ASA VPN routes missing

rbm108 (Level 1)

Hi and thanks for reading.

I'm in the process of setting up IPSec VPN on the ASA. The initial phase was successful - I applied the certificate, AnyConnect images, etc., and as a result can connect to the gateway. The problem I'm facing is that I can neither reach any of the internal VLANs, nor can I go outside... Any hints are much appreciated, as I'm running out of ideas.

The configuration of the ASA is as follows:

ASA Version 9.1(2)
!
hostname ASA
enable password ******* encrypted
names
ip local pool VPN_POOL 10.194.0.10-10.194.0.100 mask 255.255.254.0
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 123.44.120.22 255.255.255.248 standby 123.44.120.21
!
interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1.90
 vlan 90
 nameif bn_management
 security-level 100
 ip address 10.192.0.1 255.255.255.0 standby 10.192.0.2
!
interface GigabitEthernet0/1.100
 vlan 100
 nameif main
 security-level 60
 ip address 123.45.139.254 255.255.252.0 standby 123.45.139.253
!
interface GigabitEthernet0/1.110
 vlan 110
 nameif vpn
 security-level 60
 ip address 10.194.0.1 255.255.254.0 standby 10.194.0.2
!
interface GigabitEthernet0/1.120
 vlan 120
 nameif v120
 security-level 70
 ip address 10.194.2.1 255.255.254.0 standby 10.194.2.2
!
interface GigabitEthernet0/1.130
 vlan 130
 nameif v130
 security-level 70
 ip address 10.194.4.1 255.255.254.0 standby 10.194.4.2
!
interface GigabitEthernet0/1.200
 vlan 200
 nameif v200
 security-level 40
 ip address 10.196.0.1 255.255.252.0 standby 10.196.0.2
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/7
 description LAN Failover Interface
!
interface Management0/0
 management-only
 nameif management
 security-level 95
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
!
boot system disk0:/asa912-smp-k8.bin
ftp mode passive
same-security-traffic permit inter-interface
object network management_private
 subnet 10.192.0.0 255.255.255.0
object network v200_public
 host 123.44.120.19
object network v200_private
 subnet 10.196.0.0 255.255.252.0
object network management_services_public
 host 123.44.120.20
object service WWW_PORTS
 service tcp destination eq https
object network v120_private
 subnet 10.194.2.0 255.255.254.0
object network v130_private
 subnet 10.194.4.0 255.255.254.0
object network vpn_pool
 subnet 10.194.0.0 255.255.254.0
object network vpn_public
 host 123.44.120.18
object-group network WEBSERVERS
 network-object host 123.45.136.200
 network-object host 123.45.136.202
object-group network UW_SOURCE
 network-object host 109.74.242.9
 network-object host 109.74.242.11
object-group network UW_DESTINATION
 network-object host 123.45.139.208
object-group network DOMAIN_CONTROLLER
 network-object host 123.45.139.205
object-group service VPN_PORTS tcp-udp
 port-object eq 1701
 port-object eq 1723
 port-object eq 500
 port-object eq 443
 port-object eq 50
 port-object eq 4500
 port-object eq 47
object-group network INTERNAL_SUBNETS
 description Object-group for internal subnets
 network-object 10.192.0.0 255.255.255.0
 network-object 10.196.0.0 255.255.252.0
 network-object 10.194.2.0 255.255.254.0
 network-object 10.194.4.0 255.255.254.0
object-group network SUPERUSERS
 network-object host 123.45.136.76
 network-object host 123.45.136.80
object-group network v120_VLAN
 network-object 10.194.2.0 255.255.254.0
object-group network v120_SOURCES
 network-object host 123.45.136.24
object-group network v130_VLAN
 network-object 10.194.4.0 255.255.254.0
object-group network v130_SOURCES
 network-object host 123.45.136.76
 network-object host 123.45.139.125
 network-object host 123.45.136.129
 network-object host 123.45.136.83
 network-object host 123.45.136.10
access-list MAIN_IN extended permit icmp object-group SUPERUSERS object-group INTERNAL_SUBNETS
access-list MAIN_IN extended permit ip object-group SUPERUSERS object-group INTERNAL_SUBNETS
access-list MAIN_IN extended permit ip object-group v130_SOURCES object-group v130_VLAN
access-list MAIN_IN extended permit ip object-group v120_SOURCES object-group v120_VLAN
access-list MAIN_IN extended deny ip any object-group INTERNAL_SUBNETS
access-list MAIN_IN extended permit ip any any
access-list v200_IN remark v200 TRAFFIC
access-list v200_IN extended permit icmp any any
access-list v200_IN extended permit tcp any object-group WEBSERVERS eq www
access-list v200_IN extended permit tcp any object-group WEBSERVERS eq https
access-list v200_IN extended permit ip any any
access-list NETFLOW_HOSTS extended permit ip any any
access-list DATA_IN remark PERMITTED INCOMING TRAFFIC
access-list DATA_IN extended permit icmp any object-group WEBSERVERS
access-list DATA_IN extended permit tcp any object-group WEBSERVERS eq www
access-list DATA_IN extended permit tcp any object-group WEBSERVERS eq https
access-list DATA_IN extended permit tcp any object-group DOMAIN_CONTROLLER object-group VPN_PORTS
access-list DATA_IN extended permit udp any object-group DOMAIN_CONTROLLER object-group VPN_PORTS
access-list DATA_IN extended permit tcp object-group UW_SOURCE object-group UW_DESTINATION eq 5000
access-list DATA_IN extended permit udp object-group UW_SOURCE object-group UW_DESTINATION eq 5000
access-list v130_IN extended permit ip any any
access-list v120_IN extended permit ip any any
access-list VPN_IN remark traffic permitted from vpn
access-list VPN_IN extended permit ip any interface outside
access-list VPN_IN extended permit ip any any
pager lines 24
logging enable
logging timestamp
logging console informational
logging asdm informational
logging queue 0
logging host main 123.45.136.30
logging debug-trace
logging message 313001 level debugging
logging message 713130 level informational
logging message 713257 level informational
logging message 713228 level notifications
logging message 713184 level notifications
flow-export destination main 123.45.136.30 2055
flow-export template timeout-rate 1
flow-export delay flow-create 60
mtu outside 1500
mtu bn_management 1500
mtu main 1500
mtu vpn 1500
mtu v120 1500
mtu v130 1500
mtu v200 1500
mtu management 1500
failover
failover lan unit primary
failover lan interface FAILOVER_LINK GigabitEthernet0/7
failover interface ip FAILOVER_LINK 172.16.0.1 255.255.255.0 standby 172.16.0.2
monitor-interface bn_management
monitor-interface main
monitor-interface vpn
monitor-interface v120
monitor-interface v130
monitor-interface v200
icmp unreachable rate-limit 1 burst-size 1
icmp permit any vpn
asdm image disk0:/asdm-731-101.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (bn_management,outside) source dynamic management_private management_services_public
nat (v200,outside) source dynamic v200_private v200_public
nat (v120,outside) source dynamic v120_private management_services_public
nat (v130,outside) source dynamic v130_private management_services_public
nat (vpn,outside) source dynamic vpn_pool vpn_public
access-group DATA_IN in interface outside
access-group MAIN_IN in interface main
access-group VPN_IN in interface vpn
access-group v120_IN in interface v120
access-group v130_IN in interface v130
access-group v200_IN in interface v200
route outside 0.0.0.0 0.0.0.0 123.44.120.17 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
 webvpn
  svc ask enable default svc
aaa-server BN_AAA protocol ldap
aaa-server BN_AAA (main) host 123.45.139.201
 timeout 5
 server-type auto-detect
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.192.0.0 255.255.255.0 bn_management
snmp-server host main 123.45.136.30 community *****
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint TRENDMICRO
 enrollment terminal
 fqdn vpn.asa-gw.co
 subject-name CN=vpn.asa-gw.co, OU=some, O=some, L=some, ST=some, C=GB
 keypair VPN_SERVICE
 crl configure
crypto ca trustpoint ASDM_TrustPoint0
 enrollment terminal
 crl configure
crypto ca trustpoint ASDM_TrustPoint1
 enrollment terminal
 crl configure
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
 enrollment self
 subject-name CN=10.192.0.1,CN=ASA
 crl configure
crypto ca trustpool policy
crypto ca certificate chain TRENDMICRO
 certificate 34cc4cb00ae501b8
    308204cd......
  quit
 certificate ca 5b469990ec759d34
    30820478......
  quit
crypto ca certificate chain ASDM_TrustPoint0
 certificate ca 272b67229745d2438bf9774186aebd
    3082069c......
  quit
crypto ca certificate chain ASDM_TrustPoint1
 certificate ca 00bb401c43f55e4fb0
    308205ba......
  quit
crypto ca certificate chain ASDM_Launcher_Access_TrustPoint_0
 certificate 590c2254
    308202ea......
  quit
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint TRENDMICRO
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 130
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 123.45.138.202 255.255.255.255 bn_management
ssh 10.192.0.0 255.255.255.0 bn_management
ssh 123.45.136.0 255.255.252.0 main
ssh 123.45.138.202 255.255.255.255 main
ssh 123.45.138.202 255.255.255.255 management
ssh timeout 10
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access bn_management
dhcpd dns 123.45.1.180 123.44.2.1
!
dhcpd address 10.192.0.200-10.192.0.230 bn_management
dhcpd enable bn_management
!
dhcpd address 10.194.3.200-10.194.3.230 v120
dhcpd enable v120
!
dhcpd address 10.196.0.32-10.196.1.31 v200
!
dhcpd address 192.168.1.3-192.168.1.254 management
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 123.45.1.160
ntp server 123.44.2.160
ntp server 123.45.1.164
ntp server 123.44.2.164
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 bn_management vpnlb-ip
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 bn_management
ssl trust-point TRENDMICRO outside
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-3.1.05182-k9.pkg 1
 anyconnect image disk0:/anyconnect-macosx-i386-3.1.05182-k9.pkg 2
 anyconnect image disk0:/anyconnect-linux-3.1.05182-k9.pkg 3
 anyconnect profiles BN_VPN_client_profile disk0:/BN_VPN_client_profile.xml
 anyconnect enable
 tunnel-group-list enable
group-policy GroupPolicy_BN_VPN internal
group-policy GroupPolicy_BN_VPN attributes
 wins-server none
 dns-server value 123.45.1.1 123.44.2.1
 vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec
 default-domain value asa-gw.co
 webvpn
  anyconnect profiles value BN_VPN_client_profile type user
username admin password EoGC0ChIqyj0NIb5 encrypted privilege 15
username rzachlod password LnL.KcibQZ1OMF/d encrypted
tunnel-group BN_VPN type remote-access
tunnel-group BN_VPN general-attributes
 address-pool VPN_POOL
 default-group-policy GroupPolicy_BN_VPN
tunnel-group BN_VPN webvpn-attributes
 group-alias BN_VPN enable
!
class-map CX
 match any
class-map inspection_default
 match default-inspection-traffic
class-map NetFlow-traffic
 match access-list NETFLOW_HOSTS
class-map ins
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect icmp error
  inspect pptp
 class NetFlow-traffic
  flow-export event-type flow-create destination 123.45.136.30
  flow-export event-type all destination 123.45.136.30
 class CX
  cxsc fail-open
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:6be83997815380c8523971f8e7925de8
: end
The mention of VPN in ACLs refers to L2TP run on a Windows server - I intend to replace this existing solution with IPSec to the ASA.
The 'Route Details' on AnyConnect only shows the 0.0.0.0/0 route. Upon connecting to the ASA, I basically end up in a black hole. I thought the problem was with NAT, but having tried to sort it out, I'm still stuck...

My plan is to get the VPN to work in the first instance, and later on to create a group for superusers, permitting access to management VLANs etc. I hope it's something trivial that I overlooked, as I have set up VPN on ASA in the past and didn't encounter issues :/

As always, any tips are greatly appreciated!
4 Replies

It seems that you are missing the following:

1) the NAT-Exemption for your internal systems

2) a nat (outside,outside) and "same-security-traffic permit intra-interface" for accessing the internet

Hi Karsten and thanks for the suggestion!

I have exempted internal networks and can connect them via the VPN connection. I also got connectivity to the outside world with nat (outside,outside) and 'same-security-traffic permit intra-interface'.

A question remains though. At the moment, all traffic gets out of the network through the 'outside' interface IP (.22). I'd rather use a dedicated address from the /29 on GigabitEthernet0/0. Is it possible to achieve that? To put it differently, I'd like to NAT the VPN range onto an address that is not the 'outside' interface, like I did in this statement, for instance:

nat (v200,outside) source dynamic v200_private v200_public
My other question is, whether the single NAT statement [nat (outside,outside) dynamic interface] is sufficient for VPN traffic and whether the original statement can be removed [nat (vpn,outside) source dynamic vpn_pool vpn_public].

Thanks once again for the tips!

R.

You can use a different IP for this traffic if you want. And you can combine the NAT-statements into one single statement. The config could look like the following:

object network PAT-OUTSIDE
 host a.b.c.23
nat (any,outside) after-auto source dynamic any PAT-OUTSIDE
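Putting Karsten's two earlier points (NAT exemption and the outside-to-outside hairpin) together with the single PAT statement above, as an added example that is not part of the thread: it reuses the object names from the posted config, keeps his a.b.c.23 placeholder, and relies on the standard ASA 8.3+ NAT table ordering (manual NAT section 1, object NAT section 2, manual NAT with after-auto section 3).

```cisco
! Added example (not from the thread). Object names INTERNAL_SUBNETS and
! vpn_pool come from the posted config; a.b.c.23 is the placeholder from
! Karsten's reply and stands for a free address in the outside /29.
!
! 1) Hairpin: decrypted client traffic enters on 'outside' and, for the
!    Internet, must leave via 'outside' again. Without this the ASA drops it.
same-security-traffic permit intra-interface
!
! 2) NAT exemption (identity twice NAT) between the internal subnets and the
!    VPN pool. The posted per-VLAN 'nat (x,outside) source dynamic ...' rules
!    are manual NAT in section 1 and are evaluated in configuration order,
!    so the exemption is given line number 1 to sit above them.
!    'route-lookup' lets the routing table pick the egress interface for
!    replies; 'no-proxy-arp' stops the ASA answering ARP for pool addresses.
nat (any,outside) 1 source static INTERNAL_SUBNETS INTERNAL_SUBNETS destination static vpn_pool vpn_pool no-proxy-arp route-lookup
!
! 3) One catch-all PAT in section 3 ('after-auto'). It only sees traffic not
!    already matched in sections 1 and 2, so it covers VPN clients heading
!    back out of 'outside' (source interface 'outside' is included in 'any').
!    If the per-VLAN dynamic rules are kept, they keep winning for their own
!    subnets; remove them to make this the single egress PAT Karsten suggests.
object network PAT-OUTSIDE
 host a.b.c.23
nat (any,outside) after-auto source dynamic any PAT-OUTSIDE
!
! Checks after applying (addresses are constructed from the pool and VLAN 90):
!   show nat detail
!     -> translate_hits on the exemption line should rise as clients talk
!        to internal hosts; the PAT line should count Internet-bound flows.
!   packet-tracer input outside tcp 10.194.0.10 1025 10.192.0.10 22
!     -> walks a VPN client packet through NAT, ACL and routing; the NAT
!        phase should report the identity rule, not the dynamic PAT.
!   packet-tracer input outside tcp 10.194.0.10 1025 8.8.8.8 443
!     -> should show the after-auto PAT to a.b.c.23 and egress on 'outside'.
```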
Many thanks for the tip, Karsten!

It took me a while to respond, but your suggestion solved my problem.

Best,

R.