Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

One-way traffic on a remote VPN (Cisco Client)

I have an ASA that I've set up for remote access.  The VPN group I'm using is "companyVPN".  The VPN client connects and I can see the Client-to-ASA traffic crossing the tunnel because the client shows packets being encrypted and the ASA shows them being decrypted.  However, the ASA never shows any traffic being encrypted on the tunnel in the outbound direction.  My inside network is 10.25.1.0/24 and the remote VPN DHCP pool is 10.251.0.0/24.  I've pasted the results of packet tracer below along with a sanitized version of the config. 

ASA# packet-tracer input inside tcp 10.25.1.30 5000 10.251.0.100 80

Phase: 1

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

Config:

Additional Information:

Found no matching flow, creating a new flow

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   0.0.0.0         0.0.0.0         outside

Phase: 3

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 4

Type: NAT-EXEMPT

Subtype:

Result: ALLOW

Config:

  match ip inside 10.25.1.0 255.255.255.0 outside 10.251.0.0 255.255.255.0

    NAT exempt

    translate_hits = 5, untranslate_hits = 2384

Additional Information:

Phase: 5

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (inside) 1 0.0.0.0 0.0.0.0

  match ip inside any outside any

    dynamic translation to pool 1 (x.x.x.x(outside int IP) [Interface PAT])

    translate_hits = 0, untranslate_hits = 0

Additional Information:

Phase: 6

Type: NAT

Subtype: host-limits

Result: ALLOW

Config:      

nat (inside) 1 0.0.0.0 0.0.0.0

  match ip inside any outside any

    dynamic translation to pool 1 (x.x.x.x(outside int IP) [Interface PAT])

    translate_hits = 0, untranslate_hits = 0

Additional Information:

Phase: 7

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 8

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 2889, packet dispatched to next module

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: allow

--------------------------------------------------------------------------------------

interface Ethernet0/0

nameif outside

security-level 0

ip address XXXX 255.255.255.240

!

interface Ethernet0/1

nameif inside

security-level 100

ip address 10.25.1.2 255.255.255.0

!

interface Ethernet0/2

nameif dmz

security-level 50

ip address 10.250.0.1 255.255.0.0

!

boot system disk0:/asa822-k8.bin

ftp mode passive

clock timezone CENTRAL -6

clock summer-time CENTRAL recurring

dns domain-lookup inside

dns server-group company

name-server 10.25.1.31

domain-name company.local

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

access-list SPLIT_TUNNEL_ACL_FOR_REMOTE_ACCESS_VPN remark *** BEGIN *** ALLOWS R.A. VPN USERS TO USE SPLIT TUNNELING ***

access-list SPLIT_TUNNEL_ACL_FOR_REMOTE_ACCESS_VPN extended permit ip 10.1.20.0 255.255.255.0 any

access-list SPLIT_TUNNEL_ACL_FOR_REMOTE_ACCESS_VPN extended permit ip 10.10.10.0 255.255.255.0 any

access-list SPLIT_TUNNEL_ACL_FOR_REMOTE_ACCESS_VPN extended permit ip 192.168.50.0 255.255.255.0 any

access-list SPLIT_TUNNEL_ACL_FOR_REMOTE_ACCESS_VPN extended permit ip 192.168.16.0 255.255.255.0 any

access-list SPLIT_TUNNEL_ACL_FOR_REMOTE_ACCESS_VPN extended permit ip 172.30.0.0 255.255.255.0 any

access-list SPLIT_TUNNEL_ACL_FOR_REMOTE_ACCESS_VPN extended permit ip 10.250.0.0 255.255.0.0 any

access-list SPLIT_TUNNEL_ACL_FOR_REMOTE_ACCESS_VPN extended permit ip 10.25.1.0 255.255.255.0 any

access-list SPLIT_TUNNEL_ACL_FOR_REMOTE_ACCESS_VPN extended permit ip any 10.25.1.0 255.255.255.0

access-list VPN_NAT remark *** BEGIN *** ALLOWS FOR VPN TRAFFIC TO CROSS THE TUNNELS WITHOUT NATTING ***

access-list VPN_NAT extended permit ip 10.25.1.0 255.255.255.0 192.168.50.0 255.255.255.0

access-list VPN_NAT extended permit ip 10.25.1.0 255.255.255.0 10.1.20.0 255.255.255.0

access-list VPN_NAT extended permit ip 10.25.1.0 255.255.255.0 172.30.0.0 255.255.255.0

access-list VPN_NAT extended permit ip 10.25.1.0 255.255.255.0 192.168.16.0 255.255.255.0

access-list VPN_NAT extended permit ip 10.250.0.0 255.255.0.0 192.168.16.0 255.255.255.0

access-list VPN_NAT extended permit ip 10.25.1.0 255.255.255.0 10.251.0.0 255.255.255.0

access-list companyVPN_splitTunnelAcl standard permit 10.25.1.0 255.255.255.0

pager lines 24

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu dmz 1500

mtu management 1500

ip local pool VPN_DHCP 10.251.0.100-10.251.0.254 mask 255.255.255.0

no failover

icmp unreachable rate-limit 1 burst-size 1

icmp permit any outside

icmp permit 10.5.0.0 255.255.0.0 inside

icmp permit any inside

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list VPN_NAT

nat (inside) 1 0.0.0.0 0.0.0.0

nat (dmz) 1 10.250.0.0 255.255.0.0

route outside 0.0.0.0 0.0.0.0 XXXXX 1

route inside 10.3.0.0 255.255.254.0 10.25.1.1 1

route inside 10.5.1.0 255.255.255.0 10.25.1.1 1

route inside 10.5.3.0 255.255.255.0 10.25.1.1 1

route inside 10.5.10.0 255.255.255.0 10.25.1.1 1

route inside 10.5.25.0 255.255.255.0 10.25.1.1 1

route inside 10.5.30.0 255.255.255.0 10.25.1.1 1

route inside 10.5.55.0 255.255.255.0 10.25.1.1 1

route inside 10.5.56.0 255.255.255.0 10.25.1.1 1

route inside 10.8.8.0 255.255.255.0 10.25.1.1 1

route inside 10.10.10.0 255.255.255.0 10.25.1.1 1

route inside 192.168.2.0 255.255.255.0 10.25.1.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa-server company_VPN_ACCESS protocol radius

aaa-server company_VPN_ACCESS (inside) host 10.25.1.31

key *****

aaa authentication ssh console LOCAL

http server enable

http 192.168.1.0 255.255.255.0 management

http 0.0.0.0 0.0.0.0 inside

http 0.0.0.0 0.0.0.0 outside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set VPN_TRANS_SET esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map VPN_CRYPTO_MAP 100 match address CryptoDHT

crypto map VPN_CRYPTO_MAP 100 set peer 12.46.43.66

crypto map VPN_CRYPTO_MAP 100 set transform-set ESP-3DES-SHA

crypto map VPN_CRYPTO_MAP 150 match address SRVA_WTFL

crypto map VPN_CRYPTO_MAP 150 set peer 64.57.236.130

crypto map VPN_CRYPTO_MAP 150 set transform-set VPN_TRANS_SET

crypto map VPN_CRYPTO_MAP 160 match address SRVA_CANQ

crypto map VPN_CRYPTO_MAP 160 set peer 68.179.54.193

crypto map VPN_CRYPTO_MAP 160 set transform-set VPN_TRANS_SET

crypto map VPN_CRYPTO_MAP 170 match address SEMI_DUNK

crypto map VPN_CRYPTO_MAP 170 set peer 12.157.35.98

crypto map VPN_CRYPTO_MAP 170 set transform-set VPN_TRANS_SET

crypto map VPN_CRYPTO_MAP 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map VPN_CRYPTO_MAP interface outside

crypto isakmp identity address

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto isakmp policy 20

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp nat-traversal 3600

crypto isakmp ipsec-over-tcp port 10000 10001 10002 10003 10004 10005

telnet 0.0.0.0 0.0.0.0 outside

telnet 0.0.0.0 0.0.0.0 inside

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 outside

ssh 0.0.0.0 0.0.0.0 inside

ssh timeout 5

console timeout 30

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

enable outside

default-idle-timeout 3600

svc enable

tunnel-group-list enable

group-policy PRODUCTION internal

group-policy PRODUCTION attributes

banner value This is a private facility. Individuals using this system expressly consents to monitoring. Unless you are so authorized, your continued access and any other use

dns-server value 10.25.1.31

vpn-idle-timeout none

vpn-tunnel-protocol IPSec l2tp-ipsec webvpn

webvpn

  url-list value PRODUCTION

  file-entry enable

  file-browsing enable

  url-entry disable

group-policy PROTOTYPE internal

group-policy PROTOTYPE attributes

banner value This is a private facility. Individuals using this system expressly consents to monitoring. Unless you are so authorized, your continued access and any other use

dns-server value 10.25.1.31

vpn-idle-timeout none

vpn-tunnel-protocol IPSec l2tp-ipsec webvpn

webvpn

  url-list value PROTOTYPE

  file-entry enable

  file-browsing enable

  url-entry disable

group-policy company_VPN_ACCESS internal

group-policy company_VPN_ACCESS attributes

banner value This is a private facility. Individuals using this system expressly consents to monitoring. Unless you are so authorized, your continued access and any other use

dns-server value 10.25.1.31

split-tunnel-policy tunnelspecified

split-tunnel-network-list value SPLIT_TUNNEL_ACL_FOR_REMOTE_ACCESS_VPN

default-domain value company.local

group-policy companyREMOTE internal

group-policy companyREMOTE attributes

dns-server value 10.25.1.31

vpn-tunnel-protocol IPSec webvpn

split-tunnel-policy tunnelspecified

split-tunnel-network-list value SPLIT_TUNNEL_ACL_FOR_REMOTE_ACCESS_VPN

default-domain value company.LOCAL

group-policy companyVPN internal

group-policy companyVPN attributes

dns-server value 10.25.1.31

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value companyVPN_splitTunnelAcl

default-domain value company.local

tunnel-group companyREMOTE ipsec-attributes

pre-shared-key *****

tunnel-group companyVPN type remote-access

tunnel-group companyVPN general-attributes

address-pool VPN_DHCP

authentication-server-group company_VPN_ACCESS

default-group-policy companyVPN

tunnel-group companyVPN ipsec-attributes

pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

!

service-policy global_policy global

prompt hostname context

: end

1 REPLY

One-way traffic on a remote VPN (Cisco Client)

please change your no-nat rule if you are putting on inside then source should be inside subnet and destination would be vpn pool.

if you are considering all the inside subnets

access-list VPN_NAT remark *** BEGIN *** ALLOWS FOR VPN TRAFFIC TO CROSS THE TUNNELS WITHOUT NATTING ***

access-list VPN_NAT extended permit ip 10.25.1.0 255.255.255.0 192.168.50.0 255.255.255.0

access-list VPN_NAT extended permit ip 10.25.1.0 255.255.255.0 10.1.20.0 255.255.255.0

access-list VPN_NAT extended permit ip 10.25.1.0 255.255.255.0 172.30.0.0 255.255.255.0

access-list VPN_NAT extended permit ip 10.25.1.0 255.255.255.0 192.168.16.0 255.255.255.0

access-list VPN_NAT extended permit ip 10.250.0.0 255.255.0.0 192.168.16.0 255.255.255.0

access-list VPN_NAT extended permit ip 10.25.1.0 255.255.255.0 10.251.0.0 255.255.255.0

instead of this you can just use one line

nat (inside) 0 access-list VPN_NAT

where acl would be

access-list VPN_NAT extended permit ip any 10.251.0.0 255.255.255.0

Thanks

Ajay

415
Views
0
Helpful
1
Replies
CreatePlease to create content