
remote-access vpn problem on asa

ocram12345
Level 1

Hi,
I configured a remote-access VPN on an ASA 5510, version 8.3. This is the configuration:


............
tunnel-group prova4 type remote-access
tunnel-group prova4 general-attributes
address-pool vpnpool1
default-group-policy test_vpnpool1_policy
tunnel-group prova4 ipsec-attributes
pre-shared-key *****
................
access-list soft_vpnpool1 extended permit icmp host 192.168.31.1 host 192.168.32.254
access-list soft_vpnpool1 extended permit ip host 192.168.31.1 host 192.168.32.254
access-list soft_vpnpool1 extended permit ip any any
access-list soft_vpnpool1 extended permit icmp any any
.............
group-policy test_vpnpool1_policy attributes
vpn-filter value soft_vpnpool1
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value soft_vpnpool1
..................
nat (inside,any) source static N1-192.168.32.0 N1-192.168.32.0 destination static N1-192.168.31.0 N1-192.168.31.0 unidirectional
.........


The vpn goes up and I get an ip address, but it's impossible to reach the internal network.

This is what I can see from the logs:

............................................................
Mar 11 10:10:20 192.168.32.140 : Mar 11 10:10:20 CET: %ASA-ipaa-6-737026: IPAA: Client assigned 192.168.31.1 from local pool
Mar 11 10:10:20 192.168.32.140 : Mar 11 10:10:20 CET: %ASA-vpn-6-713228: Group = prova4, Username = pippo, IP = 212.x.x.x, Assigned private IP address 192.168.31.1 to remote user
Mar 11 10:10:20 192.168.32.141 : Mar 11 10:10:20 CET: %ASA-ipaa-6-737029: IPAA: Added 192.168.31.1 to standby
Mar 11 10:10:29 192.168.32.140 : Mar 11 10:10:29 CET: %ASA-bridge-6-110002: Failed to locate egress interface for UDP from outside:192.168.31.1/1885 to 239.255.255.250/1900
Mar 11 10:11:51 192.168.32.140 : Mar 11 10:11:51 CET: %ASA-vpn-5-713050: Group = prova4, Username =pippo, IP = 212.x.x.x, Connection terminated for peer pippo.  Reason: Peer Terminate  Remote Proxy 192.168.31.1, Local Proxy 0.0.0.0
Mar 11 10:11:51 192.168.32.140 : Mar 11 10:11:51 CET: %ASA-ipaa-6-737016: IPAA: Freeing local pool address 192.168.31.1
Mar 11 10:11:51 192.168.32.141 : Mar 11 10:11:51 CET: %ASA-ipaa-6-737031: IPAA: Removed 192.168.31.1 from standby
............................................................


The only error I can see is %ASA-bridge-6-110002, which is not related to the traffic I'm generating; it's like a messenger program trying to do multicast.
What I can tell you from the VPN client I'm using is that I can see encrypted packets going out my tunnel, but nothing incoming. Also, on the firewall I can see no incoming packets from this tunnel.
Another thing I noticed: is it correct that I do not have a default gateway IP address when the tunnel goes up? I'm not talking about my normal network: when the VPN goes up I can see that my address is 192.168.31.1, which is correctly taken from the pool I've decided on, but my default gateway is again 192.168.31.1.
Thanks for your help.

9 Replies

Jennifer Halim
Cisco Employee

The following configuration is incorrect:

nat (inside,any) source static N1-192.168.32.0 N1-192.168.32.0 destination static N1-192.168.31.0 N1-192.168.31.0 unidirectional

Please kindly remove it, and change it to the following:

nat (inside,outside) source static N1-192.168.32.0 N1-192.168.32.0 destination static N1-192.168.31.0 N1-192.168.31.0

Your split tunnel ACL is also incorrect, please kindly remove it and change it to:


access-list soft_vpnpool1 standard 192.168.32.0 255.255.255.0
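The two corrections above (an RA VPN identity NAT that names the outside interface and is not unidirectional, and a split-tunnel list that is a standard ACL) can be checked mechanically. The script below is an added example, not part of the thread; it audits a pasted ASA 8.3 config fragment against exactly those two points, using constructed samples built from the original post and the reply (the standard ACL is written with `permit`, which the ASA syntax requires).

```python
import re

# Constructed samples: the NAT line and split-tunnel ACL from the original post,
# then the corrected forms from the reply (ASA 8.3 syntax).
BROKEN_CFG = """\
access-list soft_vpnpool1 extended permit ip host 192.168.31.1 host 192.168.32.254
access-list soft_vpnpool1 extended permit ip any any
group-policy test_vpnpool1_policy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value soft_vpnpool1
nat (inside,any) source static N1-192.168.32.0 N1-192.168.32.0 destination static N1-192.168.31.0 N1-192.168.31.0 unidirectional
"""
FIXED_CFG = """\
access-list soft_vpnpool1 standard permit 192.168.32.0 255.255.255.0
group-policy test_vpnpool1_policy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value soft_vpnpool1
nat (inside,outside) source static N1-192.168.32.0 N1-192.168.32.0 destination static N1-192.168.31.0 N1-192.168.31.0
"""

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(standard|extended)\b")
SPLIT_RE = re.compile(r"^\s*split-tunnel-network-list\s+value\s+(\S+)")
NAT_RE = re.compile(r"^nat\s+\((\S+),(\S+)\)\s+source\s+static\b.*\bdestination\s+static\b")

def audit_ra_vpn(cfg):
    """Return findings for the two misconfigurations the reply above corrects."""
    acl_types, split_acls, findings = {}, set(), []
    for line in cfg.splitlines():
        if m := ACL_RE.match(line):
            acl_types.setdefault(m.group(1), m.group(2))  # ACL type set by first entry
        elif m := SPLIT_RE.match(line):
            split_acls.add(m.group(1))
        elif m := NAT_RE.match(line):
            ifc_in, ifc_out = m.group(1), m.group(2)
            unidir = line.split()[-1] == "unidirectional"
            if ifc_out == "any" or unidir:
                findings.append(
                    f"nat ({ifc_in},{ifc_out}): RA VPN identity NAT should name the "
                    f"outside interface and must not be 'unidirectional'")
    for acl in sorted(split_acls):
        if acl_types.get(acl) != "standard":
            findings.append(
                f"split-tunnel-network-list {acl}: must be a standard ACL that "
                f"lists only the internal subnet(s), e.g. 192.168.32.0/24")
    return findings

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_CFG), ("fixed", FIXED_CFG)):
        print(name, audit_ra_vpn(cfg) or ["no findings"])
```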

Hi, I still can't connect. If you take a look at the output of the ASDM you can see that my firewall does not encrypt packets out!

What could be the problem?

Hi,

On being connected to the RA VPN, are you able to ping the inside interface on the ASA? Please ensure that the following command is present:

management-access inside

Also ensure that the inside interface ip address is a part of interesting traffic.

Make sure the host you are trying to ping from the client is pingable from the ASA.

If yes, please check the routing in the internal network and see if the route to the pool IP exists on the L3 devices in the internal network.

Hope this helps.

Regards,

Anisha

P.S.: please mark this post as answered if you feel your query is resolved. Do rate helpful posts.

There's management-access inside, and there's a route in the routing table for the IP address of the VPN.

However I think the key of the problem is that the firewall does not encrypt the traffic back to my client.

Could it be a problem of the client version? I'm using 4.0.5.

Hi,

The problem is with the ASA, right, as the ASA is not encrypting the data. We need to check whether the ASA is dropping the packet or the packet is not reaching the ASA, hence it is not encrypting.

Please try the steps mentioned in the previous posts.

Regards,

Anisha

-Do rate helpful posts.

I corrected my configuration, but maybe it's better if I start again from nothing.

Can you post a simple configuration for a remote access VPN using the Cisco client? I would just like to be able to access my devices on the inside interface at 192.168.32.0/24.

Hi,

Here is the sample configuration for the same:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008060f25c.shtml

Also ensure that the interesting traffic is NAT exempted, which I guess is missing in the link. The ASDM RA VPN Wizard will be best to configure it.

Hope this helps.

Regards,

Anisha

P.S.: please mark this post as answered if you feel your query is resolved. Do rate helpful posts.

I followed the guide and copied every configuration, but I still have the same problem: the firewall does not encrypt the traffic towards my client. I added a screenshot after the new configuration. I hope someone can tell me what to do, thanks.

Hi,

On being connected to the RA VPN, are you able to ping the inside interface on the ASA?

Also ensure that the inside interface IP address is a part of interesting traffic.

Make sure the host you are trying to ping from the client is pingable from the ASA.

If yes, please check the routing in the internal network and see if the route to the pool IP exists on the L3 devices in the internal network.

Hope this helps.

Regards,

Anisha

P.S.: please mark this post as answered if you feel your query is resolved. Do rate helpful posts.