ASA 5505 VPN Woes

FulcherAnthony
Level 1

I've been attempting this for 3 days now and cannot figure out what's wrong. Network structure: WAN modem (Motorola) hands a DHCP-provided IP to ---> ASA5505 ---> LAN. The ASA is the only firewall and acts as DHCP server.

PROBLEM: Trying to access LAN resources using Cisco VPN Client v.5.xxxx and IPsec. I'm able to get a valid ISAKMP SA and IPsec SA tunnel but cannot ping anything on my internal LAN (the LAN BEHIND the ASA), nor ping from the internal LAN to the external LAN. I'm using a split-tunnel and my VPN Client route shows protected traffic for subnet 192.168.1.0 (my internal LAN behind the ASA) AND I'm able to hit the internet once connected, just not anything on my LAN.

I recently read a post stating to change ip local pool to be on same LAN subnet.  I tried this too and still no access to LAN behind ASA.

 

ASA Version 7.2(4)
!
hostname FulchasASA
enable password xxxxxx encrypted
passwd xxxxxxx encrypted
names
!
interface Vlan1
 description Out to ISP
 nameif OUTSIDE
 security-level 0
 ip address dhcp setroute
!
interface Vlan50
 description DMZ
 no forward interface Vlan100
 nameif DMZ
 security-level 50
 ip address 10.20.20.254 255.255.255.0
!
interface Vlan100
 description Inside to Fulcha LAN
 nameif INSIDE
 security-level 100
 ip address 192.168.1.254 255.255.255.0
!
interface Ethernet0/0
 description Port 0 to OUTSIDE ISP
!
interface Ethernet0/1
 shutdown
!
interface Ethernet0/2
 speed 100
 duplex full
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 description Port 6 to DMZ
 switchport access vlan 50
!
interface Ethernet0/7
 description Port 7 to INSIDE
 switchport access vlan 100
!
banner motd
banner motd +......................-+
banner motd | |
banner motd | *** Unauthorized Use or Access Prohibited *** |
banner motd | |
banner motd | For Authorized Official Use Only |
banner motd | You must have explicit permission to access or |
banner motd | configure this device. All activities performed |
banner motd | on this device may be logged, and violations of |
banner motd | this policy may result in disciplinary action, and |
banner motd | may be reported to law enforcement authorities. |
banner motd | |
banner motd | There is no right to privacy on this device. |
banner motd | |
banner motd +......................-+
banner motd
ftp mode passive
clock timezone CDT -6
clock summer-time CDT recurring
!
object-group icmp-type DefaultICMP
 description Default ICMP Types permitted
 icmp-object echo-reply
 icmp-object unreachable
 icmp-object time-exceeded
access-list acl_outside extended permit icmp any any time-exceeded
access-list acl_outside extended permit icmp any any unreachable
access-list acl_outside extended permit icmp any any echo-reply
access-list nonat remark ACL for NAT bypass
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list tunnel remark Identifies tunnel traffic bt remote client and home LAN
access-list split_tunnel remark The Fulcha LAN behind ASA
access-list split_tunnel standard permit 192.168.1.0 255.255.255.0
!
pager lines 24
logging enable
logging monitor debugging
mtu OUTSIDE 1500
mtu DMZ 1500
mtu INSIDE 1500
!
ip local pool vpnpool 192.168.2.1-192.168.2.10
!
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
!
global (OUTSIDE) 10 interface
nat (DMZ) 10 10.20.20.0 255.255.255.0
nat (INSIDE) 0 access-list nonat
nat (INSIDE) 10 192.168.1.0 255.255.255.0
route INSIDE 192.169.2.0 255.255.255.0 192.168.1.254 1
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
!
crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 14400
crypto dynamic-map DYNMAP 10 set transform-set myset
crypto map FULCHA 65535 ipsec-isakmp dynamic DYNMAP
crypto map FULCHA interface OUTSIDE
crypto isakmp identity address
crypto isakmp enable OUTSIDE
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash md5
 group 5
 lifetime 14400
crypto isakmp policy 20
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 14400
crypto isakmp policy 30
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 14400
crypto isakmp policy 40
 authentication pre-share
 encryption aes-192
 hash md5
 group 2
 lifetime 14400
crypto isakmp policy 50
 authentication pre-share
 encryption aes-192
 hash md5
 group 1
 lifetime 14400
crypto isakmp policy 60
 authentication pre-share
 encryption 3des
 hash sha
 group 1
 lifetime 14400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 14400
crypto isakmp nat-traversal  20
!
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 INSIDE
ssh timeout 30
ssh version 2
console timeout 0
!
dhcpd dns 208.67.222.222 208.67.220.220
dhcpd lease 691200
dhcpd ping_timeout 750
!
dhcpd address 10.20.20.1-10.20.20.2 DMZ
dhcpd enable DMZ
!
dhcpd address 192.168.1.60-192.168.1.250 INSIDE
dhcpd enable INSIDE
!
group-policy FULCHA_IPSEC internal
group-policy FULCHA_IPSEC attributes
 vpn-idle-timeout 15
 vpn-tunnel-protocol IPSec
 pfs disable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_tunnel
username test password 4ppf9Q1AsNTbNign encrypted privilege 15
username tony password 08E6Ndr157TDDXK3 encrypted privilege 15
tunnel-group FULCHA-VPN type ipsec-ra
tunnel-group FULCHA-VPN general-attributes
 address-pool vpnpool
 default-group-policy FULCHA_IPSEC
tunnel-group FULCHA-VPN ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
.......OMITTED
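An added example, not part of the thread and not a Cisco tool: a small Python checker that cross-references the VPN pool, the nonat exemption ACL, the split-tunnel list and the static routes in a constructed excerpt of the config above, and flags a static route that matches neither the pool nor the split-tunnel network, as the `route INSIDE 192.169.2.0` line does. The excerpt, the function names and the check rules are assumptions for illustration.

```python
import ipaddress
import re

# Constructed excerpt of the config posted above (not the full ASA config).
ASA_CONFIG = """
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list split_tunnel standard permit 192.168.1.0 255.255.255.0
ip local pool vpnpool 192.168.2.1-192.168.2.10
nat (INSIDE) 0 access-list nonat
route INSIDE 192.169.2.0 255.255.255.0 192.168.1.254 1
"""

def net(addr, mask):
    # ASA config writes dotted masks; ip_network accepts "addr/mask" with strict=False.
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def check_vpn_config(cfg):
    """Heuristic lint: return findings on pool / NAT-exemption / route consistency."""
    pools, exempt_dst, split, routes = {}, [], [], []
    for line in cfg.splitlines():
        if m := re.match(r"ip local pool (\S+) (\S+)-(\S+)", line):
            pools[m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif m := re.match(r"access-list nonat extended permit ip \S+ \S+ (\S+) (\S+)", line):
            exempt_dst.append(net(m[1], m[2]))
        elif m := re.match(r"access-list split_tunnel standard permit (\S+) (\S+)", line):
            split.append(net(m[1], m[2]))
        elif m := re.match(r"route (\S+) (\S+) (\S+) (\S+)", line):
            routes.append((m[1], net(m[2], m[3])))
    findings = []
    for name, (lo, hi) in pools.items():
        # Without a NAT exemption covering the pool, LAN replies to clients get PATed.
        if not any(lo in n and hi in n for n in exempt_dst):
            findings.append(f"pool {name} ({lo}-{hi}) is not covered by the nonat ACL")
    for ifname, dst in routes:
        covers_pool = any(lo in dst for lo, _ in pools.values())
        covers_lan = any(dst.overlaps(s) for s in split)
        if covers_pool:
            # The ASA installs routes for connected clients itself; a static route is redundant.
            findings.append(f"route {dst} via {ifname} is unnecessary for the VPN pool")
        elif not covers_lan:
            findings.append(f"route {dst} via {ifname} matches no pool or split-tunnel "
                            "network (possible typo)")
    return findings

if __name__ == "__main__":
    for finding in check_vpn_config(ASA_CONFIG):
        print(finding)
```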

 

5 Replies 5

pjain2
Cisco Employee

 

Please connect an IPsec VPN client user to the ASA and capture the below packet-tracer output:

packet-tracer input OUTSIDE icmp <vpn client assigned pool ip> 8 0 192.168.1.100 detailed

 

Hi,

I don't see a "route outside" statement for a route to the Internet.

Also, with the VPN client, go to Status when connected to make sure it has an IP address.

 

HTH

Richard

At first I thought that it might be a routing problem. But then I noticed this in the config

 ip address dhcp setroute

and I believe that takes care of the default route for traffic going outside. I did notice this route and wonder about it

route INSIDE 192.169.2.0 255.255.255.0 192.168.1.254 1

I assume that you added it as part of trying to solve the issue with the VPN client. You do not need this route on the ASA (it already knows that 192.168.2.0 is the VPN address pool and knows how to reach it). I do wonder about the possibility that there is routing confusion on the LAN about how to access 192.168.2.0. From a PC on the LAN could you post the output of ipconfig and of route print?

 

HTH

 

Rick 


Ok. I've removed that route and totally agree with you. Also, I'm attempting to get the latest update from Cisco so I can retry everything. Post 8.4 will have some differences in nat and acl. I hope to have something new for you by end of day. 

 

I understand wanting to get to more current code. And certainly at 8.3 there is a significantly different way of doing access list filtering and doing NAT. In your config they should be relatively easy to deal with. I do not believe that the version of code on the ASA has any bearing on this issue.

 

Let us know when you do have more information for us to try to understand your problem.

 

HTH

 

Rick
