10-13-2012 04:27 PM - edited 02-21-2020 06:24 PM
I am setting up a simple remote IPsec VPN with an ASA 8.4. All I want is for the remote user to be able to VPN into the ASA and, from there, browse outside web pages on the Internet, and we'd like not to use split tunneling.
The outside interface is 192.168.1.155/24, which is inside our network, and this subnet works fine to the outside.
The pool for VPN is 192.168.0.0/24 (please pay attention to the 3rd octet).
I configured it and the remote user can VPN in and get an IP from the pool, but it seems that he cannot do anything. He cannot ping anything.
I suspected the NATting that I use.
Can you tell me what is configured wrong? I guess I am confused as to what traffic needs to be NATed and what does not.
thanks,
Han
======
:
ASA Version 8.4(2)
!
!
interface GigabitEthernet0
description VPN interface
nameif outside
security-level 0
ip address 192.168.1.156 255.255.255.0
!
interface GigabitEthernet1
description VPN interface
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
!
ftp mode passive
object network obj-192.168.0.0
subnet 192.168.0.0 255.255.255.0
object network obj-192.168.1.155
host 192.168.1.155
access-list EXTERNAL extended permit ip any any
access-list EXTERNAL extended permit icmp any any
access-list vpn extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip local pool testpool 192.168.0.10-192.168.0.15
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
no asdm history enable
arp timeout 14400
!
object network obj-192.168.0.0
nat (inside,outside) dynamic interface
access-group EXTERNAL in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.1.155 1
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set FirstSet esp-3des esp-md5-hmac
crypto dynamic-map dyn1 1 set ikev1 transform-set FirstSet
crypto dynamic-map dyn1 1 set reverse-route
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map mymap interface outside
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group testgroup type remote-access
tunnel-group testgroup general-attributes
address-pool testpool
tunnel-group testgroup ipsec-attributes
ikev1 pre-shared-key *
!
!
10-15-2012 07:36 PM
Thanks Han....
OK, let's go through the rest of the issue.
So now, the only issue that you have is not being able to access the Internet without split tunnel config when connected through VPN, right?
Can you please try with packet tracer to see where it's failing?
Also, if the NAT doesn't work, can you configure NAT on the upstream router for the VPN pool (192.168.200.0/24), and then also route that subnet to point towards the ASA outside interface IP (192.168.1.156) on the router?
10-13-2012 04:49 PM
You would need to configure the following:
same-security-traffic permit intra-interface
object network obj-192.168.0.0-vpn
subnet 192.168.0.0 255.255.255.0
nat (outside,outside) dynamic interface
Since your vpn pool is connected on the outside interface of the ASA because that's how the VPN is connected, the NAT statement needs to be "(outside,outside)", not "(inside,outside)".
Then "clear xlate" after the above changes.
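To make the interface-pair point above concrete, here is an added Python model (my own, not from the thread or from Cisco) of the two checks a decrypted client packet has to pass before the ASA can hairpin it back out the outside interface. The class and function names are invented for illustration, and a real ASA evaluates NAT in far more detail than this.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional, Tuple

@dataclass(frozen=True)
class NatRule:
    """One 'nat (real_ifc,mapped_ifc) dynamic interface' object NAT rule."""
    real_ifc: str
    mapped_ifc: str
    real_net: IPv4Network
    mapped_addr: IPv4Address  # interface address the source is PATed to

@dataclass(frozen=True)
class AsaModel:
    rules: Tuple[NatRule, ...]
    intra_interface: bool  # same-security-traffic permit intra-interface

def nat_match(asa: AsaModel, ingress: str, egress: str,
              src: IPv4Address) -> Optional[NatRule]:
    """Object NAT applies only if the interface pair AND the real subnet match.
    A decrypted VPN packet enters on outside, so an (inside,outside) rule never fires."""
    for rule in asa.rules:
        if (rule.real_ifc, rule.mapped_ifc) == (ingress, egress) and src in rule.real_net:
            return rule
    return None

def trace(asa: AsaModel, ingress: str, egress: str, src: str) -> str:
    """Simplified packet-tracer verdict for a decrypted client packet that the
    default route sends back out the interface it arrived on."""
    source = IPv4Address(src)
    if ingress == egress and not asa.intra_interface:
        return "DROP: hairpin on %s needs same-security-traffic permit intra-interface" % ingress
    rule = nat_match(asa, ingress, egress, source)
    if rule is None:
        # Forwarded untranslated: the upstream device would then need a route
        # for the pool pointing back at the ASA (Jen's fallback suggestion).
        return "FORWARD untranslated: upstream must route %s back to the ASA" % src
    return "NAT: %s -> %s (PAT to %s interface)" % (src, rule.mapped_addr, egress)

OUTSIDE_IP = IPv4Address("192.168.1.156")  # from the posted config
POOL = IPv4Network("192.168.0.0/24")       # the original VPN pool
# Han's first attempt: rule written for (inside,outside), no intra-interface permit.
ORIGINAL = AsaModel((NatRule("inside", "outside", POOL, OUTSIDE_IP),), False)
# Jen's fix: pool NATed (outside,outside) with intra-interface traffic permitted.
FIXED = AsaModel((NatRule("outside", "outside", POOL, OUTSIDE_IP),), True)

if __name__ == "__main__":
    for name, asa in (("original", ORIGINAL), ("fixed", FIXED)):
        print(name, "->", trace(asa, "outside", "outside", "192.168.0.10"))
```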
10-13-2012 04:59 PM
Thanks Jen,
Before I change this, can I please understand what exactly this does, and why?
10-13-2012 06:05 PM
Jen, I added this, but it is still not working. The symptoms remain the same.
10-13-2012 06:11 PM
Since your outside IP is a private IP, do you have NATing on the upstream device?
Are you able to ping 4.2.2.2 from the remote client?
Where is it failing?
Can you please share the output of:
show cry isa sa
show cry ipsec sa
once connected, and try to ping 4.2.2.2.
Plus, the full config from the ASA and the upstream device would help.
10-13-2012 06:12 PM
BTW, from the ASA itself, are you able to reach the internet?
Also, does the VPN Client have the correct DNS server that resolves public fqdn?
10-13-2012 06:35 PM
Jen, for your questions:
Since your outside IP is a private IP, do you have NATing on the upstream device? Yes.
Are you able to ping 4.2.2.2 from the remote client? No.
Now I am connecting to the VPN through a device in the 192.168.1.0/24 subnet.
Where is it failing? That's what I am figuring out.
BTW, from the ASA itself, are you able to reach the Internet? Yes; a user from the Internet can VPN into the device as well, with the same symptoms.
Also, does the VPN client have the correct DNS server that resolves public FQDNs? I use Google's free one for trial; the VPN client cannot ping it, but the ASA can ping it.
thanks,
Han
10-13-2012 07:20 PM
This is the show output, thanks.
ciscoasa# show cry isa sa
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 192.168.1.103
Type : user Role : responder
Rekey : no State : AM_ACTIVE
There are no IKEv2 SAs
ciscoasa# show cry ipse sa
interface: outside
Crypto map tag: dyn1, seq num: 1, local addr: 192.168.1.156
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.0.10/255.255.255.255/0/0)
current_peer: 192.168.1.103, username: werrewre
dynamic allocated peer ip: 192.168.0.10
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 388, #pkts decrypt: 194, #pkts verify: 388
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 194
local crypto endpt.: 192.168.1.156/0, remote crypto endpt.: 192.168.1.103/0
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 09E9FF5A
current inbound spi : A8A0A2AC
inbound esp sas:
spi: 0xA8A0A2AC (2829099692)
transform: esp-3des esp-md5-hmac no compression
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 12288, crypto-map: dyn1
sa timing: remaining key lifetime (sec): 28641
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x09E9FF5A (166330202)
transform: esp-3des esp-md5-hmac no compression
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 12288, crypto-map: dyn1
sa timing: remaining key lifetime (sec): 28641
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
ciscoasa#
10-13-2012 07:25 PM
The following is the full ASA config. I am testing it right now from a device in the same subnet as the ASA's outside interface.
Also, I saw in the ipconfig output from the client that the VPN gateway is 192.168.0.1, which I have never configured. I seem not to be able to control this.
ASA Version 8.4(2)
!
hostname ciscoasa
enable password encrypted
passwd encrypted
names
!
interface GigabitEthernet0
description VPN interface
nameif outside
security-level 0
ip address 192.168.1.156 255.255.255.0
!
interface GigabitEthernet1
description VPN interface
shutdown
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
!
interface GigabitEthernet2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet5
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
object network obj-192.168.0.0-vpn
subnet 192.168.0.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip local pool testpool 192.168.0.10-192.168.0.15
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
object network obj-192.168.0.0-vpn
nat (outside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 192.168.1.155 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set FirstSet esp-3des esp-md5-hmac
crypto dynamic-map dyn1 1 set ikev1 transform-set FirstSet
crypto dynamic-map dyn1 1 set reverse-route
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map mymap interface outside
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group testgroup type remote-access
tunnel-group testgroup general-attributes
address-pool testpool
tunnel-group testgroup ipsec-attributes
ikev1 pre-shared-key *****
!
!
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http
https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
: end
10-14-2012 02:51 AM
Hmm, ok, so you are connecting from a device in the same subnet as the ASA outside.
Can you change the pool address so it's not in the same subnet as the inside interface? Please kindly change it to a unique subnet, e.g. 192.168.200.0/24.
Then change the NAT statement:
object network obj-192.168.200.0-vpn
subnet 192.168.200.0 255.255.255.0
nat (outside,outside) dynamic interface
What is the upstream device, and how is the NAT configured?
10-14-2012 09:44 AM
I tried with the 200 subnet. It is still the same. I did the show command and found many recv errors.
By the way, the gateway the client is assigned from the ASA is of no real use, is it?
And also, if I ping the inside interface from the client, the ASA receives the ping but does not send it back.
ciscoasa(config)# sh cry ipsec sa
interface: outside
Crypto map tag: dyn1, seq num: 1, local addr: 192.168.1.156
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.200.11/255.255.255.255/0/0)
current_peer: 192.168.1.103, username: ewerwer
dynamic allocated peer ip: 192.168.200.11
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 476, #pkts decrypt: 238, #pkts verify: 476
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 238
10-14-2012 09:54 AM
And also, if I ping the inside interface from the client, the ASA receives the ping but does not send it back.
ciscoasa# ICMP echo request from 192.168.200.10 to 192.168.0.1 ID=1 seq=124 len=32
ICMP echo request from 192.168.200.10 to 192.168.0.1 ID=1 seq=125 len=32
ICMP echo request from 192.168.200.10 to 192.168.0.1 ID=1 seq=126 len=32
ICMP echo request from 192.168.200.10 to 192.168.0.1 ID=1 seq=127 len=32
The ping from the ASA to the client is OK.
ciscoasa# ping 192.168.200.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.200.10, timeout is 2 seconds:
ICMP echo request from 192.168.1.156 to 192.168.200.10 ID=23955 seq=33410 len=72
!ICMP echo reply from 192.168.200.10 to 192.168.1.156 ID=23955 seq=33410 len=72
ICMP echo request from 192.168.1.156 to 192.168.200.10 ID=23955 seq=33410 len=72
!ICMP echo reply from 192.168.200.10 to 192.168.1.156 ID=23955 seq=33410 len=72
ICMP echo request from 192.168.1.156 to 192.168.200.10 ID=23955 seq=33410 len=72
ICMP echo reply from 192.168.200.10 to 192.168.1.156 ID=23955 seq=33410 len=72
!ICMP echo request from 192.168.1.156 to 192.168.200.10 ID=23955 seq=33410 len=72
!ICMP echo reply from 192.168.200.10 to 192.168.1.156 ID=23955 seq=33410 len=72
ICMP echo request from 192.168.1.156 to 192.168.200.10 ID=23955 seq=33410 len=72
ICMP echo reply from 192.168.200.10 to 192.168.1.156 ID=23955 seq=33410 len=72
!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/6/10 ms
10-14-2012 01:31 PM
Well, the inside interface of your ASA is "shutdown"; that's why you can't connect to it.
Plus, you would also need to configure "management-access inside" to be able to ping the inside interface of the ASA, and the interface needs to be UP before you can ping it.
10-14-2012 02:44 PM
You are right about the inside interface. I added the command and it worked for pinging the inside interface, but the others are the same. Thanks,
10-15-2012 10:52 AM
Jen,
Although the problem is not solved yet, you directed me onto the right path. Not rating you would not be fair.
Thanks,
Han