IPSEC VPN Setup on ASA 5510

klombard
Level 1

I know I'm missing something really simple here, but I'm a relative newbie to Cisco, so bear with me.

We're in the process of setting up an ASA 5510 as our main VPN appliance.

The Outside interface of the 5510 faces our DMZ; the Inside interface sits on our main network. The 5510 uses RADIUS for authentication, going to a server on the same subnet. That works fine. The VPN client can connect to the 5510 and successfully authenticate. Routes are passed through to the VPN client, no problem. A PC with the VPN client can access the internet (which is by design; it should use its own internet connection), but cannot ping/access/trace over the tunnel at all.

My hunch is that this is a NAT issue, but I am confused as to how the NAT should be configured. I've tried several configurations with no luck.

The VPN client is set to pull an IP address from the pool (192.168.56.10-100). The 5510 is sitting on a separate subnet (50.x/22). This seems to work just fine on the Cisco 1700 that it will be replacing. I mirrored routes and ACLs onto the new 5510 as well. No luck. The client connects, authenticates, pulls an IP address and routes, but can't see anything on the inside of the 5510.

Any thoughts would be appreciated. 

Thanks!

24 Replies

Yudong Wu
Level 7

1. In general, you need to bypass NAT for the VPN traffic to the client.

On the ASA, you need to add something similar to the following:

access-list nonat permit ip 192.168.50.0 255.255.252.0 192.168.56.0 255.255.255.0
nat (inside) 0 access-list nonat

2. Check the routing and make sure the internal network knows to send packets to the ASA when they need to reach 192.168.56.0.
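The two checks in this reply, NAT exemption and routing for the client pool, can be run mechanically against a saved config. The script below is an added example, not code from the thread or from Cisco: it parses a constructed ASA 8.2-style config fragment modelled on the addresses in this thread (the interface subnet, the nat 0 ACL, the local pool and the static routes, including a route for the pool itself) and reports whether the inside subnet to pool traffic is exempted from NAT, whether any connected subnet overlaps the pool, and whether a static route would pull pool-bound traffic away from the VPN interface. The interface name `Outside` passed as the VPN interface and the `192.0.2.1` default gateway are assumptions.

```python
# Added example (not from the thread or from Cisco): a checker for the two
# points made in the reply above, NAT exemption and routing for the VPN pool.
import ipaddress
import re

# Constructed sample config, modelled on the thread's addresses. The route for
# 192.168.56.0/24 with no next hop mirrors the entry the thread later questions.
SAMPLE_CONFIG = """\
interface Ethernet0/1
 nameif Inside
 security-level 100
 ip address 192.168.50.5 255.255.252.0
access-list nonat extended permit ip 192.168.48.0 255.255.252.0 192.168.56.0 255.255.255.0
ip local pool DIAL-IN 192.168.56.10-192.168.56.254 mask 255.255.255.0
nat (Inside) 0 access-list nonat
route Outside 0.0.0.0 0.0.0.0 192.0.2.1 1
route Inside 192.168.32.0 255.255.240.0 192.168.50.1 1
route Inside 192.168.56.0 255.255.255.0 1
route Inside 192.168.64.0 255.255.255.0 192.168.50.2 1
"""

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+) mask (\S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
ROUTE_RE = re.compile(r"^route (\S+) (\S+) (\S+)(?: (\S+))?(?: (\d+))?$")


def net(addr, mask):
    """Network containing addr/mask; host bits are dropped, as the ASA does."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_config(text):
    """Collect interface subnets, extended ACL entries, pools, nat 0 bindings and routes."""
    cfg = {"interfaces": {}, "acls": {}, "pools": {}, "nat0": {}, "routes": []}
    nameif = None
    for raw in text.splitlines():
        line = raw.strip()
        parts = line.split()
        if line.startswith("interface "):
            nameif = None
        elif line.startswith("nameif "):
            nameif = parts[1]
        elif line.startswith("ip address ") and nameif and len(parts) == 4:
            cfg["interfaces"][nameif] = net(parts[2], parts[3])
        elif m := ACL_RE.match(line):
            cfg["acls"].setdefault(m[1], []).append((net(m[2], m[3]), net(m[4], m[5])))
        elif m := POOL_RE.match(line):
            cfg["pools"][m[1]] = net(m[2], m[4])
        elif m := NAT0_RE.match(line):
            cfg["nat0"][m[1]] = m[2]
        elif m := ROUTE_RE.match(line):
            gateway = m[4]
            if gateway is not None:
                try:
                    ipaddress.ip_address(gateway)
                except ValueError:
                    gateway = None  # fourth token was the metric: the route has no next hop
            cfg["routes"].append((m[1], net(m[2], m[3]), gateway))
    return cfg


def nat_exemption_covers(cfg, iface, pool_name):
    """True if the nat 0 ACL bound to iface exempts iface-subnet -> pool traffic.
    The interface name is compared exactly as written in the config."""
    acl_name = cfg["nat0"].get(iface)
    inside, pool = cfg["interfaces"][iface], cfg["pools"][pool_name]
    return any(inside.subnet_of(src) and pool.subnet_of(dst)
               for src, dst in cfg["acls"].get(acl_name, []))


def routes_capturing_pool(cfg, pool_name, vpn_iface):
    """Static routes that would send pool-bound traffic out an interface other
    than the one the crypto map lives on (the default route is left alone)."""
    pool = cfg["pools"][pool_name]
    return [(iface, str(dst), gw) for iface, dst, gw in cfg["routes"]
            if iface != vpn_iface and dst.overlaps(pool)]


def interfaces_overlapping_pool(cfg, pool_name):
    """Directly connected subnets that overlap the client pool."""
    pool = cfg["pools"][pool_name]
    return [name for name, subnet in cfg["interfaces"].items() if subnet.overlaps(pool)]


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print("NAT exemption Inside -> DIAL-IN:", nat_exemption_covers(cfg, "Inside", "DIAL-IN"))
    print("Connected subnets overlapping the pool:", interfaces_overlapping_pool(cfg, "DIAL-IN"))
    print("Routes pulling pool traffic off the VPN path:", routes_capturing_pool(cfg, "DIAL-IN", "Outside"))
```

On the constructed fragment the NAT exemption passes and nothing overlaps the pool, but the checker flags the gateway-less `route Inside 192.168.56.0 255.255.255.0` entry, which is the same line the thread goes on to question.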

Tried that with no luck. Still connecting, authenticating, pulling routes, but no traffic. Checked the client: it isn't receiving any packets. It's sending packets, showing some as encrypted, but most are bypassed. Here's the config:

ASA Version 8.2(1)
!
hostname ASAVPN
names
!
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address 255.255.255.240
!
interface Ethernet0/1
 nameif Inside
 security-level 100
 ip address 192.168.50.5 255.255.252.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
access-list hpcovpn04_splitTunnelAcl standard permit 192.168.48.0 255.255.252.0
access-list hpcovpn04_splitTunnelAcl standard permit 192.168.36.0 255.255.255.0
access-list hpcovpn04_splitTunnelAcl standard permit 192.168.52.0 255.255.255.0
access-list hpcovpn04_splitTunnelAcl standard permit 192.168.53.0 255.255.255.0
access-list hpcovpn04_splitTunnelAcl standard permit 192.168.54.0 255.255.255.0
access-list hpcovpn04_splitTunnelAcl standard permit 192.168.66.0 255.255.255.0
access-list hpcovpn04_splitTunnelAcl standard permit host
access-list hpcovpn04_splitTunnelAcl standard permit 192.168.64.0 255.255.255.0
access-list hpcovpn04_splitTunnelAcl standard permit 192.168.65.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.48.0 255.255.252.0 192.168.56.0 255.255.255.0
access-list nonat extended permit ip 192.168.48.0 255.255.252.0 192.168.56.0 255.255.255.0
pager lines 24
mtu Outside 1500
mtu Inside 1500
ip local pool DIAL-IN 192.168.56.10-192.168.56.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
nat (Inside) 0 access-list nonat
route Outside 0.0.0.0 0.0.0.0 12.54.190.17 1
route Inside 192.168.32.0 255.255.240.0 192.168.50.1 1
route Inside 192.168.52.0 255.255.252.0 192.168.48.5 1
route Inside 192.168.56.0 255.255.255.0 1
route Inside 192.168.64.0 255.255.255.0 192.168.50.2 1
route Inside 192.168.65.0 255.255.255.0 192.168.50.2 1
route Inside 192.168.66.0 255.255.255.0 192.168.48.5 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server RADIUS protocol radius
aaa-server RADIUS (Inside) host 192.168.xx.xx
 timeout 5
 key xxx
http server enable
http 192.168.48.0 255.255.252.0 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside_map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 192.168.48.0 255.255.252.0 Inside
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 anyconnect-essentials
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol webvpn
group-policy hpcovpn04 internal
group-policy hpcovpn04 attributes
 dns-server value 192.168.xx.xx 192.168.xx.xx
 vpn-tunnel-protocol IPSec l2tp-ipsec
 ipsec-udp enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value hpcovpn04_splitTunnelAcl
 default-domain value henrypratt.com
tunnel-group hpcovpn04 type remote-access
tunnel-group hpcovpn04 general-attributes
 address-pool DIAL-IN
 authentication-server-group RADIUS
 default-group-policy ourpolicy
tunnel-group ourpolicy ipsec-attributes
 pre-shared-key *
!
!
prompt hostname context
Cryptochecksum:beee0e013866150a3079f917676574fd
: end

Also, clients are using TCP over UDP - if that helps.

I am not sure why you have this entry.

route Inside 192.168.56.0 255.255.255.0 1

It should be route outside .......

You don't have any internal network which overlaps with the VPN client IP pool 192.168.56.x?

Issue a ping from the client to an internal host and then check "show cry ipsec sa" to see if the decrypt/encrypt count is incrementing.

Issue a ping from an internal host to the VPN client and then check "show cry ipsec sa" to see if the decrypt/encrypt count is incrementing. Also check the VPN client statistics to see if the encrypt/decrypt count is incrementing as well.

Encrypting on the client is escalating, as is bypassed. On the router, with active pinging from the client to internal, decrypt packets go up. When going internal to client, no activity. No errors. No encryption or encapsulation on the 5510 and nothing received on the client.

interface: Outside
    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr:

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.56.10/255.255.255.255/0/0)
      current_peer: , username: xxxx
      dynamic allocated peer ip: 192.168.56.10

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 21, #pkts decrypt: 21, #pkts verify: 21
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: /10000, remote crypto endpt.: /10000
      path mtu 1500, ipsec overhead 82, media mtu 1500
      current outbound spi: A08643E8

    inbound esp sas:
      spi: 0x3B849C45 (998546501)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={RA, Tunnel,  UDP-Encaps, }
         slot: 0, conn_id: 20480, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
         sa timing: remaining key lifetime (sec): 28585
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x003FFFFF
    outbound esp sas:
      spi: 0xA08643E8 (2693153768)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={RA, Tunnel,  UDP-Encaps, }
         slot: 0, conn_id: 20480, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
         sa timing: remaining key lifetime (sec): 28584
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

If you don't see the encrypt count incrementing in "show cry ipsec sa" when you ping from an internal host to the VPN client, it indicates that the packet from the internal host either did not reach the ASA or did not enter the tunnel for some reason.

Do a packet capture on the Inside interface to see if the packet reaches the inside interface:

1. Define an ACL.

2. Then use the capture command to apply the ACL to the inside interface.

If you don't see the packet in the capture, you need to check the routing to see why the inside host did not forward the packet to the ASA.

If you do see the packet, use the "packet-trace" command to see how the ASA handles it after receiving it on the inside interface.
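The reasoning in this reply (decaps climbing while encaps stays at zero means the return packet never entered the tunnel) can be turned into a small triage tool that compares two snapshots of "show cry ipsec sa" taken before and after a test ping. The script below is an added example, not code from the thread or from Cisco. Its two snapshots are constructed, modelled on the counters posted above, with documentation-range addresses (`203.0.113.5`, `198.51.100.7`) and the username `user1` standing in for the redacted values.

```python
# Added example (not from the thread): parse two snapshots of "show crypto
# ipsec sa" and report which direction of the tunnel actually carried packets.
import re

# Constructed snapshot modelled on the output posted in the thread; the local
# address, peer address and username are made-up documentation-range values.
SNAPSHOT_BEFORE = """\
interface: Outside
    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 203.0.113.5

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.56.10/255.255.255.255/0/0)
      current_peer: 198.51.100.7, username: user1
      dynamic allocated peer ip: 192.168.56.10

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 21, #pkts decrypt: 21, #pkts verify: 21
      #send errors: 0, #recv errors: 0
"""

# The same SA after five pings from the client: the ASA decrypted five more
# packets but still never encrypted a reply toward the client.
SNAPSHOT_AFTER = SNAPSHOT_BEFORE.replace(
    "#pkts decaps: 21, #pkts decrypt: 21, #pkts verify: 21",
    "#pkts decaps: 26, #pkts decrypt: 26, #pkts verify: 26")

REMOTE_RE = re.compile(r"remote ident \(addr/mask/prot/port\): \((\S+?)/")
COUNTER_RES = {
    "encaps": re.compile(r"#pkts encaps: (\d+)"),
    "decaps": re.compile(r"#pkts decaps: (\d+)"),
    "send_errors": re.compile(r"#send errors: (\d+)"),
    "recv_errors": re.compile(r"#recv errors: (\d+)"),
}

# What each verdict means, following the reasoning in the reply above.
ADVICE = {
    "bidirectional": "packets flow both ways through the SA; the problem is beyond the crypto path.",
    "inbound-only": "the ASA decrypts the client's packets but never encrypts a reply: the return "
                    "packet either never reached the ASA (check inside routing for the pool) or "
                    "was not sent into the tunnel (check NAT exemption); capture on Inside, "
                    "then run packet-tracer.",
    "outbound-only": "the ASA encrypts toward the client but nothing comes back; check the client side.",
    "errors": "send/recv errors increased; the SA itself is failing, not just the routing.",
    "idle": "no counters moved; make sure the test traffic actually matched this SA.",
}


def parse_ipsec_sa(text):
    """Return {remote_ident_ip: {counter_name: value}} for every SA in the output."""
    sas, current = {}, None
    for line in text.splitlines():
        if m := REMOTE_RE.search(line):
            current = sas.setdefault(m[1], {})
        elif current is not None:
            for key, rx in COUNTER_RES.items():  # one line may carry several counters
                if m := rx.search(line):
                    current[key] = int(m[1])
    return sas


def diagnose(before, after, peer):
    """Classify the SA for `peer` by how its counters moved between two snapshots."""
    b, a = before[peer], after[peer]
    if a["send_errors"] > b["send_errors"] or a["recv_errors"] > b["recv_errors"]:
        return "errors"
    d_enc = a["encaps"] - b["encaps"]
    d_dec = a["decaps"] - b["decaps"]
    if d_enc > 0 and d_dec > 0:
        return "bidirectional"
    if d_dec > 0:
        return "inbound-only"
    if d_enc > 0:
        return "outbound-only"
    return "idle"


if __name__ == "__main__":
    before, after = parse_ipsec_sa(SNAPSHOT_BEFORE), parse_ipsec_sa(SNAPSHOT_AFTER)
    for peer in after:
        verdict = diagnose(before, after, peer)
        print(f"{peer}: {verdict} -> {ADVICE[verdict]}")
```

Run against the two constructed snapshots it reports `inbound-only` for 192.168.56.10, which is exactly the situation in the thread: decaps 21 to 26, encaps stuck at 0, no errors. Comparing deltas rather than absolute counts matters because a stale SA can hold non-zero counters from an earlier session.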

Seems like when I do the packet trace, everything is being blocked by an implicit incoming rule on the Inside interface: 

Source: any Dest: any Service: ip Action:Deny

There is a rule just above that:

Source any Dest: any Service ip Action: Permit

I've tried putting rules above it to permit everything, but the packet still gets dropped and ASDM points to that rule as the problem.

Ran a debug and saw this when the client connects:

Automatic NAT Detection Status:     Remote end is NOT behind a NAT device     This end is NOT behind a NAT device

With packet trace, I can go from the 192.168.50 network to the 192.168.56 network without a problem. When I try to go from the 192.168.56 network to anywhere on the internal network, the packet gets dropped by a rule.

klombard
Level 1

When I ping from the 5510 to the vpn client (56.10), I get no response, but looking at the ipsec, there are encrypted packets sent.  I can ping the network fine from the 5510 on both sides.  I am noticing now that the vpn connection seems to drop after a few minutes.

Can you post the full packet-trace command output with the command which you used?
