03-07-2012 05:43 PM
Hi guys,
I'm trying to set up VPN client access on an ASA 5505. It's almost done, but I'm confused by the new NAT rules from v8.3.
The VPN client is able to connect, but there is no traffic after that.
Client IP: 192.168.2.1-192.168.2.5
Local net: 192.168.17.0/24
Remote VPN Site-to-Site network: 192.168.10.0/24 - I'd like to have access after VPN client connect
Here is the current config:
: Saved
:
ASA Version 8.4(3)
!
hostname host
domain-name domain
enable password password encrypted
passwd password encrypted
names
!
interface Ethernet0/0
!
interface Ethernet0/1
shutdown
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
switchport access vlan 100
!
interface Ethernet0/6
switchport trunk allowed vlan 2,6
switchport mode trunk
!
interface Ethernet0/7
shutdown
!
interface Vlan1
description INTERNET
mac-address 1234.5678.0001
nameif WAN
security-level 0
ip address a.a.a.a 255.255.255.248 standby a1.a1.a1.a1
ospf cost 10
!
interface Vlan2
description OLD-PRIVATE
mac-address 1234.5678.0102
nameif OLD-Private
security-level 100
ip address 192.168.17.2 255.255.255.0 standby 192.168.17.3
ospf cost 10
!
interface Vlan6
description MANAGEMENT
mac-address 1234.5678.0106
nameif Management
security-level 100
ip address 192.168.1.2 255.255.255.0 standby 192.168.1.3
ospf cost 10
!
interface Vlan100
description LAN Failover Interface
!
boot system disk0:/asa843-k8.bin
ftp mode passive
clock timezone NZST 12
clock summer-time NZDT recurring 1 Sun Oct 2:00 3 Sun Mar 2:00
dns domain-lookup WAN
dns server-group DefaultDNS
name-server 208.67.222.222
name-server 156.154.70.1
domain-name domain
same-security-traffic permit intra-interface
object network obj-192.168.17.0
subnet 192.168.17.0 255.255.255.0
object network obj-192.168.10.0
subnet 192.168.10.0 255.255.255.0
object network obj-192.168.2.0
subnet 192.168.2.0 255.255.255.0
object network obj-192.168.9.0
subnet 192.168.9.0 255.255.255.0
object network obj-192.168.33.0
subnet 192.168.33.0 255.255.255.0
object network obj-192.168.44.0
subnet 192.168.44.0 255.255.255.0
object network obj_any
object network obj_any-01
object network NETWORK_OBJ_192.168.10.0_24
subnet 192.168.10.0 255.255.255.0
object network NETWORK_OBJ_192.168.17.0_24
subnet 192.168.17.0 255.255.255.0
object network NETWORK_OBJ_192.168.2.0_29
subnet 192.168.2.0 255.255.255.248
object network CiscoVPNClient_nat
subnet 192.168.17.0 255.255.255.0
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service RDP tcp
description RDP
port-object eq 3389
object-group network OFFICE_ALL_VLANS
network-object 192.168.11.0 255.255.255.0
network-object 192.168.10.0 255.255.255.0
network-object 192.168.33.0 255.255.255.0
network-object 192.168.44.0 255.255.255.0
network-object 192.168.55.0 255.255.255.0
network-object 192.168.22.0 255.255.255.0
object-group network subnet-17
network-object 192.168.17.0 255.255.255.0
object-group network subnet-2
network-object 192.168.2.0 255.255.255.0
object-group network subnet-9
network-object 192.168.9.0 255.255.255.0
object-group network subnet-10
network-object 192.168.10.0 255.255.255.0
access-list CiscoVPNClient_splitTunnelAcl extended permit ip object-group subnet-17 object-group subnet-2
access-list CiscoVPNClient_splitTunnelAcl extended permit ip object-group subnet-2 object-group subnet-2
access-list CiscoVPNClient_splitTunnelAcl extended permit ip object-group subnet-2 object-group subnet-17
access-list WAN_access_in extended permit ip any any log debugging
access-list WAN_access_in extended permit tcp any object-group RDP any object-group RDP log debugging
access-list WAN_access_in extended permit icmp a3.a3.a3.a3 255.255.255.248 192.168.10.0 255.255.255.0
access-list MANAGEMENT_access_in extended permit ip any any log debugging
access-list OLD-PRIVATE_access_in extended permit ip any any log debugging
access-list OLD-PRIVATE_access_in extended permit icmp any object-group OFFICE_ALL_VLANS
access-list WAN_1_cryptomap extended permit ip 192.168.17.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list WAN_1_cryptomap extended permit ip 192.168.17.0 255.255.255.0 192.168.11.0 255.255.255.0
access-list WAN_1_cryptomap extended permit ip 192.168.17.0 255.255.255.0 192.168.22.0 255.255.255.0
access-list WAN_1_cryptomap extended permit ip 192.168.17.0 255.255.255.0 192.168.33.0 255.255.255.0
access-list WAN_1_cryptomap extended permit ip 192.168.17.0 255.255.255.0 192.168.44.0 255.255.255.0
access-list WAN_1_cryptomap extended permit ip 192.168.17.0 255.255.255.0 192.168.55.0 255.255.255.0
access-list WAN_cryptomap_2 extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
pager lines 24
mtu WAN 1500
mtu OLD-Private 1500
mtu Management 1500
ip local pool VPN_Admin_IP 192.168.1.150-192.168.1.199 mask 255.255.255.0
ip local pool vpnclient 192.168.2.1-192.168.2.5 mask 255.255.255.0
failover
failover lan unit primary
failover lan interface failover Vlan100
failover polltime interface 15 holdtime 75
failover key *****
failover interface ip failover 192.168.100.1 255.255.255.0 standby 192.168.100.2
asdm image disk0:/asdm-647.bin
no asdm history enable
arp timeout 14400
nat (OLD-Private,WAN) source static subnet-17 subnet-17 destination static OFFICE_ALL_VLANS OFFICE_ALL_VLANS no-proxy-arp
nat (OLD-Private,WAN) source static obj-192.168.17.0 obj-192.168.17.0 destination static obj-192.168.2.0 obj-192.168.2.0
access-group WAN_access_in in interface WAN
access-group OLD-PRIVATE_access_in in interface OLD-Private
access-group MANAGEMENT_access_in in interface Management
route WAN 0.0.0.0 0.0.0.0 a2.a2.a2.a2 1
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa local authentication attempts max-fail 10
http server enable
http a.a.a.a 255.255.255.255 WAN
http 0.0.0.0 0.0.0.0 WAN
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
service resetoutside
crypto ipsec ikev1 transform-set OFFICE esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Office 2 match address WAN_1_cryptomap
crypto map Office 2 set peer b.b.b.b
crypto map Office 2 set ikev1 transform-set OFFICE
crypto map Office 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Office interface WAN
crypto ikev1 enable WAN
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
management-access OLD-Private
dhcpd auto_config OLD-Private
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 129.6.15.28 source WAN prefer
webvpn
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 ssl-client ssl-clientless
group-policy GroupPolicy_b.b.b.b internal
group-policy GroupPolicy_b.b.b.b attributes
vpn-tunnel-protocol ikev1
group-policy CiscoVPNClient internal
group-policy CiscoVPNClient attributes
wins-server value 192.168.17.80 192.168.10.10
dns-server value 208.67.222.222 156.154.70.1
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list none
default-domain value domain
username admin password XHrDm53Lyz1aEtAN encrypted privilege 15
tunnel-group CiscoVPNClient type remote-access
tunnel-group CiscoVPNClient general-attributes
address-pool vpnclient
default-group-policy CiscoVPNClient
tunnel-group CiscoVPNClient ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group b.b.b.b type ipsec-l2l
tunnel-group b.b.b.b general-attributes
default-group-policy GroupPolicy_b.b.b.b
tunnel-group b.b.b.b ipsec-attributes
ikev1 pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
------------------------------------------------------------------------------------------------------------------------------------------------------------
Result of the command: "show crypto ipsec sa"
interface: WAN
Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: a.a.a.a
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.2.1/255.255.255.255/0/0)
current_peer: c.c.c.c, username: admin
dynamic allocated peer ip: 192.168.2.1
#pkts encaps: 751, #pkts encrypt: 751, #pkts digest: 751
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 751, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: a.a.a.a/0, remote crypto endpt.: c.c.c.c/0
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: 5D3CD2FC
current inbound spi : 85561A07
inbound esp sas:
spi: 0x85561A07 (2237012487)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 1044480, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 25045
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0x5D3CD2FC (1564267260)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 1044480, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 25045
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Thanks,
Nick
03-07-2012 07:13 PM
object network NETWORK_OBJ_192.168.10.0_24
subnet 192.168.10.0 255.255.255.0
object-group network subnet-17
network-object 192.168.17.0 255.255.255.0
object network obj-192.168.2.0
subnet 192.168.2.0 255.255.255.0
nat (OLD-Private,WAN) source static subnet-17 subnet-17 destination static obj-192.168.2.0 obj-192.168.2.0 no-proxy-arp route-lookup
nat (WAN,WAN) source static obj-192.168.2.0 obj-192.168.2.0 destination static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 no-proxy-arp route-lookup
nat (WAN,WAN) source static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 destination static obj-192.168.2.0 obj-192.168.2.0 no-proxy-arp route-lookup
Hope this helps.
Let me know how this is coming along.
Thanks
Rizwan Rafeek
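The NAT lines in the reply above, run through a small model of how ASA 8.3+ manual (twice) NAT rules are matched. This is an added example, not the poster's or Cisco's code: the object contents are copied from the posted config into a lookup table, the rule order is assumed to be the original OFFICE_ALL_VLANS exemption followed by the three suggested lines, and the flow addresses (192.168.2.1, 192.168.17.1, 192.168.10.5, 192.168.9.9) are constructed. It shows that each twice-NAT rule matches in both directions, which rule the decrypted VPN-client traffic hits when it enters on WAN, which rule catches the return traffic from the site-to-site peer, and that the VPN pool gets no identity rule at all if only the OFFICE_ALL_VLANS exemption is present.

```python
"""Toy model of ASA 8.3+ manual (twice) NAT matching.

Added example for this thread, not Cisco code: it parses the
"nat (real_if,mapped_if) source static ... destination static ..." lines
posted above and reports which rule a given flow hits and in which
direction, so you can see why the VPN pool needs its own identity rule.
"""
import ipaddress
import re

# Object / object-group contents copied from the posted config (constructed
# lookup table; on the box these names are resolved by the ASA itself).
OBJECTS = {
    "subnet-17": ["192.168.17.0/24"],
    "obj-192.168.17.0": ["192.168.17.0/24"],
    "obj-192.168.2.0": ["192.168.2.0/24"],
    "NETWORK_OBJ_192.168.10.0_24": ["192.168.10.0/24"],
    "OFFICE_ALL_VLANS": ["192.168.11.0/24", "192.168.10.0/24", "192.168.33.0/24",
                         "192.168.44.0/24", "192.168.55.0/24", "192.168.22.0/24"],
}

NAT_RE = re.compile(
    r"nat \((?P<rif>[\w-]+),(?P<mif>[\w-]+)\) source static (?P<rs>\S+) (?P<ms>\S+)"
    r" destination static (?P<rd>\S+) (?P<md>\S+)(?P<opts>.*)$")


def _nets(name):
    return [ipaddress.ip_network(n) for n in OBJECTS[name]]


def _in(addr, nets):
    return any(addr in n for n in nets)


class NatRule:
    def __init__(self, line):
        m = NAT_RE.match(line.strip())
        if not m:
            raise ValueError("not a twice-NAT line: " + line)
        self.line = line.strip()
        self.real_if, self.mapped_if = m["rif"], m["mif"]
        self.real_src, self.mapped_src = _nets(m["rs"]), _nets(m["ms"])
        self.real_dst, self.mapped_dst = _nets(m["rd"]), _nets(m["md"])
        # Identity NAT: real == mapped on both sides, so nothing is rewritten.
        self.identity = m["rs"] == m["ms"] and m["rd"] == m["md"]
        # route-lookup: choose the egress interface from the routing table
        # instead of from the rule's interface pair.
        self.route_lookup = "route-lookup" in m["opts"]

    def match(self, ingress_if, src, dst):
        """Return "forward", "reverse" or None.

        Twice-NAT rules are bidirectional: the reverse direction matches a
        packet entering the mapped interface whose source lies in the mapped
        destination and whose destination lies in the mapped source. That is
        what packet-tracer reports as the UN-NAT phase for decrypted VPN traffic.
        """
        if ingress_if == self.real_if and _in(src, self.real_src) and _in(dst, self.real_dst):
            return "forward"
        if ingress_if == self.mapped_if and _in(src, self.mapped_dst) and _in(dst, self.mapped_src):
            return "reverse"
        return None

    def egress(self, direction):
        """Interface the rule would divert the packet to; None means
        "use the routing table" (route-lookup keyword present)."""
        if self.route_lookup:
            return None
        return self.mapped_if if direction == "forward" else self.real_if


def lookup(rules, ingress_if, src, dst):
    """First match wins, top to bottom, as in NAT section 1 (manual NAT).
    Returns (rule index, direction), or None when no manual rule applies;
    the packet would then fall through to the auto-NAT sections (not modelled)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, rule in enumerate(rules):
        direction = rule.match(ingress_if, src, dst)
        if direction:
            return i, direction
    return None


# Assumed rule order: the original site-to-site exemption from the posted
# config, followed by the three lines suggested in the reply.
THREAD_RULES = [NatRule(l) for l in [
    "nat (OLD-Private,WAN) source static subnet-17 subnet-17 destination static OFFICE_ALL_VLANS OFFICE_ALL_VLANS no-proxy-arp",
    "nat (OLD-Private,WAN) source static subnet-17 subnet-17 destination static obj-192.168.2.0 obj-192.168.2.0 no-proxy-arp route-lookup",
    "nat (WAN,WAN) source static obj-192.168.2.0 obj-192.168.2.0 destination static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 no-proxy-arp route-lookup",
    "nat (WAN,WAN) source static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 destination static obj-192.168.2.0 obj-192.168.2.0 no-proxy-arp route-lookup",
]]

if __name__ == "__main__":
    # Decrypted VPN-client packets enter on WAN with a pool address as source
    # (constructed flows).
    for flow in [("WAN", "192.168.2.1", "192.168.17.1"),          # client -> local LAN
                 ("OLD-Private", "192.168.17.1", "192.168.2.1"),  # local LAN -> client
                 ("WAN", "192.168.2.1", "192.168.10.5"),          # client -> L2L site
                 ("WAN", "192.168.10.5", "192.168.2.1"),          # L2L site -> client
                 ("WAN", "192.168.2.1", "192.168.9.9")]:          # no rule covers this
        print(flow, "->", lookup(THREAD_RULES, *flow))
```

The "reverse" hit for a pool address entering WAN is the same lookup packet-tracer shows as the UN-NAT phase, and the rule that catches the return packet is what its rpf-check phase verifies; `lookup(THREAD_RULES[:1], ...)` returning None for the pool is why the dedicated 192.168.17.0 to 192.168.2.0 identity rule is needed in the first place. Separately, the posted config defines CiscoVPNClient_splitTunnelAcl but the group policy sets `split-tunnel-network-list none`, so that ACL is never pushed to the client; the local ident of 0.0.0.0/0 in the posted `show crypto ipsec sa` output is what a tunnel-all client SA looks like.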
03-07-2012 08:25 PM
Hi Rizwan,
nat (OLD-Private,WAN) source static subnet-17 subnet-17 destination static OFFICE_ALL_VLANS OFFICE_ALL_VLANS no-proxy-arp
nat (WAN,WAN) source static obj-192.168.2.0 obj-192.168.2.0 destination static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 no-proxy-arp route-lookup
nat (WAN,WAN) source static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 destination static obj-192.168.2.0 obj-192.168.2.0 no-proxy-arp route-lookup
nat (OLD-Private,WAN) source static subnet-17 subnet-17 destination static obj-192.168.2.0 obj-192.168.2.0 no-proxy-arp route-lookup
Still no access to either 192.168.17.0 or 192.168.10.0.
host# show crypto ipsec sa entry
peer address: c.c.c.c
Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: a.a.a.a
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.2.1/255.255.255.255/0/0)
current_peer: c.c.c.c, username: admin
dynamic allocated peer ip: 192.168.2.1
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: a.a.a.a/0, remote crypto endpt.: c.c.c.c/0
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: 4D5A2ED2
current inbound spi : 3FCCD1D0
inbound esp sas:
spi: 0x3FCCD1D0 (1070387664)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 1056768, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 28440
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0x4D5A2ED2 (1297755858)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 1056768, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 28437
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
03-07-2012 08:33 PM
If you have an L3 switch inside the network, please make sure that you have in place a static route pushing the VPN-pool segment to the FW's inside address, as shown below.
ip route 192.168.2.0 255.255.255.0 192.168.17.2
Please let me know.
thanks
Rizwan Rafeek
03-07-2012 08:39 PM
No network changes have been made since the VPN client was set up and was working properly. Only the ASA IOS is new. So I think everything is OK with the network environment.
03-07-2012 08:43 PM
Can you access the remote-LAN segment while VPN'd in?
03-07-2012 08:56 PM
No, I'm unable to access any network while connected via the VPN client.
03-07-2012 09:12 PM
The only difference I see in your object creation is that when you create an object you have used the keyword "network-object 192.168.17.0 255.255.255.0", but on my ASA I always use "subnet 192.168.0.0 255.255.255.0" when creating objects for NAT.
I normally create the object as a subnet, as shown below.
Mine:
object network obj-192.168
subnet 192.168.0.0 255.255.255.0
Whereas you have created the object as a "network-object", as shown below. This is the only difference between my setup on the ASA and yours, but the actual NAT statement is identical and it works fine on my ASA.
Yours:
object-group network subnet-17
network-object 192.168.17.0 255.255.255.0
Unless you want to use objects created as "subnet" in the NAT and give it a try again. I think you already have those objects as subnets.
So you may want to delete the previous NAT lines I showed you and add them again with objects that have the "subnet" keyword in them.
03-08-2012 12:56 PM
Hi Rizwan,
Still no luck: 0 bytes sent / 0 received, all packets discarded.
I've added
object network obj-192.168
subnet 192.168.0.0 255.255.0.0
My new nat definitions:
nat (OLD-Private,WAN) source static subnet-17 subnet-17 destination static OFFICE_ALL_VLANS OFFICE_ALL_VLANS no-proxy-arp
nat (WAN,WAN) source static obj-192.168.2.0 obj-192.168.2.0 destination static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 no-proxy-arp route-lookup
nat (WAN,WAN) source static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 destination static obj-192.168.2.0 obj-192.168.2.0 no-proxy-arp route-lookup
nat (OLD-Private,WAN) source static obj-192.168 obj-192.168 destination static obj-192.168 obj-192.168 no-proxy-arp route-lookup
03-08-2012 06:06 PM
Can you please add this line.
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route
Please let me know how that is coming along.
thanks
03-08-2012 06:54 PM
Added, but no results.
03-08-2012 07:03 PM
Just for the sake of diagnostics, please add this route on your internal switch and try; it won't hurt.
ip route 192.168.2.0 255.255.255.0 192.168.17.2
Please let me know.
thanks
Rizwan Rafeek
03-08-2012 07:14 PM
I don't have a Layer 3 switch. It's a Dell PowerConnect 2848.
03-08-2012 07:27 PM
OK, understood. You do have a default gateway on the Dell 2848 and it is pointing to 192.168.17.2, please confirm?
I assume the IP on the Dell 2848 is "192.168.17.1"; if so, can you initiate a packet-tracer as shown below on the ASA and please post the output.
packet-tracer input WAN icmp 192.168.2.1 8 0 192.168.17.1
thanks
03-08-2012 07:43 PM
packet-tracer input WAN icmp 192.168.2.1 8 0 192.168.17.1
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.17.0 255.255.255.0 OLD-Private
Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (OLD-Private,WAN) source static obj-192.168 obj-192.168 destination static obj-192.168 obj-192.168 no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface OLD-Private
Untranslate 192.168.17.1/0 to 192.168.17.1/0
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group WAN_access_in in interface WAN
access-list WAN_access_in extended permit ip any any log debugging
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (OLD-Private,WAN) source static obj-192.168 obj-192.168 destination static obj-192.168 obj-192.168 no-proxy-arp route-lookup
Additional Information:
Phase: 11
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 2919956, packet dispatched to next module
Result:
input-interface: WAN
input-status: up
input-line-status: up
output-interface: OLD-Private
output-status: up
output-line-status: up
Action: allow