05-13-2011 09:24 AM - edited 02-21-2020 05:20 PM
I know I'm missing something really simple here, but I'm a relative newbie to Cisco, so bear with me.
We're in the process of setting up an ASA 5510 as our main VPN appliance.
The Outside interface of the 5510 faces our DMZ, the Inside interface sits on our main network. The 5510 uses RADIUS for authentication, going to a server on the same subnet for the authentication. That works fine. The VPN client can connect to the 5510 and successfully authenticate. Routes are passed through to the VPN client, no problem. A PC with the VPN client can access the internet (which is by design, it should use its own internet connection), but cannot ping/access/trace over the tunnel at all.
My hunch is that this is a nat issue - but I am confused as to how the NAT should be configured - I've tried several configurations with no luck.
The VPN client is set to pull an IP address from the pool 192.168.56.10-100. The 5510 is sitting on a separate subnet (50.x/22). This seems to work on the Cisco 1700 that it will be replacing just fine. I mirrored routes and ACLs as well onto the new 5510. No luck. Client connects, authenticates, pulls an IP address and routes, but can't see anything on the inside of the 5510.
Any thoughts would be appreciated.
Thanks!
05-13-2011 11:46 AM
Please run the capture on the Inside interface first to confirm that the packet is received when you ping from an internal host to the client.
05-13-2011 11:51 AM
ASAVPN# packet-tracer input Outside tcp 192.168.49.29 http 192.168.56.10 http detailed
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.56.10 255.255.255.255 Outside
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xab7b0000, priority=111, domain=permit, deny=true
hits=1, user_data=0x0, cs_id=0x0, flags=0x4000, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Result:
input-interface: Outside
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
05-13-2011 11:53 AM
Not sure how to do the capture, but when I do a ping from internal to the client, the client receives encrypted packets.
05-13-2011 11:57 AM
Please use
packet-tracer input Inside tcp 192.168.49.29 http 192.168.56.10 http detailed
We are troubleshooting the direction from the internal host to the VPN client.
access-list cap permit ip host
access-list cap permit ip 192.168.56.0 255.255.255.0 host
capture in access-list cap interface Inside
Then issue the ping from the internal host to the VPN client.
show capture in   <<< will list the packets captured.
05-13-2011 12:14 PM
0 packet captured
0 packet shown
05-13-2011 12:17 PM
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xac00ec78, priority=12, domain=capture, deny=false
hits=4099, user_data=0xabf59c30, cs_id=0x0, l3_type=0x0
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0000.0000.0000
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xab7f5c10, priority=1, domain=permit, deny=false
hits=42154, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0000.0000.0000
Phase: 3
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 4
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.56.10 255.255.255.255 Outside
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xab7f8420, priority=0, domain=permit-ip-option, deny=true
hits=332, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 6
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xabfaa3a8, priority=12, domain=capture, deny=false
hits=1, user_data=0xabf59c30, cs_id=0xab7b4ed8, reverse, flags=0x0, protocol=0
src ip=192.168.49.29, mask=255.255.255.255, port=0
dst ip=192.168.56.0, mask=255.255.255.0, port=0, dscp=0x0
Phase: 7
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
nat-control
match ip Inside 192.168.48.0 255.255.240.0 Outside 192.168.56.0 255.255.255.0
NAT exempt
translate_hits = 2, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
in id=0xabdab5a8, priority=6, domain=nat-exempt, deny=false
hits=1, user_data=0xac019ab8, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip=192.168.48.0, mask=255.255.240.0, port=0
dst ip=192.168.56.0, mask=255.255.255.0, port=0, dscp=0x0
Phase: 8
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (Inside) 0 0.0.0.0 0.0.0.0
nat-control
match ip Inside any Outside any
no translation group, implicit deny
policy_hits = 2
Additional Information:
Forward Flow based lookup yields rule:
in id=0xac01aba8, priority=0, domain=nat, deny=false
hits=8, user_data=0xac01aae8, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 9
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (Inside) 0 0.0.0.0 0.0.0.0
nat-control
match ip Inside any Outside any
no translation group, implicit deny
policy_hits = 2
Additional Information:
Forward Flow based lookup yields rule:
in id=0xabd9bb98, priority=0, domain=host, deny=false
hits=277, user_data=0xac01aae8, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 10
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0xabfa9e58, priority=70, domain=encrypt, deny=false
hits=1, user_data=0x32634, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=192.168.56.10, mask=255.255.255.255, port=0, dscp=0x0
Phase: 11
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xabfa9940, priority=69, domain=ipsec-tunnel-flow, deny=false
hits=1, user_data=0x34354, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=192.168.56.10, mask=255.255.255.255, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 12
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xab7b1dd0, priority=0, domain=permit-ip-option, deny=true
hits=534, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 13
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
out id=0xac0197f8, priority=12, domain=capture, deny=false
hits=0, user_data=0xabf59c30, cs_id=0xab7b4ed8, reverse, flags=0x0, protocol=0
src ip=192.168.56.0, mask=255.255.255.0, port=0
dst ip=192.168.49.29, mask=255.255.255.255, port=0, dscp=0x0
Phase: 14
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 800, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_encrypt
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_ipsec_tunnel_flow
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Result:
input-interface: Inside
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: allow
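The two packet-tracer runs above are read by eye; when you are comparing several of them (one per direction, one per interface) it helps to have something that pulls out the verdict and the phase that produced it. The following is an added example written for this thread, not code from the original posts or from Cisco: a small parser for the ASA packet-tracer output format. The Phase and Trace classes and the function names are my own; the two sample traces are trimmed copies of the outputs posted above (the drop on Outside at phase 3, and the NAT-EXEMPT match on Inside), kept only as far as the parser needs them.

```python
# Added example for this thread (not from the original posts or from Cisco): a
# parser for ASA packet-tracer output that names the phase deciding the verdict.
import re
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class Phase:
    number: int
    type: str = ""
    result: str = ""                                  # ALLOW or DROP
    config: List[str] = field(default_factory=list)   # lines under "Config:"

@dataclass
class Trace:
    phases: List[Phase] = field(default_factory=list)
    action: str = ""                                  # final "Action:" line
    drop_reason: Optional[str] = None
    input_interface: Optional[str] = None
    output_interface: Optional[str] = None

def parse_packet_tracer(text: str) -> Trace:
    # A bare "Result:" line opens the final verdict block; "Result: ALLOW|DROP"
    # belongs to the current phase. Everything else is "key: value" or free text.
    trace, phase, section = Trace(), None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"Phase:\s*(\d+)$", line)
        if m:
            phase = Phase(int(m.group(1)))
            trace.phases.append(phase)
            section = None
            continue
        if line == "Result:":
            phase, section = None, "final"
            continue
        key, _, value = line.partition(":")
        value = value.strip()
        if section == "final":
            attr = {"input-interface": "input_interface", "Action": "action",
                    "output-interface": "output_interface",
                    "Drop-reason": "drop_reason"}.get(key)
            if attr:
                setattr(trace, attr, value)
        elif phase is None:
            continue
        elif key == "Type":
            phase.type = value
        elif key == "Result":
            phase.result = value
        elif key == "Config":
            section = "config"
        elif key == "Additional Information":
            section = "info"                          # rule dump; not collected here
        elif section == "config":
            phase.config.append(line)
    return trace

def deciding_phase(trace: Trace) -> Optional[Phase]:
    """First phase with Result DROP; None when every phase allowed the packet."""
    return next((p for p in trace.phases if p.result.upper() == "DROP"), None)

def summarize(trace: Trace) -> str:
    p = deciding_phase(trace)
    if p is None:
        return f"allow {trace.input_interface} -> {trace.output_interface}"
    return f"drop at phase {p.number} {p.type} [{'; '.join(p.config) or 'no config'}]: {trace.drop_reason}"

# Trimmed copies of the two traces posted in this thread.
TRACE_OUTSIDE = """
Phase: 3
Type: ACCESS-LIST
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
Result:
input-interface: Outside
output-interface: Outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

TRACE_INSIDE = """
Phase: 7
Type: NAT-EXEMPT
Result: ALLOW
Config:
nat-control
match ip Inside 192.168.48.0 255.255.240.0 Outside 192.168.56.0 255.255.255.0
NAT exempt
Additional Information:
Forward Flow based lookup yields rule:
Result:
input-interface: Inside
output-interface: Outside
Action: allow
"""

if __name__ == "__main__":
    for name, text in (("outside", TRACE_OUTSIDE), ("inside", TRACE_INSIDE)):
        print(name, "->", summarize(parse_packet_tracer(text)))
```

Paste the full `packet-tracer ... detailed` output into either constant, or read it from a file, and `summarize()` reports either the first DROP phase with its Config lines (here the implicit deny on Outside) or the interfaces an allowed flow went between. For the thread's second trace this confirms the inbound-to-client direction is allowed and hits the NAT exemption, which is why the answer below points at routing upstream of the ASA rather than at NAT.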
05-13-2011 12:19 PM
1 packet captured
1: 11:12:44.525455 192.168.49.29.80 > 192.168.56.10.80: S 1864813813:1864813813(0) win 8192
1 packet shown
05-13-2011 12:24 PM
OK, so the problem is that the packet did not reach the ASA Inside interface when the internal host sent the traffic to the VPN client.
You need to check your internal network hop by hop to see why the packet is not forwarded to the ASA.
05-13-2011 12:49 PM
Ok,
I added a route on another router and now I can ping between the vpn client and the internal network - but nothing else. Can't view intranet, browse file shares, etc.
05-13-2011 02:50 PM
OK. At least we made some progress.
If the server is pingable, the VPN client does have IP connectivity. You might need to check if DNS works or not.
From your configuration, you configured "default-group-policy ourpolicy" but I did not see any group-policy in the configuration with "ourpolicy".
After vpn client is UP, you can try if you can reach the internal server via DNS name.