08-07-2010 10:24 AM
Hello everyone,
I tried to search for an answer to this question but I couldn't find the answer. So here it goes:
I configured the VPN on the ASA and I can get a client to connect to the ASA just fine; however, I can't ping any interfaces on the ASA or on the inside LAN. I'm giving VPN clients IPs of 192.168.60.x/24 and the inside network is 192.168.1.x/24. I got this to work the last time I configured an ASA, but I forgot all the things I did. I'm sure it's something small. Any help is greatly appreciated.
ASA Version 7.2(4)
!
hostname max
domain-name default.domain.invalid
enable password xxxxxxx encrypted
passwd xxxxx encrypted
names
name 192.168.1.3 Xbox description IP address for Xbox
!
interface Vlan1
description Default internal vlan on max
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
ospf cost 10
!
interface Vlan2
description Internet vlan on max
nameif Internet
security-level 0
ip address dhcp setroute
ospf cost 10
!
interface Vlan3
description DMZ vlan on max
no forward interface Vlan1
nameif DMZ
security-level 50
ip address 10.100.100.1 255.0.0.0
ospf cost 10
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
switchport access vlan 3
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service Xbox_port tcp-udp
description TCP-UDP 3074
port-object eq 3074
object-group service Xbox_port_2 udp
description UDP port 88
port-object eq 88
object-group network Internal_Networks
network-object 10.0.0.0 255.255.255.0
network-object 10.1.0.0 255.255.255.0
network-object 172.16.0.0 255.255.255.0
network-object 10.20.0.0 255.255.255.0
network-object 10.30.0.0 255.255.255.0
access-list Internet_access_in extended permit udp any interface Internet eq 3074 inactive
access-list Internet_access_in extended permit tcp any interface Internet eq 3074 inactive
access-list Internet_access_in extended permit udp any interface Internet eq 88 inactive
access-list inside_access_in extended permit ip any any
access-list acl-outside extended permit icmp any any echo-reply
access-list acl-outside extended permit icmp any any unreachable
access-list acl-outside extended permit icmp any any traceroute
access-list acl-outside extended permit icmp any any time-exceeded
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 object-group Internal_Networks
access-list nonat extended permit ip any 192.168.60.0 255.255.255.240
access-list Split_Tunnel_List remark The network behind the ASA
access-list Split_Tunnel_List standard permit 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging buffer-size 10000
logging buffered critical
logging asdm informational
logging debug-trace
mtu inside 1500
mtu Internet 1500
mtu DMZ 1500
ip local pool VPN_Client_IP_Pool 192.168.60.2-192.168.60.11 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp deny any Internet
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (Internet) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.1.0 255.255.255.0
access-group inside_access_in in interface inside
access-group acl-outside in interface Internet
!
router ospf 1
router-id 192.168.1.1
network 192.168.1.0 255.255.255.0 area 0
log-adj-changes
redistribute static subnets
default-information originate
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map Internet_dyn_map 20 set pfs group1
crypto dynamic-map Internet_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map Internet_map 65535 ipsec-isakmp dynamic Internet_dyn_map
crypto map Internet_map interface Internet
crypto isakmp enable Internet
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 76.10.192.197 255.255.255.255 Internet
ssh timeout 30
console timeout 0
dhcpd auto_config Internet
!
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd enable inside
!
tftp-server inside 192.168.1.2 /asaconfig
group-policy darin.personal internal
group-policy xxxxxx attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_Tunnel_List
default-domain value default.domain.invalid
username xxxxx password xxxxxxx encrypted privilege 0
username xxxxxx attributes
vpn-group-policy xxxxxx
username xxxxx password xxxxxxx encrypted privilege 15
tunnel-group xxxxxx type ipsec-ra
tunnel-group xxxxxx general-attributes
address-pool VPN_Client_IP_Pool
default-group-policy xxxxxxxx
tunnel-group xxxxxxxxx ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
: end
08-07-2010 11:33 AM
Hello Darin,
Could you add the line below to your outside ACL and test again? Hope it can help you.
access-list acl-outside extended permit icmp any any echo
Ufuk Guler
08-07-2010 11:53 AM
Hello,
I added the line, but it didn't help. Besides, I don't want to enable ping on the entire outside interface; I want full access to the inside network. I'm beginning to think that I need to set my ASA as the default gateway for VPN clients. It's not defined when I connect.
08-07-2010 12:12 PM
Hi Darin,
Could you enable ICMP inspection and try it again? Just add the "inspect icmp" command under the "class inspection_default" section. At the same time, I think you are able to access local resources via VPN except for ICMP, isn't that so?
policy-map global_policy
class inspection_default
inspect icmp
Ufuk Guler
08-07-2010 06:17 PM
Nope, I can't access any inside resources through the VPN at all. Ping, telnet, SSH, nothing. I'm thinking I might need a NAT statement in there somewhere.
08-07-2010 06:30 PM
Hello,
Can you please post the latest configuration here (x out all the public IP addresses).
Regards,
NT
08-07-2010 07:13 PM
ASA Version 7.2(4)
!
hostname max
domain-name default.domain.invalid
enable password xxxx encrypted
passwd xxxx encrypted
names
name 192.168.1.3 Xbox description IP address for Xbox
!
interface Vlan1
description Default internal vlan on max
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
ospf cost 10
!
interface Vlan2
description Internet vlan on max
nameif Internet
security-level 0
ip address dhcp setroute
ospf cost 10
!
interface Vlan3
description DMZ vlan on max
no forward interface Vlan1
nameif DMZ
security-level 50
ip address 10.100.100.1 255.0.0.0
ospf cost 10
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
switchport access vlan 3
!
interface Ethernet0/6
!
interface Ethernet0/7
!
banner exec You are logged into Max's firewall
banner login Max's firewall
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service Xbox_port tcp-udp
description TCP-UDP 3074
port-object eq 3074
object-group service Xbox_port_2 udp
description UDP port 88
port-object eq 88
object-group network Internal_Networks
network-object 10.0.0.0 255.255.255.0
network-object 10.1.0.0 255.255.255.0
network-object 172.16.0.0 255.255.255.0
network-object 10.20.0.0 255.255.255.0
network-object 10.30.0.0 255.255.255.0
access-list Internet_access_in extended permit udp any interface Internet eq 3074 inactive
access-list Internet_access_in extended permit tcp any interface Internet eq 3074 inactive
access-list Internet_access_in extended permit udp any interface Internet eq 88 inactive
access-list inside_access_in extended permit ip any any
access-list acl-outside extended permit icmp any any echo-reply
access-list acl-outside extended permit icmp any any unreachable
access-list acl-outside extended permit icmp any any traceroute
access-list acl-outside extended permit icmp any any time-exceeded
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 object-group Internal_Networks
access-list Split_Tunnel_List remark The network behind the ASA
access-list Split_Tunnel_List standard permit 192.168.1.0 255.255.255.0
access-list nonat-in extended permit ip 192.168.1.0 255.255.255.0 object-group Internal_Networks
pager lines 24
logging enable
logging buffer-size 10000
logging buffered critical
logging asdm informational
logging debug-trace
mtu inside 1500
mtu Internet 1500
mtu DMZ 1500
ip local pool VPN_Client_IP_Pool 192.168.60.2-192.168.60.11 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp deny any Internet
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (Internet) 1 interface
nat (inside) 0 access-list nonat-in
nat (inside) 1 192.168.1.0 255.255.255.0
access-group inside_access_in in interface inside
access-group acl-outside in interface Internet
!
router ospf 1
router-id 192.168.1.1
network 192.168.1.0 255.255.255.0 area 0
log-adj-changes
redistribute static subnets
default-information originate
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map Internet_dyn_map 20 set pfs group1
crypto dynamic-map Internet_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map Internet_map 65535 ipsec-isakmp dynamic Internet_dyn_map
crypto map Internet_map interface Internet
crypto isakmp enable Internet
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh x.x.x.x 255.255.255.255 Internet
ssh timeout 30
console timeout 0
dhcpd auto_config Internet
!
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd enable inside
!
tftp-server inside 192.168.1.2 /asaconfig
group-policy darin.personal internal
group-policy darin.personal attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list none
default-domain value default.domain.invalid
username darin.miller password xxxx encrypted privilege 0
username darin.miller attributes
vpn-group-policy darin.personal
username darin password xxxx encrypted privilege 15
tunnel-group darin.personal type ipsec-ra
tunnel-group darin.personal general-attributes
address-pool VPN_Client_IP_Pool
default-group-policy darin.personal
tunnel-group darin.personal ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:xxxx
: end
08-07-2010 07:22 PM
Hello,
You are correct. The nonat rule is incorrect. Please add the following lines:
access-list nonat-in extended permit ip object-group Internal_Networks 192.168.60.0 255.255.255.0
access-list nonat-in extended permit ip 192.168.1.0 255.255.255.0 192.168.60.0 255.255.255.0
management-access inside
Hope this helps.
Regards,
NT
Message was edited by: Nagaraja Thanthry
08-07-2010 07:25 PM
-
08-08-2010 08:58 PM
Nope, didn't work. I was able to connect, and this time my VPN-client's ipconfig listed 192.168.60.1 as the default gateway.
08-09-2010 01:13 AM
What I need is to have my home LAN (192.168.1.0/24) as the secured route, with everything else going through my local LAN.
08-09-2010 03:37 AM
I reset everything to the original way I had it and ran a packet trace:
max# pac input internet icmp 192.168.60.2 0 8 192.168.1.2 det
Phase: 1
Type: CP-PUNT
Subtype: l2-selective
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x39d6bf8, priority=12, domain=punt, deny=false
hits=12667, user_data=0x4299570, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0000.0000.0000
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x39f1fa0, priority=1, domain=permit, deny=false
hits=6376931, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0000.0000.0000
Phase: 3
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 4
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.1.0 255.255.255.0 inside
Phase: 5
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group acl-outside in interface Internet
access-list acl-outside extended permit icmp any any echo-reply
Additional Information:
Forward Flow based lookup yields rule:
in id=0x3a793e8, priority=12, domain=permit, deny=false
hits=6, user_data=0x3a78038, cs_id=0x0, flags=0x0, protocol=1
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x39f4828, priority=0, domain=permit-ip-option, deny=true
hits=12341, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 7
Type: CP-PUNT
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x42a06e0, priority=79, domain=punt, deny=true
hits=9, user_data=0x3637180, cs_id=0x0, flags=0x0, protocol=0
src ip=192.168.60.2, mask=255.255.255.255, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x3a6f5d8, priority=69, domain=ipsec-tunnel-flow, deny=false
hits=9, user_data=0x7d1d6c, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=192.168.60.2, mask=255.255.255.255, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 9
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x39f3ba0, priority=66, domain=inspect-icmp-error, deny=false
hits=75, user_data=0x39f3ad0, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 10
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x41892e0, priority=0, domain=host-limit, deny=false
hits=55, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 11
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (inside) 1 192.168.1.0 255.255.255.0
match ip inside 192.168.1.0 255.255.255.0 Internet any
dynamic translation to pool 1 (75.187.60.114 [Interface PAT])
translate_hits = 46, untranslate_hits = 1
Additional Information:
Forward Flow based lookup yields rule:
out id=0x4256e30, priority=1, domain=nat-reverse, deny=false
hits=53, user_data=0x4256c90, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=192.168.1.0, mask=255.255.255.0, port=0, dscp=0x0
Result:
input-interface: Internet
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
08-09-2010 01:49 PM
OK, check this out. I got my hands on a previous config I did for a customer. I found out that IT WAS a NAT statement that was missing, so I added these 3 statements:
nat (inside) 0 access-list LAN_nat0_outbound
access-list LAN_nat0_outbound extended permit ip any 192.168.60.0 255.255.255.0
access-list LAN_nat0_outbound extended permit ip any 192.168.0.0 255.255.255.0
So, now VPN clients can ping the 192.168.1.0/24 internal network and vice versa, but VPN clients still can't telnet into devices in the 192.168.1.0/24 subnet. I'm guessing PAT is needed, but where?
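As an added illustration (my own Python, not Cisco's and not anything posted in this thread) of the lookup the packet trace above performs at the NAT rpf-check phase: the script parses constructed config excerpts that mirror the thread's three nat 0 states (the original nonat list, the later nonat-in list, and the final LAN_nat0_outbound list) and reports whether an inside-to-VPN-client flow matches a NAT exemption, including the /28 mask in the original nonat entry that covers only 192.168.60.0-15. It understands only the `permit ip` forms used in this thread (`any`, `object-group NAME`, `IP MASK`).

```python
import ipaddress
import re


def parse_config(text):
    """Return (network object-groups, permit-ip ACL entries, nat0 ACL name)."""
    groups, acls, nat0, current = {}, {}, None, None
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"object-group network (\S+)", line):
            current = groups.setdefault(m.group(1), [])
        elif m := re.match(r"network-object (\S+) (\S+)", line):
            current.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"))
        elif m := re.match(r"access-list (\S+) extended permit ip (.+)", line):
            acls.setdefault(m.group(1), []).append(m.group(2).split())
        elif m := re.match(r"nat \(inside\) 0 access-list (\S+)", line):
            nat0 = m.group(1)
    return groups, acls, nat0


def take_operand(tokens, groups):
    # Consume one ACL address operand: 'any', 'object-group NAME' or 'IP MASK'.
    if tokens[0] == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], tokens[1:]
    if tokens[0] == "object-group":
        return groups[tokens[1]], tokens[2:]
    return [ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}")], tokens[2:]


def is_nat_exempt(config, src, dst):
    """True if inside src -> dst hits the nat 0 ACL and so skips dynamic PAT."""
    groups, acls, nat0 = parse_config(config)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for entry in acls.get(nat0, []):
        srcs, rest = take_operand(entry, groups)
        dsts, _ = take_operand(rest, groups)
        if any(s in n for n in srcs) and any(d in n for n in dsts):
            return True
    return False


# Constructed excerpts of the three NAT-exemption states seen in the thread.
ORIGINAL = """
object-group network Internal_Networks
 network-object 10.0.0.0 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 object-group Internal_Networks
access-list nonat extended permit ip any 192.168.60.0 255.255.255.240
nat (inside) 0 access-list nonat
"""
REVISED = """
object-group network Internal_Networks
 network-object 10.0.0.0 255.255.255.0
access-list nonat-in extended permit ip 192.168.1.0 255.255.255.0 object-group Internal_Networks
nat (inside) 0 access-list nonat-in
"""
FIXED = """
access-list LAN_nat0_outbound extended permit ip any 192.168.60.0 255.255.255.0
nat (inside) 0 access-list LAN_nat0_outbound
"""
```

A flow that returns False here is the one the trace shows being handed to `nat (inside) 1` and dropped at rpf-check; a pool address beyond .15 fails against the original /28 entry for the same reason.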