Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
345
Views
0
Helpful
6
Replies

No traffic over remote access VPN between iPhone and ASA 5505

cgblount1
Level 1
Level 1

‎05-15-2014 07:07 AM - edited ‎02-21-2020 07:38 PM

This has been driving me mad for days now so any guidance would save me pulling out the remainder of my hair. I have searched the posts here and in other places and tried all the advice offered but have failed to make any progress.

I have an ASA-5505 which has been reset to factory defaults. I have configured the required 2 interfaces and set up a simple local user authenticated IPsec VPN. The VPN establishes fine from an iPhone5 to the ASA but I am unable to browse to a web server on the inside LAN. The routing table shows that the return route to the iPhone has been created when the tunnel established and if I run a ping from the web server to the VPN supplied IP address of the iPhone it hits the inside of the ASA so the basic routing seems to be all OK.

I have ACL's that as far as I can see say any traffic for any source is permitted in and out of both inside and outside interfaces.

The outside interface of the ASA has a public ip address passed through to it from a Virgin Media SuperHUB.

 

Output from sh crypto sa (below) shows encaps and decaps increasing

 

I guess is going to be an ACL somewhere but my Cisco knowledge has run out at this point - Oh and yes I did turn on ASDM to help me with the config

 

Any help would be greatly appreciated

 

Regards

 

Colin 

 

MDM-ASA# sh ipsec sa
interface: Outside
    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 82.xxx.xxx.214

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.10.30.50/255.255.255.255/0/0)
      current_peer: 31.99.161.129, username: test
      dynamic allocated peer ip: 10.10.30.50

      #pkts encaps: 16, #pkts encrypt: 16, #pkts digest: 16
      #pkts decaps: 34, #pkts decrypt: 34, #pkts verify: 34
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 16, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 82.xxx.xxx.214/0, remote crypto endpt.: 31.99.161.129/0
      path mtu 1500, ipsec overhead 74(44), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: 0497140C
      current inbound spi : F2CF6DB6

inbound esp sas:
      spi: 0xF2CF6DB6 (4073680310)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={RA, Tunnel, IKEv1, }
         slot: 0, conn_id: 90112, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
         sa timing: remaining key lifetime (sec): 3484
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x0000007F 0xFFFFFFFF
    outbound esp sas:
      spi: 0x0497140C (77009932)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={RA, Tunnel, IKEv1, }
         slot: 0, conn_id: 90112, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
         sa timing: remaining key lifetime (sec): 3484
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

Labels:
0 Helpful
6 Replies 6

Marvin Rhoads
Hall of Fame
Hall of Fame

‎05-15-2014 07:27 AM

Have you setup NAT exemption for the return traffic to the VPN client (10.10.30.50 in the example you provided or the address pool it's coming from)?

0 Helpful

cgblount1
Level 1
Level 1
In response to Marvin Rhoads

‎05-15-2014 08:32 AM

Hi Marvin

 

I haven't any NAT set up as I thought I wouldn't need it. I am happy for the 10.10.30 address to stray across my LAN and I have a route in the LAN to send that traffic back to the inside interface of the ASA.

 

Is this not going to work?

 

Thanks

 

Colin

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to cgblount1

‎05-15-2014 08:50 AM

Most ASA setups have a global or dynamic NAT for the outside interface as they are used as edge firewalls and not only VPN headends. When you add in a remote access or site-site VPN you typically need to exempt the VPN addresses from that NAT setup.

If you don't have any NAT at all it can be made to work although that would be an unusual setup.

0 Helpful

cgblount1
Level 1
Level 1
In response to Marvin Rhoads

‎05-15-2014 09:00 AM

That's what I was thinking. I have another device as an edge firewall in that network.

 

Here is the whole config (sanitis(z)ed) in case this help someone to help me.

 

Many thanks

 

Colin

 

ASA Version 9.1(3) 
!
hostname MDM-ASA
domain-name sample.demo

xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
xlate per-session permit udp any4 any4 eq domain
xlate per-session permit tcp any4 any4

names
ip local pool iOS 10.10.30.50-10.10.30.75 mask 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 10
 shutdown
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport access vlan 10
!
interface Ethernet0/3
 switchport access vlan 10
!
interface Ethernet0/4
 switchport access vlan 10
!
interface Ethernet0/5
 switchport access vlan 99
!
interface Ethernet0/6
 switchport access vlan 10
!
interface Ethernet0/7
 switchport access vlan 10
!
interface Vlan1
 nameif Inside-22
 security-level 100
 ip address 192.168.22.132 255.255.255.0 
!
interface Vlan99
 nameif Outside
 security-level 0
 ip address 82.xxx.xxx.214 255.255.255.240 
!
boot system disk0:/asa913-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name sample.demo
object network iOS-Devices
 subnet 10.10.30.0 255.255.255.0
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object ip
 protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_2
 protocol-object ip
 protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_3
 protocol-object ip
 protocol-object icmp
access-list Outside_access_in extended permit object-group DM_INLINE_PROTOCOL_3 any4 any4 
access-list Inside-22_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any4 any4 log debugging 
access-list Inside-22_access_out extended permit object-group DM_INLINE_PROTOCOL_2 any4 any4 
access-list iOS-Access-places standard permit 192.168.22.0 255.255.255.0 
pager lines 24
logging enable
logging asdm informational
mtu Inside-22 1500
mtu Outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
access-group Inside-22_access_in in interface Inside-22
access-group Inside-22_access_out out interface Inside-22
access-group Outside_access_in in interface Outside
route Outside 0.0.0.0 0.0.0.0 82.xxx.xxx.209 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL 
http server enable
http 192.168.22.0 255.255.255.255 Inside-22
http 192.168.22.0 255.255.255.0 Inside-22
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside_map interface Outside
crypto ca trustpool policy
crypto ikev1 enable Outside
crypto ikev1 policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 130
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 192.168.22.0 255.255.255.0 Inside-22
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy DfltGrpPolicy attributes
 wins-server value 192.168.22.101
 dns-server value 192.168.22.101
 default-domain value sample.local
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
 vpn-filter value iOS-Access-places
 vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec 
 split-tunnel-policy tunnelall
 split-tunnel-network-list value iOS-Access-places
username test password oFJjANE3QKoA206w encrypted
username ********* password ************* encrypted privilege 15
tunnel-group iOS1 type remote-access
tunnel-group iOS1 general-attributes
 address-pool iOS
 default-group-policy GroupPolicy1
tunnel-group iOS1 ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect ip-options 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny  
  inspect esmtp 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip  
  inspect xdmcp 
!
service-policy global_policy global
prompt hostname context 
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:d386e0bbef2f1d5c6a4b4884384631dc
: end
no asdm history enable

 

 

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to cgblount1

‎05-15-2014 09:10 AM

That helps.

Have you given your inside core a route to the subnet that covers your VPN pool (10.10.30.0/24)?

I assume you are only trying to reach services in the IOS-Access-Places (192.168.22.0/24 subnet) that you have filtered.

I would normally use the

split-tunnel-policy tunnelspecified

..vs "tunnelall" that you have setup (but that shouldn't cause your problem).

0 Helpful

cgblount1
Level 1
Level 1
In response to Marvin Rhoads

‎05-15-2014 09:58 AM

Yes that I understand and have used in the past. It is a requirement of this project that all traffic from the iPhones is sent via the tunnel the phone is configured to dial on demand and there is a catch all there meaning that all traffic outbound will bring up the tunnel.

 

Thanks for the comment though

 

Colin

0 Helpful
Customers Also Viewed These Support Documents