Broken VPN/Pool not NATed

Daniel Davidson
Level 1

I have done something to my VPN to break it and I cannot figure out what it was.  I am using a design similar to:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805734ae.shtml

so I followed it closely.  Now I can connect to the VPN, but I cannot access public addresses from there.  My configuration follows below.  Any suggestions?  I am out of things to try.

Dan

: Saved
:
ASA Version 8.2(1)
!
hostname ciscoasa
enable password
passwd
names
!
interface Ethernet0/0
nameif igbpublic
security-level 0
ip address a.b.c.42 255.255.252.0
!
interface Ethernet0/1
nameif igbprivate
security-level 100
ip address 172.16.16.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
same-security-traffic permit intra-interface

access-list 101 extended permit ip 172.16.16.0 255.255.255.0 172.16.17.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu igbpublic 1500
mtu igbprivate 1500
ip local pool IGBVPNPOOL 172.16.17.20-172.16.17.254 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo-reply igbpublic
icmp permit any echo igbpublic
icmp permit any time-exceeded igbpublic
icmp permit any unreachable igbpublic
icmp permit any igbpublic
icmp permit any echo-reply igbprivate
icmp permit any echo igbprivate
icmp permit any time-exceeded igbprivate
icmp permit any unreachable igbprivate
no asdm history enable
arp timeout 14400
nat-control
global (igbpublic) 1 interface
nat (igbpublic) 1 172.16.17.0 255.255.255.0

nat (igbprivate) 0 access-list 101
nat (igbprivate) 1 0.0.0.0 0.0.0.0
route igbpublic 0.0.0.0 0.0.0.0 a.b.c.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server IGBRADIUS protocol radius
aaa-server IGBRADIUS (igbpublic) host 128.174.124.107
key igbvpn
authentication-port 1812
accounting-port 1813
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set GENVPNTRANS esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map RMT-DYNA-MAP-1 10 set transform-set GENVPNTRANS
crypto map RMT-USER-MAP-1 10 ipsec-isakmp dynamic RMT-DYNA-MAP-1
crypto map RMT-USER-MAP-1 interface igbpublic
crypto isakmp enable igbpublic
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
client-update enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns a.b.c.16 a.b.c.17
dhcpd domain bob.edu
dhcpd option 3 ip 172.16.16.1
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
dhcpd address 172.16.16.2-172.16.16.254 igbprivate
dhcpd enable igbprivate
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy (IGBVPN) internal
group-policy (IGBVPN) attributes
dns-server value a.b.c.16 a.b.c.17
vpn-idle-timeout 600
split-tunnel-policy tunnelall
default-domain value igb.illinois.edu
tunnel-group (IGBVPN) type remote-access
tunnel-group (IGBVPN) general-attributes
address-pool IGBVPNPOOL
authentication-server-group IGBRADIUS
default-group-policy (IGBVPN)
tunnel-group (IGBVPN) ipsec-attributes
pre-shared-key *
isakmp keepalive threshold 30 retry 10
!
class-map inpection_default
class-map instpection_defalut
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:7d73f803f9d9f1c5dcccb79091db8c97
: end

7 Replies

Daniel,

If I understand, you're trying to connect to the ASA via VPN client and get out to the Internet via the tunnel, correct?
If so, all you need is to check that the tunnel establishes correctly: ''sh cry isa sa''
Also, check that packets are going through the tunnel: ''sh cry ips sa''

To reroute traffic back out to the Internet you need:
same-security-traffic permit intra-interface
nat (outside) 1 VPN_pool
global (outside) 1 interface

It seems that all of the above is working, so my question is:

Do you see traffic being encrypted/decrypted when sending packets through the tunnel? ''sh cry ips sa''
Do you see the translation being built for the VPN pool IP of your client when going to the Internet? ''sh xlate''

Federico.
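
As an added check of the three requirements Federico lists above (this is not code from the thread or from Cisco), the script below parses the 8.2-style pool, nat and global statements from a constructed config fragment built out of the lines Dan posted and reports which hairpin piece is missing; interface and pool names are taken from that post.

```python
import ipaddress
import re

# Constructed sample: the hairpin-related lines from the config posted in the thread.
SAMPLE_CFG = """
same-security-traffic permit intra-interface
ip local pool IGBVPNPOOL 172.16.17.20-172.16.17.254 mask 255.255.255.0
nat-control
global (igbpublic) 1 interface
nat (igbpublic) 1 172.16.17.0 255.255.255.0
nat (igbprivate) 0 access-list 101
nat (igbprivate) 1 0.0.0.0 0.0.0.0
"""

def parse_cfg(text):
    """Collect the pool, nat and global statements relevant to VPN hairpinning."""
    cfg = {"intra": False, "pools": [], "globals": {}, "nats": []}
    for line in text.splitlines():
        line = line.strip()
        if line == "same-security-traffic permit intra-interface":
            cfg["intra"] = True
        elif (m := re.match(r"ip local pool (\S+) (\S+)-\S+ mask (\S+)$", line)):
            cfg["pools"].append((m[1], ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False)))
        elif (m := re.match(r"global \((\S+)\) (\d+) (\S+)$", line)):
            cfg["globals"][(m[1], int(m[2]))] = m[3]  # (iface, nat id) -> 'interface' or pool
        elif (m := re.match(r"nat \((\S+)\) (\d+) (\d[\d.]*) (\d[\d.]*)$", line)):
            # Only dynamic nat with net/mask; 'nat (x) 0 access-list N' exemptions are skipped
            cfg["nats"].append((m[1], int(m[2]), ipaddress.ip_network(f"{m[3]}/{m[4]}", strict=False)))
    return cfg

def check_hairpin(cfg, outside):
    """Return findings for each VPN pool that could not be hairpinned back out of `outside`."""
    findings = []
    if not cfg["intra"]:
        findings.append("missing 'same-security-traffic permit intra-interface'")
    for name, pool in cfg["pools"]:
        # A nat rule (id > 0) bound to the outside interface whose network covers the pool
        rules = [(i, n) for (iface, i, n) in cfg["nats"] if iface == outside and i > 0 and pool.subnet_of(n)]
        if not rules:
            findings.append(f"pool {name}: no 'nat ({outside}) <id> ...' statement covers {pool}")
        for nat_id, _ in rules:
            if (outside, nat_id) not in cfg["globals"]:
                findings.append(f"pool {name}: nat id {nat_id} has no matching 'global ({outside}) {nat_id}'")
    return findings

if __name__ == "__main__":
    for f in check_hairpin(parse_cfg(SAMPLE_CFG), "igbpublic") or ["hairpin NAT pieces all present"]:
        print(f)
```

On the posted config it reports nothing missing, which matches Federico's reading that the hairpin statements are all there.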

Yes, that is correct, I am connecting to the ASA via a VPN client, then allowing users to connect to the Internet through the tunnel.

ciscoasa# sh cry ips sa

......

local crypto endpt.: a.b.c.42, remote crypto endpt.: 75.205.12.128

........

Looks like the tunnel is established

The only problem about sending traffic through the tunnel is that right now, I have no targets to send it to.  But:

ciscoasa# sh cry ips sa
interface: igbpublic
    Crypto map tag: RMT-DYNA-MAP-1, seq num: 10, local addr: a.b.c.42

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (172.16.17.20/255.255.255.255/0/0)
      current_peer: 75.205.12.128, username: danield
      dynamic allocated peer ip: 172.16.17.20

      #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: a.b.c.42, remote crypto endpt.: 75.205.12.128

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 3B6592FC

    inbound esp sas:
      spi: 0x43720D5D (1131547997)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={RA, Tunnel, }
         slot: 0, conn_id: 98304, crypto-map: RMT-DYNA-MAP-1
         sa timing: remaining key lifetime (sec): 23910
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0x3B6592FC (996512508)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={RA, Tunnel, }
         slot: 0, conn_id: 98304, crypto-map: RMT-DYNA-MAP-1
         sa timing: remaining key lifetime (sec): 23910
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

Well... this is kind of weird because it seems the ASA is sending traffic through the tunnel back to you, but you're not replying to the ASA.

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (172.16.17.20/255.255.255.255/0/0)
      current_peer: 75.205.12.128, username: danield
      dynamic allocated peer ip: 172.16.17.20

      #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

I would suggest the following...

1. Clear the tunnel:

clear cry isa sa

clear cry ips sa

2. Bring up the tunnel again by sending traffic through the Internet.

You should see the tunnel established and please post the output from ''sh cry ips sa'' once again.

Federico.
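
As an added example (not code from the thread or from Cisco), a small parser that pulls the per-peer counters out of ''sh cry ips sa'' output and states the traffic direction the way Federico reads it above; the sample is constructed from the counter section of the output Dan posted.

```python
import re

# Constructed sample: the counter section of the 'sh cry ips sa' output posted above.
SAMPLE_SA = """
interface: igbpublic
    Crypto map tag: RMT-DYNA-MAP-1, seq num: 10, local addr: a.b.c.42

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (172.16.17.20/255.255.255.255/0/0)
      current_peer: 75.205.12.128, username: danield
      dynamic allocated peer ip: 172.16.17.20

      #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #send errors: 0, #recv errors: 0
"""

def parse_ipsec_sas(text):
    """Split 'show crypto ipsec sa' output into one record per crypto-map entry."""
    sas = []
    for block in re.split(r"(?m)(?=^[ \t]*Crypto map tag:)", text)[1:]:
        def grab(pattern, cast=str):
            m = re.search(pattern, block)
            return cast(m[1]) if m else None
        sas.append({
            "peer": grab(r"current_peer: (\S+),"),
            "user": grab(r"username: (\S+)"),
            "client_ip": grab(r"dynamic allocated peer ip: (\S+)"),
            "encaps": grab(r"#pkts encaps: (\d+)", int),   # packets the ASA encrypted toward the peer
            "decaps": grab(r"#pkts decaps: (\d+)", int),   # packets the ASA decrypted from the peer
            "send_err": grab(r"#send errors: (\d+)", int),
            "recv_err": grab(r"#recv errors: (\d+)", int),
        })
    return sas

def classify(sa):
    """Describe the traffic direction from the encaps/decaps counters."""
    if sa["encaps"] == 0 and sa["decaps"] == 0:
        return "idle: tunnel up but nothing has crossed it yet"
    if sa["decaps"] == 0:
        return "one-way: ASA encrypts toward the client, nothing decrypted from it"
    if sa["encaps"] == 0:
        return "one-way: client traffic decrypted, ASA sends nothing back"
    return "bidirectional"

if __name__ == "__main__":
    for sa in parse_ipsec_sas(SAMPLE_SA):
        print(sa["user"], sa["client_ip"], sa["peer"], classify(sa))
```

Re-running it after the clear (all counters 0) gives the idle verdict, which is the second output Dan posted.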

Hmm, doesn't look too much different.

ciscoasa# clear cry isa sa
ciscoasa# clear ips sa
ciscoasa# sh cry ips sa
interface: igbpublic
    Crypto map tag: RMT-DYNA-MAP-1, seq num: 10, local addr: a.b.c.42

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (172.16.17.20/255.255.255.255/0/0)
      current_peer: 75.205.12.128, username: danield
      dynamic allocated peer ip: 172.16.17.20

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: a.b.c.42, remote crypto endpt.: 75.205.12.128

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 78D584E2

    inbound esp sas:
      spi: 0xCBB9B456 (3417945174)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={RA, Tunnel, }
         slot: 0, conn_id: 102400, crypto-map: RMT-DYNA-MAP-1
         sa timing: remaining key lifetime (sec): 28783
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0x78D584E2 (2027259106)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={RA, Tunnel, }
         slot: 0, conn_id: 102400, crypto-map: RMT-DYNA-MAP-1
         sa timing: remaining key lifetime (sec): 28783
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

I'm still trying to get this working.  One thing I noticed today is that I can still ping the public interface once I start my connection.  My routes are below.

If I do a packet trace on the ASDM, it shows the traffic being dropped at NAT by rule.

ciscoasa# show route    

Gateway of last resort is a.b.c.1 to network 0.0.0.0

C    172.16.16.0 255.255.255.0 is directly connected, igbprivate
S    172.16.17.20 255.255.255.255 [1/0] via 128.174.124.1, igbpublic
C    a.b.c.0 255.255.252.0 is directly connected, igbpublic
C    192.168.1.0 255.255.255.0 is directly connected, management
S*   0.0.0.0 0.0.0.0 [1/0] via a.b.c.1, igbpublic

Hello,

Please configure the following access-list line:

access-list 101 extended permit ip any 172.16.17.0 255.255.255.0

That should fix the issue.

Regards,

NT

That still does not have me working.  The end system receives its DNS servers, IP address and everything.  It detects its gateway as 172.16.17.1, which doesn't exist anywhere.  Is that correct?

Dan