Specify remote access interesting traffic?

mdschomburg
Level 1

This is probably a dumb question, but I am having trouble making my remote access vpn decrypt traffic. I am using an ASA5510 and the cisco 5.0 vpn client. I have no problem getting the tunnel to come up. But the "decrypted traffic" stays zero and the "discarded traffic" increments continuously.

Here is the ASA5510 crypto config:

OK I guess this site doesn't allow pasting text so I attached the config.

I am pretty sure that I can't pass traffic because I have not been able to figure out how to specify the interesting traffic for the vpn connection. Can someone please show me the syntax for this? It looks like it should be some kind of tunnel-group commands.

Am I the only one who thinks that the Cisco documentation is worthless on this subject? The ASA config guide gives you everything you need to set up a tunnel, but has absolutely nothing on the config required to actually pass traffic. That helps a lot.

1 Accepted Solution

Hi,

If you see traffic being encrypted by the VPN Client but no return traffic, there might be some configuration that is missing on the ASA, or the destination host doesn't have a correct route to the VPN Client, or something else.

To my understanding, if you don't specify what to tunnel on the VPN Client connection then ALL traffic will be tunneled from the client to the VPN endpoint.

If you want to specify what to forward to the VPN you use the "group-policy" configurations:

group-policy VPN-GROUP-POLICY internal
group-policy VPN-GROUP-POLICY attributes
 split-tunnel-policy tunnelall

OR

access-list SPLIT-TUNNEL standard permit

group-policy VPN-GROUP-POLICY internal
group-policy VPN-GROUP-POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL

  • Usually a "standard" ACL that includes "permit" statements for all the networks you want to tunnel to the VPN

The "group-policy" is then attached under the "tunnel-group" configurations.

This would probably be easier to check when seeing the configurations on the ASA. If you are simply testing connectivity with ICMP, I suggest checking that you have "inspect icmp" configured so that ICMP Echo-reply messages are automatically allowed by the ASA.

- Jouni


3 Replies

Jouni Forss
VIP Alumni

Hi,

According to the attached configuration you have probably configured the VPN Client as "Full Tunnel".

This would mean that as soon as the host connects with the VPN Client, all traffic is forwarded to the VPN connection. So in that case, on the client side every destination address would be considered "interesting traffic" for the VPN Client connection (though there might be some discarded traffic also, I guess).

You can confirm whether the VPN Client connection is configured as Full Tunnel by checking the Statistics section of the VPN Client and then finding the section for routes. It should only have a line for "0.0.0.0 0.0.0.0", which in turn means that all networks are tunneled to the VPN connection.

Now if you wanted to only forward certain traffic to the VPN Client and the rest out through the local Internet connection of the host, you would configure a "Split Tunnel" VPN.

But on to the problem. I suspect you might be missing the NAT0 / NAT Exempt configuration for the traffic to go through the firewall.

The very basic format for this configuration would be:

access-list LAN-NAT0 permit ip
nat (inside) 0 access-list LAN-NAT0

Where

  • LAN-NAT0 = the ACL that defines what traffic the firewall SHOULD NOT NAT when going through the firewall. Can naturally be named something else.
  • nat = This command configures the NAT0 exemption using the ACL configured above.
  • inside = The usual interface name for a Cisco firewall. Can naturally be something else.

Can you confirm if you have the NAT0 configuration on your firewall?

I do agree that sometimes it's really hard to find specific information on how to configure something. At the moment I'm personally managing well with the Configuration Guide and Command Reference. For some cases I simply Google for certain configurations, but even then I have to know the correct terms to actually find the information.

But there are always these forums to ask in too.

- Jouni
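The two pieces Jouni describes (the group-policy split-tunnel list and the NAT0 exemption), shown together with the tunnel-group that binds them, as an added example rather than configuration from the thread or the poster's attached config. All names and addresses are constructed for illustration: inside LAN 192.168.10.0/24, VPN Client pool 192.168.200.0/24, connection profile REMOTE-USERS. The NAT syntax is the pre-8.3 "nat (inside) 0 access-list" form used in the thread.

```cisco
! Added example, not from the thread. Assumed (constructed) values: inside LAN
! 192.168.10.0/24, VPN Client address pool 192.168.200.0/24, connection profile
! REMOTE-USERS. Pre-8.3 NAT syntax, matching the "nat (inside) 0" form above.

! Pool of addresses assigned to connecting VPN Clients
ip local pool VPN-POOL 192.168.200.1-192.168.200.254 mask 255.255.255.0

! Split-tunnel ACL: only the inside LAN is routed into the tunnel by the client
access-list SPLIT-TUNNEL standard permit 192.168.10.0 255.255.255.0

! NAT exemption: inside LAN to VPN pool must not be translated, otherwise the
! replies never match the client's SA and the "decrypted" counter stays at zero
access-list LAN-NAT0 extended permit ip 192.168.10.0 255.255.255.0 192.168.200.0 255.255.255.0
nat (inside) 0 access-list LAN-NAT0

! Group policy: split tunnel (replace the two split-tunnel lines with
! "split-tunnel-policy tunnelall" for a full tunnel)
group-policy VPN-GROUP-POLICY internal
group-policy VPN-GROUP-POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL

! Tunnel group: ties the address pool and the group policy to the connection profile
tunnel-group REMOTE-USERS type remote-access
tunnel-group REMOTE-USERS general-attributes
 address-pool VPN-POOL
 default-group-policy VPN-GROUP-POLICY
tunnel-group REMOTE-USERS ipsec-attributes
 pre-shared-key <PRE-SHARED-KEY-PLACEHOLDER>

! Allow ICMP echo-replies back through the ASA's stateful inspection
policy-map global_policy
 class inspection_default
  inspect icmp
```

There is no crypto-map "interesting traffic" ACL on the ASA side for remote-access clients; the ASA encrypts whatever is destined to the address it handed the client from the pool, so the split-tunnel list (client side) and the NAT exemption (ASA side) are the two places where traffic selection actually happens. To verify, `show crypto ipsec sa` should show both `#pkts encaps` and `#pkts decaps` increasing for the client's SA, and the VPN Client's Statistics route list should show 192.168.10.0 rather than 0.0.0.0 when split tunneling is in effect. On ASA 8.3 and later the exemption is written as a twice-NAT rule (`nat (inside,outside) source static ... destination static ...`) instead of `nat (inside) 0`.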

Jouni - I do have nat 0 configured for my inside interface and my dmz. I see the "encrypted" counter steadily increasing, but "decrypted" remains zero. That makes me think that no traffic is "interesting" on the ASA side - nothing is being sent to the client. Again, where is this interesting traffic configured? It is not mentioned in the documentation.
