ASA RA VPN problem

Unanswered Question
Aug 11th, 2007

Hi,


I am setting up an IPSec remote access on an ASA (7.2.2).


I am running into one strange issue.


There is a 192.168.1.0/24 network on the Inside interface (EDC-INT)


There is a 192.168.16.0/24 network on the DMZ interface (DMZ)


The VPN pool is 192.168.10.0/24 (EDC-EXT). NAT is disabled for the RA VPN pool and also the "sysopt connections permit-vpn" command is enabled.


After connecting from my VPN client, when I ping some device on the DMZ network, I am not able to reach it. Please find the ICMP trace below. It shows that the echo request comes from EDC-EXT to DMZ. But for some reason, echo reply is sent from the DMZ to EDC-INT (inside interface). Why would ASA decide that the 192.168.10.0/24 network should go to Inside interface?




******************************************************

ICMP echo request from EDC-EXT:192.168.10.40 to DMZ:192.168.16.103 ID=1280 seq=2816 len=32

ICMP echo reply from DMZ:192.168.10.103 to EDC-INT:192.168.10.40 ID=1280 seq=2816 len=32

ICMP echo request from EDC-EXT:192.168.10.40 to DMZ: 192.168.10.103 ID=1280 seq=3072 len=32

ICMP echo reply from DMZ: 192.168.10.103 to EDC-INT:192.168.10.40 ID=1280 seq=3072 len=32




Routing table

***********************************************

C 20x.x0.x.1x 255.255.255.128 is directly connected, EDC-EXT

S 192.168.10.40 255.255.255.255 [1/0] via 206.80.2.129, EDC-EXT

C 172.31.32.0 255.255.255.252 is directly connected, Failover

C 172.31.31.0 255.255.255.252 is directly connected, State

C 127.0.0.0 255.255.0.0 is directly connected, cplane

C 192.168.16.0 255.255.255.0 is directly connected, DMZ

C 192.168.1.0 255.255.255.0 is directly connected, EDC-INT

S 192.168.32.0 255.255.255.0 [1/0] via 192.168.1.6, EDC-INT

S* 0.0.0.0 0.0.0.0 [1/0] via 20x.x0.x.1x, EDC-EXT

S 192.168.32.0 255.255.240.0 [1/0] via 192.168.1.6, EDC-INT





RA VPN Configuration

*********************************************

access-list EDC-ADMIN_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0

access-list EDC-ADMIN_splitTunnelAcl standard permit 10.50.0.0 255.255.0.0

access-list EDC-ADMIN_splitTunnelAcl standard permit 192.168.16.0 255.255.255.0

access-list EDC-ADMIN_splitTunnelAcl standard permit 192.168.32.0 255.255.240.0

access-list EDC-INT_nat0_outbound line 8 extended permit ip 192.168.16.0 255.255.255.0 192.168.10.0 255.255.255.0

access-list EDC-INT_nat0_outbound extended permit ip any 192.168.10.0 255.255.255.0

ip local pool Adminvpnpool 192.168.10.1-192.168.10.254 mask 255.255.255.0

group-policy EDC-ADMIN internal

group-policy EDC-ADMIN attributes

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value EDC-ADMIN_splitTunnelAcl

dns-server value 192.168.1.60

default-domain value xyz.com

tunnel-group EDC-ADMIN type ipsec-ra

tunnel-group EDC-ADMIN general-attributes

default-group-policy EDC-ADMIN

address-pool Adminvpnpool

tunnel-group EDC-ADMIN ipsec-attributes

pre-shared-key xyz

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto dynamic-map EDC-EXT_dyn_map 60 set pfs group2

crypto dynamic-map EDC-EXT_dyn_map 60 set transform-set ESP-3DES-SHA


*************************************************


Looking forward to an early response. Please help.


Regards,

Suresh


sureshkrishnan Sat, 08/11/2007 - 09:24

Hi,


There was a mistake in the ICMP trace. Please find the updated ICMP trace below.


Regards,

Suresh



******************************************************

ICMP echo request from EDC-EXT:192.168.10.40 to DMZ:192.168.16.103 ID=1280 seq=2816 len=32

ICMP echo reply from DMZ:192.168.16.103 to EDC-INT:192.168.10.40 ID=1280 seq=2816 len=32

ICMP echo request from EDC-EXT:192.168.10.40 to DMZ: 192.168.16.103 ID=1280 seq=3072 len=32

ICMP echo reply from DMZ: 192.168.16.103 to EDC-INT:192.168.10.40 ID=1280 seq=3072 len=32

srue Sun, 08/12/2007 - 20:44

This is probably a NAT issue.


You need a command like the following:

nat (dmz) 0 access-list nat0_acl


nat0_acl will match any traffic going to your VPN pool from your DMZ.

sureshkrishnan Wed, 08/15/2007 - 08:38

Hi,


I do have nat exempt for the vpn pool.


These are the NAT statements:

nat (DMZ) 0 access-list EDC-INT_nat0_outbound

nat (EDC-INT) 0 access-list EDC-INT_nat0_outbound

nat (EDC-INT) 10 0.0.0.0 0.0.0.0

static (EDC-INT,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.0.0


Regards,

Suresh
