12-27-2011 04:13 PM
Hi
I have a problem with access from a VPN client to the inside private network across an ASA 5510.
I have an ASA 5510 with the 8.2 boot image loaded. I made the classic NAT exemption configuration for the VPN server, but the VPN client can't ping and doesn't see the local file share.
Can anyone look at the configuration and debug log and help me understand why the NAT exemption isn't working? Maybe it is a hardware problem?
I think the NAT exemption doesn't work, but maybe I am mistaken.
ASA 5510 with remote VPN configuration:
interface Ethernet0/0
nameif outside
security-level 0
ip address 172.16.1.2 255.255.255.252
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.99.60 255.255.255.0
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list inside extended permit ip 192.168.99.0 255.255.255.0 any
access-list inside extended permit icmp 192.168.99.0 255.255.255.0 any
access-list remote_vpn extended permit ip 192.168.99.0 255.255.255.0 192.168.199.0 255.255.255.0
access-list remote_vpn extended permit ip 192.168.199.0 255.255.255.0 192.168.99.0 255.255.255.0
ip local pool vpnpool1 192.168.199.128-192.168.199.254 mask 255.255.255.0
nat-control
global (outside) 1 interface
nat (inside) 0 access-list remote_vpn
nat (inside) 1 192.168.99.0 255.255.255.0
access-group inside in interface inside
route outside 0.0.0.0 0.0.0.0 172.16.1.1 1
sysopt noproxyarp outside
sysopt noproxyarp inside
crypto ipsec transform-set vpn_dyn_map esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map vpn_map 10 set pfs
crypto dynamic-map vpn_map 10 set transform-set vpn_dyn_map
crypto dynamic-map vpn_map 10 set security-association lifetime seconds 28800
crypto dynamic-map vpn_map 10 set security-association lifetime kilobytes 4608000
crypto map VpnAccess 65535 ipsec-isakmp dynamic vpn_map
crypto map VpnAccess interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
group-policy BossVpnAcc internal
group-policy BossVpnAcc attributes
dns-server value 8.8.8.8
vpn-idle-timeout 30
vpn-tunnel-protocol IPSec svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value remote_vpn
default-domain value greenteam.ua
address-pools value vpnpool1
username cisco password xxxx encrypted privilege 15
username cisco attributes
vpn-group-policy BossVpnAcc
vpn-framed-ip-address 192.168.199.250 255.255.255.0
service-type remote-access
tunnel-group BossVpnAcc type remote-access
tunnel-group BossVpnAcc general-attributes
address-pool vpnpool1
default-group-policy BossVpnAcc
tunnel-group BossVpnAcc ipsec-attributes
pre-shared-key *****
tunnel-group-map default-group BossVpnAcc
The VPN client gets access to the ASA:
VNPGate# sh crypto isakmp sa
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 172.16.2.2
Type : user Role : responder
Rekey : no State : AM_ACTIVE
VNPGate#
VNPGate#
VNPGate#
VNPGate# sh crypto ipsec sa
interface: outside
Crypto map tag: vpn_map, seq num: 10, local addr: 172.16.1.2
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.199.250/255.255.255.255/0/0)
current_peer: 172.16.2.2, username: cisco
dynamic allocated peer ip: 192.168.199.250
#pkts encaps: 10, #pkts encrypt: 10, #pkts digest: 10
#pkts decaps: 16, #pkts decrypt: 16, #pkts verify: 16
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 10, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 172.16.1.2/4500, remote crypto endpt.: 172.16.2.2/11458
path mtu 1400, ipsec overhead 82, media mtu 1500
current outbound spi: B1991A16
current inbound spi : 2EAF644C
inbound esp sas:
spi: 0x2EAF644C (783246412)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 16384, crypto-map: vpn_map
sa timing: remaining key lifetime (sec): 28332
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x0001FFFF
outbound esp sas:
spi: 0xB1991A16 (2979600918)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 16384, crypto-map: vpn_map
sa timing: remaining key lifetime (sec): 28332
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
The VPN client pings the office server:
c:\>ping 192.168.99.60 (ping 4 packet)
Обмен пакетами с 192.168.99.60 по 32 байт:
Превышен интервал ожидания для запроса.
Превышен интервал ожидания для запроса.
Превышен интервал ожидания для запроса.
Превышен интервал ожидания для запроса.
Статистика Ping для 192.168.99.60:
Пакетов: отправлено = 4, получено = 0, потеряно = 4 (100% потерь),
c:\>windump -i \Device\NPF_{4E2ACD58-EBD9-448A-94B9-BDE72400693E} -n
windump: listening on \Device\NPF_{4E2ACD58-EBD9-448A-94B9-BDE72400693E}
18:30:17.978851 arp who-has 192.168.99.60 tell 192.168.199.250
18:30:17.978906 arp reply 192.168.99.60 is-at 00:02:cf:a7:82:54
18:30:17.978915 IP 192.168.199.250 > 192.168.99.60: ICMP echo request, id 768, seq 1280, length 40
18:30:23.133749 IP 192.168.199.250 > 192.168.99.60: ICMP echo request, id 768, seq 1536, length 40
18:30:28.633687 IP 192.168.199.250 > 192.168.99.60: ICMP echo request, id 768, seq 1792, length 40
18:30:34.133618 IP 192.168.199.250 > 192.168.99.60: ICMP echo request, id 768, seq 2048, length 40
VNPGate# term mon
Dec 25 2011 18:30:17: %ASA-7-609001: Built local-host identity:192.168.99.60
Dec 25 2011 18:30:17: %ASA-6-302020: Built inbound ICMP connection for faddr 192.168.199.250/768 gaddr 192.168.99.60/0 laddr 192.168.99.60/0 (cisco)
ICMP echo request from 192.168.199.250 to 192.168.99.60 ID=768 seq=1280 len=32
Dec 25 2011 18:30:18: %ASA-7-609001: Built local-host outside:193.193.193.107
Dec 25 2011 18:30:19: %ASA-6-302021: Teardown ICMP connection for faddr 192.168.199.250/768 gaddr 192.168.99.60/0 laddr 192.168.99.60/0 (cisco)
Dec 25 2011 18:30:19: %ASA-7-609002: Teardown local-host identity:192.168.99.60 duration 0:00:02
Dec 25 2011 18:30:22: %ASA-7-609001: Built local-host identity:192.168.99.60
Dec 25 2011 18:30:22: %ASA-6-302020: Built inbound ICMP connection for faddr 192.168.199.250/768 gaddr 192.168.99.60/0 laddr 192.168.99.60/0 (cisco)
ICMP echo request from 192.168.199.250 to 192.168.99.60 ID=768 seq=1536 len=32
Dec 25 2011 18:30:23: %ASA-7-713236: IP = 172.16.2.2, IKE_DECODE RECEIVED Message (msgid=8bfe7cb2) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Dec 25 2011 18:30:23: %ASA-7-715047: Group = BossVpnAcc, Username = cisco, IP = 172.16.2.2, processing hash payload
Dec 25 2011 18:30:23: %ASA-7-715047: Group = BossVpnAcc, Username = cisco, IP = 172.16.2.2, processing notify payload
Dec 25 2011 18:30:23: %ASA-7-715075: Group = BossVpnAcc, Username = cisco, IP = 172.16.2.2, Received keep-alive of type DPD R-U-THERE (seq number 0xcaf9c72a)
Dec 25 2011 18:30:23: %ASA-7-715036: Group = BossVpnAcc, Username = cisco, IP = 172.16.2.2, Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0xcaf9c72a)
Dec 25 2011 18:30:23: %ASA-7-715046: Group = BossVpnAcc, Username = cisco, IP = 172.16.2.2, constructing blank hash payload
Dec 25 2011 18:30:23: %ASA-7-715046: Group = BossVpnAcc, Username = cisco, IP = 172.16.2.2, constructing qm hash payload
Dec 25 2011 18:30:23: %ASA-7-713236: IP = 172.16.2.2, IKE_DECODE SENDING Message (msgid=e3eda86f) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Dec 25 2011 18:30:24: %ASA-6-302021: Teardown ICMP connection for faddr 192.168.199.250/768 gaddr 192.168.99.60/0 laddr 192.168.99.60/0 (cisco)
Dec 25 2011 18:30:24: %ASA-7-609002: Teardown local-host identity:192.168.99.60 duration 0:00:02
Dec 25 2011 18:30:28: %ASA-7-609001: Built local-host identity:192.168.99.60
Dec 25 2011 18:30:28: %ASA-6-302020: Built inbound ICMP connection for faddr 192.168.199.250/768 gaddr 192.168.99.60/0 laddr 192.168.99.60/0 (cisco)
ICMP echo request from 192.168.199.250 to 192.168.99.60 ID=768 seq=1792 len=32
Dec 25 2011 18:30:30: %ASA-6-302021: Teardown ICMP connection for faddr 192.168.199.250/768 gaddr 192.168.99.60/0 laddr 192.168.99.60/0 (cisco)
Dec 25 2011 18:30:30: %ASA-7-609002: Teardown local-host identity:192.168.99.60 duration 0:00:02
Dec 25 2011 18:30:33: %ASA-7-609001: Built local-host identity:192.168.99.60
Dec 25 2011 18:30:33: %ASA-6-302020: Built inbound ICMP connection for faddr 192.168.199.250/768 gaddr 192.168.99.60/0 laddr 192.168.99.60/0 (cisco)
ICMP echo request from 192.168.199.250 to 192.168.99.60 ID=768 seq=2048 len=32
Dec 25 2011 18:30:34: %ASA-7-713236: IP = 172.16.2.2, IKE_DECODE RECEIVED Message (msgid=4aff2d40) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Dec 25 2011 18:30:34: %ASA-7-715047: Group = BossVpnAcc, Username = cisco, IP = 172.16.2.2, processing hash payload
Dec 25 2011 18:30:34: %ASA-7-715047: Group = BossVpnAcc, Username = cisco, IP = 172.16.2.2, processing notify payload
Dec 25 2011 18:30:34: %ASA-7-715075: Group = BossVpnAcc, Username = cisco, IP = 172.16.2.2, Received keep-alive of type DPD R-U-THERE (seq number 0xcaf9c72b)
Dec 25 2011 18:30:34: %ASA-7-715036: Group = BossVpnAcc, Username = cisco, IP = 172.16.2.2, Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0xcaf9c72b)
Dec 25 2011 18:30:34: %ASA-7-715046: Group = BossVpnAcc, Username = cisco, IP = 172.16.2.2, constructing blank hash payload
Dec 25 2011 18:30:34: %ASA-7-715046: Group = BossVpnAcc, Username = cisco, IP = 172.16.2.2, constructing qm hash payload
Dec 25 2011 18:30:34: %ASA-7-713236: IP = 172.16.2.2, IKE_DECODE SENDING Message (msgid=74063804) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Dec 25 2011 18:30:35: %ASA-6-302021: Teardown ICMP connection for faddr 192.168.199.250/768 gaddr 192.168.99.60/0 laddr 192.168.99.60/0 (cisco)
Dec 25 2011 18:30:35: %ASA-7-609002: Teardown local-host identity:192.168.99.60 duration 0:00:02
VNPGate# sh crypto ipsec sa
interface: outside
Crypto map tag: vpn_map, seq num: 10, local addr: 172.16.1.2
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.199.250/255.255.255.255/0/0)
current_peer: 172.16.2.2, username: cisco
dynamic allocated peer ip: 192.168.199.250
#pkts encaps: 10, #pkts encrypt: 10, #pkts digest: 10
#pkts decaps: 20, #pkts decrypt: 20, #pkts verify: 20
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 10, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 172.16.1.2/4500, remote crypto endpt.: 172.16.2.2/11458
path mtu 1400, ipsec overhead 82, media mtu 1500
current outbound spi: B1991A16
current inbound spi : 2EAF644C
inbound esp sas:
spi: 0x2EAF644C (783246412)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 16384, crypto-map: vpn_map
sa timing: remaining key lifetime (sec): 28210
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x001FFFFF
outbound esp sas:
spi: 0xB1991A16 (2979600918)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 16384, crypto-map: vpn_map
sa timing: remaining key lifetime (sec): 28210
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
VNPGate# sh xlate
0 in use, 0 most used
We ping the VPN client from the server:
VNPGate# ping 192.168.199.250 (ping 5 packet)
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.199.250, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
VNPGate#
VNPGate# term mon
Dec 25 2011 18:36:53: %ASA-5-111008: User 'enable_15' executed the 'terminal monitor' command.
Dec 25 2011 18:36:56: %ASA-6-302020: Built outbound ICMP connection for faddr 192.168.199.250/0 gaddr 172.16.1.2/34614 laddr 172.16.1.2/34614
ICMP echo request from 172.16.1.2 to 192.168.199.250 ID=34614 seq=41976 len=72
ICMP echo request from 172.16.1.2 to 192.168.199.250 ID=34614 seq=41976 len=72
Dec 25 2011 18:36:58: %ASA-7-713236: IP = 172.16.2.2, IKE_DECODE RECEIVED Message (msgid=f982b1f6) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Dec 25 2011 18:36:58: %ASA-7-715047: Group = BossVpnAcc, Username = cisco, IP = 172.16.2.2, processing hash payload
Dec 25 2011 18:36:58: %ASA-7-715047: Group = BossVpnAcc, Username = cisco, IP = 172.16.2.2, processing notify payload
Dec 25 2011 18:36:58: %ASA-7-715075: Group = BossVpnAcc, Username = cisco, IP = 172.16.2.2, Received keep-alive of type DPD R-U-THERE (seq number 0xcaf9c74e)
Dec 25 2011 18:36:58: %ASA-7-715036: Group = BossVpnAcc, Username = cisco, IP = 172.16.2.2, Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0xcaf9c74e)
Dec 25 2011 18:36:58: %ASA-7-715046: Group = BossVpnAcc, Username = cisco, IP = 172.16.2.2, constructing blank hash payload
Dec 25 2011 18:36:58: %ASA-7-715046: Group = BossVpnAcc, Username = cisco, IP = 172.16.2.2, constructing qm hash payload
Dec 25 2011 18:36:58: %ASA-7-713236: IP = 172.16.2.2, IKE_DECODE SENDING Message (msgid=ac5e02a) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
ICMP echo request from 172.16.1.2 to 192.168.199.250 ID=34614 seq=41976 len=72
ICMP echo request from 172.16.1.2 to 192.168.199.250 ID=34614 seq=41976 len=72
ICMP echo request from 172.16.1.2 to 192.168.199.250 ID=34614 seq=41976 len=72
Dec 25 2011 18:37:06: %ASA-5-111008: User 'enable_15' executed the 'ping 192.168.199.250' command.
Dec 25 2011 18:37:06: %ASA-6-302021: Teardown ICMP connection for faddr 192.168.199.250/0 gaddr 172.16.1.2/34614 laddr 172.16.1.2/34614
term no mon
VNPGate#
c:\>windump -i \Device\NPF_{4E2ACD58-EBD9-448A-94B9-BDE72400693E} -n
windump: listening on \Device\NPF_{4E2ACD58-EBD9-448A-94B9-BDE72400693E}
18:36:56.861181 IP 172.16.1.2 > 192.168.199.250: ICMP echo request, id 34614, seq 41976, length 80
18:36:58.857967 IP 172.16.1.2 > 192.168.199.250: ICMP echo request, id 34614, seq 41976, length 80
18:37:00.858261 IP 172.16.1.2 > 192.168.199.250: ICMP echo request, id 34614, seq 41976, length 80
18:37:02.857359 IP 172.16.1.2 > 192.168.199.250: ICMP echo request, id 34614, seq 41976, length 80
18:37:04.857490 IP 172.16.1.2 > 192.168.199.250: ICMP echo request, id 34614, seq 41976, length 80
VNPGate# sh crypto ipsec sa
interface: outside
Crypto map tag: vpn_map, seq num: 10, local addr: 172.16.1.2
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.199.250/255.255.255.255/0/0)
current_peer: 172.16.2.2, username: cisco
dynamic allocated peer ip: 192.168.199.250
#pkts encaps: 15, #pkts encrypt: 15, #pkts digest: 15
#pkts decaps: 35, #pkts decrypt: 35, #pkts verify: 35
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 15, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 172.16.1.2/4500, remote crypto endpt.: 172.16.2.2/11458
path mtu 1400, ipsec overhead 82, media mtu 1500
current outbound spi: B1991A16
current inbound spi : 2EAF644C
inbound esp sas:
spi: 0x2EAF644C (783246412)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 16384, crypto-map: vpn_map
sa timing: remaining key lifetime (sec): 27836
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x0000000F 0xFFFFFFFF
outbound esp sas:
spi: 0xB1991A16 (2979600918)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 16384, crypto-map: vpn_map
sa timing: remaining key lifetime (sec): 27836
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
VNPGate#
VNPGate# sh xlate
0 in use, 0 most used
VNPGate# sh route
S 192.168.199.250 255.255.255.255 [1/0] via 172.16.1.1, outside
C 192.168.99.0 255.255.255.0 is directly connected, inside
C 172.16.1.0 255.255.255.252 is directly connected, outside
S* 0.0.0.0 0.0.0.0 [1/0] via 172.16.1.1, outside
What is wrong in my configuration?
PS:
While an inside client tries to ping the remote client, the debug shows:
ICMP echo request from 192.168.99.1 to 192.168.99.60 ID=1 seq=904 len=64
ICMP echo reply from 192.168.99.60 to 192.168.99.1 ID=1 seq=904 len=64
ICMP echo request from inside:192.168.99.1 to outside:192.168.199.1 ID=1 seq=907 len=64
ICMP echo request translating inside:192.168.99.1/1 to outside:172.16.1.2/25336
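The question above is whether the pre-8.3 NAT exemption (`nat (inside) 0 access-list remote_vpn`) actually covers the VPN pool. The following script is an added example, not part of the poster's configuration or any Cisco tool: it parses the relevant lines of an ASA 8.2 configuration and checks that every `ip local pool` is covered by the `nat 0` ACL of each internal interface and that the split-tunnel list advertises each internal network to clients. It assumes the VPN terminates on the interface named `outside` (the `VPN_INTERFACE` constant) and that the config uses the pre-8.3 syntax shown in the thread; the sample text is a constructed excerpt of the posted configuration.

```python
"""Added example: consistency check for ASA 8.2 remote-access VPN NAT exemption.

Parses the relevant lines of a pre-8.3 ASA configuration and checks that every
VPN address pool is covered by the 'nat (<if>) 0 access-list' exemption of each
internal interface and that the split-tunnel list advertises each internal network.
"""
import ipaddress

# Constructed sample: only the lines of the posted configuration that matter here.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 ip address 172.16.1.2 255.255.255.252
interface Ethernet0/1
 nameif inside
 ip address 192.168.99.60 255.255.255.0
access-list inside extended permit ip 192.168.99.0 255.255.255.0 any
access-list remote_vpn extended permit ip 192.168.99.0 255.255.255.0 192.168.199.0 255.255.255.0
access-list remote_vpn extended permit ip 192.168.199.0 255.255.255.0 192.168.99.0 255.255.255.0
ip local pool vpnpool1 192.168.199.128-192.168.199.254 mask 255.255.255.0
nat-control
global (outside) 1 interface
nat (inside) 0 access-list remote_vpn
nat (inside) 1 192.168.99.0 255.255.255.0
group-policy BossVpnAcc attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value remote_vpn
"""

VPN_INTERFACE = "outside"  # assumption: the nameif on which the VPN terminates


def _net(tokens, i):
    """Consume one ACL address spec (any | host A | A MASK) starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_config(text):
    """Extract interfaces, ACLs, pools, nat 0 bindings and split-tunnel lists."""
    cfg = {"acls": {}, "pools": {}, "nat0": {}, "ifaces": {}, "split_lists": set()}
    cur_if = None  # nameif of the interface stanza being read, if any
    for raw in text.splitlines():
        if not raw[:1].isspace():
            cur_if = None  # any unindented line ends the current stanza
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[0] == "interface":
            cur_if = ""
        elif tokens[0] == "nameif" and cur_if is not None:
            cur_if = tokens[1]
        elif tokens[:2] == ["ip", "address"] and cur_if:
            cfg["ifaces"][cur_if] = ipaddress.ip_network(f"{tokens[2]}/{tokens[3]}", strict=False)
        elif tokens[0] == "access-list" and tokens[2:4] == ["extended", "permit"]:
            src, i = _net(tokens, 5)
            dst, _ = _net(tokens, i)
            cfg["acls"].setdefault(tokens[1], []).append((tokens[4], src, dst))
        elif tokens[:3] == ["ip", "local", "pool"]:
            first, last = tokens[4].split("-")
            cfg["pools"][tokens[3]] = (ipaddress.ip_address(first), ipaddress.ip_address(last))
        elif tokens[0] == "nat" and tokens[2:4] == ["0", "access-list"]:
            cfg["nat0"][tokens[1].strip("()")] = tokens[4]
        elif tokens[:2] == ["split-tunnel-network-list", "value"]:
            cfg["split_lists"].add(tokens[2])
    return cfg


def check_vpn_reachability(text):
    """Return a list of findings; an empty list means the NAT exemption and the
    split-tunnel list are consistent with the pools, so the config is not the cause."""
    cfg = parse_config(text)
    findings = []
    internal = {n: net for n, net in cfg["ifaces"].items() if n != VPN_INTERFACE}
    for pool, (first, last) in cfg["pools"].items():
        for nameif, net in internal.items():
            acl = cfg["nat0"].get(nameif)
            if acl is None:
                findings.append(f"{nameif}: no 'nat ({nameif}) 0 access-list'; replies to {pool} "
                                f"would be translated by the dynamic NAT rule")
                continue
            # Pre-8.3 NAT exemption is evaluated before dynamic NAT, so one matching
            # entry (internal network -> whole pool, protocol ip) is sufficient.
            if not any(proto == "ip" and net.subnet_of(src) and first in dst and last in dst
                       for proto, src, dst in cfg["acls"].get(acl, [])):
                findings.append(f"{nameif}: ACL {acl} has no 'permit ip {net} -> {pool}' entry "
                                f"covering {first}-{last}")
    for split in cfg["split_lists"]:
        for nameif, net in internal.items():
            # In a split-tunnel ACL the source field is the network routed via the tunnel.
            if not any(net.subnet_of(src) for _, src, _ in cfg["acls"].get(split, [])):
                findings.append(f"split-tunnel list {split} does not advertise {net} ({nameif})")
    return findings


if __name__ == "__main__":
    for line in check_vpn_reachability(SAMPLE_CONFIG) or ["no NAT-exemption or split-tunnel findings"]:
        print(line)
```

Run against the posted excerpt the check reports nothing: the `remote_vpn` ACL does cover 192.168.99.0/24 to the whole pool and is bound with `nat (inside) 0`, so the exemption itself is consistent and the cause has to be looked for elsewhere (client routing, the host firewall on the client, or the fact that the pings target the ASA's own inside interface rather than a host behind it). Shrinking or moving the pool outside the ACL, or deleting the `nat (inside) 0` line, makes the checker name the gap.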
12-29-2011 05:52 AM
Post the output from the client, when connected, of:
ipconfig/all
route print