1609 Views, 0 Helpful, 9 Replies

Help with Remote VPN

Ben Sebborn, Level 1

Hi

We have a Remote IPSec VPN setup on our Cisco ASA 5505.

This allows a connection, however when we try and route traffic for our internal network, plus a set of external IPs, we get the traffic blocked for VPN users.

I am presuming this is either an ACL or NAT issue but I'm not sure exactly.

I have created the following:

access-list skiddlevpn_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0

access-list skiddlevpn_splitTunnelAcl standard permit 164.177.132.16 255.255.255.252

access-list skiddlevpn_splitTunnelAcl standard permit 164.177.128.200 255.255.255.25


I have also noticed that the DHCP pool we use for VPN clients is overlapping with our internal network:

ip local pool CiscoVPNDHCPPool 192.168.2.130-192.168.2.149 mask 255.255.255.0

This has worked before, but perhaps I'm now missing something?

I have noticed a few errors such as this, which I'm not sure if they are connected:

%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:192.168.2.130/54762 dst inside:OfficeWindowsServer/53 denied due to NAT reverse path failure

9 Replies

Ben Sebborn, Level 1

I have now reconfigured this so the VPN DHCP pool does not overlap

address-pools value RemoteVPNPool

ip local pool RemoteVPNPool 192.168.4.1-192.168.4.254 mask 255.255.255.0

However, still no joy. I wonder if there's an issue because we use a gateway on our outside interface (192.168.3.1) - do I need to set this up for the VPN traffic?

route publicinternet 0.0.0.0 0.0.0.0 192.168.3.1 1


Are you sure this is the current config and it was in place when this log appeared?

%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:192.168.2.130/54762 dst inside:OfficeWindowsServer/53 denied due to NAT reverse path failure

In your config the interface names are publicinternet and officenetwork, not inside and outside.

Do you still have such error messages with the above config?

Note: the pool is called 'VPN address pool' and not 'DHCP pool'. DHCP protocol is not used between VPN client and firewall.

Hi Peter

I've just updated the running config in the first post with the current info.

I'm not sure if we're getting that exact error; I will need to check. The last time I tested the VPN, we were able to connect to non-tunnelled networks (the internet, etc.) fine, but anything defined in the tunnel was timing out.

Many thanks

Hi,

Can anyone help with the above?

Many thanks

Not sure I am 100% clear on the issue but would be worth trying to add a route.

route officenetwork 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx tunneled    (xxx.xxx.xxx.xxx = next hop)

Thanks,

If I try to add another route, I get the following:

Result of the command: "route officenetwork 0.0.0.0 0.0.0.0 192.168.3.1 tunneled"

ERROR: ERROR: Tunnel default gateway specified exists in route table.

ERROR: Cannot add route entry, possible conflict with existing routes

Result of the command: "show route"

Gateway of last resort is 192.168.3.1 to network 0.0.0.0

C    192.168.2.0 255.255.255.0 is directly connected, officenetwork

C    192.168.3.0 255.255.255.0 is directly connected, publicinternet

S*   0.0.0.0 0.0.0.0 [1/0] via 192.168.3.1, publicinternet

Hello Ben,

If you use an address pool using a network that is not local to the ASA it makes the routing more difficult. I understand you had an overlap, but for testing edit the pool that worked before

(ip local pool CiscoVPNDHCPPool 192.168.2.130-192.168.2.149 mask 255.255.255.0). This network is local because it is on the inside interface, or in your case the officenetwork interface.

Does this 192.168.4.x network exist downstream from your ASA?

Hi

I have now changed the pool, as below:

ip local pool CiscoVPNDHCPPool 192.168.2.33-192.168.2.62 mask 255.255.255.224

group-policy skiddlevpn attributes

dns-server value 192.168.2.199

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value skiddlevpn_splitTunnelAcl

default-domain value skiddle.internal

split-dns value skiddle.internal

address-pools value CiscoVPNDHCPPool

We can now ping the ASA; however, if we ping a device locally on the network:

5 | Nov 28 2013 | 13:57:44 | 305013 | 192.168.2.33 | OfficeWindowsServer | Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src publicinternet:192.168.2.33 dst officenetwork:OfficeWindowsServer (type 8, code 0) denied due to NAT reverse path failure

If we try to access an external server, which is included in our tunnel group:

6 | Nov 28 2013 | 13:56:24 | 302014 | 192.168.2.33 | 1401 | 164.177.132.19 | 80 | Teardown TCP connection 1562997 for publicinternet:192.168.2.33/1401 to publicinternet:164.177.132.19/80 duration 0:00:30 bytes 0 SYN Timeout (username)

I'm going to close this post now and start a new as I've managed to progress.

Thanks
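The checks the thread works through by hand (does the VPN pool overlap the directly connected LAN, which destinations does the split-tunnel ACL actually tunnel, and which %ASA-5-305013 "NAT reverse path failure" messages involve a VPN pool address) can be scripted. The following is an added example written for this page; it is not code from the thread, from Cisco, or from any ASA tool. It uses the split-tunnel ACL and pool lines posted in the original post and the last reply, takes the LAN 192.168.2.0/24 from the posted "show route" output, and embeds a constructed syslog sample: the two 305013 messages from the thread (the ASDM row rewritten into %ASA syslog form) plus the 302014 teardown line, which must not be reported. The third ACL line is kept with its truncated mask exactly as posted, so the parser has to report it rather than crash on it.

```python
"""Sanity checks for an ASA remote-access VPN setup (added example, not from the thread).

- parse the split-tunnel ACL into networks, reporting lines with an invalid mask
- detect an address pool that overlaps a directly connected LAN
- answer "is this destination tunnelled?" for a given address
- pick %ASA-5-305013 NAT reverse-path failures whose source is a pool address
"""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Config lines copied from the thread. The third ACL line carries the truncated
# mask 255.255.255.25 exactly as posted; the parser must cope with it.
SPLIT_TUNNEL_ACL = """\
access-list skiddlevpn_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0
access-list skiddlevpn_splitTunnelAcl standard permit 164.177.132.16 255.255.255.252
access-list skiddlevpn_splitTunnelAcl standard permit 164.177.128.200 255.255.255.25
"""

# Constructed syslog sample: the two 305013 messages from the thread (the ASDM
# table row rewritten in %ASA syslog form) and the 302014 teardown line.
SYSLOG_SAMPLE = """\
%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:192.168.2.130/54762 dst inside:OfficeWindowsServer/53 denied due to NAT reverse path failure
%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src publicinternet:192.168.2.33 dst officenetwork:OfficeWindowsServer (type 8, code 0) denied due to NAT reverse path failure
%ASA-6-302014: Teardown TCP connection 1562997 for publicinternet:192.168.2.33/1401 to publicinternet:164.177.132.19/80 duration 0:00:30 bytes 0 SYN Timeout (username)
"""

LAN = "192.168.2.0/24"  # directly connected on officenetwork per the posted "show route"

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+standard\s+permit\s+(\S+)\s+(\S+)\s*$")
POOL_RE = re.compile(r"^ip local pool\s+(\S+)\s+(\S+)-(\S+)\s+mask\s+(\S+)\s*$")
MSGID_RE = re.compile(r"%ASA-\d-(\d{6}):")
# "Connection for <proto> src <if>:<addr>[/<port>] dst <if>:<addr>[/<port>]"
CONN_RE = re.compile(
    r"Connection for (?P<proto>\w+) src (?P<src_if>[\w-]+):(?P<src>[^/\s]+)(?:/(?P<sport>\d+))?"
    r" dst (?P<dst_if>[\w-]+):(?P<dst>[^/\s]+)(?:/(?P<dport>\d+))?"
)

Pool = Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]


def parse_split_tunnel_acl(text: str) -> Tuple[List[ipaddress.IPv4Network], List[str]]:
    """Return the networks the standard ACL tunnels and the lines it could not parse."""
    nets, bad = [], []
    for line in text.splitlines():
        m = ACL_RE.match(line.strip())
        if not m:
            continue
        try:
            # ipaddress accepts a dotted mask after the slash; a non-contiguous
            # mask such as 255.255.255.25 raises NetmaskValueError (a ValueError).
            nets.append(ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False))
        except ValueError as exc:
            bad.append(f"{line.strip()}  ({exc})")
    return nets, bad


def parse_pool(line: str) -> Pool:
    """Turn an 'ip local pool NAME first-last mask M' line into (first, last)."""
    m = POOL_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an 'ip local pool' line: {line!r}")
    return ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3))


def pool_overlaps(pool: Pool, lan: str) -> bool:
    """True if any address of the pool lies inside the directly connected LAN."""
    net = ipaddress.ip_network(lan, strict=False)
    return pool[0] <= net.broadcast_address and pool[1] >= net.network_address


def is_tunneled(dst: str, nets: List[ipaddress.IPv4Network]) -> bool:
    """True if the split-tunnel ACL sends traffic for dst through the VPN."""
    addr = ipaddress.ip_address(dst)
    return any(addr in n for n in nets)


def vpn_nat_failures(syslog: str, pool: Pool) -> List[Dict[str, Optional[str]]]:
    """Return the parsed fields of every 305013 message sourced from a pool address."""
    hits = []
    for line in syslog.splitlines():
        mid = MSGID_RE.search(line)
        if not mid or mid.group(1) != "305013":
            continue
        conn = CONN_RE.search(line)
        if not conn:
            continue
        try:
            src = ipaddress.ip_address(conn.group("src"))
        except ValueError:  # source logged by object name rather than address
            continue
        if pool[0] <= src <= pool[1]:
            hits.append(conn.groupdict())
    return hits


if __name__ == "__main__":
    nets, bad = parse_split_tunnel_acl(SPLIT_TUNNEL_ACL)
    print("tunnelled networks:", [str(n) for n in nets])
    print("unparseable ACL lines:", bad)
    for pool_line in (
        "ip local pool CiscoVPNDHCPPool 192.168.2.130-192.168.2.149 mask 255.255.255.0",
        "ip local pool RemoteVPNPool 192.168.4.1-192.168.4.254 mask 255.255.255.0",
        "ip local pool CiscoVPNDHCPPool 192.168.2.33-192.168.2.62 mask 255.255.255.224",
    ):
        pool = parse_pool(pool_line)
        print(pool_line, "-> overlaps LAN:", pool_overlaps(pool, LAN),
              "| 305013 hits:", len(vpn_nat_failures(SYSLOG_SAMPLE, pool)))
    print("164.177.132.19 tunnelled:", is_tunneled("164.177.132.19", nets))
```

Running it shows the three pools the thread tried: the first and last overlap 192.168.2.0/24, the 192.168.4.x pool does not, and each of the two overlapping pools matches exactly one of the 305013 messages, which is what the asymmetric-NAT log is telling you: the return path for the pool address is hitting a NAT rule the forward path did not. The 164.177.132.19 destination from the SYN-timeout line is confirmed to fall inside the 164.177.132.16/30 entry, so that failure is not a split-tunnel ACL miss.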