ASA5505 v8.4(3) cisco VPN client setup

Nick Sinyakov
Level 1

Hi guys,

I'm trying to set up VPN client access on an ASA5505. It's almost done, but I'm confused by the new NAT rules in v8.3.

The VPN client is able to connect, but there is no traffic after that.

Client IP: 192.168.2.1-192.168.2.5

Local net: 192.168.17.0/24

Remote VPN site-to-site network: 192.168.10.0/24 - I'd like to have access to it after the VPN client connects.

Here is the current config:

: Saved
:
ASA Version 8.4(3)
!
hostname host
domain-name domain
enable password password encrypted
passwd password encrypted
names
!
interface Ethernet0/0
!
interface Ethernet0/1
 shutdown
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 switchport access vlan 100
!
interface Ethernet0/6
 switchport trunk allowed vlan 2,6
 switchport mode trunk
!
interface Ethernet0/7
 shutdown
!
interface Vlan1
 description INTERNET
 mac-address 1234.5678.0001
 nameif WAN
 security-level 0
 ip address a.a.a.a 255.255.255.248 standby a1.a1.a1.a1
 ospf cost 10
!
interface Vlan2
 description OLD-PRIVATE
 mac-address 1234.5678.0102
 nameif OLD-Private
 security-level 100
 ip address 192.168.17.2 255.255.255.0 standby 192.168.17.3
 ospf cost 10
!
interface Vlan6
 description MANAGEMENT
 mac-address 1234.5678.0106
 nameif Management
 security-level 100
 ip address 192.168.1.2 255.255.255.0 standby 192.168.1.3
 ospf cost 10
!
interface Vlan100
 description LAN Failover Interface
!
boot system disk0:/asa843-k8.bin
ftp mode passive
clock timezone NZST 12
clock summer-time NZDT recurring 1 Sun Oct 2:00 3 Sun Mar 2:00
dns domain-lookup WAN
dns server-group DefaultDNS
 name-server 208.67.222.222
 name-server 156.154.70.1
 domain-name domain
same-security-traffic permit intra-interface
object network obj-192.168.17.0
 subnet 192.168.17.0 255.255.255.0
object network obj-192.168.10.0
 subnet 192.168.10.0 255.255.255.0
object network obj-192.168.2.0
 subnet 192.168.2.0 255.255.255.0
object network obj-192.168.9.0
 subnet 192.168.9.0 255.255.255.0
object network obj-192.168.33.0
 subnet 192.168.33.0 255.255.255.0
object network obj-192.168.44.0
 subnet 192.168.44.0 255.255.255.0
object network obj_any
object network obj_any-01
object network NETWORK_OBJ_192.168.10.0_24
 subnet 192.168.10.0 255.255.255.0
object network NETWORK_OBJ_192.168.17.0_24
 subnet 192.168.17.0 255.255.255.0
object network NETWORK_OBJ_192.168.2.0_29
 subnet 192.168.2.0 255.255.255.248
object network CiscoVPNClient_nat
 subnet 192.168.17.0 255.255.255.0
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service RDP tcp
 description RDP
 port-object eq 3389
object-group network OFFICE_ALL_VLANS
 network-object 192.168.11.0 255.255.255.0
 network-object 192.168.10.0 255.255.255.0
 network-object 192.168.33.0 255.255.255.0
 network-object 192.168.44.0 255.255.255.0
 network-object 192.168.55.0 255.255.255.0
 network-object 192.168.22.0 255.255.255.0
object-group network subnet-17
 network-object 192.168.17.0 255.255.255.0
object-group network subnet-2
 network-object 192.168.2.0 255.255.255.0
object-group network subnet-9
 network-object 192.168.9.0 255.255.255.0
object-group network subnet-10
 network-object 192.168.10.0 255.255.255.0
access-list CiscoVPNClient_splitTunnelAcl extended permit ip object-group subnet-17 object-group subnet-2
access-list CiscoVPNClient_splitTunnelAcl extended permit ip object-group subnet-2 object-group subnet-2
access-list CiscoVPNClient_splitTunnelAcl extended permit ip object-group subnet-2 object-group subnet-17
access-list WAN_access_in extended permit ip any any log debugging
access-list WAN_access_in extended permit tcp any object-group RDP any object-group RDP log debugging
access-list WAN_access_in extended permit icmp a3.a3.a3.a3 255.255.255.248 192.168.10.0 255.255.255.0
access-list MANAGEMENT_access_in extended permit ip any any log debugging
access-list OLD-PRIVATE_access_in extended permit ip any any log debugging
access-list OLD-PRIVATE_access_in extended permit icmp any object-group OFFICE_ALL_VLANS
access-list WAN_1_cryptomap extended permit ip 192.168.17.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list WAN_1_cryptomap extended permit ip 192.168.17.0 255.255.255.0 192.168.11.0 255.255.255.0
access-list WAN_1_cryptomap extended permit ip 192.168.17.0 255.255.255.0 192.168.22.0 255.255.255.0
access-list WAN_1_cryptomap extended permit ip 192.168.17.0 255.255.255.0 192.168.33.0 255.255.255.0
access-list WAN_1_cryptomap extended permit ip 192.168.17.0 255.255.255.0 192.168.44.0 255.255.255.0
access-list WAN_1_cryptomap extended permit ip 192.168.17.0 255.255.255.0 192.168.55.0 255.255.255.0
access-list WAN_cryptomap_2 extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
pager lines 24
mtu WAN 1500
mtu OLD-Private 1500
mtu Management 1500
ip local pool VPN_Admin_IP 192.168.1.150-192.168.1.199 mask 255.255.255.0
ip local pool vpnclient 192.168.2.1-192.168.2.5 mask 255.255.255.0
failover
failover lan unit primary
failover lan interface failover Vlan100
failover polltime interface 15 holdtime 75
failover key *****
failover interface ip failover 192.168.100.1 255.255.255.0 standby 192.168.100.2
asdm image disk0:/asdm-647.bin
no asdm history enable
arp timeout 14400
nat (OLD-Private,WAN) source static subnet-17 subnet-17 destination static OFFICE_ALL_VLANS OFFICE_ALL_VLANS no-proxy-arp
nat (OLD-Private,WAN) source static obj-192.168.17.0 obj-192.168.17.0 destination static obj-192.168.2.0 obj-192.168.2.0
access-group WAN_access_in in interface WAN
access-group OLD-PRIVATE_access_in in interface OLD-Private
access-group MANAGEMENT_access_in in interface Management
route WAN 0.0.0.0 0.0.0.0 a2.a2.a2.a2 1
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa local authentication attempts max-fail 10
http server enable
http a.a.a.a 255.255.255.255 WAN
http 0.0.0.0 0.0.0.0 WAN
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
service resetoutside
crypto ipsec ikev1 transform-set OFFICE esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Office 2 match address WAN_1_cryptomap
crypto map Office 2 set peer b.b.b.b
crypto map Office 2 set ikev1 transform-set OFFICE
crypto map Office 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Office interface WAN
crypto ikev1 enable WAN
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
management-access OLD-Private
dhcpd auto_config OLD-Private
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 129.6.15.28 source WAN prefer
webvpn
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev1 ssl-client ssl-clientless
group-policy GroupPolicy_b.b.b.b internal
group-policy GroupPolicy_b.b.b.b attributes
 vpn-tunnel-protocol ikev1
group-policy CiscoVPNClient internal
group-policy CiscoVPNClient attributes
 wins-server value 192.168.17.80 192.168.10.10
 dns-server value 208.67.222.222 156.154.70.1
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list none
 default-domain value domain
username admin password XHrDm53Lyz1aEtAN encrypted privilege 15
tunnel-group CiscoVPNClient type remote-access
tunnel-group CiscoVPNClient general-attributes
 address-pool vpnclient
 default-group-policy CiscoVPNClient
tunnel-group CiscoVPNClient ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group b.b.b.b type ipsec-l2l
tunnel-group b.b.b.b general-attributes
 default-group-policy GroupPolicy_b.b.b.b
tunnel-group b.b.b.b ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!

------------------------------------------------------------------------------------------------------------------------------------------------------------

Result of the command: "show crypto ipsec sa"

interface: WAN
    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: a.a.a.a

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.2.1/255.255.255.255/0/0)
      current_peer: c.c.c.c, username: admin
      dynamic allocated peer ip: 192.168.2.1

      #pkts encaps: 751, #pkts encrypt: 751, #pkts digest: 751
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 751, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: a.a.a.a/0, remote crypto endpt.: c.c.c.c/0
      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: 5D3CD2FC
      current inbound spi : 85561A07

    inbound esp sas:
      spi: 0x85561A07 (2237012487)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={RA, Tunnel, }
         slot: 0, conn_id: 1044480, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
         sa timing: remaining key lifetime (sec): 25045
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0x5D3CD2FC (1564267260)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={RA, Tunnel, }
         slot: 0, conn_id: 1044480, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
         sa timing: remaining key lifetime (sec): 25045
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

[Attachment: Capture.JPG]

Thanks,

Nick
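The post-8.3 question the thread turns on is whether return traffic from the inside network to the VPN pool is covered by an identity (twice) NAT rule, so that the ASA does not translate it, and whether the split-tunnel settings actually reference a network list. The following is an added example, not code from the post, from Cisco or from any of the repliers: a small Python checker that parses the subset of ASA syntax needed for those two checks. SAMPLE_CONFIG is a constructed excerpt of the configuration above (the object, pool, nat and group-policy lines as posted, unrelated lines omitted), and the function names, the parsed syntax subset and the single-space sub-command indentation are assumptions of this example.

```python
"""Check ASA 8.3+ NAT exemption and split-tunnel settings for remote-access VPN pools.

Added example, not from the original post. Parses the post-8.3 twice-NAT
syntax and reports, per `ip local pool`, which source interfaces have an
identity NAT rule whose destination object covers every pool address.
"""
import ipaddress
import re

# Constructed sample input: an excerpt of the configuration in the post above
# (object names, addresses, pools and NAT rules as posted; other lines omitted).
SAMPLE_CONFIG = """\
object network obj-192.168.17.0
 subnet 192.168.17.0 255.255.255.0
object network obj-192.168.2.0
 subnet 192.168.2.0 255.255.255.0
object-group network subnet-17
 network-object 192.168.17.0 255.255.255.0
object-group network OFFICE_ALL_VLANS
 network-object 192.168.11.0 255.255.255.0
 network-object 192.168.10.0 255.255.255.0
ip local pool VPN_Admin_IP 192.168.1.150-192.168.1.199 mask 255.255.255.0
ip local pool vpnclient 192.168.2.1-192.168.2.5 mask 255.255.255.0
nat (OLD-Private,WAN) source static subnet-17 subnet-17 destination static OFFICE_ALL_VLANS OFFICE_ALL_VLANS no-proxy-arp
nat (OLD-Private,WAN) source static obj-192.168.17.0 obj-192.168.17.0 destination static obj-192.168.2.0 obj-192.168.2.0
group-policy CiscoVPNClient attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list none
"""

POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+) mask (\S+)$")
NAT_RE = re.compile(r"^nat \((\S+),(\S+)\) source static (\S+) (\S+) destination static (\S+) (\S+)")
MEMBER_RE = re.compile(r"^(?:subnet|network-object) (host )?(\S+)(?: (\S+))?$")
SPLIT_RE = re.compile(r"^(split-tunnel-policy|split-tunnel-network-list) (?:value )?(\S+)$")


def parse_config(text):
    """Parse only the syntax the checks need; sub-commands may be indented or flush-left."""
    objects, pools, nat_rules, policies = {}, {}, [], {}
    ctx = None  # ("object", name) or ("policy", name) while inside a sub-mode
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = re.match(r"^object(?:-group)? network (\S+)$", line)
        if m:
            ctx = ("object", m.group(1))
            objects.setdefault(m.group(1), [])
            continue
        m = re.match(r"^group-policy (\S+) attributes$", line)
        if m:
            ctx = ("policy", m.group(1))
            policies.setdefault(m.group(1), {})
            continue
        m = POOL_RE.match(line)
        if m:
            pools[m.group(1)] = (ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3)))
            ctx = None
            continue
        m = NAT_RE.match(line)
        if m:
            src_if, dst_if, sr, sm, dr, dm = m.groups()
            nat_rules.append({"src_if": src_if, "dst_if": dst_if, "src_real": sr,
                              "src_mapped": sm, "dst_real": dr, "dst_mapped": dm})
            ctx = None
            continue
        m = MEMBER_RE.match(line)
        if m and ctx and ctx[0] == "object":
            host, addr, mask = m.groups()
            net = f"{addr}/32" if host or mask is None else f"{addr}/{mask}"
            try:
                objects[ctx[1]].append(ipaddress.ip_network(net, strict=False))
            except ValueError:
                pass  # e.g. "network-object object NAME": nested references not handled here
            continue
        m = SPLIT_RE.match(line)
        if m and ctx and ctx[0] == "policy":
            policies[ctx[1]][m.group(1)] = m.group(2)
            continue
        if not raw[:1].isspace() and not line.startswith("description"):
            ctx = None  # any other top-level command ends the current sub-mode
    return {"objects": objects, "pools": pools, "nat_rules": nat_rules, "policies": policies}


def pool_addresses(pool):
    """Expand a (start, end) pool tuple into its individual addresses."""
    start, end = pool
    return [ipaddress.ip_address(i) for i in range(int(start), int(end) + 1)]


def exempting_interfaces(parsed, pool_name):
    """Source interfaces whose identity NAT rule leaves traffic to every pool address untranslated."""
    addrs = pool_addresses(parsed["pools"][pool_name])
    found = []
    for rule in parsed["nat_rules"]:
        identity = rule["src_real"] == rule["src_mapped"] and rule["dst_real"] == rule["dst_mapped"]
        nets = parsed["objects"].get(rule["dst_real"], [])
        if identity and all(any(a in n for n in nets) for a in addrs):
            found.append(rule["src_if"])
    return found


def check_pool_exemptions(parsed):
    """Map each VPN pool to the interfaces with a covering NAT exemption ([] means none)."""
    return {name: exempting_interfaces(parsed, name) for name in parsed["pools"]}


def check_split_tunnel(parsed):
    """Group-policies that select tunnelspecified/excludespecified but reference no network list."""
    findings = {}
    for name, attrs in parsed["policies"].items():
        policy = attrs.get("split-tunnel-policy")
        acl = attrs.get("split-tunnel-network-list", "none")
        if policy in ("tunnelspecified", "excludespecified") and acl == "none":
            findings[name] = f"split-tunnel-policy {policy} with split-tunnel-network-list none"
    return findings


if __name__ == "__main__":
    parsed = parse_config(SAMPLE_CONFIG)
    for pool, ifaces in check_pool_exemptions(parsed).items():
        print(f"pool {pool}: NAT exemption from {ifaces or 'NO interface'}")
    for policy, problem in check_split_tunnel(parsed).items():
        print(f"group-policy {policy}: {problem}")
```

Run against the posted excerpt, the checker reports the vpnclient pool as exempted from OLD-Private by the second nat line, and the posted config contains no dynamic NAT rule for that pool to collide with, which is consistent with the replies treating this as a routing rather than a NAT problem. It also reports that the CiscoVPNClient group-policy selects tunnelspecified while its network list is none, so the CiscoVPNClient_splitTunnelAcl defined in the config is never applied to the client. The VPN_Admin_IP pool is reported with no exemption at all; that only matters once a dynamic NAT rule exists on the path, but it is the kind of gap worth catching before one is added.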

23 Replies

It looks like good packet-tracer output.

You do have a default gateway on the Dell 2848 and it is pointing to 192.168.17.2, please confirm?

No, the Dell switch is connected to another router and has a public IP.

If the Dell2848 is connected to another router, where is the ASA FW connected to? I assume it is to the Dell2848.

So apparently the Dell2848 is connected to the ASA FW and to another router, correct? If so, there must be a default gateway or default route on the Dell2848 pointing somewhere? What would that IP address be?

thanks

In my environment the 2x ASAs are spare channels for internet (for VLAN) and the VPN gateway for remote management. The Dell has another router as its gateway.

I've tried to add a route on the remote PC:

route add 192.168.2.0 MASK 255.255.255.0 192.168.17.2 - no changes

route add 192.168.2.0 MASK 255.255.255.0 192.168.17.110 - no changes

You are avoiding answering my questions.

Is the ASA connected to the Dell2848? If so, can you add a static route on the Dell2848 as shown below.

ip route 192.168.2.0 255.255.255.0 192.168.17.2

FYI... I know nothing about the Dell2848.

"I've tried to add route to remote PC:"

Well, by default a PC will send all of its unknown traffic to its default gateway. I believe the PC's default gateway address is located on the Dell2848, correct?

The issue is routing; it is obvious from the packet-tracer output, as it shows the packet passing through every stage on the ASA.

The ASA is connected to the Dell. This Dell switch is a simple Layer 2 switch. There is no way to add

ip route 192.168.2.0 255.255.255.0 192.168.17.2

The PC has 2 LANs: one for the public network, another for the local one. The local LAN has gateway 192.168.17.2.

I agree that traffic can get from 192.168.2.1 to 192.168.17.110, but there is no reverse traffic. Any chance to trace packets for the reverse traffic, from 192.168.17.110 to 192.168.2.1?

I understand you cannot add a static route on a Layer 2 switch.

"One for public network, another for local. Local LAN has gateway 192.168.17.2"

On the public network NIC, what default gateway address do you have?

FYI...

You cannot have dual default gateways on a PC; a Windows box will warn you when you try to add a second default gateway.

Either remove the default gateway from the "public network NIC" on the PC and try it,

or temporarily disable the NIC on the "public network" and test it, as this is the only way you can get this resolved.

"Any chance to trace packets for reverse traffic: from 192.168.17.110 to 192.168.2.1?" Please try it, it should pass.

packet-tracer input OLD-PRIVATE icmp 192.168.17.110 8 0 192.168.2.1

thanks

Rizwan Rafeek

I didn't hear from you, so I hope you resolved the problem already.

thanks

Hi Rizwan,

Sorry for the delay in responding. I'm trying another way. The IOS has been downgraded and the old configuration restored. Only one problem is left: on the other side there is a 2911 instead of an 877W. So first I have to complete the site-to-site VPN.

Thanks,

Nick
