11-30-2010 12:32 AM
hi,
Please find below the following configuration of my firewall.
ASA Version 7.2(3)
!
interface Management0/0
nameif VPN-TEST
security-level 0
ip address 192.168.92.1 255.255.255.252
mtu VPN-TEST 1500
same-security-traffic permit inter-interface
access-list corpvpnsiem_splitTunnelAcl standard permit any
access-list VPN-TEST_access_in extended permit ip any any
access-group VPN-TEST_access_in in interface VPN-TEST
ip local pool local-pool 192.168.96.1-192.168.96.14 mask 255.255.255.240
ip verify reverse-path interface inside
icmp permit any inside
icmp permit any VPN-TEST
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map VPN-TEST_dyn_map 1 set transform-set ESP-3DES-SHA
crypto map VPN-TEST_map 65535 ipsec-isakmp dynamic VPN-TEST_dyn_map
crypto map VPN-TEST_map interface VPN-TEST
crypto isakmp enable VPN-TEST
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 90
crypto isakmp ipsec-over-tcp port 10000
group-policy corpvpnsiem internal
group-policy corpvpnsiem attributes
vpn-tunnel-protocol IPSec l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value corpvpnsiem_splitTunnelAcl_1
username siecorpvpn password Zp283iAZlCNs9TWt encrypted
username root password lPtjCRUHSIvUjngf encrypted privilege 15
tunnel-group corpvpnsiem type ipsec-ra
tunnel-group corpvpnsiem general-attributes
address-pool local-pool
default-group-policy corpvpnsiem
tunnel-group corpvpnsiem ipsec-attributes
My VPN users connect and get the IP from the pool, but from there they don't seem to go further into the inside network. I am very new to this, and I am sure I have missed some detail.
Please advise.
Hassan
12-01-2010 07:27 AM
Well, I will have to check the upstream if IPsec over TCP port 10000 is allowed.
But if it wasn't, then why does it connect? It shouldn't connect in the first place.
Moreover i noticed the following in my vpn client log after connection.
63 18:24:15.515 12/01/10 Sev=Warning/2 CVPND/0xE3400013
AddRoute failed to add a route with metric of 1: code 87
Destination 192.168.93.255
Netmask 255.255.255.255
Gateway 192.168.96.9
Interface 192.168.96.9
64 18:24:15.515 12/01/10 Sev=Warning/2 CM/0xA3100024
Unable to add route. Network: c0a85dff, Netmask: ffffffff, Interface: c0a86009, Gateway: c0a86009.
What is it complaining about?
12-01-2010 07:52 AM
Negotiation of ISAKMP happens on UDP 500 or 4500 (if there is any NAT device between client and ASA), but when the tunnel comes up the data becomes ESP (IP protocol 50). So if any device between client and ASA allows UDP 500 but blocks ESP, the tunnel will come up on the UDP ports, but when the client tries to pass some traffic through the tunnel it will become ESP and will get routed to the public IP address of the ASA. But if that ESP packet is blocked somewhere in between, the ASA will never receive the packets.
There are some devices which don't do NAT for the ESP packets. Currently NAT traversal is already enabled on the ASA, so the tunnel may come up on UDP 4500.
So make sure that UDP 4500 and ESP are not blocked between the client and ASA.
Regards
Ashish
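The point above (phase 1 on UDP 500 or 4500 succeeds while the ESP data path is blocked) is easiest to confirm from a capture on the ASA's VPN-facing interface. The following is an added example, not code from the thread: a small classifier that labels packets seen between a client and the ASA as IKE on UDP 500, IKE or ESP or keepalive demultiplexed on UDP 4500 (per the RFC 3948 non-ESP marker and one-byte keepalive), raw ESP, or IPsec over TCP on the port 10000 configured above, and then says whether a tunnel negotiated without any data packets arriving. The packet records are constructed tuples of (IP protocol, source port, destination port, first payload bytes) rather than a real pcap.

```python
from collections import Counter

# Protocol and port constants for a Cisco IPsec remote-access tunnel.
PROTO_TCP, PROTO_UDP, PROTO_ESP = 6, 17, 50
IKE_PORT = 500
NATT_PORT = 4500
IPSEC_TCP_PORT = 10000  # matches "crypto isakmp ipsec-over-tcp port 10000"


def classify(proto, sport, dport, head=b""):
    """Label one packet exchanged between a VPN client and the ASA.

    head is the first few payload bytes of the UDP datagram; only UDP 4500
    needs it, to tell IKE, NAT keepalives and encapsulated ESP apart.
    """
    if proto == PROTO_ESP:
        return "esp"                      # raw ESP, IP protocol 50
    if proto == PROTO_UDP and IKE_PORT in (sport, dport):
        return "ike"                      # ISAKMP on UDP 500
    if proto == PROTO_UDP and NATT_PORT in (sport, dport):
        if head[:4] == b"\x00\x00\x00\x00":
            return "ike-natt"             # non-ESP marker: IKE moved to 4500
        if head == b"\xff":
            return "natt-keepalive"       # one-byte NAT-T keepalive
        return "esp-in-udp"               # UDP-encapsulated ESP carrying data
    if proto == PROTO_TCP and IPSEC_TCP_PORT in (sport, dport):
        return "ipsec-over-tcp"
    return "other"


DATA_LABELS = ("esp", "esp-in-udp", "ipsec-over-tcp")


def diagnose(packets):
    """Return (verdict, label counts) for a list of packet tuples.

    'ike-only' is the symptom described in the thread: the tunnel negotiates
    but no data-carrying packets reach the ASA, which points at ESP (or the
    UDP 4500 / TCP 10000 encapsulation) being dropped upstream.
    """
    counts = Counter(classify(*p) for p in packets)
    negotiated = counts["ike"] + counts["ike-natt"] > 0
    if not negotiated:
        verdict = "no-ike"
    elif any(counts[l] for l in DATA_LABELS):
        verdict = "ok"
    else:
        verdict = "ike-only"
    return verdict, dict(counts)


# Constructed sample captures (not from the thread).
SAMPLE_IKE_ONLY = [
    (PROTO_UDP, 500, 500, b"\x12\x34\x56\x78"),          # IKE main mode
    (PROTO_UDP, 4500, 4500, b"\x00\x00\x00\x00\xab\xcd"),  # IKE behind NAT
    (PROTO_UDP, 4500, 4500, b"\xff"),                     # NAT-T keepalive
]
SAMPLE_OK = SAMPLE_IKE_ONLY + [
    (PROTO_UDP, 4500, 4500, b"\x9a\x1c\x00\x01\x00\x00"),  # ESP inside UDP
    (PROTO_ESP, 0, 0, b""),                               # raw ESP
]

if __name__ == "__main__":
    for name, sample in (("ike-only", SAMPLE_IKE_ONLY), ("ok", SAMPLE_OK)):
        print(name, diagnose(sample))
```

Feeding this from a real capture means extracting the same four fields per packet; an "ike-only" verdict with clients that report "connected" is exactly the situation Ashish describes.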
12-01-2010 07:35 AM
12-01-2010 03:01 PM
Can you please share the latest full config of your ASA.
12-02-2010 01:04 AM
Hello Jennifer.
Glad to hear from you.
Well, I have enclosed the VPN client status screenshot after connecting.
Please note my VPN clients connect and then cannot reach my servers in
the INSIDE network.
Well, here is my ASA config output:
==============================================
ASA Version 7.2(3)
!
interface Management0/0
nameif VPN-TEST
security-level 0
ip address 192.168.92.1 255.255.255.252
mtu VPN-TEST 1500
!
interface GigabitEthernet0/1
description local lan
nameif inside
security-level 100
ip address 192.168.93.249 255.255.255.0
same-security-traffic permit inter-interface
access-list corpvpnsiem_splitTunnelAcl standard permit any
access-list VPN-TEST_access_in extended permit ip any any
access-group VPN-TEST_access_in in interface VPN-TEST
ip local pool local-pool 192.168.96.1-192.168.96.14 mask 255.255.255.240
ip verify reverse-path interface inside
icmp permit any inside
icmp permit any VPN-TEST
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map VPN-TEST_dyn_map 1 set transform-set ESP-3DES-SHA
crypto map VPN-TEST_map 65535 ipsec-isakmp dynamic VPN-TEST_dyn_map
crypto map VPN-TEST_map interface VPN-TEST
crypto isakmp enable VPN-TEST
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 90
crypto isakmp ipsec-over-tcp port 10000
group-policy corpvpnsiem internal
group-policy corpvpnsiem attributes
vpn-tunnel-protocol IPSec l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value corpvpnsiem_splitTunnelAcl_1
username siecorpvpn password Zp283iAZlCNs9TWt encrypted
username root password lPtjCRUHSIvUjngf encrypted privilege 15
tunnel-group corpvpnsiem type ipsec-ra
tunnel-group corpvpnsiem general-attributes
address-pool local-pool
default-group-policy corpvpnsiem
tunnel-group corpvpnsiem ipsec-attributes
192.168.100.0 255.255.255.0 1/0 via 192.168.93.250, inside
=============================================================
Just to summarize.
ASA VPN INTERFACE = 192.168.92.1
ASA VPN POOL = 192.168.96.1 - 192.168.96.14
ASA INSIDE INTERFACE = 192.168.93.249 -----CONNECTED TO------ 192.168.93.250 CISCO 3750
DESTINATION SUBNET TO REACH FROM VPN POOL IS = 192.168.100.0/30
ASA : HERE there is already a route present for 192.168.100.0 via 192.168.93.250
CISCO 3750 : HERE there is already a route present for vpn pool (192.168.96.0) via 192.168.93.249 in the 3750
Please advise.
Hassan
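The configuration just posted can be checked mechanically for the kind of detail the poster suspects he has missed. The following is an added example, not part of the thread or Cisco's tooling: it parses the relevant lines copied from the post above and reports (a) access-list names that are referenced by an access-group or a split-tunnel-network-list but never defined, (b) whether the VPN address pool overlaps any interface subnet, and (c) the status of each split-tunnel list, flagging one that is missing or that permits any (which under tunnelspecified sends everything into the tunnel). The checks generalise to any ASA running-config pasted into CONFIG; the parsing is a simplified regular-expression pass, not a full ASA grammar.

```python
import ipaddress
import re

# Relevant lines from the ASA config posted above (sub-commands indented).
CONFIG = """\
interface Management0/0
 nameif VPN-TEST
 security-level 0
 ip address 192.168.92.1 255.255.255.252
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.93.249 255.255.255.0
access-list corpvpnsiem_splitTunnelAcl standard permit any
access-list VPN-TEST_access_in extended permit ip any any
access-group VPN-TEST_access_in in interface VPN-TEST
ip local pool local-pool 192.168.96.1-192.168.96.14 mask 255.255.255.240
group-policy corpvpnsiem attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value corpvpnsiem_splitTunnelAcl_1
"""


def acl_definitions(cfg):
    """Names of every access-list defined in the config."""
    return {m.group(1) for m in re.finditer(r"^access-list (\S+)", cfg, re.M)}


def acl_references(cfg):
    """Map ACL name -> list of commands that reference it."""
    patterns = {
        "split-tunnel-network-list": r"^\s*split-tunnel-network-list value (\S+)",
        "access-group": r"^access-group (\S+)",
    }
    refs = {}
    for cmd, pat in patterns.items():
        for m in re.finditer(pat, cfg, re.M):
            refs.setdefault(m.group(1), []).append(cmd)
    return refs


def dangling_acl_references(cfg):
    """ACLs that are referenced but never defined (a silent no-op on the ASA)."""
    defined = acl_definitions(cfg)
    return sorted(n for n in acl_references(cfg) if n not in defined)


def interface_networks(cfg):
    """Map nameif -> the subnet configured on that interface."""
    nets, name = {}, None
    for line in cfg.splitlines():
        m = re.match(r"\s*nameif (\S+)", line)
        if m:
            name = m.group(1)
            continue
        m = re.match(r"\s*ip address (\S+) (\S+)", line)
        if m and name:
            nets[name] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network
    return nets


def pool_networks(cfg):
    """Map pool name -> the subnet implied by its first address and mask."""
    pat = r"^ip local pool (\S+) (\S+)-(\S+) mask (\S+)"
    return {m.group(1): ipaddress.ip_interface(f"{m.group(2)}/{m.group(4)}").network
            for m in re.finditer(pat, cfg, re.M)}


def pool_overlaps(cfg):
    """(pool, interface) pairs whose subnets overlap; such pools need special routing."""
    ifaces = interface_networks(cfg)
    return sorted((p, i) for p, pn in pool_networks(cfg).items()
                  for i, inet in ifaces.items() if pn.overlaps(inet))


def split_tunnel_report(cfg):
    """Status of each list named by split-tunnel-network-list:
    'missing', 'permit-any' (nothing is actually split off), or 'ok'."""
    defined, report = acl_definitions(cfg), {}
    for name, cmds in acl_references(cfg).items():
        if "split-tunnel-network-list" not in cmds:
            continue
        if name not in defined:
            report[name] = "missing"
        elif re.search(rf"^access-list {re.escape(name)} standard permit any\s*$", cfg, re.M):
            report[name] = "permit-any"
        else:
            report[name] = "ok"
    return report


if __name__ == "__main__":
    print("dangling ACL references:", dangling_acl_references(CONFIG))
    print("pool/interface overlaps:", pool_overlaps(CONFIG))
    print("split-tunnel lists:", split_tunnel_report(CONFIG))
```

On the posted lines the script reports the split-tunnel list name `corpvpnsiem_splitTunnelAcl_1` as referenced but undefined (the defined list is `corpvpnsiem_splitTunnelAcl`), no pool overlap, and, once the reference is corrected, a split-tunnel list that permits any, which is the point of Jennifer's suggestion to name the 192.168.100.x network explicitly.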
12-02-2010 02:34 PM
Guys, I am waiting for an update... please, I need help with this.
12-02-2010 02:42 PM
I apologize if you already answered this in earlier posts, but can your ASA ping the servers that the VPN clients are trying to access? Also, have you tried actually specifying the 192.168.100.x/24 network in the split tunnel access-list to see if that works? I see that you are permitting any, but it's worth a try at this point.
12-03-2010 05:04 AM
Hi Hassan,
Did you check the connectivity from a different location?
Regards
Ashish