ASA 5505, Site-to-site VPN Access Issue

Tarekeid1_2
Level 1


I'm relatively new to ASA and I would really appreciate your help with an issue I'm having with a site-to-site VPN connection between two ASA 5505s.


I’ve configured the ASA with ASDM and we only need it for site-to-site VPN.


The issue is that the tunnel is up, both sites can ping and traceroute each other, and I can access the internal web interface of the two ASAs from both sites, but other communication is failing, like RDP (giving me a 0x1104 protocol error) or any other form of network access such as network shares… Shouldn't the tunnel allow all traffic to pass through?


So what could I possibly be doing wrong? I know this might be beyond the tunnel, but what do you recommend I do?

The HQ has network 192.168.10.0 and the Branch has network 192.168.11.0. We have Windows Server 2003 and ISA 2004 on the HQ site, and traffic going to 192.168.11.0 from HQ is routed to the ASA by the default gateway (Win 2k3 SBS); both networks are configured as local on the server. But even after eliminating the server and ISA by making the ASA the default gateway of the network, I'm getting the same result…

Here’s the configuration at both sites:

HQ Configuration:

ASA Version 8.2(1)
!
hostname HQasa
domain-name xxxx.local
enable password /a.qZ3SvljKXrNn0 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.11.0 yy
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.10.111 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address xx.xx.xx.xx 255.255.255.248
!
interface Vlan5
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 10.10.10.10 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
 speed 100
 duplex half
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport access vlan 5
!
ftp mode passive
clock timezone EEST 2
clock summer-time EEDT recurring last Sun Mar 0:00 last Sun Oct 0:00
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 192.168.10.1
 name-server xx.xx.xx.xx
 name-server xx.xx.xx.xx
 domain-name xxxx.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service DM_INLINE_SERVICE_1
 service-object icmp
 service-object tcp-udp eq echo
 service-object icmp echo-reply
 service-object ip
 service-object udp eq isakmp
 service-object tcp eq telnet
 service-object udp eq 4500
 service-object tcp-udp eq 1723
 service-object tcp-udp eq 3389
 service-object tcp-udp eq 4125
 service-object tcp-udp eq 443
 service-object tcp-udp eq 444
 service-object tcp-udp eq 993
 service-object tcp-udp eq www
 service-object tcp eq ftp
 service-object tcp eq https
 service-object tcp eq imap4
 service-object tcp eq pop3
 service-object tcp eq smtp
object-group service DM_INLINE_SERVICE_2
 service-object icmp
 service-object icmp echo-reply
 service-object tcp-udp eq echo
 service-object ip
 service-object udp eq isakmp
 service-object tcp eq telnet
 service-object udp eq 4500
 service-object tcp-udp eq 1723
 service-object tcp-udp eq 3389
 service-object tcp-udp eq 4125
 service-object tcp-udp eq 443
 service-object tcp-udp eq 444
 service-object tcp-udp eq 993
 service-object tcp-udp eq www
 service-object tcp eq ftp
 service-object tcp eq https
 service-object tcp eq imap4
 service-object tcp eq pop3
 service-object tcp eq smtp
object-group service IMAPS tcp-udp
 port-object eq 993
object-group service PPTP tcp-udp
 port-object eq 1723
object-group service RDP tcp-udp
 port-object eq 3389
object-group service RWW tcp-udp
 port-object eq 4125
 port-object eq 443
object-group service Window_SharePoint tcp-udp
 description Allow access to intranet
 port-object eq 444
object-group network DM_INLINE_NETWORK_1
 network-object 192.168.10.0 255.255.255.0
object-group service Nat-t udp
 port-object eq 4500
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit ip any any
access-list outside_1_cryptomap extended permit ip 192.168.10.0 255.255.255.0 xx 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.10.160 255.255.255.240
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 xx 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.10.0 255.255.255.0 xx 255.255.255.0
access-list inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_1 xx 255.255.255.0
access-list inside_access_in_1 extended permit object-group DM_INLINE_SERVICE_1 any any
access-list outside_access_in_1 extended permit object-group DM_INLINE_SERVICE_2 any any
access-list RemoteVPN_splitTunnelAcl standard permit 192.168.10.0 255.255.255.0
access-list xxx_Remote_splitTunnelAcl standard permit 192.168.10.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool remote_access 192.168.10.160-192.168.10.170 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside control-plane
access-group inside_access_in_1 in interface inside
access-group outside_access_in in interface outside control-plane
access-group outside_access_in_1 in interface outside
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.xx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.10.0 255.255.255.0 inside
http 10.10.10.0 255.255.255.0 dmz
http 0.0.0.0 0.0.0.0 outside
http 172.16.11.0 255.255.255.0 inside
http 172.16.11.0 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection tcpmss 0
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer xx.xx.xx.xx
crypto map outside_map 1 set transform-set ESP-DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet 0.0.0.0 0.0.0.0 outside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
management-access inside
dhcpd dns 192.168.10.1 xx.xx.xx.xx
dhcpd auto_config outside
!
dhcpd dns xx.xx.xx.xx interface inside
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy xxx_Remote internal
group-policy xxx_Remote attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value xxx_Remote_splitTunnelAcl
username xxxx password C/qg2rs8LAQYDdxX encrypted privilege 15
tunnel-group xx.xx.xx.xx type ipsec-l2l
tunnel-group xx.xx.xx.xx ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:67c4d75fc8dda1e789b426dae846d5a9
: end

---------------------------------------------------------------------------------------------------------------------------

Branch Configuration:

ASA Version 8.2(1)
!
hostname BranchASA
domain-name xxxx.local
enable password m7vkj4K9oUs.HV3l encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.10.0 HQ
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.11.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address xx.xx.xx.xx 255.255.255.248
!
interface Vlan5
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 10.10.10.10 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
 speed 100
 duplex half
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport access vlan 5
!
interface Ethernet0/3
 switchport access vlan 5
!
interface Ethernet0/4
 switchport access vlan 5
!
interface Ethernet0/5
 switchport access vlan 5
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport access vlan 5
!
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server xx.xx.xx.xx
 name-server xx.xx.xx.xx
 name-server xx.xx.xx.xx
 domain-name xxxx.local
object-group service DM_INLINE_SERVICE_1
 service-object ip
 service-object icmp
 service-object icmp echo-reply
 service-object tcp-udp eq echo
 service-object udp eq isakmp
 service-object tcp eq https
 service-object udp eq 4500
 service-object tcp-udp eq 1723
 service-object tcp-udp eq 3389
 service-object tcp-udp eq 4125
 service-object tcp-udp eq 443
 service-object tcp-udp eq 444
 service-object tcp-udp eq 993
 service-object tcp-udp eq www
 service-object tcp eq ftp
 service-object tcp eq imap4
 service-object tcp eq pop3
 service-object tcp eq smtp
object-group service DM_INLINE_SERVICE_2
 service-object ip
 service-object icmp
 service-object icmp echo-reply
 service-object tcp-udp eq echo
 service-object udp eq isakmp
 service-object tcp eq https
 service-object udp eq 4500
 service-object tcp-udp eq 1723
 service-object tcp-udp eq 3389
 service-object tcp-udp eq 4125
 service-object tcp-udp eq 443
 service-object tcp-udp eq 444
 service-object tcp-udp eq 993
 service-object tcp-udp eq www
 service-object tcp eq ftp
 service-object tcp eq imap4
 service-object tcp eq pop3
 service-object tcp eq smtp
object-group service traversal udp
 port-object eq 4500
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_1 any any
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 any any
access-list outside_1_cryptomap extended permit ip 192.168.11.0 255.255.255.0 HQ 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.11.0 255.255.255.0 HQ 255.255.255.0
access-list xx_splitTunnelAcl standard permit host 192.168.20.0
access-list outside_access_in_1 extended permit ip any any
access-list inside_access_in_1 extended permit ip any any
access-list outside_authentication extended permit tcp any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool remotexx 192.168.20.5-192.168.20.10 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in_1 in interface inside control-plane
access-group inside_access_in in interface inside
access-group outside_access_in_1 in interface outside control-plane
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.xx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication match outside_authentication outside LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 10.10.10.0 255.255.255.0 dmz
http 172.16.11.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
http HQ 255.255.255.0 inside
http 192.168.11.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer xx.xx.xx.xx
crypto map outside_map 1 set transform-set ESP-DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet 192.168.1.0 255.255.255.0 inside
telnet 0.0.0.0 0.0.0.0 outside
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
management-access inside
dhcpd dns xx.xx.xx.xx xx.xx.xx.xx
dhcpd auto_config outside
!
dhcpd address 192.168.11.2-192.168.11.30 inside
dhcpd dns xx.xx.xx.xx xx.xx.xx.xx interface inside
dhcpd auto_config outside interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy xx internal
group-policy xx attributes
 dns-server value 192.168.10.1
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value xx_splitTunnelAcl
 default-domain value xxxx.local
username xxx password 0NvIwzxhjEdrwEe8 encrypted privilege 15
username xxx attributes
 vpn-group-policy xx
tunnel-group xx.xx.xx.xx type ipsec-l2l
tunnel-group xx.xx.xx.xx ipsec-attributes
 pre-shared-key *
!
!
prompt hostname context
Cryptochecksum:f0d67740b46bb594912e14d9224efb48
: end


8 Replies

Hi,


Can you PING between the exact IPs where the RDP communication is failing?

As a test please remove both inside ACLs:

no access-group inside_access_in_1 in interface inside
no access-group inside_access_in in interface inside

And try again.

Federico.

Yes, I can ping the IPs I'm trying to access through RDP. I will remove the ACLs and try the connection tomorrow.

Thanks for the reply

Hey Federico, I still can't access the network over the tunnel other than by ping and traceroute. Is there a possibility that it's an ASA configuration issue, like could the tunnel somehow be dropping packets, even though I didn't do any advanced settings and only used ASDM? I also tested the clients while disabling firewall and security software and made sure they are operational and can be accessed on-site...

And can I have a site-to-site VPN tunnel with the same network addresses on both sites but with non-overlapping host IPs?

Best regards

I will suggest that you check if packets are being encrypted when trying to reach the remote site:

sh cry ips sa

If they are, you can check if packets are being received (decrypted) on the remote end:

sh cry ips sa

It will give us an idea of the traffic flow through the tunnel (if you test initiating traffic from both ends).

It is not recommended to have the same network address on both ends, because routing can get confused even if the host IPs are not overlapping.

Federico.
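A small script that reads the counters Federico points at, added here as an example that is not part of the thread: it parses the SA sections of `show crypto ipsec sa` captured on both ASAs and reports, per selector pair, whether one side encrypts while the other never decrypts, or whether traffic is delivered but never answered. The sample output, peer addresses and counters are constructed; only the two LAN networks are the thread's.

```python
import re

# Constructed sample output laid out like the SA section of "show crypto ipsec sa"
# on ASA 8.2; the LAN networks are the thread's, peer addresses and counters are made up.
HQ_SA = """\
    Crypto map tag: outside_map, seq num: 1, local addr: 203.0.113.10
      local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.11.0/255.255.255.0/0/0)
      #pkts encaps: 1532, #pkts encrypt: 1532, #pkts digest: 1532
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""
BRANCH_SA = """\
    Crypto map tag: outside_map, seq num: 1, local addr: 198.51.100.20
      local ident (addr/mask/prot/port): (192.168.11.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 1532, #pkts decrypt: 1532, #pkts verify: 1532
"""

SA_START = re.compile(r"^\s*Crypto map tag:", re.M)
IDENT = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \((\S+?)/(\S+?)/")
COUNTER = re.compile(r"#pkts (encaps|decaps): (\d+)")


def parse_sas(text):
    """Return one dict per IPsec SA: its selectors and encaps/decaps counters."""
    sas = []
    for chunk in SA_START.split(text)[1:]:       # [0] is whatever precedes the first SA
        sa = {"encaps": 0, "decaps": 0}
        for side, addr, mask in IDENT.findall(chunk):
            sa[side] = f"{addr}/{mask}"
        for name, value in COUNTER.findall(chunk):
            sa[name] = int(value)
        sas.append(sa)
    return sas


def diagnose(hq_text, branch_text):
    """Pair mirrored SAs from both ends and describe the flow in each direction."""
    findings = []
    for hq in parse_sas(hq_text):
        for br in parse_sas(branch_text):
            if (hq["local"], hq["remote"]) != (br["remote"], br["local"]):
                continue
            pair = f"{hq['local']} <-> {hq['remote']}"
            if hq["encaps"] and not br["decaps"]:
                findings.append(f"{pair}: HQ encrypts but Branch never decrypts (never arrived, or no matching SA)")
            elif br["encaps"] and not hq["decaps"]:
                findings.append(f"{pair}: Branch encrypts but HQ never decrypts (never arrived, or no matching SA)")
            elif hq["encaps"] and not br["encaps"]:
                findings.append(f"{pair}: Branch receives but never replies; return traffic "
                                "is dropped on the Branch side before it reaches the tunnel")
            elif br["encaps"] and not hq["encaps"]:
                findings.append(f"{pair}: HQ receives but never replies; return traffic "
                                "is dropped on the HQ side before it reaches the tunnel")
            elif hq["encaps"] and br["encaps"]:
                findings.append(f"{pair}: traffic flows in both directions")
            else:
                findings.append(f"{pair}: no traffic has entered the tunnel yet")
    return findings
```

Run `diagnose()` on the two captures taken a few seconds apart after initiating a connection from one side; the counters in the constructed sample describe the one-way pattern this thread ended up with.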

Hi,

Can you try:

1) On HQ:

asa(config)# no sysopt connection tcpmss 0
asa(config)# sysopt connection tcpmss 1380
asa(config)# crypto ipsec df-bit clear-df OUTSIDE

2) On Branch:

asa(config)# crypto ipsec df-bit clear-df OUTSIDE

Then try it.

Manish

Thank you for your help and suggestions. The site-to-site VPN doesn't seem to be the issue, since I was able to access the ISA server from the Branch site, and all communication is working between Branch and the ISA server now.

But I can't access other PCs in HQ other than by ping/tracert and I'm unable to access hosts on Branch site other than by ping/tracert, and I didn't have the chance to try changing the default gateway of an HQ pc to that of  ASA to see if its an ISA issue since I'm working remotely,but I mainly suspect that.

Currently I have the HQ ASA connected to its own external internet connection, while the network's default gateway for the HQ clients is that of the ISA, which is routing traffic destined to Branch to the ASA; that is, the ASA is located next to the ISA and connected to the network internally through a switch, with its outside interface to the internet.

To enable traffic from the Branch site to access ISA, we configured the Branch network as an internal network on HQ's ISA, so maybe when traffic is going through ISA it's searching for the host internally, which is causing the access issue, though tracert and ping work.

I've got to this conclusion since protocol error 0x1104 by remote desktop is caused by the host trying to access remote host while searching for it locally and this error didn't occur when I removed the branch network as a local one on ISA, I just got host unreachable error...

I know this might be off topic and a little confusing, but if anyone has run into a similar issue, I would appreciate your help.

Regards

ALIAOF_
Level 6

Have you tried monitoring the traffic via the ASDM logging option to see what's happening, and whether you are getting any denies or resets, etc.?

Tarekeid1_2
Level 1

Hey guys, I'm really surprised how I missed it before, but after monitoring the logs I noticed that I've got this message: "interface outside using tcp must authenticate before using this service". So it turned out to be a policy issue on the Branch ASA... I was able to RDP in no time after removing the AAA policy.

But the symptoms I was having matched a case common with the topology we were using (http://technet.microsoft.com/en-us/library/cc302656.aspx#ClientConnectionsFromARemoteSubnetDenied), but it turned out that ISA was not responsible for the issue after all.

Thank you for all your help
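The root cause above can be caught statically, as an added example that is not part of the thread: this script parses a constructed excerpt of the Branch config, resolves the `name` alias, and reports any `aaa authentication match` ACL entry on an interface that carries a crypto map whose address ranges also cover the decrypted site-to-site traffic. The excerpt keeps only the lines the check needs; object-group ACL entries are out of scope.

```python
from ipaddress import ip_network

# Constructed excerpt of the Branch ASA running-config posted in the thread;
# only the lines this check needs are kept (object-group entries are out of scope).
BRANCH_CONFIG = """\
name 192.168.10.0 HQ
access-list outside_1_cryptomap extended permit ip 192.168.11.0 255.255.255.0 HQ 255.255.255.0
access-list outside_authentication extended permit tcp any any
aaa authentication match outside_authentication outside LOCAL
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map interface outside
"""


def _net(tokens, i, names):
    """Consume one ACL address spec at tokens[i]; return (ip_network, next index)."""
    if tokens[i] == "any":
        return ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ip_network(names.get(tokens[i + 1], tokens[i + 1])), i + 2
    addr = names.get(tokens[i], tokens[i])          # resolve "name" aliases such as HQ
    return ip_network(f"{addr}/{tokens[i + 1]}", strict=False), i + 2


def parse_config(text):
    """Collect name aliases, extended ACL entries, AAA match rules and crypto-map bindings."""
    names, acls, aaa, cmap_acls, cmap_if = {}, {}, [], {}, {}
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "name":
            names[t[2]] = t[1]
        elif t[0] == "access-list" and t[2] == "extended":
            src, i = _net(t, 5, names)
            dst, _ = _net(t, i, names)
            acls.setdefault(t[1], []).append((t[3], t[4], src, dst))   # action, proto, src, dst
        elif t[:3] == ["aaa", "authentication", "match"]:
            aaa.append((t[3], t[4]))                                  # acl name, interface
        elif t[:2] == ["crypto", "map"] and "match" in t:
            cmap_acls.setdefault(t[2], []).append(t[-1])               # crypto map -> its ACLs
        elif t[:2] == ["crypto", "map"] and t[3] == "interface":
            cmap_if[t[4]] = t[2]                                      # interface -> crypto map
    return names, acls, aaa, cmap_acls, cmap_if


def audit(text):
    """Return AAA-match ACL entries that also catch decrypted site-to-site traffic."""
    _, acls, aaa, cmap_acls, cmap_if = parse_config(text)
    findings = []
    for acl_name, iface in aaa:
        for crypto_acl in cmap_acls.get(cmap_if.get(iface, ""), []):
            for _, _, vsrc, vdst in acls.get(crypto_acl, []):
                for action, proto, asrc, adst in acls.get(acl_name, []):
                    # after decryption the packet enters `iface` with the remote network
                    # (crypto ACL destination) as source and the local network as destination
                    if proto in ("ip", "tcp") and asrc.overlaps(vdst) and adst.overlaps(vsrc):
                        findings.append(f"{acl_name}: '{action} {proto} {asrc} {adst}' on {iface} "
                                        f"also matches tunnel traffic {vdst} -> {vsrc}")
    return findings
```

Narrowing the AAA ACL to the public-facing hosts that should actually be authenticated (instead of `tcp any any`) makes the finding disappear while keeping cut-through authentication for everything else.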