×

Warning message

  • Cisco Support Forums is in Read Only mode while the site is being migrated.
  • Cisco Support Forums is in Read Only mode while the site is being migrated.

Issues with IPSec VPN Remote Access

Answered Question
Jan 24th, 2014
User Badges:

Dear Experts,


Kindly assist me with this Remote Access VPN issue.


I have configured IPSec Remote Access VPN, using the wizard. The remote client connects to the  Headquarters quite fine, obtains defined IP Address, sends packets and Bytes, BUT does not receive any Bytes nor decrypt any packet. Rather, the counter for discarded keeps rising.


What could be possibly responsible, or what other configuration needs to be done on the ASA for the connection to be completely functional?


It may help to state that Anyconnect VPN is configured on the same Outside Interface on the ASA, and it is still functional. Could that be the reason?


Anyconnect VPN is being used by Staff for Remote Access.



Kindly assist.


Thank you.

Correct Answer by Jouni Forss about 3 years 6 months ago

Hi,


So if I understand correctly you for example have an interface for LAN and WAN and naturally the destination networks which you want to reach through the VPN Client connection are all located behind the LAN interface.


In that case the NAT0 configuration with your newer software would look something like this


object-group network LAN-NETWORKS-VPN

network-object

network-object

network-object


object network VPN-POOL

subnet


nat (LAN,WAN) 1 source static LAN-NETWORKS-VPN LAN-NETWORKS-VPN destination static VPN-POOL VPN-POOL


Naturally the naming of interfaces and objects could be different. In this case its simply meant to illustrate the purpose of the object or the interface.


I am naturally not sure if the NAT0 configuration is the problem though I can't really say anything for certain as I can't see the configuration.



As to the other question,


I have not set up an ASA to use 2 WAN interfaces in such a way in production environments as in those cases customer usually has separate platforms for both or we might be hosting/providing the service for them.


I would imagine that there is ways to do this but the main problem is the routing. Essentially we know that VPN Client connections can come from pretty much any public source IP address and in that case we would need default route pointing towards the VPN interface since its not really practical to configure separate routes for the IP address where the VPN Client connections would come from.


Then when we consider that we would also need default route on the INTERNET link on the ASA we run to the problem as we can not have 2 default routes on the same device active at the same time.


Naturally with your software level you would be able to use the NAT to get the result you wanted.


In short the requirements would be the following

  • VPN interface has default route, INTERNET interface has a lower value default route
  • NAT0 configuration between LAN and VPN interface to make sure this traffic is forwarded between these interface without NAT
  • A special NAT configuration between LAN and INTERNET interfaces which would essentially forward all traffic out of the INTERNET interface (except for the VPN traffic which we manipulated in the earlier step)


The above things would essentially let the VPN interface have the default route which would mean that no matter what the source IP address of the VPN Client it should be able to communicate with the ASA.


The NAT0 configuration purposes would be to force the ASA to pass this traffic between the LAN and VPN (pools) for the VPN traffic.


The special NAT configuration would then match traffic coming from LAN towards ANY destination address and forward it to INTERNET interface. After that decision is made the traffic would follow the lower value default route out through that interface.


I would say this is not really the ideal situation and configuration to use in a productin environment. It creates potentially a complex NAT configuration as you are using it to manipulate traffic instead of letting the routing table make the choice in the first place.


Naturally there might be other options but I would have to test such setup before I can say anything more for certain.


- Jouni

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
Jouni Forss Fri, 01/24/2014 - 05:26
User Badges:
  • Super Bronze, 10000 points or more

Hi,


I would look at the NAT0 configuration on the ASA first.


You will need a NAT0 configuration that specifies that the LAN networks will not be NATed when destined to the VPN user pool.


Are the SSL Client and IPsec Client using their own address pools for VPN?


- Jouni

sly007 Fri, 01/24/2014 - 05:33
User Badges:

Hello,


The various VPNs  Clients are using different POOLS for VPN connection.


As for the NAT0 configuration, please how do I configure that?

Jouni Forss Fri, 01/24/2014 - 05:38
User Badges:
  • Super Bronze, 10000 points or more

Hi,


Depends on your ASAs software level. The NAT configuration format is different depending on the software level. Change happened in the jump from 8.2 to 8,3 (and newer) softwares.


Also the configuration depends on are there more than 1 interface behind which LAN networks are located where the VPN Clients need to connect to?


- Jouni

sly007 Fri, 01/24/2014 - 05:48
User Badges:

Hello,


Thank you so much for the prompt response, I sincerely do appreciate it.


I am currently using ASA 5520 with IOS image of 8.4(5), and asdm 7.0(2)


There is ONLY one Interface which the Remote Networks need to connect to, and that same Interface is what i use to connect to the Internet.


Just a quick one, (a little digression, please). Is it possible to dedicate one  (outside or WAN) interface for VPN connections and another (Outside or WAN)  interface dedicated for Internet connection?


Thank you once again.

Correct Answer
Jouni Forss Fri, 01/24/2014 - 06:19
User Badges:
  • Super Bronze, 10000 points or more

Hi,


So if I understand correctly you for example have an interface for LAN and WAN and naturally the destination networks which you want to reach through the VPN Client connection are all located behind the LAN interface.


In that case the NAT0 configuration with your newer software would look something like this


object-group network LAN-NETWORKS-VPN

network-object

network-object

network-object


object network VPN-POOL

subnet


nat (LAN,WAN) 1 source static LAN-NETWORKS-VPN LAN-NETWORKS-VPN destination static VPN-POOL VPN-POOL


Naturally the naming of interfaces and objects could be different. In this case its simply meant to illustrate the purpose of the object or the interface.


I am naturally not sure if the NAT0 configuration is the problem though I can't really say anything for certain as I can't see the configuration.



As to the other question,


I have not set up an ASA to use 2 WAN interfaces in such a way in production environments as in those cases customer usually has separate platforms for both or we might be hosting/providing the service for them.


I would imagine that there is ways to do this but the main problem is the routing. Essentially we know that VPN Client connections can come from pretty much any public source IP address and in that case we would need default route pointing towards the VPN interface since its not really practical to configure separate routes for the IP address where the VPN Client connections would come from.


Then when we consider that we would also need default route on the INTERNET link on the ASA we run to the problem as we can not have 2 default routes on the same device active at the same time.


Naturally with your software level you would be able to use the NAT to get the result you wanted.


In short the requirements would be the following

  • VPN interface has default route, INTERNET interface has a lower value default route
  • NAT0 configuration between LAN and VPN interface to make sure this traffic is forwarded between these interface without NAT
  • A special NAT configuration between LAN and INTERNET interfaces which would essentially forward all traffic out of the INTERNET interface (except for the VPN traffic which we manipulated in the earlier step)


The above things would essentially let the VPN interface have the default route which would mean that no matter what the source IP address of the VPN Client it should be able to communicate with the ASA.


The NAT0 configuration purposes would be to force the ASA to pass this traffic between the LAN and VPN (pools) for the VPN traffic.


The special NAT configuration would then match traffic coming from LAN towards ANY destination address and forward it to INTERNET interface. After that decision is made the traffic would follow the lower value default route out through that interface.


I would say this is not really the ideal situation and configuration to use in a productin environment. It creates potentially a complex NAT configuration as you are using it to manipulate traffic instead of letting the routing table make the choice in the first place.


Naturally there might be other options but I would have to test such setup before I can say anything more for certain.


- Jouni

sly007 Fri, 01/24/2014 - 10:14
User Badges:

Hello Jouni,


I must say I am very grateful to you. Through your patience and guidance, I was able to figure out what the problem was.


I mistakenly used part of the subnet for the Internal Network as the External-Pool.


From your examples, I saw the misake and corrected it.


Using the VPN, i can access the Internal Resources.


Thank you so much.

Actions

This Discussion