Cisco ASA: clients connect to VPN but have no route inside, need some help?

Oct 4th, 2010

Hello Everyone...!


I have a Cisco ASA running IOS Version 8.0(4). Everyone in my company connects fine through the VPN Client, but they don't have routing.

I'm wondering why they connect to the VPN and then don't have any traffic inside.


Need some tips..

Shilpa Gupta Mon, 10/04/2010 - 06:34
User Badges:
  • Cisco Employee,

Hello,


As per the problem description, I understand that you can connect via the VPN client; however, you cannot access anything on the inside?


Please let me know if the problem description is correct.


Also, for a better understanding of the issue, please answer the following questions:

[1] What is the VPN client that you are using?

[2] Are the NAT translations in place on the ASA?

[3] Have you configured split tunnel? Is the internal network included in it?



It would be great if you can attach the 'sh tech' output of ASA.


Thanks,

Shilpa

zafnath Mon, 10/04/2010 - 07:11

Shilpa, answering your questions:


As per the problem description, I understand that you can connect via the VPN client; however, you cannot access anything on the inside? YES




[1] What is the VPN client that you are using? Cisco Systems VPN Client Version 5.0.04.0300

[2] Are the NAT translations in place on the ASA? Yes, I have a couple of NATs working in several rules.

[3] Have you configured split tunnel? Is the internal network included in it? The split tunneling is checked on the Network List as Inherit, which means the whole network.

Is there a specific part of the show tech that you want to see?


Thanks for your help

Namit Agarwal Mon, 10/04/2010 - 07:14
User Badges:
  • Cisco Employee,

Hi,


Please paste the running config of the ASA here. You can remove the sensitive IP information.


Thanks,


Namit

Shilpa Gupta Mon, 10/04/2010 - 07:23
User Badges:
  • Cisco Employee,

Hi,


I would like to check if you have NAT exempt for the traffic from the inside network to the pool IP address of the client. If it is not configured, then configure the same and check if you are able to connect.

Also, once you are connected, you should be able to see that the route for reaching your client IP is via the outside interface. This can be done by issuing "sh route".


Thanks,


Shilpa

zafnath Mon, 10/04/2010 - 07:45

Guys, here is the running config.

thanks for your help

Shilpa Gupta Mon, 10/04/2010 - 08:00
User Badges:
  • Cisco Employee,

Hi,


Once connected via VPN, is the host which you are trying to access connected directly to the ASA, or is there any device present in between the inside host and the ASA?

If yes, make sure that you have a route on that device for the pool IP address pointing towards the ASA's inside IP.


Thanks,


Shilpa

zafnath Mon, 10/04/2010 - 08:13

The core switch is attached directly to the ASA inside interface, but I can't even access the core. It's like the whole traffic is not routed.

Shilpa Gupta Mon, 10/04/2010 - 08:28
User Badges:
  • Cisco Employee,

Hi,


After getting connected to the ASA via VPN, try to ping the ASA's inside IP address and let me know if you are able to ping.

Add the following commands:

[1] sysopt connection permit-vpn

[2] management-access inside

Let me know if you are able to ping:

[1] the ASA's inside IP address

[2] any host on the inside

When you say the whole traffic is not routed, can you please explain it briefly.


Thanks,


Shilpa

zafnath Mon, 10/04/2010 - 09:18

I did the above commands but nothing happened.

When you say the whole traffic is not routed, can you please explain it briefly.

Answer: My first hop after the ASA's inside interface is the core switch. I'm trying to ping it but it doesn't work. If I can't get into the first hop, for sure I won't be able to get into the rest of the network.

Namit Agarwal Mon, 10/04/2010 - 08:44
User Badges:
  • Cisco Employee,

Hi,


Please provide the details of the tunnel you are trying to establish. Which tunnel-group?


Regards,

Namit

Jitendriya Athavale Mon, 10/04/2010 - 08:53
User Badges:
  • Cisco Employee,

Once connected via VPN, give the following commands on the ASA and please paste the output:

show crypto ipsec sa peer

show vpn-sessiondb remote

Namit Agarwal Mon, 10/04/2010 - 09:15
User Badges:
  • Cisco Employee,

Hi,


Please paste a screenshot of the route details on the VPN Client. The route details can be viewed at Status > Statistics > Route Details. I just want to confirm whether the VPN Client is getting the correct routes. Also, I see that the tunnel-group in use is XXXX and the policy associated with it is clientes. Please provide me the details of this group-policy. The output of "show run all group-policy clientes" will be helpful.


Regards,

Namit

Jitendriya Athavale Mon, 10/04/2010 - 09:22
User Badges:
  • Cisco Employee,

Try the following:

icmp permit any inside

I see you have logging buffered debug, that's good.

clear logging buffered

management-access inside

From the client:

ping the inside interface IP

show logg | in

Jitendriya Athavale Mon, 10/04/2010 - 09:23
User Badges:
  • Cisco Employee,

Also, once you are connected through the VPN,

give the show route command and verify that you see a static route to the VPN client IP pointing to the outside interface.

zafnath Mon, 10/04/2010 - 09:32

Nothing happens with this...

Fw(config)# icmp permit any inside

Fw(config)# sh logg | in 10.XX.XX.0

But no output.

Jitendriya Athavale Mon, 10/04/2010 - 09:35
User Badges:
  • Cisco Employee,

Fw(config)# sh logg | in 10.XX.XX.0


This would be incorrect.

Fw(config)# sh logg | in 10.XX.XX.13 (something like this), or just leave it at XX and do not enter the last octet.

Namit Agarwal Mon, 10/04/2010 - 09:41
User Badges:
  • Cisco Employee,

Hi,


Thanks a ton for the outputs. It clearly shows from the statistics on the VPN Client and the outputs on the ASA that the ASA is receiving the packets across the tunnel and decrypting them, but the replies are not being encrypted. Please paste the output of the following command:

packet-tracer input inside icmp 8 0 <IP address from the remote pool assigned to the PC connected to VPN>


Thanks,

Namit

Jitendriya Athavale Mon, 10/04/2010 - 16:56
User Badges:
  • Cisco Employee,

As the packet tracer says, it is being dropped in the NAT rules.

Please paste your NAT rules:

show run nat

show run global

sh run static

sh access-list

Namit Agarwal Mon, 10/04/2010 - 22:04
User Badges:
  • Cisco Employee,

Hi,


Do your remote pool subnet and the subnet of the internal network on the ASA overlap? I mean, is it something like the remote pool being 192.168.1.1-192.168.1.25 while the internal subnet on the ASA is 192.168.1.0/24?


Thanks,


Namit

zafnath Tue, 10/05/2010 - 08:08

After a while of troubleshooting with my networking team, we found that the packet is dropped at the end.

Now we need to find out why it is doing that.


Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (ipsec-spoof) IPSEC Spoof detected

Jitendriya Athavale Tue, 10/05/2010 - 08:14
User Badges:
  • Cisco Employee,

Did you make any changes to the rules in the firewall? Because I see the packet tracer outputs look to be different.

Also, have you verified that the VPN pool IPs and the internal network IPs do not overlap?

zafnath Tue, 10/05/2010 - 09:28

No, I didn't change anything. I will delete the connection profile and I will do it again.

zafnath Tue, 10/05/2010 - 13:23

How come...!!!! This is black magic...!!!!!!

I made a full backup of JUN2010 and the problem persists.....!!! What!!!!!!!

zafnath Wed, 10/13/2010 - 13:30

FOR THE RECORD, HERE IS THE ANSWER.....!!!!

I made a new IP pool with a different network, avoiding the use of the same IP addressing as my inside network, and applied it to the group policy. This is the only change that I made to the firewall.

In the core switch I made a static route for the new network with the inside firewall interface as the gateway of last resort.

And done, it works!!!!
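Worked example, added here and not from the thread or from Cisco: a small Python check that flags a client pool overlapping the inside subnets (the condition behind the ipsec-spoof drop above) and, for a clean pool, emits the ASA 8.0-era pool and NAT-exemption lines plus the core-switch static route the accepted fix needed. The addresses, the pool name vpnpool and the ACL name nonat are constructed assumptions (the thread masks its real addresses as 10.XX.XX.0).

```python
import ipaddress

# Constructed sample addressing (the thread masks its real addresses as 10.XX.XX.0).
INSIDE_SUBNETS = ["10.20.0.0/16"]           # networks behind the ASA inside interface
ASA_INSIDE_IP = "10.20.0.1"                 # next hop the core switch uses to reach the pool
OLD_POOL = ("10.20.50.1", "10.20.50.100")   # carved out of the inside network: the failing setup
NEW_POOL = ("10.99.0.1", "10.99.0.100")     # separate network, as in the accepted fix

def pool_overlaps_inside(first, last, inside_subnets):
    """Inside subnets that overlap the client pool range; an empty list means the pool is clean."""
    blocks = list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))
    nets = (ipaddress.ip_network(s) for s in inside_subnets)
    return [str(n) for n in nets if any(n.overlaps(b) for b in blocks)]

def covering_network(first, last):
    """Smallest CIDR block containing the whole pool range (used by the NAT-exempt ACL and the route)."""
    net = ipaddress.ip_network(first)          # starts as a /32 and widens until the last address fits
    last_ip = ipaddress.ip_address(last)
    while last_ip not in net:
        net = net.supernet()
    return net

def asa_pool_config(pool_name, first, last, inside_subnets):
    """ASA 8.0-style lines: the pool, NAT exemption (nat 0) between inside and the pool,
    and the two commands suggested in the thread. 'nonat' is an assumed ACL name."""
    pool_net = covering_network(first, last)
    lines = [f"ip local pool {pool_name} {first}-{last} mask {pool_net.netmask}"]
    for subnet in inside_subnets:
        net = ipaddress.ip_network(subnet)
        lines.append(f"access-list nonat extended permit ip {net.network_address} {net.netmask} "
                     f"{pool_net.network_address} {pool_net.netmask}")
    lines += ["nat (inside) 0 access-list nonat",
              "sysopt connection permit-vpn",
              "management-access inside"]
    return lines

def core_switch_route(first, last, asa_inside_ip):
    """IOS static route the core switch needs so replies for pool addresses go back to the ASA."""
    pool_net = covering_network(first, last)
    return f"ip route {pool_net.network_address} {pool_net.netmask} {asa_inside_ip}"

if __name__ == "__main__":
    print("overlap:", pool_overlaps_inside(*OLD_POOL, INSIDE_SUBNETS))   # the failing setup
    print("\n".join(asa_pool_config("vpnpool", *NEW_POOL, INSIDE_SUBNETS)))
    print(core_switch_route(*NEW_POOL, ASA_INSIDE_IP))
```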
