03-05-2014 11:45 PM - edited 02-21-2020 07:32 PM
My company recently bought a pair of new Cisco 5525-CX firewalls.
I encountered a very strange problem in the remote-access VPN setup on this device.
I can successfully log in to the VPN. However, after login, I can only access HTTPS web sites; I cannot access HTTP and I cannot do SSH.
If I use a packet sniffer on my VPN client laptop, I see that the initial TCP handshake was successful. After that, I see repeated retransmissions, as if the destination server didn't receive the request from the VPN client laptop.
I can reproduce the same problem on both firewalls.
Config as below:
ASA Version 9.1(1)
!
hostname MYFIREWALL
ip local pool myvpn-ippool 10.10.9.65 mask 255.255.255.255
interface GigabitEthernet0/0
speed 1000
duplex full
nameif OUTSIDE
security-level 0
ip address 123.123.123.123 255.255.255.240
ipv6 enable
interface GigabitEthernet0/4
speed 1000
duplex full
nameif INTERNAL-MGT
security-level 100
ip address 10.10.10.254 255.255.255.0
ipv6 enable
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network MYVPN-IP-NAT-PUB
host 10.10.9.65
object network MYVPN-IP-PUB
host xx.xx.xx.65
access-list MYVPN-ACL extended permit ip any any
object network MYVPN-IP-NAT-PUB
nat (OUTSIDE,OUTSIDE) static MYVPN-IP-PUB
route OUTSIDE 0.0.0.0 0.0.0.0 123.123.123.169 1
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map OUTSIDE_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map OUTSIDE_map interface OUTSIDE
crypto ca trustpool policy
crypto ikev1 enable OUTSIDE
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
group-policy MYVPN-SET1 internal
group-policy MYVPN-SET1 attributes
wins-server none
dns-server value xx.xx.xx.xx xx.xx.xx.xx
vpn-filter value MYVPN-ACL
vpn-tunnel-protocol ikev1
group-lock value MYVPN-SET1
default-domain value myvpn.com
tunnel-group MYVPN-SET1 type remote-access
tunnel-group MYVPN-SET1 general-attributes
address-pool myvpn-ippool
default-group-policy MYVPN-SET1
tunnel-group MYVPN-SET1 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group MYVPN-SET1 ppp-attributes
authentication pap
authentication ms-chap-v2
03-12-2014 03:39 AM
I did not find that you apply MYVPN-ACL to any interface. Is that true?
03-12-2014 08:45 PM
Hi,
It is applied to group policy.
group-policy MYVPN-SET1 attributes
wins-server none
dns-server value xx.xx.xx.xx xx.xx.xx.xx
vpn-filter value MYVPN-ACL
vpn-tunnel-protocol ikev1
group-lock value MYVPN-SET1
03-13-2014 02:51 AM
Hi,
Check your vpn-filter ACL, as it is stating permit ip any any. By default, if you don't configure split-tunnel and vpn-filter, all traffic from the client goes via the tunnel. There is no need to configure a vpn-filter if you don't want to restrict any traffic.
Remove this VPN Filter.
VPN Filters consist of rules that determine whether to allow or reject tunneled data packets that come through the security appliance, based on criteria such as source address, destination address, and protocol.
When a vpn-filter is applied to a group-policy/user name mode that governs Remote Access VPN Client connections, the ACL must be configured with the client assigned IP addresses in the src_ip position of the ACL and the local network in the dest_ip position of the ACL.
HTH
"Please rate helpful posts"
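The answer above describes two things to verify in a vpn-filter ACL: that it actually restricts something (a "permit ip any any" filter is a no-op and should just be removed), and that the client-assigned addresses sit in the source position with the local network in the destination position. The following script is an added example, not part of the thread or Cisco's tooling, that reads those fragments out of an ASA configuration and reports both conditions. The configuration text inside it is constructed for the example: it reuses the pool and ACL from the original post and adds two hypothetical ACLs (GOOD-ACL, BAD-ACL) to show a correctly and an incorrectly oriented filter; object and object-group references are deliberately not resolved.

```python
"""Lint a Cisco ASA vpn-filter ACL against the VPN address pool it governs.

Added example (not the thread's or Cisco's own code). Handles the
'any', 'host A.B.C.D' and 'A.B.C.D M.M.M.M' address forms only.
"""
import ipaddress
import re

# Constructed sample configuration: the pool and ACL from the original post,
# plus two hypothetical ACLs showing a right and a wrong filter orientation.
SAMPLE_CONFIG = """
ip local pool myvpn-ippool 10.10.9.65 mask 255.255.255.255
access-list MYVPN-ACL extended permit ip any any
access-list GOOD-ACL extended permit tcp host 10.10.9.65 10.10.10.0 255.255.255.0 eq 22
access-list BAD-ACL extended permit ip 10.10.10.0 255.255.255.0 host 10.10.9.65
group-policy MYVPN-SET1 attributes
 vpn-filter value MYVPN-ACL
 vpn-tunnel-protocol ikev1
"""

ACE_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+(permit|deny)\s+(.*)$")
PORT_OPS = {"eq": 1, "gt": 1, "lt": 1, "neq": 1, "range": 2}  # operator -> operand count


def parse_pools(config):
    """Return {pool_name: (first_address, last_address)} from 'ip local pool' lines."""
    pools = {}
    for line in config.splitlines():
        parts = line.split()
        if parts[:3] != ["ip", "local", "pool"]:
            continue
        name, addr_range = parts[3], parts[4]
        first, _, last = addr_range.partition("-")  # single address or A-B range
        start = ipaddress.ip_address(first)
        end = ipaddress.ip_address(last) if last else start
        pools[name] = (start, end)
    return pools


def _take_addr(tokens, i):
    """Consume one ACE address specification starting at tokens[i]."""
    tok = tokens[i]
    if tok in ("any", "any4"):
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    if tok in ("object", "object-group"):
        raise ValueError(f"{tok} {tokens[i + 1]} is not resolved by this example")
    # network followed by a dotted netmask
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def _skip_port(tokens, i):
    """Skip an optional port operator (eq/gt/lt/neq/range) and its operands."""
    if i < len(tokens) and tokens[i] in PORT_OPS:
        return i + 1 + PORT_OPS[tokens[i]]
    return i


def parse_acl(config, name):
    """Return the extended ACEs of ACL `name` as dicts with action/proto/src/dst."""
    entries = []
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if not m or m.group(1) != name:
            continue
        tokens = m.group(3).split()
        proto = tokens[0]
        src, i = _take_addr(tokens, 1)
        i = _skip_port(tokens, i)
        dst, i = _take_addr(tokens, i)
        entries.append({"action": m.group(2), "proto": proto, "src": src, "dst": dst})
    return entries


def vpn_filter_for(config, group_policy):
    """Return the ACL name set by 'vpn-filter value' under the group-policy, or None."""
    in_block = False
    for line in config.splitlines():
        parts = line.split()
        if parts[:2] == ["group-policy", group_policy] and "attributes" in parts:
            in_block = True
            continue
        if in_block and parts[:2] == ["vpn-filter", "value"]:
            return parts[2]
        if in_block and line and not line.startswith(" "):
            in_block = False  # left the indented attribute block
    return None


def check_acl(config, acl_name, pool_name):
    """Return [(ace_number, verdict)] for each ACE of the filter ACL.

    Verdicts: 'no-restriction' (permit ip any any: the filter does nothing),
    'source-not-client-pool' (pool addresses are not in the src position),
    or 'ok'.
    """
    start, end = parse_pools(config)[pool_name]
    results = []
    for n, e in enumerate(parse_acl(config, acl_name), 1):
        if e["action"] == "permit" and e["proto"] == "ip" \
                and e["src"].prefixlen == 0 and e["dst"].prefixlen == 0:
            results.append((n, "no-restriction"))
        elif not (start in e["src"] and end in e["src"]):
            results.append((n, "source-not-client-pool"))
        else:
            results.append((n, "ok"))
    return results


def check_group_policy(config, group_policy, pool_name):
    """Resolve the group-policy's vpn-filter and lint it; [] if no filter is set."""
    acl = vpn_filter_for(config, group_policy)
    return check_acl(config, acl, pool_name) if acl else []


if __name__ == "__main__":
    for acl in ("MYVPN-ACL", "GOOD-ACL", "BAD-ACL"):
        print(acl, check_acl(SAMPLE_CONFIG, acl, "myvpn-ippool"))
```

Run it as-is and MYVPN-ACL comes back as "no-restriction", which is exactly the case the answer tells the poster to remove; BAD-ACL shows the reversed orientation (local network as source, pool address as destination) that the answer warns about. The script only inspects the configuration and cannot tell you why HTTPS works while HTTP and SSH stall, but it rules the filter in or out quickly before you move on to capture-based troubleshooting.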