cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
10082
Views
0
Helpful
24
Replies
klombard
Beginner

IPSEC VPN Setup on ASA 5510

I know I'm missing something really simple here, but I'm a relative newbie to Cisco, so bear with me.

We're in the process of setting up an ASA 5510 as our main VPN appliance.

The Outside interface of the 5510 faces our DMZ, the Inside interface sits on our main network.  The 5510 uses radius for authentication going to a server on the same subnet for the authentication.  That works fine.  VPN client can connect to the 5510 and successfully authenticate.  Routes are pass through to the VPN client, no problem.  PC with VPN client can access internet (which is by design, it should use it's own internet connection), but cannot ping/access/trace over the tunnel at all.

My hunch is that this is a nat issue - but I am confused as to how the NAT should be configured - I've tried several configurations with no luck.

The VPN client is set to pull an ip address from the pool - 192.168.56.10 - 100.  The 5510 is sitting on a separate subnet (50.x/22).  This seems to work on the Cisco 1700 that it will be replacing just fine.  I mirrored routes and ACLs as well onto the new 5510.  No luck.  Client connects, authenticates, pulls an IP address and routes, but can't see anything on the inside of the 5510. 

Any thoughts would be appreciated. 

Thanks!

24 REPLIES 24

please run the capture on Inside interface first to confirm that the packet is received when you ping from a internal host to client.

ASAVPN# packet input outside tcp 192.168.49.29 http 192.168.56.10 http detaile$

Phase: 1

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

Config:

Additional Information:

Found no matching flow, creating a new flow

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   192.168.56.10   255.255.255.255 Outside

Phase: 3

Type: ACCESS-LIST

Subtype:

Result: DROP

Config:

Implicit Rule

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xab7b0000, priority=111, domain=permit, deny=true

        hits=1, user_data=0x0, cs_id=0x0, flags=0x4000, protocol=0

        src ip=0.0.0.0, mask=0.0.0.0, port=0

        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Result:

input-interface: Outside

input-status: up

input-line-status: up

output-interface: Outside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

------------
ASAVPN# packet input inside tcp 192.168.56.10 http 192.168.49.29 http detailed
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.48.0    255.255.252.0   Inside
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xab7f6650, priority=111, domain=permit, deny=true
        hits=9, user_data=0x0, cs_id=0x0, flags=0x4000, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Result:
input-interface: Inside
input-status: up
input-line-status: up
output-interface: Inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
------------------------------
ASAVPN# packet input inside tcp 192.168.49.29 http 192.168.56.10 http detailed
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.56.10   255.255.255.255 Outside
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Inside_access_in in interface Inside
access-list Inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object udp
protocol-object tcp
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xac019928, priority=12, domain=permit, deny=false
        hits=3, user_data=0xa89f6e40, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xab7f8420, priority=0, domain=permit-ip-option, deny=true
        hits=191, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 5
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
nat-control
  match ip Inside 192.168.48.0 255.255.252.0 Outside 192.168.56.0 255.255.255.0
    NAT exempt
    translate_hits = 4, untranslate_hits = 29
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xabfaa238, priority=6, domain=nat-exempt, deny=false
        hits=3, user_data=0xabd9c480, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip=192.168.48.0, mask=255.255.252.0, port=0
        dst ip=192.168.56.0, mask=255.255.255.0, port=0, dscp=0x0
Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (Inside) 0 0.0.0.0 0.0.0.0
nat-control
  match ip Inside any Outside any
    no translation group, implicit deny
    policy_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xac01aba8, priority=0, domain=nat, deny=false
        hits=3, user_data=0xac01aae8, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (Inside) 0 0.0.0.0 0.0.0.0
nat-control
  match ip Inside any Outside any
    no translation group, implicit deny
    policy_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xabd9bb98, priority=0, domain=host, deny=false
        hits=137, user_data=0xac01aae8, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 8
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0xac00e338, priority=70, domain=encrypt, deny=false
        hits=2, user_data=0x2f37c, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=192.168.56.10, mask=255.255.255.255, port=0, dscp=0x0
Phase: 9
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in  id=0xabf0ba20, priority=69, domain=ipsec-tunnel-flow, deny=false
        hits=2, user_data=0x31afc, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=192.168.56.10, mask=255.255.255.255, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in  id=0xab7b1dd0, priority=0, domain=permit-ip-option, deny=true
        hits=449, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 577, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_encrypt
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_ipsec_tunnel_flow
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Result:
input-interface: Inside
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: allow
---------------
ASAVPN# packet input outside tcp 192.168.49.29 http 192.168.56.10 http detaile$
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.56.0    255.255.255.0   Outside
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xab7b0000, priority=111, domain=permit, deny=true
        hits=2, user_data=0x0, cs_id=0x0, flags=0x4000, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Result:
input-interface: Outside
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Not sure how to do the capture, but when I do a ping from internal to the client, the client receives encrypted packets.

Please use

packet input inside tcp 192.168.49.29 http 192.168.56.10 http detaile

We are troubleshoot the direction from internal host to vpn client.

accesss-list cap permit ip host 192.168.56.0 255.255.255.0

accesss-list cap permit ip 192.168.56.0 255.255.255.0 host

capture in access-list cap interface Inside

Then issue the ping from internal host to vpn client.

show capture in    << < will list the packet captured.

0 packet captured

0 packet shown

Phase: 1

Type: CAPTURE

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xac00ec78, priority=12, domain=capture, deny=false

        hits=4099, user_data=0xabf59c30, cs_id=0x0, l3_type=0x0

        src mac=0000.0000.0000, mask=0000.0000.0000

        dst mac=0000.0000.0000, mask=0000.0000.0000

Phase: 2

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xab7f5c10, priority=1, domain=permit, deny=false

        hits=42154, user_data=0x0, cs_id=0x0, l3_type=0x8

        src mac=0000.0000.0000, mask=0000.0000.0000

        dst mac=0000.0000.0000, mask=0000.0000.0000

Phase: 3

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

Config:

Additional Information:

Found no matching flow, creating a new flow

Phase: 4

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   192.168.56.10   255.255.255.255 Outside

Phase: 5

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xab7f8420, priority=0, domain=permit-ip-option, deny=true

        hits=332, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

        src ip=0.0.0.0, mask=0.0.0.0, port=0

        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 6

Type: CAPTURE

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xabfaa3a8, priority=12, domain=capture, deny=false

        hits=1, user_data=0xabf59c30, cs_id=0xab7b4ed8, reverse, flags=0x0, protocol=0

        src ip=192.168.49.29, mask=255.255.255.255, port=0

        dst ip=192.168.56.0, mask=255.255.255.0, port=0, dscp=0x0

Phase: 7

Type: NAT-EXEMPT

Subtype:

Result: ALLOW

Config:

nat-control

  match ip Inside 192.168.48.0 255.255.240.0 Outside 192.168.56.0 255.255.255.0

    NAT exempt

    translate_hits = 2, untranslate_hits = 0

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xabdab5a8, priority=6, domain=nat-exempt, deny=false

        hits=1, user_data=0xac019ab8, cs_id=0x0, use_real_addr, flags=0x0, protocol=0

        src ip=192.168.48.0, mask=255.255.240.0, port=0

        dst ip=192.168.56.0, mask=255.255.255.0, port=0, dscp=0x0

Phase: 8

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (Inside) 0 0.0.0.0 0.0.0.0

nat-control

  match ip Inside any Outside any

    no translation group, implicit deny

    policy_hits = 2

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xac01aba8, priority=0, domain=nat, deny=false

        hits=8, user_data=0xac01aae8, cs_id=0x0, flags=0x0, protocol=0

        src ip=0.0.0.0, mask=0.0.0.0, port=0

        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 9

Type: NAT

Subtype: host-limits

Result: ALLOW

Config:

nat (Inside) 0 0.0.0.0 0.0.0.0

nat-control

  match ip Inside any Outside any

    no translation group, implicit deny

    policy_hits = 2

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xabd9bb98, priority=0, domain=host, deny=false

        hits=277, user_data=0xac01aae8, cs_id=0x0, reverse, flags=0x0, protocol=0

        src ip=0.0.0.0, mask=0.0.0.0, port=0

        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 10

Type: VPN

Subtype: encrypt

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

out id=0xabfa9e58, priority=70, domain=encrypt, deny=false

        hits=1, user_data=0x32634, cs_id=0x0, reverse, flags=0x0, protocol=0

        src ip=0.0.0.0, mask=0.0.0.0, port=0

        dst ip=192.168.56.10, mask=255.255.255.255, port=0, dscp=0x0

Phase: 11

Type: VPN

Subtype: ipsec-tunnel-flow

Result: ALLOW

Config:

Additional Information:

Reverse Flow based lookup yields rule:

in  id=0xabfa9940, priority=69, domain=ipsec-tunnel-flow, deny=false

        hits=1, user_data=0x34354, cs_id=0x0, reverse, flags=0x0, protocol=0

        src ip=192.168.56.10, mask=255.255.255.255, port=0

        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 12

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Reverse Flow based lookup yields rule:

in  id=0xab7b1dd0, priority=0, domain=permit-ip-option, deny=true

        hits=534, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

        src ip=0.0.0.0, mask=0.0.0.0, port=0

        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 13

Type: CAPTURE

Subtype:

Result: ALLOW

Config:

Additional Information:

Reverse Flow based lookup yields rule:

out id=0xac0197f8, priority=12, domain=capture, deny=false

        hits=0, user_data=0xabf59c30, cs_id=0xab7b4ed8, reverse, flags=0x0, protocol=0

        src ip=192.168.56.0, mask=255.255.255.0, port=0

        dst ip=192.168.49.29, mask=255.255.255.255, port=0, dscp=0x0

Phase: 14

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 800, packet dispatched to next module

Module information for forward flow ...

snp_fp_tracer_drop

snp_fp_inspect_ip_options

snp_fp_tcp_normalizer

snp_fp_translate

snp_fp_adjacency

snp_fp_encrypt

snp_fp_fragment

snp_ifc_stat

Module information for reverse flow ...

snp_fp_tracer_drop

snp_fp_inspect_ip_options

snp_fp_ipsec_tunnel_flow

snp_fp_translate

snp_fp_tcp_normalizer

snp_fp_adjacency

snp_fp_fragment

snp_ifc_stat

Result:

input-interface: Inside

input-status: up

input-line-status: up

output-interface: Outside

output-status: up

output-line-status: up

Action: allow

1 packet captured

   1: 11:12:44.525455 192.168.49.29.80 > 192.168.56.10.80: S 1864813813:1864813813(0) win 8192

1 packet shown

Captured packet showed up after I ran the packet trace.

Ok, so the problem is that the packet did not reach ASA inside interface when internal host sent the traffic to vpn client.

You need check your internal network hop by hop to see why the packet is not forwarded to ASA.

Ok,

I added a route on another router and now I can ping between the vpn client and the internal network - but nothing else.   Can't view intranet, browse file shares, etc.

Ok. at lease we made some progress.

If the server is pingable, vpn client does have the ip connectivity. You might need to check if DNS works o not.

From your configuration, you configured "default-group-policy ourpolicy" but I did not see any group-policy in the configuration with "ourpolicy".

After vpn client is UP, you can try if you can reach the internal server via DNS name.