VPN connects but no remote lan access

Unanswered Question
Jun 24th, 2010

Hi there,

I was setting up an remote access VPN on ASA 5520. The client could be able to connect, both isakmp sa and ipsec sa have established. But the client  cannot access remote lan resources.

1. nat 0 has added.

2. Reverse-route checked. Could see a static route to client on ASA.

3. Status checked on client. With a continus ping, encrypted packet was increasing. Packet sniffer shows only traffic out, no packets in.

4. Added a static route on the router connect to ASA for the client address pool. Ping test results: .....

5. Ping on ASA to client, results: ?????

I've stucked on it for three days, does anyone could help me out of this?

Thanks in advance.

Best regards,

Victor

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Marcin Latosiewicz Fri, 06/25/2010 - 01:31

Victor,

Please enable management-access inside (if inside is your inside interface) and ping the inside interface of ASA.

You will also need to add coresponding "icmp permit ..." entry to allow pings.

At the same time please inspect "show crypto ipsec sa" to see if decapsulations and encapsulations are increasing.

Marcin

edit:

spidermanchar Fri, 06/25/2010 - 03:02

Victor,

Please enable management-access inside (if inside is your inside interface) and ping the inside interface of ASA.

You will also need to add coresponding "icmp permit ..." entry to allow pings.

At the same time please inspect "show crypto ipsec sa" to see if decapsulations and encapsulations are increasing.

Marcin

======================================

Marcin,

Thanks for your reply.

show crypto ipsec sa shows des and en packets are both 0 !!!

Let me introduce more about the environment:

Test PC---- ASA ---L2L VPN-----ASA (RA VPN server) ------Test server

There is already an L2L tunnel running on two office. I configurated remote access VPN server on one side and tried to test the client in another side.

I could see the dec and en packets increasing on L2L tunnel while the RA tunnel is 0. Tested from internet for the RA VPN works.

But I still don't understand why the traffic all goes under L2L, none packet run under RA tunnel. The peer (vpn client side)have the same address, why only one tunnel is working?

Thanks,

Victor

Marcin Latosiewicz Fri, 06/25/2010 - 04:13

Victor,

Just to confirm.

You are connecting from site1 to RA server in side 2, site1 has already l2l tunnel with site2.

So you have a L2L tunnel spcifying

site1 subnet to site 2 subnet should be encrypted. Both subnets are inside.

Normally RA vpn should connect to public IP address of site 2. So unless there's a crypto SA covering this on site 1 it should not be a problem.

OK so let's talk subnets.

What is encrypted in L2L , what is the subnet used by RA client etc etc.

spidermanchar Sun, 06/27/2010 - 22:39

Marcin,

The subnes encrypted in L2L is 172.16.0.0 --10.23.0.0, the RA clients is in 10.16.0.0 network and were giving 192.168.254.0 network by the server on side 2.

I found a crypto sa on side 1 that the local ident and remote ident are the public IP address of two sides, I don't understand it, I think this is the problem? What is the usage of the crypto sa?

Thanks,

Victor

spidermanchar Wed, 06/30/2010 - 01:01

Hi Marcin,

The subnes encrypted in L2L is 172.16.0.0 --10.23.0.0, the RA clients is in

10.16.0.0 network and were giving 192.168.254.0 network by the server on

side 2.

I found a crypto sa on side 1 that the local ident and remote ident are the

public IP address of two sides, I don't understand it, I think this is the

problem? What is the usage of the crypto sa?

Thanks,

Victor

2010/6/25 mlatosie

victor ma,

>

A new message was posted in the Discussion thread "VPN connects but no

remote lan access":

>

https://supportforums.cisco.com/message/3126713#3126713

>

Author : Marcin Latosiewicz

Profile : https://supportforums.cisco.com/people/mlatosie

>

Message:

Marcin Latosiewicz Wed, 06/30/2010 - 08:33

Victor,

Indeed typical L2L tunnel does not require public IP addresses to be put into the tunnel (unless some management considerations....?).

We can remove them on bothe sides and re-test right?

Marcin

spidermanchar Wed, 06/30/2010 - 23:44

Marcin,

Sorry, I made a mistake, no, there isn't only ipsec sa with site 1 and site 2 public IPs. Only lan addresses. It's site 1 and site 3's public IPs shows in the ipsec sa.

But still, my question is, why public IPs?

Could you check below settings and let me know your thought.

sh crypto ipsec sa shows:

crypto map tag: crymap, seq num 50, local addr 1.1.1.1

access-list oo_temp_crymap50 permit ip host 1.1.1.1 3.3.3.3

local ident 1.1.1.1/255.255.255.255

remote ident 3.3.3.3/255.255.255.255

current_peer: 3.3.3.3

pkts encaps: 0

pkts decaps: 0

local crypto endpt:1.1.1.1, remote crypto endtp:3.3.3.3

sh run shows:

crypto map crymap 50 match address k1

crypto map crymap 50 set connection-type originate-only

crypto map crymap 50 set peer 2.2.2.2 3.3.3.3  ---- Try 2 peers? If first fail, then the second? Am I right here?

crypto map crymap 50 set transform-set ESP-AES-SHA

access-list k1 extended permit ip 192.168.1.0 255.255.255.0 192.168.250.0 255.255.255.0

Thanks,

Victor

Marcin Latosiewicz Thu, 07/01/2010 - 04:08

Victor,

access-list oo_temp_crymap50

Indeed normally I would have not expected to have public IPs there, maybe it's a quesion of multiple peers (another thing I probably didn't do since my ccie)

Can you paste me whole "show crypto ipsec sa peer ..." ?

Regarding multiple peers, it will cycle between the two AFAIR:

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/c5.html#wp2238774

Marcin

spidermanchar Thu, 07/01/2010 - 19:30

Hi Marvin,

I sent you private message about this, please have a check. I changed the real IP addresses and map names. But should be the same for trouble shooting.

Thanks,

Victor

Actions

This Discussion