04-02-2014 02:51 PM
Greetings All,
I have an interesting situation:
Our Cisco VPN (ASA 5510) with RDP or windows file sharing works great in the United States. However, when traveling to our other office in the Netherlands VPN connects, but I cannot RDP into servers/workstation or for that matter access the windows shares of the main office.
Thinking perhaps the ASA 5510 had a hiccup - I asked a co-worker to see if he could vpn in and access the network. He was able to vpn and rdp into a server and access shares. He is located in the United States.
Main Office (USA) internal IP Scheme: 10.10.0.x
Branch Office (Netherlands) internal IP Scheme 10.0.0.x
I have uninstalled/reinstalled my Cisco VPN client, freshly installed it on a workstation at the branch office in the Netherlands, tried connecting from the hotel network, tried a sales person's laptop when they were passing through – all with the same result: I can establish a VPN connection but cannot access the local network. – Yes, I have tried connecting with the "Access Local Network" box both checked and unchecked in the VPN client ;-)
Interestingly, I just asked that same Sales Person to try again in Germany - she was able to connect to VPN and access rdp and shares. I was also able to connect to VPN and access rdp & shares at another hotel in the Netherlands.
Any idea what could be causing this? Any guess on a solution? Once a VPN tunnel is established - there should be no way to hinder any data flowing through it?
Thanks in advance!
Bob
04-02-2014 03:07 PM
Hi, you're right, all traffic through the VPN tunnel should be encrypted and therefore not filtered by someone in the path.
The only thing I can think is that the tunnel itself establishes using ESP protocol, but the actual traffic through the tunnel uses UDP port 500 (ISAKMP), if we're talking IPsec.
So, perhaps the hotel is only allowing certain ports out and not UDP 500?
Try to see if you can PING or any other TCP traffic through the VPN tunnel just to check if UDP 500 is allowed.
Also you can check if the traffic from the hotel is reaching the ASA through the tunnel with the command "show crypto ipsec sa peer <>" Just change <> for your public IP.
Hope it helps.
04-02-2014 03:43 PM
Hello Coto.fusionet,
Thanks for the quick reply!
Below is the running config on the ASA at the branch office (5505 I think) - If you don't mind can you look through and tell me if anything looks amiss?
# sh run
: Saved
:
ASA Version 8.4(1)
!
hostname ##############
domain-name #####.local
enable password ################## encrypted
passwd ################### encrypted
names
!
interface Vlan10
nameif inside
security-level 100
ip address 10.0.0.1 255.255.255.0
!
interface Vlan20
nameif outside
security-level 0
ip address ###.###.###.### 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 20
!
interface Ethernet0/1
switchport access vlan 10
!
interface Ethernet0/2
switchport access vlan 10
!
interface Ethernet0/3
switchport access vlan 10
!
interface Ethernet0/4
switchport access vlan 10
!
interface Ethernet0/5
switchport access vlan 10
!
interface Ethernet0/6
switchport access vlan 10
!
interface Ethernet0/7
switchport access vlan 10
!
boot system disk0:/asa841-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name #####.local
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network NET-LAN
subnet 10.0.0.0 255.255.255.0
object network HOST-SBS
host 10.0.0.2
object network NET-LAN-VPN
subnet 10.0.1.0 255.255.255.0
object network HOST-SBS-01
host 10.0.0.2
object network HOST-SBS-02
host 10.0.0.2
object network HOST-SBS-03
host 10.0.0.2
object network HOST-10.0.0.199
host 10.0.0.199
description Change 46182 2014-02-12 PinkElephant\SHepp
object-group network GRP-PRIVATE-RANGES
network-object ###.###.0.0 255.255.0.0
network-object ###.###.0.0 255.240.0.0
network-object 10.0.0.0 255.0.0.0
object-group service GRP-LAN-TO-ALL
service-object tcp destination eq https
service-object tcp destination eq www
service-object tcp destination eq 987
service-object tcp destination eq 983
service-object tcp destination eq citrix-ica
service-object tcp destination eq 2598
service-object tcp destination eq pop3
service-object tcp destination eq 8443
service-object tcp destination eq 2025
service-object tcp destination eq 995
service-object tcp destination eq 2525
service-object tcp destination eq 465
service-object tcp destination eq ssh
service-object tcp destination eq ftp
service-object tcp destination eq ftp-data
service-object esp
service-object ah
service-object gre
service-object udp destination eq isakmp
service-object udp destination eq 4500
service-object udp destination eq 10000
object-group service GRP-SBS-TO-ALL
service-object tcp destination eq smtp
service-object tcp destination eq 987
service-object tcp destination eq 983
service-object tcp destination eq https
service-object tcp destination eq www
service-object udp destination eq domain
service-object tcp destination eq domain
service-object tcp destination eq pop3
object-group service GRP-ANY-TO-SBS
service-object tcp destination eq smtp
service-object tcp destination eq www
service-object tcp destination eq https
service-object tcp destination eq pop3
access-list INSIDE-IN remark ### Deny LAN to Private subnets ###
access-list INSIDE-IN extended permit ip object NET-LAN object-group GRP-PRIVATE-RANGES
access-list INSIDE-IN remark ### PERMIT SBS to ANY ###
access-list INSIDE-IN extended permit object-group GRP-SBS-TO-ALL object HOST-SBS any
access-list INSIDE-IN remark ### PERMIT LAN to ANY ###
access-list INSIDE-IN extended permit object-group GRP-LAN-TO-ALL object NET-LAN any
access-list INSIDE-IN remark Deny any any
access-list INSIDE-IN extended deny ip any any
access-list OUTSIDE-IN remark PERMIT any TO SBS
access-list OUTSIDE-IN extended permit object-group GRP-ANY-TO-SBS any object HOST-SBS
access-list OUTSIDE-IN remark ### Permit tcp 7000 to host 10.0.0.199
access-list OUTSIDE-IN extended permit tcp any object HOST-10.0.0.199 eq 7000
access-list OUTSIDE-IN remark Deny any any
access-list OUTSIDE-IN extended deny ip any any
access-list TUNNEL-ACL remark Specify what traffic goes through VPN tunnel
access-list TUNNEL-ACL extended permit ip object NET-LAN object NET-LAN-VPN
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPN-IP-POOL 10.0.1.1-10.0.1.254
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
asdm image disk0:/asdm-649.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source static NET-LAN NET-LAN destination static NET-LAN-VPN NET-LAN-VPN
!
object network NET-LAN
nat (inside,outside) dynamic interface
object network HOST-SBS
nat (inside,outside) static interface service tcp smtp smtp
object network HOST-SBS-01
nat (inside,outside) static interface service tcp www www
object network HOST-SBS-02
nat (inside,outside) static interface service tcp https https
object network HOST-SBS-03
nat (inside,outside) static interface service tcp pop3 pop3
object network HOST-10.0.0.199
nat (inside,outside) static interface service tcp 7000 7000
access-group INSIDE-IN in interface inside
access-group OUTSIDE-IN in interface outside
route outside 0.0.0.0 0.0.0.0 ###.###.###.### 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server RADIUS protocol radius
aaa-server RADIUS-LAN protocol radius
aaa-server RADIUS-LAN (inside) host 10.0.0.2
timeout 5
key *****
aaa authentication ssh console LOCAL
aaa authentication serial console LOCAL
http server enable 8443
http ###.###.###.### 255.255.255.192 outside
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set strong esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set extra-strong esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map dynmap 99 set ikev1 transform-set extra-strong strong ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic dynmap
crypto map OUTSIDE_MAP interface outside
crypto isakmp identity address
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 10.0.0.0 255.255.255.0 inside
ssh ###.###.###.### 255.255.255.192 outside
ssh timeout 30
ssh version 2
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy VPN1000 internal
group-policy VPN1000 attributes
wins-server value 10.0.0.2
dns-server value 10.0.0.2
split-tunnel-policy tunnelspecified
split-tunnel-network-list value TUNNEL-ACL
default-domain value #####.local
username cadmin password ############### encrypted privilege 15
tunnel-group VPN1000 type remote-access
tunnel-group VPN1000 general-attributes
address-pool VPN-IP-POOL
authentication-server-group RADIUS-LAN LOCAL
default-group-policy VPN1000
tunnel-group VPN1000 ipsec-attributes
ikev1 pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
inspect icmp error
inspect ftp
inspect pptp
inspect ipsec-pass-thru
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:#####################
: end
04-02-2014 03:53 PM
Hi, I looked at the config, and based on the fact that you only have problems from one location remotely, I don't see problems with the ASA's configuration.
What we can check on the ASA side, is what happens when you attempt to pass traffic from the hotel. You can do the following:
sh cry ipsec sa peer IP (changing IP for your public IP) --> this will show if traffic is flowing bidirectionally from the hotel to the ASA via the tunnel.
This will lead us to where the problem is most likely.
04-03-2014 12:00 PM
Hello Coto.fusionet,
The config is from the ASA where we are having problems to connect - the Branch Office's ASA.
I am no longer at the branch office - but can vpn + rdp to their machines and perform connection tests
Thanks again
04-03-2014 01:49 PM
Hi, this tunnel is established between both ASAs, right?
In other words, a Site-to-Site tunnel between both locations, or are you using a VPN client software from behind the remote office's ASA?
If it is a Site-to-Site tunnel, then on the remote office ASA you can check the tunnel is established with the command: sh cry ips sa, and also if it's both sending and receiving packets.
If it's a client software behind the remote office ASA, only UDP 500 and ESP are required to be open, but we need to check the same commands mentioned before on the main office ASA.
Hope it makes sense.
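The replies above both come down to one check: run "show crypto ipsec sa peer <ip>" on the ASA and see whether packets are counted in both directions. This is an added example, not code from the thread or from Cisco, that parses a constructed sample of that output (documentation addresses, counters chosen to show a one-way tunnel) and classifies the result the way the replies describe; the "/4500" on the crypto endpoint line is read as NAT-T (ESP wrapped in UDP), anything else as raw ESP.

```python
import re
from dataclasses import dataclass

# Constructed sample of ASA 8.4-style "show crypto ipsec sa peer <ip>" output,
# cut down to the lines this check reads; addresses are documentation ranges.
SAMPLE_SA_OUTPUT = """\
    Crypto map tag: dynmap, seq num: 99, local addr: 203.0.113.1
      remote ident (addr/mask/prot/port): (10.0.1.5/255.255.255.255/0/0)
      current_peer: 198.51.100.7, username: bob
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 120, #pkts decrypt: 120, #pkts verify: 120
      local crypto endpt.: 203.0.113.1/4500, remote crypto endpt.: 198.51.100.7/4500
"""

@dataclass
class SaStats:
    peer: str
    encaps: int   # packets the ASA encrypted and sent toward the client
    decaps: int   # packets the ASA received from the client and decrypted
    nat_t: bool   # True when ESP is carried inside UDP/4500 (NAT traversal)

def parse_ipsec_sa(text: str) -> SaStats:
    """Pull the peer, the packet counters and the encapsulation out of the output."""
    peer = re.search(r"current_peer:\s*([\d.]+)", text)
    encaps = re.search(r"#pkts encaps:\s*(\d+)", text)
    decaps = re.search(r"#pkts decaps:\s*(\d+)", text)
    endpt = re.search(r"remote crypto endpt\.:\s*[\d.]+/(\d+)", text)
    if not (peer and encaps and decaps and endpt):
        raise ValueError("no IPsec SA for that peer (IKE may be up, but no IPsec SA was built)")
    return SaStats(peer.group(1), int(encaps.group(1)), int(decaps.group(1)),
                   endpt.group(1) == "4500")

def diagnose(s: SaStats) -> tuple:
    """Classify the counters: is the tunnel data plane bidirectional at the ASA?"""
    if s.decaps == 0 and s.encaps == 0:
        code, hint = "no-traffic", "nothing reaches the ASA: the path drops the tunnel's data packets"
    elif s.decaps > 0 and s.encaps == 0:
        code, hint = "asa-not-replying", "client packets arrive but none go back: check NAT exemption, ACLs, routes"
    elif s.encaps > 0 and s.decaps == 0:
        code, hint = "client-not-reaching", "the ASA sends but receives nothing: client-to-ASA direction is blocked"
    else:
        code, hint = "bidirectional", "data plane works at the ASA; look past it (return path or client)"
    if not s.nat_t:
        hint += "; raw ESP in use, which hotel NATs often drop, so confirm NAT-T on UDP/4500"
    return code, hint
```

A counter pair of decaps > 0 / encaps = 0 is the one that points back at the ASA itself; anything else points at the hotel path or the client.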