip 10.37.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list inside_nat0_outbound extended permit ip 10.37.0.0 255.255.0.0 10.254.37.0 255.255.255.240
access-list inside_access_in_1 extended permit ip object-group DM_INLINE_NETWORK_1 any log warnings
access-list SLOW-PRINTING extended permit ip 10.37.5.0 255.255.255.0 any
access-list outside_access_in extended permit icmp object-group DM_INLINE_NETWORK_2 host <outside ip> log warnings
access-list RemoteAccess_splitTunnelAcl standard permit 10.37.0.0 255.255.0.0
pager lines 24
logging enable
logging list acl-drop message 106023
logging monitor acl-drop
logging asdm acl-drop
mtu inside 1500
mtu outside 1500
ip local pool vpn_ip_ppol 10.254.37.0-10.254.37.10 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-714.bin
asdm history enable
arp timeout 14400
global (inside) 2 interface
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.37.1.0 255.255.255.0
nat (inside) 1 192.168.37.0 255.255.255.0
access-group inside_access_in_1 in interface inside
access-group outside_access_in in interface outside
!
router eigrp 100
 network 10.0.0.0 255.0.0.0
 network 0.0.0.0 0.0.0.0
 passive-interface default
 no passive-interface inside
!
route outside 0.0.0.0 0.0.0.0 <outside> 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 10.0.0.0 255.0.0.0 inside
snmp-server location
snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer <some IP>
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 10.0.0.0 255.0.0.0 inside
ssh timeout 60
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 10.200.1.41
webvpn
group-policy RemoteAccess internal
group-policy RemoteAccess attributes
 dns-server value 8.8.8.8
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RemoteAccess_splitTunnelAcl
 default-domain value procopio.local
 split-tunnel-all-dns disable
 vlan none
tunnel-group <some ip> type ipsec-l2l
tunnel-group <some ip> ipsec-attributes
 pre-shared-key *****
tunnel-group RemoteAccess type remote-access
tunnel-group RemoteAccess general-attributes
 address-pool vpn_ip_ppol
 default-group-policy RemoteAccess
tunnel-group RemoteAccess ipsec-attributes
 pre-shared-key *****
!
class-map SLOW-PRINTING
 description Throttles upload speed from 10.37.5.0/24
 match access-list SLOW-PRINTING
!
!
policy-map SLOW-PRINTING
 class SLOW-PRINTING
  police input 2048000
!
service-policy SLOW-PRINTING interface inside
prompt hostname context
no call-home reporting anonymous

Packet Trace...

14 packets captured

   1: 23:54:06.578156 802.1Q vlan#1 P0 10.254.37.1 > 10.37.194.1: icmp: echo request
   2: 23:54:06.579544 802.1Q vlan#1 P0 10.37.194.1 > 10.254.37.1: icmp: echo reply
   3: 23:54:07.577255 802.1Q vlan#1 P0 10.254.37.1 > 10.37.194.1: icmp: echo request
   4: 23:54:07.578171 802.1Q vlan#1 P0 10.37.194.1 > 10.254.37.1: icmp: echo reply
   5: 23:54:08.576843 802.1Q vlan#1 P0 10.254.37.1 > 10.37.194.1: icmp: echo request
   6: 23:54:08.578262 802.1Q vlan#1 P0 10.37.194.1 > 10.254.37.1: icmp: echo reply
   7: 23:54:09.576813 802.1Q vlan#1 P0 10.254.37.1 > 10.37.194.1: icmp: echo request
   8: 23:54:09.578613 802.1Q vlan#1 P0 10.37.194.1 > 10.254.37.1: icmp: echo reply
   9: 23:54:10.577088 802.1Q vlan#1 P0 10.254.37.1 > 10.37.194.1: icmp: echo request
  10: 23:54:10.578735 802.1Q vlan#1 P0 10.37.194.1 > 10.254.37.1: icmp: echo reply
  11: 23:54:11.576706 802.1Q vlan#1 P0 10.254.37.1 > 10.37.194.1: icmp: echo request
  12: 23:54:11.577316 802.1Q vlan#1 P0 10.37.194.1 > 10.254.37.1: icmp: echo reply
  13: 23:54:12.576615 802.1Q vlan#1 P0 10.254.37.1 > 10.37.194.1: icmp: echo request
  14: 23:54:12.578125 802.1Q vlan#1 P0 10.37.194.1 > 10.254.37.1: icmp: echo reply

14 packets shown

2 Replies

JORGE RODRIGUEZ
Level 10

Hi Ryan,

What networks from the internal switch behind your firewall are you trying to reach from the RA network? The packet capture you provided is towards your switch gateway IP 10.37.194.1, which is the directly connected interface to the firewall, but you have not shown what other subnets from your switch your RA pool is unable to reach.

You also have a routing process in place for EIGRP. Are you EIGRP peering with your internal switch? If you are doing static routing, make sure your RA IP pool network 10.254.37.0/24 is indeed routed back to the FW inside interface IP 10.37.194.2, and perhaps provide more details on your inside L3 logical topology and what networks the RA pool is required to access.

Regards

Jorge Rodriguez

Ryan Fisher
Level 1

Thanks for the reply. At this point I'm just trying to access the networks that are on the connected switch. The packet capture I gave shows that reply packets are sent, but my VPN client never sees them. At this point, I would just be happy for my VPN client to be able to access the connected switch at 10.37.194.1, which it cannot do, even though the packet capture shows that the switch is replying.

Thanks

Sent from Cisco Technical Support iPhone App
