ASA RA VPN problem

sureshkrishnan
Level 1

Hi,

I am setting up an IPSec remote access on an ASA (7.2.2).

I am running into one strange issue.

There is a 192.168.1.0/24 network on the Inside interface (EDC-INT)

There is a 192.168.16.0/24 network on the DMZ interface (DMZ)

The VPN pool is 192.168.10.0/24 (EDC-EXT). NAT is disabled for RA VPN pool and also "sysopt connections permit-vpn" command is enabled.

After connecting from my VPN client, when I ping some device on the DMZ network, I am not able to reach it. Please find the ICMP trace below. It shows that the echo request comes from EDC-EXT to DMZ. But for some reason, echo reply is sent from the DMZ to EDC-INT (inside interface). Why would ASA decide that the 192.168.10.0/24 network should go to Inside interface?

******************************************************

ICMP echo request from EDC-EXT:192.168.10.40 to DMZ:192.168.16.103 ID=1280 seq=2816 len=32

ICMP echo reply from DMZ:192.168.10.103 to EDC-INT:192.168.10.40 ID=1280 seq=2816 len=32

ICMP echo request from EDC-EXT:192.168.10.40 to DMZ: 192.168.10.103 ID=1280 seq=3072 len=32

ICMP echo reply from DMZ: 192.168.10.103 to EDC-INT:192.168.10.40 ID=1280 seq=3072 len=32

Routing table

***********************************************

C 20x.x0.x.1x 255.255.255.128 is directly connected, EDC-EXT

S 192.168.10.40 255.255.255.255 [1/0] via 206.80.2.129, EDC-EXT

C 172.31.32.0 255.255.255.252 is directly connected, Failover

C 172.31.31.0 255.255.255.252 is directly connected, State

C 127.0.0.0 255.255.0.0 is directly connected, cplane

C 192.168.16.0 255.255.255.0 is directly connected, DMZ

C 192.168.1.0 255.255.255.0 is directly connected, EDC-INT

S 192.168.32.0 255.255.255.0 [1/0] via 192.168.1.6, EDC-INT

S* 0.0.0.0 0.0.0.0 [1/0] via 20x.x0.x.1x, EDC-EXT

S 192.168.32.0 255.255.240.0 [1/0] via 192.168.1.6, EDC-INT

RA VPN Configuration

*********************************************

access-list EDC-ADMIN_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0

access-list EDC-ADMIN_splitTunnelAcl standard permit 10.50.0.0 255.255.0.0

access-list EDC-ADMIN_splitTunnelAcl standard permit 192.168.16.0 255.255.255.0

access-list EDC-ADMIN_splitTunnelAcl standard permit 192.168.32.0 255.255.240.0

access-list EDC-INT_nat0_outbound line 8 extended permit ip 192.168.16.0 255.255.255.0 192.168.10.0 255.255.255.0

access-list EDC-INT_nat0_outbound extended permit ip any 192.168.10.0 255.255.255.0

ip local pool Adminvpnpool 192.168.10.1-192.168.10.254 mask 255.255.255.0

group-policy EDC-ADMIN internal

group-policy EDC-ADMIN attributes

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value EDC-ADMIN_splitTunnelAcl

dns-server value 192.168.1.60

default-domain value xyz.com

tunnel-group EDC-ADMIN type ipsec-ra

tunnel-group EDC-ADMIN general-attributes

default-group-policy EDC-ADMIN

address-pool Adminvpnpool

tunnel-group EDC-ADMIN ipsec-attributes

pre-shared-key xyz

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto dynamic-map EDC-EXT_dyn_map 60 set pfs group2

crypto dynamic-map EDC-EXT_dyn_map 60 set transform-set ESP-3DES-SHA

*************************************************

Looking forward to an early response. Please help.

Regards,

Suresh

3 Replies

sureshkrishnan
Level 1

Hi,

There was a mistake in the ICMP trace. Please find the updated ICMP trace below.

Regards,

Suresh

******************************************************

ICMP echo request from EDC-EXT:192.168.10.40 to DMZ:192.168.16.103 ID=1280 seq=2816 len=32

ICMP echo reply from DMZ:192.168.16.103 to EDC-INT:192.168.10.40 ID=1280 seq=2816 len=32

ICMP echo request from EDC-EXT:192.168.10.40 to DMZ: 192.168.16.103 ID=1280 seq=3072 len=32

ICMP echo reply from DMZ: 192.168.16.103 to EDC-INT:192.168.10.40 ID=1280 seq=3072 len=32

This is probably a NAT issue.

You need a command like the following:

nat (dmz) 0 access-list nat0_acl

nat0_acl will match any traffic going to your VPN pool from your DMZ.

Hi,

I do have nat exempt for the vpn pool.

These are the NAT statements:

nat (DMZ) 0 access-list EDC-INT_nat0_outbound

nat (EDC-INT) 0 access-list EDC-INT_nat0_outbound

nat (EDC-INT) 10 0.0.0.0 0.0.0.0

static (EDC-INT,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.0.0

Regards,

Suresh
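The last reply shows a static identity translation, static (EDC-INT,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.0.0, whose mapped range (192.168.0.0/16 on the DMZ side) contains the VPN pool 192.168.10.0/24. On a pre-8.3 ASA, a static on a range lets the firewall pick the egress interface from the translation rather than the routing table for hosts inside that range, which is the kind of overlap worth checking whenever a trace shows VPN-pool replies leaving toward the inside interface. The following Python script is an added example, not code from the thread or from Cisco: it parses the "ip local pool" and "static" lines quoted above (embedded here as a constructed sample so it runs offline) and reports every static whose mapped range overlaps a VPN pool. The function names parse_pools, parse_statics and find_pool_overlaps, and the constant SAMPLE_CONFIG, are the example's own.

```python
import ipaddress
import re

# Constructed sample: the pool and NAT lines quoted in this thread
# (ASA 7.x, pre-8.3 syntax), embedded so the audit runs offline.
SAMPLE_CONFIG = """
ip local pool Adminvpnpool 192.168.10.1-192.168.10.254 mask 255.255.255.0
nat (DMZ) 0 access-list EDC-INT_nat0_outbound
nat (EDC-INT) 0 access-list EDC-INT_nat0_outbound
nat (EDC-INT) 10 0.0.0.0 0.0.0.0
static (EDC-INT,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.0.0
"""

# ip local pool <name> <start>-<end> mask <mask>
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+) mask (\S+)$")
# static (<real_if>,<mapped_if>) <mapped_ip> <real_ip> netmask <mask>
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)$")


def parse_pools(config):
    """Return {pool_name: network} for every 'ip local pool' line.

    The pool network is derived from the start address and the mask, so a
    pool of .1-.254 with a /24 mask yields the whole /24."""
    pools = {}
    for line in config.splitlines():
        m = POOL_RE.match(line.strip())
        if m:
            name, start, _end, mask = m.groups()
            pools[name] = ipaddress.ip_network(f"{start}/{mask}", strict=False)
    return pools


def parse_statics(config):
    """Return (real_if, mapped_if, mapped_network) for every 'static' line.

    The mapped network is what hosts on mapped_if see; traffic from mapped_if
    to that range is translated and sent toward real_if."""
    statics = []
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            real_if, mapped_if, mapped_ip, _real_ip, mask = m.groups()
            net = ipaddress.ip_network(f"{mapped_ip}/{mask}", strict=False)
            statics.append((real_if, mapped_if, net))
    return statics


def find_pool_overlaps(config):
    """Flag each static whose mapped range overlaps a VPN address pool.

    Such a static makes the ASA treat pool addresses, when seen from the
    mapped interface, as hosts behind the real interface, so VPN-bound
    replies from that interface leave via the real interface instead of
    the tunnel."""
    findings = []
    pools = parse_pools(config)
    for real_if, mapped_if, net in parse_statics(config):
        for name, pool in pools.items():
            if pool.overlaps(net):
                findings.append({
                    "pool": name,
                    "pool_net": str(pool),
                    "static_mapped_net": str(net),
                    "mapped_if": mapped_if,
                    "real_if": real_if,
                })
    return findings


if __name__ == "__main__":
    for f in find_pool_overlaps(SAMPLE_CONFIG):
        print(f"pool {f['pool']} ({f['pool_net']}) lies inside static mapped "
              f"range {f['static_mapped_net']} on {f['mapped_if']}; replies "
              f"from {f['mapped_if']} will be steered to {f['real_if']}")
```

Run against the quoted configuration the script reports one finding: Adminvpnpool (192.168.10.0/24) sits inside the 192.168.0.0/16 mapped range of the static on DMZ, with EDC-INT as the real interface, which matches the trace where the echo reply from the DMZ host is delivered to EDC-INT instead of back to the VPN client. Narrowing the static to the networks that actually live behind EDC-INT, or adding a more specific static that excludes the pool, is the corrective change to review.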
