New on setting up VPN on ASA 551

Answered Question
Jul 24th, 2008

Hi,

I am trying for the first time to setup VPN connections from outside back to the company's network. Using the wizard from the ADSM to configure the VPN access and it looks ok at first. I can login to the ASA without problems but I cannot see any hosts on the network at all! I had created a pool to assign the addresses 10.0.1.240 to 10.0.1.250 to the VPN clients so that they can access devices on the 10.0.1.0 network. Nothing works from this point on. Can anyone suggest what could be wrong? Is there a need to do any NAT in order to ping devices on the same network?

Thanks in advance,

Tan

husycisco Thu, 07/24/2008 - 07:38

Hello Tan,

Please post your sanitized running config. Can the client connect? Does it connect but pass no traffic?

Regards

tanziweigca Thu, 07/24/2008 - 08:01

Hello husycisco,

Thanks for your reply. I remembered that you helped me in the past too and really appreciated your help. Many thanks in advance.

The running config is as attached.

Also,

a. The client can connect using V4.8 of the Cisco VPN client. A password is also prompted for and the login succeeds.

b. The client connects but no traffic at all.

c. Once the client starts to ping, there are a lot of translation errors shown in the logs.

d. You may also want to take note that once the client connects, he is NOT allowed to go internet (that's why I did not enable the split tunneling feature) and can only access devices locally in the VPN.

e. Is it ok that there are no DNS servers located within the VPN client 10.x.x.x network?

Many thanks for your help and hope to hear from you soon.

Tan

Attachment: 
husycisco Thu, 07/24/2008 - 08:26

Tan,

"I remembered that you helped me in the past too and really appreciated your help"

You are welcome :)

Let's follow the best practice line. First of all, your VPN pool is in the same subnet as the ethernet3 interface. Use a different pool:

ip local pool VPN_Pool 172.16.30.241-172.16.30.254 mask 255.255.255.240
tunnel-group Photo general-attributes
 address-pool VPN_Pool
 no address-pool Photo_auto
no ip local pool Photo_auto
access-list Inside_nat0_outbound permit ip 192.168.10.0 255.255.255.0 172.16.30.240 255.255.255.240
crypto isakmp nat-traversal 20

Please post the most recent config if problem still exists.

"e. Is it ok that there are no DNS servers located within the VPN client 10.x.x.x network?"

That's fine, but if you did not assign a DNS server because you were afraid of letting them connect to the internet, don't worry: you can safely assign a DNS server to them, since they won't be able to connect to the internet without an outside NAT configured in the firewall.

Regards

tanziweigca Thu, 07/24/2008 - 19:02

Hello Husycisco,

Thanks for your reply.

The problem still persists: the client is able to connect but cannot ping. The updates have been added to the firewall and the config is attached.

On the firewall syslog, it is showing "No translation group found for icmp src Outside: 172.16.10.100 dst Play 10.0.1.2 (type 8, code0)" when I try to ping when connected on VPN.

As for the client side, no problems connecting at all.

Thanks for your help as always,

Tan

Attachment: 
husycisco Fri, 07/25/2008 - 03:02

Tan,

Your config is not modified as exactly as I mentioned.

While my suggestion advises "networks", your config permits "host 10.0.1.0 to host 172.16.10.100". This is causing translation error. Also 255.240 is not the correct mask for 10.100-10.101.

Please modify your config exactly as I suggested

Regards

tanziweigca Sat, 07/26/2008 - 07:59

Hi Husycisco,

Some updates on the configuration. I have managed to figure out the masks and add in the changes you mentioned, and there are some improvements to the situation. Updated config as attached.

I can now see that when I connect via the VPN, the gateway is now correct and when I ping, I can see "Built..." and "Teardown" messages. However, I think there is still something missing, as I still cannot ping the host 10.0.1.2 which is already on the network. I believe the translations are correct as there are changes, but the ping still does not go through to the host (now the FW is saying 10.0.1.2 has no translation group error). Any suggestions?

Many many many thanks,

Tan

Attachment: 
husycisco Sat, 07/26/2008 - 08:09

Tan,

The first missing line I saw is:

crypto isakmp nat-traversal 20

Also, the default global inspection policy is modified. Did you do that on purpose? Most of the inspections are missing. If it was on purpose, then you should add this one:

policy-map asa_global_fw_policy
 class inspection_default
  inspect icmp

I am going on checking the config, will let you know about other issues if any,

husycisco Sat, 07/26/2008 - 08:24

I still couldn't understand why you still insist on not using the pool I suggested. You use a 254 subnet mask, which may not be supported; this is a relatively new subnetting. If you want to have only 2 IPs, then I will set you a new pool accordingly.

Second, I caught that 10.0.1.0 now resides on the play interface, so we should create the exempt NAT for that specific interface as follows:

ip local pool VPN_Pool 172.16.30.9-172.16.30.10 mask 255.255.255.252
tunnel-group Photo_Automation general-attributes
 address-pool VPN_Pool
 no address-pool Photo_auto_VPN_IP_Pool
no ip local pool Photo_Subt_VPN_IP_Pool 172.16.30.20-172.16.30.21 mask 255.255.255.240
no ip local pool Photo_auto_VPN_IP_Pool 172.16.30.10-172.16.30.11 mask 255.255.255.240
no ip local pool Photo_Om_VPN_IP_Pool 172.16.30.30-172.16.30.31 mask 255.255.255.240
no nat (Inside) 0 access-list Inside_nat0_outbound
no access-list Inside_nat0_outbound extended permit ip 10.0.1.0 255.255.255.0 172.16.30.10 255.255.255.254
access-list play_nat0_outbound extended permit ip 10.0.1.0 255.255.255.0 172.16.30.8 255.255.255.252
nat (play) 0 access-list play_nat0_outbound
clear xlate

Please post the most recent configuration after you do the above modifications and check the connectivity issue again.

Regards
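The three mistakes husycisco diagnoses in this thread (a pool inside an interface subnet, a mask that does not describe the pool range, and a NAT exemption applied on the wrong interface or written for hosts instead of networks) can be checked before the config is pushed. This is an added example, not code from the thread or from Cisco; the interface names and addresses are taken from the thread, and the function, its input shape and the pre-8.3 `nat (interface) 0 access-list` assumption are my own.

```python
import ipaddress

def check_vpn_pool(pool_first, pool_last, pool_mask, interfaces, nat0_rules):
    """Return a list of problems with a pre-8.3 ASA VPN pool ([] = looks sane).

    interfaces: {interface_name: "a.b.c.d/len"} for each subnet clients must reach
    nat0_rules: [(interface_name, local_net, remote_net)] taken from the
                'nat (interface) 0 access-list' entries, e.g.
                ("play", "10.0.1.0/255.255.255.0", "172.16.30.8/255.255.255.252")
    """
    problems = []
    first = ipaddress.ip_address(pool_first)
    last = ipaddress.ip_address(pool_last)
    prefix = ipaddress.ip_network(f"0.0.0.0/{pool_mask}").prefixlen
    # 1. The mask must describe one subnet that holds the whole range; a /31
    #    (255.255.255.254) is the mask the thread found unsupported.
    if prefix > 30:
        problems.append(f"mask {pool_mask} (/{prefix}) is not a usable pool mask")
    pool_net = ipaddress.ip_network(f"{first}/{prefix}", strict=False)
    if last not in pool_net:
        problems.append(f"range {first}-{last} does not fit in {pool_net}")
    # 2. The pool must not sit inside any interface subnet (Tan's first pool,
    #    10.0.1.240-250, was inside the 10.0.1.0/24 interface subnet).
    for name, cidr in interfaces.items():
        net = ipaddress.ip_network(cidr)
        if first in net or last in net:
            problems.append(f"pool overlaps interface {name} ({net})")
    # 3. Each reachable subnet needs a NAT exemption applied on *its own*
    #    interface, written as networks that cover the subnet and the pool.
    for name, cidr in interfaces.items():
        net = ipaddress.ip_network(cidr)
        exempt = any(
            iface == name
            and net.subnet_of(ipaddress.ip_network(local))
            and pool_net.subnet_of(ipaddress.ip_network(remote))
            for iface, local, remote in nat0_rules
        )
        if not exempt:
            problems.append(f"no NAT exemption on {name} for {net} <-> {pool_net}")
    return problems

if __name__ == "__main__":
    # Constructed input mirroring the thread: Tan's first attempt, then the
    # pool and exemption husycisco ended up suggesting.
    print(check_vpn_pool("10.0.1.240", "10.0.1.250", "255.255.255.0",
                         {"ethernet3": "10.0.1.0/24"}, []))
    print(check_vpn_pool("172.16.30.9", "172.16.30.10", "255.255.255.252",
                         {"play": "10.0.1.0/24"},
                         [("play", "10.0.1.0/255.255.255.0", "172.16.30.8/255.255.255.252")]))
```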

tanziweigca Mon, 07/28/2008 - 03:07

Hello Husycisco,

Thanks for the help.

By going through and adding your configurations, it works. I can now ping to a host 10.0.1.119 and it looks like it is working.

I believe I can just follow the same exact configurations to create VPN profiles for 10.0.2.0 and 10.0.3.0, such that there are 3 different profiles for three different networks? The idea is that we can have some form of restriction, in that when a user VPNs to network 10.0.1.0, he cannot ping or even see hosts on the other two.

Thanks a lot once again,

Tan

Correct Answer
husycisco Mon, 07/28/2008 - 03:38

Tan,

"By going through and adding your configurations, it works. I can now ping to a host 10.0.1.119 and it looks like it is working"

That's great.

"By going through and adding your configurations, it works. I can now ping to a host 10.0.1.119 and it looks like it is working"

Sure you can. Just keep in mind that you should use different VPN pools for different profiles in order to specify exempt NATs per VPN pool, which will accomplish the goal of "form of restrictions in that when user VPN to network 10.0.1.0, he cannot ping or even see hosts on the other two".

Another method for accomplishing what you want is Downloadable ACLs using a RADIUS server, which is a little more complicated.

tanziweigca Sat, 08/16/2008 - 21:27

Hi Husycisco,

Thanks for all your help. After running it for 3 weeks without any problems, the VPN is now working properly. Once again, many thanks for your help.

Regards,

Tan

Chris Allen Thu, 02/18/2010 - 08:41

This was a very good thread. I have been having the same issues with setting up VPN on our ASA. I have a question regarding the IP pools for VPN users. Should you assign the pool to a specific interface? Say for instance I have a DMZ interface that is assigned an IP address of 192.168.1.0/24. What issues would arise if I were to assign a VPN IP pool of 192.168.2.0/24 to the DMZ interface? Does that affect in any way the hosts that are on the 192.168.1.0/24 subnet? I hope this makes sense.

Thanks for the great info and thanks in advance for your reply.
