New Member

Cisco ASA: clients connect to VPN but have no route inside, need some help?

Hello Everyone...!

I have a Cisco ASA running IOS Version 8.0(4). Everyone in my company connects fine through the VPN Client, but they don't have routing.

I'm wondering why they connect to the VPN and then don't have any traffic inside.

Need some tips..

28 REPLIES
Cisco Employee

Re: Cisco ASA Clients connects to VPN but no route inside, need

Hello,

As per the problem description, I understand that you can connect via the VPN client; however, you cannot access anything on the inside?

Please let me know if the problem description is correct.

Also, for a better understanding of the issue, please answer the following questions:

[1] What is the VPN client that you are using?

[2] Are the NAT translations in place on the ASA?

[3] Have you configured split tunnel? Is the internal network included in it?

It would be great if you can attach the 'sh tech' output of ASA.

Thanks,

Shilpa

New Member

Re: Cisco ASA Clients connects to VPN but no route inside, need

Shilpa, answering your questions:

As per the problem description, I understand that you can connect via the VPN client; however, you cannot access anything on the inside? YES

[1] What is the VPN client that you are using? Cisco Systems VPN Client Version 5.0.04.0300

[2] Are the NAT translations in place on the ASA? Yes, I have a couple of NATs working in several rules.

[3] Have you configured split tunnel? Is the internal network included in it? The split tunneling is checked on the network list as Inherit, which means the whole network.

Is there a specific part of show tech that you want to see?

Thanks for your help

Cisco Employee

Re: Cisco ASA Clients connects to VPN but no route inside, need

Hi ,

Please paste the running config of the ASA here. You can remove the sensitive IP information.

Thanks,

Namit

Cisco Employee

Re: Cisco ASA Clients connects to VPN but no route inside, need

Hi,

I would like to check if you have a NAT exemption for the traffic from the inside network to the pool IP addresses of the clients. If it is not configured, then configure it and check if you are able to connect.

Also, once you are connected, you should be able to see that the route for reaching your client IP is via the outside interface. This can be checked by issuing "sh route".

Thanks,

Shilpa

New Member

Re: Cisco ASA Clients connects to VPN but no route inside, need

Guys, here is the running config.

thanks for your help

Cisco Employee

Re: Cisco ASA Clients connects to VPN but no route inside, need

Hi,

Once connected via VPN, is the host which you are trying to access connected directly to the ASA, or is there any device present between the inside host and the ASA?

If yes, make sure that you have a route on that device for the pool IP addresses pointing towards the ASA's inside IP.

Thanks,

Shilpa

New Member

Re: Cisco ASA Clients connects to VPN but no route inside, need

The core switch is attached directly to the ASA inside interface, but I can't even access the core; it's like the whole traffic is not routed.

Cisco Employee

Re: Cisco ASA Clients connects to VPN but no route inside, need

Hi,

After getting connected to the ASA via VPN, try to ping the ASA's inside IP address and let me know if you are able to ping.

Add the following commands:

[1] sysopt connection permit-vpn

[2] management-access inside

Let me know if you are able to ping:

[1] the ASA's inside IP address

[2] any host on the inside

When you say the whole traffic is not routed, can you please explain it briefly?

Thanks,

Shilpa

New Member

Re: Cisco ASA Clients connects to VPN but no route inside, need

I did the above commands but nothing happened.

When you say the whole traffic is not routed, can you please explain it briefly?

Answer: My first hop after the ASA's inside interface is the core switch. I'm trying to ping it but it doesn't work. If I can't get to the first hop, for sure I won't be able to get to the rest of the network.

Cisco Employee

Re: Cisco ASA Clients connects to VPN but no route inside, need

Hi,

Please provide the details of the tunnel you are trying to establish. Which tunnel-group ?

Regards,

Namit

Cisco Employee

Re: Cisco ASA Clients connects to VPN but no route inside, need

Once connected via VPN, give the following commands on the ASA and please paste the output:

show crypto ipsec sa peer

show vpn-sessiondb remote

New Member

Re: Cisco ASA Clients connects to VPN but no route inside, need

New Member

Re: Cisco ASA Clients connects to VPN but no route inside, need

Cisco Employee

Re: Cisco ASA Clients connects to VPN but no route inside, need

Hi ,

Please paste a screenshot of the route details on the VPN Client. The route details can be viewed at Status > Statistics > Route Details. I just want to confirm whether the VPN Client is getting the correct routes. Also, I see that the tunnel-group in use is XXXX and the policy associated with it is clientes. Please provide me the details of this group-policy. The output of "show run all group-policy clientes" will be helpful.

Regards,

Namit

Cisco Employee

Re: Cisco ASA Clients connects to VPN but no route inside, need

Try the following:

icmp permit any inside

I see you have logging buffered debugging; that's good.

clear logging buffer

management-access inside

From the client:

ping the inside interface IP

show logg | in

Cisco Employee

Re: Cisco ASA Clients connects to VPN but no route inside, need

Also, once you are connected through the VPN,

give the show route command and verify that you see a static route to the VPN client IP pointing to the outside interface.

New Member

Re: Cisco ASA Clients connects to VPN but no route inside, need

Nothing happened with this...

Fw(config)# icmp permit any inside

Fw(config)# sh logg | in 10.XX.XX.0

But no output

Cisco Employee

Re: Cisco ASA Clients connects to VPN but no route inside, need

Fw(config)# sh logg | in 10.XX.XX.0

This would be incorrect.

Fw(config)# sh logg | in 10.XX.XX.13 would be something like this, or just leave it at XX and do not enter the last octet.

New Member

Re: Cisco ASA Clients connects to VPN but no route inside, need

Here we go with the screenshots of the stats.

Cisco Employee

Re: Cisco ASA Clients connects to VPN but no route inside, need

Hi ,

Thanks a ton for the outputs. It clearly shows from the statistics on the VPN Client and the outputs on the ASA that the ASA is receiving the packets across the tunnel and decrypting them, but the replies are not being encrypted. Please paste the output of the following command:

packet-tracer input inside icmp <IP address of an inside host> 8 0 <IP address from the remote pool assigned to the PC connected to VPN>

Thanks,

Namit

New Member

Re: Cisco ASA Clients connects to VPN but no route inside, need

Cisco Employee

Re: Cisco ASA Clients connects to VPN but no route inside, need

As the packet tracer says, it is being dropped in the NAT rules.

Please paste your NAT rules:

show run nat

show run global

sh run static

sh access-list

Cisco Employee

Re: Cisco ASA Clients connects to VPN but no route inside, need

Hi ,

Do your remote pool subnet and the subnet of the internal network on the ASA overlap? I mean, is it something like the remote pool being 192.168.1.1-192.168.1.25 and the internal subnet on the ASA being 192.168.1.0/24?

Thanks,

Namit

New Member

Re: Cisco ASA Clients connects to VPN but no route inside, need

After a while of troubleshooting with my networking team, we found that the packet is dropped at the end.

Now we need to find out why it is doing that.

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (ipsec-spoof) IPSEC Spoof detected

Cisco Employee

Re: Cisco ASA Clients connects to VPN but no route inside, need

Did you make any changes to the rules in the firewall? Because I see the packet tracer outputs look to be different.

Also, have you verified that the VPN pool IPs and the internal network IPs do not overlap?

New Member

Re: Cisco ASA Clients connects to VPN but no route inside, need

No, I didn't change anything. I will delete the connection profile and I will do it again.

New Member

Re: Cisco ASA Clients connects to VPN but no route inside, need

How come...!!!! This is black magic...!!!!!!

I made a full backup of JUN2010 and the problem persists.....!!! What!!!!!!!

New Member

Re: Cisco ASA Clients connects to VPN but no route inside, need

FOR THE RECORD, HERE IS THE ANSWER.....!!!!

I made a new IP pool on a different network, avoiding the use of the same IP addressing as my inside network, and applied it to the group policy. This is the only change that I made to the firewall.

On the core switch I made a static route for the new network with the inside firewall interface as the gateway of last resort.

And done, it works!!!!
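Added example, not code from the thread or from Cisco: a small audit script for the two faults this thread turned on. It checks a Cisco ASA 8.0-style config for a VPN address pool that overlaps an interface subnet (the cause of the ipsec-spoof drops: the ASA cannot tell a pool address from a local host) and for inside-to-pool traffic that no "nat (inside) 0 access-list" exemption covers (the check Shilpa asked for earlier). The two config snippets are constructed for this example and mirror the broken and fixed states described above; the interface name "inside", the pool name VPNPOOL, the addresses, and the IOS-style "ip route" syntax for the core switch are all assumptions.

```python
"""Audit a Cisco ASA 8.0-style remote-access VPN config for a pool that overlaps an
interface subnet and for a missing nat 0 exemption for inside -> pool traffic."""
import ipaddress
import re

# Constructed sample config (not the poster's): the interfaces shared by both variants.
BASE = """\
interface GigabitEthernet0/0
 nameif outside
 ip address 203.0.113.2 255.255.255.248
!
interface GigabitEthernet0/1
 nameif inside
 ip address 10.10.10.1 255.255.255.0
!
sysopt connection permit-vpn
"""
# Broken state: the pool is carved out of the inside /24 and nothing exempts it from NAT.
BROKEN_CONFIG = BASE + "ip local pool VPNPOOL 10.10.10.200-10.10.10.250 mask 255.255.255.0\n"
# Fixed state: pool on its own network plus a NAT exemption for inside -> pool.
FIXED_CONFIG = BASE + """\
ip local pool VPNPOOL 10.10.20.1-10.10.20.50 mask 255.255.255.0
access-list NONAT extended permit ip 10.10.10.0 255.255.255.0 10.10.20.0 255.255.255.0
nat (inside) 0 access-list NONAT
"""


def _acl_operand(tokens, i):
    """Parse one ACL address operand (any | host A | A MASK); return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_asa_config(text):
    """Extract nameif -> interface address, pool ranges, nat 0 bindings and ACL permits."""
    cfg = {"interfaces": {}, "pools": {}, "nat0": {}, "acls": {}}
    block = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            block = {}
        elif line == "!":  # end of an interface block
            if block and "nameif" in block and "addr" in block:
                cfg["interfaces"][block["nameif"]] = block["addr"]
            block = None
        elif block is not None and line.startswith("nameif "):
            block["nameif"] = line.split()[1]
        elif block is not None and line.startswith("ip address "):
            ip, mask = line.split()[2:4]
            block["addr"] = ipaddress.ip_interface(f"{ip}/{mask}")
        elif (m := re.match(r"ip local pool (\S+) (\S+)-(\S+) mask (\S+)", line)):
            cfg["pools"][m.group(1)] = (ipaddress.ip_address(m.group(2)),
                                        ipaddress.ip_address(m.group(3)), m.group(4))
        elif (m := re.match(r"nat \((\S+)\) 0 access-list (\S+)", line)):
            cfg["nat0"][m.group(1)] = m.group(2)
        elif (m := re.match(r"access-list (\S+) extended permit ip (.+)", line)):
            tokens = m.group(2).split()
            src, i = _acl_operand(tokens, 0)
            dst, _ = _acl_operand(tokens, i)
            cfg["acls"].setdefault(m.group(1), []).append((src, dst))
    return cfg


def pool_overlaps(pool, interfaces):
    """Names of interfaces whose subnet contains any address of the pool range."""
    first, last = pool[0], pool[1]
    return sorted(name for name, addr in interfaces.items()
                  if first <= addr.network.broadcast_address
                  and last >= addr.network.network_address)


def pool_nat_exempt(cfg, pool, inside="inside"):
    """True if a nat (inside) 0 ACL entry covers inside subnet -> the whole pool range."""
    acl = cfg["nat0"].get(inside)
    if acl is None or inside not in cfg["interfaces"]:
        return False
    inside_net = cfg["interfaces"][inside].network
    first, last = pool[0], pool[1]
    return any(inside_net.subnet_of(src) and first in dst and last in dst
               for src, dst in cfg["acls"].get(acl, []))


def audit(config_text, inside="inside"):
    """Return a list of findings; an empty list means both checks passed."""
    cfg = parse_asa_config(config_text)
    findings = []
    for name, pool in cfg["pools"].items():
        hits = pool_overlaps(pool, cfg["interfaces"])
        if hits:
            findings.append(f"pool {name} overlaps the subnet of interface(s): {', '.join(hits)}")
        if not pool_nat_exempt(cfg, pool, inside):
            findings.append(f"no nat ({inside}) 0 exemption covers {inside} -> pool {name}")
    return findings


def core_switch_route(cfg, pool_name, inside="inside"):
    """IOS-style static route (assumed syntax) the core switch needs so replies to
    pool addresses are sent to the ASA inside address, as the poster did at the end."""
    first, _last, mask = cfg["pools"][pool_name]
    net = ipaddress.ip_network(f"{first}/{mask}", strict=False)
    return f"ip route {net.network_address} {net.netmask} {cfg['interfaces'][inside].ip}"


if __name__ == "__main__":
    for label, text in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, audit(text) or "OK")
    print(core_switch_route(parse_asa_config(FIXED_CONFIG), "VPNPOOL"))
```

Run it against "show run" output saved to a file instead of the constructed strings to repeat the check on a real box. The overlap test deliberately uses the pool's first and last address rather than the pool mask, because the ASA hands out individual addresses from the range and the mask only shapes the route pushed to the client; a pool of 10.10.10.200-250 "inside" a 10.10.10.0/24 is exactly the case the thread ended on.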
