ASA RA VPN, iPad, PC

scott.bridges
Level 1

Hello,

I apologize if this has already been asked.  If you see a thread asking this same question, please link.

I am currently overseas and wish to set up my home (US) ASA 5505 with two VPN profiles; one full tunnel, one split tunnel.  This would enable me to connect from either my PC or iPad and access my things at home (split-tunnel), or reach websites sourcing from my US address (full-tunnel).

I would prefer to go about this configuration via CLI as I am not too familiar with the GUI.

My first question is just a basic:  What am I going for?  Remote Access VPN with multiple groups?  AnyConnect?  Easy VPN?  I'm not sharp on the ASA platform, so any help would be appreciated.  I would very much like to use the iPad's built-in IPSEC VPN option (labeled "Cisco").

Thanks for any help

-Scott

ASA 5505 9.1(1)


scott.bridges
Level 1

I've been messing with the configuration and this is what I have.  I am able to successfully authenticate via my iPad and obtain an IP from the vpnPool.  However, I can only ping the inside interface IP (192.168.0.250), nothing else.

Right now I'm focusing on the Full Tunnel (hairpin) configuration.  I know I'm missing something with NAT, but I'm not sure what...

ip local pool vpnPool 192.168.0.210-192.168.0.220 mask 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.250 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
 no pim
!
boot system disk0:/asa911-k8.bin
!
access-list outsideIN extended permit icmp any4 any4 object-group DM_INLINE_ICMP_1
!
asdm image disk0:/asdm-711-52.bin
!
nat (inside,outside) source static VPN-SOURCE VPN-SOURCE destination static VPN-DESTINATION-1 VPN-DESTINATION-1
nat (inside,outside) source static VPN-SOURCE VPN-SOURCE destination static VPN-DESTINATION-2 VPN-DESTINATION-2
!
object network obj_any
 nat (inside,outside) dynamic interface
access-group outsideIN in interface outside
!
dynamic-access-policy-record DfltAccessPolicy
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-3DES-SHA
!
crypto ca trustpool policy
crypto isakmp nat-traversal 3600
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 130
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
!
dhcpd address 192.168.0.100-192.168.0.200 inside
dhcpd dns 4.2.2.6 4.2.2.2 interface inside
dhcpd domain local.lan interface inside
dhcpd update dns both interface inside
dhcpd enable inside
!
webvpn
 anyconnect-essentials
group-policy Full_Tunnel internal
group-policy Full_Tunnel attributes
 vpn-tunnel-protocol ssl-clientless
group-policy Split_Tunnel internal
group-policy Split_Tunnel attributes
 vpn-tunnel-protocol ssl-clientless
 webvpn
  smart-tunnel tunnel-policy tunnelspecified homeNetwork
username scott password .. encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
 address-pool vpnPool
tunnel-group DefaultRAGroup ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group groupFullTunnel type remote-access
tunnel-group groupFullTunnel general-attributes
 address-pool vpnPool
 default-group-policy Full_Tunnel
tunnel-group groupFullTunnel ipsec-attributes
 ikev1 pre-shared-key *****
!

Excuse all the random config.  I made the mistake of trying the wizard.  I prefer CLI.
Side note, can I remove those 'crypto ikev1 policy' statements?

Thanks for any help

One thing is that you will have connection issues because the VPN pool is on the same subnet as the inside network.  The inside network will think it is directly connected and never send the traffic to the ASA to be routed to the VPN.  To get around this you could either subnet the current IP allocation or assign a completely separate subnet to the VPN (192.168.1.0/24 for example).

As for the NAT I am uncertain what you mean by VPN-SOURCE and VPN-DESTINATION.  If the VPN-SOURCE is the VPN IP and VPN-DESTINATION is the LAN then the NAT statement is backwards and should read something like this:

nat (inside,outside) source static VPN-DESTINATION-1 VPN-DESTINATION-1 destination static VPN-SOURCE VPN-SOURCE

--
Please remember to select a correct answer and rate helpful posts

You need to exempt the VPN clients from NAT. Try adding:

object network lan-subnet
 subnet 192.168.0.0 255.255.255.0
nat (inside,outside) source static lan-subnet lan-subnet destination static lan-subnet lan-subnet

If that doesn't work have a look at this pdf guide -

http://www.vpntracker.com/cms_components/media/vpnt/VPNT_Interop_Howtos/1101/CiscoASA.pdf

It's for a Mac IPsec client but I've found that the configuration works perfectly well with the iPhone/iPad built-in Cisco IPsec client connecting to an ASA5505. The CLI commands are at the end of the document.

Thank you for the replies.

You're right in that I should have a different subnet for the vpnPool.  I changed it to this:

ip local pool vpnPool 192.168.1.200-192.168.1.220 mask 255.255.255.0

I also added the following lines based on second reply:

object network vpn-subnet
 subnet 192.168.1.0 255.255.255.0
nat (inside,outside) source static vpn-subnet vpn-subnet destination static vpn-subnet vpn-subnet

When I connect, I now obtain an IP from the new pool, but I'm in the same spot as before.  I can ping the inside interface IP, but that's it.

Marius, those VPN-SOURCE objects are defined for a site-to-site VPN I've been playing with.  I shouldn't have included that in this effort, my apologies.

I now get the following log message when I connect to the VPN and try to ping:

5  Aug 17 2013  14:10:03  305013  192.168.1.200  LOCAL  192.168.0.252
Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:192.168.1.200(LOCAL\scott) dst inside:192.168.0.252 (type 8, code 0) denied due to NAT reverse path failure

It's obviously a NAT issue, I'm just unsure of the solution...

Thanks again for the help

It is not necessary to have a different subnet but if you do then I think the statement should be:

nat (inside,outside) source static lan-subnet lan-subnet destination static vpn-subnet vpn-subnet

Look at the linked document I sent - it breaks down the process into steps that I think are easy to follow.

Thank you.  Very helpful PDF and it really outlines it for you.  I like that only the subject configuration is shown.

I can now connect with my iPad and ping internal IPs, which is a lot further than where I was.

Now I just need to figure out the hairpin part.  Allowing my iPad to use my firewall's connection as its source.

Is this also a simple NAT config?

Do you mean to give your VPN users internet access while using full tunneling? Then yes, you would need to do a NAT and also allow the ASA to send traffic out the same interface it was received on.

object network VPN
 subnet 192.168.1.0 255.255.255.0
 nat (outside,outside) dynamic interface
same-security-traffic permit intra-interface

--
Please remember to select a correct answer and rate helpful posts

Sweet!  That was it.  I can now browse from my iPad with my home ASA as the source.

Thank you both very much for the help!  I really need to read up on NAT; it's always been my weak point.  The syntax is boggling.

Thanks again
