11-13-2009 01:05 PM - edited 02-21-2020 04:23 PM
Hi,
I am having a problem with VPN routing.
The VPN client connects to the ASA5510 properly but cannot access either the inside network of the ASA or the Internet. What I want to achieve is:
PC@Internet -> ASA5520 (public IPs) -> Inside (172.16.1.0)
The VPN address pool is 172.168.10.0 (I also tried 172.16.1.100-120, from the same network as inside).
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address a.a.a.a 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 172.16.1.1 255.255.255.0
ip local pool vpnpool 192.168.10.1-192.168.10.254 mask 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.1.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
group-policy VPNstaff internal
group-policy VPNstaff attributes
dns-server value 4.2.2.2
vpn-tunnel-protocol IPSec
tunnel-group VPNstaff type remote-access
tunnel-group VPNstaff general-attributes
address-pool vpnpool
default-group-policy VPNstaff
tunnel-group VPNstaff ipsec-attributes
pre-shared-key *
11-14-2009 08:28 PM
Hi,
As a quick test, try this.
- Turn on NAT-T (if it is disabled).
Command: crypto isakmp nat-traversal 20
See if it helps.
If not,
- Run a continuous ping from the client to the ASA inside interface. Make sure you execute the command "management-access inside" before you start the ping.
- Time out, or ICMP reply from the inside interface?
If time out, then:
- Check the number of decrypts using the command "show crypto ipsec sa".
If the ICMP reply from the inside interface is received by the VPN client:
- Run a ping to an internal host behind the ASA.
- "show crypto ipsec sa"
If you received replies in the first test, then here you should see the decrypts growing in number.
- Apply captures on the inside interface.
You can refer to the document below:
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080a9edd6.shtml
- If you see packets with the VPN client as source reaching the inside interface, destined for the host behind the ASA, then it is an issue with your internal routing.
In case you have an L3 device connected to the ASA inside interface, make sure you have a route for the 192.168.1.x subnet pointing to the ASA inside interface, i.e. 172.16.1.1, as the gateway.
If it is L2 or a dumb device, then as a quick test, put the following route statement in at the Windows command line on the host behind the ASA taking part in this test:
route add 192.168.1.0 mask 255.255.255.0 172.16.1.1
Please let me know if this helps.
Regards
M
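The troubleshooting sequence in the reply above, written out as an ASA CLI session. This is an added example and not part of the thread; the inside subnet 172.16.1.0/24, pool 192.168.10.0/24 and inside address 172.16.1.1 come from the original post, while the client address 192.168.10.1 and the internal host 172.16.1.50 are assumed for illustration. The syntax is the pre-8.3 style used by the posted configuration.

```cisco
! Added example, not from the thread. Assumed: client gets 192.168.10.1,
! test host on the LAN is 172.16.1.50.

! Step 1: let traffic that arrives through the VPN reach the inside
! interface itself, so the client can ping 172.16.1.1 as a first hop test.
ciscoasa(config)# management-access inside

! Step 2: NAT traversal. Without it, ESP from a client behind a home router
! is often dropped; with it the ASA falls back to UDP/4500 encapsulation.
ciscoasa(config)# crypto isakmp nat-traversal 20

! Step 3: confirm phase 1 and phase 2 exist for this client at all.
ciscoasa# show crypto isakmp sa
ciscoasa# show vpn-sessiondb remote

! Step 4: while the client runs "ping -t 172.16.1.1", take two snapshots of
! the SA counters a few seconds apart.
!   #pkts decaps rising  -> client packets arrive and are decrypted
!   #pkts encaps rising  -> the ASA is sending replies back into the tunnel
!   decaps flat           -> the problem is on the outside (NAT-T, ISAKMP)
!   decaps rising, encaps flat -> packets are dropped or mis-routed inside
ciscoasa# show crypto ipsec sa | include pkts
ciscoasa# show crypto ipsec sa | include pkts

! Step 5: client now pings 172.16.1.50. Capture both directions on inside.
ciscoasa(config)# access-list cap-vpn extended permit ip 192.168.10.0 255.255.255.0 172.16.1.0 255.255.255.0
ciscoasa(config)# access-list cap-vpn extended permit ip 172.16.1.0 255.255.255.0 192.168.10.0 255.255.255.0
ciscoasa(config)# capture vpnin interface inside access-list cap-vpn
ciscoasa# show capture vpnin
! Only 192.168.10.1 -> 172.16.1.50 frames, no replies: the host (or a router
! in between) has no route back to 192.168.10.0/24, so fix routing there.
! Replies present but the client still sees time-outs: check the inside ACL
! and the NAT exemption (nat (inside) 0 access-list inside_nat0_outbound).

! Step 6: clean up the capture when done.
ciscoasa(config)# no capture vpnin
ciscoasa(config)# clear configure access-list cap-vpn
```

Reading the two counter snapshots against the capture is what localises the fault: the SA counters say whether the tunnel itself carries traffic, and the inside capture says whether the LAN answers it.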
11-13-2009 01:46 PM
Your VPN pool in this config is 192.168.10.1-192.168.10.254 mask 255.255.255.0
-Make sure your internal routers (behind the ASA) route the traffic for 192.168.10.x/24 back towards the ASA.
-Do "show run access-group" on the ASA and make sure you aren't blocking the traffic in an access-list
To reach the Internet while connected you need to configure split tunneling or outside nat...
Split:
access-list split permit ip 172.16.1.0 255.255.255.0 192.168.10.0 255.255.255.0
group-policy VPNstaff attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split
*Also consider enabling an internal dns server and split-dns
dns-server value x.x.x.x
split-dns value internaldomain.com
(and confirm if you have trouble reaching by ip and hostname)
or
Outside nat:
nat (outside) 1 192.168.10.0 255.255.255.0
same-security-traffic permit intra-interface
-heather
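The two alternatives in the reply above (split tunnelling, or full tunnel with Internet access through the ASA) as a complete VPN section of the original configuration. This is an added example and not the thread's own configuration; the inside subnet 172.16.1.0/24, the pool 192.168.10.0/24 and the VPNstaff policy names are the original poster's, while the internal DNS server 172.16.1.10 and the domain corp.example are assumed. Pre-8.3 NAT syntax is used, matching the posted config.

```cisco
! Added example, not from the thread. Assumed: internal DNS 172.16.1.10,
! internal domain corp.example. Pick option 1 OR option 2, not both.

! NAT exemption: inside -> pool traffic must never be translated, otherwise
! replies to the VPN client leave with the wrong source and the tunnel
! never sees them.
access-list inside_nat0_outbound extended permit ip 172.16.1.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound

! ----- Option 1: split tunnel. Only 172.16.1.0/24 enters the tunnel; the
! client's Internet traffic stays on its local connection. A standard ACL is
! the form the ASA expects for a split-tunnel list.
access-list split standard permit 172.16.1.0 255.255.255.0
group-policy VPNstaff attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split
 dns-server value 172.16.1.10
 split-dns value corp.example

! ----- Option 2: full tunnel, Internet via the ASA. Decrypted client traffic
! has to leave through the same outside interface it came in on (hairpin),
! and the pool needs a PAT rule to a public address.
same-security-traffic permit intra-interface
nat (outside) 1 192.168.10.0 255.255.255.0
global (outside) 1 interface
group-policy VPNstaff attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelall
 dns-server value 172.16.1.10

! ----- Applies to either option.
! NAT-T so clients behind home routers can bring the tunnel up.
crypto isakmp nat-traversal 20
! The posted dynamic map offers DES and MD5 transforms and 768-bit DH for
! PFS; restrict it to AES with SHA-1 and DH group 2, which the same ASA
! release already supports.
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group2
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-256-SHA ESP-AES-128-SHA
```

With option 1 the client still resolves internal names through 172.16.1.10 only for corp.example, so check both "ping 172.16.1.50" and "ping host.corp.example" when testing; with option 2 every packet from the client transits the ASA, so the inside capture and the outside PAT translations ("show xlate") both show the client traffic.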
11-13-2009 08:56 PM
ciscoasa# sh run access-group
access-group Outside in interface outside
access-group Inside in interface inside
I even added permit ip any any in my earlier test.
When I show the route on the VPN client PC, the gateway is 192.168.10.2 if I use 192.168.10.0/24 as the VPN pool.
When I used IPs from 172.16.1.0, the gateway IP was the inside interface of the ASA, but I couldn't reach any other hosts.
I don't have any other route behind this ASA now. All the hosts I want to reach from the VPN client are connected to the inside network. Do I need to add a route for 192.168.10.0/24? Or can I use the spare IPs from the inside network?
Thank you.
11-16-2009 09:20 AM
It works. Thanks a lot.
Another question I don't understand is how the ASA creates the routing for VPN clients.
When I show the route on the ASA, I only get
S 192.168.10.1 255.255.255.255 [1/0] via x.x.x.x, outside
11-16-2009 10:47 AM
Glad I could help...
To be honest with you, I may not be able to give you the right answer on this. The answer resides more in the coding of the IOS on Cisco devices.
All I can say is that by design the ASA learns a static route for the dynamic VPN connection when it is established.
Hope this answers your question.
Regards
M
11-16-2009 11:53 AM
Thanks, Mohit.
I will try to learn it from IOS.