Solved: vpn client's IP address needs to show external IP of ASA 5505

coyote8921029 · ‎11-08-2010

Hi guys,

We have a small project with government which has some challenging requiment with security.

Current situation;

1. Government site has allowed one of our company's public IP address to access their internal server.

2. In our office, staffs can connect to their server using RDP through Cisco ASA 5505 I've configured with couple of clicks.

3. This ASA has outside(public) IP address government allowed.

Changed request;

1. Due to increased work, our staffs need to have access to government server from home.

2. Government will not provide vpn access to them directly.

3. They ask us to provide VPN access to our staff then RDP to government site.

I've setup VPN and it's connecting fine with no problem just for connection itself.

But if i check using www.whatismyIPaddress.com, it's showing local IP address they've got from their ISP not CISCO ASA 5505 outside interface.

The problem is unlike Microsoft ISA 2006 VPN which shows external public IP address when a client connects to VPN server, Cisco vpn client only shows it's local IP address which is not in the allowed list in government site.

I'm more like MS guy then Cisco as i did't have lots of chances to play with Cisco, sorry about this,

Is this something i missed in the middle of config or needs more setting to achieve this?

How can I make VPN client to show it's IP address with Cisco ASA interface rather than local ISP's IP address?

Thanks in advance,

Charlie

Yudong Wu · ‎11-10-2010

did you add "same-security-traffic permit intra-interface" as I told in the previous post?

View solution in original post

Yudong Wu · ‎11-08-2010

Can you post your VPN configuration here?

I think you are using split tunnel, so the traffic to the internet won't go through the vpn tunnel and as a result, whatismyipaddress.com show the local public IP.

If you just use VPN to connect to your internal server and then from that server to use RDP to access the government server, you should be OK.

But if you are planing to let vpn client to RDP to the government server directly, you have to include the traffic to the government server in the split tunnel ACL, and then enable U-turn/NAT for this traffic on ASA so that they can reach the government server.

coyote8921029 · ‎11-08-2010

Hi Wu,

Thanks for your quick reply first of all,

"If you just use VPN to connect to your internal server and then from that server to use RDP to access the government server, you should be OK."

We thought about this and maybe the last resort as they will face lots of issues with copy and paste files between server and their local PC.

And YES, I made a split tunnel for traffic from client not to go through ASA.

I'm pretty newbie to this so please don't blame my ignorance,

Anyway here is configuration i made, just using show conf,

Result of the command: "show conf"

: Saved

: Written by cyang at 16:28:05.177 EDT Fri Nov 5 2010

!

ASA Version 8.2(1)

!

hostname asa5505

enable password dmErxU/Lznzxn1xg encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

name ISP Gateway MC

name 192.168.11.0 VPN-network

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.10.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address XX.XX.XX.XX 255.255.255.252

!

interface Ethernet0/0

switchport access vlan 2

speed 100

duplex full

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring

dns domain-lookup inside

dns domain-lookup outside

dns server-group DefaultDNS

name-server 72.14.163.190

name-server 216.183.90.190

access-list inside_access_in extended permit ip any any

access-list outside_access_in extended permit ip any any

access-list TelusVPN_splitTunnelAcl standard permit 192.168.10.0 255.255.255.0

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

ip local pool Telushome 192.168.11.1-192.168.11.32 mask 255.255.255.224

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 VPN-network 255.255.255.192

nat (inside) 1 192.168.10.0 255.255.255.0

access-group inside_access_in in interface inside

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 xx.xx.xx.xx 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.10.0 255.255.255.0 inside

http XX.XX.XX.XX 255.255.255.224 outside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

client-update enable

telnet timeout 5

ssh 192.168.10.0 255.255.255.0 inside

ssh timeout 5

console timeout 0

dhcpd address 192.168.10.5-192.168.10.36 inside

dhcpd dns 72.14.163.190 216.183.90.190 interface inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection statistics port

threat-detection statistics protocol

threat-detection statistics access-list

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

ntp server 209.87.233.53 source outside prefer

webvpn

group-policy TelusVPN internal

group-policy TelusVPN attributes

dns-server value 72.14.163.190 216.183.90.190

vpn-tunnel-protocol IPSec l2tp-ipsec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value TelusVPN_splitTunnelAcl

username VTVu password QybZ8DUkijGG433G encrypted

username cyang password por4/bJjyLsH6cSN encrypted privilege 15

username KTan password H0/DVfNyclOsv.0b encrypted

tunnel-group Orbitor type remote-access

tunnel-group Orbitor general-attributes

address-pool Telus_Group

default-group-policy Orbitor

tunnel-group Orbitor ipsec-attributes

pre-shared-key *

tunnel-group TelusVPN type remote-access

tunnel-group TelusVPN general-attributes

address-pool Telushome

default-group-policy TelusVPN

tunnel-group TelusVPN ipsec-attributes

pre-shared-key *

!

class-map inspection_default

match default-inspection-traffic

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:dcba485f35cba3fc1fa88b246d53bb36

Yudong Wu · ‎11-08-2010

If you would like to let the client to RDP to the server directly, you need do the following to permit u-turn traffic.

- same-security-traffic permit intra-interface
- Add the following to ACL

access-list TelusVPN_splitTunnelAcl standard permit 192.168.10.0 255.255.255.0 (already in the config)

access-list TelusVPN_splitTunnelAcl standard permit host

- add the following nat

nat (outside) 1 VPN-network 255.255.255.192

If the vpn client need to access your internal host, you need add the following to bypass the nat for vpn traffic between client and internal host.

- nat (inside) 0 access-list nonat

- access-list nonat permit ip 192.168.10.0 255.255.255.0 192.168.11.0 255.255.255.0

coyote8921029 · ‎11-10-2010

Hi Wu,

access-list TelusVPN_splitTunnelAcl standard permit host

Does mean ASA's outside interface IP or RDP server IP address?

I did with outside interface IP address and still show local PC's IP address instead of ASA IP address hence it's not connecting.

Charlie

Yudong Wu · ‎11-10-2010

That IP should be the government server's IP which your vpn client will use to connect to via RDP.

After adding it in your ACL, vpn client's RDP traffic to the government server will go through the tunnel to your ASA5505. And then the packet will be decrypted and make a u-turn to the Internet to access the government server.

vpn client's IP will be NAT-ed at ASA5505 to its outside interface IP which is allowed at government server side.

coyote8921029 · ‎11-10-2010

Looks like still packet came out of ASA is not NATed or something else...

It's still showing client's IP address instead of NATed IP address.

Anyways if you don't mind, could you please take a look at config file again?

Result of the command: "show conf"

: Saved
: Written by cyang at 14:17:12.893 EST Wed Nov 10 2010
!
ASA Version 8.2(1)
!
hostname asa5505
enable password dmErxU/Lznzxn1xg encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 72.14.168.92 Blink description Blink MC
name 192.168.11.0 VPN-network
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 72.14.168.94 255.255.255.252
!
interface Ethernet0/0
switchport access vlan 2
speed 100
duplex full
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 72.14.163.190
name-server 216.183.90.190
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit ip any any
access-list TelusVPN_splitTunnelAcl standard permit 192.168.10.0 255.255.255.0
access-list TelusVPN_splitTunnelAcl remark To get outside interface to show on VPN client
access-list TelusVPN_splitTunnelAcl standard permit host 209.89.99.56
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool Telushome 192.168.11.1-192.168.11.32 mask 255.255.255.224
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 VPN-network 255.255.255.192
nat (inside) 1 192.168.10.0 255.255.255.0
nat (outside) 0 VPN-network 255.255.255.192
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 72.14.168.93 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.10.0 255.255.255.0 inside
http 72.14.174.160 255.255.255.224 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
client-update enable
telnet 192.168.10.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.10.5-192.168.10.36 inside
dhcpd dns 72.14.163.190 216.183.90.190 interface inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 209.87.233.53 source outside prefer
webvpn
group-policy TelusVPN internal
group-policy TelusVPN attributes
dns-server value 72.14.163.190 216.183.90.190
vpn-tunnel-protocol IPSec l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value TelusVPN_splitTunnelAcl
username VTVu password QybZ8DUkijGG433G encrypted
username cyang password por4/bJjyLsH6cSN encrypted privilege 15
username KTan password H0/DVfNyclOsv.0b encrypted
tunnel-group Orbitor type remote-access
tunnel-group Orbitor general-attributes
address-pool Telus_Group
default-group-policy Orbitor
tunnel-group Orbitor ipsec-attributes
pre-shared-key *
tunnel-group TelusVPN type remote-access
tunnel-group TelusVPN general-attributes
address-pool Telushome
default-group-policy TelusVPN
tunnel-group TelusVPN ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:2c90183bc02ddb5640c8b6981c159cd1

Yudong Wu · ‎11-10-2010

remove the following

nat (outside) 0 VPN-network 255.255.255.192

nat (inside) 1 VPN-network 255.255.255.192

Adding the following

access-list nonat permit ip 192.168.10.0 255.255.255.0 VPN-network 255.255.255.192

nat (outside) 1 VPN-network 255.255.255.192

nat (inside) 0 nonat

You won't see vpn client's public IP as 72.14.168.94 at whatismyipaddress.com since you have split-tunnel here. But if the client try to RDP to the government server, its IP will be nat-ed to 72.14.168.94 at ASA.

coyote8921029 · ‎11-10-2010

nat (inside) 0 nonat

^

it expects a hostname instead of nonat,,,

Sorry for my ignorance,

Thanks,

Yudong Wu · ‎11-10-2010

sorry,

nat (inside) 0 access-list nonat

coyote8921029 · ‎11-10-2010

Still no luck,,

6 Nov 10 2010 17:05:25 302014 192.168.11.4 1326 209.89.99.56 3389 Teardown TCP connection 40512 for outside:192.168.11.4/1326 to outside:209.89.99.56/3389 duration 0:00:00 bytes 0 Flow is a loopback (cyang)

Looks like it's trying to connect but it's coming back???

Charlie

Yudong Wu · ‎11-10-2010

did you add "same-security-traffic permit intra-interface" as I told in the previous post?

coyote8921029 · ‎11-11-2010

Hi Wu,

Thanks million,

Your instruction works and I am very happy to finish this.

Actually I did that - same-security-traffic - before and looked like it's not saved.

Have a great day and happy networking ,

Cheers,

Charlie