6586 Views | 4 Helpful | 6 Replies

Remote access VPN routing

David Lin
Level 1

Hi,

I am having a problem with VPN routing.

The VPN client connects to the ASA5510 properly but can't access the inside network of the ASA or the Internet. What I want to reach is:

PC@Internet -> ASA5520(Public IP's) -> Inside(172.16.1.0)

The VPN address pool is using 172.168.10.0 (I also tried 172.16.1.100-120, the same network as inside).

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address a.a.a.a 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 172.16.1.1 255.255.255.0
!
ip local pool vpnpool 192.168.10.1-192.168.10.254 mask 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.1.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
group-policy VPNstaff internal
group-policy VPNstaff attributes
 dns-server value 4.2.2.2
 vpn-tunnel-protocol IPSec
tunnel-group VPNstaff type remote-access
tunnel-group VPNstaff general-attributes
 address-pool vpnpool
 default-group-policy VPNstaff
tunnel-group VPNstaff ipsec-attributes
 pre-shared-key *


6 Replies

hdashnau
Cisco Employee

Your VPN pool in this config is 192.168.10.1-192.168.10.254 mask 255.255.255.0

-Make sure your internal routers (behind the ASA) route the traffic for 192.168.10.x/24 back towards the ASA.

-Do "show run access-group" on the ASA and make sure you aren't blocking the traffic in an access-list

To reach the Internet while connected you need to configure split tunneling or outside nat...

Split:

access-list split permit ip 172.16.1.0 255.255.255.0 192.168.10.0 255.255.255.0
group-policy VPNstaff attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network split

*Also consider enabling an internal DNS server and split-dns

 dns-server value x.x.x.x
 split-dns value internaldomain.com

(and confirm if you have trouble reaching by IP and hostname)

or

Outside nat:

nat (outside) 1 192.168.10.0 255.255.255.0
same-security-traffic permit intra-interface

-heather

ciscoasa# sh run access-group

access-group Outside in interface outside

access-group Inside in interface inside

I even added permit ip any any in my earlier test.

When I show the route on the VPN client PC, the gateway is 192.168.10.2 if I use 192.168.10.0/24 as the VPN pool.

When I used IPs from 172.16.1.0, the gateway IP was the inside interface of the ASA, but I couldn't reach any other hosts.

I don't have any other route behind this ASA now. All the hosts I want to reach from the VPN client are connected to the inside network. Do I need to add a route for 192.168.10.0/24, or can I use the spare IPs from the inside network?

Thank you.

Hi ,

As a quick test, try this.

-Turn ON nat-t (if it's disabled)

Command: crypto isakmp nat-traversal 20

See if it helps.

If not,

-Run a continuous ping from the client to the ASA inside interface. Make sure you execute the command "management-access inside" before you start with the ping.

-Time out or ICMP reply from the inside interface?

If time out, then,

-Check the number of decrypts using the command "show crypto ipsec sa"

If an ICMP reply from the inside interface is received by the VPN client:

-Run a ping to an internal host behind the ASA.

-"show crypto ipsec sa"

If you received replies in the first test, then here you should see the decrypts growing in number.

-Apply captures on the inside interface

You can refer to the document below

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080a9edd6.shtml

-If you see packets with the VPN client address as source reaching the inside interface for the destination of a host behind the ASA, then it's an issue with your internal routing.

In case you have an L3 device connected to the ASA inside interface, make sure you have a route for the 192.168.1.x subnet pointing to the GW as the ASA inside interface, i.e. 172.16.1.1

If it's L2 or a dumb device, then as a quick test, put the following route statement using the Windows command line on the host behind the ASA taking part in this test.

route add 192.168.1.0 mask 255.255.255.0 172.16.1.1

Please do let me know if this helps.

Regards

M

Mohit Paul, CCIE-Security 35496
P.S. Please do rate this post if you find it helpful, to make it easier for others seeking answers to similar queries.

It works. Thanks a lot.

Another question I don't understand is how the ASA creates the routing for VPN clients.

When I show the route on the ASA, I only get

S 192.168.10.1 255.255.255.255 [1/0] via x.x.x.x, outside

Glad I could help...

To be honest with you, I may not be able to give you the right answer on this. The answer resides more in the coding of IOS on Cisco devices.

All I can say is that, by design, the ASA learns a static route for the dynamic VPN connection when it is established.

Hope this answers your question.

Regards

M

Mohit Paul, CCIE-Security 35496
P.S. Please do rate this post if you find it helpful, to make it easier for others seeking answers to similar queries.

Thanks, Mohit.

I will try to learn it from IOS.
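The thread leaves three pieces of the puzzle spread across replies: the nat 0 exemption and pool choice in the original config, the split-tunnel versus outside-NAT options in the Cisco Employee's reply, the internal return route in the accepted answer, and finally the per-client /32 route the ASA shows once a client is connected. The script below is an added example written for this page; it is not Cisco code and not anything posted in the thread. It parses an abridged copy of the posted config (with the TEST-NET-3 address 203.0.113.2 standing in for a.a.a.a, and the split-tunnel network-list command written in its full `split-tunnel-network-list value` form, both assumptions of this example), flags the usual reasons a connected client can reach nothing, models the `S 192.168.10.1 255.255.255.255 ... outside` route the ASA installs per client, and checks whether a host behind the ASA would actually hand pool-bound replies back to 172.16.1.1. All sample configs and host routing tables are constructed for the example.

```python
"""ASA remote-access VPN sanity checks: an added example for this thread, not
Cisco's code. It parses the pre-8.3 NAT syntax of the posted config, flags the
usual reasons a connected client can reach nothing, and models the per-client
/32 route the ASA installs plus an internal host's return route."""
import ipaddress
import re

def net(addr, mask):
    """Network from ASA 'address netmask' notation."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_asa(text):
    """Pull the VPN-relevant commands out of a running-config."""
    cfg = {"interfaces": {}, "pools": {}, "acls": {}, "nat0": {}, "nat_outside": [],
           "intra_interface": False, "split_policy": None, "split_acl": None}
    nameif = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"nameif (\S+)$", line):
            nameif = m[1]
        elif (m := re.match(r"ip address (\S+) (\S+)$", line)) and nameif:
            cfg["interfaces"][nameif] = (ipaddress.ip_address(m[1]), net(m[1], m[2]))
        elif m := re.match(r"ip local pool (\S+) (\S+)-(\S+) mask (\S+)$", line):
            cfg["pools"][m[1]] = net(m[2], m[4])
        elif m := re.match(r"access-list (\S+) (?:extended )?permit ip (\S+) (\S+) (\S+) (\S+)$", line):
            cfg["acls"].setdefault(m[1], []).append((net(m[2], m[3]), net(m[4], m[5])))
        elif m := re.match(r"nat \((\S+)\) 0 access-list (\S+)$", line):
            cfg["nat0"][m[1]] = m[2]
        elif m := re.match(r"nat \(outside\) \d+ (\S+) (\S+)$", line):
            cfg["nat_outside"].append(net(m[1], m[2]))
        elif line == "same-security-traffic permit intra-interface":
            cfg["intra_interface"] = True
        elif m := re.match(r"split-tunnel-policy (\S+)$", line):
            cfg["split_policy"] = m[1]
        elif m := re.match(r"split-tunnel-network-list value (\S+)$", line):
            cfg["split_acl"] = m[1]
    return cfg

def check_vpn_config(cfg):
    """List of findings; an empty list means the VPN pieces agree with each other."""
    findings = []
    _, inside_net = cfg["interfaces"]["inside"]
    nat0 = cfg["acls"].get(cfg["nat0"].get("inside"), [])
    split = cfg["acls"].get(cfg["split_acl"], [])
    for name, pool in cfg["pools"].items():
        # A pool carved from an interface subnet relies on proxy ARP; use a dedicated subnet.
        for ifname, (_, ifnet) in cfg["interfaces"].items():
            if pool.overlaps(ifnet):
                findings.append(f"pool {name} {pool} overlaps the {ifname} subnet {ifnet}")
        # Without the exemption, inside->client replies fall into 'nat (inside) 1'.
        if not any(inside_net.subnet_of(s) and pool.subnet_of(d) for s, d in nat0):
            findings.append(f"no nat 0 exemption for {inside_net} -> {pool}")
        # Internet for clients needs a split tunnel or hairpin (outside NAT + intra-interface).
        split_ok = cfg["split_policy"] == "tunnelspecified" and any(
            inside_net.subnet_of(s) or inside_net.subnet_of(d) for s, d in split)
        hairpin_ok = cfg["intra_interface"] and any(pool.subnet_of(n) for n in cfg["nat_outside"])
        if not (split_ok or hairpin_ok):
            findings.append(f"pool {name}: no split tunnel or hairpin NAT, clients lose Internet")
    return findings

def lookup(routes, dst):
    """Longest-prefix match over (network, next_hop, interface) tuples."""
    dst = ipaddress.ip_address(dst)
    return max((r for r in routes if dst in r[0]), key=lambda r: r[0].prefixlen, default=None)

def asa_routes_after_connect(cfg, client_ip, peer_ip):
    """Connected routes plus the /32 the ASA adds per client ('S x.x.x.x 255.255.255.255 ... outside')."""
    routes = [(ifnet, None, ifname) for ifname, (_, ifnet) in cfg["interfaces"].items()]
    routes.append((ipaddress.ip_network(f"{client_ip}/32"), ipaddress.ip_address(peer_ip), "outside"))
    return routes

def internal_host_route_check(host_routes, pool, asa_inside_ip):
    """None if a host behind the ASA hands pool-bound packets to the ASA, else the reason."""
    hit = lookup(host_routes, pool[1])  # probe with the first client address in the pool
    via = hit[1] if hit else None
    if via != ipaddress.ip_address(asa_inside_ip):
        return f"host forwards {pool[1]} via {via}, expected {asa_inside_ip}"
    return None

# Constructed sample: the posted config (abridged), TEST-NET-3 standing in for a.a.a.a.
POSTED_CONFIG = """
 nameif outside
 ip address 203.0.113.2 255.255.255.0
 nameif inside
 ip address 172.16.1.1 255.255.255.0
ip local pool vpnpool 192.168.10.1-192.168.10.254 mask 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.1.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
"""
# The split-tunnel fix from the reply, with the network-list command in its full form.
SPLIT_FIX = """
access-list split permit ip 172.16.1.0 255.255.255.0 192.168.10.0 255.255.255.0
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split
"""
# Constructed host tables: gateway is the ASA, or another router plus a route typed for 192.168.1.0/24.
GOOD_HOST = [(net("0.0.0.0", "0.0.0.0"), ipaddress.ip_address("172.16.1.1"), "eth0")]
BAD_HOST = [(net("0.0.0.0", "0.0.0.0"), ipaddress.ip_address("172.16.1.254"), "eth0"),
            (net("192.168.1.0", "255.255.255.0"), ipaddress.ip_address("172.16.1.1"), "eth0")]
```

Run `check_vpn_config(parse_asa(POSTED_CONFIG))` to see the one finding the posted config produces (no Internet path for clients); append `SPLIT_FIX`, or the outside-NAT plus `same-security-traffic permit intra-interface` pair, and it comes back empty. Swapping the pool for `172.16.1.100-172.16.1.120 mask 255.255.255.0` reproduces the overlap finding for the second attempt described in the question, and `internal_host_route_check(BAD_HOST, ...)` shows why a static route typed for 192.168.1.0/24 does nothing for a 192.168.10.0/24 pool: the longest-prefix lookup still falls through to the host's default gateway.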
