cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1769
Views
0
Helpful
17
Replies

IPsec remote VPN's got an IP and doesnt work

hanwucisco
Level 1
Level 1

I am setting up a simple remote IPsec VPN with a ASA 8.4. All I want to do is the remote user can VPN into the ASA, from there, he can
browse the outside Web pages in the internet. and we'd like not to use split-tunneling.

the outside infterface is 192.168.1.155/24, which is inside our network and this subnet works fine to outside.
the pool for vpn is 192.168.0.0./24(please pay attention to the 3r octet)


I configured and the remote user can vpn in and get an IP from the pool. but it seems that he cannot do anything. he cannot ping anything.
I suspected the NATTing that i use.

Can you tell me what is configured wrong? I guess i am having confusion as what traffice need to be natted and what need not.

thanks,
Han


======
:
ASA Version 8.4(2)
!

!
interface GigabitEthernet0
description VPN interface
nameif outside
security-level 0
ip address 192.168.1.156 255.255.255.0
!
interface GigabitEthernet1
description VPN interface
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0

!
ftp mode passive
object network obj-192.168.0.0
subnet 192.168.0.0 255.255.255.0
object network obj-192.168.1.155
host 192.168.1.155
access-list EXTERNAL extended permit ip any any
access-list EXTERNAL extended permit icmp any any
access-list vpn extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip local pool testpool 192.168.0.10-192.168.0.15
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
no asdm history enable
arp timeout 14400
!
object network obj-192.168.0.0
nat (inside,outside) dynamic interface
access-group EXTERNAL in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.1.155 1

dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set FirstSet esp-3des esp-md5-hmac
crypto dynamic-map dyn1 1 set ikev1 transform-set FirstSet
crypto dynamic-map dyn1 1 set reverse-route
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map mymap interface outside
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

tunnel-group testgroup type remote-access
tunnel-group testgroup general-attributes
address-pool testpool
tunnel-group testgroup ipsec-attributes
ikev1 pre-shared-key *
!
!

2 Accepted Solutions

Accepted Solutions

Well, your inside interface of the ASA is "shutdown", that's why you can't connect to it.

Plus you would also need to configure: management-access inside, to be able to ping the inside interface of the ASA, and the interface needs to be UP before you can ping it.

View solution in original post

Thanks Han....

OK, let's go through the rest of the issue.

So now, the only issue that you have is not being able to access the Internet without split tunnel config when connected through VPN, right?

Can you pls try with packet tracer to see where it's failing?

Also, if the NAT doesn't work, can you configure NAT on the upstream router for the VPN Pool (192.168.200.0/24), then also route that subnet to point towards the ASA outside interface IP (192.168.1.156) on the router.

View solution in original post

17 Replies 17

Jennifer Halim
Cisco Employee
Cisco Employee

You would need to configure the following:

same-security-traffic permit intra-interface

object network obj-192.168.0.0-vpn

    subnet 192.168.0.0 255.255.255.0

    nat (outside,outside) dynamic interface

Since your vpn pool is connected on the outside interface of the ASA because that's how the VPN is connected, the NAT statement needs to be "(outside,outside)", not "(inside,outside)".

Then "clear xlate" after the above changes.

thanks Jen,

Before i change this, can i please understand what this exactly do? and why?

Jen, I added this, but it still not working. symptoms remain the same.

since your outside ip is private IP, do you have NATing on the upstream device?

Are you able to ping 4.2.2.2 from the remote client?

Where is it failing?

can you pls share the output of:

show cry isa sa

show cry ipsec sa

once connected and try to ping 4.2.2.2

Plus full config from the ASA and the upstream device would help.

BTW, from the ASA itself, are you able to reach the internet?

Also, does the VPN Client have the correct DNS server that resolves public fqdn?

Jen, for you questions,

since your outside ip is private IP, do you have NATing on the upstream device? Yes

Are you able to ping 4.2.2.2 from the remote client? No.

Now I am connecting the vpn through a device in 192.168.1.0/24 subnet.

Where is it failing? that's what i am figuring out.

BTW, from the ASA itself, are you able to reach the internet? Yes, the user from the internet can vpn in the device as well with same symptoms.

Also, does the VPN Client have the correct DNS server that resolves public fqdn? I use google's free one for trial, the vpn client cannot ping it. but the ASA can ping it.

thanks,

Han

this is the show output, thanks

ciscoasa# show cry isa sa

IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 192.168.1.103
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_ACTIVE

There are no IKEv2 SAs
ciscoasa# show cry ipse sa
interface: outside
    Crypto map tag: dyn1, seq num: 1, local addr: 192.168.1.156

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.0.10/255.255.255.255/0/0)
      current_peer: 192.168.1.103, username: werrewre
      dynamic allocated peer ip: 192.168.0.10

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 388, #pkts decrypt: 194, #pkts verify: 388
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 194

      local crypto endpt.: 192.168.1.156/0, remote crypto endpt.: 192.168.1.103/0
      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 09E9FF5A
      current inbound spi : A8A0A2AC

    inbound esp sas:
      spi: 0xA8A0A2AC (2829099692)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={RA, Tunnel, }
         slot: 0, conn_id: 12288, crypto-map: dyn1
         sa timing: remaining key lifetime (sec): 28641
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x09E9FF5A (166330202)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={RA, Tunnel, }
         slot: 0, conn_id: 12288, crypto-map: dyn1
         sa timing: remaining key lifetime (sec): 28641
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

ciscoasa#

the following is the full ASA config. I am testing it right now from a device right in the same subnet as the ASA's outside interface.

Also, I saw on the ipconfig from the client, the vpn gateway is 192.168.0.1, which i have never configued. i seem not be able to control this.

ASA Version 8.4(2)

!

hostname ciscoasa

enable password  encrypted

passwd encrypted

names

!

interface GigabitEthernet0

description VPN interface

nameif outside

security-level 0

ip address 192.168.1.156 255.255.255.0

!

interface GigabitEthernet1

description VPN interface

shutdown

nameif inside

security-level 100

ip address 192.168.0.1 255.255.255.0

!

interface GigabitEthernet2

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet3

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet4

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet5

shutdown

no nameif

no security-level

no ip address

!

ftp mode passive

object network obj-192.168.0.0-vpn

subnet 192.168.0.0 255.255.255.0

pager lines 24

mtu outside 1500

mtu inside 1500

ip local pool testpool 192.168.0.10-192.168.0.15

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

!

object network obj-192.168.0.0-vpn

nat (outside,outside) dynamic interface

route outside 0.0.0.0 0.0.0.0 192.168.1.155 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ipsec ikev1 transform-set FirstSet esp-3des esp-md5-hmac

crypto dynamic-map dyn1 1 set ikev1 transform-set FirstSet

crypto dynamic-map dyn1 1 set reverse-route

crypto map mymap 1 ipsec-isakmp dynamic dyn1

crypto map mymap interface outside

crypto ikev1 enable outside

crypto ikev1 policy 1

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 43200

crypto ikev1 policy 65535

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

tunnel-group testgroup type remote-access

tunnel-group testgroup general-attributes

address-pool testpool

tunnel-group testgroup ipsec-attributes

ikev1 pre-shared-key *****

!

!

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

  no active

  destination address http

https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email

callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

crashinfo save disable

Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e

: end

Hmm, ok, so you are connecting from a device in the same subnet as the ASA outside.

Can you change the pool address so it's not in the same subnet as the inside interface. Pls kindly change it to a unique subnet, eg: 192.168.200.0/24

Then change the NAT statement:

object network obj-192.168.200.0-vpn

   subnet 192.168.200.0 255.255.255.0

   nat (outside,outside) dynamic interface

What is the upstream device? and how is the NAT configured?

I tried with 200 subnet. It is still the same. I did show command and found many recv errors.

By the way, the gateway the clinet is assgned from the ASA is of no real use, is it?

and also, if I ping the inside inferface from the client, the ASA received the ping, but not send it back.

ciscoasa(config)#  sh cry ipsec sa
interface: outside
    Crypto map tag: dyn1, seq num: 1, local addr: 192.168.1.156

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.200.11/255.255.255.255/0/0)
      current_peer: 192.168.1.103, username: ewerwer
      dynamic allocated peer ip: 192.168.200.11

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 476, #pkts decrypt: 238, #pkts verify: 476
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 238

and also, if I ping the inside inferface from the client, the ASA received the ping, but not send it back.

ciscoasa# ICMP echo request from 192.168.200.10 to 192.168.0.1 ID=1 seq=124 len=32

ICMP echo request from 192.168.200.10 to 192.168.0.1 ID=1 seq=125 len=32

ICMP echo request from 192.168.200.10 to 192.168.0.1 ID=1 seq=126 len=32

ICMP echo request from 192.168.200.10 to 192.168.0.1 ID=1 seq=127 len=32 ciscoasa# ICMP echo request from 192.168.200.10 to 192.168.0.1 ID=1 seq=124 len=32
ICMP echo request from 192.168.200.10 to 192.168.0.1 ID=1 seq=125 len=32
ICMP echo request from 192.168.200.10 to 192.168.0.1 ID=1 seq=126 len=32
ICMP echo request from 192.168.200.10 to 192.168.0.1 ID=1 seq=127 len=32

The ping from the ASA to the client is OK.

ciscoasa# ping 192.168.200.10

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.200.10, timeout is 2 seconds:

ICMP echo request from 192.168.1.156 to 192.168.200.10 ID=23955 seq=33410 len=72

!ICMP echo reply from 192.168.200.10 to 192.168.1.156 ID=23955 seq=33410 len=72

ICMP echo request from 192.168.1.156 to 192.168.200.10 ID=23955 seq=33410 len=72

!ICMP echo reply from 192.168.200.10 to 192.168.1.156 ID=23955 seq=33410 len=72

ICMP echo request from 192.168.1.156 to 192.168.200.10 ID=23955 seq=33410 len=72

ICMP echo reply from 192.168.200.10 to 192.168.1.156 ID=23955 seq=33410 len=72

!ICMP echo request from 192.168.1.156 to 192.168.200.10 ID=23955 seq=33410 len=72

!ICMP echo reply from 192.168.200.10 to 192.168.1.156 ID=23955 seq=33410 len=72

ICMP echo request from 192.168.1.156 to 192.168.200.10 ID=23955 seq=33410 len=72

ICMP echo reply from 192.168.200.10 to 192.168.1.156 ID=23955 seq=33410 len=72

!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/6/10 ms

Well, your inside interface of the ASA is "shutdown", that's why you can't connect to it.

Plus you would also need to configure: management-access inside, to be able to ping the inside interface of the ASA, and the interface needs to be UP before you can ping it.

You are right about the inside interface, i added the command it worked for ping to the inside interface, but other are the same. thanks,

Jen,

Although, the problem is not solved yet, but you directed me into right path. Not rating you is not fair.

thanks,

han

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: