VPN IPSEC 501

Answered Question
Jun 18th, 2009

I'm trying to configure a backup connection with a 501 that will have a VPN connection. I am able to connect to the tunnel using the client. But once I'm connected I can't ping or connect to anything in the network. This is the config from the 501.


501

access-list NONAT permit ip 192.168.200.0 255.255.255.0 10.25.0.0 255.255.0.0

ip address outside World 255.255.255.248

ip address inside 10.74.253.0 255.255.255.252

ip local pool TECH_VPN_POOL 192.168.200.10-192.168.200.254

global (outside) 1 interface

nat (inside) 0 access-list NONAT

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

route outside 0.0.0.0 0.0.0.0 World 1

route inside 10.25.0.0 255.255.0.0 10.25.200.2 1

route inside 192.168.25.0 255.255.255.0 192.168.25.1 1

route inside 192.168.200.0 255.255.255.0 192.168.200.1 1



4500 switch

Gateway of last resort is 10.25.21.1 to network 0.0.0.0


C 192.168.200.0/24 is directly connected, Vlan61

C 10.25.0.0/16 is directly connected, Vlan10

C 192.168.25.0/24 is directly connected, Vlan1

S* 0.0.0.0/0 [1/0] via 10.25.21.1

C 10.65.253.0/30 is directly connected, FastEthernet5/48


Interface IP-Address OK? Method Status Protocol

Vlan1 192.168.34.7 YES NVRAM up up

Vlan10 10.34.200.2 YES NVRAM up up

Vlan666 192.168.200.1 YES manual up up


Patrick0711 Thu, 06/18/2009 - 16:00

Please post the crypto and vpngroup portion of the configs.



jmaurer1205 Thu, 06/18/2009 - 18:12

sysopt connection permit-ipsec

sysopt connection permit-l2tp

crypto ipsec transform-set TECH_TRANSFORM esp-des esp-md5-hmac

crypto ipsec transform-set TECH_TRANSFORM2 esp-3des esp-md5-hmac

crypto dynamic-map DYN-TECH 90 set transform-set TECH_TRANSFORM

crypto dynamic-map DYN-TECH2 92 set transform-set TECH_TRANSFORM2

crypto map TECH-MAP 90 ipsec-isakmp dynamic DYN-TECH

crypto map TECH-MAP2 92 ipsec-isakmp dynamic DYN-TECH2

crypto map TECH-MAP2 interface outside

isakmp enable outside

isakmp keepalive 30 10

isakmp policy 15 authentication pre-share

isakmp policy 15 encryption des

isakmp policy 15 hash md5

isakmp policy 15 group 2

isakmp policy 15 lifetime 86400

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption 3des

isakmp policy 20 hash md5

isakmp policy 20 group 2

isakmp policy 20 lifetime 86400

vpngroup user1 address-pool TECH_VPN_POOL

vpngroup user1 dns-server 10.25.35.50 10.25.35.60

vpngroup user1 default-domain test.tld

vpngroup user1 idle-time 1800

vpngroup user1 password *************

ssh 10.25.0.0 255.255.0.0 inside

ssh 192.168.200.0 255.255.255.0 inside

ssh timeout 10
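An added audit example, not code from the thread: it parses the crypto lines posted above, reports which transform set is actually reachable through a crypto map bound to the outside interface, and lists the algorithms that fall below a current baseline. The baseline (single DES, 3DES, MD5 and Diffie-Hellman groups 1 and 2 flagged) is this example's own policy, not something the PIX reports. Note that isakmp policies have no interface binding, so both posted policies are offered to peers even though only TECH-MAP2 is applied to an interface.

```python
# Added example, not from the thread: a small audit of the PIX 6.3 crypto
# configuration posted above. The config text is copied from the post; the
# baseline that decides what counts as weak is this example's own policy.
PIX_CRYPTO_CONFIG = """
crypto ipsec transform-set TECH_TRANSFORM esp-des esp-md5-hmac
crypto ipsec transform-set TECH_TRANSFORM2 esp-3des esp-md5-hmac
crypto dynamic-map DYN-TECH 90 set transform-set TECH_TRANSFORM
crypto dynamic-map DYN-TECH2 92 set transform-set TECH_TRANSFORM2
crypto map TECH-MAP 90 ipsec-isakmp dynamic DYN-TECH
crypto map TECH-MAP2 92 ipsec-isakmp dynamic DYN-TECH2
crypto map TECH-MAP2 interface outside
isakmp enable outside
isakmp policy 15 authentication pre-share
isakmp policy 15 encryption des
isakmp policy 15 hash md5
isakmp policy 15 group 2
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
"""

# This example's baseline: what is flagged and why (keys are PIX keywords).
BELOW_BASELINE = {
    "des": "single DES (56-bit key)",
    "esp-des": "single DES (56-bit key)",
    "3des": "3DES (64-bit block, deprecated)",
    "esp-3des": "3DES (64-bit block, deprecated)",
    "md5": "MD5 integrity",
    "esp-md5-hmac": "HMAC-MD5 integrity",
    "group 1": "768-bit DH group 1",
    "group 2": "1024-bit DH group 2",
}

def parse_pix_crypto(text):
    """Collect transform sets, dynamic maps, crypto maps, interface bindings and isakmp policies."""
    cfg = {"transform_sets": {}, "dynamic_maps": {}, "crypto_maps": {},
           "bound_maps": set(), "isakmp": {}}
    for line in text.strip().splitlines():
        p = line.split()
        if p[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["transform_sets"][p[3]] = p[4:]
        elif p[:2] == ["crypto", "dynamic-map"] and p[4:6] == ["set", "transform-set"]:
            cfg["dynamic_maps"][p[2]] = p[6]
        elif p[:2] == ["crypto", "map"] and p[4:5] == ["ipsec-isakmp"] and "dynamic" in p:
            cfg["crypto_maps"].setdefault(p[2], []).append(p[p.index("dynamic") + 1])
        elif p[:2] == ["crypto", "map"] and p[3:4] == ["interface"]:
            cfg["bound_maps"].add(p[2])
        elif p[:2] == ["isakmp", "policy"]:
            cfg["isakmp"].setdefault(p[2], {})[p[3]] = " ".join(p[4:])
    return cfg

def active_transform_sets(cfg):
    """Transform sets reachable via a crypto map that is applied to an interface."""
    active = set()
    for cmap in cfg["bound_maps"]:
        for dyn in cfg["crypto_maps"].get(cmap, []):
            if dyn in cfg["dynamic_maps"]:
                active.add(cfg["dynamic_maps"][dyn])
    return active

def audit(cfg):
    """Return (object, setting, reason) tuples for every setting below the baseline."""
    findings = []
    active = active_transform_sets(cfg)
    for name, transforms in cfg["transform_sets"].items():
        status = "active" if name in active else "unused: no bound crypto map references it"
        for t in transforms:
            if t in BELOW_BASELINE:
                findings.append((f"transform-set {name} [{status}]", t, BELOW_BASELINE[t]))
    # isakmp policies are global: every policy is offered once isakmp is enabled.
    for num, attrs in sorted(cfg["isakmp"].items(), key=lambda kv: int(kv[0])):
        for attr in ("encryption", "hash", "group"):
            val = attrs.get(attr)
            key = f"group {val}" if attr == "group" else val
            if key in BELOW_BASELINE:
                findings.append((f"isakmp policy {num}", f"{attr} {val}", BELOW_BASELINE[key]))
    return findings

if __name__ == "__main__":
    parsed = parse_pix_crypto(PIX_CRYPTO_CONFIG)
    print("active transform sets:", sorted(active_transform_sets(parsed)))
    for obj, setting, reason in audit(parsed):
        print(f"{obj}: {setting} -> {reason}")
```

Running it shows that TECH_TRANSFORM (single DES) is defined but unreachable, since only TECH-MAP2 is applied to the outside interface, while the DES isakmp policy 15 is still offered in Phase 1.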

JORGE RODRIGUEZ Fri, 06/19/2009 - 07:21

Joshua,


I would start by using a different network in TECH_VPN_POOL for RA clients, to differ from the 192.168.200.0/24 already being routed internally. I have seen it either work or just not work when using a VPN pool network the same as one already used in the LAN; it is sometimes cumbersome to troubleshoot.


Second, after you change the VPN pool net, re-write the nat exempt ACL to reflect your new VPN pool network to access resources on the 10.25.0.0/16 net. Add to the PIX config: isakmp nat-traversal 20


here are some tips for future reference

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#Solution1


let us know how it works out


Regards


jmaurer1205 Fri, 06/19/2009 - 12:38

Ok, I removed the VPN pool and created ip local pool 2POOL 172.29.20.1-172.29.20.10

Then, removed the old nat 0 and made the new one access-list NONAT permit ip 172.29.20.0 255.255.255.0 10.25.0.0 255.255.0.0

access-list NONAT permit ip 172.29.20.0 255.255.255.0 192.168.25.0 255.255.255.0

nat (in) 0 access-list NONAT


I added isakmp nat-traversal 20. I also tried to add the route in 172.29.20.0 255.255.255.0 10.74.253.1, but I can't connect or ping anything on the inside of 10.74.253.1. (10.74.253.1/30 is the IP of the 4507 and 10.74.253.2/30 is the PIX. I mistyped in the 1st question.)


There is no route on the 4507 for the 172.29.20.0/24 network. Shouldn't I have one on there?

jmaurer1205 Fri, 06/19/2009 - 12:58

The 4507R points to another firewall that takes them out to the internet. The firewall I am configuring is for testing and VPN connections. It is not the default gateway for the LAN hosts.

JORGE RODRIGUEZ Fri, 06/19/2009 - 14:05

Invert your nonat acl


from

access-list NONAT permit ip 172.29.20.0 255.255.255.0 10.25.0.0 255.255.0.0


to

access-list NONAT permit ip 10.25.0.0 255.255.0.0 172.29.20.0 255.255.255.0


you don't need a route inside in the ASA for the VPN pool network.


you do not need to route the 172.29.20.0 VPN pool in the 4507 towards the ASA5500 firewall if you have a default route in the 4507 pointing to the ASA5500 firewall; if not, then you will need a static route in the 4507 for the VPN pool network via the ASA inside interface. Could you repost a clear topology?


give it another try.


[edit]


same nonat applies for your other two networks 192.168.25.0/24 and 192.168.200.0/24 if you want RA to access those.


access-list NONAT permit ip 192.168.200.0 255.255.255.0 172.29.20.0 255.255.255.0

access-list NONAT permit ip 192.168.25.0 255.255.255.0 172.29.20.0 255.255.255.0


Regards
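As an added illustration, not code from the thread, the following Python models the direction in which the PIX evaluates the ACL named in nat (inside) 0 access-list NONAT: from the inside interface's point of view, so the source must be the inside network and the destination the VPN pool. It uses the addresses from the thread; the outside interface address is a placeholder for the redacted "World" value, and the mask_warnings check is this example's own addition, which catches address/mask pairs with host bits set such as 192.168.25.0 255.255.0.0.

```python
# Added example, not from the thread: models the direction in which the PIX
# evaluates the ACL referenced by "nat (inside) 0 access-list NONAT".
# The ACL is matched from the inside interface's perspective:
#   source      = host on the inside network
#   destination = remote address (here the RA VPN client from the pool)
# Addresses are the thread's; OUTSIDE_IP is a placeholder for the redacted
# "World" address in the posted config.
import ipaddress

OUTSIDE_IP = "203.0.113.10"  # placeholder (documentation range), not the real address

# The entry as originally posted (VPN pool as source) ...
NONAT_AS_POSTED = [
    "access-list NONAT permit ip 172.29.20.0 255.255.255.0 10.25.0.0 255.255.0.0",
]
# ... and the inverted form Jorge asks for (inside networks as source).
NONAT_INVERTED = [
    "access-list NONAT permit ip 10.25.0.0 255.255.0.0 172.29.20.0 255.255.255.0",
    "access-list NONAT permit ip 192.168.25.0 255.255.255.0 172.29.20.0 255.255.255.0",
    "access-list NONAT permit ip 192.168.200.0 255.255.255.0 172.29.20.0 255.255.255.0",
]

def parse_ace(line):
    """Parse 'access-list NAME permit ip SRC SRCMASK DST DSTMASK' (PIX 6.3 syntax)."""
    p = line.split()
    if len(p) != 8 or p[0] != "access-list" or p[2:4] != ["permit", "ip"]:
        raise ValueError(f"unsupported ACE: {line}")
    src = ipaddress.ip_network(f"{p[4]}/{p[5]}", strict=False)
    dst = ipaddress.ip_network(f"{p[6]}/{p[7]}", strict=False)
    return src, dst

def mask_warnings(acl_lines):
    """Flag address/mask pairs with host bits set (e.g. 192.168.25.0 255.255.0.0):
    such a pair matches the wider 192.168.0.0/16 rather than the /24 intended."""
    warnings = []
    for line in acl_lines:
        p = line.split()
        for addr, mask in ((p[4], p[5]), (p[6], p[7])):
            try:
                ipaddress.ip_network(f"{addr}/{mask}", strict=True)
            except ValueError:
                widened = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
                warnings.append(f"{addr} {mask} has host bits set; it matches {widened}")
    return warnings

def nat_exempt(acl_lines, inside_host, remote_host):
    """True if the inside_host <-> remote_host flow is exempt from translation."""
    inside = ipaddress.ip_address(inside_host)
    remote = ipaddress.ip_address(remote_host)
    return any(inside in src and remote in dst for src, dst in map(parse_ace, acl_lines))

def describe_reply(acl_lines, inside_host, vpn_client):
    """What the inside host's reply to the VPN client looks like leaving the PIX."""
    if nat_exempt(acl_lines, inside_host, vpn_client):
        return f"{inside_host} -> {vpn_client}: exempt, stays untranslated and enters the tunnel"
    return (f"{inside_host} -> {vpn_client}: not exempt, falls through to 'nat (inside) 1' "
            f"and is PAT'ed to {OUTSIDE_IP}, so the client's session never sees a matching reply")

if __name__ == "__main__":
    for label, acl in (("as posted", NONAT_AS_POSTED), ("inverted", NONAT_INVERTED)):
        print(label + ":", describe_reply(acl, "10.25.35.50", "172.29.20.5"))
    slip = ["access-list NONAT permit ip 192.168.25.0 255.255.0.0 172.29.20.0 255.255.255.0"]
    for w in mask_warnings(slip):
        print("warning:", w)
```

The same lookup applies whichever side opens the connection: the PIX still pairs the inside address with the remote address when it consults the nat 0 ACL, which is why an entry written with the pool as source never matches.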


jmaurer1205 Sun, 06/21/2009 - 18:44

Ok, I attached a quick Visio of what things look like.


I have a PIX515 = 10.25.20.1. This is the main firewall for the network.


The 4500, VLAN5= 10.25.200.2 and VLAN1 = 192.168.25.1. The DEFAULT GATEWAY is set for 10.25.20.1, the PIX515. I configured a point to point connection for the secondary firewall with the IP = 10.74.253.1/30


The firewall's inside IP = 10.74.253.2/30

TECH_VPN_POOL = 172.29.20.0/24


501

access-list NONAT permit ip 172.29.20.0 255.255.255.0 10.25.0.0 255.255.0.0

ip address outside World 255.255.255.248

ip address inside 10.74.253.2 255.255.255.252

ip local pool TECH_VPN_POOL 172.29.20.1-172.29.20.254

global (outside) 1 interface

nat (inside) 0 access-list NONAT

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

route outside 0.0.0.0 0.0.0.0 World 1

route inside 10.25.0.0 255.255.0.0 10.25.200.2 1

route inside 192.168.25.0 255.255.255.0 192.168.25.1 1



4500 switch

Gateway of last resort is 10.25.21.1 to network 0.0.0.0


C 10.25.0.0/16 is directly connected, Vlan10

C 192.168.25.0/24 is directly connected, Vlan1

S* 0.0.0.0/0 [1/0] via 10.25.21.1

C 10.74.253.0/30 is directly connected, FastEthernet5/48


Interface IP-Address OK? Method Status Protocol

Vlan1 192.168.25.7 YES NVRAM up up

Vlan10 10.25.200.2 YES NVRAM up up


So what you are saying is my NONAT needs switched like so:

access-list NONAT permit ip 10.25.0.0 255.255.0.0 172.29.20.0 255.255.255.0


access-list NONAT permit ip 192.168.25.0 255.255.0.0 172.29.20.0 255.255.255.0


So for the 4500 I should not need a route to the VPN but, when I configure VLANs for the building with the 6500 I will need to create a route to the VPN firewall using 10.25.200.2 correct?


Dumb question, but why do I need to switch the NONAT around? Is it because when the packet hits the inside interface, the from is the 10.25.0.0/16 network and the to is the TECH_VPN_POOL, and not the other way around?



JORGE RODRIGUEZ Sun, 06/21/2009 - 21:01

Joshua, thanks for posting diagram..


ok you have the 515 as your primary default route device on the 4500 L3 switch; this changes things a bit. You will need to enter a static route for the VPN pool network in the 4500 back to the PIX501. If you were doing some dynamic routing internally you could redistribute that static route pertaining to the VPN pool downstream to the 6500 core switch, but it seems you are doing static routing instead, so you will also need a static route in the 6500 for the VPN pool network via the 4500.


So in your 4500 you will need a route back to PIX501 for VPN network


ip route 172.29.20.0 255.255.255.0 10.74.253.2


So for the 4500 I should not need a route to the VPN but, when I configure VLANs for the building with the 6500 I will need to create a route to the VPN firewall using 10.25.200.2 correct?

on the 6500 for 10.25.200.0/24 to reach VPN pool network in PIX501 you need a route via 4500, again, if you were doing dynamic routing on the 4500 and 6500 only one static would have been required in the 4500 L3 switch.


ip route 172.29.20.0 255.255.255.0 < Via_4500_10.74.253.1>


why do I need to switch the NONAT around? Is it because when the packet hits the inside interface, the from is the 10.25.0.0/16 network and the to is the TECH_VPN_POOL, and not the other way around?

Yes, first try from secondary PIX501 to work your way down to the 4500 networks before touching the 6500 with regards to VPN pool, test connectivity from ra vpn to subnets in your 4500 after you correct nonat exempt access list I asked to invert.


post results


Regards
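An added example, not from the thread, to show the routing point above: a longest-prefix-match model of the 4500's table built from the show ip route lines posted earlier, looked up for a VPN client address before and after the static route ip route 172.29.20.0 255.255.255.0 10.74.253.2 is applied. The device labels follow Jorge's reading of the topology (10.25.21.1 taken as the primary PIX515); the 6500's own next hop toward the 4500 is left out because the thread leaves it as a placeholder.

```python
# Added example, not from the thread: models the 4500's routing table from the
# posted "show ip route" output and shows which next hop a reply to a VPN
# client takes before and after the static route Jorge suggests.
import ipaddress

# Copied from the 4500 output in the thread.
SHOW_IP_ROUTE_4500 = """
Gateway of last resort is 10.25.21.1 to network 0.0.0.0
C 10.25.0.0/16 is directly connected, Vlan10
C 192.168.25.0/24 is directly connected, Vlan1
S* 0.0.0.0/0 [1/0] via 10.25.21.1
C 10.74.253.0/30 is directly connected, FastEthernet5/48
"""

# Example annotations, following the thread's description of the topology.
NEXT_HOP_LABELS = {
    "10.25.21.1": "primary PIX515: the default gateway, which has no SA for the 501's VPN clients",
    "10.74.253.2": "secondary PIX501 inside interface, where the RA VPN terminates",
}

def parse_ios_routes(text):
    """Turn connected (C) and static (S, S*) lines of 'show ip route' into (network, via) pairs."""
    table = []
    for line in text.strip().splitlines():
        p = line.split()
        if not p or p[0] not in ("C", "S", "S*"):
            continue  # header lines such as "Gateway of last resort ..."
        net = ipaddress.ip_network(p[1], strict=False)
        via = p[-1] if p[0] == "C" else p[p.index("via") + 1]
        table.append((net, via))
    return table

def add_static_route(table, cmd):
    """Apply an IOS 'ip route NET MASK NEXTHOP' line and return the updated table."""
    _, _, net, mask, next_hop = cmd.split()
    table.append((ipaddress.ip_network(f"{net}/{mask}"), next_hop))
    return table

def lookup(table, dst):
    """Longest-prefix match; returns the next hop or the connected interface name."""
    d = ipaddress.ip_address(dst)
    matches = [(net, via) for net, via in table if d in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def trace_reply(table, vpn_client):
    """Where the 4500 forwards an inside host's reply destined for the VPN client."""
    via = lookup(table, vpn_client)
    return via, NEXT_HOP_LABELS.get(via, via)

if __name__ == "__main__":
    client = "172.29.20.5"  # an address from TECH_VPN_POOL
    before = parse_ios_routes(SHOW_IP_ROUTE_4500)
    print("before:", trace_reply(before, client))
    after = add_static_route(list(before), "ip route 172.29.20.0 255.255.255.0 10.74.253.2")
    print("after: ", trace_reply(after, client))
```

Before the static route the only match for 172.29.20.5 is the default, so the reply leaves toward the PIX515 and never reaches the tunnel on the 501; after it, the /24 wins the longest-prefix match and the reply goes to 10.74.253.2. The 6500 needs the equivalent entry pointing at the 4500 for the same reason.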

jmaurer1205 Tue, 06/23/2009 - 10:37

Sorry I am on vacation and was not here to test. I stopped in and made the changes and I still can not connect. I have copied all the configs and going to try to setup a test lab at home.


Do I need to setup split tunneling maybe. I have been trying all this out on my MacBookPro could that be stopping me?


I will try from home and see if with my pc it will work.


I am so cornfuzed....

jmaurer1205 Wed, 06/24/2009 - 12:29

I was thinking that maybe it was the vpn software on the Mac that was maybe stopping access but even from my PC at home, I can not talk to anything. I can not SSH or telnet to the 501 or anything else in the network. I am getting the VPN Pool address.


Tonight I am going to try to setup test network at home and see if I can get in.


Just for giggles, even though I am connecting to the PIX, could the ISP be blocking certain traffic? Just a thought.

Correct Answer
JORGE RODRIGUEZ Wed, 06/24/2009 - 15:44

Joshua,


Sorry for late reply, been busy.


Did you configure the static routes I suggested in my last post?


for telnet ssh to the pix while connected through vpn tunnel you will need management-access inside


asa(config)#management-access inside



Just for giggles, even though I am connecting to the PIX, could the ISP be blocking certain traffic?


This is very unlikely


Do I need to setup split tunneling maybe


Don't need to go there.


If you have access to the PIX while VPN connected try confirming the PC RA client is indeed connected.


You can verify in the firewall by issuing the following and save the output.


show crypto isakmp sa


you may also confirm the client is getting an IP from the local pool


show ip local pool


it should show the IP address the RA client was assigned.


from the PIX itself you should be able to ping the RA client IP provided the PC client does not have firewall turned on.


If you get up to above point we can say RA VPN is fine.. now from that point on downstream to reach your networks in the 4500 switch is where you have to do the routing changes I provided you.



The problem I see that you cannot reach the networks in the 4500 switch is because there is no route back to the secondary PIX for RA VPN pool network. Because you have a default route in 4500 switch pointing to the primary PIX the switch has not knowledge of Secondary PIX RA.


Looking at the show ip route of 4500 switch it shows your default route is

S* 0.0.0.0/0 [1/0] via 10.25.21.1 , but your diagram says 10.25.20.1 I assume diagram is a typo.


In any case, try working your way down to reach your subnets in 4500 switch, once you get this fixed then move towards the 6500 switch subnets. Are you doing any dynamic routing internally?



Regards


jmaurer1205 Tue, 07/07/2009 - 05:57

Sorry for not responding sooner.


Last week I was able to get everything working. I tried reconfiguring from scratch so many times I lost count. After not getting anywhere, I reloaded the IOS 6.3.5 again. I copied over my config and everything was working beautifully. I don't know.


Thank you for all your help.
