05-03-2016 07:59 PM
I have configured a remote access VPN on an ASA5510 to be used with an IPsec VPN client. During testing, I found the remote client connection established. However, I cannot reach any resource in the internal network using ping, telnet, tracert etc. I will appreciate any input into this.
Below is the full config
Juniper(LAN) Ex2200 ===> ASA5510 ===> Cisco3750 ===> Lightpath WAN
ciscoasa(config)# show run | ex unass
: Saved
:
ASA Version 8.2(2)
!
hostname ciscoasa
enable password x.x.x.x. encrypted
passwd x.x.x.x.x encrypted
names
!
interface Ethernet0/0
nameif inside
security-level 100
ip address 10.36.128.254 255.255.254.0
!
interface Ethernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
nameif outside
security-level 0
ip address [public IP address]
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
access-list 101 extended permit tcp any any
access-list 101 extended permit udp any any
access-list 101 extended permit icmp any any
access-list Split_Tunnel_List remark The corporate network behind the ASA
access-list Split_Tunnel_List remark The corporate network behind the ASA
access-list Split_Tunnel_List standard permit 10.36.0.0 255.255.0.0
access-list Split_Tunnel_List standard permit 10.46.0.0 255.255.0.0
access-list Split_Tunnel_List standard permit 10.80.0.0 255.255.0.0
access-list NONAT extended permit ip 10.0.0.0 255.0.0.0 172.16.1.0 255.255.255.0
access-list inside_access_in extended permit ip 172.16.1.0 255.255.255.0 any
access-list inside_access_in extended permit ip 10.36.0.0 255.255.0.0 any
access-list inside_access_in extended permit ip 10.46.0.0 255.255.0.0 any
access-list inside_access_in extended permit ip 10.80.0.0 255.255.0.0 any
pager lines 24
mtu inside 1500
mtu outside 1500
ip local pool vpnpool 172.16.1.1-172.16.1.100 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
no asdm history enable
arp timeout 14400
nat-control
global (outside) 10 interface
nat (inside) 0 access-list NONAT
nat (inside) 10 10.0.0.0 255.0.0.0
access-group 101 in interface inside
access-group 101 out interface inside
access-group 101 in interface outside
access-group 101 out interface outside
!
router ospf 1
router-id 10.36.128.254
network 10.0.0.0 255.0.0.0 area 0
log-adj-changes
redistribute static
default-information originate
!
route outside 0.0.0.0 0.0.0.0 [public IP Address] 1
route inside 10.0.0.0 255.0.0.0 10.36.128.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
no http 10.0.0.0 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 10 set security-association lifetime seconds 288000
crypto dynamic-map outside_dyn_map 10 set reverse-route
crypto map outside_map 10 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption des
hash sha
group 2
lifetime 43200
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 10.0.0.0 255.0.0.0 inside
telnet timeout 5
ssh 10.0.0.0 255.0.0.0 inside
no ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
ssh version 2
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy testvpn internal
group-policy testvpn attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_Tunnel_List
default-domain value test.com
username testvoip password x.x.x.x.
username test password x.x.x.x.x encrypted privilege 15
tunnel-group testvpn type remote-access
tunnel-group testvpn general-attributes
address-pool vpnpool
default-group-policy testvpn
tunnel-group testvpn ipsec-attributes
pre-shared-key x.x.x.x
!
class-map inspection_default
!
!
policy-map global_policy
!
: end
======Ipconfig output======
C:\Users\x.x.x.x.x>ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : x.x.x.x
Primary Dns Suffix . . . . . . . : test.edu
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . :
Ethernet adapter Local Area Connection 3:
Connection-specific DNS Suffix . : test.edu
Description . . . . . . . . . . . : Cisco Systems
Physical Address. . . . . . . . . : 00-05-9A-3C-78
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : x.x.x.x.x.x
IPv4 Address. . . . . . . . . . . : 172.16.1.1(Pre
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
===== Output of tracert ======
C:\Users\x.x.x.x>tracert 10.46.160.1
Tracing route to 10.46.160.1 over a maximum of 30 hops
1 * * * Request timed out.
2 * * * Request timed out.
3 * * * Request timed out.
4 * * * Request timed out.
5 * * * Request timed out.
6 * * * Request timed out.
7 * * * Request timed out.
8 * * * Request timed out.
9 * * * Request timed out.
10 * * * Request timed out.
11 * * * Request timed out.
=======output of ping =========
C:\Users\x.x.x.x>ping 10.36.128.1
Pinging 10.36.128.1 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 10.36.128.1:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
=====output of telnet ======
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Users\mjawara>telnet 10.36.128.1
Connecting To 10.36.128.1...
05-03-2016 08:08 PM
Hi,
Please share the output of sh cry
Use
Regards,
Aditya
Please rate helpful posts.
05-03-2016 08:34 PM
When I ping the LAN interface on the ASA, I see the following:
==============Debug icmp trace output====
ciscoasa# debug icmp trace
debug icmp trace enabled at level 1
ciscoasa#
ciscoasa# ICMP echo request from 172.16.1.1 to 10.36.128.254 ID=1 seq=14329 len=32
ICMP echo request from 172.16.1.1 to 10.36.128.254 ID=1 seq=14330 len=32
ICMP echo request from 172.16.1.1 to 10.36.128.254 ID=1 seq=14331 len=32
ICMP echo request from 172.16.1.1 to 10.36.128.254 ID=1 seq=14332 len=32
ICMP echo request from 172.16.1.1 to 10.36.128.254 ID=1 seq=14333 len=32
ICMP echo request from 172.16.1.1 to 10.36.128.254 ID=1
When I ping any other interface in the LAN, I see no activity as follows:
ciscoasa# debug icmp trace
debug icmp trace enabled at level 1
ciscoasa#
=====below is the show crypto ipsec sa <> output===
ciscoasa# show crypto ipsec sa peer <25.x.x.x>
peer address: <25.x.x.x>
Crypto map tag: outside_dyn_map, seq num: 10, local addr: 48.X.x.x
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (172.16.1.1/255.255.255.255/0/0)
current_peer: <25.x.x.x>, username: testvoip
dynamic allocated peer ip: 172.16.1.1
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 6, #pkts decrypt: 6, #pkts verify: 6
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 48.x.x.x, remote crypto endpt.: <25.x.x.x>
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 9290E3E3
current inbound spi : BF82D2CB
inbound esp sas:
spi: 0xBF82D2CB (3213021899)
transform: esp-3des esp-sha-hmac no compression
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 217088, crypto-map: outside_dyn_map
sa timing: remaining key lifetime (sec): 287587
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x0000007F
outbound esp sas:
spi: 0x9290E3E3 (2458969059)
transform: esp-3des esp-sha-hmac no compression
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 217088, crypto-map: outside_dyn_map
sa timing: remaining key lifetime (sec): 287587
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
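The "show crypto ipsec sa" output above already contains the key diagnostic: the inbound SA has decrypted 6 packets while the outbound SA has encapsulated 0, so the client's packets are arriving but nothing is being sent back through the tunnel. The following script is an added example (not code from the thread or from Cisco) that parses those counters and classifies the SA as bidirectional, one-way, or idle. The sample input is an excerpt of the output posted above, with the addresses masked as in the post; the function names are this example's own.

```python
import re

# Excerpt of the "show crypto ipsec sa" output posted in the thread
# (addresses masked as in the post). Used here only as sample input.
SAMPLE_SA_OUTPUT = """\
peer address: <25.x.x.x>
Crypto map tag: outside_dyn_map, seq num: 10, local addr: 48.X.x.x
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (172.16.1.1/255.255.255.255/0/0)
current_peer: <25.x.x.x>, username: testvoip
dynamic allocated peer ip: 172.16.1.1
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 6, #pkts decrypt: 6, #pkts verify: 6
#send errors: 0, #recv errors: 0
"""

COUNTER_RE = re.compile(
    r"#(pkts (?:encaps|decaps|encrypt|decrypt|digest|verify)|send errors|recv errors):\s*(\d+)"
)
IDENT_RE = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \(([^/]+)/([^/]+)/")
PEER_IP_RE = re.compile(r"dynamic allocated peer ip: (\S+)")


def parse_sa(text):
    """Pull packet counters and traffic selectors out of one SA block."""
    sa = {"counters": {}, "idents": {}, "peer_ip": None}
    for m in COUNTER_RE.finditer(text):
        sa["counters"][m.group(1)] = int(m.group(2))
    for m in IDENT_RE.finditer(text):
        sa["idents"][m.group(1)] = (m.group(2), m.group(3))
    m = PEER_IP_RE.search(text)
    if m:
        sa["peer_ip"] = m.group(1)
    return sa


def diagnose(sa):
    """Classify the SA from its encaps/decaps counters.

    Returns a short code plus a hint about where to look next.
    """
    c = sa["counters"]
    decaps, encaps = c.get("pkts decaps", 0), c.get("pkts encaps", 0)
    errors = c.get("send errors", 0) + c.get("recv errors", 0)
    if decaps == 0 and encaps == 0:
        return "IDLE", "no packets either way: the client is not sending into the tunnel"
    if decaps > 0 and encaps == 0:
        return ("ONE_WAY_INBOUND",
                "client packets are decrypted but nothing is sent back: "
                "check the return path on the inside (routing, NAT exemption, ACLs)")
    if encaps > 0 and decaps == 0:
        return "ONE_WAY_OUTBOUND", "ASA sends into the tunnel but receives nothing: check the client side"
    if errors:
        return "BIDIRECTIONAL_WITH_ERRORS", "traffic flows both ways but send/recv errors are non-zero"
    return "BIDIRECTIONAL", "the tunnel is passing packets in both directions"


if __name__ == "__main__":
    sa = parse_sa(SAMPLE_SA_OUTPUT)
    code, hint = diagnose(sa)
    print(f"peer {sa['peer_ip']} remote ident {sa['idents']['remote'][0]}: {code}")
    print(hint)
```

Run against the posted output this reports ONE_WAY_INBOUND, which is why the later replies concentrate on the inside-facing path (captures on the inside interface, NAT) rather than on the IKE/IPsec negotiation itself.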
05-03-2016 08:40 PM
Hi,
That is expected.
You need to add the following command to ping the inside interface:
management-access inside
But not sure why the pings do not reach the ASA when you ping any other LAN IP.
Could you check the
Use cap asp | in <LAN IP> to check if the ASA is dropping the traffic or not.
Use no cap
Regards,
Aditya
Please rate helpful posts.
05-03-2016 08:51 PM
Adding management-access inside definitely allows me to ping the LAN IP address of 10.36.128.254. However, I still can't ping other LAN IP addresses.
05-03-2016 08:56 PM
Hi,
Please use the
What does packet tracer say ?
Is it allowing the traffic ?
Regards,
Aditya
05-03-2016 09:15 PM
The cap asp doesn't produce any output if I ping a LAN device.
ciscoasa# capture asp-drop type asp-drop all
ciscoasa# cap
Packet tracer output is below.
ciscoasa# packet-tracer input inside tcp 10.36.128.254 1024 ?
A.B.C.D Enter the destination ipv4 address
ciscoasa# packet-tracer input inside tcp 10.36.128.254 1024 172.16.1.1 23
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.16.1.1 255.255.255.255 outside
Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
05-03-2016 09:21 PM
Hi,
It shows your access-list is dropping the traffic.
But in the access-list everything is permitted.
Could you share the output of show run all
Also are you able to ping 10.36.128.1 ?
Regards,
Aditya
05-04-2016 08:44 AM
I still can't ping 10.36.128.1.
See the output below.
ciscoasa# show run all
ciscoasa# show run all sys
ciscoasa# show run all sysopt
no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
sysopt connection permit-vpn
sysopt connection reclassify-vpn
no sysopt connection preserve-vpn-flows
no sysopt nodnsalias inbound
no sysopt nodnsalias outbound
no sysopt radius ignore-secret
no sysopt noproxyarp inside
no sysopt noproxyarp outside
05-04-2016 09:00 AM
Hi,
Please use captures on the ASA's inside interface to see if the traffic reaches the ASA.
As you told when we use debug
Check in the captures that whether we see any hits on the ASA.
Also what do the
Regards,
Aditya
05-04-2016 09:50 AM
The capture on the inside interface doesn't say anything when I ping devices inside the interface. Also syslog only shows my logging information. The problem seems to be related to either NAT or routing between the remote pool and the LAN network.
05-04-2016 11:17 AM
I found a solution for this courtesy of http://www.packetu.com/.../defining-the-need-for-nat.../. It was a nat order issue.
I removed nat(inside) 10 10.0.0.0 255.0.0.0, configured access-list nat_excemption, nat(inside) 0 access-list nat_excemption, then added the original nat statement of nat(inside) 10 10.0.0.0 255.0.0.0. I can now reach all LAN resources using icmp, telnet, etc. Thank you Aditya Ganjoo. Your input was valuable.
MJ
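The fix above reorders the ASA 8.2 NAT statements so that the nat 0 exemption for pool traffic comes before the numbered dynamic NAT. Two things are worth verifying in any configuration of this kind: that the exemption ACL actually covers every split-tunnel network as source and the whole address pool as destination, and that no numbered nat statement on the same interface precedes the exemption. The script below is an added example (not the poster's configuration or any Cisco tool) that parses the relevant lines of an 8.2-style config and reports both. It is run on the NAT-related lines from the config at the top of the thread and on a constructed variant with a gap in the exemption and the wrong order; the function names and the BROKEN_CONFIG text are this example's own.

```python
import ipaddress

# NAT-related lines from the ASA 8.2 config posted at the top of the thread
# (sample input; everything else from that config is omitted).
POSTED_CONFIG = """\
access-list Split_Tunnel_List standard permit 10.36.0.0 255.255.0.0
access-list Split_Tunnel_List standard permit 10.46.0.0 255.255.0.0
access-list Split_Tunnel_List standard permit 10.80.0.0 255.255.0.0
access-list NONAT extended permit ip 10.0.0.0 255.0.0.0 172.16.1.0 255.255.255.0
ip local pool vpnpool 172.16.1.1-172.16.1.100 mask 255.255.255.0
nat (inside) 0 access-list NONAT
nat (inside) 10 10.0.0.0 255.0.0.0
split-tunnel-network-list value Split_Tunnel_List
"""

# Constructed variant (not from the thread): the exemption ACL covers only one
# of two split-tunnel networks and the dynamic NAT precedes the exemption.
BROKEN_CONFIG = """\
access-list Split_Tunnel_List standard permit 10.36.0.0 255.255.0.0
access-list Split_Tunnel_List standard permit 10.46.0.0 255.255.0.0
access-list NONAT extended permit ip 10.36.0.0 255.255.0.0 172.16.1.0 255.255.255.0
ip local pool vpnpool 172.16.1.1-172.16.1.100 mask 255.255.255.0
nat (inside) 10 10.0.0.0 255.0.0.0
nat (inside) 0 access-list NONAT
split-tunnel-network-list value Split_Tunnel_List
"""


def _take_net(tokens, i):
    """Read an ACL address operand at tokens[i]: 'any', 'host A', or 'A MASK'."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_nat_config(config):
    """Extract ACLs, nat statements (in config order), the pool and the split list."""
    acls, nats, pool, split_list = {}, [], None, None
    for line in config.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "access-list" and t[2:4] == ["standard", "permit"]:
            src, _ = _take_net(t, 4)
            acls.setdefault(t[1], []).append((src, None))
        elif t[0] == "access-list" and t[2:5] == ["extended", "permit", "ip"]:
            src, i = _take_net(t, 5)
            dst, _ = _take_net(t, i)
            acls.setdefault(t[1], []).append((src, dst))
        elif t[:3] == ["ip", "local", "pool"]:
            first, last = t[4].split("-")
            pool = (ipaddress.ip_address(first), ipaddress.ip_address(last))
        elif t[0] == "nat" and len(t) >= 5:
            iface, nat_id = t[1].strip("()"), int(t[2])
            target = t[4] if t[3] == "access-list" else _take_net(t, 3)[0]
            nats.append((iface, nat_id, target))
        elif t[0] == "split-tunnel-network-list" and t[1] == "value":
            split_list = t[2]
    return acls, nats, pool, split_list


def check_vpn_nat_exemption(config):
    """Report split-tunnel networks whose traffic to the pool is not exempted
    from NAT, and whether a numbered nat precedes the nat 0 exemption."""
    acls, nats, pool, split_list = parse_nat_config(config)
    first, last = pool
    report = {"exemption_acl": None, "uncovered": [], "exemption_after_dynamic_nat": False}
    exempt = [(iface, target) for iface, nat_id, target in nats if nat_id == 0]
    if not exempt:
        report["uncovered"] = [str(n) for n, _ in acls.get(split_list, [])]
        return report
    iface, acl_name = exempt[0]
    report["exemption_acl"] = acl_name
    aces = [(s, d) for s, d in acls.get(acl_name, []) if d is not None]
    for split_net, _ in acls.get(split_list, []):
        # Covered when some ACE contains the whole LAN network as source and
        # both ends of the pool as destination.
        if not any(split_net.subnet_of(s) and first in d and last in d for s, d in aces):
            report["uncovered"].append(str(split_net))
    order = [nat_id for i, nat_id, _ in nats if i == iface]
    report["exemption_after_dynamic_nat"] = any(n != 0 for n in order[:order.index(0)])
    return report


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_CONFIG), ("constructed broken", BROKEN_CONFIG)):
        print(label, check_vpn_nat_exemption(cfg))
```

On the posted lines the exemption covers all three split-tunnel networks and the nat 0 line precedes nat 10, so the report is clean; on the constructed variant it flags 10.46.0.0/16 as uncovered and the exemption as placed after the dynamic NAT, which is the situation the reordering in the fix is meant to rule out.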
05-04-2016 04:54 PM
Hi MJ,
Glad to assist.
Regards,
Aditya