10-30-2012 12:07 PM
Hello All,
I've been troubleshooting this issue and was hoping to get some more feedback and maybe have someone point out an error if I'm not seeing it. I recently set up a remote access VPN on a Cisco ASA 5505. Everything appeared to work at first and the IPsec client connects. However, if you look at the packets being encrypted and decrypted on the client side, only the encrypted counter is incrementing and the decrypted counter stays at 0. The opposite is true on the ASA side: the decrypted counter continues to increment and the encrypted counter stays at zero. My first thought was maybe a misconfigured NAT 0 statement or not defining the correct split tunnel ACL, but I have verified that. I will post my config so maybe someone can point out the error. The ASA version is 8.2(5); I'll also list a packet-tracer I did from an inside host to a VPN IP.
-----
Any help will be greatly appreciated, thanks in advance!
-----
ASA Version 8.2(5)
!
terminal width 511
hostname xyz
domain-name xyz.local
no names
dns-guard
!
interface Ethernet0/0
description ISP Connection
switchport access vlan 900
!
interface Ethernet0/1
switchport access vlan 10
!
interface Ethernet0/2
switchport access vlan 20
!
interface Ethernet0/3
switchport access vlan 30
!
interface Ethernet0/4
switchport access vlan 40
!
interface Ethernet0/5
switchport access vlan 50
switchport trunk allowed vlan 10,20,30,40,350
switchport trunk native vlan 10
switchport mode trunk
!
interface Ethernet0/6
switchport trunk allowed vlan 10,20,30,40,350
switchport trunk native vlan 10
switchport mode trunk
!
interface Ethernet0/7
description WAP
switchport trunk allowed vlan 10,20,30,40,350
switchport trunk native vlan 10
switchport mode trunk
!
interface Vlan10
description LAN
nameif inside
security-level 100
ip address 10.10.254.1 255.255.0.0
!
interface Vlan20
description LAN
nameif inside20
security-level 100
ip address 10.20.254.1 255.255.0.0
!
interface Vlan30
description LAN
nameif inside30
security-level 100
ip address 10.30.254.1 255.255.0.0
!
interface Vlan40
description LAN
nameif inside40
security-level 100
ip address 10.40.254.1 255.255.0.0
!
interface Vlan350
description Guest LAN
nameif guest
security-level 50
ip address 10.3.50.254 255.255.255.0
!
interface Vlan900
description ISP Connection
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.252
boot system disk0:/asa825-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name xyz.local
same-security-traffic permit intra-interface
access-list OUTSIDE-IN remark :
access-list OUTSIDE-IN remark : Allow OUTSIDE to inside
access-list OUTSIDE-IN remark :
access-list OUTSIDE-IN remark Allow ICMP Replies
access-list OUTSIDE-IN extended permit icmp any any echo-reply
access-list OUTSIDE-IN extended permit icmp any any time-exceeded
access-list OUTSIDE-IN extended permit icmp any any unreachable
access-list NAT-0-INSIDE remark :
access-list NAT-0-INSIDE remark : Do not NAT this traffic
access-list NAT-0-INSIDE remark :
access-list NAT-0-INSIDE remark Allow LAN to VPN Users
access-list NAT-0-INSIDE extended permit ip 10.10.0.0 255.255.0.0 172.16.10.0 255.255.255.0
access-list NAT-0-INSIDE extended permit ip 10.20.0.0 255.255.0.0 172.16.10.0 255.255.255.0
access-list NAT-0-INSIDE extended permit ip 10.40.0.0 255.255.0.0 172.16.10.0 255.255.255.0
access-list NAT-0-INSIDE extended permit ip 10.30.0.0 255.255.0.0 172.16.10.0 255.255.255.0
access-list NAT-0-INSIDE extended permit ip 10.3.0.0 255.255.255.0 172.16.10.0 255.255.255.0
access-list NAT-10-INSIDE remark :
access-list NAT-10-INSIDE remark : Allow LAN NAT
access-list NAT-10-INSIDE remark :
access-list NAT-10-INSIDE extended permit ip 10.0.0.0 255.0.0.0 any
access-list VPN-SPLIT-TUNNEL remark :
access-list VPN-SPLIT-TUNNEL remark : Add Routes for these networks to the VPN clients
access-list VPN-SPLIT-TUNNEL remark :
access-list VPN-SPLIT-TUNNEL extended permit ip 10.10.0.0 255.255.0.0 any
access-list VPN-SPLIT-TUNNEL extended permit ip 10.20.0.0 255.255.0.0 any
access-list VPN-SPLIT-TUNNEL extended permit ip 10.30.0.0 255.255.0.0 any
access-list VPN-SPLIT-TUNNEL extended permit ip 10.40.0.0 255.255.0.0 any
access-list VPN-SPLIT-TUNNEL extended permit ip 10.3.0.0 255.255.255.0 any
pager lines 40
logging enable
logging timestamp
logging buffer-size 16384
logging buffered debugging
logging trap informational
logging history errors
logging asdm informational
mtu inside 1500
mtu inside20 1500
mtu inside30 1500
mtu inside40 1500
mtu guest 1500
mtu outside 1500
ip local pool VPN-POOL 172.16.10.1-172.16.10.99 mask 255.255.255.0
ip audit name IDSATTACK attack action alarm drop reset
ip audit interface inside IDSATTACK
ip audit interface inside20 IDSATTACK
ip audit interface inside30 IDSATTACK
ip audit interface inside40 IDSATTACK
ip audit interface guest IDSATTACK
ip audit interface outside IDSATTACK
ip audit attack action alarm drop reset
ip audit signature 2000 disable
ip audit signature 2001 disable
ip audit signature 2004 disable
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any inside20
icmp permit any inside30
icmp permit any inside40
icmp permit any guest
icmp permit any outside
asdm image disk0:/asdm-649.bin
asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list NAT-0-INSIDE
nat (inside) 10 access-list NAT-10-INSIDE
nat (inside20) 0 access-list NAT-0-INSIDE
nat (inside20) 10 access-list NAT-10-INSIDE
nat (inside30) 0 access-list NAT-0-INSIDE
nat (inside30) 10 access-list NAT-10-INSIDE
nat (inside40) 0 access-list NAT-0-INSIDE
nat (inside40) 10 access-list NAT-10-INSIDE
nat (guest) 0 access-list NAT-0-INSIDE
nat (guest) 10 access-list NAT-10-INSIDE
access-group OUTSIDE-IN in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.y 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server RADIUS-AUTH protocol radius
aaa authentication serial console LOCAL
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication enable console LOCAL
aaa authentication secure-http-client
http server enable 444
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 inside
sysopt noproxyarp inside
sysopt noproxyarp inside20
sysopt noproxyarp inside30
sysopt noproxyarp inside40
crypto ipsec transform-set AES-256-SHA-ENCRYPT esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map VPN-DYN-MAP 1 set transform-set AES-256-SHA-ENCRYPT
crypto dynamic-map VPN-DYN-MAP 1 set security-association lifetime seconds 28800
crypto dynamic-map VPN-DYN-MAP 1 set security-association lifetime kilobytes 4608000
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic VPN-DYN-MAP
crypto map OUTSIDE-MAP interface outside
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet 0.0.0.0 0.0.0.0 outside
telnet timeout 20
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 20
console timeout 0
dhcpd ping_timeout 750
!
dhcpd address 10.10.1.1-10.10.1.99 inside
dhcpd dns 4.2.2.2 interface inside
dhcpd domain xyz.local interface inside
dhcpd enable inside
!
dhcpd address 10.20.1.1-10.20.1.99 inside20
dhcpd dns 4.2.2.2 interface inside20
dhcpd enable inside20
!
dhcpd address 10.30.1.1-10.30.1.99 inside30
dhcpd dns 4.2.2.2 interface inside30
dhcpd enable inside30
!
dhcpd address 10.40.1.1-10.40.1.99 inside40
dhcpd dns 4.2.2.2 interface inside40
dhcpd enable inside40
!
dhcpd address 10.3.50.1-10.3.50.99 guest
dhcpd dns 4.2.2.2 interface guest
dhcpd enable guest
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
tunnel-group-list enable
group-policy VPN-POLICY internal
group-policy VPN-POLICY attributes
vpn-simultaneous-logins 20
vpn-idle-timeout 3600
vpn-session-timeout 1440
vpn-tunnel-protocol IPSec svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN-SPLIT-TUNNEL
default-domain value xyz.local
split-dns value xyz.local
tunnel-group secant type remote-access
tunnel-group secant general-attributes
address-pool VPN-POOL
authentication-server-group (outside) LOCAL
default-group-policy VPN-POLICY
tunnel-group secant ipsec-attributes
pre-shared-key *****
!
class-map INSPECTION-DEFAULT
description Complete Protocol Inspection List Class Map
match default-inspection-traffic
!
!
policy-map type inspect dns INSPECT-DNS-MAP
parameters
message-length maximum client auto
message-length maximum 4096
policy-map GLOBAL-INSPECTION-POLICY
description Global Inspection Policy
class INSPECTION-DEFAULT
inspect ftp
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect http
inspect ils
inspect pptp
inspect ipsec-pass-thru
inspect icmp
inspect dns INSPECT-DNS-MAP
inspect ctiqbe
inspect dcerpc
inspect mgcp
inspect icmp error
inspect snmp
inspect waas
inspect h323 h225
inspect h323 ras
!
service-policy GLOBAL-INSPECTION-POLICY global
A5505-1# packet-tracer input inside icmp 10.10.253.1 1 1 172.16.10.1 detailed
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.16.10.1 255.255.255.255 outside
Phase: 2
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc96adb20, priority=0, domain=inspect-ip-options, deny=true
hits=69511, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 3
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map INSPECTION-DEFAULT
description Complete Protocol Inspection List Class Map
match default-inspection-traffic
policy-map GLOBAL-INSPECTION-POLICY
description Global Inspection Policy
class INSPECTION-DEFAULT
inspect icmp
service-policy GLOBAL-INSPECTION-POLICY global
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcc510638, priority=70, domain=inspect-icmp, deny=false
hits=10388, user_data=0xcc510438, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 4
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcc51dbb8, priority=70, domain=inspect-icmp-error, deny=false
hits=10388, user_data=0xcc51d9b8, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 5
Type: DEBUG-ICMP
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc97e7e30, priority=12, domain=debug-icmp-trace, deny=false
hits=16500, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=1
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 6
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
match ip inside 10.10.0.0 255.255.0.0 outside 172.16.10.0 255.255.255.0
NAT exempt
translate_hits = 5, untranslate_hits = 796
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc97b1d40, priority=6, domain=nat-exempt, deny=false
hits=5, user_data=0xc9840640, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip=10.10.0.0, mask=255.255.0.0, port=0
dst ip=172.16.10.0, mask=255.255.255.0, port=0, dscp=0x0
Phase: 7
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 10 access-list NAT-10-INSIDE
match ip inside 10.0.0.0 255.0.0.0 outside any
dynamic translation to pool 10 (x.x.x.x [Interface PAT])
translate_hits = 61470, untranslate_hits = 8513
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc9950080, priority=2, domain=nat, deny=false
hits=61604, user_data=0xc994ffc0, cs_id=0x0, flags=0x0, protocol=0
src ip=10.0.0.0, mask=255.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 8
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 10 access-list NAT-10-INSIDE
match ip inside 10.0.0.0 255.0.0.0 inside any
dynamic translation to pool 10 (No matching global)
translate_hits = 0, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc994d1e0, priority=2, domain=host, deny=false
hits=69627, user_data=0xc994cdc8, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=10.0.0.0, mask=255.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 9
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0xc983d570, priority=70, domain=encrypt, deny=false
hits=777, user_data=0x4c2e4, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=172.16.10.1, mask=255.255.255.255, port=0, dscp=0x0
Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 102356, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_dbg_icmp
snp_fp_adjacency
snp_fp_encrypt
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
10-30-2012 12:43 PM
Hi Alan,
Please make the following changes:
access-list VPN_SPLIT_ACL remark :
access-list VPN_SPLIT_ACL remark : Add Routes for these networks to the VPN clients
access-list VPN_SPLIT_ACL remark :
access-list VPN_SPLIT_ACL permit 10.10.0.0 255.255.0.0
access-list VPN_SPLIT_ACL permit 10.20.0.0 255.255.0.0
access-list VPN_SPLIT_ACL permit 10.30.0.0 255.255.0.0
access-list VPN_SPLIT_ACL permit 10.40.0.0 255.255.0.0
access-list VPN_SPLIT_ACL permit 10.3.0.0 255.255.255.0
!
group-policy VPN-POLICY attributes
split-tunnel-network-list value VPN_SPLIT_ACL
!
crypto isakmp nat-traversal 30
!
capture capin interface inside match ip 10.10.0.0 255.255.0.0 172.16.10.0 255.255.255.0
Then connect and try to ping any IP within the 10.10.0.0 /16 range.
Once done, issue:
show capture capin
HTH.
Portu.
Please rate any helpful posts
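The three items the reply asks to check, as an added Python audit script (not code from either poster): it scans a constructed excerpt of the posted config for a split-tunnel list that is an extended ACL, a missing crypto isakmp nat-traversal line, and a NAT 0 exemption list that does not cover the VPN address pool. ACL parsing is limited to the `permit ip net mask net mask` form used in the thread.

```python
import re
from ipaddress import ip_interface, ip_network

# Constructed excerpt of the ASA 8.2(5) config from the question (names and addresses as posted).
CONFIG = """\
ip local pool VPN-POOL 172.16.10.1-172.16.10.99 mask 255.255.255.0
access-list NAT-0-INSIDE remark : Do not NAT this traffic
access-list NAT-0-INSIDE extended permit ip 10.10.0.0 255.255.0.0 172.16.10.0 255.255.255.0
access-list NAT-0-INSIDE extended permit ip 10.3.0.0 255.255.255.0 172.16.10.0 255.255.255.0
access-list VPN-SPLIT-TUNNEL extended permit ip 10.10.0.0 255.255.0.0 any
nat (inside) 0 access-list NAT-0-INSIDE
group-policy VPN-POLICY attributes
 split-tunnel-network-list value VPN-SPLIT-TUNNEL
"""

def acl_lines(cfg, name):
    """Return the ACE lines (remarks excluded) of the named access-list."""
    return [l for l in cfg.splitlines()
            if l.startswith(f"access-list {name} ") and " remark" not in l]

def audit_ra_vpn(cfg):
    """Return findings for the three checks suggested in the reply."""
    findings = []
    # 1. Split-tunnel list: the reply wants a standard ACL (permit net mask),
    #    not an extended 'permit ip net mask any' list.
    for name in re.findall(r"split-tunnel-network-list value (\S+)", cfg):
        if any(" extended " in l for l in acl_lines(cfg, name)):
            findings.append(f"split-tunnel list {name} is an extended ACL; use a standard ACL")
    # 2. NAT-T lets ESP traverse a NAT device sitting in front of the remote client.
    if "crypto isakmp nat-traversal" not in cfg:
        findings.append("crypto isakmp nat-traversal is not configured")
    # 3. Every NAT 0 exemption list must name the whole VPN pool as destination,
    #    otherwise return traffic to the client gets PAT'd instead of exempted.
    for start, _end, mask in re.findall(r"ip local pool \S+ (\S+)-(\S+) mask (\S+)", cfg):
        pool = ip_interface(f"{start}/{mask}").network
        for name in sorted(set(re.findall(r"nat \(\S+\) 0 access-list (\S+)", cfg))):
            covered = False
            for l in acl_lines(cfg, name):
                m = re.search(r"permit ip \S+ \S+ (\S+) (\S+)$", l)
                if m and pool.subnet_of(ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)):
                    covered = True
            if not covered:
                findings.append(f"nat 0 list {name} does not exempt the pool {pool}")
    return findings

if __name__ == "__main__":
    for f in audit_ra_vpn(CONFIG):
        print("FINDING:", f)
```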