Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2032
Views
0
Helpful
8
Replies

VPN up but no traffic

alois.roche
Level 1
Level 1

‎05-24-2011 01:45 PM

Hi,

I am supposed to configured an ASA 5510 for remote VPN connection but I am a beginner.

I did the wizard from the ASDM.

I did configure the VPN client (Cisco official client) and it connects to the ASA, but then the ping from the client toward the LAN (computer sitting on the LAN) doesn't work.

Only ping working (hold on I cannot believe it either) is the one from the ASDM ping "wizard", but bare with me again, only when I don't select the interface from which the ping is sended (see screenshots).

And when I check the monitoring screen on the ASDM, the tunnel seems to be working only one way (client to ASA).

You are probably gonna say that using the ASDM wizard was "not the best thing to do" but again I am a begginner and the configuration needed seemed simple.

I don't even know how to give you the "running-config", so if you want to help, please tell me how to.

Please help!

Labels:
Preview file
36 KB
0 Helpful
8 Replies 8

Yudong Wu
Level 7
Level 7

‎05-24-2011 02:56 PM

You can get command line from ASDM  

Tool-> Command Line Interface

Please issue a ping from vpn client to PC sitting in your inside network. and then use the above tool to get the following output

- show run

- show crypto ipsec sa

0 Helpful

alois.roche
Level 1
Level 1
In response to Yudong Wu

‎05-24-2011 03:36 PM

Thanks for your answer!

Here is a basic schema of my configuration:

remote-pc(extIP: 99.xx.xx.126)

to comcast cable 173.xx.xx.14

to ASA 5510 ext interface 10.2.10.254/24

to "admin" interface 10.0.0.0/24

And here is the config file, I replaced some external IP address for obvious reason!

Result of the command: "show run"

: Saved
:
ASA Version 8.2(1)
!
hostname R1
enable password N7FecZuSHJlVZC2P encrypted
passwd N7FecZuSHJlVZC2P encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 10.2.10.254 255.255.255.0
!
interface Ethernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/2
nameif admin
security-level 100
ip address 10.0.0.1 255.255.255.0
!
interface Ethernet0/3
nameif housekeeping
security-level 100
ip address 10.1.10.1 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service rdp tcp-udp
description rdp
port-object eq 3389
object-group service geovision tcp-udp
port-object eq 4550
port-object eq 5550
port-object eq 6550
port-object eq www
port-object eq 3389
object-group service rdp-geovision tcp-udp
port-object eq 3389
port-object eq 4550
port-object eq 5550
port-object eq 6550
port-object eq www
access-list outside_access_in extended permit object-group TCPUDP any host 173.xx.xx.3 object-group rdp-geovision
access-list outside_access_in extended permit object-group TCPUDP any host 173.xx.xx.2 object-group rdp-geovision
access-list outside_access_in extended permit object-group TCPUDP any host 173.xx.xx.1 object-group rdp-geovision
access-list admin_nat0_outbound extended permit ip any 10.1.10.192 255.255.255.192
access-list admin_nat0_outbound extended permit ip 10.1.10.0 255.255.255.0 10.1.10.192 255.255.255.192
access-list admin_nat0_outbound extended permit ip any 10.0.0.0 255.255.255.0
access-list admin_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 10.0.0.0 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu admin 1500
mtu housekeeping 1500
mtu management 1500
ip local pool remote-users 10.1.10.200-10.1.10.249 mask 255.255.255.0
ip local pool remote-admin 10.0.0.100-10.0.0.150 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (admin) 0 access-list admin_nat0_outbound
nat (admin) 1 0.0.0.0 0.0.0.0
nat (housekeeping) 1 0.0.0.0 0.0.0.0
static (admin,outside) 173.xx.xx.1 10.0.0.252 netmask 255.255.255.255
static (admin,outside) 173.xx.xx.2 10.0.0.253 netmask 255.255.255.255
static (admin,outside) 173.xx.xx.3 10.0.0.254 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.2.10.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.0.0.0 255.255.255.0 admin
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 10.0.0.0 255.255.255.0 admin
telnet 192.168.1.0 255.255.255.0 management
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 75.75.76.76 75.75.75.75
!
dhcpd address 10.0.0.10-10.0.0.240 admin
dhcpd dns 8.8.8.8 8.8.4.4 interface admin
dhcpd enable admin
!
dhcpd address 10.1.10.10-10.1.10.240 housekeeping
dhcpd dns 10.1.10.254 75.75.75.75 interface housekeeping
dhcpd enable housekeeping
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy tunnel-admin internal
group-policy tunnel-admin attributes
banner value dans la nuit
vpn-tunnel-protocol IPSec l2tp-ipsec
username admin password eY/fQXw7Ure8Qrz7 encrypted privilege 0
username admin attributes
vpn-group-policy tunnel-admin
tunnel-group tunnel-admin type remote-access
tunnel-group tunnel-admin general-attributes
address-pool remote-admin
default-group-policy tunnel-admin
tunnel-group tunnel-admin ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:23bcf144d39ab2df42e295ffa7efd218
: end

Result of the command: "show crypto ipsec sa"

interface: outside
    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 10.2.10.254

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.0.0.100/255.255.255.255/0/0)
      current_peer: 99.xx.xx.126, username: admin
      dynamic allocated peer ip: 10.0.0.100

      #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
      #pkts decaps: 1706, #pkts decrypt: 1706, #pkts verify: 1706
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 5, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 10.2.10.254/4500, remote crypto endpt.: 99.xx.xx.126/63962
      path mtu 1500, ipsec overhead 82, media mtu 1500
      current outbound spi: 4BAA362E

    inbound esp sas:
      spi: 0x141F996C (337615212)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 4096, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
         sa timing: remaining key lifetime (sec): 19498
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x4BAA362E (1269446190)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 4096, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
         sa timing: remaining key lifetime (sec): 19498
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

0 Helpful

andamani
Cisco Employee
Cisco Employee
In response to alois.roche

‎05-24-2011 09:14 PM

Hi,

I see that the pool ip is in the subnet as the internal network. i request you to change your pool ip to a different subnet say 192.168.10.1-192.168.10.100

Thus you will have to do the following:

no ip local pool remote-admin 10.0.0.100-10.0.0.150 mask  255.255.255.0

ip local pool remote-admin 192.168.10.1-192.168.10.100 mask  255.255.255.0

no access-list admin_nat0_outbound extended permit ip 10.0.0.0  255.255.255.0 10.0.0.0 255.255.255.0

access-list admin_nat0_outbound extended permit ip 10.0.0.0  255.255.255.0 192.168.10.0 255.255.255.0

Also ensure that any Layer 3 device present on the inside network has a route for the pool ip pointing to the ASA inside interface.

Hope this helps.

Regards,

Anisha

P.S.: please mark this post as answered if you feel your query is resolved. Do rate helpful posts.

0 Helpful

alois.roche
Level 1
Level 1
In response to andamani

‎05-25-2011 09:12 AM

Just to make sure, you want me to put the "vpn clients" address pool outside the destination subnet?

Also ensure that any Layer 3 device present on the inside network has a route for the pool ip pointing to the ASA inside interface.

When you say "has a route", I understand the why, but I don't see the how, is that a setting on the ASA or on each Layer 3 devices?

Sorry, I know Networks but I am new to Cisco!

Thanks for the answer!

0 Helpful

alois.roche
Level 1
Level 1
In response to andamani

‎05-25-2011 11:54 AM

Hi,

I did the change you advised me to do.

Please let me know what I did wrong again!

Also one more thing, I tried to ping from a machine inside the network toward the client (192.168.2.1) and it worked but still no chance the other way, is that a NAT problem then?

Thanks for the help!

Result of the command: "show run"

: Saved
:
ASA Version 8.2(1)
!
hostname R1
enable password N7FecZuSHJlVZC2P encrypted
passwd N7FecZuSHJlVZC2P encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 10.2.10.254 255.255.255.0
!
interface Ethernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/2
nameif admin
security-level 100
ip address 10.0.0.1 255.255.255.0
!
interface Ethernet0/3
nameif housekeeping
security-level 100
ip address 10.1.10.1 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service rdp tcp-udp
description rdp
port-object eq 3389
object-group service geovision tcp-udp
port-object eq 4550
port-object eq 5550
port-object eq 6550
port-object eq www
port-object eq 3389
object-group service rdp-geovision tcp-udp
port-object eq 3389
port-object eq 4550
port-object eq 5550
port-object eq 6550
port-object eq www
access-list outside_access_in extended permit object-group TCPUDP any host 173.xx.xx.3 object-group rdp-geovision
access-list outside_access_in extended permit object-group TCPUDP any host 173.xx.xx.2 object-group rdp-geovision
access-list outside_access_in extended permit object-group TCPUDP any host 173.xx.xx.1 object-group rdp-geovision
access-list admin_nat0_outbound extended permit ip any 10.1.10.192 255.255.255.192
access-list admin_nat0_outbound extended permit ip 10.1.10.0 255.255.255.0 10.1.10.192 255.255.255.192
access-list admin_nat0_outbound extended permit ip any 10.0.0.0 255.255.255.0
access-list admin_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list admin_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 192.168.2.0 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu admin 1500
mtu housekeeping 1500
mtu management 1500
ip local pool remote-test 192.168.2.1-192.168.2.100 mask 255.255.255.0
ip local pool remote-admin 10.0.0.100-10.0.0.150 mask 255.255.255.0
ip local pool remote-users 10.1.10.200-10.1.10.249 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (admin) 0 access-list admin_nat0_outbound
nat (admin) 1 0.0.0.0 0.0.0.0
nat (housekeeping) 1 0.0.0.0 0.0.0.0
static (admin,outside) 173.xx.xx.1 10.0.0.252 netmask 255.255.255.255
static (admin,outside) 173.xx.xx.2 10.0.0.253 netmask 255.255.255.255
static (admin,outside) 173.xx.xx.3 10.0.0.254 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.2.10.1 1
route outside 192.168.2.0 255.255.255.0 10.0.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.0.0.0 255.255.255.0 admin
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 10.0.0.0 255.255.255.0 admin
telnet 192.168.1.0 255.255.255.0 management
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 75.75.76.76 75.75.75.75
!
dhcpd address 10.0.0.10-10.0.0.240 admin
dhcpd dns 8.8.8.8 8.8.4.4 interface admin
dhcpd enable admin
!
dhcpd address 10.1.10.10-10.1.10.240 housekeeping
dhcpd dns 10.1.10.254 75.75.75.75 interface housekeeping
dhcpd enable housekeeping
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy tunnel-admin internal
group-policy tunnel-admin attributes
banner value dans la nuit
vpn-tunnel-protocol IPSec l2tp-ipsec
username admin password eY/fQXw7Ure8Qrz7 encrypted privilege 0
username admin attributes
vpn-group-policy tunnel-admin
tunnel-group tunnel-admin type remote-access
tunnel-group tunnel-admin general-attributes
address-pool remote-test
default-group-policy tunnel-admin
tunnel-group tunnel-admin ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:23bcf144d39ab2df42e295ffa7efd218
: end

0 Helpful

Yudong Wu
Level 7
Level 7
In response to alois.roche

‎05-25-2011 01:37 PM

Configuration looks good to me.

If you can ping from inside host to vpn client without problem but it won't work if you ping from client to internal host, it is most likely that the internal host might have a firewall which is blocking incoming ping packet.

When you issue ping from vpn client to the internal host, can you capture "show crypto ipsec sa" to see if encry/decry count is incrementing? You can also check the same in the statistics on VPN client.

0 Helpful

alois.roche
Level 1
Level 1
In response to Yudong Wu

‎05-25-2011 02:30 PM

I am going to try tonight and give the result of the cmd.

Thanks again for the answers.

0 Helpful

andamani
Cisco Employee
Cisco Employee
In response to alois.roche

‎05-26-2011 07:10 AM

Hi,

i would suggest have a look at the statistics.

please make a note of the following command before and after initiating a ping from the client to the server on the network.

sh cry isa sa

sh cry ips sa

On the client go to status > Statistics > Tunnel Details.

let us know the outputs.

Hope this helps.

Regards,

Anisha

P.S.: please mark this thread as answered if you feel your query is resolved. do rate helpful posts.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents