01-24-2014 05:23 AM - edited 02-21-2020 07:27 PM
Dear Experts,
Kindly assist me with this Remote Access VPN issue.
I have configured IPSec Remote Access VPN, using the wizard. The remote client connects to the Headquarters quite fine, obtains defined IP Address, sends packets and Bytes, BUT does not receive any Bytes nor decrypt any packet. Rather, the counter for discarded keeps rising.
What could be possibly responsible, or what other configuration needs to be done on the ASA for the connection to be completely functional?
It may help to state that Anyconnect VPN is configured on the same Outside Interface on the ASA, and it is still functional. Could that be the reason?
Anyconnect VPN is being used by Staff for Remote Access.
Kindly assist.
Thank you.
01-24-2014 06:19 AM
Hi,
So if I understand correctly you for example have an interface for LAN and WAN and naturally the destination networks which you want to reach through the VPN Client connection are all located behind the LAN interface.
In that case the NAT0 configuration with your newer software would look something like this
object-group network LAN-NETWORKS-VPN
network-object
network-object
network-object
object network VPN-POOL
subnet
nat (LAN,WAN) 1 source static LAN-NETWORKS-VPN LAN-NETWORKS-VPN destination static VPN-POOL VPN-POOL
Naturally the naming of interfaces and objects could be different. In this case it's simply meant to illustrate the purpose of the object or the interface.
I am naturally not sure if the NAT0 configuration is the problem though I can't really say anything for certain as I can't see the configuration.
As to the other question,
I have not set up an ASA to use 2 WAN interfaces in such a way in production environments as in those cases customer usually has separate platforms for both or we might be hosting/providing the service for them.
I would imagine that there are ways to do this but the main problem is the routing. Essentially we know that VPN Client connections can come from pretty much any public source IP address and in that case we would need a default route pointing towards the VPN interface since it's not really practical to configure separate routes for the IP addresses where the VPN Client connections would come from.
Then when we consider that we would also need a default route on the INTERNET link on the ASA we run into the problem that we can not have 2 default routes on the same device active at the same time.
Naturally with your software level you would be able to use the NAT to get the result you wanted.
In short the requirements would be the following
The above things would essentially let the VPN interface have the default route which would mean that no matter what the source IP address of the VPN Client it should be able to communicate with the ASA.
The NAT0 configuration purposes would be to force the ASA to pass this traffic between the LAN and VPN (pools) for the VPN traffic.
The special NAT configuration would then match traffic coming from LAN towards ANY destination address and forward it to INTERNET interface. After that decision is made the traffic would follow the lower value default route out through that interface.
I would say this is not really the ideal situation and configuration to use in a production environment. It creates potentially a complex NAT configuration as you are using it to manipulate traffic instead of letting the routing table make the choice in the first place.
Naturally there might be other options but I would have to test such setup before I can say anything more for certain.
- Jouni
01-24-2014 05:26 AM
Hi,
I would look at the NAT0 configuration on the ASA first.
You will need a NAT0 configuration that specifies that the LAN networks will not be NATed when destined to the VPN user pool.
Are the SSL Client and IPsec Client using their own address pools for VPN?
- Jouni
01-24-2014 05:33 AM
Hello,
The various VPNs Clients are using different POOLS for VPN connection.
As for the NAT0 configuration, please how do I configure that?
01-24-2014 05:38 AM
Hi,
Depends on your ASA's software level. The NAT configuration format is different depending on the software level. The change happened in the jump from 8.2 to 8.3 (and newer) software.
Also the configuration depends on are there more than 1 interface behind which LAN networks are located where the VPN Clients need to connect to?
- Jouni
01-24-2014 05:48 AM
Hello,
Thank you so much for the prompt response, I sincerely do appreciate it.
I am currently using ASA 5520 with IOS image of 8.4(5), and asdm 7.0(2)
There is ONLY one Interface which the Remote Networks need to connect to, and that same Interface is what I use to connect to the Internet.
Just a quick one, (a little digression, please). Is it possible to dedicate one (outside or WAN) interface for VPN connections and another (Outside or WAN) interface dedicated for Internet connection?
Thank you once again.
01-24-2014 10:14 AM
Hello Jouni,
I must say I am very grateful to you. Through your patience and guidance, I was able to figure out what the problem was.
I mistakenly used part of the subnet for the Internal Network as the External-Pool.
From your examples, I saw the mistake and corrected it.
Using the VPN, I can access the Internal Resources.
Thank you so much.
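A small added check that ties the two findings in this thread together (not code from the thread or from Cisco): it flags a VPN pool carved out of an internal subnet, which is the mistake the original poster found, and renders the 8.3+ style identity NAT (NAT0) statement from Jouni's reply. Interface and object names follow Jouni's example; all subnet values are constructed sample data.

```python
"""Sanity checks for the ASA remote-access VPN setup discussed above.

Added example. A pool that overlaps an internal subnet makes LAN hosts
(and the ASA) treat the VPN client as locally attached, so return traffic
never enters the tunnel: packets go out encrypted, nothing comes back
decrypted. The NAT0 renderer mirrors the twice-NAT identity statement
shown in the accepted answer.
"""
import ipaddress
from typing import Iterable, List


def overlapping_lan_nets(lan_nets: Iterable[str], vpn_pool: str) -> List[str]:
    """Return the LAN networks that overlap the VPN pool (should be empty)."""
    pool = ipaddress.ip_network(vpn_pool, strict=False)
    return [n for n in lan_nets
            if ipaddress.ip_network(n, strict=False).overlaps(pool)]


def nat0_config(lan_nets: Iterable[str], vpn_pool: str,
                lan_if: str = "LAN", wan_if: str = "WAN",
                lan_obj: str = "LAN-NETWORKS-VPN",
                pool_obj: str = "VPN-POOL") -> str:
    """Render the identity NAT so LAN <-> pool traffic is not translated."""
    lines = [f"object-group network {lan_obj}"]
    for n in lan_nets:
        net = ipaddress.ip_network(n, strict=False)
        lines.append(f" network-object {net.network_address} {net.netmask}")
    pool = ipaddress.ip_network(vpn_pool, strict=False)
    lines += [
        f"object network {pool_obj}",
        f" subnet {pool.network_address} {pool.netmask}",
        f"nat ({lan_if},{wan_if}) 1 source static {lan_obj} {lan_obj} "
        f"destination static {pool_obj} {pool_obj}",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    LAN = ["10.10.0.0/24", "10.10.1.0/24"]      # constructed internal networks
    BAD_POOL = "10.10.1.128/25"                 # constructed: half of a LAN subnet
    GOOD_POOL = "192.168.250.0/24"              # constructed: disjoint from the LAN
    print("overlap:", overlapping_lan_nets(LAN, BAD_POOL))   # ['10.10.1.0/24']
    print("overlap:", overlapping_lan_nets(LAN, GOOD_POOL))  # []
    print(nat0_config(LAN, GOOD_POOL))
```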