
Cisco VPN Client with Cisco ASA5520

VincentLong
Level 1

Hi all,

I'm new to the Cisco VPN client. I tried to use the Cisco ASDM 6.2 IPsec VPN wizard to configure a remote side to main office VPN with a static IP address. After the wizard completed, I tried to connect using Cisco VPN Client ver. 5.0.07.0410, but the connection failed.

The connection is very simple. I want mobile users to be able to use their laptops to access the main office LAN.

Please refer to the attached document for further understanding.

10 Replies

Vikas Saxena
Cisco Employee

Vincent, just wondering if you saw the VPN client log file. It clearly says that the group password is wrong.

Please correct the group password in the VPN Client and try again.

The configuration looks fine.

Thanks. Finally, I know what I did wrong. I'm connected now. But I was unable to ping the LAN IP of the firewall's LAN interface.

C:\Users\netaxis>tracert 10.1.20.100

Tracing route to 10.1.20.100 over a maximum of 30 hops

  1     *        *        *     Request timed out.
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.
  7     *        *        *     Request timed out.
  8     *        *        *     Request timed out.
  9  ^C

Ethernet adapter Local Area Connection 2:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Cisco Systems VPN Adapter
   Physical Address. . . . . . . . . : 00-05-9A-3C-78-00
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::a047:be97:6c1e:f65f%21(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.1.80.1(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . :
   DHCPv6 IAID . . . . . . . . . . . : 486540698
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-14-76-49-4C-00-1A-4B-61-CD-E1

   DNS Servers . . . . . . . . . . . : 202.188.0.133
                                       8.8.8.8
   NetBIOS over Tcpip. . . . . . . . : Enabled

Why doesn't the gateway have any IP address? Thanks.

Enable NAT-T: remove 'no' from 'no crypto isakmp nat-traversal' (just enter the command again without 'no') and check again.

Please post the output of show cry ipsec sa from the ASA. I want to see whether the VPN Client is encrypting the traffic or not.

Please post a screenshot of the VPN Client -> Statistics window.

I would suggest you change the pool to a /24.

Tracert is not a good way to check VPN connectivity. Try pinging some host on the LAN. Please make sure that the host on the LAN does not have any firewall turned on which could be dropping the ICMP requests.

From the GUI .jpg it seems you are on Windows 7 or Vista; please give the output of route print from the PC after the client connects.

I have enabled NAT-T, but the result is still the same.

The ping result:

C:\Users\netaxis>ping 10.1.20.99

Pinging 10.1.20.99 with 32 bytes of data:
Request timed out.
Request timed out.

Ping statistics for 10.1.20.99:
    Packets: Sent = 2, Received = 0, Lost = 2 (100% loss),
Control-C
^C
C:\Users\netaxis>ping 10.1.20.100

Pinging 10.1.20.100 with 32 bytes of data:
Request timed out.

Ping statistics for 10.1.20.100:
    Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),
Control-C
^C
C:\Users\netaxis>ping 10.1.19.99

Pinging 10.1.19.99 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 10.1.19.99:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\Users\netaxis>ping 10.1.20.98

Pinging 10.1.20.98 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 10.1.20.98:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\Users\netaxis>

show cry ipsec sa output:

interface: Public
    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr:

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.1.80.1/255.255.255.255/0/0)
      current_peer: , username: test01
      dynamic allocated peer ip: 10.1.80.1

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 121, #pkts decrypt: 121, #pkts verify: 121
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: /4500, remote crypto endpt.: /53819
      path mtu 1500, ipsec overhead 82, media mtu 1500
      current outbound spi: 3DDF40A2

    inbound esp sas:
      spi: 0x102D7022 (271413282)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 24576, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
         sa timing: remaining key lifetime (sec): 28429
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x3DDF40A2 (1038041250)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 24576, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
         sa timing: remaining key lifetime (sec): 28429
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

Route print result:

C:\Users\netaxis>route print
===========================================================================
Interface List
21...00 05 9a 3c 78 00 ......Cisco Systems VPN Adapter
12...00 1b 77 af 65 ae ......Intel(R) PRO/Wireless 3945ABG Network Connection
11...00 1a 4b 61 cd e1 ......Broadcom NetLink (TM) Gigabit Ethernet
  1...........................Software Loopback Interface 1
16...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
13...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
23...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
24...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.1.254    192.168.1.102     20
         10.1.0.0      255.255.0.0         On-link         10.1.80.1    276
         10.1.0.0      255.255.0.0         10.1.0.1        10.1.80.1    100
        10.1.80.1  255.255.255.255         On-link         10.1.80.1    276
     10.1.255.255  255.255.255.255         On-link         10.1.80.1    276
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      192.168.1.0    255.255.255.0         On-link     192.168.1.102    276
    192.168.1.102  255.255.255.255         On-link     192.168.1.102    276
    192.168.1.254  255.255.255.255         On-link     192.168.1.102    100
    192.168.1.255  255.255.255.255         On-link     192.168.1.102    276
   218.208.72.122  255.255.255.255    192.168.1.254    192.168.1.102    100
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link     192.168.1.102    276
        224.0.0.0        240.0.0.0         On-link         10.1.80.1    276
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link     192.168.1.102    276
  255.255.255.255  255.255.255.255         On-link         10.1.80.1    276
===========================================================================
Persistent Routes:
  None

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination      Gateway
13     58 ::/0                     On-link
  1    306 ::1/128                  On-link
13     58 2001::/32                On-link
13    306 2001:0:4137:9e76:c1a:2dbe:c3ca:75cf/128
                                    On-link
11    276 fe80::/64                On-link
21    276 fe80::/64                On-link
13    306 fe80::/64                On-link
13    306 fe80::c1a:2dbe:c3ca:75cf/128
                                    On-link
21    276 fe80::a047:be97:6c1e:f65f/128
                                    On-link
11    276 fe80::bd6c:1b6d:d353:6e7a/128
                                    On-link
  1    306 ff00::/8                 On-link
13    306 ff00::/8                 On-link
11    276 ff00::/8                 On-link
21    276 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None

C:\Users\netaxis>

I have attached the VPN client statistics. Thanks Vikas Saxena.

It seems that the VPN client is encrypting traffic and sending it on the wire to the ASA; the ASA is decrypting it but not encrypting anything back.

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 121, #pkts decrypt: 121, #pkts verify: 121

In the above output you have #pkts decaps: 121, #pkts decrypt: 121, #pkts verify: 121, exactly the same number as the VPN Client's Encrypts in the statistics. In the same image you have Decrypts as 0, and on the ASA #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0.

Let's take

C:\Users\netaxis>ping 10.1.20.99

Pinging 10.1.20.99 with 32 bytes of data:
Request timed out.
Request timed out.

as a sample host to test with.

When the VPN Client pool is the same as the inside subnet range, the ASA will do proxy ARP for the VPN client IP address.

On this host, if you do 'arp -a' you should have the ASA LAN interface MAC address for 10.1.80.1 (the VPN Client IP address).

You can also run 'debug icmp trace' on the ASA to find out if the ASA is processing the ICMP packets from the VPN Client.

You can put a capture on the LAN interface to find out if the ASA is sending the ICMP packets out to the 10.1.20.99 host and whether it is getting a reply from it or not.

access-list captcha permit icmp host 10.1.20.99 10.1.80.0 255.255.255.0

access-list captcha permit icmp 10.1.80.0 255.255.255.0 host 10.1.20.99

capture capLan access-list captcha interface LAN

Start pinging from the VPN Client, then on the ASA do

show capture capLan

and post the output.
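The diagnosis above rests on reading the two counter lines of 'show crypto ipsec sa' against the client's Statistics window: ASA decaps equal to the client's Encrypts, ASA encaps equal to the client's Decrypts, and a zero on one side tells you where the flow stops. The following is an added example, not code from the thread or from Cisco; it parses a constructed excerpt of the ASA output (the counters are the ones posted above) and classifies each SA by the direction that actually carries packets. The client-side numbers in CLIENT_STATS are constructed to stand in for the Statistics window.

```python
"""Added example (not from the thread): parse ASA 'show crypto ipsec sa' output and
classify each remote-access SA by which direction carries packets, the reasoning
applied above (ASA decaps == client Encrypts, ASA encaps == client Decrypts == 0)."""
import re

# Constructed sample, trimmed from the counters posted in the thread.
SAMPLE_SA = """\
interface: Public
    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr:
      remote ident (addr/mask/prot/port): (10.1.80.1/255.255.255.255/0/0)
      current_peer: , username: test01
      dynamic allocated peer ip: 10.1.80.1
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 121, #pkts decrypt: 121, #pkts verify: 121
      #send errors: 0, #recv errors: 0
"""

# Constructed client-side numbers, standing in for the VPN Client Statistics window.
CLIENT_STATS = {"encrypts": 121, "decrypts": 0}

PEER_RE = re.compile(r"dynamic allocated peer ip: (\S+)")
COUNTER_RE = re.compile(r"#pkts (encaps|decaps|encrypt|decrypt): (\d+)")


def parse_sa_counters(text):
    """Return one dict per remote-access SA: peer address plus its packet counters."""
    entries, current = [], None
    for line in text.splitlines():
        m = PEER_RE.search(line)
        if m:
            current = {"peer": m.group(1)}
            entries.append(current)
            continue
        if current is not None:
            for name, value in COUNTER_RE.findall(line):
                current[name] = int(value)
    return entries


def classify(entry):
    """'encaps' counts packets the ASA sent into the tunnel, 'decaps' packets it
    received from the client; the pair shows where the flow stops."""
    enc, dec = entry.get("encaps", 0), entry.get("decaps", 0)
    if enc == 0 and dec == 0:
        return "none"            # nothing enters the tunnel from either side
    if enc == 0:
        return "client-to-asa"   # ASA decrypts client traffic, replies never come back
    if dec == 0:
        return "asa-to-client"   # ASA sends, client traffic never arrives
    return "bidirectional"


HINTS = {
    "none": "check the client's route table: traffic is not entering the tunnel",
    "client-to-asa": "look at the inside path: NAT exemption, proxy ARP for the pool, host firewalls",
    "asa-to-client": "check NAT-T and the path from the client to the ASA",
    "bidirectional": "the tunnel carries traffic both ways; look elsewhere",
}


def matches_client_stats(entry, client):
    """The ASA's decaps should equal the client's Encrypts and vice versa."""
    return (entry.get("decaps", 0) == client["encrypts"]
            and entry.get("encaps", 0) == client["decrypts"])


if __name__ == "__main__":
    for sa in parse_sa_counters(SAMPLE_SA):
        verdict = classify(sa)
        note = "(consistent with client stats)" if matches_client_stats(sa, CLIENT_STATS) else ""
        print(sa["peer"], verdict, "-", HINTS[verdict], note)
```

On the thread's numbers the verdict is "client-to-asa": the ASA receives and decrypts 121 packets and sends none back, which is why the next step is a capture on the LAN interface rather than more work on the client.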

I have tried what you suggested.

The ping and arp results:

C:\Users\netaxis>ping 10.1.20.99 -t

Pinging 10.1.20.99 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 10.1.20.99:
    Packets: Sent = 14, Received = 0, Lost = 14 (100% loss),
Control-C
^C
C:\Users\netaxis>arp -a

Interface: 192.168.1.102 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.100         f0-7b-cb-66-2c-1b     dynamic
  192.168.1.101         00-22-fa-44-8a-36     dynamic
  192.168.1.103         00-22-fa-44-8a-36     dynamic
  192.168.1.254         00-09-0f-17-50-1c     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
  224.0.0.252           01-00-5e-00-00-fc     static
  239.255.255.250       01-00-5e-7f-ff-fa     static
  255.255.255.255       ff-ff-ff-ff-ff-ff     static

Interface: 10.1.80.1 --- 0x15
  Internet Address      Physical Address      Type
  10.1.19.99            00-09-0f-17-50-1c     dynamic
  10.1.20.98            00-09-0f-17-50-1c     dynamic
  10.1.20.99            00-09-0f-17-50-1c     dynamic
  10.1.20.100           00-09-0f-17-50-1c     dynamic
  10.1.255.255          ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
  224.0.0.252           01-00-5e-00-00-fc     static

C:\Users\netaxis>

I have attached the ACL hit result too. Please kindly refer to it. Thanks.

The arp -a output should be from the remote host 10.1.20.99 rather than from the VPN client PC.

Please post the capture the way I mentioned in my earlier post.

It seems that the client packet is not being delivered to the destination host by the ASA. A capture will help.

I'm trying to arrange a PC inside the network for me to RDP into and do the testing. By the way,

1. Do I need to configure any access in my scenario?

2. Must the IKE interface be public? Can it be private?

3. Must the IP address pool assigned for VPN be on the public interface IP range? Can it be an internal IP range?

4. Is any NAT needed?

Hello Vincent,

1. Do I need to configure any access in my scenario?

Please elaborate on this question.

2. Must the IKE interface be public? Can it be private?

It can be private; this depends on your requirement. However, the crypto map and crypto isakmp should go together and are directional. That means if you are coming in from 'outside' then they should be on outside, and if you are coming in from inside then both should be on inside.

3. Must the IP address pool assigned for VPN be on the public interface IP range? Can it be an internal IP range?

The IP address pool does not need to be public; you can assign a private address range to it. Normally it should be a totally different subnet range than your inside network.

4. Is any NAT needed?

You will need to configure NAT exempt for the inside traffic to talk to the VPN pool.
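Two points in this reply and earlier in the thread are easy to check mechanically: the pool should be a separate subnet from the inside network (a /24 rather than the /16 the client received), and every inside subnet that must reach the pool needs a NAT exemption. The following is an added example, not the thread's or Cisco's own configuration; it uses the client address and mask from the ipconfig output above (10.1.80.1 / 255.255.0.0), while the inside subnets in INSIDE_NETS are an assumption (the thread only shows hosts 10.1.20.98-100 and 10.1.19.99). The onlink_hosts function shows which LAN hosts a client with that mask treats as on-link through the VPN adapter, the situation in which the client ARPs for them across the tunnel and depends on the ASA proxy-ARPing, as described above.

```python
"""Added example (not the thread's own configuration): check a remote-access VPN
pool against the inside networks, following the advice in the thread (separate
subnet, /24 rather than /16, NAT exemption for inside-to-pool traffic)."""
import ipaddress

# Client address and mask from the thread's ipconfig output.
CLIENT_POOL = "10.1.80.1/255.255.0.0"
# Assumed inside subnets; the thread only shows a few hosts in 10.1.20.x and 10.1.19.x.
INSIDE_NETS = {"lan": "10.1.20.0/24", "lan2": "10.1.19.0/24"}
LAN_HOSTS = ["10.1.20.99", "10.1.20.100", "10.1.19.99"]


def pool_issues(pool, inside_nets):
    """Findings for a VPN pool (CIDR or addr/mask string) compared with inside subnets."""
    pool_net = ipaddress.ip_network(pool, strict=False)
    findings = []
    for name, cidr in inside_nets.items():
        net = ipaddress.ip_network(cidr, strict=False)
        if pool_net.overlaps(net):
            findings.append(f"pool {pool_net} overlaps inside network {name} ({net})")
    if pool_net.prefixlen < 24:
        findings.append(f"pool {pool_net} is a /{pool_net.prefixlen}; "
                        "a /24 is enough for a small client pool")
    return findings


def onlink_hosts(pool, hosts):
    """Hosts the client treats as on-link through the VPN adapter, i.e. resolved
    with ARP across the tunnel and reachable only if the ASA proxy-ARPs for them."""
    pool_net = ipaddress.ip_network(pool, strict=False)
    return [h for h in hosts if ipaddress.ip_address(h) in pool_net]


def nat_exempt_pairs(inside_nets, pool):
    """(inside subnet, pool) pairs a NAT exemption has to cover. The ASA syntax
    differs between software versions, so only the pairs are produced here."""
    pool_net = str(ipaddress.ip_network(pool, strict=False))
    return [(str(ipaddress.ip_network(c, strict=False)), pool_net)
            for c in inside_nets.values()]


if __name__ == "__main__":
    for finding in pool_issues(CLIENT_POOL, INSIDE_NETS):
        print("finding:", finding)
    print("on-link through the VPN adapter:", onlink_hosts(CLIENT_POOL, LAN_HOSTS))
    print("after moving the pool to a /24:", pool_issues("10.1.80.0/24", INSIDE_NETS))
    print("NAT exemption pairs:", nat_exempt_pairs(INSIDE_NETS, "10.1.80.0/24"))
```

With the /16 mask every LAN host in the list is on-link from the client's point of view, which matches the arp -a output above where 10.1.19.99 and 10.1.20.x all resolve to the same MAC through the 10.1.80.1 interface; with a 10.1.80.0/24 pool the findings list is empty and those hosts are reached through the tunnel's route instead.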

What I mean is, do I need to configure any additional access list to allow or control the traffic? Thanks for your patience.