VPN Client via IPsec cannot connect to VPN gateway or inside LAN

revolver1102
Level 1

Hi,

I am doing a lab with an ASA to set up a VPN client-to-site connection. The VPN subnet is 192.168.3.0/24; the ASA's inside interface is 192.168.1.0/24 and the outside interface is 192.168.2.0/24.

Now my client computer has already connected to the VPN network and has received an IP from the VPN pool (IP: 192.168.3.2, GW: 192.168.3.1). I don't know how the client got this gateway. Another problem is that my VPN client computer can neither connect to the VPN gateway nor to the inside LAN subnet.

I also enabled debug icmp trace on my ASA, and when I ping from my inside machine to the VPN client the result is below:

ciscoasa(config)# ICMP echo request from inside:192.168.1.5 to outside:192.168.3.1 ID=1 seq=68 len=32
ICMP echo request from inside:192.168.1.5 to outside:192.168.3.1 ID=1 seq=69 len=32
ICMP echo request from inside:192.168.1.5 to outside:192.168.3.1 ID=1 seq=70 len=32
ICMP echo request from inside:192.168.1.5 to outside:192.168.3.1 ID=1 seq=71 len=32
ICMP echo request from inside:192.168.1.5 to outside:192.168.3.1 ID=1 seq=72 len=32
ICMP echo request from inside:192.168.1.5 to outside:192.168.3.1 ID=1 seq=73 len=32
ICMP echo request from inside:192.168.1.5 to outside:192.168.3.1 ID=1 seq=74 len=32
ICMP echo request from inside:192.168.1.5 to outside:192.168.3.1 ID=1 seq=75 len=32
ICMP echo request from inside:192.168.1.5 to outside:192.168.3.1 ID=1 seq=76 len=32
ICMP echo request from inside:192.168.1.5 to outside:192.168.3.1 ID=1 seq=77 len=32
ICMP echo request from inside:192.168.1.5 to outside:192.168.3.1 ID=1 seq=78 len=32
ICMP echo request from inside:192.168.1.5 to outside:192.168.3.1 ID=1 seq=79 len=32
ICMP echo request from inside:192.168.1.5 to outside:192.168.3.1 ID=1 seq=80 len=32

When I do a reverse ping from my VPN client to the ASA, the ASA has no logs. It seems that my VPN client cannot forward packets to its gateway.

I also connected a second client to the VPN network to test connectivity within the VPN pool, and I was surprised that the second one got IP: 192.168.3.2, GW: 192.168.3.1.

Please help me troubleshoot these problems.

Thank you a lot.

My ASA configuration is in attachment.

1 Reply

revolver1102
Level 1

Hi,

When I used the packet-tracer command to see the flow of packets, I realized I cannot ping from the outside interface IP 192.168.2.10 to the client's VPN IP 192.168.4.2:

ciscoasa(config)# ping 192.168.4.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.4.2, timeout is 2 seconds:
ICMP echo request from 192.168.2.10 to 192.168.4.2 ID=14834 seq=43261 len=72
?ICMP echo request from 192.168.2.10 to 192.168.4.2 ID=14834 seq=43261 len=72
?ICMP echo request from 192.168.2.10 to 192.168.4.2 ID=14834 seq=43261 len=72
?ICMP echo request from 192.168.2.10 to 192.168.4.2 ID=14834 seq=43261 len=72

ciscoasa(config)# packet-tracer input outside icmp 192.168.2.10 8 8 192.168.4.$

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.4.2 255.255.255.255 outside

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x269d0ed0, priority=500, domain=permit, deny=true
hits=26, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=192.168.2.10, mask=255.255.255.255, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=outside, output_ifc=any

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

But I successfully ran packet-tracer from the inside interface IP 192.168.1.26 to the VPN client's IP 192.168.4.2, like below:

ciscoasa(config)# packet-tracer input outside icmp 192.168.1.26 8 8 192.168.4.$

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.4.2 255.255.255.255 outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group icmp-to-inside in interface outside control-plane
access-list icmp-to-inside extended permit ip any any
Additional Information:
Forward Flow based lookup yields rule:
in id=0x271bf560, priority=13, domain=permit, deny=false
hits=8, user_data=0x20c6af20, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=outside, output_ifc=any

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x269cd640, priority=0, domain=inspect-ip-options, deny=true
hits=241, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=outside, output_ifc=any

Phase: 4
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x269cd218, priority=66, domain=inspect-icmp-error, deny=false
hits=211, user_data=0x269cc830, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, dscp=0x0
input_ifc=outside, output_ifc=any

Phase: 5
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x261cf128, priority=13, domain=ipsec-tunnel-flow, deny=true
hits=221, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=outside, output_ifc=any

Phase: 6
Type: DEBUG-ICMP
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x271b6680, priority=13, domain=debug-icmp-trace, deny=false
hits=38, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, dscp=0x0
input_ifc=outside, output_ifc=any

Phase: 7
Type: ACCESS-LIST
Subtype: vpn-user
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x271b71c0, priority=13, domain=vpn-user, deny=false
hits=1, user_data=0x20c6ae60, filter_id=0x3(VPN_ACL), protocol=0
src ip=192.168.1.26, mask=255.255.255.255, port=0
dst ip=192.168.4.0, mask=255.255.255.240, port=0

Phase: 8
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x2725b730, priority=70, domain=encrypt, deny=false
hits=3, user_data=0x1fa4c, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=192.168.4.2, mask=255.255.255.255, port=0, dscp=0x0
input_ifc=any, output_ifc=outside

Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1000, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_dbg_icmp
snp_fp_adjacency
snp_fp_encrypt
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

Any advice will be appreciated.
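One way to triage output like this, as an added example that is not part of the original post: the parser below splits packet-tracer text into its Phase blocks and the final Result trailer, then reports the first phase that returned DROP together with the Drop-reason and the Config lines (such as "Implicit Rule") that explain it. It assumes the line layout shown in the post; the sample trace is constructed and condensed from the first packet-tracer run above.

```python
# Added example, not from the original post: parse ASA packet-tracer text.
def parse_packet_tracer(text):
    """Return (phases, trailer): per-phase dicts and the final Action/Drop-reason."""
    phases, trailer, cur, section = [], {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        key, _, value = (s.strip() for s in line.partition(":"))
        if key == "Phase" and value.isdigit():      # "Phase: 2" opens a new block
            cur = {"number": int(value), "Config": []}
            phases.append(cur)
            section = None
        elif line == "Result:":                     # bare "Result:" opens the trailer
            cur = None
        elif cur is None:                           # trailer (or preamble) lines
            if key in ("Action", "Drop-reason"):
                trailer[key] = value
        elif key in ("Type", "Subtype", "Result"):  # phase header fields
            cur[key] = value
        elif key in ("Config", "Additional Information"):
            section = key
        elif section == "Config" and line:          # e.g. "Implicit Rule", access-list lines
            cur["Config"].append(line)
    return phases, trailer

def dropping_phase(text):
    """First phase whose Result is DROP, merged with the ASA's stated drop reason."""
    phases, trailer = parse_packet_tracer(text)
    drop = next((p for p in phases if p.get("Result") == "DROP"), None)
    return None if drop is None else {**drop, **trailer}

# Constructed sample (not the post's own output), condensed from the drop trace above.
SAMPLE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.4.2 255.255.255.255 outside
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""
```

Running dropping_phase(SAMPLE) returns the Phase 2 record with "Implicit Rule" as its only Config line, alongside the Action and Drop-reason from the trailer.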