03-07-2012 05:43 PM
Hi guys,
I'm trying to set up VPN client access for an ASA5505. It's almost done, but I'm confused by the new NAT rules from v8.3.
The VPN client is able to connect, but there is no traffic after that.
Client IP: 192.168.2.1-192.168.2.5
Local net: 192.168.17.0/24
Remote VPN Site-to-Site network: 192.168.10.0/24 - I'd like to have access to it after the VPN client connects
Here is the current config:
: Saved
:
ASA Version 8.4(3)
!
hostname host
domain-name domain
enable password password encrypted
passwd password encrypted
names
!
interface Ethernet0/0
!
interface Ethernet0/1
shutdown
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
switchport access vlan 100
!
interface Ethernet0/6
switchport trunk allowed vlan 2,6
switchport mode trunk
!
interface Ethernet0/7
shutdown
!
interface Vlan1
description INTERNET
mac-address 1234.5678.0001
nameif WAN
security-level 0
ip address a.a.a.a 255.255.255.248 standby a1.a1.a1.a1
ospf cost 10
!
interface Vlan2
description OLD-PRIVATE
mac-address 1234.5678.0102
nameif OLD-Private
security-level 100
ip address 192.168.17.2 255.255.255.0 standby 192.168.17.3
ospf cost 10
!
interface Vlan6
description MANAGEMENT
mac-address 1234.5678.0106
nameif Management
security-level 100
ip address 192.168.1.2 255.255.255.0 standby 192.168.1.3
ospf cost 10
!
interface Vlan100
description LAN Failover Interface
!
boot system disk0:/asa843-k8.bin
ftp mode passive
clock timezone NZST 12
clock summer-time NZDT recurring 1 Sun Oct 2:00 3 Sun Mar 2:00
dns domain-lookup WAN
dns server-group DefaultDNS
name-server 208.67.222.222
name-server 156.154.70.1
domain-name domain
same-security-traffic permit intra-interface
object network obj-192.168.17.0
subnet 192.168.17.0 255.255.255.0
object network obj-192.168.10.0
subnet 192.168.10.0 255.255.255.0
object network obj-192.168.2.0
subnet 192.168.2.0 255.255.255.0
object network obj-192.168.9.0
subnet 192.168.9.0 255.255.255.0
object network obj-192.168.33.0
subnet 192.168.33.0 255.255.255.0
object network obj-192.168.44.0
subnet 192.168.44.0 255.255.255.0
object network obj_any
object network obj_any-01
object network NETWORK_OBJ_192.168.10.0_24
subnet 192.168.10.0 255.255.255.0
object network NETWORK_OBJ_192.168.17.0_24
subnet 192.168.17.0 255.255.255.0
object network NETWORK_OBJ_192.168.2.0_29
subnet 192.168.2.0 255.255.255.248
object network CiscoVPNClient_nat
subnet 192.168.17.0 255.255.255.0
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service RDP tcp
description RDP
port-object eq 3389
object-group network OFFICE_ALL_VLANS
network-object 192.168.11.0 255.255.255.0
network-object 192.168.10.0 255.255.255.0
network-object 192.168.33.0 255.255.255.0
network-object 192.168.44.0 255.255.255.0
network-object 192.168.55.0 255.255.255.0
network-object 192.168.22.0 255.255.255.0
object-group network subnet-17
network-object 192.168.17.0 255.255.255.0
object-group network subnet-2
network-object 192.168.2.0 255.255.255.0
object-group network subnet-9
network-object 192.168.9.0 255.255.255.0
object-group network subnet-10
network-object 192.168.10.0 255.255.255.0
access-list CiscoVPNClient_splitTunnelAcl extended permit ip object-group subnet-17 object-group subnet-2
access-list CiscoVPNClient_splitTunnelAcl extended permit ip object-group subnet-2 object-group subnet-2
access-list CiscoVPNClient_splitTunnelAcl extended permit ip object-group subnet-2 object-group subnet-17
access-list WAN_access_in extended permit ip any any log debugging
access-list WAN_access_in extended permit tcp any object-group RDP any object-group RDP log debugging
access-list WAN_access_in extended permit icmp a3.a3.a3.a3 255.255.255.248 192.168.10.0 255.255.255.0
access-list MANAGEMENT_access_in extended permit ip any any log debugging
access-list OLD-PRIVATE_access_in extended permit ip any any log debugging
access-list OLD-PRIVATE_access_in extended permit icmp any object-group OFFICE_ALL_VLANS
access-list WAN_1_cryptomap extended permit ip 192.168.17.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list WAN_1_cryptomap extended permit ip 192.168.17.0 255.255.255.0 192.168.11.0 255.255.255.0
access-list WAN_1_cryptomap extended permit ip 192.168.17.0 255.255.255.0 192.168.22.0 255.255.255.0
access-list WAN_1_cryptomap extended permit ip 192.168.17.0 255.255.255.0 192.168.33.0 255.255.255.0
access-list WAN_1_cryptomap extended permit ip 192.168.17.0 255.255.255.0 192.168.44.0 255.255.255.0
access-list WAN_1_cryptomap extended permit ip 192.168.17.0 255.255.255.0 192.168.55.0 255.255.255.0
access-list WAN_cryptomap_2 extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
pager lines 24
mtu WAN 1500
mtu OLD-Private 1500
mtu Management 1500
ip local pool VPN_Admin_IP 192.168.1.150-192.168.1.199 mask 255.255.255.0
ip local pool vpnclient 192.168.2.1-192.168.2.5 mask 255.255.255.0
failover
failover lan unit primary
failover lan interface failover Vlan100
failover polltime interface 15 holdtime 75
failover key *****
failover interface ip failover 192.168.100.1 255.255.255.0 standby 192.168.100.2
asdm image disk0:/asdm-647.bin
no asdm history enable
arp timeout 14400
nat (OLD-Private,WAN) source static subnet-17 subnet-17 destination static OFFICE_ALL_VLANS OFFICE_ALL_VLANS no-proxy-arp
nat (OLD-Private,WAN) source static obj-192.168.17.0 obj-192.168.17.0 destination static obj-192.168.2.0 obj-192.168.2.0
access-group WAN_access_in in interface WAN
access-group OLD-PRIVATE_access_in in interface OLD-Private
access-group MANAGEMENT_access_in in interface Management
route WAN 0.0.0.0 0.0.0.0 a2.a2.a2.a2 1
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa local authentication attempts max-fail 10
http server enable
http a.a.a.a 255.255.255.255 WAN
http 0.0.0.0 0.0.0.0 WAN
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
service resetoutside
crypto ipsec ikev1 transform-set OFFICE esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Office 2 match address WAN_1_cryptomap
crypto map Office 2 set peer b.b.b.b
crypto map Office 2 set ikev1 transform-set OFFICE
crypto map Office 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Office interface WAN
crypto ikev1 enable WAN
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
management-access OLD-Private
dhcpd auto_config OLD-Private
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 129.6.15.28 source WAN prefer
webvpn
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 ssl-client ssl-clientless
group-policy GroupPolicy_b.b.b.b internal
group-policy GroupPolicy_b.b.b.b attributes
vpn-tunnel-protocol ikev1
group-policy CiscoVPNClient internal
group-policy CiscoVPNClient attributes
wins-server value 192.168.17.80 192.168.10.10
dns-server value 208.67.222.222 156.154.70.1
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list none
default-domain value domain
username admin password XHrDm53Lyz1aEtAN encrypted privilege 15
tunnel-group CiscoVPNClient type remote-access
tunnel-group CiscoVPNClient general-attributes
address-pool vpnclient
default-group-policy CiscoVPNClient
tunnel-group CiscoVPNClient ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group b.b.b.b type ipsec-l2l
tunnel-group b.b.b.b general-attributes
default-group-policy GroupPolicy_b.b.b.b
tunnel-group b.b.b.b ipsec-attributes
ikev1 pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
------------------------------------------------------------------------------------------------------------------------------------------------------------
Result of the command: "show crypto ipsec sa"
interface: WAN
Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: a.a.a.a
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.2.1/255.255.255.255/0/0)
current_peer: c.c.c.c, username: admin
dynamic allocated peer ip: 192.168.2.1
#pkts encaps: 751, #pkts encrypt: 751, #pkts digest: 751
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 751, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: a.a.a.a/0, remote crypto endpt.: c.c.c.c/0
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: 5D3CD2FC
current inbound spi : 85561A07
inbound esp sas:
spi: 0x85561A07 (2237012487)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 1044480, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 25045
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0x5D3CD2FC (1564267260)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 1044480, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 25045
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Thanks,
Nick
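Since 8.3 the old "nat 0 access-list" exemption is written as a twice-NAT rule whose real and mapped objects are identical, and inside hosts can only answer VPN clients untranslated if such a rule on the inside interface names the pool addresses as the destination. The following is an added example, not code from this thread or from Cisco: it parses the object, object-group, pool and nat lines copied from the configuration above (embedded as a constructed excerpt) and reports any pool address that no identity rule on OLD-Private covers. On the posted configuration the second nat line covers the whole pool, so the check reports no gaps.

```python
"""Verify that an ASA 8.3+ config carries an identity twice-NAT rule covering a VPN pool.

Added example, not from the thread. The excerpt below is constructed from the
configuration posted above; interface and object names are taken from it.
"""
import ipaddress
import re

CONFIG = """\
object network obj-192.168.17.0
 subnet 192.168.17.0 255.255.255.0
object network obj-192.168.2.0
 subnet 192.168.2.0 255.255.255.0
object-group network subnet-17
 network-object 192.168.17.0 255.255.255.0
object-group network OFFICE_ALL_VLANS
 network-object 192.168.11.0 255.255.255.0
 network-object 192.168.10.0 255.255.255.0
ip local pool vpnclient 192.168.2.1-192.168.2.5 mask 255.255.255.0
nat (OLD-Private,WAN) source static subnet-17 subnet-17 destination static OFFICE_ALL_VLANS OFFICE_ALL_VLANS no-proxy-arp
nat (OLD-Private,WAN) source static obj-192.168.17.0 obj-192.168.17.0 destination static obj-192.168.2.0 obj-192.168.2.0
"""

OBJ_HEAD = re.compile(r"^object(?:-group)? network (\S+)$")
OBJ_MEMBER = re.compile(r"^(?:subnet|network-object) (\S+) (\S+)$")
POOL = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)")
TWICE_NAT = re.compile(
    r"^nat \((?P<src_if>[^,]+),(?P<dst_if>[^)]+)\) source static "
    r"(?P<real_src>\S+) (?P<mapped_src>\S+) destination static "
    r"(?P<real_dst>\S+) (?P<mapped_dst>\S+)")


def parse_config(text):
    """Return ({object name: [networks]}, {pool name: (first, last)}, [nat rule dicts])."""
    objects, pools, nats = {}, {}, []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = OBJ_HEAD.match(line)
        if m:
            current = objects.setdefault(m.group(1), [])
            continue
        m = OBJ_MEMBER.match(line)
        if m and current is not None:
            kind, arg = m.groups()
            if kind == "host":            # network-object host A.B.C.D
                current.append(ipaddress.ip_network(arg))
            elif kind == "object":        # network-object object NAME (defined earlier)
                current.extend(objects.get(arg, []))
            else:                         # subnet / network-object ADDR MASK
                current.append(ipaddress.ip_network(f"{kind}/{arg}"))
            continue
        current = None                    # any other command closes the object block
        m = POOL.match(line)
        if m:
            pools[m.group(1)] = (ipaddress.ip_address(m.group(2)),
                                 ipaddress.ip_address(m.group(3)))
            continue
        m = TWICE_NAT.match(line)
        if m:
            nats.append(m.groupdict())
    return objects, pools, nats


def uncovered_pool_addresses(text, inside_if, inside_net, pool_name):
    """Pool addresses that no identity rule on inside_if exempts for traffic from inside_net."""
    objects, pools, nats = parse_config(text)
    inside = ipaddress.ip_network(inside_net)
    exempt = []
    for n in nats:
        identity = n["real_src"] == n["mapped_src"] and n["real_dst"] == n["mapped_dst"]
        if n["src_if"] != inside_if or not identity:
            continue
        # the rule applies to our inside subnet only if its real source covers it
        if any(inside.subnet_of(s) for s in objects.get(n["real_src"], [])):
            exempt.extend(objects.get(n["real_dst"], []))
    first, last = pools[pool_name]
    missing, addr = [], first
    while addr <= last:
        if not any(addr in net for net in exempt):
            missing.append(str(addr))
        addr += 1
    return missing


if __name__ == "__main__":
    gaps = uncovered_pool_addresses(CONFIG, "OLD-Private", "192.168.17.0/24", "vpnclient")
    print("every pool address is NAT-exempt" if not gaps else f"no exemption for: {gaps}")
```

Run it against a full "show running-config" and pass the real inside interface name; a non-empty result is the case where inside hosts' replies would be translated before reaching the crypto map.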
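The packet counters in the "show crypto ipsec sa" output above are the quickest way to tell a negotiation problem from a return-path problem: a tunnel that never came up has no SA at all, while an SA with traffic in only one direction means the tunnel is fine and the packets are lost before or after it. As an added example (not code from the thread), this script parses those counter lines, embedded below as a constructed excerpt of the posted output, and flags one-directional SAs. On the ASA "#pkts encaps" counts packets it sent into the tunnel and "#pkts decaps" packets it received from the peer.

```python
"""Flag one-directional IPsec SAs in "show crypto ipsec sa" output.

Added example, not from the thread. SAMPLE is a constructed excerpt of the
output posted above; the peer and local addresses are the page's placeholders.
"""
import re

SAMPLE = """\
interface: WAN
Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: a.a.a.a
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.2.1/255.255.255.255/0/0)
current_peer: c.c.c.c, username: admin
dynamic allocated peer ip: 192.168.2.1
#pkts encaps: 751, #pkts encrypt: 751, #pkts digest: 751
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#send errors: 0, #recv errors: 0
"""

COUNTERS = {
    "encaps": re.compile(r"#pkts encaps: (\d+)"),
    "decaps": re.compile(r"#pkts decaps: (\d+)"),
    "send_errors": re.compile(r"#send errors: (\d+)"),
    "recv_errors": re.compile(r"#recv errors: (\d+)"),
}
REMOTE = re.compile(r"^remote ident .*?: \((\S+?)/(\S+?)/")
PEER = re.compile(r"^current_peer: (\S+?),")


def parse_sas(text):
    """One dict per SA; a new SA starts at every 'Crypto map tag:' line."""
    sas, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Crypto map tag:"):
            cur = {"encaps": 0, "decaps": 0, "send_errors": 0, "recv_errors": 0}
            sas.append(cur)
            continue
        if cur is None:
            continue
        m = REMOTE.match(line)
        if m:
            cur["remote"] = f"{m.group(1)}/{m.group(2)}"
        m = PEER.match(line)
        if m:
            cur["peer"] = m.group(1)
        for key, pattern in COUNTERS.items():
            m = pattern.search(line)
            if m:
                cur[key] = int(m.group(1))
    return sas


def one_way_sas(text):
    """(remote ident, encaps, decaps, verdict) for each SA where exactly one direction is zero."""
    findings = []
    for sa in parse_sas(text):
        enc, dec = sa["encaps"], sa["decaps"]
        if (enc == 0) != (dec == 0):
            verdict = ("ASA sends to peer but receives nothing back" if dec == 0
                       else "ASA receives from peer but sends nothing back")
            findings.append((sa.get("remote", "?"), enc, dec, verdict))
    return findings


if __name__ == "__main__":
    for remote, enc, dec, verdict in one_way_sas(SAMPLE):
        print(f"{remote}: encaps={enc} decaps={dec} -> {verdict}")
```

Zero in one direction with zero send/recv errors, as here, points at routing or NAT on the cleartext side rather than at IKE or the transform set.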
03-08-2012 07:56 PM
The packet-tracer output looks good.
You do have a default gateway on the Dell 2848, and it is pointing to 192.168.17.2, please confirm?
03-08-2012 08:03 PM
No, the Dell switch is connected to another router and has a public IP.
03-08-2012 08:14 PM
If the Dell2848 is connected to another router, where is the ASA FW connected to? I assume it is to the Dell2848.
So apparently the Dell2848 is connected to the ASA FW and to another router, correct? If so, there must be a default gateway or default route on the Dell2848 pointing somewhere; what would that IP address be?
thanks
03-08-2012 08:33 PM
In my environment the 2x ASA are spare channels for the internet (for the VLAN) and a VPN gateway for remote management. The Dell has another router as its gateway.
I've tried to add a route on the remote PC:
route add 192.168.2.0 MASK 255.255.255.0 192.168.17.2 - no changes
route add 192.168.2.0 MASK 255.255.255.0 192.168.17.110 - no changes
03-08-2012 08:53 PM
You are avoiding answering my questions.
Is the ASA connected to the Dell2848? If so, can you add a static route on the Dell2848 as shown below.
ip route 192.168.2.0 255.255.255.0 192.168.17.2
FYI, I know nothing about the Dell2848.
"I've tried to add route to remote PC:"
Well, by default a PC will send all its unknown traffic to its default gateway. I believe the PC's default gateway address is located on the Dell2848, correct?
The issue is in routing; it is obvious from the packet-tracer output, as it shows the packet passing through every stage on the ASA.
03-09-2012 12:19 AM
The ASA is connected to the Dell. This Dell switch is a simple Layer 2 switch. There is no way to add
ip route 192.168.2.0 255.255.255.0 192.168.17.2
The PC has 2 LANs: one for the public network, another for the local one. The local LAN has gateway 192.168.17.2.
I agree that traffic can get from 192.168.2.1 to 192.168.17.110, but there is no reverse traffic. Any chance to trace packets for the reverse traffic, from 192.168.17.110 to 192.168.2.1?
03-09-2012 01:57 AM
I understand you cannot add a static route on a Layer 2 switch.
"One for public network, another for local. Local LAN has gateway 192.168.17.2"
On the public network NIC, what default gateway address do you have?
FYI...
You cannot have dual default gateways on a PC; a Windows box will warn you when you try to add a second default gateway.
Either remove the default gateway from the "public network NIC" on the PC and try it,
or temporarily disable the NIC on the "public network" and test it, as this is the only way you can get this resolved.
"Any chance to trace packets for reverse traffic: from 192.168.17.110 to 192.168.2.1?" Please try it, it should pass.
packet-tracer input OLD-PRIVATE icmp 192.168.17.110 8 0 192.168.2.1
thanks
Rizwan Rafeek
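The routing argument in the posts above comes down to the longest-prefix-match lookup the remote PC does for each reply packet: with no route more specific than the default, a reply to 192.168.2.1 leaves through whichever NIC holds the default gateway, so it never reaches 192.168.17.2 and the ASA has nothing to encrypt. The script below is an added example, not code from the thread or from Cisco; it models that lookup over three constructed host routing tables (default route on the public NIC only, a second default gateway on the LAN NIC, and the "route add 192.168.2.0 MASK 255.255.255.0 192.168.17.2" entry Nick mentions). The 192.168.x addresses are from the thread; 203.0.113.0/24 is a documentation prefix standing in for the public segment. It only shows the host's next-hop decision; whether the ASA then forwards the packet is what the reverse packet-tracer above checks.

```python
"""Host route selection for a dual-NIC PC (longest prefix match, then metric).

Added example, not from the thread. Routing tables below are constructed;
203.0.113.0/24 is a placeholder for the PC's public-side segment.
"""
import ipaddress

# (prefix, gateway or None when directly connected, interface, metric)
BASE_ROUTES = [
    ("0.0.0.0/0", "203.0.113.1", "public-nic", 10),
    ("203.0.113.0/24", None, "public-nic", 10),
    ("192.168.17.0/24", None, "lan-nic", 10),
]
# Two default gateways: Windows warns about this, and even where it is
# accepted only the lower-metric default is used, so the LAN one never wins.
DUAL_DEFAULT = BASE_ROUTES + [("0.0.0.0/0", "192.168.17.2", "lan-nic", 20)]
# Equivalent of: route add 192.168.2.0 MASK 255.255.255.0 192.168.17.2
WITH_STATIC = BASE_ROUTES + [("192.168.2.0/24", "192.168.17.2", "lan-nic", 10)]


def lookup(routes, dst):
    """Most specific route for dst, ties broken by lowest metric.
    Returns (prefix, gateway, interface) or None if nothing matches."""
    dst = ipaddress.ip_address(dst)
    best, best_key = None, None
    for prefix, gw, ifname, metric in routes:
        net = ipaddress.ip_network(prefix)
        if dst not in net:
            continue
        key = (-net.prefixlen, metric)      # longer prefix first, then lower metric
        if best_key is None or key < best_key:
            best, best_key = (prefix, gw, ifname), key
    return best


def reply_next_hop(routes, client_ip="192.168.2.1"):
    """Where a reply to the VPN client leaves the host: (gateway, interface)."""
    match = lookup(routes, client_ip)
    if match is None:
        return None
    _prefix, gw, ifname = match
    return (gw or "directly connected", ifname)


def reply_reaches_asa(routes, asa_inside_ip="192.168.17.2", client_ip="192.168.2.1"):
    """True only if the reply is handed to the ASA's inside address, where the
    identity NAT and the crypto map can pick it up."""
    hop = reply_next_hop(routes, client_ip)
    return hop is not None and hop[0] == asa_inside_ip


if __name__ == "__main__":
    tables = (("default only", BASE_ROUTES), ("dual default", DUAL_DEFAULT),
              ("static route", WITH_STATIC))
    for name, table in tables:
        print(f"{name:13s} -> {reply_next_hop(table)}  reaches ASA: {reply_reaches_asa(table)}")
```

The same lookup applied to 192.168.17.110 itself picks the connected 192.168.17.0/24 route, which is why the forward direction in the thread works while the reverse does not.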
03-12-2012 11:19 AM
I didn't hear from you, so I hope you resolved the problem already.
thanks
03-12-2012 03:06 PM
Hi Rizwan,
Sorry for the delay in responding. I'm trying another way. The IOS has been downgraded and the old configuration restored. Only one problem is left: on the other side there is a 2911 instead of an 877W. So first I have to complete the site-to-site VPN.
Thanks,
Nick