VPN Client connects but no connectivity.

Douglas Holmes
Level 1

I am in the process of setting up a new ASA 5520.  I am at the point where my remote client can connect to the VPN (authenticate) and receives an IP address.  But once connected the client has no access.  Cannot even ping anything other than its own address.  The ASA also cannot ping the host.  A sniffer tells us that the client is making the requests outbound.  I don't see them in the ASA 5520 log. I posted as much of the config as I feel comfortable posting.  The addresses are not actual.  Any help would be most appreciated.  Thank you.

Outside interface 10.10.1.204/24
Inside interface 10.10.200.206/24
Client IP 10.10.200.130, mask 255.255.255.0, gateway 10.10.200.130

13 Replies

Douglas,

Enter the command:

management-access inside

crypto isakmp nat-t

and try to PING the inside IP of the ASA from the VPN client when connected.

Also, check if 'sh cryp ips sa' shows packets encrypted/decrypted.

Federico.

I ran the commands.  I wanted to add that we are not using non-routable IP space.  I changed our real IP space to non-routable.  Below is the output:

BUBBLEBASS# sh cryp ips sa
interface: Outside
    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 10, local addr: 10.10.

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.10.200.131/255.255.255.255/0/0)
      current_peer: 166.217.95.59, username: 1264069137@mil
      dynamic allocated peer ip: 10.10.200.131

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.10.200.131/255.255.255.255/0/0)
      current_peer: 166.217.95.59, username: 1264069137@com
      dynamic allocated peer ip: 10.10.200.131

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 10.10.1.204/8700, remote crypto endpt.: 166.217.95.
      path mtu 1500, ipsec overhead 110, media mtu 1500
      current outbound spi: A5C48293
      current inbound spi : B6F3D466

    inbound esp sas:
      spi: 0xB6F3D466 (3069432934)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={RA, Tunnel,  TCP-Encaps, }
         slot: 0, conn_id: 57344, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
         sa timing: remaining key lifetime (sec): 28759
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00007BFF
    outbound esp sas:
      spi: 0xA5C48293 (2781119123)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={RA, Tunnel,  TCP-Encaps, }
         slot: 0, conn_id: 57344, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
         sa timing: remaining key lifetime (sec): 28759
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

antonio.rubio
Level 1

Hi,

I don't know if this issue is related to what I had experienced.  Once, I had the same situation, and the reason was that the customer was using the same subnet as we are within our company.  When I changed subnet then I was able to connect to the servers within their network.

Regards,

Antonio

We control and own the whole class "b" address space.  So we are pretty sure that nobody is using the space but us.  Always a good thing to check out.

From troubleshooting today, I am thinking I have a routing issue.  Could this be an issue of my routes?

DHCP pool starting at 10.10.200.130

Inside interface 10.10.200.6

Next hop inside 10.10.200.1

Outside Interface 10.10.1.204

Next hop outside 10.10.1.126 (Last interface on the network)

My routes:

route Outside 0.0.0.0 0.0.0.0 10.10.1.126 1
route Inside 10.10.0.0 255.255.0.0 10.10.200.1 1
route Outside 10.10.203.0 255.255.255.0 10.10.1.126 1
route Inside 0.0.0.0 0.0.0.0 10.10.200.1 tunneled

I can ping all next hop addresses from the console on the ASA.  Thanks.

Douglas,

Sorry for not getting back to you in time.

You got it working now?

Federico.

Not yet.  Can't get it to work.  Can only ping from the ASA to its neighbors.  Cannot ping anywhere from the connected VPN client.

I think the problem is this:
Your VPN pool is:
ip local pool RVPN_Pool 10.10.200.130-10.10.200.254 mask 255.255.255.128
And there's a route on the ASA:
route Inside 10.10.0.0 255.255.0.0 10.10.200.1 1

Add the following:
route outside 10.10.200.0 255.255.255.0 10.10.1.126

Federico.

BUBBLEBASS# config t
BUBBLEBASS(config)# route outside 10.10.200.0 255.255.255.0 10.10.1.126
ERROR: Cannot add route, connected route exists
BUBBLEBASS(config)#

BUBBLEBASS# show route

Gateway of last resort is 10.10.1.126 to network 0.0.0.0

C    10.10.1.0 255.255.255.0 is directly connected, Outside
S    10.10.32.0 255.255.255.0 [1/0] via 10.10.200.1, Inside
S    10.10.203.130 255.255.255.255 [1/0] via 10.10.1.126, Outside
S    10.10.129.0 255.255.255.0 [1/0] via 10.10.200.1, Inside
C    10.10.200.0 255.255.255.0 is directly connected, Inside  <--------------Conflicts with this
S    10.10.203.0 255.255.255.0 [1/0] via 10.10.1.126, Outside
S    10.10.253.0 255.255.255.0 [1/0] via 10.10.200.1, Inside
S*   0.0.0.0 0.0.0.0 [1/0] via 10.10.1.126, Outside

That's exactly the problem.
Your inside interface overlaps with the VPN pool.


To check if this is the problem, as a test you can do the following:

route outside 10.10.200.128 255.255.255.128 10.10.1.126

Let me know if it works.

Federico.

tcording
Level 1

You should change your VPN pool to a subnet other than 10.10.200.X.

Typically I'd use something completely out of the norm, something like 172.29.10.X (it helps to minimise routing issues with some wireless ISPs' private NAT'ed address space) and it also removes DHCP addressing conflicts with the internal network.

The VPN pool will show as a directly connected network and therefore not require a route to be defined, as the device knows of it. As long as your default gateway for the internal network points to the ASA, no additional routes will need to be added to the internal routing.

I changed my DHCP Pool to 10.10.203.0/24

Added a new route:

128.132.203.0 255.255.255.0 [1/0] via 128.132.1.126, Outside

The client now connects and gets an address in the new pool.  My new route table:

C    10.10.1.0 255.255.255.0 is directly connected, Outside
S    10.10.32.0 255.255.255.0 [1/0] via 10.10.200.1, Inside
S    10.10.203.130 255.255.255.255 [1/0] via 10.10.1.126, Outside <----------------------- My client
S    10.10.129.0 255.255.255.0 [1/0] via 10.10.200.1, Inside
C    10.10.200.0 255.255.255.0 is directly connected, Inside
S    10.10.203.0 255.255.255.0 [1/0] via 10.10.1.126, Outside
S    10.10.253.0 255.255.255.0 [1/0] via 10.10.200.1, Inside
S*   0.0.0.0 0.0.0.0 [1/0] via 10.10.1.126, Outside
S    0.0.0.0 0.0.0.0 [255/0] via 10.10.200.1, Inside tunneled

I feel like I am getting closer.  I still have no connectivity.  Since packets from my client 10.10.203.130 are sent via the outside VPN interface to my outside-the-firewall gateway (Cisco 6500 interface with 10.10.1.126), how do the packets return to the client?  Our firewall indicates they are trying to come inbound from the outside.  This would be causing my connectivity problem, which would be normal since 10.10.1.126 routes all traffic inbound through the firewall and then to the internal network.  I thought traffic went through the VPN in both directions?

Got it working.  Reversed the route going to the outside for the DHCP pool.  Added the inside to my EIGRP configurations and added an access list to allow traffic to the inside interface.  Thanks for your assistance.
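Two points in this thread can be checked mechanically from the 'show route' output Douglas posted: Federico's diagnosis that the original pool (10.10.200.130-254) overlaps the directly connected Inside network 10.10.200.0/24, which is why the ASA refused the 'route outside 10.10.200.0 ...' command with "connected route exists", and Douglas's later question about where the ASA sends traffic addressed to the client 10.10.203.130 (longest-prefix match picks the /32 host route out the Outside interface). The script below is an added example written for this page, not code from the thread or from Cisco. It parses the posted route table (copied verbatim) and the posted 'ip local pool' line, reports pool/connected-network overlap, and resolves destinations with longest-prefix match. The range 10.10.203.1-254 for the new pool is an assumption (the post only says the pool was moved to 10.10.203.0/24), and the handling of the 'tunneled' route is a simplified model, marked as such in the code.

```python
"""Route-table sanity checks for an ASA remote-access VPN pool.

Added example for this thread, not code from the original posts or from Cisco.
Parses `show route` text, flags a VPN pool that overlaps a directly connected
network (the condition behind "ERROR: Cannot add route, connected route
exists"), and resolves a destination with longest-prefix match.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# One `show route` line: code, network, mask, optional [AD/metric], then either
# "via <next-hop>, <iface>" or "is directly connected, <iface>", optional "tunneled".
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z]\*?)\s+(?P<net>[\d.]+)\s+(?P<mask>[\d.]+)"
    r"(?:\s+\[(?P<ad>\d+)/(?P<metric>\d+)\])?\s+"
    r"(?:via\s+(?P<nh>[\d.]+),|is directly connected,)\s+(?P<iface>\w+)"
    r"(?P<tunneled>\s+tunneled)?"
)
# `ip local pool <name> <first>-<last> mask <mask>`
POOL_RE = re.compile(r"^ip local pool\s+\S+\s+(?P<first>[\d.]+)-(?P<last>[\d.]+)")

# Copied from the thread: the route table after the pool was moved to 10.10.203.0/24.
SHOW_ROUTE = """
Gateway of last resort is 10.10.1.126 to network 0.0.0.0

C    10.10.1.0 255.255.255.0 is directly connected, Outside
S    10.10.32.0 255.255.255.0 [1/0] via 10.10.200.1, Inside
S    10.10.203.130 255.255.255.255 [1/0] via 10.10.1.126, Outside
S    10.10.129.0 255.255.255.0 [1/0] via 10.10.200.1, Inside
C    10.10.200.0 255.255.255.0 is directly connected, Inside
S    10.10.203.0 255.255.255.0 [1/0] via 10.10.1.126, Outside
S    10.10.253.0 255.255.255.0 [1/0] via 10.10.200.1, Inside
S*   0.0.0.0 0.0.0.0 [1/0] via 10.10.1.126, Outside
S    0.0.0.0 0.0.0.0 [255/0] via 10.10.200.1, Inside tunneled
"""
# Copied from the thread (Federico quoted it).
OLD_POOL = "ip local pool RVPN_Pool 10.10.200.130-10.10.200.254 mask 255.255.255.128"
# Assumed range: the post only says the pool moved to 10.10.203.0/24.
NEW_POOL = "ip local pool RVPN_Pool 10.10.203.1-10.10.203.254 mask 255.255.255.0"


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    iface: str
    next_hop: Optional[ipaddress.IPv4Address]
    tunneled: bool

    @property
    def connected(self) -> bool:
        return self.next_hop is None


def parse_show_route(text: str) -> List[Route]:
    """Parse `show route` lines; the header and blank lines are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        routes.append(Route(
            network=ipaddress.IPv4Network(f"{m['net']}/{m['mask']}", strict=False),
            iface=m["iface"],
            next_hop=ipaddress.IPv4Address(m["nh"]) if m["nh"] else None,
            tunneled=m["tunneled"] is not None,
        ))
    return routes


def parse_local_pool(line: str) -> List[ipaddress.IPv4Network]:
    """Turn an `ip local pool` first-last range into the CIDR blocks it covers."""
    m = POOL_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an ip local pool line: {line!r}")
    return list(ipaddress.summarize_address_range(
        ipaddress.IPv4Address(m["first"]), ipaddress.IPv4Address(m["last"])))


def pool_conflicts(routes: List[Route], pool_line: str) -> List[Route]:
    """Directly connected networks that overlap the pool. Any hit is the thread's
    situation: a `route <if> <pool-net> <mask> <gw>` for that prefix is refused
    ("connected route exists") and the pool should move to a free subnet."""
    blocks = parse_local_pool(pool_line)
    return [r for r in routes if r.connected
            and any(r.network.overlaps(b) for b in blocks)]


def lookup(routes: List[Route], dst: str, from_tunnel: bool = False) -> Optional[Route]:
    """Longest-prefix match for `dst`.

    Assumption (simplified model of the ASA `tunneled` keyword): a tunneled
    route is only eligible for packets that arrived through a VPN tunnel, and
    among equally specific routes the tunneled one wins for that traffic.
    """
    addr = ipaddress.IPv4Address(dst)
    candidates = [r for r in routes
                  if addr in r.network and (from_tunnel or not r.tunneled)]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.network.prefixlen, r.tunneled))


if __name__ == "__main__":
    table = parse_show_route(SHOW_ROUTE)
    for label, pool in (("old pool", OLD_POOL), ("new pool", NEW_POOL)):
        hits = pool_conflicts(table, pool)
        print(f"{label}: " + (", ".join(f"overlaps {r.network} on {r.iface}"
                                        for r in hits) or "no overlap"))
    client = lookup(table, "10.10.203.130")
    print(f"to client: {client.network} via {client.next_hop} on {client.iface}")
```

Run against the posted table, the old pool reports an overlap with 10.10.200.0/24 on Inside and the new pool reports none; a packet for 10.10.203.130 matches the /32 host route the ASA added for the client and leaves via Outside, while a packet arriving from the tunnel for an address with no specific route falls to the tunneled default via 10.10.200.1 on Inside.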
