ASA 5505 VPN IPsec to iPhone 5 with iOS 8 or 9

tswinfo01
Level 1

Hello,

I am running ASA 9.1(5) on my 5505 and I can connect a VPN with my iPhone/iOS 9 over IPsec. Since iOS 8 it shows a connection on both sides, but I can't access the network components in my home network. Does it need a new setting since Apple iOS 8?

These are my settings:

____________________

object network NETWORK_OBJ_10.10.10.0_29
  subnet 10.10.10.0 255.255.255.248
username a11 password WDQ2sa2IVt6AlpMm encrypted privilege 0
username a11 attributes
  vpn-group-policy g1
exit
group-policy g1 internal
group-policy g1 attributes
  vpn-tunnel-protocol ikev1
exit
tunnel-group g1 type remote-access
tunnel-group g1 general-attributes
  default-group-policy g1
  address-pool  vpnpool1
tunnel-group g1 ipsec-attributes
  ikev1 pre-shared-key **********
nat (inside,outside) 2 source static any any destination static NETWORK_OBJ_10.10.10.0_29 NETWORK_OBJ_10.10.10.0_29 no-proxy-arp route-lookup

______________________________________________


Regards

Jürgen

7 Replies

Fabian Ortega
Level 1

Hello Jürgen,


Can you please attach the following outputs:

1. show run nat

2. show ip

3. show run ip local pool


Let me know if you are using AnyConnect or the built-in VPN client on your iPhone.


Regards,

Hello Fabian,

thanks for your reply. I use the built-in VPN client on my iPhone.

The syslog of the connection process is attached.

Here are the results:

Result of the command: "show run nat"

nat (inside,outside) source static any any destination static NETWORK_OBJ_10.10.10.0_29 NETWORK_OBJ_10.10.10.0_29 no-proxy-arp route-lookup
!
object network obj_any
 nat (inside,outside) dynamic interface

Result of the command: "show ip"

System IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
Vlan1                    inside                 170.180.1.1     255.255.255.0   CONFIG
Vlan2                    outside                46.223.140.113  255.255.254.0   DHCP  
Current IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
Vlan1                    inside                 170.180.1.1     255.255.255.0   CONFIG
Vlan2                    outside                46.223.140.113  255.255.254.0   DHCP  

Result of the command: "show run ip local pool"

ip local pool vp1 10.10.10.1-10.10.10.5 mask 255.255.255.0


Regards
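Two consistency checks a reviewer would run on the fragments posted so far (does the tunnel-group reference a pool that exists, and does that pool sit entirely inside the NAT-exempted object) can be scripted. The following Python is an added example, not part of this thread or of any Cisco tooling; the embedded configuration is assembled from the posted fragments, and the script reports inconsistencies only, without claiming they are the cause of the problem.

```python
import ipaddress
import re

# Constructed from the fragments posted in this thread; not a complete ASA configuration.
ASA_CONFIG = """\
object network NETWORK_OBJ_10.10.10.0_29
  subnet 10.10.10.0 255.255.255.248
ip local pool vp1 10.10.10.1-10.10.10.5 mask 255.255.255.0
tunnel-group g1 general-attributes
  default-group-policy g1
  address-pool  vpnpool1
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.10.10.0_29 NETWORK_OBJ_10.10.10.0_29 no-proxy-arp route-lookup
"""

def parse_config(cfg):
    """One pass: network objects, local pools and the pool each tunnel-group references."""
    objs, pools, groups, current = {}, {}, {}, None
    for line in cfg.splitlines():
        if m := re.match(r"(object network|tunnel-group) (\S+)", line):
            current = m.group(2)  # context for the indented sub-commands that follow
        elif m := re.match(r"\s+subnet (\S+) (\S+)", line):
            objs[current] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
        elif m := re.match(r"\s+address-pool\s+(\S+)", line):
            groups[current] = m.group(1)
        elif m := re.match(r"ip local pool (\S+) (\S+)-(\S+)", line):
            pools[m.group(1)] = (ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3)))
    return objs, pools, groups

def nat_exempt_networks(cfg, objs):
    """Subnets covered by an identity NAT rule of the form 'destination static X X'."""
    pat = r"nat \(\S+\) (?:\d+ )?source static any any destination static (\S+) \1\b"
    return [objs[name] for name in re.findall(pat, cfg) if name in objs]

def check_vpn_config(cfg):
    """Return findings as strings; an empty list means both checks passed."""
    objs, pools, groups = parse_config(cfg)
    exempt = nat_exempt_networks(cfg, objs)
    findings = []
    for tg, pool in groups.items():  # the pool named under the tunnel-group must exist
        if pool not in pools:
            findings.append(f"tunnel-group {tg} references address-pool {pool}, which is not defined")
    for name, (first, last) in pools.items():  # the whole pool must sit inside an exempted object
        if not any(first in net and last in net for net in exempt):
            findings.append(f"pool {name} ({first}-{last}) is not fully inside a NAT-exempted object")
    return findings

if __name__ == "__main__":
    for finding in check_vpn_config(ASA_CONFIG):
        print(finding)
```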


Hello Jürgen,

Ok, it does not seem that you have issues connecting to the ASA, but rather issues getting traffic to work. Let me ask you a question: is there any layer 3 device behind the ASA inside interface? If so, please make sure there is a route back to the VPN client's pool pointing to the inside interface of the firewall, for example:

ip route 10.10.10.0 0.0.0.255 170.180.1.1


I would suggest placing a packet capture on the inside interface to see if the traffic is flowing correctly and getting back to the ASA.

Hello Fabian,

Yes, there are some different layer 3 devices behind the inside interface, such as a NAS, PCs, a webcam...

Now I am using ASA version 9.2(4) with ASDM 7.4(3), and I reset the whole system. Then I started the IPsec VPN wizard. With this I can build a VPN connection and there is a little bit of traffic when I look at the monitoring. But I can't access my network devices. In the logging I saw this:

______________

IPAA: DHCP configured, no viable servers found for tunnel-group 'g1'

Group = g1, Username = a11, IP = 80.187.102.233, Received unsupported transaction mode attribute: 5

______________

Is this an error?

When I try to access a device I see this:

10.10.10.1       51045  170.180.1.100 80        Built inbound TCP connection 60655 for outside:10.10.10.1/51045 (10.10.10.1/51045)(LOCAL\a11) to inside:170.180.1.100/80 (170.180.1.100/80) (a11)

This seems ok, but there is no reaction on the iPhone.

As you suggested, I set a static route like this:

route outside 10.10.10.0 255.255.255.0 170.180.1.0

But after that there is no effect.

Additionally, I am giving you my settings as an attachment.

Regards
Hello Jürgen,

Let me make my question more specific. Is there any layer 3 device behind the inside interface of the ASA performing routing (router, L3 core switch)?

Hello Fabian,

there is no router; I use the ASA as a router. I have a Cisco EPC 3212 from my provider, and behind it is the ASA 5505. Behind the ASA are two switches from Netgear (GS108E and GS108PE); I think they are not L3 devices. The VPN with iPhone/IPsec worked with this structure very well for three years. I think there has been a problem since Apple iOS 8, but I'm not sure because I don't use the VPN every day.

(Is this correct: route outside 10.10.10.0 255.255.255.0 170.180.1.100 ?? The 170.180.1.100 is the device I want to see/control with my iPhone.)

New Idea:

The firewall dashboard has a window at the lower right of ASDM that displays the Top 10 protected servers under SYN attack. Refer to the attached picture. In this scenario my internal device, the server with IP 170.180.1.100, seems to be getting SYN attacks from my iPhone with IP 10.10.10.1 through the VPN.

Is this the reason why the traffic is blocked?

How can I place a packet capture on the inside interface to see the traffic?

Regards

Hello Fabian,

I found the packet-tracer. It seems packets are dropped because of ACL rules; look at these results for the outside and inside interfaces:

___________________________

Result of the command: "packet-tracer input outside icmp 20.20.20.1 8 0 170.180.1.71 detailed"

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xcc323bf8, priority=1, domain=permit, deny=false
    hits=22875563, user_data=0x0, cs_id=0x0, l3_type=0x8
    src mac=0000.0000.0000, mask=0000.0000.0000
    dst mac=0000.0000.0000, mask=0100.0000.0000
    input_ifc=outside, output_ifc=any

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in   170.180.1.0     255.255.255.0   inside

Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static any any destination static NETWORK_OBJ_20.20.20.0_29 NETWORK_OBJ_20.20.20.0_29 no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface inside
Untranslate 170.180.1.71/0 to 170.180.1.71/0

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static any any destination static NETWORK_OBJ_20.20.20.0_29 NETWORK_OBJ_20.20.20.0_29 no-proxy-arp route-lookup
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xcca63cc0, priority=6, domain=nat, deny=false
    hits=33, user_data=0xcca63208, cs_id=0x0, flags=0x0, protocol=0
    src ip/id=20.20.20.0, mask=255.255.255.248, port=0, tag=0
    dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
    input_ifc=outside, output_ifc=inside

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xcbc8cfe0, priority=0, domain=nat-per-session, deny=true
    hits=152793, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
    src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
    dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
    input_ifc=any, output_ifc=any

Phase: 6
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xcc324898, priority=0, domain=permit, deny=true
    hits=54755, user_data=0x9, cs_id=0x0, use_real_addr, flags=0x1000, protocol=0
    src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
    dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
    input_ifc=outside, output_ifc=any

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

___________________________

Result of the command: "packet-tracer input inside icmp 170.180.1.71 8 0 20.20.20.1 detailed"

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in   20.20.20.1      255.255.255.255 via 130.140.10.1, outside

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static any any destination static NETWORK_OBJ_20.20.20.0_29 NETWORK_OBJ_20.20.20.0_29 no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface outside
Untranslate 20.20.20.1/0 to 20.20.20.1/0

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static any any destination static NETWORK_OBJ_20.20.20.0_29 NETWORK_OBJ_20.20.20.0_29 no-proxy-arp route-lookup
Additional Information:
Static translate 170.180.1.71/0 to 170.180.1.71/0
 Forward Flow based lookup yields rule:
 in  id=0xcca639e0, priority=6, domain=nat, deny=false
    hits=17, user_data=0xcca63150, cs_id=0x0, flags=0x0, protocol=0
    src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
    dst ip/id=20.20.20.0, mask=255.255.255.248, port=0, tag=0, dscp=0x0
    input_ifc=inside, output_ifc=outside

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xcbc8cfe0, priority=0, domain=nat-per-session, deny=true
    hits=152777, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
    src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
    dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
    input_ifc=any, output_ifc=any

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xcc2fe380, priority=0, domain=inspect-ip-options, deny=true
    hits=288712, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
    src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
    dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
    input_ifc=inside, output_ifc=any

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xcc2fde20, priority=66, domain=inspect-icmp-error, deny=false
    hits=922, user_data=0xcc2fd430, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
    src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=0
    dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=0, dscp=0x0
    input_ifc=inside, output_ifc=any

Phase: 7
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xcbdcf398, priority=0, domain=host-limit, deny=false
    hits=84, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
    src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
    dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
    input_ifc=inside, output_ifc=any

Phase: 8
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0xccacbd80, priority=70, domain=encrypt, deny=false
    hits=1, user_data=0x13b62c, cs_id=0x0, reverse, flags=0x0, protocol=0
    src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
    dst ip/id=20.20.20.1, mask=255.255.255.255, port=0, tag=0, dscp=0x0
    input_ifc=any, output_ifc=outside

Phase: 9
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source static any any destination static NETWORK_OBJ_20.20.20.0_29 NETWORK_OBJ_20.20.20.0_29 no-proxy-arp route-lookup
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0xcca641f0, priority=6, domain=nat-reverse, deny=false
    hits=13, user_data=0xcca63208, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
    src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
    dst ip/id=20.20.20.0, mask=255.255.255.248, port=0, tag=0, dscp=0x0
    input_ifc=inside, output_ifc=outside

Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 279868, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_adjacency
snp_fp_encrypt
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
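A packet-tracer dump like the two above can be read mechanically: the phase whose Result is DROP, together with the Drop-reason in the final summary, says where and why the packet was discarded. The following Python parser is an added example, not part of this thread or of Cisco's tooling; its input is a constructed, abridged copy of the outside-interface trace posted above, with the detailed per-rule lines omitted because the parser ignores them anyway.

```python
import re

# Constructed sample: abridged from the outside-interface packet-tracer output above.
TRACE_DROP = """\
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule

Phase: 6
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule

Result:
input-interface: outside
output-interface: inside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def parse_trace(trace):
    """Split a packet-tracer dump into a list of phase dicts and the final summary dict."""
    phases, summary, current = [], {}, None
    for line in trace.splitlines():
        if m := re.match(r"Phase: (\d+)$", line):
            current = {"phase": int(m.group(1))}
            phases.append(current)
        elif line.strip() == "Result:":  # a bare 'Result:' opens the final summary block
            current = summary
        elif (m := re.match(r"([A-Za-z-]+): ?(.*)$", line)) and current is not None:
            current[m.group(1).lower()] = m.group(2).strip()  # e.g. type, result, drop-reason
    return phases, summary

def explain_drop(trace):
    """Return (phase number, phase type, drop reason) for a dropped packet, else None."""
    phases, summary = parse_trace(trace)
    if summary.get("action") != "drop":
        return None
    dropped = next((p for p in phases if p.get("result") == "DROP"), {})
    return dropped.get("phase"), dropped.get("type"), summary.get("drop-reason")

if __name__ == "__main__":
    print(explain_drop(TRACE_DROP))
```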