VPN through ASA5510

Answered Question
Dec 1st, 2009

Hello,

I have a problem that I am having trouble understanding and finding a solution for.

I have been using an ASA5510 for 2 months now, sitting between an internet connection and a network of multiple VLANs corresponding to multiple companies sharing the same internet connection.

One of these companies has a problem with its VPN connection. For a couple of weeks it worked, and then no more. When I plug them directly into the internet, their VPN works, but when I put the firewall in, no connection.

They are using a Windows client and it is normally a PPTP (GRE) connection.

In my configuration, which you can see below, I am using the command "inspect pptp" and have also tried the command "inspect ipsec-pass-thru".

But still, no connection to their remote server.

Does anyone have an idea?

Here is the config file:

************************

ASA Version 8.0(5)
!
hostname xxxxxx
domain-name xxxxxx
enable password xxxxxxxxxx encrypted
passwd xxxxxxxxxxx encrypted
names
dns-guard
!
interface Ethernet0/0
nameif Internet
security-level 0
ip address 1.2.3.4 255.255.255.xxx
!
interface Ethernet0/1
no nameif
no security-level
no ip address
!
interface Ethernet0/1.1
vlan 1
nameif VLAN_Admin
security-level 10
ip address 10.xxx.xx3.1 255.255.255.128
!
interface Ethernet0/1.10
vlan 10
nameif VLAN_Visitor
security-level 30
ip address 10.xxx.xx2.129 255.255.255.128
!
.....
!
interface Ethernet0/1.39
vlan 39
nameif VLAN_YYY
security-level 20
ip address 10.xxx.xx7.65 255.255.255.192
!
.....
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 10.xxx.xx4.241 255.255.255.240
!
boot system disk0:/asa805-k8.bin
ftp mode passive
clock timezone EEST 2
clock summer-time EEDT recurring last Sun Mar 3:00 last Sun Oct 4:00
dns server-group DefaultDNS
domain-name ol3.fi
same-security-traffic permit inter-interface
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object icmp
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_4
protocol-object ip
protocol-object icmp
protocol-object udp
protocol-object tcp
pager lines 24
logging enable
logging asdm informational
mtu Internet 1500
mtu VLAN_Admin 1500
mtu VLAN_Visitor 1500
...
mtu VLAN_YYY 1500
...
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit 10.xxx.xx3.0 255.255.255.128 VLAN_Admin
asdm image disk0:/asdm-623.bin
asdm history enable
arp timeout 14400
nat-control
global (Internet) 101 interface
nat (VLAN_Admin) 101 0.0.0.0 0.0.0.0
nat (VLAN_Visitor) 101 0.0.0.0 0.0.0.0
....
nat (VLAN_YYY) 101 0.0.0.0 0.0.0.0
....
nat (management) 101 0.0.0.0 0.0.0.0
access-group Internet_access_in_1 in interface Internet
route Internet 0.0.0.0 0.0.0.0 1.2.3.4 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto isakmp ipsec-over-tcp port 10000
telnet timeout 5
ssh 10.xxxxxxxxxxxxxxxx management
ssh timeout 5
console timeout 0
dhcpd address 10.x.xxx3.130-10.xxx.xx3.254 VLAN_Visitor
dhcpd dns 212.86.0.5 212.86.0.6 interface VLAN_Visitor
dhcpd enable VLAN_Visitor
!
.......
!
dhcpd address 10.xxx.xx5.66-10.xxx.xx5.126 VLAN_YYY
dhcpd dns 2xx.xxx.xxx.xx5 2xx.xxx.xxx.xx6 interface VLAN_YYY
dhcpd enable VLAN_YYY
!
.........
!
dhcpd address 10.xxx.x4.242-10.xxx.x4.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
!
class-map inspection_default
match default-inspection-traffic
class-map P2P
match port tcp eq www
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect pptp
  inspect ipsec-pass-thru
  inspect icmp
  inspect icmp error
policy-map type inspect http P2P_HTTP
parameters
match request uri regex _default_gator
  drop-connection log
match request uri regex _default_x-kazaa-network
  drop-connection log
policy-map IM_P2P
class P2P
  inspect http P2P_HTTP
!
service-policy global_policy global
service-policy IM_P2P interface VLAN_Visitor
prompt hostname context


*****************************************

Thanks in advance.


JB


You have the config:

access-group Internet_access_in_1 in interface Internet

However, there is no ACL of this name in the posted config?

Even though you are allowing the PPTP to bypass the firewall inspection, it's generally a good idea to allow the specific protocols and TCP/UDP ports through your perimeter ACL.

Also, there is no NAT statement. How are the remote users connecting to the server? What is the IP address?

HTH

billetj09 Wed, 12/02/2009 - 23:34

Hi,

Thanks for the answer.

So, what I did earlier yesterday was add some rules to open the traffic for that VLAN. I may have forgotten to mention it, but my problem is around VLAN YYY.

********************

object-group protocol DM_INLINE_PROTOCOL_2
  protocol-object ip
  protocol-object icmp
  protocol-object udp
  protocol-object tcp
  protocol-object gre

access-list VLAN_YYY_access_in extended permit object-group DM_INLINE_PROTOCOL_2 any any

************************

For the NAT, it is using "nat (VLAN_YYY) 101 0.0.0.0 0.0.0.0"

Now, what I can see in the log is:

********

6|Dec 02 2009|11:30:58|305011|10.3.75.84|1034|1.2.3.4|9649|Built dynamic UDP translation from VLAN_YYY:10.3.75.84/1034 to DNA_Internet:1.2.3.4/9649
6|Dec 02 2009|11:30:56|302015|192.168.30.42|161|10.3.75.87|1025|Built outbound UDP connection 823973 for DNA_Internet:192.168.30.42/161 (192.168.30.42/161) to VLAN_YYY:10.3.75.87/1025 (1.2.3.4/56117)
6|Dec 02 2009|11:30:53|302018|91.5.6.7||10.3.74.69|44122|Teardown GRE connection 823959 from DNA_Internet:91.5.6.7 to VLAN_YYY:10.3.74.69/44122 duration 0:00:00 bytes 61
6|Dec 02 2009|11:30:53|110003|91.5.6.7|1723|10.3.74.69|44122|Routing failed to locate next hop for GRE from DNA_Internet:91.5.6.7/1723 to VLAN_YYY:10.3.74.69/44122
6|Dec 02 2009|11:30:53|302017|91.5.6.7||10.3.74.69|44122|Built inbound GRE connection 823959 from DNA_Internet:91.5.6.7 (91.5.6.7) to VLAN_YYY:10.3.74.69/44122 (1.2.3.4/44122)
6|Dec 02 2009|11:30:53|302017|10.3.75.85||91.5.6.7|63141|Built outbound GRE connection 823958 from VLAN_YYY:10.3.75.85 (1.2.3.4) to DNA_Internet:91.5.6.7/63141 (91.5.6.7/63141)
6|Dec 02 2009|11:30:53|305011|10.3.75.85|1723|1.2.3.4|54425|Built dynamic GRE translation from VLAN_YYY:10.3.75.85/1723 to DNA_Internet:1.2.3.4/54425
6|Dec 02 2009|11:30:53|305011|10.3.75.85|16384|1.2.3.4|44122|Built dynamic GRE translation from VLAN_YYY:10.3.75.85/16384 to DNA_Internet:1.2.3.4/44122
6|Dec 02 2009|11:30:53|302013|10.3.75.85|3101|91.5.6.7|1723|Built outbound TCP connection 823956 for DNA_Internet:91.5.6.7/1723 (91.5.6.7/1723) to VLAN_YYY:10.3.75.85/3101 (1.2.3.4/47996)
6|Dec 02 2009|11:30:53|305011|10.3.75.85|3101|1.2.3.4|47996|Built dynamic TCP translation from VLAN_YYY:10.3.75.85/3101 to DNA_Internet:1.2.3.4/47996

*******************

I think I have located the problem but I don't understand why it is doing that.

So company YYY is on a VLAN with network address 10.3.75.64 255.255.255.192.

I have another company using another kind of VPN. Let's say company ZZZ, which is on the network 10.3.74.64 255.255.255.192, and for that company ZZZ I have on my firewall a static NAT rule "static (VLAN_ZZZ,DNA_Internet) interface 10.3.74.69 netmask 255.255.255.255".

All the other companies are using dynamic rules for NAT.

As we can see in the log, for company YYY, up to the "Built outbound GRE" it is using the correct inside address. But for "Built inbound GRE connection", it starts to use the IP address from company ZZZ, the IP address defined in the rule.

I don't understand how this is possible.

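As an added example (not part of the thread, and not Cisco code), the following Python script re-reads the ASDM log lines quoted above and performs the correlation the post does by eye: it collects every dynamic translation announced by message 305011, then checks each inbound connection built (message 302017) to see whether the inside host it was delivered to is the host that owns the matching translation, and lists the 110003 routing failures. The pipe-delimited field order and the exact message wording are assumed from the lines quoted above; the sample input is those lines, embedded as a constructed string. Keying the translation table on mapped address plus port (the call ID, for GRE) is a simplification of the ASA's real xlate matching.

```python
import re

# Constructed sample input: the relevant ASDM log lines quoted in the thread
# above, in the order the log viewer lists them (newest first).
SAMPLE_LOG = """\
6|Dec 02 2009|11:30:53|302018|91.5.6.7||10.3.74.69|44122|Teardown GRE connection 823959 from DNA_Internet:91.5.6.7 to VLAN_YYY:10.3.74.69/44122 duration 0:00:00 bytes 61
6|Dec 02 2009|11:30:53|110003|91.5.6.7|1723|10.3.74.69|44122|Routing failed to locate next hop for GRE from DNA_Internet:91.5.6.7/1723 to VLAN_YYY:10.3.74.69/44122
6|Dec 02 2009|11:30:53|302017|91.5.6.7||10.3.74.69|44122|Built inbound GRE connection 823959 from DNA_Internet:91.5.6.7 (91.5.6.7) to VLAN_YYY:10.3.74.69/44122 (1.2.3.4/44122)
6|Dec 02 2009|11:30:53|302017|10.3.75.85||91.5.6.7|63141|Built outbound GRE connection 823958 from VLAN_YYY:10.3.75.85 (1.2.3.4) to DNA_Internet:91.5.6.7/63141 (91.5.6.7/63141)
6|Dec 02 2009|11:30:53|305011|10.3.75.85|1723|1.2.3.4|54425|Built dynamic GRE translation from VLAN_YYY:10.3.75.85/1723 to DNA_Internet:1.2.3.4/54425
6|Dec 02 2009|11:30:53|305011|10.3.75.85|16384|1.2.3.4|44122|Built dynamic GRE translation from VLAN_YYY:10.3.75.85/16384 to DNA_Internet:1.2.3.4/44122
6|Dec 02 2009|11:30:53|302013|10.3.75.85|3101|91.5.6.7|1723|Built outbound TCP connection 823956 for DNA_Internet:91.5.6.7/1723 (91.5.6.7/1723) to VLAN_YYY:10.3.75.85/3101 (1.2.3.4/47996)
6|Dec 02 2009|11:30:53|305011|10.3.75.85|3101|1.2.3.4|47996|Built dynamic TCP translation from VLAN_YYY:10.3.75.85/3101 to DNA_Internet:1.2.3.4/47996
"""

# Message text patterns, assumed from the exact wording quoted in the thread.
# 305011: dynamic translation built (inside real -> outside mapped).
XLATE_RE = re.compile(
    r"Built dynamic (?P<proto>\w+) translation from "
    r"(?P<in_if>[^:]+):(?P<real_ip>[\d.]+)/(?P<real_port>\d+) to "
    r"(?P<out_if>[^:]+):(?P<map_ip>[\d.]+)/(?P<map_port>\d+)")
# 302017 (inbound form): the mapped address in parentheses is what the peer
# sent to; the address before it is where the ASA actually delivered it.
INBOUND_RE = re.compile(
    r"Built inbound (?P<proto>\w+) connection \d+ from "
    r"(?P<out_if>[^:]+):(?P<peer_ip>[\d.]+)(?:/\d+)? \([\d.]+(?:/\d+)?\) to "
    r"(?P<in_if>[^:]+):(?P<real_ip>[\d.]+)/(?P<real_port>\d+) "
    r"\((?P<map_ip>[\d.]+)/(?P<map_port>\d+)\)")
# 110003: no route for the chosen inside destination.
ROUTE_FAIL_RE = re.compile(
    r"Routing failed to locate next hop for (?P<proto>\w+) from "
    r"(?P<out_if>[^:]+):(?P<peer_ip>[\d.]+)(?:/\d+)? to "
    r"(?P<in_if>[^:]+):(?P<dest_ip>[\d.]+)")


def parse_syslog(text):
    """Split the pipe-delimited export into records and return them oldest first."""
    records = []
    for line in text.strip().splitlines():
        fields = line.split("|", 8)
        if len(fields) != 9:
            continue  # not in the assumed 9-field export format
        records.append({"time": fields[2], "msgid": fields[3], "text": fields[8]})
    return list(reversed(records))  # the viewer lists newest first


def build_xlate_table(records):
    """Map (mapped IP, mapped port) from each 305011 to (real IP, real port, protocol)."""
    table = {}
    for rec in records:
        if rec["msgid"] != "305011":
            continue
        m = XLATE_RE.search(rec["text"])
        if m:
            table[(m["map_ip"], m["map_port"])] = (m["real_ip"], m["real_port"], m["proto"])
    return table


def find_misdirected_inbound(records):
    """Inbound connections delivered to a host other than the owner of the matching xlate."""
    table = build_xlate_table(records)
    findings = []
    for rec in records:
        if rec["msgid"] != "302017":
            continue
        m = INBOUND_RE.search(rec["text"])
        if not m:
            continue  # outbound form of 302017, or unexpected wording
        owner = table.get((m["map_ip"], m["map_port"]))
        if owner and owner[0] != m["real_ip"]:
            findings.append({
                "time": rec["time"],
                "peer": m["peer_ip"],
                "mapped": f"{m['map_ip']}/{m['map_port']}",
                "expected_inside": owner[0],
                "delivered_to": m["real_ip"],
            })
    return findings


def routing_failures(records):
    """Destinations the ASA could not route to after picking them for inbound traffic."""
    out = []
    for rec in records:
        if rec["msgid"] == "110003":
            m = ROUTE_FAIL_RE.search(rec["text"])
            if m:
                out.append({"peer": m["peer_ip"], "dest": m["dest_ip"], "proto": m["proto"]})
    return out


def main():
    records = parse_syslog(SAMPLE_LOG)
    for f in find_misdirected_inbound(records):
        print(f"{f['time']} inbound from {f['peer']} to {f['mapped']}: "
              f"xlate belongs to {f['expected_inside']} but delivered to {f['delivered_to']}")
    for r in routing_failures(records):
        print(f"routing failed for {r['proto']} from {r['peer']} to {r['dest']}")


if __name__ == "__main__":
    main()
```

Run against the quoted lines, the script reports the single mismatch the post describes: the translation for 1.2.3.4/44122 was built for 10.3.75.85, yet the inbound GRE was delivered to 10.3.74.69, followed by the routing failure for that host. Feeding it a longer export lets you see whether every affected connection shares the same delivered-to address, which is the signature of one static entry capturing return traffic for everyone behind the PAT.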
billetj09 Thu, 12/03/2009 - 02:19

The client is in my VLAN YYY and he is trying to connect to his VPN endpoint in his own company in another country. It worked before and stopped working about 3 weeks ago. I would say that it stopped working at about the same time I created this static NAT rule for company ZZZ.

billetj09 Thu, 12/03/2009 - 03:58

Let's start with the ACL

*****************

object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object icmp
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_4
protocol-object ip
protocol-object icmp
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object icmp
protocol-object udp
protocol-object tcp
protocol-object gre

access-list VLAN_ZZZ_access_in extended permit object-group DM_INLINE_PROTOCOL_4 any any
access-list DNA_Internet_access_in_1 remark ZZZ VPN
access-list DNA_Internet_access_in_1 extended permit ip host x9x.xxx.xxx.xx7 any
access-list DNA_Internet_access_in_1 remark ZZZ VPN 2
access-list DNA_Internet_access_in_1 extended permit ip host 1xx.xxx.xxx.xx5 any
access-list DNA_Internet_access_in_1 extended permit object-group DM_INLINE_PROTOCOL_1 host 1xx.xxx.xxx.xx1 any


access-list VLAN_YYY_access_in extended permit object-group DM_INLINE_PROTOCOL_2 10.3.75.64 255.255.255.192 any

*****************

global (Internet) 101 interface

nat (VLAN_ZZZ) 101 10.3.74.64 255.255.255.192

nat (VLAN_YYY) 101 10.3.75.64 255.255.255.192

static (VLAN_ZZZ,DNA_Internet) interface 10.3.74.69 netmask 255.255.255.255     That is the device company ZZZ uses as its VPN client

*******************


route Internet 0.0.0.0 0.0.0.0 1.2.3.4 1          Default route to our internet address

**********************

access-group Internet_access_in_1 in interface Internet
access-group VLAN_ZZZ_access_in in interface VLAN_ZZZ
access-group VLAN_YYY_access_in in interface VLAN_YYY


****************

Thanks a lot for your time.

Correct Answer
busterswt Thu, 12/03/2009 - 19:12

Just tossing this out there, but I have a feeling that since you've implemented the static NAT translation and are now using the interface IP for both the static NAT and the PAT, the global NAT xlate entry (created by initiating traffic from 10.3.74.69) is 'overriding' the PAT xlate entry. So in a sense return inbound traffic is being caught by the global xlate entry and thus being directed to the wrong server in VLAN_ZZZ.

Do you have the ability to use a unique public IP address for either the static NAT entry or the global entry, other than the interface ip?

James

billetj09 Thu, 12/03/2009 - 23:36

Hello,

So I have made a change based on what you said:

static (VLAN_ZZZ,DNA_Internet) 1.2.3.5 10.3.74.69 netmask 255.255.255.255

1.2.3.5 being another public IP address, not the one from the interface.

Now I am waiting for feedback from the company.

Thank you
