04-30-2012 11:36 AM
I am trying to configure a VPN for use with the Cisco VPN Client. I currently have the VPN operational but I am having trouble allowing access to multiple subnets that are connected to the ASA. My current VPN DHCP pool is 10.0.0.0/24. I want VPN users to be able to talk to one of my other vlans (172.16.20.0/24). This is what I can't figure out. If I change my VPN DHCP pool to something like 172.16.20.100-110 then I can talk to everything on that subnet fine. But as soon as I change the DHCP pool back to the other subnet then I can't. Any suggestions??
Here is my config:
nysyr-sbo-asa(config)# sh run
: Saved
:
ASA Version 8.4(1)
!
<REMOVED>
names
!
interface Vlan1
no nameif
no security-level
no ip address
!
interface Vlan2
description Connection to Primary ISP (FiOS)
nameif primaryisp
security-level 0
ip address <removed>
!
interface Vlan3
description Connection to Secondary ISP (Time Warner)
nameif backupisp
security-level 0
ip address <removed>
!
interface Vlan5
description Connection to internal internet access subnet (192.168.5.0/24)
nameif inside
security-level 100
ip address 192.168.5.1 255.255.255.0
!
interface Vlan20
description Connection to internal management network (172.16.20.0/24)
nameif insidemgmt
security-level 100
ip address 172.16.20.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 3
!
interface Ethernet0/2
switchport access vlan 5
!
interface Ethernet0/3
switchport access vlan 20
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
object network inside-network
subnet 192.168.5.0 255.255.255.0
object network asp-wss-1-tw
host 192.168.5.11
object network asp-wss-1-vz
host 192.168.5.11
object network vpn-ip-pool
subnet 10.0.0.0 255.255.255.0
access-list outside_access_in_1 remark Access list to allow outside traffic in
access-list outside_access_in_1 extended permit tcp any object asp-wss-1-vz eq www
access-list outside_access_in_1 extended permit tcp any object asp-wss-1-vz eq https
access-list outside_access_in_1 extended permit tcp any object asp-wss-1-tw eq www
access-list outside_access_in_1 extended permit tcp any object asp-wss-1-tw eq https
access-list SBOnet_VPN_Tunnel_splitTunnelAcl standard permit 172.16.20.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu primaryisp 1500
mtu backupisp 1500
mtu inside 1500
mtu insidemgmt 1500
ip local pool vpn-ip-pool 10.0.0.10-10.0.0.250 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,primaryisp) source dynamic any interface
nat (inside,backupisp) source dynamic any interface
!
object network asp-wss-1-tw
nat (inside,backupisp) static <removed>
object network asp-wss-1-vz
nat (inside,primaryisp) static <removed>
access-group outside_access_in_1 in interface primaryisp
access-group outside_access_in_1 in interface backupisp
route primaryisp 0.0.0.0 0.0.0.0 <removed> 1 track 1
route backupisp 0.0.0.0 0.0.0.0 <removed> 10
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.5.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 primaryisp
http 0.0.0.0 0.0.0.0 backupisp
http 0.0.0.0 0.0.0.0 insidemgmt
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
sla monitor 123
type echo protocol ipIcmpEcho 8.8.8.8 interface primaryisp
threshold 3000
frequency 10
sla monitor schedule 123 life forever start-time now
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-256-SHA
crypto map primaryisp_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map primaryisp_map interface primaryisp
crypto map backupisp_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map backupisp_map interface backupisp
crypto ca trustpoint ASDM_TrustPoint0
enrollment terminal
subject-name CN=<removed>
crl configure
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev2 enable primaryisp
crypto ikev2 enable backupisp
crypto ikev1 enable primaryisp
crypto ikev1 enable backupisp
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
!
track 1 rtr 123 reachability
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 primaryisp
ssh 0.0.0.0 0.0.0.0 backupisp
ssh 0.0.0.0 0.0.0.0 insidemgmt
ssh timeout 20
console timeout 20
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy SBOnet_VPN_Tunnel internal
group-policy SBOnet_VPN_Tunnel attributes
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelall
split-tunnel-network-list value SBOnet_VPN_Tunnel_splitTunnelAcl
group-policy DfltGrpPolicy attributes
split-tunnel-network-list value SBOnet_VPN_Tunnel_splitTunnelAcl
tunnel-group DefaultRAGroup general-attributes
address-pool (primaryisp) vpn-ip-pool
address-pool vpn-ip-pool
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group SBOnet_VPN_Tunnel type remote-access
tunnel-group SBOnet_VPN_Tunnel general-attributes
address-pool vpn-ip-pool
default-group-policy SBOnet_VPN_Tunnel
tunnel-group SBOnet_VPN_Tunnel ipsec-attributes
ikev1 pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:7a817a8679e586dc829c06582c60811d
: end
04-30-2012 12:07 PM
Try this and let me know.
object network vpn-ip-pool
subnet 10.0.0.0 255.255.255.0
object network my-mgmt
subnet 172.16.20.0 255.255.255.0
nat (insidemgmt,primaryisp) source static vpn-ip-pool vpn-ip-pool destination static my-mgmt my-mgmt unidirectional
If you have L3 switch on my-mgmt network please make sure, you have a static-route in place on that switch as well, like shown below.
ip route 10.0.0.0 255.255.255.0 172.16.20.1
Please let me know, if this helps.
thanks
Rizwan Rafeek
04-30-2012 12:20 PM
Thanks for the quick response. I tried those commands and it didn't appear to help. My 172.16.20.x network is connected to an unmanaged switch, so there is no config to do there. I still can't ping anything on the 172.16.20.x subnet, nor can I RDP to any of those machines.
Here is what I added:
object network vpn-ip-pool
subnet 10.0.0.0 255.255.255.0
object network my-mgmt
subnet 172.16.20.0 255.255.255.0
nat (insidemgmt,backupisp) source static vpn-ip-pool vpn-ip-pool destination static my-mgmt my-mgmt unidirectional
I changed primaryisp to backupisp because that is currently the outside interface that I'm VPNing into. I do see the following log entry when I try to RDP to 172.16.20.10 from 10.0.0.10:
6 | Apr 30 2012 | 15:16:49 | 10.0.0.10 | 49880 | 172.16.20.10 | 3389 | Built inbound TCP connection 2405 for backupisp:10.0.0.10/49880 (10.0.0.10/49880) to insidemgmt:172.16.20.10/3389 (172.16.20.10/3389) (matt) |
Here is an output from show route:
nysyr-sbo-asa(config)# sh route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 208.125.237.113 to network 0.0.0.0
C 172.16.20.0 255.255.255.0 is directly connected, insidemgmt
S 10.0.0.10 255.255.255.255 [1/0] via 208.125.237.113, backupisp
C 208.125.237.112 255.255.255.248 is directly connected, backupisp
S* 0.0.0.0 0.0.0.0 [10/0] via 208.125.237.113, backupisp
And here is a show nat:
nysyr-sbo-asa(config)# sh nat
Manual NAT Policies (Section 1)
1 (inside) to (primaryisp) source dynamic any interface
translate_hits = 0, untranslate_hits = 0
2 (inside) to (backupisp) source dynamic any interface
translate_hits = 0, untranslate_hits = 0
3 (insidemgmt) to (primaryisp) source static vpn-ip-pool vpn-ip-pool destination static my-mgmt my-mgmt unidirectional
translate_hits = 0, untranslate_hits = 0
4 (insidemgmt) to (backupisp) source static vpn-ip-pool vpn-ip-pool destination static my-mgmt my-mgmt unidirectional
translate_hits = 0, untranslate_hits = 0
Auto NAT Policies (Section 2)
1 (inside) to (backupisp) source static asp-wss-1-tw 208.125.237.114
translate_hits = 0, untranslate_hits = 23
2 (inside) to (primaryisp) source static asp-wss-1-vz 24.97.182.141
translate_hits = 0, untranslate_hits = 0
Anything else I should try?
04-30-2012 06:55 PM
Please add the highlighted line below as well:
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route
when done, please try it and let me know.
What is the default gateway address on the hosts connected to your unmanaged L2 switch?
Please post the output from below command.
packet-tracer input backupisp icmp 10.0.0.2 8 0 172.16.20.10
thanks
Looking forward to hearing from you.
05-01-2012 05:59 AM
I tried to add that command and got an error....
nysyr-sbo-asa(config)# crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set $
ERROR: Crypto map associated with multiple interfaces. Cannot enable rri
The default gateway for the 172.16.20.0/24 network is 172.16.20.1.
Here is the packet trace....
nysyr-sbo-asa(config)# packet-tracer input backupisp icmp 10.0.0.2 8 0 172.16.$
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.16.20.0 255.255.255.0 insidemgmt
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: backupisp
input-status: up
input-line-status: up
output-interface: insidemgmt
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
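The packet-tracer runs in this thread (the acl-drop above, and the clean pass that follows the corrected NAT rule later on) are easiest to compare by machine. What follows is an added example, not an ASA feature and not code from any of the posters: a small Python parser for the plain-text layout packet-tracer prints (Phase / Type / Subtype / Result / Config / Additional Information blocks, then a final Result block). It returns the phases and, for a drop, the phase and the rule that caused it. The two sample traces are constructed copies of the ones posted in this thread with the status lines trimmed.

```python
"""Parse Cisco ASA `packet-tracer` output and report which phase dropped a packet."""
import re
from dataclasses import dataclass, field


@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: list = field(default_factory=list)  # lines under "Config:"
    info: list = field(default_factory=list)    # lines under "Additional Information:"


def parse_packet_tracer(text):
    """Return (phases, verdict): the numbered phases and the final key/value block."""
    phases, verdict = [], {}
    current, section = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.fullmatch(r"Phase:\s*(\d+)", line)
        if m:
            current = Phase(int(m.group(1)))
            phases.append(current)
            section = None
        elif line == "Result:":          # a bare "Result:" opens the final verdict block
            current, section = None, "verdict"
        elif section == "verdict":
            key, _, value = line.partition(":")
            verdict[key.strip()] = value.strip()
        elif current is None:            # prompt or noise before the first phase
            continue
        elif line.startswith("Type:"):
            current.type = line[5:].strip()
        elif line.startswith("Subtype:"):
            current.subtype = line[8:].strip()
        elif line.startswith("Result:"):
            current.result = line[7:].strip()
        elif line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        elif section == "config":
            current.config.append(line)
        elif section == "info":
            current.info.append(line)
    return phases, verdict


def explain(text):
    """Summarise a trace: overall action plus, for a drop, the phase and rule responsible."""
    phases, verdict = parse_packet_tracer(text)
    summary = {"action": verdict.get("Action"), "reason": verdict.get("Drop-reason"),
               "phases": [p.type for p in phases]}
    dropped = next((p for p in phases if p.result == "DROP"), None)
    if dropped:
        summary["drop_phase"] = dropped.number
        summary["drop_type"] = dropped.type
        summary["drop_config"] = " ".join(dropped.config) or "(none)"
    return summary


# Constructed samples copied from the traces posted in this thread (status lines trimmed).
ACL_DROP_TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.16.20.0 255.255.255.0 insidemgmt
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: backupisp
output-interface: insidemgmt
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

ALLOW_TRACE = """\
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (insidemgmt,backupisp) source static my-mgmt my-mgmt destination static vpn-ip-pool vpn-ip-pool
Additional Information:
NAT divert to egress interface insidemgmt
Untranslate 172.16.20.10/3389 to 172.16.20.10/3389
Result:
input-interface: backupisp
output-interface: insidemgmt
Action: allow
"""
```

Run `explain(ACL_DROP_TRACE)` and the summary points at phase 2, ACCESS-LIST, "Implicit Rule": the interface ACL on backupisp has no permit for the VPN pool, which is exactly what the deny log in the next post shows. On the allow trace the first phase is UN-NAT with the identity rule as its Config, which is the sign that the NAT exemption is matching.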
05-01-2012 08:07 AM
So I might be on to something here.... I tried to use the packet-tracer command with port 3389 (RDP) and the log shows:
4 | May 01 2012 | 11:02:18 | 10.0.0.10 | 3389 | 172.16.20.10 | 3389 | Deny tcp src backupisp:10.0.0.10/3389 dst insidemgmt:172.16.20.10/3389 by access-group "outside_access_in_1" [0x0, 0x0] |
So it looks like my access-list on that interface is denying it? So I added a rule to allow 3389 from tcp any to object my-mgmt eq 3389 and I see this:
6 | May 01 2012 | 11:04:45 | 10.0.0.12 | 3389 | 172.16.20.10 | 3389 | Teardown TCP connection 3663 for backupisp:10.0.0.12/3389 to insidemgmt:172.16.20.10/3389 duration 0:00:00 bytes 0 Free the flow created as result of packet injection |
6 | May 01 2012 | 11:04:45 | 10.0.0.12 | 3389 | 172.16.20.10 | 3389 | Built inbound TCP connection 3663 for backupisp:10.0.0.12/3389 (10.0.0.12/3389) to insidemgmt:172.16.20.10/3389 (172.16.20.10/3389) |
Looks like it allows it now but I still can't get RDP to connect. It times out...
04-30-2012 04:05 PM
Anyone else have any ideas??
05-01-2012 10:09 AM
Hello Matt,
The correct NAT statement should be:
nat (insidemgmt,backupisp) source static my-mgmt my-mgmt destination static vpn-ip-pool vpn-ip-pool
Give it a try and let me know.
Also provide sh run all sysopt.
Regards
Julio
05-01-2012 10:32 AM
Thanks for the response! I tried that NAT rule but it's still not working. I'm not able to RDP from a VPN connection (10.0.0.x/24) to the management network (172.16.20.x/24).
Here is my sh run all sysopt:
nysyr-sbo-asa(config)# sh run all sysopt
no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
sysopt connection permit-vpn
sysopt connection reclassify-vpn
no sysopt connection preserve-vpn-flows
no sysopt radius ignore-secret
no sysopt noproxyarp primaryisp
no sysopt noproxyarp backupisp
no sysopt noproxyarp inside
no sysopt noproxyarp insidemgmt
Here are my NAT rules:
nat (insidemgmt,backupisp) source static my-mgmt my-mgmt destination static vpn-ip-pool vpn-ip-pool
nat (inside,primaryisp) source dynamic any interface
nat (inside,backupisp) source dynamic any interface
Here is a packet trace...
nysyr-sbo-asa(config)# packet-tracer input backupisp tcp 10.0.0.2 3389 172.16.$
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (insidemgmt,backupisp) source static my-mgmt my-mgmt destination static vpn-ip-pool vpn-ip-pool
Additional Information:
NAT divert to egress interface insidemgmt
Untranslate 172.16.20.10/3389 to 172.16.20.10/3389
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in_1 in interface backupisp
access-list outside_access_in_1 extended permit tcp any object my-mgmt eq 3389
Additional Information:
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (insidemgmt,backupisp) source static my-mgmt my-mgmt destination static vpn-ip-pool vpn-ip-pool
Additional Information:
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 4451, packet dispatched to next module
Result:
input-interface: backupisp
input-status: up
input-line-status: up
output-interface: insidemgmt
output-status: up
output-line-status: up
Action: allow
Any other suggestions for me?? If I read the packet trace correctly, it looks like it's working fine....
05-01-2012 11:28 AM
Hi Matt,
Can you please remove these lines below and try it.
group-policy DfltGrpPolicy attributes
split-tunnel-network-list value SBOnet_VPN_Tunnel_splitTunnelAcl
tunnel-group DefaultRAGroup general-attributes
address-pool (primaryisp) vpn-ip-pool
address-pool vpn-ip-pool
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key *****
Let me know how this is coming along.
thanks
05-01-2012 11:44 AM
I removed those lines and I'm getting the same results as above.
05-01-2012 11:47 AM
Keep those lines removed; you do not need them for your Remote Access VPN.
Please tell me, what is the default gateway assigned on those hosts sitting on the mgmt network segment?
05-01-2012 12:38 PM
The default gateway was the issue. The servers I'm connecting to are dual IP'd and were configured incorrectly. I changed the gateway to 172.16.20.1 and I can connect fine now. Thanks for all the help!
Now whenever I want to access a new subnet, I just need to add the following, correct?
nat (
destination static vpn-ip-pool vpn-ip-pool
05-01-2012 12:43 PM
"nat (
destination static vpn-ip-pool vpn-ip-pool"
You got it.
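The per-subnet recipe confirmed above (one identity twice-NAT rule per inside subnet, with the inside subnet as source and the VPN pool as destination) is easy to get backwards, as the first suggestion in this thread shows. Here is an added example, not Cisco tooling and not code from any poster: a Python lint that reads the 8.4 syntax used in this thread and reports, for each split-tunnel subnet and each outside interface that terminates the VPN, whether the identity rule exists on the right interface pair, whether it is written in reverse (pool as source), and whether it carries extra flags such as `unidirectional`. The config excerpt is constructed from the one posted above and uses its interface and object names. Two simplifying assumptions of mine: every standard access-list is treated as a split-tunnel list, and the inside interface for a subnet is the one whose own address range contains it.

```python
"""Lint an ASA 8.4 twice-NAT config for the identity (NAT-exempt) rules that a
remote-access VPN pool needs in order to reach each split-tunnel subnet."""
import ipaddress
import re
from typing import NamedTuple


class NatRule(NamedTuple):
    real_if: str    # first interface in "nat (real,mapped)"
    mapped_if: str
    src: str        # source object (identity NAT: real name == mapped name)
    dst: str        # destination object (identity NAT: real name == mapped name)
    flags: str      # anything after the destination pair, e.g. "unidirectional"


NAT_RE = re.compile(r"nat \((\S+),(\S+)\) source static (\S+) (\S+) "
                    r"destination static (\S+) (\S+)\s*(.*)")


def parse_config(config):
    """Pull network objects, interface subnets, identity twice-NAT rules and
    standard-ACL (assumed split-tunnel) subnets out of `show run` text."""
    objects, ifaces, nats, split = {}, {}, [], []
    obj = nameif = None
    for raw in config.splitlines():
        line, parts = raw.strip(), raw.split()
        if line.startswith("object network "):
            obj, nameif = parts[2], None
        elif line.startswith("interface "):
            obj = nameif = None
        elif obj and line.startswith("subnet "):
            objects[obj] = ipaddress.ip_network(f"{parts[1]}/{parts[2]}")
        elif obj and line.startswith("host "):
            objects[obj] = ipaddress.ip_network(f"{parts[1]}/32")
        elif line.startswith("nameif "):
            nameif = parts[1]
        elif nameif and line.startswith("ip address ") and len(parts) >= 4:
            # "ip address <removed>" (3 tokens) is skipped, so ISP interfaces stay unknown
            ifaces[nameif] = ipaddress.ip_network(f"{parts[2]}/{parts[3]}", strict=False)
        elif line.startswith("nat ("):
            m = NAT_RE.match(line)
            if m and m.group(3) == m.group(4) and m.group(5) == m.group(6):
                nats.append(NatRule(m.group(1), m.group(2), m.group(3), m.group(5), m.group(7)))
        elif line.startswith("access-list ") and " standard permit " in line:
            split.append((parts[1], ipaddress.ip_network(f"{parts[4]}/{parts[5]}")))
    return objects, ifaces, nats, split


def check_exemptions(config, pool_obj, outside_ifs):
    """One finding per split-tunnel subnet and VPN-terminating interface that lacks a
    correct identity rule; an empty list means the exemptions are in place."""
    objects, ifaces, nats, split = parse_config(config)
    pool, findings = objects[pool_obj], []
    for acl, subnet in split:
        inside_if = next((n for n, net in ifaces.items() if subnet.subnet_of(net)), None)
        if inside_if is None:
            findings.append(f"{acl}: no interface subnet contains {subnet}")
            continue
        for out_if in outside_ifs:
            on_pair = [r for r in nats if (r.real_if, r.mapped_if) == (inside_if, out_if)]
            good = [r for r in on_pair if objects.get(r.src) == subnet and objects.get(r.dst) == pool]
            backwards = [r for r in on_pair if objects.get(r.src) == pool and objects.get(r.dst) == subnet]
            if good:
                findings += [f"{out_if}: rule for {subnet} carries '{r.flags}'; the plain identity "
                             f"rule is the one that matched in the trace" for r in good if r.flags]
            elif backwards:
                findings.append(f"{out_if}: rule for {subnet} is reversed; on ({inside_if},{out_if}) "
                                f"the source must be {subnet} and the destination {pool}")
            else:
                findings.append(f"{out_if}: no identity NAT for {subnet} <-> {pool} "
                                f"on ({inside_if},{out_if})")
    return findings


# Constructed excerpt of the config posted in this thread; only the lines the lint reads.
BASE_CONFIG = """\
interface Vlan3
 nameif backupisp
 ip address <removed>
interface Vlan5
 nameif inside
 ip address 192.168.5.1 255.255.255.0
interface Vlan20
 nameif insidemgmt
 ip address 172.16.20.1 255.255.255.0
object network vpn-ip-pool
 subnet 10.0.0.0 255.255.255.0
object network my-mgmt
 subnet 172.16.20.0 255.255.255.0
access-list SBOnet_VPN_Tunnel_splitTunnelAcl standard permit 172.16.20.0 255.255.255.0
"""
# The first rule suggested in the thread (pool as source) and the one that worked.
REVERSED_CONFIG = BASE_CONFIG + ("nat (insidemgmt,backupisp) source static vpn-ip-pool vpn-ip-pool "
                                 "destination static my-mgmt my-mgmt unidirectional\n")
WORKING_CONFIG = BASE_CONFIG + ("nat (insidemgmt,backupisp) source static my-mgmt my-mgmt "
                                "destination static vpn-ip-pool vpn-ip-pool\n")
```

Because the crypto map in this config is applied to both primaryisp and backupisp, pass both names as `outside_ifs`: the lint then shows that the rule that worked here only covers sessions terminating on backupisp, and that a second rule on (insidemgmt,primaryisp) is needed before a failover to the other ISP keeps working.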
05-01-2012 12:46 PM
So I may have jumped the gun a bit.... I forgot that I also changed the split tunnel policy before I changed the default gateway. I changed "split-tunnel-policy tunnelspecified" to "split-tunnel-policy tunnelall". Obviously that isn't what I want because then I can get to anything else on the internet or other local networks. So there still appears to be an issue, more specifically an issue with split tunnel. Any ideas on anything I can check?