05-13-2010 12:19 PM
I am in the process of setting up a new ASA 5520. I am at the point where my remote client can connect to the VPN (authenticate) and receives an IP address. But once connected the client has no access. Cannot even ping anything other than its own address. The ASA also cannot ping the host. A sniffer tells us that the client is making the requests outbound. I don't see them in the ASA 5520 log. I posted as much of the config as I feel comfortable posting. The addresses are not actual. Any help would be most appreciated. Thank you.
Outside interface 10.10.1.204/24
Inside interface 10.10.200.206/24
Client: IP 10.10.200.130, mask 255.255.255.0, gateway 10.10.200.130
05-13-2010 12:22 PM
Douglas,
Enter the command:
management-access inside
crypto isakmp nat-t
and try to PING the inside IP of the ASA from the VPN client when connected.
Also, check if 'sh cryp ips sa' shows packets encrypted/decrypted.
Federico.
05-14-2010 04:28 AM
I ran the commands. I wanted to add that we are not using non-routable IP space. I changed our real IP space to non-routable. Below is the output:
BUBBLEBASS# sh cryp ips sa
interface: Outside
Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 10, local addr: 10.10.
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.10.200.131/255.255.255.255/0/0)
current_peer: 166.217.95.59, username: 1264069137@mil
dynamic allocated peer ip: 10.10.200.131
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.10.200.131/255.255.255.255/0/0)
current_peer: 166.217.95.59, username: 1264069137@com
dynamic allocated peer ip: 10.10.200.131
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 10.10.1.204/8700, remote crypto endpt.: 166.217.95.
path mtu 1500, ipsec overhead 110, media mtu 1500
current outbound spi: A5C48293
current inbound spi : B6F3D466
inbound esp sas:
spi: 0xB6F3D466 (3069432934)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={RA, Tunnel, TCP-Encaps, }
slot: 0, conn_id: 57344, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 28759
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00007BFF
outbound esp sas:
spi: 0xA5C48293 (2781119123)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={RA, Tunnel, TCP-Encaps, }
slot: 0, conn_id: 57344, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 28759
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
05-14-2010 10:28 AM
Hi,
I don't know if this issue is related to what I had experienced. Once, I had the same situation, and the reason was that the customer was using the same subnet as we are within our company. When I changed subnet then I was able to connect to the servers within their network.
Regards,
Antonio
05-14-2010 10:34 AM
We control and own the whole class "b" address space. So we are pretty sure that nobody is using the space but us. Always a good thing to check out.
05-14-2010 11:04 AM
From troubleshooting today, I am thinking I have a routing issue. Could this be an issue of my routes?
DHCP pool starting at 10.10.200.130
Inside interface 10.10.200.6
Next hop inside 10.10.200.1
Outside Interface 10.10.1.204
Next hop outside 10.10.1.126 (Last interface on the network)
My routes:
route Outside 0.0.0.0 0.0.0.0 10.10.1.126 1
route Inside 10.10.0.0 255.255.0.0 10.10.200.1 1
route Outside 10.10.203.0 255.255.255.0 10.10.1.126 1
route Inside 0.0.0.0 0.0.0.0 10.10.200.1 tunneled
I can ping all next hop addresses from the console on the ASA. Thanks.
05-14-2010 11:56 AM
Douglas,
Sorry for not getting back to you in time.
You got it working now?
Federico.
05-14-2010 12:00 PM
Not yet. Can't get it to work. Can only ping from the ASA to its neighbors. Cannot ping anywhere from the connected VPN client.
05-14-2010 12:04 PM
I think the problem is this:
Your VPN pool is:
ip local pool RVPN_Pool 10.10.200.130-10.10.200.254 mask 255.255.255.128
And there's a route on the ASA:
route Inside 10.10.0.0 255.255.0.0 10.10.200.1 1
Add the following:
route outside 10.10.200.0 255.255.255.0 10.10.1.126
Federico.
05-14-2010 12:13 PM
BUBBLEBASS# config t
BUBBLEBASS(config)# route outside 10.10.200.0 255.255.255.0 10.10.1.126
ERROR: Cannot add route, connected route exists
BUBBLEBASS(config)#
BUBBLEBASS# show route
Gateway of last resort is 10.10.1.126 to network 0.0.0.0
C 10.10.1.0 255.255.255.0 is directly connected, Outside
S 10.10.32.0 255.255.255.0 [1/0] via 10.10.200.1, Inside
S 10.10.203.130 255.255.255.255 [1/0] via 10.10.1.126, Outside
S 10.10.129.0 255.255.255.0 [1/0] via 10.10.200.1, Inside
C 10.10.200.0 255.255.255.0 is directly connected, Inside <--------------Conflicts with this
S 10.10.203.0 255.255.255.0 [1/0] via 10.10.1.126, Outside
S 10.10.253.0 255.255.255.0 [1/0] via 10.10.200.1, Inside
S* 0.0.0.0 0.0.0.0 [1/0] via 10.10.1.126, Outside
05-14-2010 12:18 PM
That's exactly the problem.
Your inside interface overlaps with the VPN pool.
To check if this is the problem, as a test you can do the following:
route outside 10.10.200.128 255.255.255.128 10.10.1.126
Let me know if it works.
Federico.
05-16-2010 01:53 AM
You should change your VPN pool to a subnet other than 10.10.200.X
Typically I'd use something completely out of the norm, something like 172.29.10.X (helps to minimise routing issues with some Wireless ISPs' private NAT'ed address space); it also removes DHCP addressing conflicts with the internal network.
The VPN pool will show as a directly connected network and therefore not require a route to be defined, as the device knows of it. As long as your default gateway for the internal network points to the ASA, no additional routes will be required to be added to the internal routing.
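Added example, not code from the thread or from Cisco: a small Python check that parses `show route` output in the format posted above (the sanitised addresses from the thread, embedded here as a constructed sample) and covers the two points raised in Federico's diagnosis and in the recommendation to move the pool. It flags a VPN pool that overlaps a directly connected interface subnet, and it reports which route entry the ASA would select for a client address by longest-prefix match. The function names, the `static_route_allowed` model of the "connected route exists" error (exact-prefix clash with a connected route, which is the case shown in the thread), and the 172.29.10.x comparison pool are my own assumptions, used only to illustrate the check.

```python
import ipaddress
import re

# Constructed sample: the ASA "show route" table as posted in the thread
# (addresses sanitised by the poster). One entry per line:
#   <code> <network> <mask> [admin/metric] via <next-hop>, <interface>
SHOW_ROUTE = """\
C 10.10.1.0 255.255.255.0 is directly connected, Outside
S 10.10.32.0 255.255.255.0 [1/0] via 10.10.200.1, Inside
S 10.10.203.130 255.255.255.255 [1/0] via 10.10.1.126, Outside
S 10.10.129.0 255.255.255.0 [1/0] via 10.10.200.1, Inside
C 10.10.200.0 255.255.255.0 is directly connected, Inside
S 10.10.203.0 255.255.255.0 [1/0] via 10.10.1.126, Outside
S 10.10.253.0 255.255.255.0 [1/0] via 10.10.200.1, Inside
S* 0.0.0.0 0.0.0.0 [1/0] via 10.10.1.126, Outside
"""

# Route code (C, S, S*, ...), network, mask, then anything up to ", <interface>".
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z]\*?)\s+(?P<net>\d+\.\d+\.\d+\.\d+)\s+(?P<mask>\d+\.\d+\.\d+\.\d+)"
    r".*?,\s*(?P<iface>\S+)\s*$"
)


def parse_show_route(text):
    """Turn 'show route' lines into dicts with a parsed IPv4Network."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue  # skip headers such as "Gateway of last resort ..."
        net = ipaddress.ip_network(f"{m['net']}/{m['mask']}", strict=False)
        via = re.search(r"via (\d+\.\d+\.\d+\.\d+)", line)
        routes.append({
            "code": m["code"],
            "network": net,
            "next_hop": via.group(1) if via else None,
            "interface": m["iface"],
            "connected": m["code"] == "C",
        })
    return routes


def lookup(routes, address):
    """Longest-prefix match: the entry the forwarding table selects for address."""
    addr = ipaddress.ip_address(address)
    candidates = [r for r in routes if addr in r["network"]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r["network"].prefixlen)


def pool_overlaps(routes, pool_first, pool_last):
    """Connected routes that overlap the address pool [pool_first, pool_last].

    A non-empty result means pool addresses look like hosts on a directly
    connected LAN, which is the overlap Federico pointed at.
    """
    first = ipaddress.ip_address(pool_first)
    last = ipaddress.ip_address(pool_last)
    pool_nets = list(ipaddress.summarize_address_range(first, last))
    return [
        r for r in routes
        if r["connected"] and any(r["network"].overlaps(n) for n in pool_nets)
    ]


def static_route_allowed(routes, net, mask):
    """Assumed model of 'ERROR: Cannot add route, connected route exists':
    refuse a static route whose prefix is identical to a connected route."""
    wanted = ipaddress.ip_network(f"{net}/{mask}", strict=False)
    return not any(r["connected"] and r["network"] == wanted for r in routes)


if __name__ == "__main__":
    table = parse_show_route(SHOW_ROUTE)
    # The pool from the thread versus a pool outside the LAN ranges.
    for pool in (("10.10.200.130", "10.10.200.254"), ("172.29.10.1", "172.29.10.254")):
        hits = pool_overlaps(table, *pool)
        print(pool, "overlaps:", [f"{r['network']} ({r['interface']})" for r in hits])
    for host in ("10.10.200.131", "10.10.203.130"):
        r = lookup(table, host)
        print(host, "->", r["code"], r["network"], r["next_hop"], r["interface"])
    print("route outside 10.10.200.0/24 allowed:", static_route_allowed(table, "10.10.200.0", "255.255.255.0"))
```

Run against the sample, the original pool is reported as overlapping the connected 10.10.200.0/24 on Inside, the 172.29.10.x pool is not, and the exact-prefix static route for 10.10.200.0/24 is refused while the more specific 10.10.200.128/25 test route is not.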
05-17-2010 05:25 AM
I changed my DHCP Pool to 10.10.203.0/24
Added a new route:
128.132.203.0 255.255.255.0 [1/0] via 128.132.1.126, Outside
The client now connects and gets an address in the new pool. My new route table:
C 10.10.1.0 255.255.255.0 is directly connected, Outside
S 10.10.32.0 255.255.255.0 [1/0] via 10.10.200.1, Inside
S 10.10.203.130 255.255.255.255 [1/0] via 10.10.1.126, Outside <----------------------- My client
S 10.10.129.0 255.255.255.0 [1/0] via 10.10.200.1, Inside
C 10.10.200.0 255.255.255.0 is directly connected, Inside
S 10.10.203.0 255.255.255.0 [1/0] via 10.10.1.126, Outside
S 10.10.253.0 255.255.255.0 [1/0] via 10.10.200.1, Inside
S* 0.0.0.0 0.0.0.0 [1/0] via 10.10.1.126, Outside
S 0.0.0.0 0.0.0.0 [255/0] via 10.10.200.1, Inside tunneled
I feel like I am getting closer. I still have no connectivity. Since packets from my client 10.10.203.130 are sent via the outside VPN interface to my outside-the-firewall gateway (Cisco 6500 interface with 10.10.1.126), how do the packets return to the client? Our firewall indicates they are trying to come inbound from the outside. This would be causing my connectivity problem, which would be normal since 10.10.1.126 routes all traffic inbound through the firewall and then to the internal network. I thought traffic went through the VPN in both directions?
05-20-2010 05:53 AM
Got it working. Reversed the route going to the outside for the DHCP pool. Added the inside to my EIGRP configurations and added an access list to allow traffic to the inside interface. Thanks for your assistance.