09-18-2012 03:03 PM
I have a few ASAs with L2Ls in a hub-and-spoke fashion; it works great. All ASAs are 8.2(1). I've tried to add remote VPN to the HQ ASA. I have this working on a PIX 6.3 box at HQ, but have not been able to make it work completely on the ASA.
Just to check, I also set up remote client VPN access on one of the spoke ASAs, and that actually did go well. Applying the equivalent config on the HQ ASA won't function.
The problem with the HQ ASA remote client VPN is that after completing phase 1 & 2, the traffic goes one way only, from the client side towards the ASA. I.e. the remote side only encaps, no decaps; the ASA side only decaps, no encaps. If the remote client pings a host on the inside (i.e. behind the HQ ASA) the packets arrive and are returned towards the ASA (a correct route for the remote VPN network is in place on the inside host). However, it seems as if the ASA doesn't send that traffic back into the tunnel, but rather sends it unencrypted through the default route (doing a traceroute from the inside host, for instance, suggests this).
The ONLY way I can pass traffic towards the remote client is by initiating a ping from within the HQ ASA; it's the only time I get encaps on the ASA side and decaps on the remote side of the tunnel. Interestingly, it's actually the "ping outside 192.168..." that works; doing an "inside" ping fails. Compare this to the spoke ASA and its remote VPN client: there an inside ping is successful, but not an outside ping, i.e. the spoke ASA functions as expected with its remote VPN. Given that the configs on the two ASAs are the same for remote client access, I would have expected both to work, not only one of them. But then, the HQ ASA has more lines of config, and I guess that something there gets in the way.
Below is a sanitised config from the HQ ASA; it would be absolutely great if someone could put me on the right track here.
Best,
Johnny
-------------------------------------------------------------------
HQ:
ASA Version 8.2(1)
!
hostname HQ
domain-name blah.com
enable password blah
passwd blah encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 172.16.106.1 255.255.255.128
!
interface Vlan2
nameif outside
security-level 0
ip address 191.xx.xx.xx 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa821-k8.bin
dns server-group DefaultDNS
domain-name blah.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list inside_nat0_outbound extended permit ip 172.16.106.0 255.255.255.0 any
access-list outside_1_cryptomap_1 extended permit ip 172.16.106.0 255.255.255.0 any
access-list HQ-BRANCH extended permit ip 172.16.106.0 255.255.255.128 172.16.106.160 255.255.255.248
access-list HQ-BRANCH extended permit ip 191.xx.xx.xx 255.255.224.0 172.16.106.160 255.255.255.248
access-list HQ-2ndBRANCH extended permit ip 172.16.106.0 255.255.255.128 172.16.106.168 255.255.255.248
access-list HQ-2ndBRANCH permit ip 191.xx.xx.xx 255.255.224.0 172.16.106.168 255.255.255.248
access-list remote_vpn_split_Tunnel standard permit 172.16.106.0 255.255.255.128
access-list remote_vpn_split_Tunnel standard permit 191.xx.xx.xx 255.255.224.0
!
ip local pool remote_client_pool 192.168.17.1-192.168.17.6
!
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 191.xx.xx.xx 1
!
dynamic-access-policy-record DfltAccessPolicy
!
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 172.16.106.15
timeout 5
key blah
!
sysopt noproxyarp inside
!
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ipsec security-association replay disable
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto map outside_map 10 match address HQ-BRANCH
crypto map outside_map 10 set peer xx.xx.xx.xx
crypto map outside_map 10 set transform-set ESP-3DES-MD5
crypto map outside_map 20 match address HQ-2ndBRANCH
crypto map outside_map 20 set peer yy.yy.yy.yy
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 90 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map 100 match address outside_1_cryptomap_1
crypto map outside_map 100 set peer 191.xx.xx.xx
crypto map outside_map 100 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet 172.16.106.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
!
group-policy remote_vpn internal
group-policy remote_vpn attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value remote_vpn_split_Tunnel
username whatever password blah encrypted
tunnel-group 191.xx.xx.xx type ipsec-l2l
tunnel-group 191.xx.xx.xx ipsec-attributes
pre-shared-key *
tunnel-group xx.xx.xx.xx type ipsec-l2l
tunnel-group xx.xx.xx.xx ipsec-attributes
pre-shared-key *
tunnel-group yy.yy.yy.yy type ipsec-l2l
tunnel-group yy.yy.yy.yy ipsec-attributes
pre-shared-key *
tunnel-group remote_vpn_clients type remote-access
tunnel-group remote_vpn_clients general-attributes
address-pool remote_client_pool
authentication-server-group RADIUS
default-group-policy remote_vpn
tunnel-group remote_vpn_clients ipsec-attributes
pre-shared-key *
tunnel-group-map default-group 191.xx.xx.xx
!
class-map inspection_default
match default-inspection-traffic
!
!
service-policy global_policy global
prompt hostname context
: end
09-18-2012 04:34 PM
Hello Johnny,
I had a case like this.
The customer was running 8.2.1 and this was the bug we hit.
Please check it:
Bug ID CSCtd36473
Any other question? Sure... Just remember to rate all of my answers.
Julio
09-20-2012 02:21 PM
Thanks Julio, but the ASA does not give the kind of ASP drops that come with that bug. So it's something else.
The "sh asp drop" reveals this though:
IPSec inner policy mismatch failure (ipsec-selector-failure)
Its counter increases at the same rate no matter whether the remote client is connected or not, so it's apparently not triggered by the remote client VPN connection. But maybe the source of this error also causes the issues with the remote client VPN? Looking at my other ASA with the other (functioning) remote VPN, the ASP is clean of any such messages.
When I had issues with one-way traffic on an L2L a month or so ago, this was solved by re-arranging crypto map priorities. I have not found any glaringly similar faults this time though; maybe somebody else with a fresh perspective can pinpoint any config issues here...
09-20-2012 02:39 PM
Hi,
Could you please share a packet-tracer output?
packet-tracer input inside icmp internal_host 8 0 remote_client_IP detail
Thanks.
Portu.
09-20-2012 03:08 PM
Hello Portu, sure, here goes:
-----------------------------------------
HQ# packet-tracer input inside icmp 172.16.106.71 8 0 192.168.17.1 detail
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd8178dc0, priority=1, domain=permit, deny=false
hits=4032991, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0000.0000.0000
Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.17.1 255.255.255.255 outside
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd817b5d0, priority=0, domain=permit-ip-option, deny=true
hits=64438, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule
in id=0xd817ac70, priority=66, domain=inspect-icmp-error, deny=false
hits=438, user_data=0xd817ab68, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 6
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
nat-control
match ip inside 172.16.106.0 255.255.255.0 outside any
NAT exempt
translate_hits = 51682, untranslate_hits = 13413
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd81f23f8, priority=6, domain=nat-exempt, deny=false
hits=54354, user_data=0xd81f2338, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip=172.16.106.0, mask=255.255.255.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 7
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
nat-control
match ip inside any outside any
dynamic translation to pool 1 (191.xx.xx.xx [Interface PAT])
translate_hits = 0, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd81f36c8, priority=1, domain=nat, deny=false
hits=52662, user_data=0xd81f3608, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 8
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
nat-control
match ip inside any inside any
dynamic translation to pool 1 (No matching global)
translate_hits = 0, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd81f3218, priority=1, domain=host, deny=false
hits=72495, user_data=0xd81f2e00, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 9
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd81c59b8, priority=0, domain=host-limit, deny=false
hits=53575, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 10
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0xd5237b50, priority=70, domain=encrypt, deny=false
hits=106, user_data=0x4efe1c, cs_id=0xd858c7a0, reverse, flags=0x0, protocol=0
src ip=172.16.106.0, mask=255.255.255.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 88325, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_adjacency
snp_fp_encrypt
snp_fp_fragmen
snp_ifc_sta
Module information for reverse flow ...
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
--------------------------------------
Best,
Johnny
09-21-2012 02:36 PM
So, I finally solved it.
Long (very long) story short: I removed the "any" ACLs and put in granular ones pointing to the respective networks at the other ends. Both the nonat and the crypto ACL for the main L2L, in that order. After that, the RA VPN worked as it should!
Interestingly, I have had no problem with these while running several L2L VPNs simultaneously, not until I wanted to add this RA VPN. Oh well. Got to love the ASA.
Thanks to those who took the time to look and come up with suggestions. This thing with the "any" statements never came up in this thread, but it's a rather common suggestion when VPNs are one-sided. The fact that I solved an issue with a one-sided L2L earlier on the same box without altering the "any" statements caused me not to look that way for quite some while...
On my wish list: if anyone can actually explain this behaviour (rather than just state that this is the way the ASA seems to work at times), a post on the subject would be most welcome.
Best,
Johnny
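The overlap Johnny removed (a crypto ACL and a nat-exempt ACL whose "any" destination also covers the remote-access pool) can be spotted mechanically. The following is an added example, not code from the thread or from Cisco: it parses a constructed excerpt of the sanitised HQ config above (the 191.xx lines are left out), summarises the "ip local pool" range, and reports every crypto-map or nat 0 ACL whose destination overlaps that pool. It also handles "host" operands, which the thread's config does not use.

```python
import ipaddress

# Constructed excerpt of the sanitised HQ config from the thread (not the full config).
HQ_CONFIG = """
access-list inside_nat0_outbound extended permit ip 172.16.106.0 255.255.255.0 any
access-list outside_1_cryptomap_1 extended permit ip 172.16.106.0 255.255.255.0 any
access-list HQ-BRANCH extended permit ip 172.16.106.0 255.255.255.128 172.16.106.160 255.255.255.248
ip local pool remote_client_pool 192.168.17.1-192.168.17.6
nat (inside) 0 access-list inside_nat0_outbound
crypto map outside_map 10 match address HQ-BRANCH
crypto map outside_map 100 match address outside_1_cryptomap_1
"""

def _nets(tokens):
    """Consume two ASA address operands: 'any', 'host A', or 'A MASK'."""
    nets = []
    while tokens and len(nets) < 2:
        if tokens[0] == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0")); tokens = tokens[1:]
        elif tokens[0] == "host":
            nets.append(ipaddress.ip_network(tokens[1] + "/32")); tokens = tokens[2:]
        else:
            nets.append(ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False))
            tokens = tokens[2:]
    return nets

def audit(config):
    """Return (kind, acl, seq) for crypto-map / nat 0 ACLs whose destination overlaps an RA pool."""
    acls, pools, crypto, nat0 = {}, [], {}, set()
    for line in config.strip().splitlines():
        t = line.split()
        if t[:1] == ["access-list"] and t[2:5] == ["extended", "permit", "ip"]:
            src, dst = _nets(t[5:])
            acls.setdefault(t[1], []).append((src, dst))
        elif t[:3] == ["ip", "local", "pool"]:
            lo, hi = (ipaddress.ip_address(a) for a in t[4].split("-"))
            pools.extend(ipaddress.summarize_address_range(lo, hi))
        elif t[:2] == ["crypto", "map"] and t[4:6] == ["match", "address"]:
            crypto[t[6]] = int(t[3])          # ACL name -> crypto map sequence number
        elif t[:1] == ["nat"] and t[2:4] == ["0", "access-list"]:
            nat0.add(t[4])                    # ACL used for NAT exemption
    findings = []
    for name, aces in acls.items():
        if not any(p.overlaps(dst) for p in pools for _, dst in aces):
            continue  # this ACL never selects remote-access client addresses
        if name in nat0:
            findings.append(("nat-exempt", name, None))
        if name in crypto:
            findings.append(("crypto-map", name, crypto[name]))
    return findings

if __name__ == "__main__":
    for kind, acl, seq in audit(HQ_CONFIG):
        print(f"{kind}: ACL {acl}" + (f" (seq {seq})" if seq else "") + " also matches the RA pool")
```

HQ-BRANCH is not reported because its destination is the branch /29 only; the two "any" ACLs are, which is exactly the pair the fix replaced with granular entries.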
09-25-2012 05:10 AM
Hi Everyone,
I have a similar problem: I'm able to connect via the VPN client and ping only one host on the remote LAN, and nothing else. I'm using both split-tunnel and non-split-tunnel, but neither has worked. My main objective is to let the remote user connect to the office LAN (a remote LAN for him) and the office Internet connection. Neither of these objectives is fulfilled by my configuration given below.
Please have a look; any help will be highly appreciated.
Result of the command: "show run"
: Saved
:
ASA Version 8.0(4)
!
hostname ciscoasa
domain-name xxx.xxx
enable password PYCOFbMCV52U4BMk encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address xxx.xxx.xxx.xxx 255.255.255.240
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.2.251 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.5.1 255.255.255.0
management-only
!
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
name-server 192.168.2.32
name-server 221.132.112.8
domain-name xxx.xxx
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list NONAT remark ***VPN****
access-list NONAT extended permit ip 192.168.2.0 255.255.255.0 192.168.20.0 255.255.255.192
access-list GVSKhiNW standard permit 192.168.2.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool VPNPOOL 192.168.20.1-192.168.20.50
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-635.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (outside) 1 192.168.20.0 255.255.255.0
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.5.0 255.255.255.0 management
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set RA-TS esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map DYN_MAP 10 set pfs group1
crypto dynamic-map DYN_MAP 10 set transform-set RA-TS
crypto dynamic-map DYN_MAP 10 set security-association lifetime seconds 28800
crypto dynamic-map DYN_MAP 10 set security-association lifetime kilobytes 4608000
crypto dynamic-map DYN_MAP 10 set reverse-route
crypto map VPN_MAP 30 ipsec-isakmp dynamic DYN_MAP
crypto map VPN_MAP interface outside
crypto isakmp enable outside
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 3600
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.5.2-192.168.5.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-policy newgrp internal
group-policy newgrp attributes
dns-server value 192.168.2.32 221.132.112.8
vpn-tunnel-protocol IPSec svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list value GVSKhiNW
default-domain value GVS.Khi
group-policy company-vpn-policy internal
group-policy company-vpn-policy attributes
dns-server value 192.168.2.32
vpn-tunnel-protocol IPSec l2tp-ipsec svc
split-tunnel-policy tunnelall
split-tunnel-network-list none
username ajmal password RFhaYswjfEEiEFRF encrypted privilege 15
username ajmal attributes
vpn-group-policy company-vpn-policy
username mali password xPY4CsMWghZDv83P encrypted privilege 0
username mali attributes
vpn-group-policy newgrp
tunnel-group vpnclient type remote-access
tunnel-group vpnclient general-attributes
address-pool VPNPOOL
default-group-policy company-vpn-policy
tunnel-group vpnclient ipsec-attributes
pre-shared-key *
tunnel-group newgrp type remote-access
tunnel-group newgrp general-attributes
address-pool VPNPOOL
default-group-policy newgrp
tunnel-group newgrp ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:a7720c723cdc74148690b044fee171c3
: end
Thanks.
09-25-2012 05:57 AM
Hi Johnny,
I am happy to know that it works fine now.
Please mark this post as answered.
On the other hand, Ali, please check your other post, I already updated it.
Thanks.
Portu.
Message was edited by: Javier Portuguez