1453 Views, 9 Helpful, 12 Replies

IPsec Remote access vpn can't access LAN

Mu Haxy
Level 1

I have configured a remote access VPN on an ASA5510 to be used with an IPsec VPN client. During testing, I found the remote client connection established. However, I cannot reach any resource in the internal network using ping, telnet, tracert etc. I will appreciate any input into this.

 

Below is the full config


Juniper(LAN) Ex2200 ===> ASA5510 ===> Cisco3750 ===> Lightpath WAN



ciscoasa(config)# show run | ex unass
: Saved
:
ASA Version 8.2(2)
!
hostname ciscoasa
enable password x.x.x.x. encrypted
passwd x.x.x.x.x encrypted
names
!
interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 10.36.128.254 255.255.254.0
!
interface Ethernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 nameif outside
 security-level 0
 ip address [public IP address]
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
access-list 101 extended permit tcp any any
access-list 101 extended permit udp any any
access-list 101 extended permit icmp any any
access-list Split_Tunnel_List remark The corporate network behind the ASA
access-list Split_Tunnel_List remark The corporate network behind the ASA
access-list Split_Tunnel_List standard permit 10.36.0.0 255.255.0.0
access-list Split_Tunnel_List standard permit 10.46.0.0 255.255.0.0
access-list Split_Tunnel_List standard permit 10.80.0.0 255.255.0.0
access-list NONAT extended permit ip 10.0.0.0 255.0.0.0 172.16.1.0 255.255.255.0


access-list inside_access_in extended permit ip 172.16.1.0 255.255.255.0 any
access-list inside_access_in extended permit ip 10.36.0.0 255.255.0.0 any
access-list inside_access_in extended permit ip 10.46.0.0 255.255.0.0 any
access-list inside_access_in extended permit ip 10.80.0.0 255.255.0.0 any


pager lines 24
mtu inside 1500
mtu outside 1500
ip local pool vpnpool 172.16.1.1-172.16.1.100 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
no asdm history enable
arp timeout 14400
nat-control
global (outside) 10 interface
nat (inside) 0 access-list NONAT
nat (inside) 10 10.0.0.0 255.0.0.0
access-group 101 in interface inside
access-group 101 out interface inside
access-group 101 in interface outside
access-group 101 out interface outside
!
router ospf 1
 router-id 10.36.128.254
 network 10.0.0.0 255.0.0.0 area 0
 log-adj-changes
 redistribute static
 default-information originate
!
route outside 0.0.0.0 0.0.0.0 [public IP Address] 1
route inside 10.0.0.0 255.0.0.0 10.36.128.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
no http 10.0.0.0 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 10 set security-association lifetime seconds 288000
crypto dynamic-map outside_dyn_map 10 set reverse-route
crypto map outside_map 10 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 43200
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 10.0.0.0 255.0.0.0 inside
telnet timeout 5
ssh 10.0.0.0 255.0.0.0 inside
no ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
ssh version 2
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept

group-policy testvpn internal
group-policy testvpn attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_Tunnel_List
 default-domain value test.com
username testvoip password x.x.x.x.
username test password x.x.x.x.x encrypted privilege 15
tunnel-group testvpn type remote-access
tunnel-group testvpn general-attributes
 address-pool vpnpool
 default-group-policy testvpn
tunnel-group testvpn ipsec-attributes
 pre-shared-key x.x.x.x
!
class-map inspection_default
!
!
policy-map global_policy
!

: end


======Ipconfig output======


C:\Users\x.x.x.x.x>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : x.x.x.x
   Primary Dns Suffix  . . . . . . . : test.edu
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . :

Ethernet adapter Local Area Connection 3:

   Connection-specific DNS Suffix  . : test.edu
   Description . . . . . . . . . . . : Cisco Systems
   Physical Address. . . . . . . . . : 00-05-9A-3C-78
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : x.x.x.x.x.x
   IPv4 Address. . . . . . . . . . . : 172.16.1.1(Pre
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   



===== Output of tracert ======

C:\Users\x.x.x.x>tracert 10.46.160.1

Tracing route to 10.46.160.1 over a maximum of 30 hops

  1     *        *        *     Request timed out.
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.
  7     *        *        *     Request timed out.
  8     *        *        *     Request timed out.
  9     *        *        *     Request timed out.
 10     *        *        *     Request timed out.
 11     *        *        *     Request timed out.
 


=======output of ping =========

C:\Users\x.x.x.x>ping 10.36.128.1

Pinging 10.36.128.1 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 10.36.128.1:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),



=====output of telnet ======

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\mjawara>telnet 10.36.128.1
Connecting To 10.36.128.1...

12 Replies

Aditya Ganjoo
Cisco Employee

Hi,

Please share the output of sh cry ipsec sa peer <> ?

Also run debug icmp trace on the ASA and initiate a ping from the remote client to one of the internal IP and check if the pings make it to the ASA or not ?

Use undebug all to stop the debugs.

Regards,

Aditya

Please rate helpful posts.

When I ping the LAN interface on the ASA, I see the following:

==============Debug icmp trace output====


ciscoasa# debug icmp trace
debug icmp trace enabled at level 1
ciscoasa#
ciscoasa# ICMP echo request from 172.16.1.1 to 10.36.128.254 ID=1 seq=14329 len=32
ICMP echo request from 172.16.1.1 to 10.36.128.254 ID=1 seq=14330 len=32
ICMP echo request from 172.16.1.1 to 10.36.128.254 ID=1 seq=14331 len=32
ICMP echo request from 172.16.1.1 to 10.36.128.254 ID=1 seq=14332 len=32
ICMP echo request from 172.16.1.1 to 10.36.128.254 ID=1 seq=14333 len=32
ICMP echo request from 172.16.1.1 to 10.36.128.254 ID=1

When I ping any other interface in the LAN, I see no activity, as follows:

ciscoasa# debug icmp trace
debug icmp trace enabled at level 1
ciscoasa#

=====below is the show crypto ipsec sa <> output===

ciscoasa# show crypto ipsec sa peer <25.x.x.x>
peer address: <25.x.x.x>
    Crypto map tag: outside_dyn_map, seq num: 10, local addr: 48.X.x.x

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (172.16.1.1/255.255.255.255/0/0)
      current_peer: <25.x.x.x>, username: testvoip
      dynamic allocated peer ip: 172.16.1.1

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 6, #pkts decrypt: 6, #pkts verify: 6
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 48.x.x.x, remote crypto endpt.: <25.x.x.x>

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 9290E3E3
      current inbound spi : BF82D2CB

    inbound esp sas:
      spi: 0xBF82D2CB (3213021899)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={RA, Tunnel, }
         slot: 0, conn_id: 217088, crypto-map: outside_dyn_map
         sa timing: remaining key lifetime (sec): 287587
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x0000007F
    outbound esp sas:
      spi: 0x9290E3E3 (2458969059)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={RA, Tunnel, }
         slot: 0, conn_id: 217088, crypto-map: outside_dyn_map
         sa timing: remaining key lifetime (sec): 287587
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
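
The counters in the output above already localise the fault: 6 packets decapsulated from the client, 0 encapsulated back. As an added example (not part of the thread), the following Python script parses `show crypto ipsec sa` output and flags that one-way pattern. The sample embedded in it is constructed from the block posted above, with the poster's own masking of the public addresses kept. A one-way-inbound SA means the client's packets arrive and decrypt fine, but no reply is ever put into the tunnel: either the inside hosts never answered, or the ASA dropped or translated the reply before the crypto map saw it. That is an inside-side (routing or NAT) problem, not a tunnel-negotiation problem.

```python
import re

# Constructed sample: the 'show crypto ipsec sa peer' block posted in the thread,
# with the poster's masking of the public addresses kept as-is.
SAMPLE_SA = """\
peer address: <25.x.x.x>
    Crypto map tag: outside_dyn_map, seq num: 10, local addr: 48.X.x.x

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (172.16.1.1/255.255.255.255/0/0)
      current_peer: <25.x.x.x>, username: testvoip
      dynamic allocated peer ip: 172.16.1.1

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 6, #pkts decrypt: 6, #pkts verify: 6
      #pkts compressed: 0, #pkts decompressed: 0
      #send errors: 0, #recv errors: 0
"""

COUNTER_RE = re.compile(r"#pkts (encaps|decaps|encrypt|decrypt): (\d+)")
IDENT_RE = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \(([^)]*)\)")
ASSIGNED_RE = re.compile(r"dynamic allocated peer ip: (\S+)")


def parse_sa(text):
    """Return one dict per 'peer address:' block with the proxy identities,
    the assigned pool address and the cumulative packet counters."""
    peers = []
    for chunk in re.split(r"(?m)^\s*peer address:", text)[1:]:
        peer = {"peer": chunk.split("\n", 1)[0].strip()}
        for side, ident in IDENT_RE.findall(chunk):
            peer[side + "_ident"] = ident
        for name, value in COUNTER_RE.findall(chunk):
            peer[name] = int(value)
        m = ASSIGNED_RE.search(chunk)
        peer["assigned_ip"] = m.group(1) if m else None
        peers.append(peer)
    return peers


def diagnose(peer):
    """Classify the SA by its counters.

    one-way-inbound: decaps > 0 and encaps == 0. The client's packets arrive and
    are decrypted, but nothing is ever encrypted back, so the reply is lost on
    the inside (no answer from the host, or dropped / translated by the ASA
    before the crypto map sees it). This is the pattern in the thread.
    """
    enc, dec = peer.get("encaps", 0), peer.get("decaps", 0)
    if enc == 0 and dec == 0:
        return "no-traffic"
    if enc == 0:
        return "one-way-inbound"
    if dec == 0:
        return "one-way-outbound"
    return "bidirectional"


def report(text):
    """Human-readable summary, one line per peer."""
    lines = []
    for p in parse_sa(text):
        lines.append(f"{p['peer']} assigned {p['assigned_ip']}: "
                     f"decaps={p.get('decaps', 0)} encaps={p.get('encaps', 0)} "
                     f"-> {diagnose(p)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_SA))
```

Run it against the live output of `show crypto ipsec sa` (all peers, not just one) and look for any SA that is still one-way after the client has generated traffic; the counters are cumulative for the SA lifetime, so clear them or re-key before a test if you need a clean baseline.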

Hi,

That is expected.

You need to add the following command to ping the inside interface:

management-access inside

But not sure why the pings do not reach the ASA when you ping any other LAN IP.

Could you check the syslogs on the ASA when you test the traffic ?

Also use cap asp type-asp drop all and test the ping.

Use cap asp | in <LAN IP> to check if the ASA is dropping the traffic or not.

Use no cap asp to disable the captures.

Regards,

Aditya

Please rate helpful posts.

Adding management-access inside definitely allows me to ping the LAN IP address of 10.36.128.254. However, I still can't ping other LAN IP addresses.

Hi,

Please use the asp captures on the ASA.

What does packet tracer say ?

Is it allowing the traffic ?

Regards,

Aditya

The cap asp doesn't produce any output if I ping a LAN device.

ciscoasa# capture asp-drop type asp-drop all
ciscoasa# cap

Packet tracer output is below. 

ciscoasa# packet-tracer input inside tcp 10.36.128.254 1024 ?
A.B.C.D Enter the destination ipv4 address
ciscoasa# packet-tracer input inside tcp 10.36.128.254 1024 172.16.1.1 23

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.16.1.1 255.255.255.255 outside

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
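
The packet-tracer output above is the ASA's multi-line report collapsed onto one line, which makes the phase that dropped the flow easy to miss. As an added example, not code from the thread, here is a small parser that splits packet-tracer output into phases and reports the first DROP with its drop reason. It works on the run-together form exactly as pasted (that text is embedded as the constructed sample) and on the normal multi-line form, because it matches on the field labels rather than on line breaks.

```python
import re

# Constructed sample: the packet-tracer run posted above, exactly as it was pasted
# (the ASA's multi-line output collapsed onto a single line).
SAMPLE_PT = (
    "ciscoasa# packet-tracer input inside tcp 10.36.128.254 1024 ? A.B.C.D Enter the "
    "destination ipv4 address ciscoasa# packet-tracer input inside tcp 10.36.128.254 1024 "
    "172.16.1.1 23 Phase: 1 Type: ACCESS-LIST Subtype: Result: ALLOW Config: Implicit Rule "
    "Additional Information: MAC Access list Phase: 2 Type: FLOW-LOOKUP Subtype: Result: ALLOW "
    "Config: Additional Information: Found no matching flow, creating a new flow Phase: 3 "
    "Type: ROUTE-LOOKUP Subtype: input Result: ALLOW Config: Additional Information: in "
    "172.16.1.1 255.255.255.255 outside Phase: 4 Type: ACCESS-LIST Subtype: Result: DROP "
    "Config: Implicit Rule Additional Information: Result: input-interface: inside "
    "input-status: up input-line-status: up output-interface: outside output-status: up "
    "output-line-status: up Action: drop Drop-reason: (acl-drop) Flow is denied by configured rule"
)

# One phase block. Subtype may be empty, so it is optional; Config and Additional
# Information run until the next "Phase:" or the final "Result:" summary.
PHASE_RE = re.compile(
    r"Phase:\s*(?P<num>\d+)\s*Type:\s*(?P<type>\S+)\s*Subtype:\s*(?:(?P<subtype>\S+)\s+)?"
    r"Result:\s*(?P<result>ALLOW|DROP)\s*Config:\s*(?P<config>.*?)\s*"
    r"Additional Information:\s*(?P<info>.*?)(?=\s*Phase:|\s*Result:\s*input-interface|\Z)",
    re.S,
)
DROP_RE = re.compile(r"Drop-reason:\s*\(([^)]+)\)\s*(.*?)\s*$", re.S)


def parse_packet_tracer(text):
    """Split packet-tracer output into its phases and the final verdict."""
    phases = []
    for m in PHASE_RE.finditer(text):
        p = m.groupdict()
        p["num"] = int(p["num"])
        p["subtype"] = p["subtype"] or ""
        phases.append(p)
    verdict = {}
    for key in ("input-interface", "output-interface", "Action"):
        m = re.search(re.escape(key) + r":\s*(\S+)", text)
        verdict[key] = m.group(1) if m else None
    m = DROP_RE.search(text)
    verdict["drop_reason"] = m.group(1) if m else None
    verdict["drop_text"] = m.group(2) if m else None
    return phases, verdict


def first_drop(phases):
    """The first phase whose result is DROP, or None when the flow is allowed."""
    return next((p for p in phases if p["result"] == "DROP"), None)


def summarize(text):
    """One-line verdict naming the dropping phase, its config and the reason."""
    phases, verdict = parse_packet_tracer(text)
    d = first_drop(phases)
    if d is None:
        return f"allowed {verdict['input-interface']} -> {verdict['output-interface']}"
    return (f"dropped in phase {d['num']} {d['type']} ({d['config'] or 'n/a'}) "
            f"{verdict['input-interface']} -> {verdict['output-interface']}: "
            f"{verdict['drop_reason']}: {verdict['drop_text']}")


if __name__ == "__main__":
    print(summarize(SAMPLE_PT))
```

Note what the trace in the thread actually tests: a flow from the ASA's own inside address toward the VPN client, i.e. the return direction, and the drop lands in phase 4 on the outside output interface with "Implicit Rule" as the config. When scripting this, run packet-tracer once in each direction (client to LAN host and LAN host to client) and compare the two summaries.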

Hi,

It shows your access-list is dropping the traffic.

But in the access-list everything is permitted.

Could you share the output of show run all sysopt ?

Also are you able to ping 10.36.128.1 ?

Regards,

Aditya


I still can't ping 10.36.128.1.

See the output below. 

ciscoasa# show run all
ciscoasa# show run all sys
ciscoasa# show run all sysopt
no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
sysopt connection permit-vpn
sysopt connection reclassify-vpn
no sysopt connection preserve-vpn-flows
no sysopt nodnsalias inbound
no sysopt nodnsalias outbound
no sysopt radius ignore-secret
no sysopt noproxyarp inside
no sysopt noproxyarp outside

Hi,

Please use captures on the ASA's inside interface to see if the traffic reaches the ASA.

As you told when we use debug icmp trace we do not see any ping hits on the ASA.

Check in the captures that whether we see any hits on the ASA.

Also what do the syslogs on the ASA say ?

Regards,

Aditya

The capture on the inside interface doesn't show anything when I ping devices inside the interface. Also, syslog only shows my logging information. The problem seems to be related to either NAT or routing between the remote pool and the LAN network.

I found a solution for this courtesy of http://www.packetu.com/.../defining-the-need-for-nat.../. It was a NAT order issue.

I removed nat (inside) 10 10.0.0.0 255.0.0.0, configured access-list nat_excemption, nat (inside) 0 access-list nat_excemption, then added the original NAT statement of nat (inside) 10 10.0.0.0 255.0.0.0. I can now reach all LAN resources using ICMP, telnet, etc. Thank you Aditya Ganjoo. Your input was valuable.

MJ
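
The fix came down to NAT exemption between the LAN and the VPN pool. On 8.2 with nat-control, LAN traffic toward the pool that is not exempted matches `nat (inside) 10` and gets PAT'd to the outside interface address, so the reply no longer matches the SA's proxy identity and never enters the tunnel. As an added example (not the thread's own code) the following Python lint parses an 8.2-style running-config and verifies that every split-tunnel network has a `nat (inside) 0 access-list` ACE whose source covers the network and whose destination covers the whole address pool. It checks coverage, not statement order. It also flags the DES/3DES and DH group 2 ISAKMP policies in the posted config, which no current baseline accepts. The sample config is constructed from the lines posted at the top of the thread; the narrowed variant that makes the check fire is constructed too.

```python
import ipaddress

# Constructed sample: the NAT, pool, split-tunnel and ISAKMP lines from the
# ASA 8.2(2) config posted at the top of the thread.
SAMPLE_CFG = """\
access-list Split_Tunnel_List standard permit 10.36.0.0 255.255.0.0
access-list Split_Tunnel_List standard permit 10.46.0.0 255.255.0.0
access-list Split_Tunnel_List standard permit 10.80.0.0 255.255.0.0
access-list NONAT extended permit ip 10.0.0.0 255.0.0.0 172.16.1.0 255.255.255.0
ip local pool vpnpool 172.16.1.1-172.16.1.100 mask 255.255.255.0
nat-control
global (outside) 10 interface
nat (inside) 0 access-list NONAT
nat (inside) 10 10.0.0.0 255.0.0.0
crypto isakmp policy 1
 authentication pre-share
 encryption des
 hash sha
 group 2
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
group-policy testvpn attributes
 split-tunnel-network-list value Split_Tunnel_List
tunnel-group testvpn general-attributes
 address-pool vpnpool
"""

# Constructed variant: exemption narrowed to one LAN, so the other two
# split-tunnel networks would be PAT'd toward the pool by 'nat (inside) 10'.
BROKEN_CFG = SAMPLE_CFG.replace("permit ip 10.0.0.0 255.0.0.0", "permit ip 10.36.0.0 255.255.0.0")


def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse(cfg):
    """Pull out the pieces the checks need from an 8.2-style running-config."""
    c = {"std_acl": {}, "ext_acl": {}, "pools": {}, "exempt_acls": [], "isakmp": {}}
    policy = None
    for line in cfg.splitlines():
        t = line.split()
        if not t:
            continue
        if t[:3] == ["ip", "local", "pool"]:
            first, last = t[4].split("-")
            c["pools"][t[3]] = (ipaddress.ip_address(first), ipaddress.ip_address(last))
        elif t[0] == "access-list" and t[2:4] == ["standard", "permit"]:
            c["std_acl"].setdefault(t[1], []).append(net(t[4], t[5]))
        elif t[0] == "access-list" and t[2:5] == ["extended", "permit", "ip"]:
            c["ext_acl"].setdefault(t[1], []).append((net(t[5], t[6]), net(t[7], t[8])))
        elif t[0] == "nat" and t[2:4] == ["0", "access-list"]:   # NAT exemption
            c["exempt_acls"].append(t[4])
        elif t[:3] == ["crypto", "isakmp", "policy"]:
            policy = c["isakmp"].setdefault(int(t[3]), {})
        elif t[0] == "split-tunnel-network-list":
            c["split_list"] = t[2]
        elif t[0] == "address-pool":
            c["pool"] = t[1]
        elif policy is not None and t[0] in ("encryption", "hash", "group"):
            policy[t[0]] = t[1]
    return c


def check_exemption(c):
    """Split-tunnel networks with no NAT-exemption ACE whose source covers the
    network and whose destination covers the whole address pool."""
    first, last = c["pools"][c["pool"]]
    pool_nets = list(ipaddress.summarize_address_range(first, last))
    aces = [ace for name in c["exempt_acls"] for ace in c["ext_acl"].get(name, [])]
    missing = []
    for lan in c["std_acl"].get(c["split_list"], []):
        if not any(lan.subnet_of(src) and all(p.subnet_of(dst) for p in pool_nets)
                   for src, dst in aces):
            missing.append(str(lan))
    return missing


WEAK_ENC = {"des", "3des"}
WEAK_DH = {"1", "2", "5"}   # MODP groups below 2048 bits


def weak_isakmp(c):
    """ISAKMP policies that would fail a current crypto baseline."""
    findings = []
    for num, p in sorted(c["isakmp"].items()):
        if p.get("encryption") in WEAK_ENC:
            findings.append(f"policy {num}: encryption {p['encryption']}")
        if p.get("group") in WEAK_DH:
            findings.append(f"policy {num}: DH group {p['group']}")
    return findings


if __name__ == "__main__":
    for name, cfg in (("posted", SAMPLE_CFG), ("narrowed", BROKEN_CFG)):
        print(name, "missing exemption:", check_exemption(parse(cfg)) or "none")
    print("weak ISAKMP:", weak_isakmp(parse(SAMPLE_CFG)))
```

On the posted config the exemption check comes back clean (10.0.0.0/8 to 172.16.1.0/24 covers all three LANs and the whole pool), while the narrowed variant reports 10.46.0.0/16 and 10.80.0.0/16; the ISAKMP check reports four findings either way. The parser only understands the 8.2 `nat`/`global` syntax; on 8.3 and later, NAT exemption is expressed as twice NAT with identity source and destination objects and needs a different parser.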

Hi MJ,

Glad to assist.

Regards,

Aditya