11-30-2010 12:32 AM
hi,
Please find below the following configuration of my firewall.
ASA Version 7.2(3)
!
interface Management0/0
nameif VPN-TEST
security-level 0
ip address 192.168.92.1 255.255.255.252
mtu VPN-TEST 1500
same-security-traffic permit inter-interface
access-list corpvpnsiem_splitTunnelAcl standard permit any
access-list VPN-TEST_access_in extended permit ip any any
access-group VPN-TEST_access_in in interface VPN-TEST
ip local pool local-pool 192.168.96.1-192.168.96.14 mask 255.255.255.240
ip verify reverse-path interface inside
icmp permit any inside
icmp permit any VPN-TEST
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map VPN-TEST_dyn_map 1 set transform-set ESP-3DES-SHA
crypto map VPN-TEST_map 65535 ipsec-isakmp dynamic VPN-TEST_dyn_map
crypto map VPN-TEST_map interface VPN-TEST
crypto isakmp enable VPN-TEST
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 90
crypto isakmp ipsec-over-tcp port 10000
group-policy corpvpnsiem internal
group-policy corpvpnsiem attributes
vpn-tunnel-protocol IPSec l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value corpvpnsiem_splitTunnelAcl_1
username siecorpvpn password Zp283iAZlCNs9TWt encrypted
username root password lPtjCRUHSIvUjngf encrypted privilege 15
tunnel-group corpvpnsiem type ipsec-ra
tunnel-group corpvpnsiem general-attributes
address-pool local-pool
default-group-policy corpvpnsiem
tunnel-group corpvpnsiem ipsec-attributes
My VPN users connect and get the IP from the pool, but from there they don't seem to go further into the inside network. I am very new to this, and I am sure I have missed some detail.
Please advise.
Hassan
11-30-2010 01:51 AM
Hi Hassan,
Hope you are doing good, I checked the configuration that you have attached to the forum and it looks fine to me.
Please check some more settings on the ASA
1) The VPN pool should be exempted from nat
EX- access-list vpn-pool per ip 192.168.96.0 255.255.255.0 any
nat (inside) 0 access-list vpn-pool (This configuration will exempt the vpn pool to get natted when the reply packets hits the inside interface)
2) On the client end, open a command prompt, issue "Route Print" and make sure it has a route 0.0.0.0 0.0.0.0 pointing to the IP address of the VPN adapter
3) Open the VPN client, click on Status > Statistics and make sure that the encrypt count is increasing when you are passing traffic through the tunnel.
Please issue show crypto ipsec sa on the ASA and see if its decaps are increasing.
4) We can also configure captures on the ASA to see the packet flow
you need to issue following commands for that.
access-list capture per ip host
access-list capture per ip host host
capture vpn access-list capture interface inside
you can see the output by issuing show cap vpn
Please update the output of the steps
Below is the link which has the steps to configure remote vpn on the ASA
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008060f25c.shtml
Regards
Ashish
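As an added example (not code from this thread or from Cisco), here is a small Python lint that checks a pasted ASA running-config for the return-path items Ashish lists: the pool referenced by the tunnel-group must exist, and the pool must be covered by a nat (inside) 0 exemption ACL. It goes one step beyond his list by also checking that every split-tunnel-network-list names an access-list that is actually defined, which the config as posted does not satisfy (corpvpnsiem_splitTunnelAcl_1 is referenced, corpvpnsiem_splitTunnelAcl is defined). The sample config and the NAT-exemption lines are constructed from the thread, not taken from a live device.

```python
import ipaddress
import re

# Constructed sample modelled on the running-config posted in this thread;
# only the lines the checks look at are included.
SAMPLE_CONFIG = """\
access-list corpvpnsiem_splitTunnelAcl standard permit any
access-list VPN-TEST_access_in extended permit ip any any
ip local pool local-pool 192.168.96.1-192.168.96.14 mask 255.255.255.240
group-policy corpvpnsiem attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value corpvpnsiem_splitTunnelAcl_1
tunnel-group corpvpnsiem general-attributes
 address-pool local-pool
"""

# The NAT exemption suggested in the reply above, as it would be appended.
NAT_EXEMPT_LINES = """\
access-list vpn-pool permit ip 192.168.96.0 255.255.255.0 any
nat (inside) 0 access-list vpn-pool
"""

def lint_ra_vpn(config):
    """Return a list of findings about the remote-access VPN's return path."""
    findings = []
    acls = set(re.findall(r"^access-list (\S+) ", config, re.M))
    # 1) a split-tunnel list must reference an ACL that actually exists
    for name in re.findall(r"split-tunnel-network-list value (\S+)", config):
        if name not in acls:
            findings.append(f"split-tunnel ACL {name} is referenced but not defined")
    # 2) each tunnel-group address-pool must name a defined ip local pool
    pools = dict(re.findall(r"^ip local pool (\S+) (\S+)", config, re.M))
    for name in re.findall(r"^\s*address-pool (\S+)", config, re.M):
        if name not in pools:
            findings.append(f"address-pool {name} is not defined")
    # 3) the pool must be NAT-exempted on the inside interface (nat 0 + ACL);
    #    'per' is accepted as the ASA abbreviation of 'permit'
    exempt_nets = []
    for acl in re.findall(r"^nat \(inside\) 0 access-list (\S+)", config, re.M):
        pat = rf"^access-list {re.escape(acl)} (?:extended )?per\w* ip (\S+) (\S+) "
        for net, mask in re.findall(pat, config, re.M):
            exempt_nets.append(ipaddress.ip_network(f"{net}/{mask}", strict=False))
    for name, rng in pools.items():
        first, last = (ipaddress.ip_address(a) for a in rng.split("-"))
        if not any(first in n and last in n for n in exempt_nets):
            findings.append(f"pool {name} ({rng}) has no nat (inside) 0 exemption")
    return findings

if __name__ == "__main__":
    for finding in lint_ra_vpn(SAMPLE_CONFIG):
        print("FINDING:", finding)
```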
11-30-2010 05:04 AM
Thank you for the update.
I have implemented the steps you have mentioned, but still nothing. This time the route print shows all the routes to 192.168.96.1. This is the same IP which is assigned to the VPN adapter.
I still do not have any clue.
Please advise.
By the way the encrypt traffic is increasing through the tunnel as you have asked to check.
11-30-2010 07:12 AM
Hello Hassan,
Can you confirm that you are routing the pool range of 192.168.96.1-192.168.96.14 back out to your firewall on your internal network?
thanks,
Jason
11-30-2010 07:16 AM
Thanks for your reply. Well, I don't have routes for 192.168.96.0.
Please advise.
11-30-2010 07:32 AM
You will need to have at least that pool range routed back to your firewall. Otherwise, when the VPN users come in, pick up an address out of that pool and are routed inside to access your internal applications, there isn't a return route for them and they get nothing... You should try routing the pool range to your firewall and test again. Also, are you using both the inside and management interfaces to connect internally?
11-30-2010 08:18 AM
Well, here is my output
ASA Version 7.2(3)
!
interface Management0/0
nameif VPN-TEST
security-level 0
ip address 192.168.92.1 255.255.255.252
mtu VPN-TEST 1500
!
interface GigabitEthernet0/1
description local lan
nameif inside
security-level 100
ip address 192.168.93.249 255.255.255.0
same-security-traffic permit inter-interface
access-list corpvpnsiem_splitTunnelAcl standard permit any
access-list VPN-TEST_access_in extended permit ip any any
access-group VPN-TEST_access_in in interface VPN-TEST
ip local pool local-pool 192.168.96.1-192.168.96.14 mask 255.255.255.240
ip verify reverse-path interface inside
icmp permit any inside
icmp permit any VPN-TEST
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map VPN-TEST_dyn_map 1 set transform-set ESP-3DES-SHA
crypto map VPN-TEST_map 65535 ipsec-isakmp dynamic VPN-TEST_dyn_map
crypto map VPN-TEST_map interface VPN-TEST
crypto isakmp enable VPN-TEST
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 90
crypto isakmp ipsec-over-tcp port 10000
group-policy corpvpnsiem internal
group-policy corpvpnsiem attributes
vpn-tunnel-protocol IPSec l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value corpvpnsiem_splitTunnelAcl_1
username siecorpvpn password Zp283iAZlCNs9TWt encrypted
username root password lPtjCRUHSIvUjngf encrypted privilege 15
tunnel-group corpvpnsiem type ipsec-ra
tunnel-group corpvpnsiem general-attributes
address-pool local-pool
default-group-policy corpvpnsiem
tunnel-group corpvpnsiem ipsec-attributes
The inside interface is back to back connected with our LAYER3SW on 192.168.93.250
This LAYER3SW is also connected to the 192.168.100.0 network.
The VPN users need to access this 100.0 subnet.
so my scenario is
VPN USERS          VPN INTERFACE        INSIDE INTERFACE      L3SW
(coming from       (in to ASA)          (out from ASA)        (connected to
internet)                                                     100.0 network)
                   192.168.92.1         192.168.93.249        192.168.93.250
On the L3SW I have the following route
192.168.96.0 [1/0] via 192.168.93.249
Please advise
11-30-2010 08:30 AM
Your ASA needs a route to get to the 192.168.100.x network also.
11-30-2010 10:02 AM
This is my route on the ASA
192.168.100.0 255.255.255.0 [1/0] via 192.168.93.250, inside
10-11-2018 02:58 PM
Apply a return route (static route) for the VPN subnet back to the next hop (inside ASA interface).
Apply this command on the router directly connected behind the ASA.
11-30-2010 07:43 AM
Hi Hassan,
Thanks for an update,
Just want to confirm the topology with you again
VPN client====IPSEC VPN===ASA---N1
OR
VPN client ====IPSEC VPN===ASA---Router---N1
In the first case you just need the server to have the correct gateway as the ASA.
In the second case, you need to add a route on the router for the pool network (192.168.96.0) with the gateway as the ASA.
Please attach the output of show cry ipsec sa and the captures which I asked you to do in my previous update.
12-01-2010 12:51 AM
0.0.0.0 0.0.0.0 [255/0] via 192.168.92.1, VPN-TEST tunneled
The above is my gateway for my ip pool. 192.168.92.1 is the interface allowing VPN incoming sessions.
Just to summarize.
ASA VPN INTERFACE = 192.168.92.1
ASA VPN POOL = 192.168.96.1 - 192.168.96.14
ASA INSIDE INTERFACE = 192.168.93.249 -----CONNECTED TO------ 192.168.93.250 CISCO 3750
DESTINATION SUBNET TO REACH FROM VPN POOL IS = 192.168.100.0/30
ASA : HERE there is already a route present for 192.168.100.0 via 192.168.93.250
CISCO 3750 : HERE there is already a route present for vpn pool (192.168.96.0) via 192.168.93.249 in the 3750
show crypto ipsec sa
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
The numbers stay zero when I connect and start the ping request.
show cap vpn
FW# sh cap vpn
0 packet captured
0 packet shown
This also stays zero when I connect and initiate a ping request.
I think something is not happening between the VPN pool and the VPN interface, as there is no activity.
Please advise.
Hassan
12-01-2010 01:10 AM
Hi Hassan,
Thanks for an update,
Can you please configure one more capture on the ASA?
Right now we can't see any decaps on the ASA, so we need to make sure that the ASA is getting ESP or UDP 4500 packets from the client.
Please follow the following steps
1. Open www.whatismyip.com on the client's end.
2. Make a note of the public IP address of the client.
3. Configure one more access-list
access-list test-new per ip host
capture cap-public access-list test-new interface outside
Try to ping the same host again from the VPN client and take the output of show cap cap-public.
Is it happening with all clients or only a few?
Regards
Ashish
12-01-2010 05:44 AM
FW# sh capture
capture vpn type raw-data access-list capture interface inside [Capturing - 0 bytes]
capture cap-public type raw-data access-list test-new interface outside [Capturing - 0 bytes]
I still have no clue as to why the hell my vpn pool client can't access the inside network....!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
12-01-2010 07:13 AM
Hi Hassan,
Then in that case it seems that some device upstream is blocking ESP or UDP 4500 packets, as in the captures we can't see any packets hitting the ASA from the client's public IP address. The ports may be blocked on the client's end as well in the outbound direction. In your previous updates you have mentioned that you can see the number of encaps increasing on the VPN client's end. Correct me if I am wrong.
Please try to connect to the ASA from some other place and test the connectivity to the internal network. This is just to isolate a client's-end issue.
Regards
Ashish