Cisco VPN Client/ASA cannot route any traffic

shanemoss (Level 1)

Hi folks,

I'm having terrible trouble configuring a 5505 ASA for remote access. It's a while since I've done it but I don't remember it being so difficult. Basically, I've followed the Cisco article http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/vpnrmote.html
on how to set it up, but when my Cisco VPN client successfully authenticates and connects I can't reach anywhere from the client. My remote pool is 192.168.10.0/24 and when I connect, a look at the ASA route table shows a route to 192.168.10.1 (my client) via the external gateway next hop, which must be wrong. I've seen lots of posts about others experiencing the same issue but there's no clear solution. Surely someone else has come across this? Any assistance would be greatly appreciated as I'll have no hair left soon!

Thanks. S.

4 Replies

shanemoss (Level 1)

Just to add to this, I have a very similar configuration on an ASA running v7.1 with no problems. The ASA 5505 I'm having trouble with is running 8.2. Does anyone know what, specific to remote access, has changed between these versions?

Hi Shane,

Do you have a NAT exempt entry?

nat (inside) 0 access-list nonat-inside
access-list nonat-inside permit ip INSIDE_NETWORK 255.255.255.0 192.168.10.0 255.255.255.0

Can you post your config?

Patrick

Hi Patrick,

Yes, I have NAT exempt rules in place, though they may be wrong. I have:

access-list outside_nat0_outbound extended permit ip host 192.168.1.251 any
nat (outside) 0 access-list outside_nat0_outbound

This is the first address in the pool and I get it each time so this rule should work unless I'm missing something else.

The configuration is as follows. You will see that I have a number of remote access tunnel groups as I was experimenting with different configurations, to no success. The one I'm really working on is the ragroup tunnel group:

ASA Version 8.2(5)
!
hostname firewall
domain-name bbb.aa
enable password 12345
passwd xyz encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 5.6.7.1 255.255.255.252
!
ftp mode passive
dns server-group DefaultDNS
 domain-name bbb.aa
access-list FromInside extended permit icmp host 192.168.1.251 any
access-list FromInside extended permit icmp any any
access-list FromInside extended permit ip any any
access-list FromOutside extended permit icmp host 192.168.10.1 any
access-list FromOutside extended permit icmp any any
access-list FromOutside extended deny ip any any
access-list Local_LAN_Access standard permit host 0.0.0.0
access-list LAN2LAN extended permit ip 192.168.1.0 255.255.255.0 host 10.252.66.12
access-list inside_nat0_outbound extended permit ip any 192.168.10.0 255.255.255.0
access-list outside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 any
access-list outside_nat0_outbound extended permit ip host 192.168.1.251 any
access-list remote-access-2_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging buffer-size 100000
logging buffered notifications
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool rapool 192.168.1.251-192.168.1.254
ip local pool remote-access-pool 192.168.10.0-192.168.10.254 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 0 access-list outside_nat0_outbound
nat (outside) 101 192.168.10.0 255.255.255.0
access-group FromInside in interface inside
access-group FromOutside in interface outside
route outside 0.0.0.0 0.0.0.0 5.6.7.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set SecondSet esp-3des esp-md5-hmac
crypto ipsec transform-set FirstSet esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dyn1 1 set transform-set SecondSet
crypto dynamic-map dyn1 1 set reverse-route
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map com 1 match address LAN2LAN
crypto map com 1 set peer 1.2.3.4
crypto map com 1 set transform-set FirstSet
crypto map com 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map com interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 28800
crypto isakmp policy 2
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200
telnet timeout 5
ssh 192.168.1.248 255.255.255.252 inside
ssh 192.168.1.250 255.255.255.254 inside
ssh 192.168.1.251 255.255.255.255 inside
ssh 192.168.1.0 255.255.255.0 inside
ssh 109.8.8.8 255.255.255.255 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.250 inside
dhcpd dns 8.8.8.8 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy remote-access internal
group-policy remote-access attributes
 dns-server value 8.8.8.8
 vpn-tunnel-protocol IPSec
 default-domain value bbb.aa
group-policy remote-access-2 internal
group-policy remote-access-2 attributes
 dns-server value 8.8.8.8
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value remote-access-2_splitTunnelAcl
 default-domain value bbb.aa
username testuser password tGCH3d5WppJ/CSAL encrypted
username admin password xfNKUXpJuiL97ank encrypted
tunnel-group ragroup type remote-access
tunnel-group ragroup general-attributes
 address-pool rapool
tunnel-group ragroup ipsec-attributes
 pre-shared-key *****
tunnel-group 1.2.3.4 type ipsec-l2l
tunnel-group 1.2.3.4 ipsec-attributes
 pre-shared-key *****
tunnel-group remote-access type remote-access
tunnel-group remote-access general-attributes
 address-pool remote-access-pool
 default-group-policy remote-access
tunnel-group remote-access ipsec-attributes
 pre-shared-key *****
tunnel-group remote-access-2 type remote-access
tunnel-group remote-access-2 general-attributes
 address-pool remote-access-pool
 default-group-policy remote-access-2
tunnel-group remote-access-2 ipsec-attributes
 pre-shared-key *****
tunnel-group test type remote-access
tunnel-group test general-attributes
 address-pool remote-access-pool
tunnel-group test ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous

The ragroup is probably falling back on the default group-policy; you need to point it to the group-policy that has the split-tunnel configured and to the correct address pool:

tunnel-group ragroup general-attributes
 default-group-policy remote-access-2
 address-pool remote-access-pool

You have the nat (inside) 0 configured, so you don't need a nat (outside) 0 ...; please remove it.

After you connect, check the routes in the VPN Client: Status > Statistics > Route Details.

Do you now see 192.168.1.0/24 under Secured Routes?

Also, when you ping, in the Tunnel Details, do you see the Encrypted Packets / Decrypted Packets counters increase?

Please post a show crypto ipsec sa.

Patrick
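The checks Patrick raises across his two replies (is the pool covered by the nat (inside) 0 exemption ACL, does the tunnel-group name a default-group-policy, is it using the right address pool, and is there a stray nat (outside) 0) can be run against a config mechanically before anyone connects a client. The script below is an added example, not part of the thread and not Cisco tooling: a small parser for the 8.2-style lines involved, run over a constructed excerpt of the config posted above, and then over the same excerpt with the suggested fix applied. The overlap check (a pool whose addresses sit inside an interface's own subnet, as rapool does inside 192.168.1.0/24) is a generalisation of the "correct address pool" point; everything else follows the replies directly.

```python
"""Lint an ASA 8.2-style config for the remote-access pitfalls discussed in the thread.

Added example (not from the thread, not Cisco's tooling). For every
tunnel-group of type remote-access it reports:
  * no default-group-policy (the system default policy, with no split-tunnel list, applies)
  * an address pool whose range lies inside an interface subnet
  * an address pool not covered by the destination of the nat (inside) 0 exemption ACL
and, independently, a nat (outside) 0 present next to nat (inside) 0.
"""
import ipaddress
import re

# Constructed excerpt of the posted config: only the lines these checks read.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 192.168.1.1 255.255.255.0
interface Vlan2
 nameif outside
 ip address 5.6.7.1 255.255.255.252
access-list inside_nat0_outbound extended permit ip any 192.168.10.0 255.255.255.0
access-list outside_nat0_outbound extended permit ip host 192.168.1.251 any
ip local pool rapool 192.168.1.251-192.168.1.254
ip local pool remote-access-pool 192.168.10.0-192.168.10.254 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (outside) 0 access-list outside_nat0_outbound
tunnel-group ragroup type remote-access
tunnel-group ragroup general-attributes
 address-pool rapool
tunnel-group remote-access-2 type remote-access
tunnel-group remote-access-2 general-attributes
 address-pool remote-access-pool
 default-group-policy remote-access-2
"""

# The same excerpt with the fix from the reply applied (constructed, for comparison).
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    " address-pool rapool\n",
    " address-pool remote-access-pool\n default-group-policy remote-access-2\n",
).replace("nat (outside) 0 access-list outside_nat0_outbound\n", "")


def _take_addr(tokens):
    """Consume one ASA ACL address spec ('any', 'host X', or 'X MASK') from tokens."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(f"{tokens[1]}/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_config(text):
    """Extract interface subnets, pools, permit-ip ACL entries, nat 0 statements and RA tunnel-groups."""
    cfg = {"interfaces": {}, "pools": {}, "acls": {}, "nat0": {}, "groups": {}}
    ifname = group = None
    for raw in text.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):  # a new top-level command ends any sub-mode block
            ifname = group = None
        if line.startswith("interface "):
            ifname = ""  # the usable name arrives on the nameif line
        elif ifname is not None and line.startswith("nameif "):
            ifname = line.split()[1]
        elif ifname and line.startswith("ip address "):
            _, _, addr, mask = line.split()
            cfg["interfaces"][ifname] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        elif (m := re.match(r"access-list (\S+) extended permit ip (.+)", line)):
            src, rest = _take_addr(m.group(2).split())
            dst, _ = _take_addr(rest)
            cfg["acls"].setdefault(m.group(1), []).append((src, dst))
        elif (m := re.match(r"ip local pool (\S+) (\S+)-(\S+)(?: mask (\S+))?$", line)):
            cfg["pools"][m.group(1)] = (ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3)))
        elif (m := re.match(r"nat \((\S+)\) 0 access-list (\S+)", line)):
            cfg["nat0"][m.group(1)] = m.group(2)
        elif (m := re.match(r"tunnel-group (\S+) type remote-access", line)):
            cfg["groups"][m.group(1)] = {}
        elif (m := re.match(r"tunnel-group (\S+) general-attributes", line)):
            group = m.group(1)
        elif group is not None and line.startswith(("address-pool ", "default-group-policy ")):
            key, value = line.split()
            cfg["groups"].setdefault(group, {})[key] = value
    return cfg


def lint(text):
    """Return the findings for a config as a list of one-line strings (empty when clean)."""
    cfg = parse_config(text)
    findings = []
    inside_exempt = cfg["acls"].get(cfg["nat0"].get("inside", ""), [])
    for name, attrs in cfg["groups"].items():
        if "default-group-policy" not in attrs:
            findings.append(f"{name}: no default-group-policy, so the system default policy applies")
        pool_name = attrs.get("address-pool")
        if pool_name not in cfg["pools"]:
            findings.append(f"{name}: no usable address-pool")
            continue
        first, last = cfg["pools"][pool_name]
        for ifname, net in cfg["interfaces"].items():
            if first in net or last in net:
                findings.append(f"{name}: pool {pool_name} ({first}-{last}) lies inside the {ifname} subnet {net}")
        if not any(first in dst and last in dst for _, dst in inside_exempt):
            findings.append(f"{name}: nat (inside) 0 ACL does not exempt pool {pool_name}")
    if "inside" in cfg["nat0"] and "outside" in cfg["nat0"]:
        findings.append("nat (outside) 0 is redundant next to nat (inside) 0; remove it")
    return findings


if __name__ == "__main__":
    for label, text in (("posted", SAMPLE_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"--- {label} config ---")
        for finding in lint(text) or ["no findings"]:
            print(" ", finding)
```

On the posted excerpt this reports four findings, all against ragroup and the nat (outside) 0 line, and nothing against remote-access-2; on the fixed excerpt it reports none. The parser only understands the handful of 8.2 command shapes shown above (one `ip address` per interface, `permit ip` ACL entries, `nat (if) 0 access-list`), so treat it as a starting point rather than a general ASA config parser.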