IPSEC VPN Setup on ASA 5510

klombard
Level 1

I know I'm missing something really simple here, but I'm a relative newbie to Cisco, so bear with me.

We're in the process of setting up an ASA 5510 as our main VPN appliance.

The Outside interface of the 5510 faces our DMZ, the Inside interface sits on our main network.  The 5510 uses RADIUS for authentication, going to a server on the same subnet.  That works fine.  The VPN client can connect to the 5510 and successfully authenticate.  Routes are passed through to the VPN client, no problem.  The PC with the VPN client can access the internet (which is by design; it should use its own internet connection), but cannot ping/access/trace over the tunnel at all.

My hunch is that this is a nat issue - but I am confused as to how the NAT should be configured - I've tried several configurations with no luck.

The VPN client is set to pull an ip address from the pool - 192.168.56.10 - 100.  The 5510 is sitting on a separate subnet (50.x/22).  This seems to work on the Cisco 1700 that it will be replacing just fine.  I mirrored routes and ACLs as well onto the new 5510.  No luck.  Client connects, authenticates, pulls an IP address and routes, but can't see anything on the inside of the 5510. 

Any thoughts would be appreciated. 

Thanks!

24 Replies

Please run the capture on the Inside interface first to confirm that the packet is received when you ping from an internal host to the client.

ASAVPN# packet input outside tcp 192.168.49.29 http 192.168.56.10 http detaile$
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.56.10   255.255.255.255 Outside
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xab7b0000, priority=111, domain=permit, deny=true
        hits=1, user_data=0x0, cs_id=0x0, flags=0x4000, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Result:
input-interface: Outside
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

------------
ASAVPN# packet input inside tcp 192.168.56.10 http 192.168.49.29 http detailed
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.48.0    255.255.252.0   Inside
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xab7f6650, priority=111, domain=permit, deny=true
        hits=9, user_data=0x0, cs_id=0x0, flags=0x4000, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Result:
input-interface: Inside
input-status: up
input-line-status: up
output-interface: Inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
------------------------------
ASAVPN# packet input inside tcp 192.168.49.29 http 192.168.56.10 http detailed
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.56.10   255.255.255.255 Outside
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Inside_access_in in interface Inside
access-list Inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object udp
protocol-object tcp
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xac019928, priority=12, domain=permit, deny=false
        hits=3, user_data=0xa89f6e40, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xab7f8420, priority=0, domain=permit-ip-option, deny=true
        hits=191, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 5
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
nat-control
  match ip Inside 192.168.48.0 255.255.252.0 Outside 192.168.56.0 255.255.255.0
    NAT exempt
    translate_hits = 4, untranslate_hits = 29
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xabfaa238, priority=6, domain=nat-exempt, deny=false
        hits=3, user_data=0xabd9c480, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip=192.168.48.0, mask=255.255.252.0, port=0
        dst ip=192.168.56.0, mask=255.255.255.0, port=0, dscp=0x0
Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (Inside) 0 0.0.0.0 0.0.0.0
nat-control
  match ip Inside any Outside any
    no translation group, implicit deny
    policy_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xac01aba8, priority=0, domain=nat, deny=false
        hits=3, user_data=0xac01aae8, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (Inside) 0 0.0.0.0 0.0.0.0
nat-control
  match ip Inside any Outside any
    no translation group, implicit deny
    policy_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xabd9bb98, priority=0, domain=host, deny=false
        hits=137, user_data=0xac01aae8, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 8
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0xac00e338, priority=70, domain=encrypt, deny=false
        hits=2, user_data=0x2f37c, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=192.168.56.10, mask=255.255.255.255, port=0, dscp=0x0
Phase: 9
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in  id=0xabf0ba20, priority=69, domain=ipsec-tunnel-flow, deny=false
        hits=2, user_data=0x31afc, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=192.168.56.10, mask=255.255.255.255, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in  id=0xab7b1dd0, priority=0, domain=permit-ip-option, deny=true
        hits=449, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 577, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_encrypt
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_ipsec_tunnel_flow
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Result:
input-interface: Inside
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: allow
---------------
ASAVPN# packet input outside tcp 192.168.49.29 http 192.168.56.10 http detaile$
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.56.0    255.255.255.0   Outside
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xab7b0000, priority=111, domain=permit, deny=true
        hits=2, user_data=0x0, cs_id=0x0, flags=0x4000, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Result:
input-interface: Outside
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
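The four traces above are being read by hand to find the phase that drops the packet and, in the allowed direction, which NAT exemption the flow matched. The script below is an added example for this thread, not Cisco's code or any ASA tooling: it parses `packet-tracer ... detailed` output in the layout shown above (numbered Phase/Type/Result/Config blocks, then a bare "Result:" section with input-interface, Action and Drop-reason) and prints a one-line verdict. The two sample traces are constructed, shortened copies of the dropped Outside-in trace and the allowed Inside-out trace posted above.

```python
"""Summarize Cisco ASA `packet-tracer ... detailed` output (added example for this
thread, not Cisco's code or ASA tooling). Assumes the layout seen in the traces
above: numbered Phase/Type/Result/Config blocks, then a bare "Result:" section
with input-interface, Action and, on a drop, Drop-reason. Both samples are
constructed, shortened copies of the traces posted in the thread."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Phase:
    number: int
    type: str = ""
    result: str = ""
    config: List[str] = field(default_factory=list)


@dataclass
class Trace:
    phases: List[Phase]
    final: Dict[str, str]  # keys from the closing "Result:" section


def parse_trace(text: str) -> Trace:
    phases: List[Phase] = []
    cur: Optional[Phase] = None
    in_config = in_final = False
    final: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Phase:\s*(\d+)$", line)
        if m:
            cur = Phase(int(m.group(1)))
            phases.append(cur)
            in_config = False
        elif line == "Result:":  # a bare "Result:" opens the final section
            cur, in_final = None, True
        elif in_final and ":" in line:
            key, _, value = line.partition(":")
            final[key] = value.strip()
        elif cur is not None:
            if line == "Config:":
                in_config = True
            elif line == "Additional Information:":
                in_config = False
            elif in_config:
                cur.config.append(line)
            elif line.startswith("Type:"):
                cur.type = line[5:].strip()
            elif line.startswith("Result:"):
                cur.result = line[7:].strip()
    return Trace(phases, final)


def nat_exempt_match(trace: Trace) -> Optional[str]:
    """The 'match ip ...' line of the NAT-EXEMPT phase, or None if no exemption was hit."""
    for p in trace.phases:
        if p.type == "NAT-EXEMPT":
            return next((c for c in p.config if c.startswith("match ip")), None)
    return None


def summarize(trace: Trace) -> str:
    """One-line verdict: where the packet died, or which NAT exemption it used."""
    path = f"{trace.final.get('input-interface')}->{trace.final.get('output-interface')}"
    if trace.final.get("Action") == "drop":
        # The ASA stops at the first phase whose own Result is DROP.
        p = next((p for p in trace.phases if p.result == "DROP"), None)
        where = f"phase {p.number} {p.type}" if p else "unknown phase"
        return f"DROP {path} at {where}: {trace.final.get('Drop-reason')}"
    return f"ALLOW {path}; NAT exemption: {nat_exempt_match(trace) or 'none'}"


# Constructed, shortened copy of the Outside-in trace: implicit deny, no ACL hit.
DROPPED = """\
Phase: 1
Type: ROUTE-LOOKUP
Result: ALLOW
Config:
Additional Information:
in   192.168.56.10   255.255.255.255 Outside
Phase: 2
Type: ACCESS-LIST
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: Outside
output-interface: Outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

# Constructed, shortened copy of the Inside-out trace that hit the NAT exemption.
ALLOWED = """\
Phase: 1
Type: NAT-EXEMPT
Result: ALLOW
Config:
nat-control
  match ip Inside 192.168.48.0 255.255.252.0 Outside 192.168.56.0 255.255.255.0
    NAT exempt
Result:
input-interface: Inside
output-interface: Outside
Action: allow
"""

if __name__ == "__main__":
    for sample in (DROPPED, ALLOWED):
        print(summarize(parse_trace(sample)))
```

Run it against a saved trace and the verdict line tells you whether the flow died in the ACL check (as both Outside-in traces above do) or made it through NAT exemption and the encrypt phase; when no NAT-EXEMPT phase appears at all in the Inside-out direction, the VPN pool is not covered by the `nat (Inside) 0 access-list` exemption, which is the NAT problem the original post suspected.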

Not sure how to do the capture, but when I do a ping from internal to the client, the client receives encrypted packets.

Please use

packet input inside tcp 192.168.49.29 http 192.168.56.10 http detaile

We are troubleshooting the direction from the internal host to the VPN client.

access-list cap permit ip host 192.168.56.0 255.255.255.0

access-list cap permit ip 192.168.56.0 255.255.255.0 host

capture in access-list cap interface Inside

Then issue the ping from internal host to vpn client.

show capture in    <<< will list the packets captured.

0 packet captured
0 packet shown

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xac00ec78, priority=12, domain=capture, deny=false
        hits=4099, user_data=0xabf59c30, cs_id=0x0, l3_type=0x0
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0000.0000.0000
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xab7f5c10, priority=1, domain=permit, deny=false
        hits=42154, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0000.0000.0000
Phase: 3
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 4
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.56.10   255.255.255.255 Outside
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xab7f8420, priority=0, domain=permit-ip-option, deny=true
        hits=332, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 6
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xabfaa3a8, priority=12, domain=capture, deny=false
        hits=1, user_data=0xabf59c30, cs_id=0xab7b4ed8, reverse, flags=0x0, protocol=0
        src ip=192.168.49.29, mask=255.255.255.255, port=0
        dst ip=192.168.56.0, mask=255.255.255.0, port=0, dscp=0x0
Phase: 7
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
nat-control
  match ip Inside 192.168.48.0 255.255.240.0 Outside 192.168.56.0 255.255.255.0
    NAT exempt
    translate_hits = 2, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xabdab5a8, priority=6, domain=nat-exempt, deny=false
        hits=1, user_data=0xac019ab8, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip=192.168.48.0, mask=255.255.240.0, port=0
        dst ip=192.168.56.0, mask=255.255.255.0, port=0, dscp=0x0
Phase: 8
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (Inside) 0 0.0.0.0 0.0.0.0
nat-control
  match ip Inside any Outside any
    no translation group, implicit deny
    policy_hits = 2
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xac01aba8, priority=0, domain=nat, deny=false
        hits=8, user_data=0xac01aae8, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 9
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (Inside) 0 0.0.0.0 0.0.0.0
nat-control
  match ip Inside any Outside any
    no translation group, implicit deny
    policy_hits = 2
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xabd9bb98, priority=0, domain=host, deny=false
        hits=277, user_data=0xac01aae8, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 10
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0xabfa9e58, priority=70, domain=encrypt, deny=false
        hits=1, user_data=0x32634, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=192.168.56.10, mask=255.255.255.255, port=0, dscp=0x0
Phase: 11
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in  id=0xabfa9940, priority=69, domain=ipsec-tunnel-flow, deny=false
        hits=1, user_data=0x34354, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=192.168.56.10, mask=255.255.255.255, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 12
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in  id=0xab7b1dd0, priority=0, domain=permit-ip-option, deny=true
        hits=534, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 13
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
out id=0xac0197f8, priority=12, domain=capture, deny=false
        hits=0, user_data=0xabf59c30, cs_id=0xab7b4ed8, reverse, flags=0x0, protocol=0
        src ip=192.168.56.0, mask=255.255.255.0, port=0
        dst ip=192.168.49.29, mask=255.255.255.255, port=0, dscp=0x0
Phase: 14
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 800, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_encrypt
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_ipsec_tunnel_flow
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Result:
input-interface: Inside
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: allow

1 packet captured
   1: 11:12:44.525455 192.168.49.29.80 > 192.168.56.10.80: S 1864813813:1864813813(0) win 8192
1 packet shown

Captured packet showed up after I ran the packet trace.
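The diagnostic step above rests on one observation: before the packet-tracer run, `show capture in` showed "0 packet captured", so nothing from the internal host ever arrived at the Inside interface, and the one packet that did show up was injected by the tracer itself. The script below is an added example for this thread, not Cisco's code: it parses a `show capture` listing in the one-line-per-packet format shown above, keeps only packets travelling from the Inside subnet toward the VPN pool (the thread's 192.168.48.0/22 and 192.168.56.0/24), and returns the same verdict the reply draws. The listing it runs on is constructed; the ICMP line format is an assumption modelled on the TCP line in the thread.

```python
"""Check a Cisco ASA `show capture <name>` listing for traffic in the direction
under test (added example for this thread, not Cisco's code). Assumes the
one-line-per-packet format shown above, e.g.
   1: 11:12:44.525455 192.168.49.29.80 > 192.168.56.10.80: S 1864813813:1864813813(0) win 8192
The ICMP lines in the sample are an assumed format; the sample listing itself
is constructed."""
import ipaddress
import re
from typing import List, NamedTuple, Optional

IP = r"(\d+\.\d+\.\d+\.\d+)"
LINE = re.compile(rf"^\s*(\d+):\s+(\S+)\s+{IP}(?:\.(\d+))?\s+>\s+{IP}(?:\.(\d+))?:\s*(.*)$")


class Packet(NamedTuple):
    index: int
    time: str
    src: str
    sport: Optional[int]   # None for protocols without ports (ICMP)
    dst: str
    dport: Optional[int]
    rest: str              # flags / protocol detail after the colon


def parse_capture(text: str) -> List[Packet]:
    """Return the packet lines of a `show capture` listing; count lines are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            i, t, s, sp, d, dp, rest = m.groups()
            pkts.append(Packet(int(i), t, s, int(sp) if sp else None,
                               d, int(dp) if dp else None, rest))
    return pkts


def in_direction(pkts: List[Packet], src_net: str, dst_net: str) -> List[Packet]:
    """Packets whose source lies in src_net and destination in dst_net."""
    src = ipaddress.ip_network(src_net)
    dst = ipaddress.ip_network(dst_net)
    return [p for p in pkts
            if ipaddress.ip_address(p.src) in src and ipaddress.ip_address(p.dst) in dst]


def verdict(text: str, src_net: str, dst_net: str) -> str:
    """The conclusion the thread draws from the capture: did the test traffic reach the ASA?"""
    hits = in_direction(parse_capture(text), src_net, dst_net)
    if not hits:
        return (f"no packets from {src_net} to {dst_net} reached this interface; "
                "check the internal path hop by hop for a route to the pool")
    return f"{len(hits)} packet(s) from {src_net} to {dst_net} reached this interface"


# Constructed listing: the tracer-injected TCP packet from the thread plus an
# assumed ICMP echo pair for a ping from the internal host to the VPN client.
SAMPLE = """\
3 packets captured
   1: 11:12:44.525455 192.168.49.29.80 > 192.168.56.10.80: S 1864813813:1864813813(0) win 8192
   2: 11:12:50.104211 192.168.49.29 > 192.168.56.10: icmp: echo request
   3: 11:12:50.104877 192.168.56.10 > 192.168.49.29: icmp: echo reply
3 packets shown
"""
EMPTY = "0 packet captured\n0 packet shown\n"

if __name__ == "__main__":
    print(verdict(EMPTY, "192.168.48.0/22", "192.168.56.0/24"))
    print(verdict(SAMPLE, "192.168.48.0/22", "192.168.56.0/24"))
```

Feed it the raw `show capture in` text: an empty result in the Inside-to-pool direction is the "packet never reached the ASA" case, which is a routing problem upstream of the firewall rather than an ACL or NAT problem on it; the reverse-direction packets are filtered out so a reply from the client is not mistaken for the forward traffic being tested.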

Ok, so the problem is that the packet did not reach the ASA Inside interface when the internal host sent the traffic to the VPN client.

You need to check your internal network hop by hop to see why the packet is not forwarded to the ASA.

Ok,

I added a route on another router and now I can ping between the vpn client and the internal network - but nothing else.   Can't view intranet, browse file shares, etc.

Ok, at least we made some progress.

If the server is pingable, the VPN client does have IP connectivity. You might need to check whether DNS works or not.

From your configuration, you configured "default-group-policy ourpolicy" but I did not see any group-policy in the configuration with "ourpolicy".

After the VPN client is up, you can try whether you can reach the internal server via its DNS name.
