08-18-2011 08:54 AM
Trying to figure out what the problem is. I am able to VPN but I can't access the internal hosts. I am trying to telnet to 10.10.59.1 which is allowed through the split tunnel.
Can anyone review my config and tell me if they see anything wrong?
hostname UMC-ASA
domain-name default.domain.invalid
names
dns-guard
!
interface Ethernet0/0
nameif Outside
security-level 1
ip address 10.15.59.10 255.255.255.0
!
interface Ethernet0/1
nameif Inside
security-level 100
ip address 10.10.59.11 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
boot system disk0:/asa825-k8.bin
boot system disk0:/asa704-12-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name default.domain.invalid
access-list Outside_access_in extended permit icmp any any
access-list Outside_access_in extended permit gre any any
access-list Outside_access_in extended permit tcp any host 10.10.59.1 eq telnet
access-list Outside_access_in extended permit ip 10.10.2.0 255.255.255.0 any
access-list Outside_access_in extended permit ip host 168.54.8.19 any
access-list Outside_access_in extended permit ip 168.0.0.0 255.0.0.0 host 10.10.59.75
access-list Outside_access_in extended permit ip any host 10.10.73.180
access-list Outside_access_in extended permit ip any host 10.10.59.55
access-list Outside_access_in extended permit tcp any host 10.59.7.1 eq telnet
access-list Outside_access_in extended permit tcp any host 10.10.59.7 eq telnet
access-list UMC-SPLIT-TUNNEL standard permit 10.10.38.0 255.255.255.0
access-list UMC-SPLIT-TUNNEL standard permit 10.10.59.0 255.255.255.0
access-list UMC-SPLIT-TUNNEL standard permit 10.10.60.0 255.255.255.0
access-list UMC-SPLIT-TUNNEL standard permit 10.10.61.0 255.255.255.0
access-list UMC-SPLIT-TUNNEL standard permit 10.10.73.0 255.255.255.0
pager lines 24
logging enable
logging buffer-size 8096
logging buffered notifications
logging asdm emergencies
mtu Outside 1500
mtu Inside 1500
mtu management 1500
ip local pool VPNPOOL 10.59.200.10-10.59.200.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Inside
asdm image disk0:/asdm-501.bin
no asdm history enable
arp timeout 14400
nat (Inside) 0 0.0.0.0 0.0.0.0
static (Inside,Outside) 10.10.59.1 10.10.59.1 netmask 255.255.255.255
static (Inside,Outside) 10.10.59.2 10.10.59.2 netmask 255.255.255.255
static (Inside,Outside) 10.10.162.111 10.10.162.111 netmask 255.255.255.255
static (Inside,Outside) 10.10.61.1 10.10.61.1 netmask 255.255.255.255
static (Inside,Outside) 10.10.59.75 10.10.59.75 netmask 255.255.255.255
static (Inside,Outside) 10.10.59.220 10.10.59.220 netmask 255.255.255.255
static (Inside,Outside) 10.10.59.92 10.10.59.92 netmask 255.255.255.255
static (Inside,Outside) 10.10.59.8 10.10.59.8 netmask 255.255.255.255
static (Inside,Outside) 10.10.59.200 10.10.59.200 netmask 255.255.255.255
static (Inside,Outside) 10.10.73.180 10.10.73.180 netmask 255.255.255.255
static (Inside,Outside) 10.10.59.117 10.10.59.117 netmask 255.255.255.255
static (Inside,Outside) 10.10.59.55 10.10.59.55 netmask 255.255.255.255
static (Inside,Outside) 10.10.59.22 10.10.59.22 netmask 255.255.255.255
static (Inside,Outside) 10.10.59.33 10.10.59.33 netmask 255.255.255.255
static (Inside,Outside) 10.10.59.34 10.10.59.34 netmask 255.255.255.255
static (Inside,Outside) 10.59.7.1 10.59.7.1 netmask 255.255.255.255
static (Inside,Outside) 10.10.59.7 10.10.59.7 netmask 255.255.255.255
access-group Outside_access_in in interface Outside
route Outside 0.0.0.0 0.0.0.0 10.15.59.1 1
route Inside 10.10.38.0 255.255.255.0 10.10.59.1 1
route Inside 10.10.60.0 255.255.255.0 10.10.59.1 1
route Inside 10.10.61.0 255.255.255.0 10.10.59.1 1
route Inside 10.10.73.0 255.255.255.0 10.10.59.1 1
route Inside 10.11.38.0 255.255.255.0 10.10.59.1 1
route Inside 10.11.60.0 255.255.255.0 10.10.59.1 1
route Inside 10.11.61.0 255.255.255.0 10.10.59.1 1
route Inside 10.11.73.0 255.255.255.0 10.10.59.1 1
route Inside 10.59.1.0 255.255.255.0 10.10.59.1 1
route Inside 10.59.6.0 255.255.255.0 10.10.59.1 1
route Inside 10.59.254.0 255.255.255.0 10.10.59.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.10.0.0 255.255.0.0 Outside
http 10.10.59.0 255.255.255.0 Inside
http 0.0.0.0 0.0.0.0 Outside
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map OUTSIDE_DYN_MAP 20 set pfs group1
crypto dynamic-map OUTSIDE_DYN_MAP 20 set transform-set ESP-3DES-SHA ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map OUTSIDE_DYN_MAP 20 set security-association lifetime seconds 288000
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic OUTSIDE_DYN_MAP
crypto map OUTSIDE_MAP interface Outside
crypto isakmp enable Outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 10.10.1.29 255.255.255.255 Outside
telnet 10.10.59.1 255.255.255.255 Inside
telnet 10.10.1.0 255.255.255.0 management
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy UMC-DEFAULT-GP internal
group-policy UMC-DEFAULT-GP attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value UMC-SPLIT-TUNNEL
default-domain value domain.com
username jmartinez password *** encrypted
username jmartinez attributes
vpn-group-policy UMC-DEFAULT-GP
tunnel-group UMC type remote-access
tunnel-group UMC general-attributes
address-pool VPNPOOL
default-group-policy UMC-DEFAULT-GP
tunnel-group UMC ipsec-attributes
pre-shared-key *****
!
!
smtp-server 10.10.2.21
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:e3dd87af93e1663220093447836f822b
: end
UMC-ASA#
08-18-2011 09:15 AM
Also, after about 5 mins of being connected, I see this:
%ASA-3-713123: Group = UMC, Username = jmartinez, IP = 10.10.1.35, IKE lost contact with remote peer, deleting connection (keepalive type: DPD)
%ASA-5-713259: Group = UMC, Username = jmartinez, IP = 10.10.1.35, Session is being torn down. Reason: Lost Service
%ASA-4-113019: Group = UMC, Username = jmartinez, IP = 10.10.1.35, Session disconnected. Session Type: IPsec, Duration: 0h:05m:08s, Bytes xmt: 800, Bytes rcv: 0, Reason: Lost Service
and the route in the routing table is removed.
08-18-2011 09:40 AM
Hi,
What version are you running?
It looks like you are missing the NAT bypass.
Thanks.
Raga
08-18-2011 10:07 AM
asa825-k8
NAT Bypass? Isn't that for site-to-site VPN only?
08-18-2011 11:44 AM
NAT bypass is for any VPN Connection, site to site or VPN clients.
Add the following lines to your config and try again:
access-list nonat permit ip 10.10.38.0 255.255.255.0 10.59.200.0 255.255.255.0
access-list nonat permit ip 10.10.59.0 255.255.255.0 10.59.200.0 255.255.255.0
access-list nonat permit ip 10.10.60.0 255.255.255.0 10.59.200.0 255.255.255.0
access-list nonat permit ip 10.10.61.0 255.255.255.0 10.59.200.0 255.255.255.0
access-list nonat permit ip 10.10.73.0 255.255.255.0 10.59.200.0 255.255.255.0
nat (inside) 0 access-list nonat
08-18-2011 12:55 PM
I tried it but no luck.
I thought this would take care of NAT:
nat (Inside) 0 0.0.0.0 0.0.0.0
On the statistics of the client, I see encrypted packets counter increase when I try to ping 10.10.59.1 so my tunneling is correct I believe.
Any other suggestions?
08-18-2011 01:04 PM
And it should, sorry I didn't see that line.
So, since you are not doing NAT on this ASA, I assume this is not the default gateway of your network.
You probably need a route on your default gateway or your core switch to 10.59.200.0/24 via 10.10.59.11 (inside interface of the ASA), so that the hosts on those LANs can route the traffic back to the ASA.
Right now, if you issue a show crypto ipsec sa you'd probably see a lot of packets decrypted but none encrypted. This is usually due to NAT problems (discarded) or routing.
08-19-2011 12:06 PM
Thanks for the tip!
Does it need a route?
Router > ASA > Internal Router.
The internal router has a default route to the ASA, so traffic to this new VPN DHCP pool should make it to the ASA anyway. I tried it anyway but it didn't work. I don't understand why it doesn't.
No we are not natting on the ASA. Any other suggestions?
08-19-2011 12:59 PM
Ok add this command:
management-access inside
Connect with the client and ping the inside interface of the ASA: 10.10.59.11, you should get replies from that one. Tell me if it doesn't.
Disconnect the client and connect one more time. Ping 10.10.59.1 a couple of times
Then get the output of this command: show crypto ipsec sa.
You should see if the packets are being at least decrypted and decapsulated by the ASA.
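The diagnostic step above turns on the encaps/decaps counters in "show crypto ipsec sa". The following is an added example (not part of any post in this thread, and not Cisco code) that parses that output and maps the counters to the conclusion the replies draw: packets decrypted but none encrypted means the ASA is receiving the client's traffic but nothing is coming back from the inside network. The sample output is constructed to look like the ASA 8.2 format for the session in this thread; the counter values are invented for illustration.

```python
import re

# Constructed sample of "show crypto ipsec sa" for one remote-access client,
# shaped like the ASA 8.2 output. The counters are invented: traffic arrives
# from the client (decaps) but nothing is ever sent back (encaps), which is
# the pattern the thread associates with a NAT-exempt or return-routing problem.
SAMPLE_SHOW_CRYPTO_IPSEC_SA = """\
interface: Outside
    Crypto map tag: OUTSIDE_DYN_MAP, seq num: 20, local addr: 10.15.59.10

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.59.200.10/255.255.255.255/0/0)
      current_peer: 10.10.1.35, username: jmartinez
      dynamic allocated peer ip: 10.59.200.10

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 25, #pkts decrypt: 25, #pkts verify: 25
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #send errors: 0, #recv errors: 0
"""

# One SA block starts at each "Crypto map tag:" line.
SA_SPLIT = re.compile(r"(?m)^(?=\s*Crypto map tag:)")
COUNTERS = ("encaps", "decaps", "send_errors", "recv_errors")
FIELDS = {
    "peer": re.compile(r"current_peer:\s*([\d.]+)"),
    "username": re.compile(r"username:\s*(\S+)"),
    "assigned_ip": re.compile(r"dynamic allocated peer ip:\s*([\d.]+)"),
    "encaps": re.compile(r"#pkts encaps:\s*(\d+)"),
    "decaps": re.compile(r"#pkts decaps:\s*(\d+)"),
    "send_errors": re.compile(r"#send errors:\s*(\d+)"),
    "recv_errors": re.compile(r"#recv errors:\s*(\d+)"),
}


def parse_ipsec_sas(text):
    """Return one dict per SA block: peer, user, assigned pool IP and counters."""
    sas = []
    for chunk in SA_SPLIT.split(text):
        if "Crypto map tag:" not in chunk:
            continue
        sa = {}
        for key, rx in FIELDS.items():
            m = rx.search(chunk)
            if m:
                sa[key] = int(m.group(1)) if key in COUNTERS else m.group(1)
        sas.append(sa)
    return sas


def diagnose(sa):
    """Map encaps/decaps to the next troubleshooting step named in the thread.

    Returns (code, explanation). Only the counters are consulted, so a bare
    dict with 'encaps' and 'decaps' keys is enough.
    """
    enc, dec = sa.get("encaps", 0), sa.get("decaps", 0)
    if enc == 0 and dec == 0:
        return ("no-traffic",
                "nothing crossed the tunnel either way: check the client and that "
                "the destination is in the split-tunnel list")
    if dec > 0 and enc == 0:
        return ("no-return-path",
                "ASA decrypts the client's packets but never encrypts a reply: the "
                "replies are not reaching the ASA (NAT exemption or routing back to "
                "the VPN pool on the inside network)")
    if enc > 0 and dec == 0:
        return "no-inbound", "ASA only sends; nothing is arriving from the client"
    return "ok", "traffic is flowing in both directions"


def diagnose_output(text):
    """Convenience wrapper: (username, assigned_ip, code) per SA in the output."""
    return [(sa.get("username"), sa.get("assigned_ip"), diagnose(sa)[0])
            for sa in parse_ipsec_sas(text)]


if __name__ == "__main__":
    for sa in parse_ipsec_sas(SAMPLE_SHOW_CRYPTO_IPSEC_SA):
        code, why = diagnose(sa)
        print(f"{sa['username']} ({sa['assigned_ip']} via {sa['peer']}): "
              f"encaps={sa['encaps']} decaps={sa['decaps']} -> {code}: {why}")
```

Paste the real "show crypto ipsec sa" output in place of the constructed sample; with several connected clients the parser yields one entry per SA, so a single user with a return-path problem stands out next to the healthy ones.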
08-19-2011 01:01 PM
management-access Inside
With Capital "I".
Thx
08-19-2011 09:18 PM
The nat (inside) 0 0.0.0.0 0.0.0.0 is not a best practice, since it might break other rules; the NAT exempt in conjunction with an ACL is better.
On the other hand, a ping to the inside interface of the ASA is required in order to rule out any routing problem, as mentioned by Luis, please issue the "management-access Inside" command, and then try to ping the ASA's internal IP from the VPN client.
If that works but you still can't ping the inside network, you will need to place a packet capture on the internal interface of the ASA in order to check the traffic flow.
An additional debugging command is "debug icmp trace", so you will see the ICMP packet being processed by the ASA.
Also, make sure that the internal network knows how to get back to the VPN pool.
Please keep us posted on any updates.
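Two of the replies above come down to the same pair of checks on the ASA side: every network in the split-tunnel list must be exempt from NAT towards the VPN pool (the per-network "nonat" ACL suggested earlier, rather than the catch-all nat 0), and the ASA must have a route out the inside interface for each of those networks. The script below is an added example (not from any post in this thread, and not Cisco tooling) that parses a trimmed copy of the posted config, reports both checks per split-tunnel network, and generates the nonat ACL lines. The second config, with an exempt ACL that omits one network, is constructed to show what the audit flags; the parser only understands the address/mask form of the ACL lines, not the any/host keywords.

```python
import ipaddress
import re

# Constructed excerpt of the config posted at the top of the thread: only the
# lines the NAT-exempt and routing checks below look at.
POSTED_CONFIG = """\
interface Ethernet0/1
 nameif Inside
 ip address 10.10.59.11 255.255.255.0
access-list UMC-SPLIT-TUNNEL standard permit 10.10.38.0 255.255.255.0
access-list UMC-SPLIT-TUNNEL standard permit 10.10.59.0 255.255.255.0
access-list UMC-SPLIT-TUNNEL standard permit 10.10.60.0 255.255.255.0
access-list UMC-SPLIT-TUNNEL standard permit 10.10.61.0 255.255.255.0
access-list UMC-SPLIT-TUNNEL standard permit 10.10.73.0 255.255.255.0
ip local pool VPNPOOL 10.59.200.10-10.59.200.254 mask 255.255.255.0
nat (Inside) 0 0.0.0.0 0.0.0.0
route Inside 10.10.38.0 255.255.255.0 10.10.59.1 1
route Inside 10.10.60.0 255.255.255.0 10.10.59.1 1
route Inside 10.10.61.0 255.255.255.0 10.10.59.1 1
route Inside 10.10.73.0 255.255.255.0 10.10.59.1 1
"""

# Same excerpt with the catch-all nat 0 replaced by a per-network exempt ACL
# that forgets three of the five networks (constructed to show what the audit flags).
PARTIAL_EXEMPT_CONFIG = POSTED_CONFIG.replace(
    "nat (Inside) 0 0.0.0.0 0.0.0.0\n",
    "access-list nonat permit ip 10.10.38.0 255.255.255.0 10.59.200.0 255.255.255.0\n"
    "access-list nonat permit ip 10.10.59.0 255.255.255.0 10.59.200.0 255.255.255.0\n"
    "nat (inside) 0 access-list nonat\n")


def net(addr, mask):
    """Build a network from the ASA's 'address mask' notation (host masks included)."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_config(text):
    """Pull interfaces, pools, ACLs, nat 0 statements and routes out of an
    ASA 8.2-style config; everything else is ignored."""
    cfg = {"ifaces": {}, "pools": {}, "std_acl": {}, "ext_acl": {}, "nat0": [], "routes": []}
    iface = None
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"nameif (\S+)$", line):
            iface = m.group(1)
        elif (m := re.match(r"ip address (\S+) (\S+)", line)) and iface:
            cfg["ifaces"][iface] = net(m.group(1), m.group(2))
        elif m := re.match(r"ip local pool (\S+) (\S+)-\S+ mask (\S+)", line):
            cfg["pools"][m.group(1)] = net(m.group(2), m.group(3))
        elif m := re.match(r"access-list (\S+) standard permit (\S+) (\S+)", line):
            cfg["std_acl"].setdefault(m.group(1), []).append(net(m.group(2), m.group(3)))
        elif m := re.match(r"access-list (\S+) (?:extended )?permit ip (\S+) (\S+) (\S+) (\S+)", line):
            cfg["ext_acl"].setdefault(m.group(1), []).append(
                (net(m.group(2), m.group(3)), net(m.group(4), m.group(5))))
        elif m := re.match(r"nat \((\S+)\) 0 access-list (\S+)", line):
            cfg["nat0"].append(("acl", m.group(1), m.group(2)))
        elif m := re.match(r"nat \((\S+)\) 0 (\S+) (\S+)", line):
            cfg["nat0"].append(("net", m.group(1), net(m.group(2), m.group(3))))
        elif m := re.match(r"route (\S+) (\S+) (\S+) (\S+)", line):
            cfg["routes"].append((m.group(1), net(m.group(2), m.group(3)), m.group(4)))
    return cfg


def nat_exempt(cfg, inside, src, dst):
    """True if src -> dst on the inside interface is exempt from NAT, via either
    'nat (if) 0 net mask' or 'nat (if) 0 access-list'. Interface names are
    compared case-insensitively."""
    for kind, ifname, arg in cfg["nat0"]:
        if ifname.lower() != inside.lower():
            continue
        if kind == "net" and src.subnet_of(arg):
            return True
        if kind == "acl" and any(src.subnet_of(s) and dst.subnet_of(d)
                                 for s, d in cfg["ext_acl"].get(arg, [])):
            return True
    return False


def routed_via(cfg, inside, network):
    """The ASA must see the split-tunnel network either on the inside subnet
    itself or behind a static route pointing out the inside interface."""
    if network.subnet_of(cfg["ifaces"][inside]):
        return True
    return any(i.lower() == inside.lower() and network.subnet_of(r)
               for i, r, _ in cfg["routes"])


def audit(cfg, inside="Inside", pool="VPNPOOL", split_acl="UMC-SPLIT-TUNNEL"):
    """Per split-tunnel network: NAT-exempt towards the pool, and reachable?"""
    pool_net = cfg["pools"][pool]
    return {str(n): {"nat_exempt": nat_exempt(cfg, inside, n, pool_net),
                     "routed": routed_via(cfg, inside, n)}
            for n in cfg["std_acl"][split_acl]}


def nonat_acl(cfg, inside="Inside", pool="VPNPOOL", split_acl="UMC-SPLIT-TUNNEL", name="nonat"):
    """Generate the per-network exempt ACL recommended in the thread: one
    line per split-tunnel network towards the pool, plus the nat 0 binding."""
    p = cfg["pools"][pool]
    lines = [f"access-list {name} extended permit ip {n.network_address} {n.netmask} "
             f"{p.network_address} {p.netmask}" for n in cfg["std_acl"][split_acl]]
    return lines + [f"nat ({inside}) 0 access-list {name}"]


if __name__ == "__main__":
    for label, text in (("posted config", POSTED_CONFIG), ("partial exempt ACL", PARTIAL_EXEMPT_CONFIG)):
        print(label)
        for n, r in audit(parse_config(text)).items():
            print(f"  {n:16} nat_exempt={r['nat_exempt']!s:5} routed={r['routed']}")
    print("\n".join(nonat_acl(parse_config(POSTED_CONFIG))))
```

Against the posted config every network passes both checks, which matches the thread's conclusion that the catch-all nat 0 already covers the pool and the problem is on the return path inside the LAN rather than on the ASA; the generated ACL is what to move to once the catch-all is replaced, and the script can be re-run against the live config after the change.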