08-25-2010 12:32 PM
I have done something to my VPN to break it and I cannot figure out what it was. I am using a design similar to:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805734ae.shtml
so I followed it closely. I can now connect to the VPN, but I cannot access public addresses from there. My configuration follows below. Any suggestions? I am out of things to try.
Dan
: Saved
:
ASA Version 8.2(1)
!
hostname ciscoasa
enable password
passwd
names
!
interface Ethernet0/0
nameif igbpublic
security-level 0
ip address a.b.c.42 255.255.252.0
!
interface Ethernet0/1
nameif igbprivate
security-level 100
ip address 172.16.16.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
same-security-traffic permit intra-interface
access-list 101 extended permit ip 172.16.16.0 255.255.255.0 172.16.17.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu igbpublic 1500
mtu igbprivate 1500
ip local pool IGBVPNPOOL 172.16.17.20-172.16.17.254 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo-reply igbpublic
icmp permit any echo igbpublic
icmp permit any time-exceeded igbpublic
icmp permit any unreachable igbpublic
icmp permit any igbpublic
icmp permit any echo-reply igbprivate
icmp permit any echo igbprivate
icmp permit any time-exceeded igbprivate
icmp permit any unreachable igbprivate
no asdm history enable
arp timeout 14400
nat-control
global (igbpublic) 1 interface
nat (igbpublic) 1 172.16.17.0 255.255.255.0
nat (igbprivate) 0 access-list 101
nat (igbprivate) 1 0.0.0.0 0.0.0.0
route igbpublic 0.0.0.0 0.0.0.0 a.b.c.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server IGBRADIUS protocol radius
aaa-server IGBRADIUS (igbpublic) host 128.174.124.107
key igbvpn
authentication-port 1812
accounting-port 1813
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set GENVPNTRANS esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map RMT-DYNA-MAP-1 10 set transform-set GENVPNTRANS
crypto map RMT-USER-MAP-1 10 ipsec-isakmp dynamic RMT-DYNA-MAP-1
crypto map RMT-USER-MAP-1 interface igbpublic
crypto isakmp enable igbpublic
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
client-update enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns a.b.c.16 a.b.c.17
dhcpd domain bob.edu
dhcpd option 3 ip 172.16.16.1
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
dhcpd address 172.16.16.2-172.16.16.254 igbprivate
dhcpd enable igbprivate
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy (IGBVPN) internal
group-policy (IGBVPN) attributes
dns-server value a.b.c.16 a.b.c.17
vpn-idle-timeout 600
split-tunnel-policy tunnelall
default-domain value igb.illinois.edu
tunnel-group (IGBVPN) type remote-access
tunnel-group (IGBVPN) general-attributes
address-pool IGBVPNPOOL
authentication-server-group IGBRADIUS
default-group-policy (IGBVPN)
tunnel-group (IGBVPN) ipsec-attributes
pre-shared-key *
isakmp keepalive threshold 30 retry 10
!
class-map inpection_default
class-map instpection_defalut
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:7d73f803f9d9f1c5dcccb79091db8c97
: end
08-25-2010 01:32 PM
Daniel,
If I understand correctly, you're trying to connect to the ASA via the VPN client and get out to the Internet via the tunnel, correct?
If so, all you need is to check that the tunnel establishes correctly: ''sh cry isa sa''
Also, check that packets are going through the tunnel: ''sh cry ips sa''
To reroute traffic back out to the Internet you need:
same-security-traffic permit intra-interface
nat (outside) 1 VPN_pool
global (outside) 1 interface
It seems that all of the above is working, so my question is:
Do you see traffic being encrypted/decrypted when sending packets through the tunnel? ''sh cry ips sa''
Do you see the translation being built for the VPN pool IP of your client when going to the Internet? ''sh xlate''
Federico.
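As an added example (not code from any post in this thread), the three prerequisites Federico lists for sending VPN-client traffic back out the outside interface can be checked mechanically against an ASA 8.2-style running-config. The script below parses a trimmed excerpt of the config Dan posted (copied from the thread) and a constructed broken variant; the function names, the finding strings and the assumption that the interface carrying the crypto map is the VPN-facing one are the example's own.

```python
import ipaddress
import re

# Relevant lines copied from the ASA 8.2(1) running-config posted at the top
# of this thread (trimmed to what the hairpin check needs).
POSTED_CONFIG = """\
same-security-traffic permit intra-interface
ip local pool IGBVPNPOOL 172.16.17.20-172.16.17.254 mask 255.255.255.0
nat-control
global (igbpublic) 1 interface
nat (igbpublic) 1 172.16.17.0 255.255.255.0
nat (igbprivate) 0 access-list 101
nat (igbprivate) 1 0.0.0.0 0.0.0.0
crypto map RMT-USER-MAP-1 interface igbpublic
"""

# Constructed negative sample (not from the thread): intra-interface permit
# absent and the pool NAT placed on the inside interface instead of outside.
BROKEN_CONFIG = """\
ip local pool IGBVPNPOOL 172.16.17.20-172.16.17.254 mask 255.255.255.0
nat-control
global (igbpublic) 1 interface
nat (igbprivate) 1 172.16.17.0 255.255.255.0
crypto map RMT-USER-MAP-1 interface igbpublic
"""


def parse_pool(config, name):
    """Return the subnet of `ip local pool NAME FIRST-LAST mask MASK`."""
    m = re.search(rf"^ip local pool {re.escape(name)} (\S+)-(\S+) mask (\S+)$",
                  config, re.M)
    if not m:
        raise ValueError(f"ip local pool {name} not found")
    first, _last, mask = m.groups()
    return ipaddress.ip_network(f"{first}/{mask}", strict=False)


def check_hairpin(config, pool_name):
    """Return findings (empty list = every hairpin prerequisite is present)."""
    findings = []
    pool = parse_pool(config, pool_name)

    # Assumption: the VPN-facing interface is the one the crypto map is bound to.
    m = re.search(r"^crypto map \S+ interface (\S+)$", config, re.M)
    if not m:
        return ["no crypto map is bound to an interface"]
    outside = m.group(1)

    # Decrypted client traffic must be allowed back out the interface it
    # arrived on.
    if not re.search(r"^same-security-traffic permit intra-interface$",
                     config, re.M):
        findings.append("missing: same-security-traffic permit intra-interface")

    # Under nat-control the pool needs a dynamic NAT rule on the outside
    # interface; nat 0 is exemption, not translation, so it does not count.
    nat_ids = set()
    pat = rf"^nat \({re.escape(outside)}\) (\d+) (\S+) (\S+)$"
    for m in re.finditer(pat, config, re.M):
        nat_id, addr, mask = m.groups()
        if nat_id == "0":
            continue
        net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        if pool.subnet_of(net):
            nat_ids.add(nat_id)
    if not nat_ids:
        findings.append(f"missing: nat ({outside}) <id> covering {pool}")

    # Each nat id in use needs a matching global on the same interface.
    for nat_id in sorted(nat_ids):
        if not re.search(rf"^global \({re.escape(outside)}\) {nat_id} ",
                         config, re.M):
            findings.append(f"missing: global ({outside}) {nat_id} interface")
    return findings


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_CONFIG), ("broken", BROKEN_CONFIG)):
        print(label, check_hairpin(cfg, "IGBVPNPOOL") or ["ok"])
```

Run against the posted excerpt the checker reports nothing, which matches Federico's reading that the three pieces are already in place; the broken variant produces two findings. The check only looks at the 8.2 `nat`/`global` syntax and is not a substitute for `packet-tracer` on the box itself.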
08-25-2010 01:54 PM
Yes, that is correct. I am connecting to the ASA via a VPN client and allowing users to connect to the Internet through the tunnel.
ciscoasa# sh cry ips sa
......
local crypto endpt.: a.b.c.42, remote crypto endpt.: 75.205.12.128
........
Looks like the tunnel is established
The only problem with sending traffic through the tunnel is that right now I have no targets to send it to. But:
ciscoasa# sh cry ips sa
interface: igbpublic
Crypto map tag: RMT-DYNA-MAP-1, seq num: 10, local addr: a.b.c.42
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (172.16.17.20/255.255.255.255/0/0)
current_peer: 75.205.12.128, username: danield
dynamic allocated peer ip: 172.16.17.20
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: a.b.c.42, remote crypto endpt.: 75.205.12.128
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 3B6592FC
inbound esp sas:
spi: 0x43720D5D (1131547997)
transform: esp-3des esp-sha-hmac no compression
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 98304, crypto-map: RMT-DYNA-MAP-1
sa timing: remaining key lifetime (sec): 23910
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0x3B6592FC (996512508)
transform: esp-3des esp-sha-hmac no compression
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 98304, crypto-map: RMT-DYNA-MAP-1
sa timing: remaining key lifetime (sec): 23910
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
08-25-2010 02:03 PM
Well... this is kind of weird because it seems the ASA is sending traffic through the tunnel back to you, but you're not replying to the ASA.
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (172.16.17.20/255.255.255.255/0/0)
current_peer: 75.205.12.128, username: danield
dynamic allocated peer ip: 172.16.17.20
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
I would suggest the following...
1. Clear the tunnel:
clear cry isa sa
clear cry ips sa
2. Bring up the tunnel again by sending traffic through the Internet.
You should see the tunnel established and please post the output from ''sh cry ips sa'' once again.
Federico.
08-25-2010 02:46 PM
Hmm, it doesn't look much different.
ciscoasa# clear cry isa sa
ciscoasa# clear ips sa
ciscoasa# sh cry ips sa
interface: igbpublic
Crypto map tag: RMT-DYNA-MAP-1, seq num: 10, local addr: a.b.c.42
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (172.16.17.20/255.255.255.255/0/0)
current_peer: 75.205.12.128, username: danield
dynamic allocated peer ip: 172.16.17.20
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: a.b.c.42, remote crypto endpt.: 75.205.12.128
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 78D584E2
inbound esp sas:
spi: 0xCBB9B456 (3417945174)
transform: esp-3des esp-sha-hmac no compression
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 102400, crypto-map: RMT-DYNA-MAP-1
sa timing: remaining key lifetime (sec): 28783
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0x78D584E2 (2027259106)
transform: esp-3des esp-sha-hmac no compression
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 102400, crypto-map: RMT-DYNA-MAP-1
sa timing: remaining key lifetime (sec): 28783
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
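An added example, not code from any post in this thread: a small parser for the counter lines of `sh cry ips sa`, applied to the two outputs Dan posted (copied below) and to a constructed healthy sample, that classifies the SA the way Federico's reply reads it (encaps without decaps means the ASA is sending toward the client and nothing is coming back). The function names and the status strings are the example's own.

```python
import re

# Counter block copied from the first `sh cry ips sa` output posted in this
# thread: 4 packets encapsulated toward the client, 0 decapsulated from it.
SA_FROM_THREAD = """\
Crypto map tag: RMT-DYNA-MAP-1, seq num: 10, local addr: a.b.c.42
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (172.16.17.20/255.255.255.255/0/0)
current_peer: 75.205.12.128, username: danield
dynamic allocated peer ip: 172.16.17.20
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#send errors: 0, #recv errors: 0
"""

# Counter block copied from the output posted right after the tunnel was cleared.
SA_AFTER_CLEAR = """\
current_peer: 75.205.12.128, username: danield
dynamic allocated peer ip: 172.16.17.20
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#send errors: 0, #recv errors: 0
"""

# Constructed sample (not from the thread) of an SA carrying traffic both ways.
SA_HEALTHY = """\
current_peer: 203.0.113.5, username: alice
dynamic allocated peer ip: 172.16.17.21
#pkts encaps: 120, #pkts encrypt: 120, #pkts digest: 120
#pkts decaps: 118, #pkts decrypt: 118, #pkts verify: 118
#send errors: 0, #recv errors: 0
"""

COUNTER_KEYS = ("encaps", "decaps", "encrypt", "decrypt", "verify")


def parse_sa(text):
    """Pull peer, assigned pool address and packet counters out of one SA block."""
    sa = {"peer": None, "username": None, "peer_ip": None}
    m = re.search(r"current_peer: ([^,\s]+)(?:, username: (\S+))?", text)
    if m:
        sa["peer"], sa["username"] = m.group(1), m.group(2)
    m = re.search(r"dynamic allocated peer ip: (\S+)", text)
    if m:
        sa["peer_ip"] = m.group(1)
    for key in COUNTER_KEYS:
        m = re.search(rf"#pkts {key}: (\d+)", text)
        sa[key] = int(m.group(1)) if m else 0
    for key in ("send", "recv"):
        m = re.search(rf"#{key} errors: (\d+)", text)
        sa[f"{key}_errors"] = int(m.group(1)) if m else 0
    return sa


def diagnose(sa):
    """Classify the SA from its encaps/decaps balance."""
    enc, dec = sa["encaps"], sa["decaps"]
    if sa["recv_errors"] or sa["send_errors"]:
        return "errors"
    if enc == 0 and dec == 0:
        return "idle"                 # SA is up but nothing has used it yet
    if dec == 0:
        return "one-way-to-client"    # ASA encrypts toward client, nothing comes back
    if enc == 0:
        return "one-way-from-client"  # client traffic arrives, ASA never answers
    return "bidirectional"


if __name__ == "__main__":
    for label, text in (("thread", SA_FROM_THREAD),
                        ("after clear", SA_AFTER_CLEAR),
                        ("healthy", SA_HEALTHY)):
        sa = parse_sa(text)
        print(f"{label}: peer={sa['peer']} pool_ip={sa['peer_ip']} "
              f"encaps={sa['encaps']} decaps={sa['decaps']} -> {diagnose(sa)}")
```

The first posted output classifies as one-way toward the client and the post-clear output as idle, which is what the replies above say: the ASA side of the tunnel is up, but no client packets are being decapsulated, so the problem is not yet on the NAT/routing side that `sh xlate` would show.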
08-26-2010 09:03 AM
I'm still trying to get this working. One thing I noticed today is that I can still ping the public interface once I start my connection. My routes are below.
If I do a packet trace on the ASDM, it shows the traffic being dropped at NAT by rule.
ciscoasa# show route
Gateway of last resort is a.b.c.1 to network 0.0.0.0
C 172.16.16.0 255.255.255.0 is directly connected, igbprivate
S 172.16.17.20 255.255.255.255 [1/0] via 128.174.124.1, igbpublic
C a.b.c.0 255.255.252.0 is directly connected, igbpublic
C 192.168.1.0 255.255.255.0 is directly connected, management
S* 0.0.0.0 0.0.0.0 [1/0] via a.b.c.1, igbpublic
08-26-2010 11:00 AM
Hello,
Please configure the following access-list line:
access-list 101 extended permit ip any 172.16.17.0 255.255.255.0
That should fix the issue.
Regards,
NT
08-26-2010 12:15 PM
That still does not get me working. The end system receives its DNS servers, IP address and everything. It detects its gateway as 172.16.17.1, which doesn't exist anywhere. Is that correct?
Dan