RA VPN into ASA5505 behind C871 Router with one public IP address

shugonaka · ‎07-03-2013

Hello,

I have a network like below for testing remote access VPN to ASA5505 behind C871 router with one public IP address.

PC1 (with VPN client)----Internet-----Modem----C871------ASA5505------PC2

The public IP address is assigned to the outside interface of the C871. The C871 forwards incoming traffic UDP 500, 4500, and esp to the outside interface of the ASA that has a private IP address. The PC1 can establish a secure tunnel to the ASA. However, it is not able to ping or access PC2. PC2 is also not able to ping PC1. The PC1 encrypts packets to PC2 but the ASA does not to PC1. Maybe a NAT problem? I understand removing C871 and just use ASA makes VPN much simpler and easier, but I like to understand why it is not working with the current setup and learn how to troubleshoot and fix it.

Here's the running config for the C871 and ASA. Thanks in advance for your help!

C871:
----------------------------------------------------
version 15.0
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
!
hostname router
!
boot-start-marker
boot-end-marker
!
enable password 7 xxxx
!
aaa new-model
!
aaa session-id common
!
clock timezone UTC -8
clock summer-time PDT recurring
!
dot11 syslog
ip source-route
!
ip dhcp excluded-address 192.168.2.1
ip dhcp excluded-address 192.168.2.2
!
ip dhcp pool dhcp-vlan2
   network 192.168.2.0 255.255.255.0
   default-router 192.168.2.1
!
ip cef
ip domain name xxxx.local
no ipv6 cef
!
multilink bundle-name authenticated
!
password encryption aes
!
username xxxx password 7 xxxx
!
ip ssh version 2
!
interface FastEthernet0
switchport mode trunk
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description WAN Interface
ip address 1.1.1.2 255.255.255.252
ip access-group wna-in in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
!
interface Vlan1
no ip address
!
interface Vlan2
description LAN-192.168.2
ip address 192.168.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Vlan10
description router-asa
ip address 10.10.10.1 255.255.255.252
ip nat inside
ip virtual-reassembly
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip nat inside source list nat-pat interface FastEthernet4 overload
ip nat inside source static 10.10.10.1 interface FastEthernet4
ip nat inside source static udp 10.10.10.2 500 interface FastEthernet4 500
ip nat inside source static udp 10.10.10.2 4500 interface FastEthernet4 4500
ip nat inside source static esp 10.10.10.2 interface FastEthernet4
ip route 0.0.0.0 0.0.0.0 1.1.1.1
ip route 10.10.10.0 255.255.255.252 10.10.10.2
ip route 192.168.2.0 255.255.255.0 10.10.10.2
!
ip access-list standard ssh
permit 0.0.0.0 255.255.255.0 log
permit any log
!
ip access-list extended nat-pat
deny   ip 192.168.2.0 0.0.0.255 192.168.100.0 0.0.0.255
permit ip 192.168.2.0 0.0.0.255 any
ip access-list extended wan-in
deny   ip 192.168.0.0 0.0.255.255 any
deny   ip 172.16.0.0 0.15.255.255 any
deny   ip 10.0.0.0 0.255.255.255 any
deny   ip 127.0.0.0 0.255.255.255 any
deny   ip 169.255.0.0 0.0.255.255 any
deny   ip 255.0.0.0 0.255.255.255 any
deny   ip 224.0.0.0 31.255.255.255 any
deny   ip host 0.0.0.0 any
deny   icmp any any fragments log
permit tcp any any established
permit icmp any any net-unreachable
permit udp any any eq isakmp
permit udp any any eq non500-isakmp
permit esp any any
permit icmp any any host-unreachable
permit icmp any any port-unreachable
permit icmp any any packet-too-big
permit icmp any any administratively-prohibited
permit icmp any any source-quench
permit icmp any any ttl-exceeded
permit icmp any any echo-reply
deny   ip any any log
!
control-plane
!
line con 0
exec-timeout 0 0
logging synchronous
no modem enable
line aux 0
line vty 0 4
access-class ssh in
exec-timeout 5 0
logging synchronous
transport input ssh
!
scheduler max-task-time 5000
end
-------------------------------------------------------------------

ASA:

-------------------------------------------------------------------

ASA Version 9.1(2)

!

hostname asa

domain-name xxxx.local

enable password xxxx encrypted

xlate per-session deny tcp any4 any4

xlate per-session deny tcp any4 any6

xlate per-session deny tcp any6 any4

xlate per-session deny tcp any6 any6

xlate per-session deny udp any4 any4 eq domain

xlate per-session deny udp any4 any6 eq domain

xlate per-session deny udp any6 any4 eq domain

xlate per-session deny udp any6 any6 eq domain

passwd xxxx encrypted

names

ip local pool vpn-pool 192.168.100.10-192.168.100.35 mask 255.255.255.0

!

interface Ethernet0/0

switchport trunk allowed vlan 2,10

switchport mode trunk

!

interface Ethernet0/1

switchport access vlan 2

!

interface Ethernet0/2

shutdown

!

interface Ethernet0/3

shutdown

!

interface Ethernet0/4

shutdown

!

interface Ethernet0/5

shutdown

!

interface Ethernet0/6

shutdown

!

interface Ethernet0/7

shutdown

!

interface Vlan1

no nameif

no security-level

no ip address

!

interface Vlan2

nameif inside

security-level 100

ip address 192.168.2.2 255.255.255.0

!

interface Vlan10

nameif outside

security-level 0

ip address 10.10.10.2 255.255.255.252

!

ftp mode passive

clock timezone UTC -8

clock summer-time PDT recurring

dns server-group DefaultDNS

domain-name xxxx.local

object network vlan2-mapped

subnet 192.168.2.0 255.255.255.0

object network vlan2-real

subnet 192.168.2.0 255.255.255.0

object network vpn-192.168.100.0

subnet 192.168.100.0 255.255.255.224

object network lan-192.168.2.0

subnet 192.168.2.0 255.255.255.0

access-list no-nat-in extended permit ip 192.168.2.0 255.255.255.0 192.168.100.0 255.255.255.0

access-list vpn-split extended permit ip 192.168.2.0 255.255.255.0 any

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

nat (inside,outside) source static lan-192.168.2.0 lan-192.168.2.0 destination static vpn-192.168.100.0 vpn-192.168.100.0 no-proxy-arp route-lookup

!

object network vlan2-real

nat (inside,outside) static vlan2-mapped

route outside 0.0.0.0 0.0.0.0 10.10.10.1 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL

aaa authentication http console LOCAL

http server enable

http 192.168.2.0 255.255.255.0 inside

http 10.10.10.1 255.255.255.255 outside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec security-association pmtu-aging infinite

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-256-SHA

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto ca trustpool policy

crypto ikev1 enable outside

crypto ikev1 policy 30

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh 192.168.2.0 255.255.255.0 inside

ssh 10.10.10.1 255.255.255.255 outside

ssh timeout 20

ssh version 2

ssh key-exchange group dh-group1-sha1

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

anyconnect-essentials

group-policy vpn internal

group-policy vpn attributes

dns-server value 8.8.8.8 8.8.4.4

vpn-tunnel-protocol ikev1

split-tunnel-policy tunnelspecified

split-tunnel-network-list value vpn-split

default-domain value xxxx.local

username xxxx password xxxx encrypted privilege 15

tunnel-group vpn type remote-access

tunnel-group vpn general-attributes

address-pool vpn-pool

default-group-policy vpn

tunnel-group vpn ipsec-attributes

ikev1 pre-shared-key xxxx

!

class-map inspection_default

match default-inspection-traffic

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect ip-options

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

inspect icmp

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

no active

destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

destination address email callhome@cisco.com

destination transport-method http

subscribe-to-alert-group diagnostic

subscribe-to-alert-group environment

subscribe-to-alert-group inventory periodic monthly

subscribe-to-alert-group configuration periodic monthly

subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:40c05c90210242a42b7dbfe9bda79ce2

: end

---------------------------------------------------------------

Michael Muenz · ‎07-04-2013

If you were able to establish the VPN to the ASA config of C871 is fine. I'd enable Logging and look for asymetric NAT statements. Easiest way is to connect via ASDM to ASA and enable logging.

Michael

Please rate all helpful posts

Michael Please rate all helpful posts

shugonaka · ‎07-06-2013

Thank you for your response and suggestion. The problem was resolved after changing the default-router for the vlan2 from 192.168.2.1 to 192.168.2.2.

Thank you,

Sent from Cisco Technical Support iPad App

shugonaka · ‎07-11-2013

Well, it turns out changing the default gateway breaks the internet connection.

If the default gateway for the internal hosts is set to 192.162.2.2, the remote vpn host can access the internal LAN but the hosts on the internal LAN are not able to go out to the internet. On the other hand if the gateway is 192.168.2.1, the internal hosts can go out to the internet but the remote host can not access the internal LAN.

By the way, the router is the DHCP server that lease the IP addressess and gateway to the 192.168.2.0 /24 hosts.

Attached are the current config for the ASA and router.

It's probably something simple like a missing route or something but I can't seem to figure out what needs to be fixed.Hope someone can shed light for me.

Thank you,

czaja0000 · ‎07-12-2013

Hi,

I think, that you want control all outbound traffic from the LAN to the outside by ASA.

I suggest some modifications as shown below.

C871:

interface Vlan2

description LAN-192.168.2

ip address 192.168.2.2 255.255.255.0

no ip nat inside

no ip proxy-arp

ip virtual-reassembly

ip access-list extended nat-pat

no deny ip 192.168.2.0 0.0.0.255 192.168.100.0 0.0.0.255

no permit ip 192.168.2.0 0.0.0.255 any

deny ip 192.168.2.0 0.0.0.255 any

permit ip 10.10.10.0 0.0.0.255 any

ASA 5505:

interface Vlan2

nameif inside

security-level 100

ip address 192.168.2.1 255.255.255.0

Try them out and response.

________________

Best regards,
MB

________________ Best regards, MB

shugonaka · ‎07-13-2013

Hi,

Thanks for the suggestion. I tried it but it disconnected the network from the internet. I revered the change and trying to figure out what else I can try. Thanks for your help!