Configure VPN server + NAT exemption

ukirukuk13
Level 1

Hi

I have a problem with access from the VPN client to the inside private network across an ASA 5510.

I have an ASA 5510 with the 8.2 bin loaded. I made the classic NAT exemption configuration for the VPN server, but the VPN client can't ping and doesn't see the local file share.

Can anyone look at the configuration and debug log and help me understand why NAT exemption isn't working? Maybe it is a hardware problem?

I think NAT exemption doesn't work, but maybe I am mistaken.

ASA 5510 remote VPN configuration:

interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 172.16.1.2 255.255.255.252
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.99.60 255.255.255.0
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list inside extended permit ip 192.168.99.0 255.255.255.0 any
access-list inside extended permit icmp 192.168.99.0 255.255.255.0 any
access-list remote_vpn extended permit ip 192.168.99.0 255.255.255.0 192.168.199.0 255.255.255.0
access-list remote_vpn extended permit ip 192.168.199.0 255.255.255.0 192.168.99.0 255.255.255.0
ip local pool vpnpool1 192.168.199.128-192.168.199.254 mask 255.255.255.0
nat-control
global (outside) 1 interface
nat (inside) 0 access-list remote_vpn
nat (inside) 1 192.168.99.0 255.255.255.0
access-group inside in interface inside
route outside 0.0.0.0 0.0.0.0 172.16.1.1 1
sysopt noproxyarp outside
sysopt noproxyarp inside
crypto ipsec transform-set vpn_dyn_map esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map vpn_map 10 set pfs
crypto dynamic-map vpn_map 10 set transform-set vpn_dyn_map
crypto dynamic-map vpn_map 10 set security-association lifetime seconds 28800
crypto dynamic-map vpn_map 10 set security-association lifetime kilobytes 4608000
crypto map VpnAccess 65535 ipsec-isakmp dynamic vpn_map
crypto map VpnAccess interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
group-policy BossVpnAcc internal
group-policy BossVpnAcc attributes
 dns-server value 8.8.8.8
 vpn-idle-timeout 30
 vpn-tunnel-protocol IPSec svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value remote_vpn
 default-domain value greenteam.ua
 address-pools value vpnpool1
username cisco password xxxx encrypted privilege 15
username cisco attributes
 vpn-group-policy BossVpnAcc
 vpn-framed-ip-address 192.168.199.250 255.255.255.0
 service-type remote-access
tunnel-group BossVpnAcc type remote-access
tunnel-group BossVpnAcc general-attributes
 address-pool vpnpool1
 default-group-policy BossVpnAcc
tunnel-group BossVpnAcc ipsec-attributes
 pre-shared-key *****
tunnel-group-map default-group BossVpnAcc

The VPN client connects to the ASA:

VNPGate# sh crypto isakmp sa

   Active SA: 1
   Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 172.16.2.2
   Type   : user           Role   : responder
   Rekey   : no             State   : AM_ACTIVE
VNPGate#
VNPGate# sh crypto ipsec sa
interface: outside
   Crypto map tag: vpn_map, seq num: 10, local addr: 172.16.1.2

     local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
     remote ident (addr/mask/prot/port): (192.168.199.250/255.255.255.255/0/0)
     current_peer: 172.16.2.2, username: cisco
     dynamic allocated peer ip: 192.168.199.250

     #pkts encaps: 10, #pkts encrypt: 10, #pkts digest: 10
     #pkts decaps: 16, #pkts decrypt: 16, #pkts verify: 16
     #pkts compressed: 0, #pkts decompressed: 0
     #pkts not compressed: 10, #pkts comp failed: 0, #pkts decomp failed: 0
     #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
     #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
     #send errors: 0, #recv errors: 0

     local crypto endpt.: 172.16.1.2/4500, remote crypto endpt.: 172.16.2.2/11458
     path mtu 1400, ipsec overhead 82, media mtu 1500
     current outbound spi: B1991A16
     current inbound spi : 2EAF644C

   inbound esp sas:
     spi: 0x2EAF644C (783246412)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={RA, Tunnel, NAT-T-Encaps, }
         slot: 0, conn_id: 16384, crypto-map: vpn_map
         sa timing: remaining key lifetime (sec): 28332
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x0001FFFF
   outbound esp sas:
     spi: 0xB1991A16 (2979600918)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={RA, Tunnel, NAT-T-Encaps, }
         slot: 0, conn_id: 16384, crypto-map: vpn_map
         sa timing: remaining key lifetime (sec): 28332
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

VPN client pings the office server:

c:\>ping 192.168.99.60 (ping 4 packet)
Обмен пакетами с 192.168.99.60 по 32 байт:
Превышен интервал ожидания для запроса.
Превышен интервал ожидания для запроса.
Превышен интервал ожидания для запроса.
Превышен интервал ожидания для запроса.
Статистика Ping для 192.168.99.60:
   Пакетов: отправлено = 4, получено = 0, потеряно = 4 (100% потерь),

c:\>windump -i \Device\NPF_{4E2ACD58-EBD9-448A-94B9-BDE72400693E} -n
windump: listening on \Device\NPF_{4E2ACD58-EBD9-448A-94B9-BDE72400693E}
18:30:17.978851 arp who-has 192.168.99.60 tell 192.168.199.250
18:30:17.978906 arp reply 192.168.99.60 is-at 00:02:cf:a7:82:54
18:30:17.978915 IP 192.168.199.250 > 192.168.99.60: ICMP echo request, id 768, seq 1280, length 40
18:30:23.133749 IP 192.168.199.250 > 192.168.99.60: ICMP echo request, id 768, seq 1536, length 40
18:30:28.633687 IP 192.168.199.250 > 192.168.99.60: ICMP echo request, id 768, seq 1792, length 40
18:30:34.133618 IP 192.168.199.250 > 192.168.99.60: ICMP echo request, id 768, seq 2048, length 40

VNPGate# term mon
Dec 25 2011 18:30:17: %ASA-7-609001: Built local-host identity:192.168.99.60
Dec 25 2011 18:30:17: %ASA-6-302020: Built inbound ICMP connection for faddr 192.168.199.250/768 gaddr 192.168.99.60/0 laddr 192.168.99.60/0 (cisco)
ICMP echo request from 192.168.199.250 to 192.168.99.60 ID=768 seq=1280 len=32
Dec 25 2011 18:30:18: %ASA-7-609001: Built local-host outside:193.193.193.107
Dec 25 2011 18:30:19: %ASA-6-302021: Teardown ICMP connection for faddr 192.168.199.250/768 gaddr 192.168.99.60/0 laddr 192.168.99.60/0 (cisco)
Dec 25 2011 18:30:19: %ASA-7-609002: Teardown local-host identity:192.168.99.60 duration 0:00:02
Dec 25 2011 18:30:22: %ASA-7-609001: Built local-host identity:192.168.99.60
Dec 25 2011 18:30:22: %ASA-6-302020: Built inbound ICMP connection for faddr 192.168.199.250/768 gaddr 192.168.99.60/0 laddr 192.168.99.60/0 (cisco)
ICMP echo request from 192.168.199.250 to 192.168.99.60 ID=768 seq=1536 len=32
Dec 25 2011 18:30:23: %ASA-7-713236: IP = 172.16.2.2, IKE_DECODE RECEIVED Message (msgid=8bfe7cb2) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Dec 25 2011 18:30:23: %ASA-7-715047: Group = BossVpnAcc, Username = cisco, IP = 172.16.2.2, processing hash payload
Dec 25 2011 18:30:23: %ASA-7-715047: Group = BossVpnAcc, Username = cisco, IP = 172.16.2.2, processing notify payload
Dec 25 2011 18:30:23: %ASA-7-715075: Group = BossVpnAcc, Username = cisco, IP = 172.16.2.2, Received keep-alive of type DPD R-U-THERE (seq number 0xcaf9c72a)
Dec 25 2011 18:30:23: %ASA-7-715036: Group = BossVpnAcc, Username = cisco, IP = 172.16.2.2, Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0xcaf9c72a)
Dec 25 2011 18:30:23: %ASA-7-715046: Group = BossVpnAcc, Username = cisco, IP = 172.16.2.2, constructing blank hash payload
Dec 25 2011 18:30:23: %ASA-7-715046: Group = BossVpnAcc, Username = cisco, IP = 172.16.2.2, constructing qm hash payload
Dec 25 2011 18:30:23: %ASA-7-713236: IP = 172.16.2.2, IKE_DECODE SENDING Message (msgid=e3eda86f) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Dec 25 2011 18:30:24: %ASA-6-302021: Teardown ICMP connection for faddr 192.168.199.250/768 gaddr 192.168.99.60/0 laddr 192.168.99.60/0 (cisco)
Dec 25 2011 18:30:24: %ASA-7-609002: Teardown local-host identity:192.168.99.60 duration 0:00:02
Dec 25 2011 18:30:28: %ASA-7-609001: Built local-host identity:192.168.99.60
Dec 25 2011 18:30:28: %ASA-6-302020: Built inbound ICMP connection for faddr 192.168.199.250/768 gaddr 192.168.99.60/0 laddr 192.168.99.60/0 (cisco)
ICMP echo request from 192.168.199.250 to 192.168.99.60 ID=768 seq=1792 len=32
Dec 25 2011 18:30:30: %ASA-6-302021: Teardown ICMP connection for faddr 192.168.199.250/768 gaddr 192.168.99.60/0 laddr 192.168.99.60/0 (cisco)
Dec 25 2011 18:30:30: %ASA-7-609002: Teardown local-host identity:192.168.99.60 duration 0:00:02
Dec 25 2011 18:30:33: %ASA-7-609001: Built local-host identity:192.168.99.60
Dec 25 2011 18:30:33: %ASA-6-302020: Built inbound ICMP connection for faddr 192.168.199.250/768 gaddr 192.168.99.60/0 laddr 192.168.99.60/0 (cisco)
ICMP echo request from 192.168.199.250 to 192.168.99.60 ID=768 seq=2048 len=32
Dec 25 2011 18:30:34: %ASA-7-713236: IP = 172.16.2.2, IKE_DECODE RECEIVED Message (msgid=4aff2d40) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Dec 25 2011 18:30:34: %ASA-7-715047: Group = BossVpnAcc, Username = cisco, IP = 172.16.2.2, processing hash payload
Dec 25 2011 18:30:34: %ASA-7-715047: Group = BossVpnAcc, Username = cisco, IP = 172.16.2.2, processing notify payload
Dec 25 2011 18:30:34: %ASA-7-715075: Group = BossVpnAcc, Username = cisco, IP = 172.16.2.2, Received keep-alive of type DPD R-U-THERE (seq number 0xcaf9c72b)
Dec 25 2011 18:30:34: %ASA-7-715036: Group = BossVpnAcc, Username = cisco, IP = 172.16.2.2, Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0xcaf9c72b)
Dec 25 2011 18:30:34: %ASA-7-715046: Group = BossVpnAcc, Username = cisco, IP = 172.16.2.2, constructing blank hash payload
Dec 25 2011 18:30:34: %ASA-7-715046: Group = BossVpnAcc, Username = cisco, IP = 172.16.2.2, constructing qm hash payload
Dec 25 2011 18:30:34: %ASA-7-713236: IP = 172.16.2.2, IKE_DECODE SENDING Message (msgid=74063804) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Dec 25 2011 18:30:35: %ASA-6-302021: Teardown ICMP connection for faddr 192.168.199.250/768 gaddr 192.168.99.60/0 laddr 192.168.99.60/0 (cisco)
Dec 25 2011 18:30:35: %ASA-7-609002: Teardown local-host identity:192.168.99.60 duration 0:00:02

VNPGate# sh crypto ipsec sa
interface: outside
   Crypto map tag: vpn_map, seq num: 10, local addr: 172.16.1.2

     local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
     remote ident (addr/mask/prot/port): (192.168.199.250/255.255.255.255/0/0)
     current_peer: 172.16.2.2, username: cisco
     dynamic allocated peer ip: 192.168.199.250

     #pkts encaps: 10, #pkts encrypt: 10, #pkts digest: 10
     #pkts decaps: 20, #pkts decrypt: 20, #pkts verify: 20
     #pkts compressed: 0, #pkts decompressed: 0
     #pkts not compressed: 10, #pkts comp failed: 0, #pkts decomp failed: 0
     #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
     #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
     #send errors: 0, #recv errors: 0

     local crypto endpt.: 172.16.1.2/4500, remote crypto endpt.: 172.16.2.2/11458
     path mtu 1400, ipsec overhead 82, media mtu 1500
     current outbound spi: B1991A16
     current inbound spi : 2EAF644C

   inbound esp sas:
     spi: 0x2EAF644C (783246412)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={RA, Tunnel, NAT-T-Encaps, }
         slot: 0, conn_id: 16384, crypto-map: vpn_map
         sa timing: remaining key lifetime (sec): 28210
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x001FFFFF
   outbound esp sas:
     spi: 0xB1991A16 (2979600918)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={RA, Tunnel, NAT-T-Encaps, }
         slot: 0, conn_id: 16384, crypto-map: vpn_map
         sa timing: remaining key lifetime (sec): 28210
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

VNPGate# sh xlate
0 in use, 0 most used

We ping the VPN client from the VPN server:

VNPGate# ping 192.168.199.250 (ping 5 packet)
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.199.250, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
VNPGate#


VNPGate# term mon  
Dec 25 2011 18:36:53: %ASA-5-111008: User 'enable_15' executed the 'terminal monitor' command.
Dec 25 2011 18:36:56: %ASA-6-302020: Built outbound ICMP connection for faddr 192.168.199.250/0 gaddr 172.16.1.2/34614 laddr 172.16.1.2/34614
ICMP echo request from 172.16.1.2 to 192.168.199.250 ID=34614 seq=41976 len=72
ICMP echo request from 172.16.1.2 to 192.168.199.250 ID=34614 seq=41976 len=72
Dec 25 2011 18:36:58: %ASA-7-713236: IP = 172.16.2.2, IKE_DECODE RECEIVED Message (msgid=f982b1f6) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Dec 25 2011 18:36:58: %ASA-7-715047: Group = BossVpnAcc, Username = cisco, IP = 172.16.2.2, processing hash payload
Dec 25 2011 18:36:58: %ASA-7-715047: Group = BossVpnAcc, Username = cisco, IP = 172.16.2.2, processing notify payload
Dec 25 2011 18:36:58: %ASA-7-715075: Group = BossVpnAcc, Username = cisco, IP = 172.16.2.2, Received keep-alive of type DPD R-U-THERE (seq number 0xcaf9c74e)
Dec 25 2011 18:36:58: %ASA-7-715036: Group = BossVpnAcc, Username = cisco, IP = 172.16.2.2, Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0xcaf9c74e)
Dec 25 2011 18:36:58: %ASA-7-715046: Group = BossVpnAcc, Username = cisco, IP = 172.16.2.2, constructing blank hash payload
Dec 25 2011 18:36:58: %ASA-7-715046: Group = BossVpnAcc, Username = cisco, IP = 172.16.2.2, constructing qm hash payload
Dec 25 2011 18:36:58: %ASA-7-713236: IP = 172.16.2.2, IKE_DECODE SENDING Message (msgid=ac5e02a) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
ICMP echo request from 172.16.1.2 to 192.168.199.250 ID=34614 seq=41976 len=72
ICMP echo request from 172.16.1.2 to 192.168.199.250 ID=34614 seq=41976 len=72
ICMP echo request from 172.16.1.2 to 192.168.199.250 ID=34614 seq=41976 len=72
Dec 25 2011 18:37:06: %ASA-5-111008: User 'enable_15' executed the 'ping 192.168.199.250' command.
Dec 25 2011 18:37:06: %ASA-6-302021: Teardown ICMP connection for faddr 192.168.199.250/0 gaddr 172.16.1.2/34614 laddr 172.16.1.2/34614
term no mon
VNPGate#


c:\>windump -i \Device\NPF_{4E2ACD58-EBD9-448A-94B9-BDE72400693E} -n
windump: listening on \Device\NPF_{4E2ACD58-EBD9-448A-94B9-BDE72400693E}
18:36:56.861181 IP 172.16.1.2 > 192.168.199.250: ICMP echo request, id 34614, seq 41976, length 80
18:36:58.857967 IP 172.16.1.2 > 192.168.199.250: ICMP echo request, id 34614, seq 41976, length 80
18:37:00.858261 IP 172.16.1.2 > 192.168.199.250: ICMP echo request, id 34614, seq 41976, length 80
18:37:02.857359 IP 172.16.1.2 > 192.168.199.250: ICMP echo request, id 34614, seq 41976, length 80
18:37:04.857490 IP 172.16.1.2 > 192.168.199.250: ICMP echo request, id 34614, seq 41976, length 80


VNPGate# sh crypto ipsec sa 
interface: outside
    Crypto map tag: vpn_map, seq num: 10, local addr: 172.16.1.2

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.199.250/255.255.255.255/0/0)
      current_peer: 172.16.2.2, username: cisco
      dynamic allocated peer ip: 192.168.199.250

      #pkts encaps: 15, #pkts encrypt: 15, #pkts digest: 15
      #pkts decaps: 35, #pkts decrypt: 35, #pkts verify: 35
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 15, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 172.16.1.2/4500, remote crypto endpt.: 172.16.2.2/11458
      path mtu 1400, ipsec overhead 82, media mtu 1500
      current outbound spi: B1991A16
      current inbound spi : 2EAF644C

    inbound esp sas:
      spi: 0x2EAF644C (783246412)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 16384, crypto-map: vpn_map
         sa timing: remaining key lifetime (sec): 27836
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x0000000F 0xFFFFFFFF
    outbound esp sas:
      spi: 0xB1991A16 (2979600918)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 16384, crypto-map: vpn_map
         sa timing: remaining key lifetime (sec): 27836
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

VNPGate# 
VNPGate# sh xlate
0 in use, 0 most used

VNPGate# sh route

S    192.168.199.250 255.255.255.255 [1/0] via 172.16.1.1, outside
C    192.168.99.0 255.255.255.0 is directly connected, inside
C    172.16.1.0 255.255.255.252 is directly connected, outside
S*   0.0.0.0 0.0.0.0 [1/0] via 172.16.1.1, outside

What is wrong in my configuration?

PS:

While an inside client tries to ping the remote client, debug shows:


ICMP echo request from 192.168.99.1 to 192.168.99.60 ID=1 seq=904 len=64
ICMP echo reply from 192.168.99.60 to 192.168.99.1 ID=1 seq=904 len=64

ICMP echo request from inside:192.168.99.1 to outside:192.168.199.1 ID=1 seq=907 len=64
ICMP echo request translating inside:192.168.99.1/1 to outside:172.16.1.2/25336

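Two things in the posted output are worth checking mechanically before suspecting NAT exemption or hardware. First, the `remote_vpn` ACL bound by `nat (inside) 0 access-list` does cover the whole `vpnpool1` range as the destination of inside-sourced traffic, so return traffic to the client would bypass NAT. Second, the address the client is pinging, 192.168.99.60, is the address configured on the ASA's own inside interface (Ethernet0/1), which is why the ASA logs it as `Built local-host identity:`; an ASA does not answer traffic to one of its own interface addresses that arrives over a VPN through a different interface unless `management-access <ifname>` is configured, so that ping does not exercise the NAT exemption at all. The counters confirm the direction of the problem: between the two `sh crypto ipsec sa` snapshots the decaps counter rose from 16 to 20 while encaps stayed at 10, so the four echo requests were decrypted and nothing was sent back through the tunnel. The script below is an added example, not code from the thread or from Cisco; it embeds a constructed excerpt of the posted config, two constructed debug lines and the two counter snapshots, and runs those checks offline.

```python
# Offline checks for an ASA 8.2 remote-access VPN / NAT-exemption setup.
# Added example, not code from the thread. The config excerpt, debug lines
# and counter snapshots are constructed from values posted in the thread.
import ipaddress
import re

# Constructed excerpt of the posted running config (only the lines the checks need).
ASA_CONFIG = """\
interface Ethernet0/0
 nameif outside
 ip address 172.16.1.2 255.255.255.252
interface Ethernet0/1
 nameif inside
 ip address 192.168.99.60 255.255.255.0
access-list remote_vpn extended permit ip 192.168.99.0 255.255.255.0 192.168.199.0 255.255.255.0
access-list remote_vpn extended permit ip 192.168.199.0 255.255.255.0 192.168.99.0 255.255.255.0
ip local pool vpnpool1 192.168.199.128-192.168.199.254 mask 255.255.255.0
nat (inside) 0 access-list remote_vpn
nat (inside) 1 192.168.99.0 255.255.255.0
"""

# Constructed debug lines, shaped like the 'term mon' output in the thread.
DEBUG_LINES = [
    "ICMP echo request from 192.168.199.250 to 192.168.99.60 ID=768 seq=1280 len=32",
    "ICMP echo request from 192.168.199.250 to 192.168.99.60 ID=768 seq=1536 len=32",
]

# Constructed 'sh crypto ipsec sa' counter lines before and after the client's four pings.
SA_BEFORE = "#pkts encaps: 10, #pkts encrypt: 10, #pkts digest: 10\n#pkts decaps: 16, #pkts decrypt: 16, #pkts verify: 16"
SA_AFTER = "#pkts encaps: 10, #pkts encrypt: 10, #pkts digest: 10\n#pkts decaps: 20, #pkts decrypt: 20, #pkts verify: 20"


def parse_interfaces(config):
    """Map each nameif to its IPv4Interface by walking the 'interface' stanzas."""
    ifaces, name, addr = {}, None, None
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("interface "):
            name = addr = None  # new stanza, forget the previous one
        elif line.startswith("nameif "):
            name = line.split()[1]
        elif line.startswith("ip address "):
            parts = line.split()
            addr = ipaddress.ip_interface(f"{parts[2]}/{parts[3]}")
        if name and addr:
            ifaces[name] = addr
    return ifaces


def _take_net(tokens):
    """Consume one ACE address spec ('any', 'host A' or 'A MASK') from the token list."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}", strict=False)


def parse_nat_exempt_aces(config):
    """(src, dst) network pairs of the ACL bound by 'nat (<if>) 0 access-list <acl>'."""
    m = re.search(r"^nat \(\S+\) 0 access-list (\S+)", config, re.M)
    if not m:
        return []
    pairs = []
    for line in config.splitlines():
        tokens = line.split()
        if tokens[:4] == ["access-list", m.group(1), "extended", "permit"]:
            rest = tokens[5:]  # skip the protocol keyword
            pairs.append((_take_net(rest), _take_net(rest)))
    return pairs


def pool_exempt_from_nat(config, inside_net):
    """True if replies from inside_net to every pool address are matched by the NAT-0 ACL."""
    m = re.search(r"^ip local pool \S+ (\S+)-(\S+) mask", config, re.M)
    first, last = ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))
    return any(inside_net.subnet_of(src) and first in dst and last in dst
               for src, dst in parse_nat_exempt_aces(config))


def targets_on_asa_interface(config, debug_lines):
    """{dst_ip: nameif} for echo requests whose destination is an ASA interface address."""
    own = {str(i.ip): name for name, i in parse_interfaces(config).items()}
    hits = {}
    for line in debug_lines:
        m = re.match(r"ICMP echo request from \S+ to (\S+)", line)
        if m and m.group(1) in own:
            hits[m.group(1)] = own[m.group(1)]
    return hits


def ipsec_counter_delta(before, after):
    """Packets decapsulated (received from the client) vs encapsulated (sent back) between snapshots."""
    def grab(text, key):
        return int(re.search(rf"#pkts {key}: (\d+)", text).group(1))
    return {k: grab(after, k) - grab(before, k) for k in ("encaps", "decaps")}


if __name__ == "__main__":
    inside = parse_interfaces(ASA_CONFIG)["inside"]
    print("pool covered by NAT exemption:", pool_exempt_from_nat(ASA_CONFIG, inside.network))
    print("pings aimed at an ASA interface:", targets_on_asa_interface(ASA_CONFIG, DEBUG_LINES))
    print("tunnel counter delta during the test:", ipsec_counter_delta(SA_BEFORE, SA_AFTER))
```

Run against the constructed data it reports that the pool is covered by the exemption, that both echo requests target the `inside` interface address, and a delta of 0 encaps against 4 decaps. A ping from the client to a real host on 192.168.99.0/24 (not the ASA itself) is the test that actually tells you whether NAT exemption works.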
1 Reply

andrew.prince
Level 10

Post the output from the client, when connected, of:

ipconfig/all

route print
