08-11-2007 09:20 AM - edited 03-11-2019 03:56 AM
Hi,
I am setting up an IPSec remote access on an ASA (7.2.2).
I am running into one strange issue.
There is a 192.168.1.0/24 network on the Inside interface (EDC-INT)
There is a 192.168.16.0/24 network on the DMZ interface (DMZ)
The VPN pool is 192.168.10.0/24 (EDC-EXT). NAT is disabled for the RA VPN pool and also the "sysopt connections permit-vpn" command is enabled.
After connecting from my VPN client, when I ping some device on the DMZ network, I am not able to reach it. Please find the ICMP trace below. It shows that the echo request comes from EDC-EXT to DMZ. But for some reason, echo reply is sent from the DMZ to EDC-INT (inside interface). Why would ASA decide that the 192.168.10.0/24 network should go to Inside interface?
******************************************************
ICMP echo request from EDC-EXT:192.168.10.40 to DMZ:192.168.16.103 ID=1280 seq=2816 len=32
ICMP echo reply from DMZ:192.168.10.103 to EDC-INT:192.168.10.40 ID=1280 seq=2816 len=32
ICMP echo request from EDC-EXT:192.168.10.40 to DMZ: 192.168.10.103 ID=1280 seq=3072 len=32
ICMP echo reply from DMZ: 192.168.10.103 to EDC-INT:192.168.10.40 ID=1280 seq=3072 len=32
Routing table
***********************************************
C 20x.x0.x.1x 255.255.255.128 is directly connected, EDC-EXT
S 192.168.10.40 255.255.255.255 [1/0] via 206.80.2.129, EDC-EXT
C 172.31.32.0 255.255.255.252 is directly connected, Failover
C 172.31.31.0 255.255.255.252 is directly connected, State
C 127.0.0.0 255.255.0.0 is directly connected, cplane
C 192.168.16.0 255.255.255.0 is directly connected, DMZ
C 192.168.1.0 255.255.255.0 is directly connected, EDC-INT
S 192.168.32.0 255.255.255.0 [1/0] via 192.168.1.6, EDC-INT
S* 0.0.0.0 0.0.0.0 [1/0] via 20x.x0.x.1x, EDC-EXT
S 192.168.32.0 255.255.240.0 [1/0] via 192.168.1.6, EDC-INT
RA VPN Configuration
*********************************************
access-list EDC-ADMIN_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list EDC-ADMIN_splitTunnelAcl standard permit 10.50.0.0 255.255.0.0
access-list EDC-ADMIN_splitTunnelAcl standard permit 192.168.16.0 255.255.255.0
access-list EDC-ADMIN_splitTunnelAcl standard permit 192.168.32.0 255.255.240.0
access-list EDC-INT_nat0_outbound line 8 extended permit ip 192.168.16.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list EDC-INT_nat0_outbound extended permit ip any 192.168.10.0 255.255.255.0
ip local pool Adminvpnpool 192.168.10.1-192.168.10.254 mask 255.255.255.0
group-policy EDC-ADMIN internal
group-policy EDC-ADMIN attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value EDC-ADMIN_splitTunnelAcl
dns-server value 192.168.1.60
default-domain value xyz.com
tunnel-group EDC-ADMIN type ipsec-ra
tunnel-group EDC-ADMIN general-attributes
default-group-policy EDC-ADMIN
address-pool Adminvpnpool
tunnel-group EDC-ADMIN ipsec-attributes
pre-shared-key xyz
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map EDC-EXT_dyn_map 60 set pfs group2
crypto dynamic-map EDC-EXT_dyn_map 60 set transform-set ESP-3DES-SHA
*************************************************
Looking forward to an early response. Please help.
Regards,
Suresh
08-11-2007 09:24 AM
Hi,
There was a mistake in the ICMP trace. Please find the updated ICMP trace below.
Regards,
Suresh
******************************************************
ICMP echo request from EDC-EXT:192.168.10.40 to DMZ:192.168.16.103 ID=1280 seq=2816 len=32
ICMP echo reply from DMZ:192.168.16.103 to EDC-INT:192.168.10.40 ID=1280 seq=2816 len=32
ICMP echo request from EDC-EXT:192.168.10.40 to DMZ: 192.168.16.103 ID=1280 seq=3072 len=32
ICMP echo reply from DMZ: 192.168.16.103 to EDC-INT:192.168.10.40 ID=1280 seq=3072 len=32
08-12-2007 08:44 PM
This is probably a NAT issue.
You need a command like the following:
nat (dmz) 0 access-list nat0_acl
nat0_acl will match any traffic going to your vpn pool from your dmz.
08-15-2007 08:38 AM
Hi,
I do have nat exempt for the vpn pool.
These are the NAT statements:
nat (DMZ) 0 access-list EDC-INT_nat0_outbound
nat (EDC-INT) 0 access-list EDC-INT_nat0_outbound
nat (EDC-INT) 10 0.0.0.0 0.0.0.0
static (EDC-INT,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.0.0
Regards,
Suresh
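Added illustration (not from the thread, and not ASA code): a small Python model that applies the posted routing table and the static (EDC-INT,DMZ) statement to the reply's destination 192.168.10.40. It assumes, as a labelled assumption, the pre-8.3 ASA behaviour that a static translation whose mapped network contains the destination picks the egress interface before the routing table is consulted, which is the kind of lookup the EDC-INT reply in the trace would reflect.

```python
import ipaddress

# Constructed from the routing table posted in the thread (prefix, egress interface).
ROUTES = [
    ("192.168.16.0/24", "DMZ"),
    ("192.168.1.0/24", "EDC-INT"),
    ("192.168.32.0/24", "EDC-INT"),
    ("192.168.32.0/20", "EDC-INT"),
    ("192.168.10.40/32", "EDC-EXT"),   # per-client host route installed for the VPN peer
    ("0.0.0.0/0", "EDC-EXT"),
]

# Constructed from "static (EDC-INT,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.0.0".
STATICS = [
    {"real_ifc": "EDC-INT", "mapped_ifc": "DMZ", "mapped": "192.168.0.0/16"},
]

def route_lookup(dst, routes=ROUTES):
    """Plain longest-prefix match over the routing table."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, ifc in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifc)
    return best[1] if best else None

def egress_interface(ingress_ifc, dst, statics=STATICS, routes=ROUTES):
    """Assumed pre-8.3 order: a static whose mapped side faces the ingress interface
    and whose mapped network contains dst wins; otherwise fall back to the routing table.
    Returns (interface, reason)."""
    addr = ipaddress.ip_address(dst)
    for s in statics:
        if s["mapped_ifc"] == ingress_ifc and addr in ipaddress.ip_network(s["mapped"]):
            reason = "static (%s,%s) %s" % (s["real_ifc"], s["mapped_ifc"], s["mapped"])
            return s["real_ifc"], reason
    return route_lookup(dst, routes), "routing table"

def overlapping_statics(pool, statics=STATICS):
    """Statics whose mapped network overlaps the VPN pool: the candidates to narrow."""
    p = ipaddress.ip_network(pool)
    return [s for s in statics if ipaddress.ip_network(s["mapped"]).overlaps(p)]

if __name__ == "__main__":
    print(egress_interface("EDC-EXT", "192.168.16.103"))  # request: DMZ via routing table
    print(egress_interface("DMZ", "192.168.10.40"))       # reply: EDC-INT via the static
    print(overlapping_statics("192.168.10.0/24"))
```

Under that assumption the reply to the pool address is steered by the /16 static rather than by the /32 host route to EDC-EXT, so the overlap between the static's mapped range and the pool is the thing to check.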