10-16-2012 01:27 PM
Hi,
This is my first time posting in this forum. I am having trouble getting Mac computers (my test is OS X 10.8.2) to properly connect to our company's VPN. We have a Cisco ASA 5510 which handles the VPN requests. Here are some details:
--Windows computers, running the Cisco VPN Client (not AnyConnect), are able to connect to the VPN and access internal computers/file server etc., just as we'd like them to.
--Macs can establish a VPN connection, but cannot communicate with internal machines or servers. I cannot connect to or ping the file server using its IP address. I also cannot ping my personal work computer.
--BUT, from my work computer I CAN ping the Mac's IP address which it received after connecting via VPN. So, an internal Windows PC can ping the external VPN'd Mac, but the Mac cannot ping the internal Windows PC.
Using ASDM I was able to start up Packet Tracer. I had it trace a ping from the Windows machine address 192.168.0.52 /23 to the Mac's VPN address 192.168.5.33 /24. This was successful.
Using Packet Tracer to trace a ping from the Mac's VPN address of 192.168.5.33 /24 to the Windows address of 192.168.0.52 /23 is not successful. The packet goes through the following phases: "Capture", "Access-list", "Route-Lookup", "Access-List", "IP Options", "Inspect", "Inspect", "Debug-ICMP", "NAT-Exempt", until it reaches "NAT", where I get this message:
Type - NAT Action - Drop
Config
nat (inside1) 1 0.0.0.0 0.0.0.0
match ip inside1 any inside1 any
dynamic translation to pool 1 (192.168.1.1 [Interface PAT])
translate_hits = 913403, untranslate_hits = 27
Result is the packet is dropped.
Info: (acl-drop) Flow is denied by configured rule
I'm not super familiar with ACLs or NAT configuration, so I am not sure what change I need to make to get this to work properly. I also find it strange that the Windows PCs using the Cisco client have no problem communicating internally after connecting, but Macs using the Mac's integrated Cisco IPsec VPN are unsuccessful.
Any help would be greatly appreciated.
-Ramai
P.S. I included a screenshot of the Packet Tracer screen.
10-17-2012 12:39 AM
Can you please share your ASA config, and also advise if you are using a different VPN pool address for your Windows and Mac clients, and if they are using the same group to connect.
10-17-2012 09:49 AM
Hi Jennifer,
Thanks for your response. Windows and Mac computers use the same pool of addresses for VPN connections; they are also part of the same group. Here is the running configuration:
**Note: I have replaced some sensitive data with *** but left the beginning and ending characters to give an idea of what kind of information is present.
Result of the command: "show running-config"
: Saved
:
ASA Version 8.2(5)
!
hostname ciscoasa
enable password 8Ry*********XU24 encrypted
passwd c/Z**********wMi encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 98.***.***.57 255.255.255.192
!
interface Ethernet0/1
nameif inside1
security-level 100
ip address 192.168.1.1 255.255.254.0
!
interface Ethernet0/2
nameif inside2
security-level 99
ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/3
nameif inside3
security-level 98
ip address 192.168.3.1 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.10.1 255.255.255.0
management-only
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list 101 extended permit tcp any host 98.***.***.57 eq ftp
access-list cap extended permit ip host 192.168.3.2 host 192.168.1.50
access-list cap extended permit ip host 192.168.3.2 host 192.168.1.75
access-list test extended permit ip host 192.168.2.27 host 192.168.1.20
access-list test extended permit ip host 192.168.1.20 host 192.168.2.27
access-list test extended permit ip any host 192.168.1.20
access-list test extended permit ip host 192.168.1.20 any
access-list split standard permit 192.168.0.0 255.255.254.0
access-list split standard permit 192.168.2.0 255.255.255.0
access-list split standard permit 192.168.3.0 255.255.255.0
access-list split standard permit 192.168.4.0 255.255.255.0
access-list nonat extended permit ip 192.168.0.0 255.255.254.0 192.168.5.0 255.255.255.0
access-list nonat extended permit ip any 192.168.5.0 255.255.255.0
access-list nonat1 extended permit ip 192.168.2.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list nonat2 extended permit ip 192.168.3.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list new extended permit ip host 192.168.1.50 host 192.168.2.131
access-list new extended permit ip host 192.168.2.131 host 192.168.1.50
access-list inside_access_in extended permit tcp any any
access-list inside_access_in extended permit tcp any any eq ftp
access-list capin extended permit tcp host 192.168.2.131 host 192.168.2.1
access-list capin extended permit tcp host 192.168.2.1 host 192.168.2.131
access-list capin extended permit tcp host 192.168.1.1 host 192.168.1.50
access-list capin extended permit tcp host 192.168.1.50 host 192.168.1.1
access-list capin extended permit tcp any host 98.***.***.57
access-list capin extended permit tcp host 98.***.***.57 any
access-list capin extended permit tcp host 192.168.1.50 host 192.168.2.131
access-list capin extended permit tcp host 192.168.3.2 host 192.168.3.1
access-list capin extended permit tcp host 192.168.3.1 host 192.168.3.2
access-list tcpstatebypass extended permit tcp host 192.168.2.131 host 192.168.1.50
access-list inside1 extended permit ip any any
access-list inside2 extended permit ip any any
pager lines 15
logging enable
logging buffered debugging
logging asdm informational
logging from-address ciscoasa@ourdomain.com
logging recipient-address myemail@ourdomain.com level critical
mtu outside 1500
mtu inside1 1500
mtu inside2 1500
mtu inside3 1500
mtu management 1500
ip local pool VPNPOOL 192.168.5.1-192.168.5.254 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (inside1) 1 interface
global (inside2) 1 interface
nat (inside1) 0 access-list nonat
nat (inside1) 1 0.0.0.0 0.0.0.0
nat (inside2) 0 access-list nonat1
nat (inside2) 1 0.0.0.0 0.0.0.0
nat (inside3) 0 access-list nonat2
nat (inside3) 1 0.0.0.0 0.0.0.0
static (inside1,outside) tcp interface ftp 192.168.1.50 ftp netmask 255.255.255.255 dns
static (inside1,inside2) tcp 98.***.***.57 ftp 192.168.1.50 ftp netmask 255.255.255.255
static (inside1,inside3) tcp 98.***.***.57 ftp 192.168.1.50 ftp netmask 255.255.255.255
static (inside1,inside1) tcp 98.***.***.57 ftp 192.168.1.50 ftp netmask 255.255.255.255
static (inside2,inside3) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
static (inside3,inside1) 192.168.3.0 192.168.3.0 netmask 255.255.255.0
static (inside3,inside2) 192.168.3.0 192.168.3.0 netmask 255.255.255.0
static (inside3,inside1) 192.168.4.0 192.168.4.0 netmask 255.255.255.0
static (inside3,inside2) 192.168.4.0 192.168.4.0 netmask 255.255.255.0
static (inside1,inside3) 192.168.0.0 192.168.0.0 netmask 255.255.254.0
static (inside1,inside2) 192.168.0.0 192.168.0.0 netmask 255.255.254.0
access-group 101 in interface outside
access-group inside1 in interface inside2
access-group inside2 in interface inside3
route outside 0.0.0.0 0.0.0.0 98.***.***.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 0.0.0.0 0.0.0.0 inside1
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection timewait
sysopt connection tcpmss 0
sysopt noproxyarp inside1
crypto ipsec transform-set ESP-3DES esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dynmap 1 set pfs group1
crypto dynamic-map dynmap 1 set transform-set ESP-3DES
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside-map 65535 ipsec-isakmp dynamic dynmap
crypto map outside-map interface outside
crypto isakmp enable outside
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside1
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside1
ssh timeout 20
console timeout 0
management-access inside2
dhcpd dns 208.***.***.222 208.***.***.220
!
dhcpd address 192.168.0.1-192.168.0.254 inside1
dhcpd enable inside1
!
dhcpd address 192.168.2.11-192.168.2.254 inside2
dhcpd enable inside2
!
dhcpd address 192.168.3.2-192.168.3.254 inside3
dhcpd enable inside3
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
enable inside1
enable inside2
enable inside3
group-policy VPNPOOL internal
group-policy VPNPOOL attributes
vpn-tunnel-protocol IPSec l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split
username c******r password wZ************an encrypted
username s******w password 91************/3 encrypted
username c******s password pF************HQ.JP encrypted
username a******n password Bi************H7K encrypted
username m******el password mv6************5uj encrypted
username L******s password TY***************xl encrypted
username r******n password EA***************M11 encrypted
username V******n password 2DV**************4a encrypted
username e******r password .e6***************Hy encrypted
username F******y password Lke***************hV0 encrypted
username F******y attributes
group-lock value VPNPOOL
memberof VPNPOOL
username c******n password 6K***************Xf encrypted
username a******n password be***************Lyt encrypted privilege 15
username R******k password j.5Z***************4Vr encrypted
username R******k attributes
service-type admin
memberof VPNPOOL
username e******s password FN***************Z5 encrypted
username j******a password uor***************Ch encrypted
username K******z password 1a***************zw encrypted
username d******s password OC***************/8 encrypted
username P******z password XG***************Sp encrypted
username l******l password 9k***************q2 encrypted
username r******r password rP***************OC encrypted
username c******o password Uq***************5X encrypted privilege 15
username h******r password HD***************jw encrypted
username K******s password Sb***************0D encrypted
username j******d password ub***************oZ encrypted
username J******n password 2y***************== nt-encrypted
username m******n password oJ***************3v encrypted
username r******u password R/***************A5c encrypted
username J******i password Iu***************2g encrypted
username J******i attributes
group-lock value VPNPOOL
memberof VPNPOOL
tunnel-group DefaultRAGroup general-attributes
address-pool VPNPOOL
default-group-policy VPNPOOL
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
authentication ms-chap-v2
tunnel-group VPNPOOL type remote-access
tunnel-group VPNPOOL general-attributes
address-pool VPNPOOL
default-group-policy VPNPOOL
tunnel-group VPNPOOL ipsec-attributes
pre-shared-key *****
!
class-map tcpstatebypass
match access-list tcpstatebypass
class-map inspection_default
match default-inspection-traffic
class-map new
match access-list new
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
class new
set connection random-sequence-number disable
set connection advanced-options tcp-state-bypass
policy-map tcpstatebypass
class tcpstatebypass
set connection advanced-options tcp-state-bypass
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:10d***************************43c
: end
10-18-2012 06:28 AM
If they are connecting to the same group and using the same pool, it is unlikely that it is something on the ASA that is causing the issue. It's most probably something on the Mac itself.
Are you able to ping 192.168.2.1 from the Mac?
How is the Mac connected? Wired, or wireless, or something else? What is the local subnet that the Mac is connected to?
Please share the output of "show cry ipsec sa peer
10-18-2012 08:33 AM
Macs are connecting to the VPN using their built-in VPN client, located within Network Preferences.
Most local computers are located on the 192.168.0.0/23 network. When clients VPN in they are assigned a 192.168.5.0 address. I don't see the 192.168.5.0 address being tied to any specific interface; is that necessary for VPN?
These are the addresses I tried pinging:
From my local work machine (192.168.0.240) I pinged the VPN'd Mac which had been assigned an address of 192.168.5.30. This ping was successful. I then tried in the opposite direction, pinging from the Mac to my local machine, this ping timed out.
I just tested pinging 192.168.2.1 from my local machine (192.168.0.240) and it timed out. I then tested pinging from the Mac (192.168.5.30) to 192.168.2.1 and it was successful. Using ASDM's packet tracer, I had the same results. Interesting.
So it would seem there is some internal routing issue?
10-18-2012 01:14 PM
Ah, if you can ping 2.1 from the Mac (5.30), that is a good sign.
On the local work machine (0.240) that you are trying to ping from the Mac, does the local machine have any Windows firewall that might be blocking inbound connections from the remote subnet?
10-18-2012 01:48 PM
Hey Jennifer,
So we are making progress. I turned off my local machine's firewall and was able to ping it (0.240) from the Mac (5.30), so we know that is working. I created a rule on my local machine allowing access through the firewall from any 192.168.5.* address, and now with the firewall on I can still be pinged by the Mac.
Unfortunately, I checked the server machine and the Windows firewall for private networks is not even on, so that isn't what is stopping the Mac from pinging it. The server has an address of 192.168.1.50, so it is on the same subnet as my local machine, which is 192.168.0.240 /23. What is weird is that I can ping the server (1.50) from my machine (0.240), though the Mac can't. There must be some firewall snagging it somewhere; I'll have to investigate further. I can't believe this ended up being a firewall issue, I was so sure it was something much more complex. Anyway, it still might turn out to be something complicated; we'll see if I can find what is blocking it. Any suggestions on where to look?
Thanks for your help.
*EDIT*
The server actually had the firewall off for when connected to a local network, but not for public networks. Normally when I ping (1.50) from the Mac I get this response on every ping: "Request timeout for icmp_seq 0" etc.
After turning off every aspect of windows firewall I get:
"ping: sendto: No route to host" (only on first ping)
"ping: sendto: Host is down" (every ping)
"Request timeout for icmp_seq 0" (1, 2, etc)
10-18-2012 06:26 PM
Excellent, great findings, and thanks for the update.
In regards to the server, does it have just 1 NIC, or 2 NICs? If it has 2 NICs, then you would need to either access it via its other NIC, as it probably has a default route going out that other NIC, or, if you want to access it via its 1.50 address, configure a static route on that server for 192.168.5.0/24 pointing towards the ASA interface (192.168.1.1).
10-19-2012 06:28 AM
I checked the server and it only has 1 physical NIC, and also no virtual NICs except for something listed in "Network Connections" related to having people remote into the server.
I don't think the server needs a route to the 192.168.5.0/24 network, because it can ping the VPN'd Mac, but the Mac can't ping back. Wouldn't that indicate that the server has a proper route to the VPN subnet? I will still look into the route thing while I wait for your reply.
-Ramai
**EDIT**
Also, the default gateway for the server is 192.168.1.1, so isn't that essentially the default route?
10-19-2012 12:54 PM
Yes, you are correct. My previous comment was just if the server has 2 NICs. Otherwise, you only need the default gateway configured on the server.
BTW, it's weird that when you disable all Windows firewall, you get those error messages.
Can you please re-enable the firewall, and on the public networks, add the rule to allow ICMP, as well as any other services that you would like to access from the VPN.
10-19-2012 01:58 PM
I already added an inbound and outbound rule for the server to allow all traffic to and from the 192.168.5.0 range. The same rule that I implemented on my personal machine, which has been allowing the Mac to ping me.
The messages:
"ping: sendto: No route to host" (only on first ping)
"ping: sendto: Host is down" (every ping)
"Request timeout for icmp_seq 0" (1, 2, etc)
actually appear any time I ping, I have noticed. It's just that they don't pop up until after the 4th or 5th ping, whereas for some reason, when I would disable the public firewall completely, it would show the messages after the first ping instead of the 4th or 5th. Strange stuff.
I have looked to see if for some reason there was some additional program installed or service running that may be interfering, but nothing obvious stands out.
I still feel like it's some ACL or NAT rule on the ASA that is blocking this communication, but I am not expert enough to know.
10-19-2012 04:56 PM
Well, if you can ping your local machine (0.240), which is in the same subnet as the server (1.50), as well as the ASA inside interface (1.1) from the VPN client Mac machine (192.168.5.x), that means it is not an ACL or NAT rule on the ASA, as they are configured per subnet.
What about any other machine in the 192.168.0.0 subnet? Can you ping them from the VPN client Mac machine?
Also, your server, what is the subnet mask (is it 255.255.254.0)?
10-22-2012 08:23 AM
The server's subnet mask is 255.255.254.0. Looking at the configuration, it seems that the VPNPOOL gives out 192.168.5.X addresses with a 255.255.255.0 subnet mask; that should be fine though, correct?
Yes, I am able to ping other machines on the 192.168.0.0 subnet (after turning off the firewall).
I am going to try connecting the Mac at my home to a wired connection instead of wireless and see if that fixes things, and maybe change the network address the computer is assigned, maybe it's conflicting.
10-22-2012 10:48 AM
Hmmm, I don't seem to be able to connect to the ASA any more, I don't know if I accidentally changed something to cause this...
I cannot ping 192.168.1.1 from any computer on the network. I cannot SSH in using PuTTY. I cannot connect using ASDM. I also cannot connect using a console cable in the network closet. All the functions still work properly (people getting DHCP, able to VPN in, etc.), but I cannot log in to configure anything. Any idea what I may have changed or can do to get in? I am thinking of restarting, since I previously saved the running-config to the startup-config before changing things. I don't know if ASDM automatically saves things to the startup config though.
Breaking more things than I am fixing it seems lol.
***EDIT***
As noted before, the Mac could ping my personal computer with a 192.168.0.X address. I just manually configured a desktop here to have an address of 192.168.1.28 and the Mac is unable to ping it, getting the same messages as when trying to ping the server. I am really starting to think that it has to do with the local address the computer is assigned before establishing a VPN connection. The Mac Cisco IPsec configuration does not give any option to configure split tunneling or not. Once I go home I'll change my wireless router to assign something like 192.168.8.5 and have the default gateway also be 192.168.8.1, then see if it can ping the server here properly.
10-22-2012 02:15 PM
Does your home wireless happen to be in the 192.168.1.0/24 subnet? If it is, try changing it to a different subnet, as you suggested earlier, and see if it works.
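As an added illustration of the routing problem the last two posts converge on (this is example code written for this edit, not anything posted in the thread or shipped by Cisco): the ASA pushes the `split` network list from the VPNPOOL group policy to the client, and the client's IP stack then picks the most specific route for every destination. If the home LAN is 192.168.1.0/24, that connected route is more specific than the tunnelled 192.168.0.0/23, so a packet for 192.168.1.50 goes out the Wi-Fi interface and is never encrypted, while 192.168.0.240 still matches only the tunnel route, which is exactly the 0.x-reachable/1.x-unreachable split observed above. The home LAN value is an assumption taken from the final question; the split list, the pool and the target addresses are the ones quoted in the thread.

```python
"""Client-side route selection under split tunnelling (added example).

Assumptions (not confirmed by the thread): the client installs one route per
split-tunnel prefix pointing at the tunnel, keeps its connected LAN route, and
sends everything else to the home router. Longest-prefix match decides.
"""
import ipaddress
from typing import Dict, List, Tuple

Route = Tuple[ipaddress.IPv4Network, str]  # (prefix, next-hop label)

# Values quoted in the thread: "access-list split ..." and "ip local pool VPNPOOL".
SPLIT_LIST = ["192.168.0.0/23", "192.168.2.0/24", "192.168.3.0/24", "192.168.4.0/24"]
VPN_POOL = "192.168.5.0/24"
# Assumed home LAN, taken from the final question in the thread.
HOME_LAN_BAD = "192.168.1.0/24"
HOME_LAN_OK = "192.168.8.0/24"


def client_routes(local_lan: str, split_list: List[str]) -> List[Route]:
    """Build the client's routing table after the tunnel comes up."""
    routes: List[Route] = [(ipaddress.ip_network(local_lan), "local-lan")]
    routes += [(ipaddress.ip_network(n), "tunnel") for n in split_list]
    routes.append((ipaddress.ip_network("0.0.0.0/0"), "home-router"))
    return routes


def next_hop(dest: str, routes: List[Route]) -> str:
    """Longest-prefix match: the most specific matching route wins."""
    addr = ipaddress.ip_address(dest)
    matches = [r for r in routes if addr in r[0]]
    best = max(matches, key=lambda r: r[0].prefixlen)
    return best[1]


def overlaps(local_lan: str, split_list: List[str], pool: str) -> List[str]:
    """Split-tunnel prefixes that collide with the client LAN or the VPN pool.

    Any entry returned here will have part of its address space shadowed by a
    more specific connected route on the client (LAN case) or will make pool
    addresses ambiguous on the client (pool case).
    """
    lan = ipaddress.ip_network(local_lan)
    pool_net = ipaddress.ip_network(pool)
    return [
        n for n in split_list
        if ipaddress.ip_network(n).overlaps(lan) or ipaddress.ip_network(n).overlaps(pool_net)
    ]


def reachability(local_lan: str, split_list: List[str], targets: List[str]) -> Dict[str, str]:
    """Map each target to the next hop the client would use."""
    routes = client_routes(local_lan, split_list)
    return {t: next_hop(t, routes) for t in targets}


if __name__ == "__main__":
    # Addresses the poster tried: work PC, server, inside2 interface, and an internet host.
    targets = ["192.168.0.240", "192.168.1.50", "192.168.2.1", "8.8.8.8"]
    for lan in (HOME_LAN_BAD, HOME_LAN_OK):
        print(f"home LAN {lan}: overlaps with split list -> {overlaps(lan, SPLIT_LIST, VPN_POOL)}")
        for dest, hop in reachability(lan, SPLIT_LIST, targets).items():
            print(f"  {dest:15} -> {hop}")
```

With the 192.168.1.0/24 LAN the report shows 192.168.0.240 and 192.168.2.1 via the tunnel but 192.168.1.50 via the local LAN; with 192.168.8.0/24 every corporate target goes through the tunnel. The same check is worth running before adding any new prefix to a split-tunnel list: anything that overlaps common home ranges (192.168.0.0/24, 192.168.1.0/24, 10.0.0.0/24) will break for some remote users in exactly this way.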