Allowing VPN Clients to management network - nat woes

stever4321
Level 1

Attempting to allow access for IPSEC VPN Client to management network.  Packet trace stops on vpn encrypt even though phase 7 states it is NAT EXEMPT; it says it's still trying to NAT through a static.  The only thing I can think of is to put a nat exempt rule for the subnet on the outside interface...

Please advise.  Thanks.

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         OUTSIDE

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group MANAGEMENT-IN in interface MANAGEMENT
access-list MANAGEMENT-IN extended permit ip any any
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
  match ip MANAGEMENT 10.10.10.0 255.255.255.0 OUTSIDE 172.18.0.32 255.255.255.240
    NAT exempt
    translate_hits = 3, untranslate_hits = 33
Additional Information:

Phase: 8
Type: NAT
Subtype:
Result: ALLOW
Config:
static (MANAGEMENT,OUTSIDE) 203.23.23.75 10.10.10.10 netmask 255.255.255.255
  match ip MANAGEMENT host 10.10.10.10 OUTSIDE any
    static translation to 203.23.176.75
    translate_hits = 0, untranslate_hits = 1
Additional Information:

Phase: 9
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (MANAGEMENT,OUTSIDE) 203.23.23.75 10.10.10.10 netmask 255.255.255.255
  match ip MANAGEMENT host 10.10.10.10 OUTSIDE any
    static translation to 203.23.23.75
    translate_hits = 0, untranslate_hits = 1
Additional Information:

Phase: 10
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
input-interface: MANAGEMENT
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule


------------SNIPPET FROM CONFIG------------------

access-list CorpVPN extended permit ip 10.10.10.0 255.255.255.0 172.18.0.32 255.255.255.240
access-list CorpVPN extended permit ip 172.18.0.32 255.255.255.240 10.10.10.0 255.255.255.0

ip local pool CorpVPN 172.18.0.33-172.18.0.46 mask 255.255.255.240

access-list MANAGEMENT-OUT extended permit tcp 172.18.0.32 255.255.255.240 host 10.10.10.11 eq ssh
access-list MANAGEMENT-OUT extended permit tcp 172.18.0.32 255.255.255.240 host 10.10.10.10 eq ssh
access-list MANAGEMENT-OUT extended permit tcp 172.18.0.32 255.255.255.240 host 10.10.10.13 eq 3389

access-list 101 extended permit ip 10.10.10.0 255.255.255.0 172.18.0.32 255.255.255.240

nat (MANAGEMENT) 0 access-list NO-NAT-FROM-MGMT
access-list NO-NAT-FROM-MGMT extended permit ip 10.10.10.0 255.255.255.0 172.18.0.32 255.255.255.240

access-list CorpVPN extended permit ip 10.10.10.0 255.255.255.0 172.18.0.32 255.255.255.240
access-list CorpVPN extended permit ip 172.18.0.32 255.255.255.240 any

group-policy CorpVPN internal
group-policy CorpVPN attributes
dns-server value 203.23.23.23
vpn-simultaneous-logins 8
vpn-idle-timeout 720
vpn-tunnel-protocol IPSec l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value CorpVPN
address-pools value CorpVPN

tunnel-group CorpVPN type remote-access
tunnel-group CorpVPN general-attributes
address-pool CorpVPN
default-group-policy CorpVPN
tunnel-group CorpVPN ipsec-attributes
pre-shared-key

Accepted Solution

Firstly, there is overlapping crypto ACL with the static L2L VPN:

crypto map ASA1MAP 10 match address 101

access-list 101 extended permit ip 10.10.10.0 255.255.255.0 172.18.0.32 255.255.255.240
access-list 101 extended permit ip 172.18.0.32 255.255.255.240 10.10.10.0 255.255.255.0

I would remove the 2 lines of ACL 101 above as it is incorrect.

Secondly, from the output of "show cry ipsec sa", you seem to be getting ip address from "jdv1.australis.net.au" pool, not "CorpVPN" pool. Therefore, the NO NAT ACL on Management interface is incorrect. I would just add a broader range for the NO NAT statement so it covers all your ip pool:

access-list NO-NAT-FROM-MGMT extended permit ip 10.10.10.0 255.255.255.0 172.18.0.0 255.255.255.0

Thirdly, same with your dynamic crypto map ACL "OUTSIDE_cryptomap_65535.65535", it only covers 172.18.0.32/28, so I would just add a broader range since it seems that you get ip address from different pool:

access-list OUTSIDE_cryptomap_65535.65535 extended permit ip any 172.18.0.0 255.255.255.0

Then, I would disable the following access-group for testing purposes first:

no access-group MANAGEMENT-OUT out interface MANAGEMENT

Lastly, please clear all the SA on your ASA and xlate, then reconnect to your vpn client and test it again:

clear cry ipsec sa

clear cry isa sa

clear xlate

Please let us know how it goes after the changes. If it still doesn't work, please kindly re-send the latest configuration, and also send the output of the following:

show cry isa sa

show cry ipsec sa

and a screenshot of the statistics page on your vpn client. Thanks.

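The second point of the accepted solution is that the client's allocated address (172.18.0.3 in the later "show cry ipsec sa" output) falls outside the 172.18.0.32/28 destination used by both the NO-NAT ACL and the dynamic crypto map ACL. The following added example (not from this thread or from Cisco) parses those ASA lines with Python's ipaddress module and reports which allocated peer addresses are not covered; the sample CONFIG and IPSEC_SA strings are constructed from the values posted above.

```python
import ipaddress
import re
# Constructed sample input: the pool and ACL lines as posted in this thread, plus the
# "dynamic allocated peer ip" line from the user's "show crypto ipsec sa" output.
CONFIG = """
ip local pool CorpVPN 172.18.0.33-172.18.0.46 mask 255.255.255.240
access-list NO-NAT-FROM-MGMT extended permit ip 10.10.10.0 255.255.255.0 172.18.0.32 255.255.255.240
access-list OUTSIDE_cryptomap_65535.65535 extended permit ip any 172.18.0.32 255.255.255.240
"""
IPSEC_SA = """
      dynamic allocated peer ip: 172.18.0.3
"""

def _addr(tokens, i):
    """Consume one ASA ACL address spec (any | host A | A MASK); return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2

def acl_destinations(config, name):
    """Destination networks of every 'extended permit ip' line of ACL `name`."""
    nets = []
    for line in config.splitlines():
        t = line.split()
        if t[:2] == ["access-list", name] and t[2:5] == ["extended", "permit", "ip"]:
            _src, i = _addr(t, 5)
            dst, _ = _addr(t, i)
            nets.append(dst)
    return nets

def allocated_peer_ips(sa_output):
    """Client addresses handed out by the ASA, taken from 'show crypto ipsec sa'."""
    return [ipaddress.ip_address(a) for a in re.findall(r"dynamic allocated peer ip: (\S+)", sa_output)]

def uncovered_peers(config, acl_name, sa_output):
    """Allocated client addresses that no destination entry of `acl_name` covers."""
    nets = acl_destinations(config, acl_name)
    return [str(ip) for ip in allocated_peer_ips(sa_output) if not any(ip in n for n in nets)]

def pool_covered(config, acl_name):
    """True if every 'ip local pool' range falls entirely inside the ACL's destinations."""
    nets = acl_destinations(config, acl_name)
    for m in re.finditer(r"^ip local pool \S+ (\S+)-(\S+)", config, re.M):
        lo, hi = (ipaddress.ip_address(x) for x in m.groups())
        if not any(lo in n and hi in n for n in nets):
            return False
    return True
```

Running uncovered_peers against the posted config flags 172.18.0.3 for both ACLs; replacing the destination with 172.18.0.0 255.255.255.0, as the accepted solution suggests, clears it.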


Jennifer Halim
Cisco Employee

Split tunnel ACL needs to be standard ACL instead of extended ACL.


Currently you have the following:

access-list CorpVPN extended permit ip 10.10.10.0 255.255.255.0 172.18.0.32 255.255.255.240
access-list CorpVPN extended permit ip 172.18.0.32 255.255.255.240 10.10.10.0 255.255.255.0

Please kindly change it to:

access-list CorpVPN standard permit 10.10.10.0 255.255.255.0

plus any other internal networks that you would like to access from the vpn client.

Can you also advise if the MANAGEMENT interface has a "management-only" configuration line? If it does, then please kindly remove it, as you wouldn't be able to pass traffic from the vpn client towards servers connected to the MANAGEMENT interface if it's configured with "management-only".

Hope that helps.

Hi Jen,

I think i've fixed it with:

same-security-traffic permit intra-interface

Oops, probably should have checked that.

I have set up other vpn group policy split tunnels with extended acls with success.  What is the reasoning for a standard acl, if I may ask?

Thanks again.

Not too sure how "same-security-traffic permit intra-interface" will fix your issue. That command is only for traffic coming in and out of the same interface. In your case, you are coming into the Outside interface and leaving the MANAGEMENT interface, so that command shouldn't really fix anything.

Split tunnel ACL only supports standard ACL, not extended ACL. It used to support extended ACL back in PIX version 6.x and below. However, from ASA version 7.x and above, it has changed to standard ACL. Even though it might work, it is not officially supported and if it breaks, you know what it is.

Here is the configuration guide that states only standard ACL is allowed:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/vpngrp.html#wp1053494

Hope that answers your question.

OK so same-security ..... did not fix it.

I changed the extended acl to a standard acl but it still does not work.

I'm seeing this in the logs when I enable logging monitor:

IKE Initiator unable to find policy: Intf OUTSIDE, Src: 10.10.10.10, Dst: 172.18.0.33

Also I just noticed this:

interface GigabitEthernet0/1.10
description - MANAGEMENT NETWORK  , IPS INTERFACES
vlan 10
nameif MANAGEMENT
security-level 100
ip address 10.10.10.1 255.255.255.0 standby 10.10.10.2

It's not the physical management0/0 interface but a user created one.

Jennifer Halim
Cisco Employee

Can you please share the interface configuration of your management interface?


Can you please add the following:


management-access MANAGEMENT

Then try to see if you can ping 10.10.10.1 from the vpn client.

That doesn't seem to do anything.

This should be working...:)

Mmmm...

Do you mind posting the full config to double confirm, please.

It doesn't appear to be NAT EXEMPT even though the rule is there.  Am I correct here?  Am I also correct in seeing it is trying to perform a static nat on return?

Although I have run a tcpdump on 10.10.10.10 and don't see anything hit it...

ASAPRIMARY(config)# sh run | i 172.18.0
access-list MANAGEMENT-OUT extended permit tcp 172.18.0.32 255.255.255.240 host 10.10.10.11 eq ssh
access-list MANAGEMENT-OUT extended permit tcp 172.18.0.32 255.255.255.240 host 10.10.10.10 eq ssh
access-list MANAGEMENT-OUT extended permit tcp 172.18.0.32 255.255.255.240 host 10.10.10.13 eq 3389
access-list MANAGEMENT-OUT extended permit tcp 172.18.0.32 255.255.255.240 host 10.10.10.10
access-list 101 extended permit ip 10.10.10.0 255.255.255.0 172.18.0.32 255.255.255.240
access-list 101 extended permit ip 172.18.0.32 255.255.255.240 10.10.10.0 255.255.255.0
access-list NO-NAT-FROM-MGMT extended permit ip 10.10.0.0 255.255.0.0 172.18.0.32 255.255.255.240

nat (MANAGEMENT) 0 access-list NO-NAT-FROM-MGMT

ASAPRIMARY(config)# packet-tracer input ouTSIDE tcp 172.18.0.34 22 10.10.10.10 22

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.10.10.0      255.255.255.0   MANAGEMENT

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         OUTSIDE

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group OUTSIDE-IN in interface OUTSIDE
access-list OUTSIDE-IN extended permit ip any any
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: NAT-EXEMPT
Subtype: rpf-check
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group MANAGEMENT-OUT out interface MANAGEMENT
access-list MANAGEMENT-OUT extended permit tcp 172.18.0.32 255.255.255.240 host 10.10.10.10 eq ssh
Additional Information:

Phase: 10
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (MANAGEMENT,OUTSIDE) 203.23.23.75 10.10.10.10 netmask 255.255.255.255
  match ip MANAGEMENT host 10.10.10.10 OUTSIDE any
    static translation to 203.23.176.75
    translate_hits = 260, untranslate_hits = 18
Additional Information:

Phase: 11
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (MANAGEMENT,OUTSIDE) 203.23.23.75 10.10.10.10 netmask 255.255.255.255
  match ip MANAGEMENT host 10.10.10.10 OUTSIDE any
    static translation to 203.23.23.75
    translate_hits = 260, untranslate_hits = 18
Additional Information:

Phase: 12
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 13
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
input-interface: OUTSIDE
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

To use the packet tracer, you would need to be connected to your vpn client.

If there is no existing VPN session, the packet tracer will say it drops due to VPN. Can you please test with vpn client itself and see if that works?

Also please share the output of the following after you connect with vpn client and test connectivity:

show cry isa sa

show cry ipsec sa

Plus can you also check if NAT-T is enabled?

I have the VPN client connected.  It authenticates fine but can't pass traffic.  I have set up other group-policies fine connecting to other VLANs which work.

Is it possible to email you the config? It's rather large and from a security point of view I'm concerned about posting it.

I have enabled nat-t with:

crypto isakmp nat-traversal

This is disabled but doesn't make a difference:

no sysopt connection permit-vpn

sh crypto ...:

4   IKE Peer: 123.243.25.100
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_ACTIVE

interface: OUTSIDE
    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 203.23.23.23

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (172.18.0.3/255.255.255.255/0/0)
      current_peer: 123.243.25.100, username: kimk
      dynamic allocated peer ip: 172.18.0.3

      #pkts encaps: 2074, #pkts encrypt: 2074, #pkts digest: 2074
      #pkts decaps: 1513, #pkts decrypt: 1513, #pkts verify: 1513
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 2074, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 203.23.23.71/4500, remote crypto endpt.: 123.243.25.100/59815
      path mtu 1500, ipsec overhead 82, media mtu 1500
      current outbound spi: 600ADC4E

    inbound esp sas:
      spi: 0x34335B07 (875780871)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 20480, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
         sa timing: remaining key lifetime (sec): 27764
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x600ADC4E (1611324494)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 20480, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
         sa timing: remaining key lifetime (sec): 27764
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

You will need to enable: "sysopt connection permit-vpn"

Otherwise, you won't be able to pass any traffic unless you specifically configure ACL on the outside interface to allow it.

And yes, I was going to suggest you email me the config.

Sorry, I'm not sure of your email address, or do I send it through "send private message"?

Thanks