New Member

ASA 5505 - L2TP over IPsec - Remote Address shows outside interface address

Using an ASA 5505 for firewall and VPN.  We've enabled L2TP over IPsec to allow Windows clients to connect without third party software.

The devices complete the connection and authenticate fine, but then are unable to hit any internal resources.  Split tunneling seems to be working, as they can still hit outside resources.  Packet tracer shows TCP flowing freely between VPN clients (192.168.102.0/24) and internal resources (192.168.100.0/24).  Even the NAT translation looks good in packet tracer.

I pulled up the session details for one of the VPN clients in the ASDM and under the IPsecOverNatT details, it is showing the VPN client's remote address correctly, but displays the local address as the address assigned to the outside interface (which the client is using to connect).  This seems to be the problem, as viewing detailed connection logs shows the internal resources trying to send packets back to the outside interface rather than the VPN client's assigned internal addresses.  Details:

Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: [OUTSIDE INTERFACE ADDRESS]
  local ident (addr/mask/prot/port): ([OUTSIDE INTERFACE ADDRESS]/255.255.255.255/17/1701)
  remote ident (addr/mask/prot/port): ([VPN CLIENT ADDRESS]/255.255.255.255/17/0)
  current_peer: [VPN CLIENT ADDRESS], username: vpnuser
  dynamic allocated peer ip: 192.168.102.1 [This is what I think it should be showing for local ident]
  dynamic allocated peer ip(ipv6): 0.0.0.0
  #pkts encaps: 16, #pkts encrypt: 16, #pkts digest: 16
  #pkts decaps: 18, #pkts decrypt: 18, #pkts verify: 18
  #pkts compressed: 0, #pkts decompressed: 0
  #pkts not compressed: 16, #pkts comp failed: 0, #pkts decomp failed: 0
  #post-frag successes: 0, #post-frag failures: 0, #fragments created: 0
  #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
  #TFC rcvd: 0, #TFC sent: 0
  #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
  #pkts no sa (send): 0, #pkts invalid sa (rcv): 0
  #pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0
  #pkts invalid prot (rcv): 0, #pkts verify failed: 0
  #pkts invalid identity (rcv): 0, #pkts invalid len (rcv): 0
  #pkts invalid pad (rcv): 0,
  #pkts invalid ip version (rcv): 0,
  #pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0
  #pkts replay failed (rcv): 0
  #pkts min mtu frag failed (send): 0, #pkts bad frag offset (rcv): 0
  #pkts internal err (send): 0, #pkts internal err (rcv): 0

  local crypto endpt.: [OUTSIDE INTERFACE ADDRESS]/4500, remote crypto endpt.: [VPN CLIENT ADDRESS]/8248
  path mtu 1500, ipsec overhead 82(52), media mtu 1500
  PMTU time remaining (sec): 0, DF policy: copy-df
  ICMP error validation: disabled, TFC packets: disabled
  current outbound spi: 05BFAE20
  current inbound spi : CF85B895

  inbound esp sas:
    spi: 0xCF85B895 (3481647253)
      transform: esp-aes esp-sha-hmac no compression
      in use settings ={RA, Transport, NAT-T-Encaps, IKEv1, }
      slot: 0, conn_id: 77824, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
      sa timing: remaining key lifetime (kB/sec): (4373998/3591)
      IV size: 16 bytes
      replay detection support: Y
      Anti replay bitmap:
        0x00000000 0x000FFFFD
  outbound esp sas:
    spi: 0x05BFAE20 (96448032)
      transform: esp-aes esp-sha-hmac no compression
      in use settings ={RA, Transport, NAT-T-Encaps, IKEv1, }
      slot: 0, conn_id: 77824, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
      sa timing: remaining key lifetime (kB/sec): (4373999/3591)
      IV size: 16 bytes
      replay detection support: Y
      Anti replay bitmap:
        0x00000000 0x00000001


Any ideas?  The remote clients connect but when internal resources try to send traffic to the VPN clients, the packets are directed to the outside interface address instead of the local address assigned to the VPN client.

3 REPLIES
New Member

I have what I believe to be a similar issue. Site-to-site VPN is working well. That is, site B can ping and send traffic to site A, but site A cannot. Site B is a third-party VPN router. Site A is a Cisco 5505.

It appears that when the crypto map inserts the route into the routing table, it shows the route via the outside IP of the outside interface and not the IP of site B. In the crypto map I can see the proper IP address for the peer. I can't figure out why, when it inserts the route, it uses the wrong IP address.


New Member

Are the IP addresses of the internal resources included in the VPNnonat access-list? For example:

object network VPNnonat-192.168.255.0-dst
 subnet 192.168.255.0 255.255.255.0
exit
! The -src object below was not shown in the reply; added so the nat line resolves (the /25 mask is an assumption)
object network VPNnonat-172.16.0.128-src
 subnet 172.16.0.128 255.255.255.128
exit
nat (INSIDE,OUTSIDE) source static VPNnonat-172.16.0.128-src VPNnonat-172.16.0.128-src destination static VPNnonat-192.168.255.0-dst VPNnonat-192.168.255.0-dst

where 192.168.255.0 is the IP pool of the remote VPN clients and 172.16.0.128 is the internal resources network.
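Added example, not posted by anyone in this thread: the reply above shows the NAT-exemption pattern with its own addresses; here it is applied to the original poster's networks (192.168.100.0/24 inside, 192.168.102.0/24 L2TP pool), followed by the two checks you would run on the box to confirm the rule is being hit. The interface names INSIDE/OUTSIDE, the object names, and the host and port values in the packet-tracer line are assumptions, not values from the thread. One point worth having in mind when reading the `show crypto ipsec sa` output in the question: for L2TP/IPsec the IPsec SA runs in transport mode between the client's public address and the ASA outside address, protecting UDP 1701, so a local ident of the outside interface address with proto 17 port 1701 is the expected value; the pool address only ever appears as "dynamic allocated peer ip". Whether inside hosts can reach a connected client is therefore decided by NAT exemption and routing, which is what the rule and the packet-tracer check below exercise.

```cisco
! Added example (not the thread's own config): identity NAT so that traffic
! between the inside network and the L2TP pool is neither translated nor
! dropped by a broader dynamic NAT rule.
! Assumed: nameif values INSIDE and OUTSIDE; object names are placeholders.
object network INSIDE-NET
 subnet 192.168.100.0 255.255.255.0
object network L2TP-POOL
 subnet 192.168.102.0 255.255.255.0
!
! no-proxy-arp keeps the ASA from answering ARP for the pool on INSIDE;
! route-lookup makes the egress interface come from the routing table rather
! than from the NAT rule's interface pair (both keywords exist in 8.4(2) and later).
nat (INSIDE,OUTSIDE) source static INSIDE-NET INSIDE-NET destination static L2TP-POOL L2TP-POOL no-proxy-arp route-lookup
!
! Check 1: simulate the return flow the poster describes (inside host to a
! connected client). The trace should pass the NAT phase with this rule and
! end in the VPN phase on OUTSIDE, not be translated to the outside address.
! Source host, source port and destination port are constructed values.
packet-tracer input INSIDE tcp 192.168.100.10 445 192.168.102.1 49152
!
! Check 2: the rule's translate_hits / untranslate_hits should increase after
! real traffic from an inside host to a connected client.
show nat detail
```

If packet-tracer shows the flow being translated to the outside interface address in the NAT phase, a dynamic rule (typically the interface PAT used for Internet access) is ordered ahead of the exemption; twice-NAT rules in section 1 are evaluated in the order they appear in the configuration, so the identity rule needs to sit above it.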

New Member

My issue was resolved by further reading and now a better understanding of what happens. I had read a previous document on the web that headed me in the wrong direction. Sorry for any confusion.
