IPSEC VPN Setup on ASA 5510

Unanswered Question
May 13th, 2011

I know I'm missing something really simple here, but I'm a relative newbie to Cisco, so bear with me.

We're in the process of setting up an ASA 5510 as our main VPN appliance.

The Outside interface of the 5510 faces our DMZ, the Inside interface sits on our main network.  The 5510 uses radius for authentication going to a server on the same subnet for the authentication.  That works fine.  VPN client can connect to the 5510 and successfully authenticate.  Routes are passed through to the VPN client, no problem.  PC with VPN client can access internet (which is by design, it should use its own internet connection), but cannot ping/access/trace over the tunnel at all.

My hunch is that this is a nat issue - but I am confused as to how the NAT should be configured - I've tried several configurations with no luck.

The VPN client is set to pull an ip address from the pool - 192.168.56.10 - 100.  The 5510 is sitting on a separate subnet (50.x/22).  This seems to work on the Cisco 1700 that it will be replacing just fine.  I mirrored routes and ACLs as well onto the new 5510.  No luck.  Client connects, authenticates, pulls an IP address and routes, but can't see anything on the inside of the 5510. 

Any thoughts would be appreciated. 

Thanks!

Kevin Yudong Wu Fri, 05/13/2011 - 09:58

1. In general, you need to bypass NAT for the VPN traffic to the client.

On the ASA, you need to add something similar to the following.

access-list nonat permit ip 192.168.50.0 255.255.252.0 192.168.56.0 255.255.255.0

nat (inside) 0 access-list nonat

2. Check the routing and make sure the internal network knows to send the packet to the ASA if it needs to reach 192.168.56.0.

klombard@henryp... Fri, 05/13/2011 - 10:39

Tried that with no luck.  Still connecting, authenticating, pulling routes, but no traffic.  Checked the client - it isn't receiving any packets.  It's sending packets, showing some as encrypted, but most are bypassed.  Here's the config:

ASA Version 8.2(1)

!

hostname ASAVPN

names

!

interface Ethernet0/0

nameif Outside

security-level 0

ip address 255.255.255.240

!

interface Ethernet0/1

nameif Inside

security-level 100

ip address 192.168.50.5 255.255.252.0

!

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

shutdown

no nameif

no security-level

no ip address

!

ftp mode passive

access-list hpcovpn04_splitTunnelAcl standard permit 192.168.48.0 255.255.252.0

access-list hpcovpn04_splitTunnelAcl standard permit 192.168.36.0 255.255.255.0

access-list hpcovpn04_splitTunnelAcl standard permit 192.168.52.0 255.255.255.0

access-list hpcovpn04_splitTunnelAcl standard permit 192.168.53.0 255.255.255.0

access-list hpcovpn04_splitTunnelAcl standard permit 192.168.54.0 255.255.255.0

access-list hpcovpn04_splitTunnelAcl standard permit 192.168.66.0 255.255.255.0

access-list hpcovpn04_splitTunnelAcl standard permit host

access-list hpcovpn04_splitTunnelAcl standard permit 192.168.64.0 255.255.255.0

access-list hpcovpn04_splitTunnelAcl standard permit 192.168.65.0 255.255.255.0

access-list Inside_nat0_outbound extended permit ip 192.168.48.0 255.255.252.0 192.168.56.0 255.255.255.0

access-list nonat extended permit ip 192.168.48.0 255.255.252.0 192.168.56.0 255.255.255.0

pager lines 24

mtu Outside 1500

mtu Inside 1500

ip local pool DIAL-IN 192.168.56.10-192.168.56.254 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

nat-control

nat (Inside) 0 access-list nonat

route Outside 0.0.0.0 0.0.0.0 12.54.190.17 1

route Inside 192.168.32.0 255.255.240.0 192.168.50.1 1

route Inside 192.168.52.0 255.255.252.0 192.168.48.5 1

route Inside 192.168.56.0 255.255.255.0 1

route Inside 192.168.64.0 255.255.255.0 192.168.50.2 1

route Inside 192.168.65.0 255.255.255.0 192.168.50.2 1

route Inside 192.168.66.0 255.255.255.0 192.168.48.5 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa-server RADIUS protocol radius

aaa-server RADIUS (Inside) host 192.168.xx.xx

timeout 5

key xxx

http server enable

http 192.168.48.0 255.255.252.0 Inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map Outside_map interface Outside

crypto isakmp enable Outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet 192.168.48.0 255.255.252.0 Inside

telnet timeout 5

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

anyconnect-essentials

group-policy DfltGrpPolicy attributes

vpn-tunnel-protocol webvpn

group-policy hpcovpn04 internal

group-policy hpcovpn04 attributes

dns-server value 192.168.xx.xx 192.168.xx.xx

vpn-tunnel-protocol IPSec l2tp-ipsec

ipsec-udp enable

split-tunnel-policy tunnelspecified

split-tunnel-network-list value hpcovpn04_splitTunnelAcl

default-domain value henrypratt.com

tunnel-group hpcovpn04 type remote-access

tunnel-group hpcovpn04 general-attributes

address-pool DIAL-IN

authentication-server-group RADIUS

default-group-policy ourpolicy

tunnel-group ourpolicy ipsec-attributes

pre-shared-key *

!

!

prompt hostname context

Cryptochecksum:beee0e013866150a3079f917676574fd

: end
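
As an added example (not part of the thread, and not the poster's configuration), the following Python script does the check Kevin describes in his first reply against a config in the form posted above: it parses the split-tunnel ACL, the nat 0 ACL and the address pool, and lists every network the client is told to tunnel that has no NAT-exempt entry toward the pool. The sample config is constructed from the posted lines and shortened; the ACL and pool names are the posted ones, and the `check` helper and its argument names are mine.

```python
import ipaddress
import re

# Constructed sample, modelled on the ASA 8.2 config posted in the thread
# (shortened; not the poster's complete configuration).
SAMPLE_CONFIG = """
access-list hpcovpn04_splitTunnelAcl standard permit 192.168.48.0 255.255.252.0
access-list hpcovpn04_splitTunnelAcl standard permit 192.168.36.0 255.255.255.0
access-list hpcovpn04_splitTunnelAcl standard permit 192.168.52.0 255.255.255.0
access-list hpcovpn04_splitTunnelAcl standard permit 192.168.64.0 255.255.255.0
access-list nonat extended permit ip 192.168.48.0 255.255.252.0 192.168.56.0 255.255.255.0
ip local pool DIAL-IN 192.168.56.10-192.168.56.254 mask 255.255.255.0
nat (Inside) 0 access-list nonat
"""

STD_NET_RE = re.compile(r"^access-list (\S+) standard permit (\d[\d.]+) (\d[\d.]+)$")
STD_HOST_RE = re.compile(r"^access-list (\S+) standard permit host (\S+)$")
EXT_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
POOL_RE = re.compile(r"^ip local pool \S+ (\S+)-(\S+) mask (\S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")


def parse_config(text):
    """Pull standard ACLs, extended ip ACLs, the pool subnet and nat 0 bindings out of a config."""
    std_acls, ext_acls, nat0 = {}, {}, {}
    pool = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := STD_NET_RE.match(line):
            std_acls.setdefault(m[1], []).append(ipaddress.ip_network(f"{m[2]}/{m[3]}"))
        elif m := STD_HOST_RE.match(line):
            std_acls.setdefault(m[1], []).append(ipaddress.ip_network(f"{m[2]}/32"))
        elif m := EXT_RE.match(line):
            ext_acls.setdefault(m[1], []).append(
                (ipaddress.ip_network(f"{m[2]}/{m[3]}"), ipaddress.ip_network(f"{m[4]}/{m[5]}")))
        elif m := POOL_RE.match(line):
            # the nat 0 ACL must name the pool's enclosing subnet (or wider) as destination
            pool = ipaddress.ip_network(f"{m[1]}/{m[3]}", strict=False)
        elif m := NAT0_RE.match(line):
            nat0[m[1]] = m[2]          # interface -> ACL used for NAT exemption
    return std_acls, ext_acls, nat0, pool


def uncovered_networks(split_nets, exempt_pairs, pool):
    """Split-tunnel networks that no NAT-exempt (src, dst) pair fully covers toward the pool.

    A network only counts as covered when one exempt entry contains all of it
    and all of the pool; partial overlap is reported as uncovered on purpose."""
    return [net for net in split_nets
            if not any(net.subnet_of(src) and pool.subnet_of(dst) for src, dst in exempt_pairs)]


def check(text, split_acl_name, nat_interface="Inside"):
    """Return the split-tunnel networks (as strings) that the nat 0 ACL does not exempt."""
    std_acls, ext_acls, nat0, pool = parse_config(text)
    if pool is None or nat_interface not in nat0:
        raise ValueError("no address pool or no 'nat (iface) 0 access-list' line found")
    exempt = ext_acls.get(nat0[nat_interface], [])
    return [str(n) for n in uncovered_networks(std_acls.get(split_acl_name, []), exempt, pool)]


if __name__ == "__main__":
    for net in check(SAMPLE_CONFIG, "hpcovpn04_splitTunnelAcl"):
        print(f"tunnelled but not NAT-exempt toward the pool: {net}")
```

Against the config as posted this reports 192.168.36.0/24, 192.168.52.0/24 and 192.168.64.0/24 (the full split-tunnel ACL would add 53, 54, 65 and 66 too). Widening the nonat source to 192.168.48.0/20, which the later packet-tracer output shows was done, still leaves 192.168.36.0/24 and 192.168.64.0/24 through 192.168.66.0/24 out. With nat-control on and no other nat rule for Inside, replies from those networks to the pool have no translation group and are dropped, and translating them would not help either, since the client would then see a NATed server address. Unrelated to the connectivity problem, but worth fixing while the config is open: the dynamic crypto map still offers the esp-des and esp-md5-hmac transform sets and the IKE policy is 3DES/SHA-1/group 2; trim the list to the AES/SHA sets.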

Kevin Yudong Wu Fri, 05/13/2011 - 10:49

I am not sure why you have this entry.

route Inside 192.168.56.0 255.255.255.0 1

It should be route outside .......

You don't have any internal network which overlaps with the VPN client IP pool 192.168.56.x?

Issue a ping from client to an internal host and then check "show cry ipsec sa" to see if decrypt/encry count is incrementing?

Issue a ping from internal host to vpn client and then check "show cry ipsec sa" to see if decrypt/encry count is incrementing? also check vpn client statistics to see if encry/decry count incrementing as well.

klombard@henryp... Fri, 05/13/2011 - 11:02

Encrypting on the client is escalating, as is bypassed.  On the router, there's active pinging from the client to internal, decrypt packets go up.  When going internal to client, no activity.  No errors.  No encryption or encapsulation on the 5510 and nothing received on the client. 

klombard@henryp... Fri, 05/13/2011 - 11:06

interface: Outside

    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr:

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

      remote ident (addr/mask/prot/port): (192.168.56.10/255.255.255.255/0/0)

      current_peer: , username: xxxx

      dynamic allocated peer ip: 192.168.56.10

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

      #pkts decaps: 21, #pkts decrypt: 21, #pkts verify: 21

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: /10000, remote crypto endpt.: /10000

      path mtu 1500, ipsec overhead 82, media mtu 1500

      current outbound spi: A08643E8

    inbound esp sas:

      spi: 0x3B849C45 (998546501)

         transform: esp-aes esp-sha-hmac no compression

         in use settings ={RA, Tunnel,  UDP-Encaps, }

         slot: 0, conn_id: 20480, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

         sa timing: remaining key lifetime (sec): 28585

         IV size: 16 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x003FFFFF

    outbound esp sas:

      spi: 0xA08643E8 (2693153768)

         transform: esp-aes esp-sha-hmac no compression

         in use settings ={RA, Tunnel,  UDP-Encaps, }

         slot: 0, conn_id: 20480, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

         sa timing: remaining key lifetime (sec): 28584

         IV size: 16 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x00000001

Kevin Yudong Wu Fri, 05/13/2011 - 11:22

If you don't see the encrypt count incrementing in "show cry ipsec sa" when you ping from an internal host to the VPN client, it indicates that the packet from the internal host either did not reach the ASA or did not enter the tunnel for some reason.

Do a packet capture on Inside interface to see if the packet reach inside interface

1. define an ACL

2. then use the capture command to apply the ACL to the inside interface.

If you don't see the packet in the capture, you need to check the routing to see why the inside host did not forward the packet to the ASA.

If you do see the packet, use the "packet-tracer" command to see how the ASA handles it after receiving it on the inside interface.
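
An added example, not from the thread: a small parser for the per-SA counters in "show crypto ipsec sa" plus the decision table from Kevin's reply, written to compare two snapshots taken around a test ping so counts left over from before the test do not confuse the reading. The snapshots are constructed from the output posted above, with the peer and endpoint details left out; the category names returned by `diagnose` are mine. Direction matters when reading them: encaps/encrypt count packets the ASA sends toward the client, decaps/decrypt count packets it receives from the client, so the posted 0/21 means the client's pings arrive and the replies never enter the tunnel.

```python
import re

# Constructed snapshots of one SA, taken before and after a ping from the
# client to an inside host; the numbers follow the output posted in the thread.
SA_BEFORE = """
      remote ident (addr/mask/prot/port): (192.168.56.10/255.255.255.255/0/0)
      dynamic allocated peer ip: 192.168.56.10
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #send errors: 0, #recv errors: 0
"""
SA_AFTER = """
      remote ident (addr/mask/prot/port): (192.168.56.10/255.255.255.255/0/0)
      dynamic allocated peer ip: 192.168.56.10
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 21, #pkts decrypt: 21, #pkts verify: 21
      #send errors: 0, #recv errors: 0
"""

COUNTER_RE = re.compile(r"#pkts (encaps|decaps|encrypt|decrypt): (\d+)")
ERROR_RE = re.compile(r"#(send|recv) errors: (\d+)")
PEER_RE = re.compile(r"dynamic allocated peer ip: (\S+)")


def parse_sa(text):
    """Counters for one SA block: peer, encaps/decaps/encrypt/decrypt, send/recv errors."""
    sa = {"peer": None}
    if m := PEER_RE.search(text):
        sa["peer"] = m[1]
    for name, value in COUNTER_RE.findall(text):
        sa[name] = int(value)
    for name, value in ERROR_RE.findall(text):
        sa[f"{name}_errors"] = int(value)
    return sa


def diagnose(before, after):
    """Classify the tunnel from the counter deltas around a test ping.

    encaps = packets the ASA encrypted toward the client (inside -> client),
    decaps = packets it decrypted from the client (client -> inside)."""
    d_enc = after["encaps"] - before["encaps"]
    d_dec = after["decaps"] - before["decaps"]
    if (after["send_errors"] > before["send_errors"]
            or after["recv_errors"] > before["recv_errors"]):
        return "sa-errors", "send/recv errors grew; check the SA itself (MTU, rekey, replay) first"
    if d_enc and d_dec:
        return "ok", "both directions use the tunnel; look above IP (host firewall, DNS, application)"
    if d_dec and not d_enc:
        return "no-return-path", ("client packets are decrypted but nothing is encrypted back: the reply "
                                  "never reached the inside interface or did not match the tunnel "
                                  "(inside routing toward the pool, NAT exemption, interface ACL)")
    if d_enc and not d_dec:
        return "no-forward-path", "ASA encrypts toward the client but gets nothing back: check the client side"
    return "not-tunnelled", "no packets either way: the test traffic is not selected for the tunnel at all"


if __name__ == "__main__":
    code, detail = diagnose(parse_sa(SA_BEFORE), parse_sa(SA_AFTER))
    print(f"{code}: {detail}")
```

Pinging from the ASA itself, as was tried later in the thread, is a different test: the ASA originates the packet, so the encrypt counter climbs regardless of whether the internal routers can reach the pool, which is why that ping looked healthier than the one from an inside host.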

klombard@henryp... Fri, 05/13/2011 - 11:32

Seems like when I do the packet trace, everything is being blocked by an implicit incoming rule on the Inside interface: 

Source: any Dest: any Service: ip Action:Deny

There is a rule just above that:

Source any Dest: any Service ip Action: Permit

klombard@henryp... Fri, 05/13/2011 - 11:34

I've tried putting rules above it to permit everything, but the packet still gets dropped and ASDM points to that rule as the problem.

klombard@henryp... Fri, 05/13/2011 - 11:39

ran a debug and saw this when the client connects:

Automatic NAT Detection Status:     Remote end is NOT behind a NAT device     This end is NOT behind a NAT device

klombard@henryp... Fri, 05/13/2011 - 11:42

With packet trace, I can go from the 192.168.50 network to the 192.168.56. network without a problem.  When I try to go to from the 192.168.56 network to anywhere on the internal network, the packet gets dropped by a rule.

klombard@henryp... Fri, 05/13/2011 - 11:17

When I ping from the 5510 to the vpn client (56.10), I get no response, but looking at the ipsec, there are encrypted packets sent.  I can ping the network fine from the 5510 on both sides.  I am noticing now that the vpn connection seems to drop after a few minutes.


Kevin Yudong Wu Fri, 05/13/2011 - 11:46

please run the capture on the Inside interface first to confirm that the packet is received when you ping from an internal host to the client.

klombard@henryp... Fri, 05/13/2011 - 11:51

ASAVPN# packet input outside tcp 192.168.49.29 http 192.168.56.10 http detaile$

Phase: 1

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

Config:

Additional Information:

Found no matching flow, creating a new flow

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   192.168.56.10   255.255.255.255 Outside

Phase: 3

Type: ACCESS-LIST

Subtype:

Result: DROP

Config:

Implicit Rule

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xab7b0000, priority=111, domain=permit, deny=true

        hits=1, user_data=0x0, cs_id=0x0, flags=0x4000, protocol=0

        src ip=0.0.0.0, mask=0.0.0.0, port=0

        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Result:

input-interface: Outside

input-status: up

input-line-status: up

output-interface: Outside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

------------
ASAVPN# packet input inside tcp 192.168.56.10 http 192.168.49.29 http detailed
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.48.0    255.255.252.0   Inside
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xab7f6650, priority=111, domain=permit, deny=true
        hits=9, user_data=0x0, cs_id=0x0, flags=0x4000, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Result:
input-interface: Inside
input-status: up
input-line-status: up
output-interface: Inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
------------------------------
ASAVPN# packet input inside tcp 192.168.49.29 http 192.168.56.10 http detailed
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.56.10   255.255.255.255 Outside
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Inside_access_in in interface Inside
access-list Inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object udp
protocol-object tcp
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xac019928, priority=12, domain=permit, deny=false
        hits=3, user_data=0xa89f6e40, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xab7f8420, priority=0, domain=permit-ip-option, deny=true
        hits=191, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 5
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
nat-control
  match ip Inside 192.168.48.0 255.255.252.0 Outside 192.168.56.0 255.255.255.0
    NAT exempt
    translate_hits = 4, untranslate_hits = 29
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xabfaa238, priority=6, domain=nat-exempt, deny=false
        hits=3, user_data=0xabd9c480, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip=192.168.48.0, mask=255.255.252.0, port=0
        dst ip=192.168.56.0, mask=255.255.255.0, port=0, dscp=0x0
Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (Inside) 0 0.0.0.0 0.0.0.0
nat-control
  match ip Inside any Outside any
    no translation group, implicit deny
    policy_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xac01aba8, priority=0, domain=nat, deny=false
        hits=3, user_data=0xac01aae8, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (Inside) 0 0.0.0.0 0.0.0.0
nat-control
  match ip Inside any Outside any
    no translation group, implicit deny
    policy_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xabd9bb98, priority=0, domain=host, deny=false
        hits=137, user_data=0xac01aae8, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 8
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0xac00e338, priority=70, domain=encrypt, deny=false
        hits=2, user_data=0x2f37c, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=192.168.56.10, mask=255.255.255.255, port=0, dscp=0x0
Phase: 9
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in  id=0xabf0ba20, priority=69, domain=ipsec-tunnel-flow, deny=false
        hits=2, user_data=0x31afc, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=192.168.56.10, mask=255.255.255.255, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in  id=0xab7b1dd0, priority=0, domain=permit-ip-option, deny=true
        hits=449, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 577, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_encrypt
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_ipsec_tunnel_flow
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Result:
input-interface: Inside
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: allow
---------------
ASAVPN# packet input outside tcp 192.168.49.29 http 192.168.56.10 http detaile$
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.56.0    255.255.255.0   Outside
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xab7b0000, priority=111, domain=permit, deny=true
        hits=2, user_data=0x0, cs_id=0x0, flags=0x4000, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Result:
input-interface: Outside
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

klombard@henryp... Fri, 05/13/2011 - 11:51

Not sure how to do the capture, but when I do a ping from internal to the client, the client receives encrypted packets.

Kevin Yudong Wu Fri, 05/13/2011 - 11:57


Please use

packet input inside tcp 192.168.49.29 http 192.168.56.10 http detaile

We are troubleshooting the direction from the internal host to the VPN client.

access-list cap permit ip host 192.168.56.0 255.255.255.0

access-list cap permit ip 192.168.56.0 255.255.255.0 host

capture in access-list cap interface Inside

Then issue the ping from the internal host to the VPN client.

show capture in    <<< will list the packets captured.
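
As an added example (not from the thread), the script below parses packet-tracer output like the four traces posted above and summarises the verdict: which phase dropped the packet and why, which interface the destination routes out of, and whether the input and output interfaces are the same. That last flag is the tell for a trace injected on the wrong interface, as in the first posted trace, where an inside host's packet was fed in on Outside: the ASA will not hairpin without `same-security-traffic permit intra-interface`, and the interface ACL (here the implicit deny, since no access-group is bound to Outside) is evaluated before any VPN handling. A real packet from the client arrives on Outside encrypted and, with `sysopt connection permit-vpn` (the 8.2 default), is exempt from the Outside ACL after decryption, so a cleartext trace on Outside is not a valid stand-in for it. The two samples are constructed abridgements of the posted traces; the field names in the returned dict are mine.

```python
# Constructed, abridged copies of two traces posted in the thread.
TRACE_DROPPED = """
ASAVPN# packet-tracer input outside tcp 192.168.49.29 http 192.168.56.10 http detailed
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Additional Information:
in   192.168.56.10   255.255.255.255 Outside
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Result:
input-interface: Outside
output-interface: Outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""
TRACE_ALLOWED = """
ASAVPN# packet-tracer input inside tcp 192.168.49.29 http 192.168.56.10 http detailed
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Additional Information:
in   192.168.56.10   255.255.255.255 Outside
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Inside_access_in in interface Inside
Phase: 5
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Phase: 8
Type: VPN
Subtype: encrypt
Result: ALLOW
Result:
input-interface: Inside
output-interface: Outside
Action: allow
"""


def parse_packet_tracer(text):
    """Split packet-tracer output into its numbered phases plus the final Result summary."""
    phases, summary, cur, in_summary = [], {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Phase:"):
            cur = {"phase": int(line.split(":", 1)[1]), "type": "", "subtype": "",
                   "result": "", "route_iface": None}
            phases.append(cur)
            in_summary = False
        elif line == "Result:":                 # a bare "Result:" opens the summary block
            cur, in_summary = None, True
        elif in_summary and ":" in line:
            key, value = line.split(":", 1)
            summary[key.strip()] = value.strip()
        elif cur is not None:
            for key in ("type", "subtype", "result"):
                if line.lower().startswith(key + ":"):
                    cur[key] = line.split(":", 1)[1].strip()
            if cur["type"] == "ROUTE-LOOKUP" and line.startswith("in "):
                cur["route_iface"] = line.split()[-1]   # interface the destination routes out of
    return phases, summary


def triage(text):
    """Where the packet died, and whether the trace was injected on a sensible interface."""
    phases, summary = parse_packet_tracer(text)
    drop = next((p for p in phases if p["result"] == "DROP"), None)
    return {
        "action": summary.get("Action"),
        "drop_phase": (drop["type"] + (" " + drop["subtype"] if drop["subtype"] else "")) if drop else None,
        "drop_reason": summary.get("Drop-reason"),
        "egress": next((p["route_iface"] for p in phases if p["route_iface"]), None),
        # same interface in and out: the flow would have to hairpin, which almost
        # always means the trace was fed in on the wrong interface
        "hairpin": summary.get("input-interface") == summary.get("output-interface"),
    }
```

The ROUTE-LOOKUP line in both traces, `192.168.56.10 255.255.255.255 Outside`, is the host route the ASA installs on the tunnel interface for each connected client, which is why the inside-to-client trace already routes correctly and why the static `route Inside 192.168.56.0` entry in the posted config was not what stopped the return traffic: the packets were not reaching the ASA at all, as the capture then showed.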

klombard@henryp... Fri, 05/13/2011 - 12:17

Phase: 1

Type: CAPTURE

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xac00ec78, priority=12, domain=capture, deny=false

        hits=4099, user_data=0xabf59c30, cs_id=0x0, l3_type=0x0

        src mac=0000.0000.0000, mask=0000.0000.0000

        dst mac=0000.0000.0000, mask=0000.0000.0000

Phase: 2

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xab7f5c10, priority=1, domain=permit, deny=false

        hits=42154, user_data=0x0, cs_id=0x0, l3_type=0x8

        src mac=0000.0000.0000, mask=0000.0000.0000

        dst mac=0000.0000.0000, mask=0000.0000.0000

Phase: 3

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

Config:

Additional Information:

Found no matching flow, creating a new flow

Phase: 4

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   192.168.56.10   255.255.255.255 Outside

Phase: 5

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xab7f8420, priority=0, domain=permit-ip-option, deny=true

        hits=332, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

        src ip=0.0.0.0, mask=0.0.0.0, port=0

        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 6

Type: CAPTURE

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xabfaa3a8, priority=12, domain=capture, deny=false

        hits=1, user_data=0xabf59c30, cs_id=0xab7b4ed8, reverse, flags=0x0, protocol=0

        src ip=192.168.49.29, mask=255.255.255.255, port=0

        dst ip=192.168.56.0, mask=255.255.255.0, port=0, dscp=0x0

Phase: 7

Type: NAT-EXEMPT

Subtype:

Result: ALLOW

Config:

nat-control

  match ip Inside 192.168.48.0 255.255.240.0 Outside 192.168.56.0 255.255.255.0

    NAT exempt

    translate_hits = 2, untranslate_hits = 0

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xabdab5a8, priority=6, domain=nat-exempt, deny=false

        hits=1, user_data=0xac019ab8, cs_id=0x0, use_real_addr, flags=0x0, protocol=0

        src ip=192.168.48.0, mask=255.255.240.0, port=0

        dst ip=192.168.56.0, mask=255.255.255.0, port=0, dscp=0x0

Phase: 8

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (Inside) 0 0.0.0.0 0.0.0.0

nat-control

  match ip Inside any Outside any

    no translation group, implicit deny

    policy_hits = 2

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xac01aba8, priority=0, domain=nat, deny=false

        hits=8, user_data=0xac01aae8, cs_id=0x0, flags=0x0, protocol=0

        src ip=0.0.0.0, mask=0.0.0.0, port=0

        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 9

Type: NAT

Subtype: host-limits

Result: ALLOW

Config:

nat (Inside) 0 0.0.0.0 0.0.0.0

nat-control

  match ip Inside any Outside any

    no translation group, implicit deny

    policy_hits = 2

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xabd9bb98, priority=0, domain=host, deny=false

        hits=277, user_data=0xac01aae8, cs_id=0x0, reverse, flags=0x0, protocol=0

        src ip=0.0.0.0, mask=0.0.0.0, port=0

        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 10

Type: VPN

Subtype: encrypt

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

out id=0xabfa9e58, priority=70, domain=encrypt, deny=false

        hits=1, user_data=0x32634, cs_id=0x0, reverse, flags=0x0, protocol=0

        src ip=0.0.0.0, mask=0.0.0.0, port=0

        dst ip=192.168.56.10, mask=255.255.255.255, port=0, dscp=0x0

Phase: 11

Type: VPN

Subtype: ipsec-tunnel-flow

Result: ALLOW

Config:

Additional Information:

Reverse Flow based lookup yields rule:

in  id=0xabfa9940, priority=69, domain=ipsec-tunnel-flow, deny=false

        hits=1, user_data=0x34354, cs_id=0x0, reverse, flags=0x0, protocol=0

        src ip=192.168.56.10, mask=255.255.255.255, port=0

        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 12

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Reverse Flow based lookup yields rule:

in  id=0xab7b1dd0, priority=0, domain=permit-ip-option, deny=true

        hits=534, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

        src ip=0.0.0.0, mask=0.0.0.0, port=0

        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 13

Type: CAPTURE

Subtype:

Result: ALLOW

Config:

Additional Information:

Reverse Flow based lookup yields rule:

out id=0xac0197f8, priority=12, domain=capture, deny=false

        hits=0, user_data=0xabf59c30, cs_id=0xab7b4ed8, reverse, flags=0x0, protocol=0

        src ip=192.168.56.0, mask=255.255.255.0, port=0

        dst ip=192.168.49.29, mask=255.255.255.255, port=0, dscp=0x0

Phase: 14

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 800, packet dispatched to next module

Module information for forward flow ...

snp_fp_tracer_drop

snp_fp_inspect_ip_options

snp_fp_tcp_normalizer

snp_fp_translate

snp_fp_adjacency

snp_fp_encrypt

snp_fp_fragment

snp_ifc_stat

Module information for reverse flow ...

snp_fp_tracer_drop

snp_fp_inspect_ip_options

snp_fp_ipsec_tunnel_flow

snp_fp_translate

snp_fp_tcp_normalizer

snp_fp_adjacency

snp_fp_fragment

snp_ifc_stat

Result:

input-interface: Inside

input-status: up

input-line-status: up

output-interface: Outside

output-status: up

output-line-status: up

Action: allow

klombard@henryp... Fri, 05/13/2011 - 12:19

1 packet captured

   1: 11:12:44.525455 192.168.49.29.80 > 192.168.56.10.80: S 1864813813:1864813813(0) win 8192

1 packet shown

Captured packet showed up after I ran the packet trace.

Kevin Yudong Wu Fri, 05/13/2011 - 12:24

Ok, so the problem is that the packet did not reach the ASA inside interface when the internal host sent the traffic to the VPN client.

You need to check your internal network hop by hop to see why the packet is not forwarded to the ASA.

klombard@henryp... Fri, 05/13/2011 - 12:49

Ok,

I added a route on another router and now I can ping between the vpn client and the internal network - but nothing else.   Can't view intranet, browse file shares, etc.

Kevin Yudong Wu Fri, 05/13/2011 - 14:50

Ok. At least we made some progress.

If the server is pingable, the VPN client does have IP connectivity. You might need to check if DNS works or not.

From your configuration, you configured "default-group-policy ourpolicy" but I did not see any group-policy in the configuration with "ourpolicy".

After vpn client is UP, you can try if you can reach the internal server via DNS name.
