Have problems with IPSec VPN Client and multiple target networks

ken.mackesy
Level 1

I am using an ASA 5520 running 8.2(4).

My objective is to get a VPN client to access more than one network on the inside of the network, i.e., I need to VPN in with an IPSec client and be able to establish tcp connections to servers at 192.168.210.x and 10.21.9.x and 10.21.3.x

I believe I am close to having this resolved, but seem to have a routing issue. What I believe to be relevant follows:

net1: 192.168.210.0/32

net2: 10.21.0.0/16

net2 has multiple VLAN subnets defined:

DeviceManagement (vlan91): 10.21.9.0/32

Servers (vlan31): 10.21.3.0/32

# show route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is x.x.x.x to network 0.0.0.0

C    192.168.210.0 255.255.255.0 is directly connected, inside
C    216.185.85.92 255.255.255.252 is directly connected, outside
C    10.21.9.0 255.255.255.0 is directly connected, DeviceManagement
C    10.21.3.0 255.255.255.0 is directly connected, Servers
S*   0.0.0.0 0.0.0.0 [1/0] via x.x.x.x, outside

I can communicate freely between all networks from inside.

interface GigabitEthernet0/0
 description **INTERNAL NETWORK**
 speed 1000
 duplex full
 nameif inside
 security-level 100
 ip address 192.168.210.1 255.255.255.0
 ospf hello-interval 2
 ospf dead-interval 7
!
interface Redundant1.31
 vlan 31
 nameif Servers
 security-level 100
 ip address 10.21.3.1 255.255.255.0
!
interface Redundant1.91
 vlan 91
 nameif DeviceManagement
 security-level 100
 ip address 10.21.9.1 255.255.255.0
!
same-security-traffic permit inter-interface

access-list NO_NAT extended permit ip any 172.31.255.0 255.255.255.0
ip local pool vpnpool 172.31.255.1-172.31.255.254 mask 255.255.255.0
global (outside) 101 interface
nat (inside) 0 access-list NO_NAT
nat (inside) 101 192.168.210.0 255.255.255.0
nat (Servers) 101 10.21.3.0 255.255.255.0
nat (DeviceManagement) 101 10.21.9.0 255.255.255.0
static (inside,DeviceManagement) 192.168.210.0 192.168.210.0 netmask 255.255.255.0
static (inside,Servers) 192.168.210.0 192.168.210.0 netmask 255.255.255.0
static (Servers,inside) 10.21.3.0 10.21.3.0 netmask 255.255.255.0
static (DeviceManagement,inside) 10.21.9.0 10.21.9.0 netmask 255.255.255.0

access-list LAN-IN extended permit tcp 192.168.210.0 255.255.255.0 any
access-list LAN-IN extended permit udp 192.168.210.0 255.255.255.0 any
access-list LAN-IN extended permit ip 192.168.210.0 255.255.255.0 any
access-list LAN-IN extended permit icmp 192.168.210.0 255.255.255.0 any
access-list LAN-IN extended permit tcp 10.21.0.0 255.255.0.0 any
access-list LAN-IN extended permit udp 10.21.0.0 255.255.0.0 any
access-list LAN-IN extended permit ip 10.21.0.0 255.255.0.0 any
access-list LAN-IN extended permit icmp 10.21.0.0 255.255.0.0 any
access-list SPLIT-TUNNEL standard permit 192.168.210.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit 10.21.0.0 255.255.0.0
access-group LAN-IN in interface inside

group-policy VPNUSERS internal
group-policy VPNUSERS attributes
 dns-server value 216.185.64.6
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
 default-domain value internal-network.com
tunnel-group VPNUSERS type remote-access
tunnel-group VPNUSERS general-attributes
 address-pool vpnpool
 default-group-policy VPNUSERS
tunnel-group VPNUSERS ipsec-attributes
 pre-shared-key *****

When a user initiates a VPN connection, their local routing tables have routes through the tunnel for both 10.21.0.0/16 and 192.168.210.0/32.

They are only able to communicate with the 192.168.210.0/32 network, though.

I have tried adding the following, but it doesn't help:

router ospf 1000
 router-id 192.168.210.1
 network 10.21.0.0 255.255.0.0 area 1
 network 192.168.210.0 255.255.255.252 area 0
 area 1

Can anybody please help me with this problem? There could be a lot of extraneous stuff in here, and if you could show me that, too, I'd greatly appreciate it. If you need any more information about the config, I'll be happy to provide it.

Dear Kenneth,

Please do the following:

  access-list LOCAL_REDISTRIBUTE_OUT standard permit 172.31.255.0 255.255.255.0
  !
  route-map LOCAL_REDISTRIBUTE_OUT permit 10
   match ip address LOCAL_REDISTRIBUTE_OUT
  !
  router ospf 1000
   redistribute static subnets route-map LOCAL_REDISTRIBUTE_OUT
  !
  crypto dynamic-map your-dynamic-map your-sequence-number set reverse-route

If it still does not work:

     capture capin interface DeviceManagement match ip 172.31.255.0 255.255.255.0 10.21.0.0 255.255.0.0

Try to ping a host within the 10.21.0.0/16 network from the VPN client and do a "show capture capin", post the output.

Also, can you ping the 10.21.0.0/16 network from the ASA?

Thanks.

Portu.

Please rate any post you find useful.

Hi Javier...

Thanks for helping out, though I didn't see any change after applying the configs you suggested.

The changed config contains the following:

access-list local_redistribute_out standard permit 172.31.255.0 255.255.255.0
!
route-map local_redistribute_out permit 10
 match ip address local_redistribute_out
!
router ospf 1000
 router-id 192.168.210.1
 network 10.21.0.0 255.255.0.0 area 1
 network 192.168.210.0 255.255.255.252 area 0
 area 1
 log-adj-changes
 redistribute static subnets route-map local_redistribute_out
!
crypto dynamic-map VPN_SOFTWARE_CLIENT 10 set transform-set ESP-AES-256-SHA
crypto dynamic-map VPN_SOFTWARE_CLIENT 10 set security-association lifetime seconds 288000
crypto dynamic-map VPN_SOFTWARE_CLIENT 10 set reverse-route
crypto map EXTERNAL_MAP 1 ipsec-isakmp dynamic VPN_SOFTWARE_CLIENT

I can confirm the following:

ASA# ping 10.21.9.42
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.21.9.42, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

After doing the capture, "show capture capin" indicated 0 packets captured, 0 packets shown.

My pertinent local routing table entries contain:

$ netstat -rn | grep utun0
default            utun0              UCSI            2        0   utun0
10.21/16           172.31.255.7       UGSc            0       13   utun0
172.31.255.7       172.31.255.7       UH              3        0   utun0
172.31.255.255     utun0              UHW3Ii          0       56   utun0     12
192.168.210        172.31.255.7       UGSc            1       11   utun0
216.185.64.6       utun0              UHW3Ii          0      586   utun0    140

I hope you see something in here that can help.

Thanks.

Ken.

ken.mackesy
Level 1

I'm replying to my original post since it hasn't been resolved and looks to be lost.

What I would like to know is how a vpnpool has access to the network that the ASA is on. I don't believe I make any other exceptions for the vpnpool in my config.

If the vpnpool somehow has magical access to the network the ASA is defined on, then maybe I need to do something like the nat(x,y) that I needed to do for the networks up top?

How is the vpnpool granted access to any network resources? I don't see it. Is it understood? Should I need to nat that network over to the others, like I needed to in the rest of the pairs?

Thanks.

Hello Kenneth,

Based on the routing table of your device I can see the following:

C    10.21.9.0 255.255.255.0 is directly connected, DeviceManagement
C    10.21.3.0 255.255.255.0 is directly connected, Servers
C    192.168.210.0 255.255.255.0 is directly connected, inside

And you are trying to connect to the 3 of them.

The split tunnel policy is fine, the VPN setup is fine.

The problem is here:

access-list NO_NAT extended permit ip any 172.31.255.0 255.255.255.0
nat (inside) 0 access-list NO_NAT

Dude, you are pointing to just the inside interface, and the other 2 subnets are on the DeviceManagement interface and the Servers interface... That is the issue.

Now how to solve it:

access-list NO_NAT extended permit ip 192.168.210.0 255.255.255.0 172.31.255.0 255.255.255.0
no access-list NO_NAT extended permit ip any 172.31.255.0 255.255.255.0
access-list NO_NAT_SERVERS extended permit ip 10.21.3.0 255.255.255.0 172.31.255.0 255.255.255.0
nat (Servers) 0 access-list NO_NAT_SERVERS
access-list NO-NAT_DEVICEMANAGEMENT extended permit ip 10.21.9.0 255.255.255.0 172.31.255.0 255.255.255.0
nat (DeviceManagement) 0 access-list NO-NAT_DEVICEMANAGEMENT

Any other question? Sure... Just remember to rate all of my answers.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
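As an added example (not part of this thread or of any Cisco tooling), the following Python model shows the per-interface nature of ASA 8.2 NAT exemption that Julio's answer relies on: a "nat (ifc) 0 access-list" rule only covers hosts whose interface it is bound to. It simplifies the lookup to "exempt if the ACL bound to the host's interface matches src/dst"; the interface names, subnets and the 172.31.255.7 client address come from the thread, and the two config snippets are constructed from the original and corrected NAT lines.

```python
# Added example, not from the thread: a minimal model of ASA 8.2 NAT exemption
# ("nat (ifc) 0 access-list NAME"), enough to show why a rule bound only to
# "inside" cannot exempt hosts that live on Servers or DeviceManagement.
import ipaddress
import re

def _addr(tokens, i):
    """Parse an ASA address spec at tokens[i]: 'any' or 'network mask'."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2

class NatExemptionModel:
    def __init__(self, config):
        self.acls = {}    # ACL name -> [(src_net, dst_net), ...]
        self.exempt = {}  # interface name (case-sensitive) -> ACL name
        for raw in config.strip().splitlines():
            t = raw.split()
            if t[:1] == ["access-list"] and "permit" in t and "ip" in t:
                src, i = _addr(t, t.index("ip") + 1)
                self.acls.setdefault(t[1], []).append((src, _addr(t, i)[0]))
            m = re.match(r"nat \((\S+)\) 0 access-list (\S+)$", raw.strip())
            if m:
                self.exempt[m.group(1)] = m.group(2)

    def is_exempt(self, ifc, src_ip, dst_ip):
        """True if src->dst traffic seen on ifc is excluded from dynamic NAT."""
        src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        entries = self.acls.get(self.exempt.get(ifc), [])
        return any(src in s and dst in d for s, d in entries)

# Constructed from the thread: the original exemption and Julio's corrected one.
ORIGINAL = """
access-list NO_NAT extended permit ip any 172.31.255.0 255.255.255.0
nat (inside) 0 access-list NO_NAT
"""
FIXED = """
access-list NO_NAT extended permit ip 192.168.210.0 255.255.255.0 172.31.255.0 255.255.255.0
nat (inside) 0 access-list NO_NAT
access-list NO_NAT_SERVERS extended permit ip 10.21.3.0 255.255.255.0 172.31.255.0 255.255.255.0
nat (Servers) 0 access-list NO_NAT_SERVERS
access-list NO-NAT_DEVICEMANAGEMENT extended permit ip 10.21.9.0 255.255.255.0 172.31.255.0 255.255.255.0
nat (DeviceManagement) 0 access-list NO-NAT_DEVICEMANAGEMENT
"""
VPN_CLIENT = "172.31.255.7"  # pool address the client got in Ken's netstat output

def reachable(config, ifc, host):
    """Is host (on interface ifc) exempt from NAT towards the VPN client?"""
    return NatExemptionModel(config).is_exempt(ifc, host, VPN_CLIENT)
```

With ORIGINAL only a host on inside is exempt; with FIXED all three interfaces are, and a misspelt interface name such as "servers" still matches nothing, which is why the nat lines must use the exact nameif.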

Thank you very much for your help.