03-15-2011 12:51 AM - edited 02-21-2020 05:13 PM
Hi,
I configured a remote-access VPN on an ASA 5510 version 8.3. This is the configuration:
............
tunnel-group prova4 type remote-access
tunnel-group prova4 general-attributes
 address-pool vpnpool1
 default-group-policy test_vpnpool1_policy
tunnel-group prova4 ipsec-attributes
 pre-shared-key *****
................
access-list soft_vpnpool1 extended permit icmp host 192.168.31.1 host 192.168.32.254 
access-list soft_vpnpool1 extended permit ip host 192.168.31.1 host 192.168.32.254 
access-list soft_vpnpool1 extended permit ip any any 
access-list soft_vpnpool1 extended permit icmp any any
.............
group-policy test_vpnpool1_policy attributes
 vpn-filter value soft_vpnpool1
 vpn-tunnel-protocol IPSec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value soft_vpnpool1
..................
nat (inside,any) source static N1-192.168.32.0 N1-192.168.32.0 destination static N1-192.168.31.0 N1-192.168.31.0 unidirectional
.........
The VPN goes up and I get an IP address, but it's impossible to reach the internal network.
This is what I can see from the logs:
............................................................
Mar 11 10:10:20 192.168.32.140 : Mar 11 10:10:20 CET: %ASA-ipaa-6-737026: IPAA: Client assigned 192.168.31.1 from local pool
Mar 11 10:10:20 192.168.32.140 : Mar 11 10:10:20 CET: %ASA-vpn-6-713228: Group = prova4, Username = pippo, IP = 212.x.x.x, Assigned private IP address 192.168.31.1 to remote user
Mar 11 10:10:20 192.168.32.141 : Mar 11 10:10:20 CET: %ASA-ipaa-6-737029: IPAA: Added 192.168.31.1 to standby
Mar 11 10:10:29 192.168.32.140 : Mar 11 10:10:29 CET: %ASA-bridge-6-110002: Failed to locate egress interface for UDP from outside:192.168.31.1/1885 to 239.255.255.250/1900
Mar 11 10:11:51 192.168.32.140 : Mar 11 10:11:51 CET: %ASA-vpn-5-713050: Group = prova4, Username =pippo, IP = 212.x.x.x, Connection terminated for peer pippo.  Reason: Peer Terminate  Remote Proxy 192.168.31.1, Local Proxy 0.0.0.0
Mar 11 10:11:51 192.168.32.140 : Mar 11 10:11:51 CET: %ASA-ipaa-6-737016: IPAA: Freeing local pool address 192.168.31.1
Mar 11 10:11:51 192.168.32.141 : Mar 11 10:11:51 CET: %ASA-ipaa-6-737031: IPAA: Removed 192.168.31.1 from standby
............................................................
The only error I can see is %ASA-bridge-6-110002, which is not related to the traffic I'm generating; it looks like a messenger program trying to do multicast.
What I can tell you from the VPN client I'm using is that I can see encrypted packets going out my tunnel, but nothing incoming. Also, on the firewall I can see no incoming packets from this tunnel.
Another thing I noticed: is it correct that I do not have a default gateway IP address when the tunnel goes up? I'm not talking about my normal network: when the VPN goes up I can see that my address is 192.168.31.1, which is correctly taken from the pool I chose, but my default gateway is again 192.168.31.1.
Thanks for your help.
03-15-2011 03:58 AM
The following configuration is incorrect:
nat (inside,any) source static N1-192.168.32.0 N1-192.168.32.0 destination static N1-192.168.31.0 N1-192.168.31.0 unidirectional
Please kindly remove it, and change it to the following:
nat (inside,outside) source static N1-192.168.32.0 N1-192.168.32.0 destination static N1-192.168.31.0 N1-192.168.31.0
Your split tunnel ACL is also incorrect, please kindly remove it and change it to:
access-list soft_vpnpool1 standard 192.168.32.0 255.255.255.0
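The three problems this reply points at (NAT exemption with `any` as egress interface, the `unidirectional` keyword, and an extended ACL used as the split-tunnel list) can be caught by a quick lint pass over the running config before the tunnel is even tested. This is an added example, not part of the thread; the sample config is constructed to mirror the original post, and the check for a `vpn-filter` that permits `ip any any` is an extra observation from the same configuration.

```python
import re

# Constructed sample modelled on the configuration posted in the thread
# (not pulled from a real device); it contains the issues the reply calls out.
SAMPLE_CONFIG = """
access-list soft_vpnpool1 extended permit icmp host 192.168.31.1 host 192.168.32.254
access-list soft_vpnpool1 extended permit ip any any
group-policy test_vpnpool1_policy attributes
 vpn-filter value soft_vpnpool1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value soft_vpnpool1
nat (inside,any) source static N1-192.168.32.0 N1-192.168.32.0 destination static N1-192.168.31.0 N1-192.168.31.0 unidirectional
"""

ACL_RE = re.compile(r"^access-list (\S+) (standard|extended) (permit|deny) (.+)$")
NAT_RE = re.compile(r"^nat \((\S+),(\S+)\) source static (.+)$")

def lint_ra_vpn(config):
    """Return a list of findings for the remote-access VPN pieces of an ASA config."""
    acl_kinds, any_any_acls = {}, set()
    split_lists, vpn_filters, nat_rules = [], [], []
    for raw in config.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            name, kind, action, rest = m.groups()
            acl_kinds.setdefault(name, set()).add(kind)   # an ACL may mix entry kinds
            if action == "permit" and rest.startswith("ip any any"):
                any_any_acls.add(name)
        elif line.startswith("split-tunnel-network-list value "):
            split_lists.append(line.split()[-1])
        elif line.startswith("vpn-filter value "):
            vpn_filters.append(line.split()[-1])
        elif m := NAT_RE.match(line):
            nat_rules.append(m.groups())

    findings = []
    for name in split_lists:
        if "extended" in acl_kinds.get(name, ()):
            findings.append(f"split-tunnel list {name} is an extended ACL; use a standard ACL naming only the protected networks")
    for name in vpn_filters:
        if name in any_any_acls:
            findings.append(f"vpn-filter {name} permits ip any any, so it restricts nothing")
    for ingress, egress, rest in nat_rules:
        if egress == "any":
            findings.append(f"NAT exemption ({ingress},{egress}) should name the VPN egress interface, e.g. ({ingress},outside)")
        if "unidirectional" in rest.split():
            findings.append("NAT exemption is unidirectional; connections initiated from the VPN pool toward the inside network do not match it")
    return findings

if __name__ == "__main__":
    for finding in lint_ra_vpn(SAMPLE_CONFIG):
        print("-", finding)
```

Running it against the corrected lines from the reply (standard ACL, `(inside,outside)`, no `unidirectional`) returns an empty list.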
03-16-2011 04:56 AM
03-16-2011 06:12 AM
Hi,
On being connected to the RA VPN, are you able to ping the inside interface on the ASA? Please ensure that the following command is present:
management-access inside
Also ensure that the inside interface IP address is a part of the interesting traffic.
Make sure the host you are trying to ping from the client is pingable from the ASA.
If yes, please check the routing in the internal network and see if the route to pool ip exists on the L3 devices in the internal network.
Hope this helps.
Regards,
Anisha
P.S.: please mark this post as answered if you feel your query is resolved. Do rate helpful posts.
03-16-2011 07:23 AM
There's management-access inside, and there's a route in the routing table for the IP address of the VPN.
However, I think the key to the problem is that the firewall does not encrypt the traffic back to my client.
Could it be a problem with the client version? I'm using 4.0.5.
03-16-2011 07:29 AM
Hi,
The problem is with the ASA, right, as the ASA is not encrypting the data. We need to check if the ASA is dropping the packet or the packet is not reaching the ASA, hence it is not encrypting.
Please try the steps mentioned in the previous posts.
Regards,
Anisha
-Do rate helpful posts.
03-16-2011 08:53 AM
I corrected my configuration, but maybe it's better if I start again from nothing.
Can you post a simple configuration for a remote access VPN using the Cisco client? I would just like to be able to access my devices on the inside interface at 192.168.32.0/24.
03-16-2011 09:48 AM
Hi,
Here is the sample configuration for the same:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008060f25c.shtml
Also ensure that the interesting traffic is NAT exempted, which I guess is missing in the link. The ASDM RA VPN Wizard will be best to configure it.
Hope this helps.
Regards,
Anisha
P.S.: please mark this post as answered if you feel your query is resolved. Do rate helpful posts.
03-18-2011 09:07 AM
03-18-2011 12:11 PM
Hi,
On being connected to the RA VPN, are you able to ping the inside interface on the ASA?
Also ensure that the inside interface IP address is a part of the interesting traffic.
Make sure the host you are trying to ping from the client is pingable from the ASA.
If yes, please check the routing in the internal network and see if the route to pool ip exists on the L3 devices in the internal network.
Hope this helps.
Regards,
Anisha
P.S.: please mark this post as answered if you feel your query is resolved. Do rate helpful posts.