05-13-2011 09:24 AM - edited 02-21-2020 05:20 PM
I know I'm missing something really simple here, but I'm a relative newbie to Cisco, so bear with me.
We're in the process of setting up an ASA 5510 as our main VPN appliance.
The Outside interface of the 5510 faces our DMZ, the Inside interface sits on our main network. The 5510 uses radius for authentication going to a server on the same subnet for the authentication. That works fine. VPN client can connect to the 5510 and successfully authenticate. Routes are passed through to the VPN client, no problem. PC with VPN client can access internet (which is by design, it should use its own internet connection), but cannot ping/access/trace over the tunnel at all.
My hunch is that this is a nat issue - but I am confused as to how the NAT should be configured - I've tried several configurations with no luck.
The VPN client is set to pull an ip address from the pool - 192.168.56.10 - 100. The 5510 is sitting on a separate subnet (50.x/22). This seems to work on the Cisco 1700 that it will be replacing just fine. I mirrored routes and ACLs as well onto the new 5510. No luck. Client connects, authenticates, pulls an IP address and routes, but can't see anything on the inside of the 5510.
Any thoughts would be appreciated.
Thanks!
05-13-2011 09:58 AM
1. In general, you need to bypass NAT for the vpn traffic to the client.
On ASA, you need to add something similar to the following.
access-list nonat permit ip 192.168.50.0 255.255.252.0 192.168.56.0 255.255.255.0
nat (inside) 0 access-list nonat
2. check the routing and make sure the internal network knows to send the packet to ASA if it needs to reach 192.168.56.0
05-13-2011 10:39 AM
Tried that with no luck. Still connecting, authenticating, pulling routes, but no traffic. Checked the client - it isn't receiving any packets. It's sending packets, showing some as encrypted, but most are bypassed. Here's the config:
ASA Version 8.2(1)
!
hostname ASAVPN
names
!
interface Ethernet0/0
nameif Outside
security-level 0
ip address
!
interface Ethernet0/1
nameif Inside
security-level 100
ip address 192.168.50.5 255.255.252.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
access-list hpcovpn04_splitTunnelAcl standard permit 192.168.48.0 255.255.252.0
access-list hpcovpn04_splitTunnelAcl standard permit 192.168.36.0 255.255.255.0
access-list hpcovpn04_splitTunnelAcl standard permit 192.168.52.0 255.255.255.0
access-list hpcovpn04_splitTunnelAcl standard permit 192.168.53.0 255.255.255.0
access-list hpcovpn04_splitTunnelAcl standard permit 192.168.54.0 255.255.255.0
access-list hpcovpn04_splitTunnelAcl standard permit 192.168.66.0 255.255.255.0
access-list hpcovpn04_splitTunnelAcl standard permit host
access-list hpcovpn04_splitTunnelAcl standard permit 192.168.64.0 255.255.255.0
access-list hpcovpn04_splitTunnelAcl standard permit 192.168.65.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.48.0 255.255.252.0 192.168.56.0 255.255.255.0
access-list nonat extended permit ip 192.168.48.0 255.255.252.0 192.168.56.0 255.255.255.0
pager lines 24
mtu Outside 1500
mtu Inside 1500
ip local pool DIAL-IN 192.168.56.10-192.168.56.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
nat (Inside) 0 access-list nonat
route Outside 0.0.0.0 0.0.0.0 12.54.190.17 1
route Inside 192.168.32.0 255.255.240.0 192.168.50.1 1
route Inside 192.168.52.0 255.255.252.0 192.168.48.5 1
route Inside 192.168.56.0 255.255.255.0
route Inside 192.168.64.0 255.255.255.0 192.168.50.2 1
route Inside 192.168.65.0 255.255.255.0 192.168.50.2 1
route Inside 192.168.66.0 255.255.255.0 192.168.48.5 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server RADIUS protocol radius
aaa-server RADIUS (Inside) host 192.168.xx.xx
timeout 5
key xxx
http server enable
http 192.168.48.0 255.255.252.0 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside_map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 192.168.48.0 255.255.252.0 Inside
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
anyconnect-essentials
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol webvpn
group-policy hpcovpn04 internal
group-policy hpcovpn04 attributes
dns-server value 192.168.xx.xx 192.168.xx.xx
vpn-tunnel-protocol IPSec l2tp-ipsec
ipsec-udp enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value hpcovpn04_splitTunnelAcl
default-domain value henrypratt.com
tunnel-group hpcovpn04 type remote-access
tunnel-group hpcovpn04 general-attributes
address-pool DIAL-IN
authentication-server-group RADIUS
default-group-policy ourpolicy
tunnel-group ourpolicy ipsec-attributes
pre-shared-key *
!
!
prompt hostname context
Cryptochecksum:beee0e013866150a3079f917676574fd
: end
05-13-2011 10:40 AM
Also, clients are using TCP over UDP - if that helps.
05-13-2011 10:49 AM
I am not sure why you have this entry.
route Inside 192.168.56.0 255.255.255.0
It should be route outside .......
You don't have any internal network which is overlapped with VPN client ip pool 192.168.56.x?
Issue a ping from client to an internal host and then check "show cry ipsec sa" to see if decrypt/encry count is incrementing?
Issue a ping from internal host to vpn client and then check "show cry ipsec sa" to see if decrypt/encry count is incrementing? also check vpn client statistics to see if encry/decry count incrementing as well.
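As an added illustration (not code from the thread or from Cisco), a small Python check that parses the relevant lines of the posted 8.2(1) classic-NAT config and flags the two points raised in the replies: the VPN pool being routed back toward Inside, and internal networks that the nat 0 ACL does not exempt toward the pool. The config excerpt below is constructed from the posted config, trimmed to the lines the check needs.

```python
import ipaddress
import re

# Constructed excerpt of the ASA 8.2 config posted in the thread (not the full running-config).
ASA_CONFIG = """
interface Ethernet0/1
 nameif Inside
 ip address 192.168.50.5 255.255.252.0
access-list nonat extended permit ip 192.168.48.0 255.255.252.0 192.168.56.0 255.255.255.0
ip local pool DIAL-IN 192.168.56.10-192.168.56.254 mask 255.255.255.0
nat (Inside) 0 access-list nonat
route Outside 0.0.0.0 0.0.0.0 12.54.190.17 1
route Inside 192.168.32.0 255.255.240.0 192.168.50.1 1
route Inside 192.168.56.0 255.255.255.0
route Inside 192.168.64.0 255.255.255.0 192.168.50.2 1
"""

def net(addr, mask):
    # Dotted-decimal mask as the ASA writes it; strict=False tolerates host bits (e.g. the interface IP).
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def check_vpn_nat(config):
    """Return a list of findings for a classic-NAT (pre-8.3) ASA remote-access setup."""
    acls, routes, inside_net, pool = {}, [], None, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$", line):
            acls.setdefault(m[1], []).append((net(m[2], m[3]), net(m[4], m[5])))
        elif m := re.match(r"ip local pool \S+ (\S+)-\S+ mask (\S+)", line):
            pool = net(m[1], m[2])          # subnet the pool addresses live in
        elif m := re.match(r"route (\S+) (\S+) (\S+)", line):
            routes.append((m[1], net(m[2], m[3])))
        elif m := re.match(r"ip address (\S+) (\S+)", line):
            inside_net = net(m[1], m[2])    # the only interface in the excerpt is Inside
    nat0 = re.search(r"nat \(Inside\) 0 access-list (\S+)", config)
    exempt = acls.get(nat0[1], []) if nat0 else []
    findings = []
    # 1. The pool must not be routed back toward Inside; replies to clients belong in the tunnel.
    for iface, dst in routes:
        if iface == "Inside" and dst.overlaps(pool):
            findings.append(f"route Inside {dst} points the VPN pool away from the tunnel")
    # 2. Each network reachable via Inside needs a nat 0 entry to the pool; with nat-control on,
    #    return traffic without a translation or exemption is dropped.
    inside_dsts = [inside_net] + [d for i, d in routes if i == "Inside" and not d.overlaps(pool)]
    for dst in inside_dsts:
        if not any(src.supernet_of(dst) and pool.subnet_of(d) for src, d in exempt):
            findings.append(f"{dst} is not NAT-exempt toward pool {pool}")
    return findings
```

Against the posted config this reports the Inside route for 192.168.56.0/24 and the 192.168.32.0/20 and 192.168.64.0/24 networks, which are routed via Inside but absent from the nonat ACL.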
05-13-2011 11:02 AM
Encrypting on the client is escalating, as is bypassed. On the router, there's active pinging from the client to internal, decrypt packets go up. When going internal to client, no activity. No errors. No encryption or encapsulation on the 5510 and nothing received on the client.
05-13-2011 11:06 AM
interface: Outside
Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr:
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.56.10/255.255.255.255/0/0)
current_peer:
dynamic allocated peer ip: 192.168.56.10
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 21, #pkts decrypt: 21, #pkts verify: 21
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.:
path mtu 1500, ipsec overhead 82, media mtu 1500
current outbound spi: A08643E8
inbound esp sas:
spi: 0x3B849C45 (998546501)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Tunnel, UDP-Encaps, }
slot: 0, conn_id: 20480, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 28585
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x003FFFFF
outbound esp sas:
spi: 0xA08643E8 (2693153768)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Tunnel, UDP-Encaps, }
slot: 0, conn_id: 20480, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 28584
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
05-13-2011 11:22 AM
If you don't see the encrypt count incrementing in "show cry ipsec sa" when you ping from an internal host to the vpn client, it indicates that the packet from the internal host either did not reach the ASA or did not enter the tunnel for some reason.
Do a packet capture on Inside interface to see if the packet reach inside interface
1. define a ACL
2. then use capture command to apply acl to inside interface.
If you don't see the packet in the capture, you need to check the routing to see why the inside host did not forward the packet to the ASA.
If you do see the packet, use the "packet-tracer" command to see how the ASA handles it after receiving it on the inside interface.
05-13-2011 11:32 AM
Seems like when I do the packet trace, everything is being blocked by an implicit incoming rule on the Inside interface:
Source: any Dest: any Service: ip Action:Deny
There is a rule just above that:
Source any Dest: any Service ip Action: Permit
05-13-2011 11:34 AM
I've tried putting rules above it to permit everything, but the packet still gets dropped and ASDM points to that rule as the problem.
05-13-2011 11:39 AM
Ran a debug and saw this when the client connects:
Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end is NOT behind a NAT device
05-13-2011 11:42 AM
With packet trace, I can go from the 192.168.50 network to the 192.168.56 network without a problem. When I try to go from the 192.168.56 network to anywhere on the internal network, the packet gets dropped by a rule.
05-13-2011 11:17 AM
When I ping from the 5510 to the vpn client (56.10), I get no response, but looking at the ipsec, there are encrypted packets sent. I can ping the network fine from the 5510 on both sides. I am noticing now that the vpn connection seems to drop after a few minutes.
05-13-2011 11:40 AM
Can you post the full packet-tracer command output with the command which you used.