ASA 5505 Remote VPN Problem

Answered Question
Jan 25th, 2008

I am having trouble getting to host(s) on my inside network via remote vpn. I can successfully connect to the ASA using cisco client, but I cannot ping or connect to any devices on my inside network. When I ssh to the ASA I can ping the hosts on the inside network and the hosts on the outside (VPN) network. I've setup remote vpn via ASDM wizard before, but have not encountered this problem. Any help would be appreciated. I have attached my config.

Thanks

ajagadee Fri, 01/25/2008 - 08:14

You need to apply NAT 0 to bypass NAT for the VPN Client pool of IP addresses. I see an ACL configured but not applied. What you need is,

nat (inside) 0 access-list inside_nat0_outbound

Please configure this and let me know how it goes.

Regards,

Arul

** Please rate all helpful posts **

kevin.eidel Fri, 01/25/2008 - 08:23

Thank you for your reply. That did not fix it. I'm not even seeing any hitcounts on my ACLs.

I did the following command:

MehASA(config)# nat (inside) 0 access-list inside_nat0_outbound

MehASA(config)# sho access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list Test_VPN_splitTunnelAcl; 1 elements
access-list Test_VPN_splitTunnelAcl line 1 standard permit 192.168.1.0 255.255.255.0 (hitcnt=0) 0x85f9e2ff
access-list inside_nat0_outbound; 1 elements
access-list inside_nat0_outbound line 1 extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0 (hitcnt=0) 0x94bd01e3

ajagadee Fri, 01/25/2008 - 08:35

So, you are getting connected but not able to access the LAN. What is the IP address that you are trying to ping from the VPN Client?

Also, can you post the output of "show cry is sa" and "show cry ipsec sa" when you are VPNed in and trying to access the LAN?

Also, did you get a chance to do a "clear xlate" after you configured the NAT 0 statement?

Regards,

Arul

kevin.eidel Fri, 01/25/2008 - 09:05

I did a clear xlate and it didn't change anything. I'm trying to connect to 192.168.1.111. Here is the output from the commands:

MehASA(config)# sho cry is sa
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 170.163.152.43
Type : user Role : responder
Rekey : no State : AM_ACTIVE

MehASA(config)# sho cry ipsec sa
interface: outside
Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 67.87.102.24
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.100.1/255.255.255.255/0/0)
current_peer: 170.163.152.43, username: test_user
dynamic allocated peer ip: 192.168.100.1
#pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
#pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 5, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 67.87.102.24, remote crypto endpt.: 170.163.152.43
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: 9F034A2E
inbound esp sas:
spi: 0xF2FE6308 (4076757768)
transform: esp-aes esp-sha-hmac none
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 28672, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 28758
IV size: 16 bytes
replay detection support: Y
outbound esp sas:
spi: 0x9F034A2E (2667792942)
transform: esp-aes esp-sha-hmac none
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 28672, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 28758
IV size: 16 bytes
replay detection support: Y

thanks again for your help

ajagadee Fri, 01/25/2008 - 09:35

Thanks for the outputs! Based on the show commands, the ASA is encrypting and decrypting traffic. So, chances are that the ASA is sending the traffic back to the VPN Client and is getting dropped somewhere in between.

On the VPN Client, under statistics, do you see packets encrypted and decrypted, or only encrypted? How is the VPN Client connected to the internet? Can you use a dial-up and test this, just to make sure that we rule out the configuration on the ASA?

Regards,

Arul

** Please rate all helpful posts **

kevin.eidel Fri, 01/25/2008 - 09:41

I did a ping -t to a host on my LAN that I know is up (pinged from ASA) for 30 seconds and this is what my stats look like:

Encrypted 13
Decrypted 0
Discarded 3
Bypassed 820

Correct Answer
ajagadee Fri, 01/25/2008 - 09:45

Kevin,

This confirms that there is nothing wrong with the configuration on the ASA. Are you using IPSEC over UDP? Can you make sure that NAT-T is enabled:

crypto isakmp nat-traversal

Also, can you provide some information on how the Client is getting connected to the internet? Is there a firewall that is blocking any traffic?

Regards,

Arul

** Please rate all helpful posts **
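As an added example (not code from this thread or from Cisco), the following Python script encodes the diagnostic reasoning used in the last few replies: it parses the ASA's per-SA packet counters and the VPN Client's statistics, then reports which leg of the tunnel is dropping traffic. The sample outputs are constructed to mirror the values posted above.

```python
import re

# Constructed sample outputs, modelled on the thread's "sho cry ipsec sa" and
# VPN Client statistics; not captured from a live device.
ASA_IPSEC_SA = """\
#pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
#pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
"""
CLIENT_STATS = """\
Encrypted 13
Decrypted 0
Discarded 3
Bypassed 820
"""


def parse_asa_counters(text):
    """Pull the per-SA encaps/decaps packet counters out of ASA output."""
    found = {}
    for key in ("encaps", "decaps"):
        m = re.search(r"#pkts %s:\s*(\d+)" % key, text)
        found[key] = int(m.group(1)) if m else 0
    return found


def parse_client_stats(text):
    """Pull Encrypted/Decrypted/Discarded/Bypassed counts from the client statistics tab."""
    pat = re.compile(r"^(Encrypted|Decrypted|Discarded|Bypassed)\s+(\d+)", re.M)
    return {m.group(1).lower(): int(m.group(2)) for m in pat.finditer(text)}


def diagnose(asa, client):
    """Localise where a remote-access IPsec tunnel is breaking, from both ends' counters.

    Same reasoning as the thread: decaps on the ASA proves client->ASA works,
    encaps proves the ASA is answering; if the client still decrypts nothing,
    the ASA config is fine and the return ESP path is being dropped in transit,
    which is the case NAT-T (ESP in UDP/4500) exists to handle.
    """
    if client.get("encrypted", 0) == 0:
        return "client sends nothing: check client routing and the split-tunnel list"
    if asa.get("decaps", 0) == 0:
        return "ASA receives nothing: inbound IPsec blocked before the ASA"
    if asa.get("encaps", 0) == 0:
        return "ASA decrypts but never replies: check nat 0 exemption and inside routing"
    if client.get("decrypted", 0) == 0:
        return ("ASA replies but client decrypts nothing: return path dropped in transit; "
                "enable crypto isakmp nat-traversal and check the client-side firewall")
    return "bidirectional traffic flowing"
```

Run diagnose(parse_asa_counters(ASA_IPSEC_SA), parse_client_stats(CLIENT_STATS)) against the thread's numbers and it lands on the return-path case, which is the conclusion reached in the accepted answer.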
