cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2997
Views
15
Helpful
19
Replies

ASA VPN client unable to reach host via IPSEC tunnel

Calin Cristea
Level 1
Level 1


Hello techs. I have the following scenario:

VPN Client >> ASA >>IPSEC TUNNEL >> Host. VPN client is unable to reach host from remote location via ipsec tunnel (10.10.10.1)
Local users connected to ASA are able to reach remote host via IPSEC TUNNEL (10.10.10.1)
Also VPN client is able to reach all hosts local connected to ASA . ASA Version 9.8.
Here is the scenario.


object-group network NO_NAT_LAN
network-object 1.1.0.0 255.255.0.0
network-object 2.2.0.0 255.255.0.0

object-group network NO_NAT_EXT
network-object 10.10.10.0 255.255.255.0

access-list ACL_VPN extended permit ip 1.1.0.0 255.255.0.0 10.10.10.0 255.255.255.0
access-list ACL_VPN extended permit ip 2.2.0.0 255.255.0.0 10.10.10.0 255.255.255.0


same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

nat (inside,outside) source static NO_NAT_LAN NO_NAT_LAN destination static NO_NAT_EXT NO_NAT_EXT

 

tunnel-group 3.3.3.3 type ipsec-l2l
tunnel-group 3.3.3.3 ipsec-attributes
ikev1 pre-shared-key ...

 

crypto map mymap 10 match address ACL_VPN
crypto map mymap 10 set pfs group5
crypto map mymap 10 set peer 3.3.3.3
crypto map mymap 10 set ikev1 transform-set ....


access-list OUT extended permit ip 10.10.10.0 255.255.255.0 1.1.0.0

19 Replies 19

Peter Koltl
Level 7
Level 7

You need to watch the ASA logs live while sending packets from the VPN client.

logging asdm debugging

or 

logging buffered debugging

then filter the logs for 1.1.1.80

 

Do not try to NAT the client. Especially not with

nat (outside,inside) 

your topologies is like this

 

anyconnect-client--------->ASA--------Site2Stitevpn-----Router-----10.10.10.0/24

                                               |

                                             LAN 2.x.x.x

 

LAN and Remote site have a full connectivilty bi-directional.

now the issue is your vpnclient (anyconnect) is not able to each the remote subnet 10.10.10.0/24 right?

now coud you confirm if your anyconnect client can reach the LAN resources? As i do not see a nat rule for your LAN to VPNClient. if ou require this than you need NAT rule.

 nat (inside,outside) souce static LAN LAN destin static ANYCONNECT-POOL ANYCONNECT-POOL

 

now your anyconnect client pool can not reach remtoe subnet on tunnel at router.

you need a nat satement.

 

 

nat (outside,inside) source dynamic ANYCONNECT-POOL interface

 

this above command say ANYCONNECT pool comming from outside translate it to inside interface address.

 

or

nat (outside,inside) source dynamic ANYCONNECT-POOL interface destin static REMOTE-VPN REMOTE-VPN

 

please do not forget to rate.

Calin Cristea
Level 1
Level 1

Hello,

I have tried the above settings, still not ok
I`ve notice this log:

Teardown ICMP connection for faddr 10.10.10.1/1(LOCAL\username) gaddr 1.1.1.10/0 laddr 1.1.1.10/0 (username) type 8 code 0

Faddr 1 = 1.1.1.10 (vpn client ip)
Gaddr = 10.10.10.1/0 (remote ip)

2.2.2.0 - Lan ip behind ASA - working

Packet tracer is ok.

#sh crypto ipsec sa detail from local subnet behind ASA (working)

access-list ACL_VPN extended permit ip 2.2.2.0 255.255.255.0 10.10.10.0 255.255.255.0
local ident (addr/mask/prot/port): (2.2.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
current_peer: remote public IP


#pkts encaps: 2461, #pkts encrypt: 2461, #pkts digest: 2461
#pkts decaps: 2414, #pkts decrypt: 2414, #pkts verify: 2414
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 2461, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#pkts no sa (send): 0, #pkts invalid sa (rcv): 0
#pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0
#pkts invalid prot (rcv): 0, #pkts verify failed: 0
#pkts invalid identity (rcv): 0, #pkts invalid len (rcv): 0
#pkts invalid pad (rcv): 0,
#pkts invalid ip version (rcv): 0,
#pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0
#pkts replay failed (rcv): 0
#pkts min mtu frag failed (send): 0, #pkts bad frag offset (rcv): 0
#pkts internal err (send): 0, #pkts internal err (rcv): 0

local crypto endpt.: MYPUBLIC IP/0, remote crypto endpt.: remote public IP/0
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 241AA068
current inbound spi : 35D8D9CB


#sh crypto ipsec sa detail from VPN client ip


access-list ACL_VPN extended permit ip 1.1.1.0 255.255.255.0 10.10.10.0 255.255.255.0
local ident (addr/mask/prot/port): (1.1.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
current_peer: REMOTE PUBLIC IP


#pkts encaps: 489, #pkts encrypt: 489, #pkts digest: 489
#pkts decaps: 494, #pkts decrypt: 494, #pkts verify: 494
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 489, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#pkts no sa (send): 0, #pkts invalid sa (rcv): 0
#pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0
#pkts invalid prot (rcv): 0, #pkts verify failed: 0
#pkts invalid identity (rcv): 0, #pkts invalid len (rcv): 0
#pkts invalid pad (rcv): 0,
#pkts invalid ip version (rcv): 0,
#pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0
#pkts replay failed (rcv): 0
#pkts min mtu frag failed (send): 0, #pkts bad frag offset (rcv): 0
#pkts internal err (send): 0, #pkts internal err (rcv): 0

local crypto endpt.: OUR PUBLC IP/0, remote crypto endpt.: REMOTE PUBLIC IP/0
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: A14540B6
current inbound spi : 4DB99912

Schema is like this:

anyconnect-client--------->ASA--------Site2Sitevpn----- Oracle Firewall-----10.10.10.0/24
|
LOCAL CISCO ROUTER
|
LAN 2.x.x.x


If i do a traceroute from ASA to remote ip 10.10.10.1, next hop is LOCAL CISCO ROUTER, than *
If i do a traceroute from LOCAL CISCO ROUTER to remote ip 10.10.10.1, next hop is LOCAL CISCO ROUTER itself, than nothing.

Lan users (2.x.x.x) reach remote 10.10.10.1 through CISCO ROUTER, then ASA.
Traceroute from local lan behind ASA is blocked , doesn`t show me something.
LOCAL CISCO ROUTER does not have a specific route to 10.10.10.0, only a default route towards ASA.
Can this be a routing problem?

ok I have test this in a lab and it worked. here is my setup.

 

Anyconnect-Client-----outsideInterface----ASA--------outsideInterface-------sidetositeVPNTunnel------Router----LAN

                                                                            |--Inside-LAN

                                                                            |

                                                                        192.168.x.x

 

1. you need to define a tunnel-group for Anyconnect-Client. In tunnel-group Anyconnect you will define a group-policy and here must define a standard access-list for the remote-vpn-lan network.

 

 

2. you need to have a NAT for your anyconnect-client example

nat (inside,outside) source static ASA-LOCAL-LAN ASA-LOCAL-LAN destin static ANYCONNECT-POOL ANYCONNECT-POOL no-proxy-arp

 

 

3. for site to site vpn for remote network you have to define your anyconnect-pool object name in nat statement.

nat (Inside,outside) source static ANYCONNECT-POOL ANYCONNECT-POOL destin static REOMTE-LAN REMOTE-LAN no-proxy-arp route lookup.

 

for point 3 make sure you access-list matches/mirror as same on your ASA and on your remote Router.

 

i had permit "same-security-traffic permit inter-interface|same-security-traffic permit intra-interface"

if still having the issues share your configuration.

please do not forget to rate.