Ipsec Client VPN established, but no access to internal network

roesch4alc
Level 1

Hi,

I have a problem with an IPsec client VPN. The VPN connection itself is successful, but afterwards no connection to the internal network is possible. I simply try to access the assigned DNS server, but without success. There is no filter in place; we have sysopt connection permit-vpn active. The routes are added to the client's routing table correctly. On the client I see encrypted packets, but no decrypted packets. On the firewall, issuing the command "sh crypto ipsec sa peer 1.2.3.4" shows no encrypted or decrypted packets.

The only interesting thing I can see in the log is:

7 Aug 29 2016 16:24:41 713222 Group = bla, Username = bla, IP = 1.2.3.4, Static Crypto Map check, map = internet_map, seq = 21, ACL does not match proxy IDs src:10.20.20.3 dst:0.0.0.0

What could be the problem? At the moment I really have no idea... Could this problem stem from NAT rules?

Thanks,

Best Regards

Sebastian

17 Replies

JP Miranda Z
Cisco Employee

Hi roesch4alc,

Sounds like a NAT issue. Can you share the version of your ASA so I can give you a NAT example?

Hope this info helps!!

Rate if helps you!! 

-JP-

Hi JP,

The software version is 9.1.(7)9.

Thank you!

Hi roesch4alc,

So you should have a NAT like this (considering you are not really NATting your internal network):

nat (inside,outside) source static <object_internalips> <object_internalips> destination static <VPNpoolips> <VPNpoolips> no-proxy-arp route-lookup

If you already have something like that, you can test by having a user connect and doing a packet tracer like this:

packet-tracer input inside icmp <internalhost> 8 0 <VPNpoolip> detail

And share the output.

Hope this info helps!!

Rate if helps you!! 

-JP-

Hi,

I took a look at the configuration and we have a NAT configuration active, pretty similar to your example; the only difference is the interface: nat (inside,any). Is this NAT exemption rule also covering the traffic initiated from the VPN client going to the central network? The main purpose of this VPN is to be able to connect from outside to inside.

I also executed the packet trace and it looks good. See the attachment.

But I still see errors in the IPsec SA; something is still wrong:

customerfw1# sh crypto ipsec sa peer 1.2.3.4
peer address: 1.2.3.4
Crypto map tag: internet_dyn_map, seq num: 40, local addr: 5.6.7.8

local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.20.20.3/255.255.255.255/0/0)
current_peer: 1.2.3.4, username: user
dynamic allocated peer ip: 10.20.20.3
dynamic allocated peer ip(ipv6): 0.0.0.0

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 21, #recv errors: 0

Hi

Your VPN NAT has to be the first rule and should look like:

nat (outside,inside) source static VPN_POOL_SUBNET VPN_POOL_SUBNET destination static LOCAL_SUBNET LOCAL_SUBNET

In order to see if there is another issue, could you share your configuration?

thanks


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi roesch4alc,

The NAT configuration looks fine; the any is not recommended, but that does not mean it is not going to work.

The problem you have here is with the crypto map that this traffic is hitting. If you take a look at the sh crypto ipsec sa output, you can see this traffic hitting a dynamic crypto map instead of the static crypto map. This seems to be a problem with the crypto map this traffic is using; can you share the configuration of the tunnel this traffic is supposed to be using?

Hope this info helps!!

Rate if helps you!! 

-JP-

Hi,

I am also thinking about a problem with the crypto map. How can I debug that more in depth?

you can see this traffic hitting a dynamic crypto map instead of taking the static one crypto map, this seems to be a problem with the crypto map this traffic is using,

This is something where I can't follow you. The output above shows it is matching the dynamic entry "Crypto map tag: internet_dyn_map, seq num: 40", and I think this is OK, because it's a road warrior on the other side and the IP address is unknown. Or why do you think a static entry should be matched?

This is the dynamic-map part:

crypto dynamic-map internet_dyn_map 20 match address internet_cryptomap_dyn_20
crypto dynamic-map internet_dyn_map 20 set ikev1 transform-set ESP-3DES-SHA
crypto dynamic-map internet_dyn_map 40 set ikev1 transform-set ESP-3DES-SHA

It's bound to "crypto map internet_map" in this way:

crypto map internet_map 65535 ipsec-isakmp dynamic internet_dyn_map
crypto map internet_map interface internet

At the moment I don't understand the "crypto dynamic-map internet_dyn_map xx match address" command.... How does the match address restriction work? Could it be that crypto dynamic-map internet_dyn_map 20 causes some problems in my case? Why doesn't the client VPN match the "crypto dynamic-map internet_dyn_map 20"?

The access-list therefore contains the client IP pool 10.20.20.0/24:

access-list internet_cryptomap_dyn_20 extended permit ip 172.17.0.0 255.255.0.0 10.20.20.0 255.255.255.0
access-list internet_cryptomap_dyn_20 extended permit ip 172.18.0.0 255.255.0.0 10.20.20.0 255.255.255.0
access-list internet_cryptomap_dyn_20 extended permit ip 172.18.0.0 255.255.0.0 10.20.30.0 255.255.255.0

I attached the sanitized config. I hope you can read it, because I removed a lot....

Thanks a lot for your time,

Best Regards

Sebastian
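To illustrate the match address question above, here is an added example (not from the thread, Cisco or TAC) that models the check in Python. The assumed model: the lowest dynamic-map sequence whose crypto ACL has an ACE covering both of the peer's proposed identities (ACE source covers the ASA-side ident, ACE destination covers the client-side ident) is selected, and a sequence without a match address accepts any identities. It uses the ACL lines and the local/remote idents quoted in the thread.

```python
import ipaddress
import re

# Crypto ACL copied from the thread: source = networks behind the ASA, destination = VPN client pool.
CRYPTO_ACL = """
access-list internet_cryptomap_dyn_20 extended permit ip 172.17.0.0 255.255.0.0 10.20.20.0 255.255.255.0
access-list internet_cryptomap_dyn_20 extended permit ip 172.18.0.0 255.255.0.0 10.20.20.0 255.255.255.0
access-list internet_cryptomap_dyn_20 extended permit ip 172.18.0.0 255.255.0.0 10.20.30.0 255.255.255.0
"""
# Dynamic-map sequences from the thread: seq 20 has a match address, seq 40 has none.
DYN_MAP = [(20, "internet_cryptomap_dyn_20"), (40, None)]

ACL_RE = re.compile(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)")


def parse_crypto_acl(text):
    """Return {acl_name: [(local_net, remote_net), ...]} as ip_network objects."""
    acls = {}
    for line in text.strip().splitlines():
        m = ACL_RE.match(line.strip())
        if not m:
            continue  # ignore anything that is not a permit-ip crypto ACE
        name, lip, lmask, rip, rmask = m.groups()
        entry = (ipaddress.ip_network(f"{lip}/{lmask}"), ipaddress.ip_network(f"{rip}/{rmask}"))
        acls.setdefault(name, []).append(entry)
    return acls


def proxy_matches(acl_entries, local_ident, remote_ident):
    """Assumed model: both proposed identities must sit inside one ACE
    (ACE source covers the local ident, ACE destination covers the remote ident)."""
    local = ipaddress.ip_network(local_ident, strict=False)
    remote = ipaddress.ip_network(remote_ident, strict=False)
    return any(local.subnet_of(l) and remote.subnet_of(r) for l, r in acl_entries)


def select_dynamic_map_seq(dyn_map, acls, local_ident, remote_ident):
    """Lowest sequence whose match address covers the proxy IDs wins; a sequence
    with no match address accepts any proxy IDs, so it catches everything left over."""
    for seq, acl_name in sorted(dyn_map):
        if acl_name is None or proxy_matches(acls.get(acl_name, []), local_ident, remote_ident):
            return seq
    return None  # no sequence accepts these identities: Phase 2 negotiation fails


def thread_case():
    """Identities from the 'sh crypto ipsec sa' output in the thread: the client
    proposes 0.0.0.0/0 as the ASA-side network (full tunnel) plus its pool address."""
    acls = parse_crypto_acl(CRYPTO_ACL)
    return select_dynamic_map_seq(DYN_MAP, acls, "0.0.0.0/0.0.0.0", "10.20.20.3/255.255.255.255")


if __name__ == "__main__":
    print(thread_case())  # 40: seq 20 cannot cover 0.0.0.0/0 with 172.17/16 or 172.18/16
```

Under this model a full-tunnel client can never land on seq 20, because its 0.0.0.0/0 local ident is not inside 172.17.0.0/16 or 172.18.0.0/16, so the SA falls through to the unrestricted seq 40. That explains the sequence selection only; the zero packet counters are a separate question that the thread leaves unresolved.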

Hi

I see your crypto, ACL, split-tunnel ACL and everything seems fine.

What I don't see is all your NAT. Could you share that information, as the order is important?

Thanks


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Ok,

Here it is ;) I think many of the rules are not necessary, but currently I'm reviewing them... They are from an 8.0.5 to 9.1.7 migration process...

BR

Sebastian

Hi

I don't see anything bad. The dynamic NAT for internet access is under object network; that's done after static NAT or static twice NAT in the ASA NAT order.

Just for a test, could you replace the any keyword in your NAT with the right interface name? It should be:

nat (customer,internet) source static customer-network customer-network destination static obj-10.20.20.0 obj-10.20.20.0 no-proxy-arp route-lookup

The any keyword is automatically set when you're migrating an old ASA version to a new version.

Thanks

Let us know.

I'm on my iPhone and I will review it carefully this evening from my laptop in case I missed something bad.


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi,

I already tested this change, but again, no change in behaviour! In the statistics I see 0 packets encrypted or decrypted.... What's wrong?

We already created a completely new VPN client access with the wizard. But there is no change in behaviour!

Thanks

Sebastian

Hi

Did you do a capture on the ASA to see if packets are coming in and what the ASA is dropping?


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi,

Not so far, but that's a good idea. I will do that and see if that brings any further information....

Hi all,

For your information: I created a TAC ticket. Cisco Support was not able to solve the problem as well. The configuration is fine, but there are no packets encrypted/decrypted on the firewall.... A packet capture didn't even show any packets. He advised us to use AnyConnect... Very strange. Nevertheless, very many thanks for your useful help here!

BR

Sebastian