SOLVED: Remote client VPN, traffic one way only

johnnykaye
Level 1

I have a few ASAs with L2Ls in a hub-and-spoke fashion, which works great. All ASAs are 8.2(1). I've tried to add remote-vpn to the HQ ASA. I have this working on a PIX 6.3 box at HQ, but have not been able to make it work completely on the ASA.

Just to check, I also set up remote client vpn access on one of the spoke ASAs, and that actually did go well. Applying the equivalent config on the HQ ASA - won't function.

The problem with the HQ ASA remote client vpn is that after completed phase 1 & 2, the traffic goes one way only, from client side towards the ASA. I.e. the remote side only encaps, no decaps; the ASA side only decaps, no encaps. If the remote client pings a host on the inside (i.e. behind the HQ ASA) the packets arrive, and are returned towards the ASA (a correct route for the remote vpn network is in place on the inside host). However, it seems as if the ASA doesn't send that traffic back into the tunnel, but rather sends it unencrypted through the default route (doing a traceroute from the inside host for instance suggests this).

The ONLY way I can pass traffic towards the remote client is by initiating a ping from within the HQ ASA; it's the only time I get encaps on the ASA side and decaps on the remote side of the tunnel. Interestingly, it's actually the "ping outside 192.168..." that works; doing an "inside" ping fails. Compare this to the spoke ASA and its remote vpn client: there an inside ping is successful, but not an outside ping, i.e. the spoke ASA functions as expected with its remote vpn. Given that the configs on the two ASAs are the same for remote client access, I would have expected both to work, not only one of them. But then, the HQ ASA has more lines of code, and I guess that something there gets in the way.

Below is a sanitised config from the HQ ASA; it would be absolutely great if someone could put me on the right track here.

Best,

Johnny

-------------------------------------------------------------------

HQ:

ASA Version 8.2(1)
!
hostname HQ
domain-name blah.com
enable password blah
passwd blah encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.16.106.1 255.255.255.128
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 191.xx.xx.xx 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa821-k8.bin
dns server-group DefaultDNS
 domain-name blah.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list inside_nat0_outbound extended permit ip 172.16.106.0 255.255.255.0 any
access-list outside_1_cryptomap_1 extended permit ip 172.16.106.0 255.255.255.0 any
access-list HQ-BRANCH extended permit ip 172.16.106.0 255.255.255.128 172.16.106.160 255.255.255.248
access-list HQ-BRANCH extended permit ip 191.xx.xx.xx 255.255.224.0 172.16.106.160 255.255.255.248
access-list HQ-2ndBRANCH extended permit ip 172.16.106.0 255.255.255.128 172.16.106.168 255.255.255.248
access-list HQ-2ndBRANCH extended permit ip 191.xx.xx.xx 255.255.224.0 172.16.106.168 255.255.255.248
access-list remote_vpn_split_Tunnel standard permit 172.16.106.0 255.255.255.128
access-list remote_vpn_split_Tunnel standard permit 191.xx.xx.xx 255.255.224.0
!
ip local pool remote_client_pool 192.168.17.1-192.168.17.6
!
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 191.xx.xx.xx 1
!
dynamic-access-policy-record DfltAccessPolicy
!
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 172.16.106.15
 timeout 5
 key blah
!
sysopt noproxyarp inside
!
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ipsec security-association replay disable
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto map outside_map 10 match address HQ-BRANCH
crypto map outside_map 10 set peer xx.xx.xx.xx
crypto map outside_map 10 set transform-set ESP-3DES-MD5
crypto map outside_map 20 match address HQ-2ndBRANCH
crypto map outside_map 20 set peer yy.yy.yy.yy
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 90 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map 100 match address outside_1_cryptomap_1
crypto map outside_map 100 set peer 191.xx.xx.xx
crypto map outside_map 100 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
telnet 172.16.106.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
!
group-policy remote_vpn internal
group-policy remote_vpn attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value remote_vpn_split_Tunnel
username whatever password blah encrypted
tunnel-group 191.xx.xx.xx type ipsec-l2l
tunnel-group 191.xx.xx.xx ipsec-attributes
 pre-shared-key *
tunnel-group xx.xx.xx.xx type ipsec-l2l
tunnel-group xx.xx.xx.xx ipsec-attributes
 pre-shared-key *
tunnel-group yy.yy.yy.yy type ipsec-l2l
tunnel-group yy.yy.yy.yy ipsec-attributes
 pre-shared-key *
tunnel-group remote_vpn_clients type remote-access
tunnel-group remote_vpn_clients general-attributes
 address-pool remote_client_pool
 authentication-server-group RADIUS
 default-group-policy remote_vpn
tunnel-group remote_vpn_clients ipsec-attributes
 pre-shared-key *
tunnel-group-map default-group 191.xx.xx.xx
!
class-map inspection_default
 match default-inspection-traffic
!
!
service-policy global_policy global
prompt hostname context
: end

7 Replies

Julio Carvajal
VIP Alumni

Hello Johnny,

I had a case like this.

The customer was running 8.2.1 and this was the bug we hit.

Please check it:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtd36473

Bug ID CSCtd36473

Any other question..Sure... Just remember to rate all of my answers

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Thanks Julio, but the ASA does not give the kind of asp drops that come with that bug. So it's something else.

The sh asp drop reveals this though:

IPSec inner policy mismatch failure (ipsec-selector-failure)

Its counter increases at the same rate no matter if the remote-client is connected or not, so it's apparently not triggered by the remote client vpn connection. But maybe the source of this error also causes the issues with the remote client vpn? Looking at my other ASA with the other (functioning) remote VPN, the asp is clean of any such messages.

When I had issues with one-way traffic on an L2L a month or so ago, this was solved by re-arranging crypto map priorities. Have not found any glaring similar faults this time though, maybe somebody else with a fresh perspective can pinpoint any config issues here...

Hi,

Could you please share a packet-tracer output?

packet-tracer input inside icmp internal_host 8 0 remote_client_IP detail

Thanks.

Portu.

Hello Portu, sure, here goes:

-----------------------------------------

HQ# packet-tracer input inside icmp 172.16.106.71 8 0 192.168.17.1 detail

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
 in  id=0xd8178dc0, priority=1, domain=permit, deny=false
        hits=4032991, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0000.0000.0000

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.17.1    255.255.255.255 outside

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
 in  id=0xd817b5d0, priority=0, domain=permit-ip-option, deny=true
        hits=64438, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
 in  id=0xd817ac70, priority=66, domain=inspect-icmp-error, deny=false
        hits=438, user_data=0xd817ab68, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 6
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
nat-control
  match ip inside 172.16.106.0 255.255.255.0 outside any
    NAT exempt
    translate_hits = 51682, untranslate_hits = 13413
Additional Information:
Forward Flow based lookup yields rule:
 in  id=0xd81f23f8, priority=6, domain=nat-exempt, deny=false
        hits=54354, user_data=0xd81f2338, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip=172.16.106.0, mask=255.255.255.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 7
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
nat-control
  match ip inside any outside any
    dynamic translation to pool 1 (191.xx.xx.xx [Interface PAT])
    translate_hits = 0, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
 in  id=0xd81f36c8, priority=1, domain=nat, deny=false
        hits=52662, user_data=0xd81f3608, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 8
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
nat-control
  match ip inside any inside any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
 in  id=0xd81f3218, priority=1, domain=host, deny=false
        hits=72495, user_data=0xd81f2e00, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 9
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
 in  id=0xd81c59b8, priority=0, domain=host-limit, deny=false
        hits=53575, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 10
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
 out id=0xd5237b50, priority=70, domain=encrypt, deny=false
        hits=106, user_data=0x4efe1c, cs_id=0xd858c7a0, reverse, flags=0x0, protocol=0
        src ip=172.16.106.0, mask=255.255.255.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 88325, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_adjacency
snp_fp_encrypt
snp_fp_fragmen
snp_ifc_sta

Module information for reverse flow ...

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

--------------------------------------

Best,

Johnny

johnnykaye
Level 1

SO, I finally solved it.

Long (very long) story short - I removed the "any" ACLs, and put in granular ones pointing to the respective networks at the other ends. Both the nonat, and the crypto-ACL for the main L2L, and in that order. After that, the RA VPN worked as it should!

Interestingly, I have had no problem with these while running several L2L vpns simultaneously, not until I wanted to add this RA VPN. Oh well. Got to love the ASA.

Thanks to those who took the time to look and come up with suggestions. This thing with the "any" statements never came up in this thread, but it's a rather common suggestion when VPNs are one-sided. The fact that I solved an issue with a one-sided L2L earlier on the same box without altering the "any" statements caused me to not look that way for quite some while...

On my wishing list - if anyone can actually explain this behaviour (rather than just state that this is the way the ASA seems to work at times), a post on the subject would be most welcome.

Best,

Johnny
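A check of the kind Johnny's fix implies, added here as an example (not code from the thread or from Cisco): it parses the crypto-map and nat 0 ACLs of an ASA 8.2 config, expands the remote-access pool, and reports static crypto ACL entries whose destination covers the pool, plus leftover "any" destinations on crypto or NAT-exemption ACLs. The packet-tracer output above shows why the first class matters: phase 10 selected an encrypt rule with src 172.16.106.0/24 and dst mask 0.0.0.0 for an inside-to-client packet, which is the ASP rule a "permit ip 172.16.106.0 255.255.255.0 any" crypto ACL produces. The sample config is constructed from the HQ lines posted above; 191.0.0.0/19 stands in for the masked 191.xx.xx.xx network and 192.0.2.0/24 is a placeholder for the unknown far-end network of that L2L.

```python
"""Audit ASA 8.x crypto-map and NAT-exemption ACLs against the remote-access pool.
Added example, not code from the thread; assumes ASA 8.2-style syntax (netmask-based
extended ACLs, 'nat (IF) 0 access-list NAME', 'ip local pool NAME first-last')."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

ANY = ipaddress.ip_network("0.0.0.0/0")

# Constructed sample: the VPN-relevant lines of the HQ config posted above; the masked
# 191.xx.xx.xx network is replaced by the placeholder 191.0.0.0/19.
SAMPLE_CONFIG = """
access-list inside_nat0_outbound extended permit ip 172.16.106.0 255.255.255.0 any
access-list outside_1_cryptomap_1 extended permit ip 172.16.106.0 255.255.255.0 any
access-list HQ-BRANCH extended permit ip 172.16.106.0 255.255.255.128 172.16.106.160 255.255.255.248
access-list HQ-BRANCH extended permit ip 191.0.0.0 255.255.224.0 172.16.106.160 255.255.255.248
access-list HQ-2ndBRANCH extended permit ip 172.16.106.0 255.255.255.128 172.16.106.168 255.255.255.248
access-list remote_vpn_split_Tunnel standard permit 172.16.106.0 255.255.255.128
ip local pool remote_client_pool 192.168.17.1-192.168.17.6
nat (inside) 0 access-list inside_nat0_outbound
crypto map outside_map 10 match address HQ-BRANCH
crypto map outside_map 20 match address HQ-2ndBRANCH
crypto map outside_map 90 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map 100 match address outside_1_cryptomap_1
"""

# Constructed 'after' version in the spirit of Johnny's fix: both 'any' entries become
# granular. 192.0.2.0/24 is a placeholder for the unknown far end of the 191.xx L2L;
# 192.168.17.0/29 is the RA pool, which the NAT exemption must still cover.
TIGHTENED_CONFIG = SAMPLE_CONFIG.replace(
    "access-list inside_nat0_outbound extended permit ip 172.16.106.0 255.255.255.0 any",
    "access-list inside_nat0_outbound extended permit ip 172.16.106.0 255.255.255.128 192.0.2.0 255.255.255.0\n"
    "access-list inside_nat0_outbound extended permit ip 172.16.106.0 255.255.255.128 192.168.17.0 255.255.255.248",
).replace(
    "access-list outside_1_cryptomap_1 extended permit ip 172.16.106.0 255.255.255.0 any",
    "access-list outside_1_cryptomap_1 extended permit ip 172.16.106.0 255.255.255.128 192.0.2.0 255.255.255.0",
)

def _take_addr(tokens: List[str], i: int):
    """Consume one ACL address spec (any | host A | A MASK) at tokens[i]; return (net, next i)."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1]), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2

def parse_extended_acls(config: str) -> Dict[str, List[Tuple]]:
    """Return {acl_name: [(src_net, dst_net, line), ...]} for extended 'permit ip' entries."""
    acls: Dict[str, List[Tuple]] = {}
    for raw in config.splitlines():
        t = raw.split()
        if len(t) < 4 or t[0] != "access-list":
            continue
        body = t[3:] if t[2] == "extended" else t[2:]
        if body[:2] != ["permit", "ip"]:
            continue  # standard ACLs, remarks and non-IP entries are out of scope here
        try:
            src, i = _take_addr(body, 2)
            dst, _ = _take_addr(body, i)
        except (IndexError, ValueError):
            continue  # malformed or truncated line
        acls.setdefault(t[1], []).append((src, dst, raw.strip()))
    return acls

def parse_pools(config: str) -> Dict[str, list]:
    """Return {pool_name: [networks]} from 'ip local pool NAME first-last [mask M]'."""
    return {m.group(1): list(ipaddress.summarize_address_range(
                ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3))))
            for m in re.finditer(r"^\s*ip local pool (\S+) (\S+)-(\S+)", config, re.M)}

def parse_acl_users(config: str) -> List[Tuple[str, str]]:
    """Return [(context, acl_name)] for every static crypto-map entry and nat 0 statement."""
    users = [(f"crypto map {m.group(1)} {m.group(2)}", m.group(3)) for m in
             re.finditer(r"^\s*crypto map (\S+) (\d+) match address (\S+)", config, re.M)]
    users += [(f"nat ({m.group(1)}) 0", m.group(2)) for m in
              re.finditer(r"^\s*nat \((\S+)\) 0 access-list (\S+)", config, re.M)]
    return users

@dataclass(frozen=True)
class Finding:
    kind: str     # "crypto-acl-covers-pool" or "any-destination"
    context: str  # the crypto map entry or nat 0 statement that references the ACL
    acl: str
    line: str     # the offending access-list entry

def audit(config: str) -> List[Finding]:
    """Flag static crypto ACL entries whose destination covers the RA pool (inside->client
    traffic then matches the L2L proxy identity) and leftover 'any' destinations."""
    acls = parse_extended_acls(config)
    pool_nets = [n for nets in parse_pools(config).values() for n in nets]
    findings = []
    for context, acl in parse_acl_users(config):
        for _src, dst, line in acls.get(acl, []):
            if context.startswith("crypto map") and any(dst.overlaps(p) for p in pool_nets):
                findings.append(Finding("crypto-acl-covers-pool", context, acl, line))
            elif dst == ANY:
                findings.append(Finding("any-destination", context, acl, line))
    return findings
```

Running audit(SAMPLE_CONFIG) yields two findings: the crypto map outside_map 100 ACL covers the 192.168.17.x pool, and the nat (inside) 0 ACL still has an "any" destination. audit(TIGHTENED_CONFIG) returns nothing: the NAT exemption is allowed to name the pool explicitly (inside hosts must reach clients untranslated), while the static crypto ACL no longer claims the pool, so inside-to-client traffic can only be matched by the dynamic map entry.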

Hi Everyone,

I have a similar problem. I'm able to connect via VPN client and ping only one host on the remote lan and nothing else. I'm using both split-tunnel and non-split-tunnel, but neither has worked. My main objective is to make the remote user connect to the office lan (remote lan for him) and the office Internet connection. Both these objectives are not fulfilled by my configuration given below:

Please have a look, any help will be highly appreciated. 

Result of the command: "show run"

: Saved
:
ASA Version 8.0(4)
!
hostname ciscoasa
domain-name xxx.xxx
enable password PYCOFbMCV52U4BMk encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address xxx.xxx.xxx.xxx 255.255.255.240
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.2.251 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.5.1 255.255.255.0
 management-only
!
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 192.168.2.32
 name-server 221.132.112.8
 domain-name xxx.xxx
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list NONAT remark ***VPN****
access-list NONAT extended permit ip 192.168.2.0 255.255.255.0 192.168.20.0 255.255.255.192
access-list GVSKhiNW standard permit 192.168.2.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool VPNPOOL 192.168.20.1-192.168.20.50
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-635.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (outside) 1 192.168.20.0 255.255.255.0
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.5.0 255.255.255.0 management
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set RA-TS esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map DYN_MAP 10 set pfs group1
crypto dynamic-map DYN_MAP 10 set transform-set RA-TS
crypto dynamic-map DYN_MAP 10 set security-association lifetime seconds 28800
crypto dynamic-map DYN_MAP 10 set security-association lifetime kilobytes 4608000
crypto dynamic-map DYN_MAP 10 set reverse-route
crypto map VPN_MAP 30 ipsec-isakmp dynamic DYN_MAP
crypto map VPN_MAP interface outside
crypto isakmp enable outside
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 3600
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.5.2-192.168.5.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable outside
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-policy newgrp internal
group-policy newgrp attributes
 dns-server value 192.168.2.32 221.132.112.8
 vpn-tunnel-protocol IPSec svc
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value GVSKhiNW
 default-domain value GVS.Khi
group-policy company-vpn-policy internal
group-policy company-vpn-policy attributes
 dns-server value 192.168.2.32
 vpn-tunnel-protocol IPSec l2tp-ipsec svc
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
username ajmal password RFhaYswjfEEiEFRF encrypted privilege 15
username ajmal attributes
 vpn-group-policy company-vpn-policy
username mali password xPY4CsMWghZDv83P encrypted privilege 0
username mali attributes
 vpn-group-policy newgrp
tunnel-group vpnclient type remote-access
tunnel-group vpnclient general-attributes
 address-pool VPNPOOL
 default-group-policy company-vpn-policy
tunnel-group vpnclient ipsec-attributes
 pre-shared-key *
tunnel-group newgrp type remote-access
tunnel-group newgrp general-attributes
 address-pool VPNPOOL
 default-group-policy newgrp
tunnel-group newgrp ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:a7720c723cdc74148690b044fee171c3
: end

Thanks.

Hi Johnny,

I am happy to know that it works fine now.

Please mark this post as answered

On the other hand, Ali, please check your other post, I already updated it.

Thanks.

Portu.
