I am fairly new to VPNs so I'm having a bit of difficulty configuring a VPN. I have a router outside of an ASA. The router is doing the NATting as well as acting as the VPN server. I'm able to connect to the VPN, but cannot talk to subnets inside of the local LAN once I'm connected. I think I'm missing something on the firewall itself. Are there any examples of this type of configuration out here on the net? I can't find anything. Can somebody please help me out?
Any firewall statements that would allow this traffic in would be very helpful. Thanks guys!
You have a router terminating the VPN and behind an ASA correct?
If so, the ASA should allow all ports/IPs that you need to access.
The router itself should include the local LAN as part of the VPN traffic, have NAT-T enabled and not be blocking any traffic.
Also the router should be exempting from NAT the local LAN subnet.
The ASA should allow the ports needed because as far as the ASA is aware, there's no VPN.
Thanks for the reply. I get what you are saying, but would you have an example of the config statements? I thought NAT-T was enabled by default on newer IOS releases. I have a 2921 router connected to an ASA 5510.
Router --------- ASA ---------- LAN
Outside router interface 66.110.x.x
Inside router interface 192.168.100.1
Outside ASA interface 192.168.100.2
Inside ASA interface 10.255.0.1
Layer 3 Switch
Layer three connectivity to ASA 10.255.0.2
First things first, we need routes on the ASA and the router to send VPN traffic across without any blocks.
Consider the following scenario:
X---ASA -- Y -- Router 1 --- VPN Tunnel -- Router/ASA --- Z
X is the network/subnet behind the ASA.
Y is the network connecting the ASA and the Router.
Z is the remote network at the end of the tunnel.
Now, we need a route on the ASA pointing traffic for network Z to Router 1.
You need proper NAT statements (if any), and also the firewall rules, ACLs and other settings properly set up on the ASA to provide connectivity.
If you could provide us a sanitised copy of the configuration on the ASA and the 2921 we shall review it and see if we are missing anything.
Hope this helps.
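As an added illustration of the route and firewall rule described above (not configuration posted in this thread), here is what the ASA side could look like for the topology the original poster drew. It assumes the ASA interfaces are named "outside" and "inside", that the VPN client pool is 10.10.100.0/24 (the router pool mentioned later in the thread), that the router's inside address 192.168.100.1 is the next hop, and that 172.20.0.0/16 and 10.4.4.0/24 are the inside LAN subnets (taken from the router's NAT ACL; substitute your own):

```cisco
! Added example, not the poster's ASA configuration.
! Interface names, pool and LAN subnets are assumptions (see lead-in).

! Network Z (the VPN client pool) lives behind Router 1, so send it there.
route outside 10.10.100.0 255.255.255.0 192.168.100.1 1

! As far as the ASA is concerned this is plain traffic arriving on the
! outside interface, so it must be explicitly permitted towards the LAN.
! Keep the permit as narrow as the users actually need (ports/protocols).
access-list OUTSIDE_IN extended permit ip 10.10.100.0 255.255.255.0 172.20.0.0 255.255.0.0
access-list OUTSIDE_IN extended permit ip 10.10.100.0 255.255.255.0 10.4.4.0 255.255.255.0
access-group OUTSIDE_IN in interface outside

! Verification after a client connects:
!   show route                    - route to 10.10.100.0/24 via 192.168.100.1
!   show access-list OUTSIDE_IN   - hit counts increment for client traffic
!   show conn                     - connections from 10.10.100.x to the LAN
```

If the ASA also translates inside addresses towards the router, traffic between the LAN and the pool must additionally be exempted from that translation; the syntax for that depends on the ASA software version (pre-8.3 versus 8.3 and later), so it is not shown here.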
Thanks again. Attached are the configs of both the router and ASA. I'm not sure how to implement the NAT-T. I thought it was enabled by default on newer routers and IOS releases. Also, not sure if I should exclude the router internal IP from NAT in the ACL. I'm so confused right now.
So, I think I got it to work, at least for the first connection. I can see the packets encrypt and decrypt, and I can access other machines on other internal subnets. But after I disconnect from the VPN and reestablish a new VPN connection on the same machine, I get a new conn-id with a new IP address (172.25.1.2 instead of 172.25.1.1), and I am no longer able to ping any machines on the internal subnets. From the client it shows the packets being encrypted, but not decrypted. It only happens after I disconnect from that very first connection after I rebuild the VPN server. To make it work again I have to completely remove the VPN server and rebuild it.
Any insight? It's gotta be something simple.
If I get this topology correct, it is:
VPNClient--------internet--------router(doing nat)---------ASA-----------Local Lan
You are able to connect to the router but cannot ping the local LAN. Let me know if my understanding of this problem is wrong.
I checked your configuration of the router and it seems you do not have NAT bypass configured for the local pool.
Your present NAT configuration:
ip nat inside source list 1 interface GigabitEthernet0/0 overload
access-list 1 remark *** Permit only Inside Subnets ***
access-list 1 permit 172.20.0.0 0.0.255.255
access-list 1 permit 10.4.4.0 0.0.0.255
Your local pool:
ip local pool SDM_POOL_1 10.10.100.1 10.10.100.254
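The NAT exemption that the earlier reply ("the router should be exempting from NAT the local LAN subnet") and this one both point at can be done by replacing the standard ACL with an extended one that denies traffic from the inside subnets to the VPN client pool, so that replies to VPN clients reach the crypto engine with their real source addresses. This is an added example, not the poster's configuration; it uses the subnets, pool and interface name quoted above, and assumes GigabitEthernet0/0 is the outside (ip nat outside) interface. NAT-T itself needs no extra command on this IOS generation: it is enabled by default.

```cisco
! Added example, not the poster's router configuration.
! Subnets, pool and interface name taken from the thread; ACL name assumed.

! Remove the old PAT rule first; IOS will not let the ACL be swapped underneath it.
no ip nat inside source list 1 interface GigabitEthernet0/0 overload

ip access-list extended NAT_ACL
 remark *** NAT bypass: inside subnets talking to VPN clients are not translated ***
 deny   ip 172.20.0.0 0.0.255.255 10.10.100.0 0.0.0.255
 deny   ip 10.4.4.0 0.0.0.255 10.10.100.0 0.0.0.255
 remark *** Everything else from the inside subnets is PATed to the outside address ***
 permit ip 172.20.0.0 0.0.255.255 any
 permit ip 10.4.4.0 0.0.0.255 any

ip nat inside source list NAT_ACL interface GigabitEthernet0/0 overload

! Existing translations keep their old decision until they age out or are cleared.
! (Run from exec mode, this briefly disrupts active outbound sessions.)
!   clear ip nat translation *
!
! Verification while a client is connected and pinging an inside host:
!   show ip nat translations | include 10.10.100   - should return nothing
!   show access-lists NAT_ACL                      - deny lines accumulate matches
!   show crypto ipsec sa                           - both encaps and decaps counters rise
```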
I've added the commands, and thanks for explaining it to me. It's still not working though.
What I meant at the end was this: when I build the VPN server for the first time, the very first VPN client connects fine and can access the internal subnets. It works as advertised, but any subsequent connections do not work. When I pull up the statistics on the VPN client software it shows the pings being encrypted, but not decrypted; see attachment.
If I get this correctly, you are trying to connect from a remote site to this router; you can get only one client working, and if you run another client (while the previous client is still connected and working) you are able to connect but cannot reach the remote LAN?
Can you post show crypto ipsec sa from the router while both clients are connected?
Can you post show ip inter brief when both clients are connected?
Not quite. I am connecting remote users using VPN client software to a router set up as the VPN server. I can only connect with the very first client after the server is built. After that very first client disconnects from the VPN, any subsequent client that connects to the VPN cannot access the internal LANs.
This needs thorough checking and repros; I suggest opening a ticket with Cisco TAC.
Can you change the configuration style from DVTI to dynamic crypto maps?
I think I found the reason. Because this configuration style is DVTI, as soon as one client connects the DVTI pushes a default route into the IP routing table (normal behavior), because you do not have split tunneling configured. Please see:
Understanding & Configuring DVTI:
Try configuring a split tunnel, or change the configuration to classic dynamic crypto maps.
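For the first of the two options above, a split-tunnel ACL attached to the Easy VPN group tells the client (and the router) which destinations belong in the tunnel instead of everything. This is an added example, not the poster's configuration: the group name EZVPN_GROUP and the ACL name are assumptions, the pool name SDM_POOL_1 and the inside subnets come from the router configuration quoted earlier, and the group's other attributes (pre-shared key, DNS, domain and so on) are left as they already are.

```cisco
! Added example, not the poster's router configuration.
! Group name and ACL name are assumptions; pool and subnets come from the thread.

! The split-tunnel ACL lists the protected networks as the SOURCE: these are the
! destinations the client will route through the tunnel. Anything else leaves
! the client directly, so the router no longer has to carry its default route.
ip access-list extended SPLIT_TUNNEL
 remark *** Only the inside subnets are reachable through the VPN ***
 permit ip 172.20.0.0 0.0.255.255 any
 permit ip 10.4.4.0 0.0.0.255 any

crypto isakmp client configuration group EZVPN_GROUP
 pool SDM_POOL_1
 acl SPLIT_TUNNEL

! Clients must disconnect and reconnect to receive the new split-tunnel list.
! Verification:
!   show crypto session detail      - one session per client, with its assigned pool address
!   show ip route                   - a /32 per connected client via its Virtual-Access
!                                     interface, and no default route pointing into the tunnel
!   show crypto ipsec sa            - per-client SAs whose proxy identities match the ACL
```

Keeping the split-tunnel list limited to the subnets users actually need also shrinks what a compromised remote client can reach through the tunnel, which is the same least-privilege consideration as the narrow permit on the ASA.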