Help with VPN

jmike.miller
Level 1

I am fairly new to VPNs, so I'm having a bit of difficulty configuring a VPN. I have a router outside of an ASA. The router is doing the NATting as well as acting as the VPN server. I'm able to connect to the VPN, but cannot talk to subnets inside of the local LAN once I'm connected. I think I'm missing something on the firewall itself. Are there any examples of this type of configuration out on the net? I can't find anything. Can somebody please help me out?

Any firewall statements that would allow this traffic in would be very helpful.  Thanks guys!

Mike

11 Replies

Hi Mike,

You have a router terminating the VPN, behind an ASA, correct?

If so.... the ASA should allow all ports/IPs that you need to access.

The router itself should include the local LAN as part of the VPN traffic, have NAT-T enabled and not be blocking any traffic.

Also the router should be exempting from NAT the local LAN subnet.

The ASA should allow the ports needed because as far as the ASA is aware, there's no VPN.

Federico.

Thanks for the reply. I get what you are saying, but would you have an example of the config statements? I thought NAT-T was enabled by default on newer IOS versions. I have a 2921 router connected to an ASA 5510.

Router --------- ASA ---------- LAN

Outside router interface 66.110.x.x

Inside router interface 192.168.100.1

Outside ASA interface 192.168.100.2

Inside ASA interface 10.255.0.1

Layer 3 Switch

Layer three connectivity to ASA 10.255.0.2

Multiple VLANS.

Hi Mike,

First things first, we need routes on the ASA and the router to send VPN traffic across without any blocks.

Consider the following scenario:

X---ASA -- Y -- Router 1 --- VPN Tunnel -- Router/ASA --- Z

X is the network/subnet behind the ASA.

Y is network connecting the ASA and the Router

Z is the remote network at the end of the tunnel.

Now, we need a route on the ASA pointing traffic for network Z to Router 1.

You need proper NAT statements if any, and also the firewall rules, ACL's and other stuff properly set up on the ASA to provide connectivity.

If you could provide us a sanitised copy of the configuration on the ASA and the 2921 we shall review it and see if we are missing anything.

Hope this helps.

Cheers,

Nash.

Thanks again. Attached are the configs of both the router and the ASA. I'm not sure how to implement NAT-T. I thought it was enabled by default on newer routers and IOS versions. Also, I'm not sure if I should exclude the router's internal IP from NAT in the ACL. I'm so confused right now.

So, I think I got it to work, at least for the first connection. I can see the packets encrypt and decrypt, and I can access other machines on other internal subnets, but after I disconnect from the VPN and re-establish a new VPN on the same machine, I get a new conn-id with a new IP address (172.25.1.2 instead of 172.25.1.1) and I am not able to ping any machines on the internal subnets anymore. From the client it shows the packets being encrypted, but not decrypted. It only happens after I disconnect from that very first connection after I rebuild the VPN server. To make it work again I have to completely remove the VPN server and rebuild it.

Any insight? It's gotta be something simple.

If I get this topology correctly, it is:

VPNClient--------internet--------router(doing nat)---------ASA-----------Local Lan

You are able to connect to the router but cannot ping the local LAN. Let me know if my understanding of this problem is wrong.

I checked your configuration of the router and it seems you do not have nat bypass configured for the local pool:

Your present nat configuration:

ip nat inside source list 1 interface GigabitEthernet0/0 overload

access-list 1 remark *** Permit only Inside Subnets ***

access-list 1 permit 172.20.0.0 0.0.255.255

access-list 1 permit 10.4.4.0 0.0.0.255

Your local pool

ip local pool SDM_POOL_1 10.10.100.1 10.10.100.254

Since you have 'ip nat inside', a packet coming from the outside will not get NATted and will be sent to the destination PC (if the ASA has the route for the destination and if the security policy allows it). The destination PC replies, and the ASA forwards the reply to the router (if the ASA has the route for 10.10.x.x and if the security policy allows it). The router will NAT the reply because it arrives on the interface that has 'ip nat inside', and the route to reach the destination (10.10.x.x) follows the default gateway, which has 'ip nat outside' configured. Since the source IP address of the reply has changed because of NAT, it no longer matches the interesting traffic to be encrypted, hence no decrypts on the VPN client because there are no encrypts on the router.
NAT bypass (you need a downtime of around 5 min.):

Create an extended access list that denies (exempts from NAT) LAN-to-VPN-pool traffic before permitting everything else:

access-list 120 deny ip 172.20.0.0 0.0.255.255 10.10.100.0 0.0.0.255
access-list 120 deny ip 10.4.4.0 0.0.0.255 10.10.100.0 0.0.0.255
access-list 120 permit ip 172.20.0.0 0.0.255.255 any
access-list 120 permit ip 10.4.4.0 0.0.0.255 any

Clear the existing translations, take NAT off the inside interface, swap the NAT rule, then put NAT back on the interface:

clear ip nat translation *
interface GigabitEthernet0/1.100
 no ip nat inside          <<< remove NAT from the inside interface first
 exit
no ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip nat inside source list 120 interface GigabitEthernet0/0 overload
interface GigabitEthernet0/1.100
 ip nat inside

BTW: I could not understand what you mean by:

"From the client it shows the packets being encrypted, but not decrypted. It only happens after I disconnect from that very first connection after I rebuild the VPN server. To make it work again I have to completely remove the VPN server and rebuild it."
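
The NAT-bypass reasoning in the post above, as an added example in Python that is not part of the thread and not Cisco IOS code: it models first-match ACL evaluation with Cisco wildcard masks (1 bits are "don't care") and the translate-on-permit rule of 'ip nat inside source list ... overload', then runs the thread's original ACL 1 and the proposed ACL 120 against a constructed reply from a LAN host (172.20.1.10) to a VPN client in the 10.10.100.0/24 pool and against an Internet-bound packet. The outside address 198.51.100.1 is a constructed stand-in for the router's 66.110.x.x interface. It also shows why the deny entries have to come before the permits.

```python
"""Model of how an IOS 'ip nat inside source list <acl>' decision is made,
written to check the NAT-bypass ACL from the thread offline.  This is an
added example, not IOS code: it reproduces first-match ACL evaluation,
Cisco wildcard masks and the implicit deny at the end of every ACL."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List


@dataclass(frozen=True)
class Ace:
    action: str                        # "permit" or "deny"
    src: str
    src_wc: str                        # wildcard mask: 1 bits are "don't care"
    dst: str = "0.0.0.0"               # default destination is "any"
    dst_wc: str = "255.255.255.255"


def wc_match(addr: str, base: str, wildcard: str) -> bool:
    """True if addr matches base under a Cisco wildcard mask."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return ((a ^ b) & ~w) == 0         # differing bits must all be "don't care"


def acl_lookup(acl: List[Ace], src: str, dst: str) -> str:
    """First matching entry wins; no match hits the implicit deny."""
    for ace in acl:
        if wc_match(src, ace.src, ace.src_wc) and wc_match(dst, ace.dst, ace.dst_wc):
            return ace.action
    return "deny"


def nat_source(acl: List[Ace], src: str, dst: str, outside_ip: str) -> str:
    """Source address after 'ip nat inside source list <acl> interface <out> overload':
    a permit means the packet is translated to the outside interface address,
    a deny (or no match) means NAT leaves it alone."""
    return outside_ip if acl_lookup(acl, src, dst) == "permit" else src


# ACLs as posted in the thread.  ACL 1 is a standard ACL (source only).
ACL_1 = [
    Ace("permit", "172.20.0.0", "0.0.255.255"),
    Ace("permit", "10.4.4.0", "0.0.0.255"),
]
ACL_120 = [
    Ace("deny", "172.20.0.0", "0.0.255.255", "10.10.100.0", "0.0.0.255"),
    Ace("deny", "10.4.4.0", "0.0.0.255", "10.10.100.0", "0.0.0.255"),
    Ace("permit", "172.20.0.0", "0.0.255.255"),
    Ace("permit", "10.4.4.0", "0.0.0.255"),
]

OUTSIDE_IP = "198.51.100.1"    # constructed stand-in for the 66.110.x.x outside address
LAN_HOST = "172.20.1.10"       # constructed host on the 172.20.0.0/16 LAN
VPN_CLIENT = "10.10.100.5"     # constructed address from SDM_POOL_1
INTERNET = "203.0.113.9"       # constructed Internet destination


def check_bypass(acl: List[Ace]) -> Dict[str, str]:
    """Source address seen on the wire for the two packets that matter."""
    return {
        "reply_to_vpn_client": nat_source(acl, LAN_HOST, VPN_CLIENT, OUTSIDE_IP),
        "to_internet": nat_source(acl, LAN_HOST, INTERNET, OUTSIDE_IP),
    }


def misordered(acl: List[Ace]) -> List[Ace]:
    """Same entries with the permits first: the denies can then never fire."""
    return sorted(acl, key=lambda a: a.action != "permit")


if __name__ == "__main__":
    for name, acl in (("ACL 1", ACL_1), ("ACL 120", ACL_120),
                      ("ACL 120 misordered", misordered(ACL_120))):
        print(f"{name:20} {check_bypass(acl)}")
```

With ACL 1 the reply to the VPN client leaves with the outside address and can never match the crypto ACL; with ACL 120 it keeps 172.20.1.10 while ordinary Internet traffic is still translated. Moving the permits above the denies silently restores the original fault, which is the check worth running before swapping the NAT rule in production.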

Thanks Vikas,

I've added the commands, and thanks for explaining it to me.  It's still not working though.

What I meant at the end was this: when I build the VPN server for the first time, the very first VPN client connects fine and can access the internal subnets. It works as advertised, but any subsequent connections do not work. When I pull up the statistics on the VPN client software it shows the pings being encrypted, but not decrypted; see attachment.

Hey Mike,

If I get this correctly, you are trying to connect from a remote site to this router; you can get only one client working, and if you run another client (while the previous client is still connected and working) you are able to connect but cannot reach the remote LAN?

Can you post "show crypto ipsec sa" from the router while both clients are connected?

Can you post "show ip interface brief" when both clients are connected?

Not quite. I am connecting remote users using VPN client software to a router set up as the VPN server. I can only connect with the very first client after the server is built. After that very first client disconnects from the VPN, any subsequent clients who connect to the VPN cannot access the internal LANs.

Hey Mike,

This needs thorough checking and repros, I suggest to open up a ticket with Cisco TAC.

Can you change the configuration style from DVTI to dynamic crypto maps?

Hey Mike,

I think I found the reason: because this configuration style is DVTI, as soon as one client gets connected the DVTI pushes a default route into the IP routing table (normal behavior), because you do not have split tunneling configured. Please see:

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/ps6659/eprod_qas0900aecd805358e0.html

Q. Why a default route is pushed down to the Cisco Easy VPN Remote after the VPN tunnel is up?
A. With no split tunneling, all the traffic needs to be encrypted and sent over the tunnel. Since VTI uses routing to decide which traffic needs to be encrypted, a default route needs to be installed in the case of no-split tunneling. Cisco Easy VPN installs a default route that has a metric value of 1. Any configured default route on the Easy VPN Remote needs to have a metric value greater than 1, so the default route installed by the Cisco Easy VPN Server has precedence over the configured one.

Understanding & Configuring DVTI:

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/prod_white_paper0900aecd803645b5.html

Try configuring a split tunnel, or change the configuration to classic dynamic crypto maps.