I can establish a VPN tunnel but cannot access LAN

gihansvn24
Level 1

Hi,

I have set up a Cisco ASA 5506 firewall. I wanted to test VPN access, so I assigned an IP address to my laptop on the same subnet as the firewall's outside interface. I used the Cisco VPN client, established a connection successfully and received an IP from the VPN pool. However, I cannot access the internal interface of the firewall or ping anything in the LAN. I can't think of what I did wrong. I would really appreciate it if someone could give me some suggestions.

ASA Version 8.2(5)
!
hostname CISCOASA
domain-name oned.com
enable password MrDiBNp3M6uReve6 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 100
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
interface Vlan2
nameif outside
security-level 0
ip address 142.145.97.227 255.255.255.0
!
interface Vlan100
nameif inside
security-level 100
ip address 10.10.100.1 255.255.255.0
!
banner exec
banner exec ************************************************************************
banner exec * This is a Private Network and for authorized use ONLY
banner exec ************************************************************************
banner exec
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
name-server 4.2.2.2
name-server 8.8.8.8
domain-name oned.com
access-list SPLIT_ACCESS standard permit 10.10.100.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 10.10.20.0 255.255.255.128
pager lines 24
mtu outside 1500
mtu inside 1500
ip local pool VPN-POOL 10.10.20.50-10.10.20.100 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.10.100.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 142.145.97.228 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 10.10.100.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 10.10.100.0 255.255.255.0 inside
ssh timeout 5
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy SecureNet internal
group-policy SecureNet attributes
dns-server value 4.2.2.2 8.8.8.8
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT_ACCESS
default-domain value oned.com
username se_admin password 9bJcIe6qUNSb//Ft encrypted
tunnel-group SecureNet type remote-access
tunnel-group SecureNet general-attributes
address-pool VPN-POOL
default-group-policy SecureNet
tunnel-group SecureNet ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:97c4b7515884fe8149b864a113362c22
: end
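The replies below keep coming back to two things in the configuration above: whether the NAT exemption ACL really covers the whole VPN pool, and whether the split-tunnel list covers the inside subnet. This added example (not part of the post or of any Cisco tooling) checks both offline against a constructed excerpt of the config; the ACL names and the `nat (inside) 0` / `split-tunnel-network-list` lines are taken from the posted config.

```python
import ipaddress
import re

# Constructed excerpt of the ASA 8.2 config from the post: only the lines the check needs.
ASA_CONFIG = """\
interface Vlan100
 nameif inside
 ip address 10.10.100.1 255.255.255.0
access-list SPLIT_ACCESS standard permit 10.10.100.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 10.10.20.0 255.255.255.128
ip local pool VPN-POOL 10.10.20.50-10.10.20.100 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
split-tunnel-network-list value SPLIT_ACCESS
"""

ACL_RE = re.compile(r"access-list (\S+) (?:standard|extended) permit (?:ip any )?(\S+) (\S+)")
POOL_RE = re.compile(r"ip local pool \S+ (\S+)-(\S+) mask")
ADDR_RE = re.compile(r"\s*ip address (\S+) (\S+)")

def parse(cfg):
    """Collect ACL networks, the VPN pool bounds, the inside subnet and which ACLs are in use."""
    acls, names = {}, {}
    inside = pool = None
    for line in cfg.splitlines():
        if m := ACL_RE.match(line):
            acls.setdefault(m[1], []).append(ipaddress.ip_network(f"{m[2]}/{m[3]}"))
        elif m := POOL_RE.match(line):
            pool = (ipaddress.ip_address(m[1]), ipaddress.ip_address(m[2]))
        elif m := ADDR_RE.match(line):
            inside = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
        elif m := re.match(r"nat \(inside\) 0 access-list (\S+)", line):
            names["nat0"] = m[1]
        elif m := re.match(r"\s*split-tunnel-network-list value (\S+)", line):
            names["split"] = m[1]
    return inside, pool, acls, names

def check(cfg):
    """One True/False per check: every pool address is NAT-exempt; inside subnet is in the split list."""
    inside, (lo, hi), acls, names = parse(cfg)
    nat0 = acls.get(names.get("nat0"), [])
    split = acls.get(names.get("split"), [])
    pool_ok = all(any(ipaddress.ip_address(a) in n for n in nat0) for a in range(int(lo), int(hi) + 1))
    return {"pool_nat_exempt": pool_ok, "split_covers_inside": any(inside.subnet_of(n) for n in split)}

if __name__ == "__main__":
    print(check(ASA_CONFIG))  # both True for the config as posted
```

For the posted config both checks pass, which matches the "NAT exempt looks good" observation in the replies; the same script flags a pool that spills past the /25 exemption or a split list that misses the inside subnet.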

19 Replies

sachintambat
Level 1

Hi,

Add inspect icmp as below and check.

config t

policy-map global_policy
class inspection_default

inspect icmp

I have tried what you suggested, but still no luck.

Hi,

Looking at the packet tracer output, if this was done in the command order mentioned by Dinesh

"packet-tracer input inside icmp <internal lan IP> 8 0 <vpn client pool IP> detailed"

it seems to be getting dropped by the internal IP access-group, which is weird, because I did not see one in your config.

Try doing "sh run access-group" to see if you have an ACL on your inside interface blocking this traffic. If there isn't one, can you post the command you used for the packet tracer again, along with the output?

Dinesh Moudgil
Cisco Employee

NAT exempt, the usual culprit, looks good.

Run "management-access inside" on the ASA and try pinging the client IP from the ASA:
ping inside <vpn client pool ip>

Though it is recommended that you use a different pool IP, you can try using the following captures to see if the ASA is dropping the packets:

Run the pings from the client and then check the following:

cap asp type asp-drop all
show cap asp | in <vpn client pool ip>

Also share the output of "show run all sysopt".

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

Still cannot ping the inside interface from the VPN client.

no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
sysopt connection permit-vpn
sysopt connection reclassify-vpn
no sysopt connection preserve-vpn-flows
no sysopt nodnsalias inbound
no sysopt nodnsalias outbound
no sysopt radius ignore-secret
no sysopt noproxyarp outside
no sysopt noproxyarp inside

Did you see any packet drops in the asp capture?

"no sysopt noproxyarp inside" shows proxy is enabled, so the ASA will proxy for that IP, which is the client's pool IP.

Try using a different pool IP and let us know how it fares.

Regards,

Dinesh Moudgil


Hi

I did not see any packet drops. I don't understand why I have to use a different pool? The VPN pool is 10.10.20.x, which is different from 10.10.100.x.

Can you please share the output of

packet-tracer input inside icmp <internal lan IP> 8 0 <vpn client pool IP> detailed

Regards,
Dinesh Moudgil


Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.10.20.50     255.255.255.255 outside

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

This seems to be a generic error.


Please share the output of the following commands

show asp table classify crypto
show asp table vpn-context detail
show cry ipsec sa peer <client public IP>

Regards,
Dinesh Moudgil


I am not sure if this is happening because I am not coming through a public IP address (via the internet). My laptop is directly connected to the outside interface of the FW and given the IP 142.145.97.230.

in  id=0xc9f0a148, priority=70, domain=decrypt, deny=false
        hits=0, user_data=0x11243c, cs_id=0x0, reverse, flags=0x0, protocol=17
        src ip=142.145.97.230, mask=255.255.255.255, port=53971
        dst ip=142.145.97.227, mask=255.255.255.255, port=4500, dscp=0x0
in  id=0xc9254f70, priority=69, domain=ipsec-tunnel-flow, deny=false
        hits=4, user_data=0x11243c, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=10.10.20.50, mask=255.255.255.255, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
in  id=0xc9d9de38, priority=12, domain=ipsec-natt, deny=false
        hits=16, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=17
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=142.145.97.227, mask=255.255.255.255, port=4500, dscp=0x0
in  id=0xc6b93418, priority=12, domain=ipsec-tunnel-flow, deny=true
        hits=20, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
in  id=0xc6b935c8, priority=12, domain=ipsec-tunnel-flow, deny=true
        hits=0, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=::/0, port=0
        dst ip=::/0, port=0
out id=0xc95f9578, priority=70, domain=encrypt, deny=false
        hits=4, user_data=0xef9bc, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=10.10.20.50, mask=255.255.255.255, port=0, dscp=0x0

Interface _internal_loopback:

Interface identity:

Last clearing of hits counters: Never

VPN CTX  = 0x0011243C

Peer IP  = 10.10.20.50
Pointer  = 0xC6DC15B8
State    = UP
Flags    = DECR+ESP+NATT
SA       = 0x003A9DE9
SPI      = 0x7ABE0DFB
Group    = 0
Pkts     = 50
Bad Pkts = 0
Bad SPI  = 0
Spoof    = 0
Bad Crypto = 0
Rekey Pkt  = 0
Rekey Call = 0
VPN Filter = <none>

VPN CTX  = 0x000EF9BC

Peer IP  = 10.10.20.50
Pointer  = 0xC95F9470
State    = UP
Flags    = ENCR+ESP+NATT
SA       = 0x00406A6F
SPI      = 0xE941E2C9
Group    = 0
Pkts     = 50
Bad Pkts = 0
Bad SPI  = 0
Spoof    = 0
Bad Crypto = 0
Rekey Pkt  = 0
Rekey Call = 0
VPN Filter = <none>

There are no ipsec sas for peer 10.10.20.50

We will need the output of

show crypto ipsec sa peer 142.145.97.230

Regards,
Dinesh Moudgil


Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 141.155.98.227

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.10.20.50/255.255.255.255/0/0)
      current_peer: 142.145.97.230, username: se_admin
      dynamic allocated peer ip: 10.10.20.50

      #pkts encaps: 148, #pkts encrypt: 148, #pkts digest: 148
      #pkts decaps: 148, #pkts decrypt: 148, #pkts verify: 148
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 148, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 142.145.97.227/4500, remote crypto endpt.: 141.155.98.230/53971
      path mtu 1500, ipsec overhead 82, media mtu 1500
      current outbound spi: E941E2C9
      current inbound spi : 7ABE0DFB

    inbound esp sas:
      spi: 0x7ABE0DFB (2059275771)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 16384, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
         sa timing: remaining key lifetime (sec): 28033
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0xE941E2C9 (3913409225)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 16384, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
         sa timing: remaining key lifetime (sec): 28033
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

Looks like 
  #pkts encaps: 148, #pkts encrypt: 148, #pkts digest: 148
   #pkts decaps: 148, #pkts decrypt: 148, #pkts verify: 148
Packets are getting encrypted and decrypted as well.

Try clearing out the counters with 
clear crypto ipsec sa counters

Run the pings again, and check if the encaps and decaps are incrementing.

Is the firewall enabled on the client? Can you temporarily disable the Windows firewall and/or antivirus and test?

Regards,
Dinesh Moudgil
