Cisco Support Community
New Member

ASA RA VPN problem

Hi,

I am setting up an IPSec remote access on an ASA (7.2.2).

I am running into one strange issue.

There is a 192.168.1.0/24 network on the Inside interface (EDC-INT)

There is a 192.168.16.0/24 network on the DMZ interface (DMZ)

The VPN pool is 192.168.10.0/24 (EDC-EXT). NAT is disabled for the RA VPN pool and also the "sysopt connections permit-vpn" command is enabled.

After connecting from my VPN client, when I ping some device on the DMZ network, I am not able to reach it. Please find the ICMP trace below. It shows that the echo request comes from EDC-EXT to DMZ. But for some reason, the echo reply is sent from the DMZ to EDC-INT (inside interface). Why would the ASA decide that the 192.168.10.0/24 network should go to the Inside interface?

******************************************************

ICMP echo request from EDC-EXT:192.168.10.40 to DMZ:192.168.16.103 ID=1280 seq=2816 len=32

ICMP echo reply from DMZ:192.168.10.103 to EDC-INT:192.168.10.40 ID=1280 seq=2816 len=32

ICMP echo request from EDC-EXT:192.168.10.40 to DMZ: 192.168.10.103 ID=1280 seq=3072 len=32

ICMP echo reply from DMZ: 192.168.10.103 to EDC-INT:192.168.10.40 ID=1280 seq=3072 len=32

Routing table

***********************************************

C 20x.x0.x.1x 255.255.255.128 is directly connected, EDC-EXT

S 192.168.10.40 255.255.255.255 [1/0] via 206.80.2.129, EDC-EXT

C 172.31.32.0 255.255.255.252 is directly connected, Failover

C 172.31.31.0 255.255.255.252 is directly connected, State

C 127.0.0.0 255.255.0.0 is directly connected, cplane

C 192.168.16.0 255.255.255.0 is directly connected, DMZ

C 192.168.1.0 255.255.255.0 is directly connected, EDC-INT

S 192.168.32.0 255.255.255.0 [1/0] via 192.168.1.6, EDC-INT

S* 0.0.0.0 0.0.0.0 [1/0] via 20x.x0.x.1x, EDC-EXT

S 192.168.32.0 255.255.240.0 [1/0] via 192.168.1.6, EDC-INT

RA VPN Configuration

*********************************************

access-list EDC-ADMIN_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0

access-list EDC-ADMIN_splitTunnelAcl standard permit 10.50.0.0 255.255.0.0

access-list EDC-ADMIN_splitTunnelAcl standard permit 192.168.16.0 255.255.255.0

access-list EDC-ADMIN_splitTunnelAcl standard permit 192.168.32.0 255.255.240.0

access-list EDC-INT_nat0_outbound line 8 extended permit ip 192.168.16.0 255.255.255.0 192.168.10.0 255.255.255.0

access-list EDC-INT_nat0_outbound extended permit ip any 192.168.10.0 255.255.255.0

ip local pool Adminvpnpool 192.168.10.1-192.168.10.254 mask 255.255.255.0

group-policy EDC-ADMIN internal

group-policy EDC-ADMIN attributes

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value EDC-ADMIN_splitTunnelAcl

dns-server value 192.168.1.60

default-domain value xyz.com

tunnel-group EDC-ADMIN type ipsec-ra

tunnel-group EDC-ADMIN general-attributes

default-group-policy EDC-ADMIN

address-pool Adminvpnpool

tunnel-group EDC-ADMIN ipsec-attributes

pre-shared-key xyz

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto dynamic-map EDC-EXT_dyn_map 60 set pfs group2

crypto dynamic-map EDC-EXT_dyn_map 60 set transform-set ESP-3DES-SHA

*************************************************

Looking forward to an early response. Please help.

Regards,

Suresh

3 REPLIES
New Member

Re: ASA RA VPN problem

Hi,

There was a mistake in the ICMP trace. Please find the updated ICMP trace below.

Regards,

Suresh

******************************************************

ICMP echo request from EDC-EXT:192.168.10.40 to DMZ:192.168.16.103 ID=1280 seq=2816 len=32

ICMP echo reply from DMZ:192.168.16.103 to EDC-INT:192.168.10.40 ID=1280 seq=2816 len=32

ICMP echo request from EDC-EXT:192.168.10.40 to DMZ: 192.168.16.103 ID=1280 seq=3072 len=32

ICMP echo reply from DMZ: 192.168.16.103 to EDC-INT:192.168.10.40 ID=1280 seq=3072 len=32

Gold

Re: ASA RA VPN problem

This is probably a NAT issue.

you need a command like the following:

nat (dmz) 0 access-list nat0_acl

nat0_acl will match any traffic going to your vpn pool from your dmz.

New Member

Re: ASA RA VPN problem

Hi,

I do have nat exempt for the vpn pool.

These are the NAT statements:

nat (DMZ) 0 access-list EDC-INT_nat0_outbound

nat (EDC-INT) 0 access-list EDC-INT_nat0_outbound

nat (EDC-INT) 10 0.0.0.0 0.0.0.0

static (EDC-INT,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.0.0

Regards,

Suresh
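Added example, not part of the thread and not Cisco code: a small model of how a pre-8.3 ASA (the thread's 7.2.2 falls in that range) chooses the egress interface for a packet. The documented order on those releases is that a packet arriving on the mapped interface of a static translation, with a destination inside the static's mapped network, is sent out the static's real interface before the routing table is consulted. The routing table, the VPN pool and the `static (EDC-INT,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.0.0` line are copied from the posts above; the obfuscated 20x.x0.x.1x connected network is replaced by a constructed placeholder, since only its interface matters here. The check at the end lists which statics overlap the VPN pool, which is what a reviewer of this config would want to see first.

```python
"""Model of the ASA 7.x/8.2 egress-interface decision for the thread's echo reply.

Added illustration, not Cisco's code. Routing table, VPN pool and static
translation are taken from the thread; the 203.0.113.0/25 entry is a
constructed stand-in for the obfuscated 20x.x0.x.1x connected network.
"""
import ipaddress

# Routing table as posted (code, prefix, interface). Next hops are not needed
# for interface selection, so they are omitted.
ROUTES = [
    ("C", "203.0.113.0/25", "EDC-EXT"),   # constructed stand-in for 20x.x0.x.1x/25
    ("S", "192.168.10.40/32", "EDC-EXT"),
    ("C", "172.31.32.0/30", "Failover"),
    ("C", "172.31.31.0/30", "State"),
    ("C", "127.0.0.0/16", "cplane"),
    ("C", "192.168.16.0/24", "DMZ"),
    ("C", "192.168.1.0/24", "EDC-INT"),
    ("S", "192.168.32.0/24", "EDC-INT"),
    ("S", "0.0.0.0/0", "EDC-EXT"),
    ("S", "192.168.32.0/20", "EDC-INT"),
]

# static (real_if,mapped_if) mapped_ip real_ip netmask mask, from the third reply,
# stored as (real_if, mapped_if, mapped_net, real_net).
STATICS = [
    ("EDC-INT", "DMZ", "192.168.0.0/16", "192.168.0.0/16"),
]

VPN_POOL = ipaddress.ip_network("192.168.10.0/24")


def route_lookup(dst, routes=ROUTES):
    """Plain longest-prefix match over the routing table; returns the interface."""
    dst = ipaddress.ip_address(dst)
    best = None
    for _code, prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def static_egress(dst, ingress, statics=STATICS):
    """Pre-8.3 rule: a packet entering on a static's mapped interface whose
    destination lies in the mapped network leaves via the static's real
    interface. Returns that interface, or None if no static applies."""
    dst = ipaddress.ip_address(dst)
    for real_if, mapped_if, mapped_net, _real_net in statics:
        if ingress == mapped_if and dst in ipaddress.ip_network(mapped_net):
            return real_if
    return None


def egress_interface(dst, ingress, routes=ROUTES, statics=STATICS):
    """Static NAT match first, then the routing table (ASA 7.x/8.2 ordering)."""
    return static_egress(dst, ingress, statics) or route_lookup(dst, routes)


def statics_overlapping_pool(pool=VPN_POOL, statics=STATICS):
    """Config check: which static translations cover addresses of the VPN pool?"""
    hits = []
    for real_if, mapped_if, mapped_net, _real_net in statics:
        if ipaddress.ip_network(mapped_net).overlaps(pool):
            hits.append(f"static ({real_if},{mapped_if}) {mapped_net} overlaps {pool}")
    return hits


if __name__ == "__main__":
    # The echo reply from the corrected trace: DMZ:192.168.16.103 -> 192.168.10.40
    reply_dst, reply_ingress = "192.168.10.40", "DMZ"
    print("route lookup alone   :", route_lookup(reply_dst))
    print("with static NAT first:", egress_interface(reply_dst, reply_ingress))
    for line in statics_overlapping_pool():
        print("overlap:", line)
```

Run stand-alone, the route lookup alone picks EDC-EXT for 192.168.10.40 (the /32 host route), while the static-first ordering picks EDC-INT, which is the interface the posted trace shows the reply going to. The overlap check flags the /16 identity static as covering the pool; a practitioner reviewing the configuration would want a static that covers only the DMZ-reachable inside networks, or a pool outside the covered range, before looking further.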
