Remote access VPN client gets connected no access to LAN

asirajahmed (Level 1)

: Saved
:
ASA Version 8.6(1)2
!
hostname COL-ASA-01
domain-name dr.test.net
enable password i/RAo1iZPOnp/BK7 encrypted
passwd i/RAo1iZPOnp/BK7 encrypted
names
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 172.32.0.11 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.9.200.126 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 nameif failover
 security-level 0
 ip address 192.168.168.1 255.255.255.0 standby 192.168.168.2
!
interface Management0/0
 nameif management
 security-level 0
 ip address 192.168.2.11 255.255.255.0
!
ftp mode passive
dns server-group DefaultDNS
 domain-name dr.test.net
object network RAVPN
 subnet 192.168.0.0 255.255.255.0
object network NETWORK_OBJ_192.168.200.0_24
 subnet 192.168.200.0 255.255.255.0
object network NETWORK_OBJ_192.9.200.0_24
 subnet 192.9.200.0 255.255.255.0
object-group network inside_network
 network-object 192.9.200.0 255.255.255.0
object-group network Outside
 network-object host 172.32.0.25
access-list RAVPN_splitTunnelAcl standard permit 192.9.200.0 255.255.255.0
access-list test123 extended permit ip host 192.168.200.1 host 192.9.200.190
access-list test123 extended permit ip host 192.9.200.190 host 192.168.200.1
access-list test123 extended permit ip object NETWORK_OBJ_192.168.200.0_24 192.9.200.0 255.255.255.0
access-list test123 extended permit ip 192.9.200.0 255.255.255.0 object NETWORK_OBJ_192.9.200.0_24
pager lines 24
mtu management 1500
mtu outside 1500
mtu inside 1500
mtu failover 1500
ip local pool RAVPN 192.168.200.1-192.168.200.254 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-66114.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source dynamic any interface
nat (any,inside) source static NETWORK_OBJ_192.168.200.0_24 NETWORK_OBJ_192.168.200.0_24 destination static NETWORK_OBJ_192.9.200.0_24 NETWORK_OBJ_192.9.200.0_24
route outside 0.0.0.0 0.0.0.0 172.32.0.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
 enrollment terminal
 subject-name CN=KWI-COL-ASA-01.dr.test.net,O=KWI,C=US
 crl configure
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 130
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 192.9.200.0 255.255.255.0 inside
telnet timeout 30
ssh 0.0.0.0 0.0.0.0 management
ssh 0.0.0.0 0.0.0.0 outside
ssh 66.35.45.128 255.255.255.192 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 30
ssh version 2
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
group-policy DfltGrpPolicy attributes
group-policy RAVPN internal
group-policy RAVPN attributes
 wins-server value 192.9.200.164
 dns-server value 66.35.46.84 66.35.47.12
 vpn-filter value test123
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value test123
 default-domain value dr.kligerweiss.net
username test password xxxxxxx encrypted
username admin password aaaaaaaaaaaa encrypted privilege 15
username vpntest password ddddddddddd encrypted
tunnel-group RAVPN type remote-access
tunnel-group RAVPN general-attributes
 address-pool RAVPN
 default-group-policy RAVPN
tunnel-group RAVPN ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly 2
  subscribe-to-alert-group configuration periodic monthly 2
  subscribe-to-alert-group telemetry periodic daily
password encryption aes
Cryptochecksum:b001e526a239af2c73fa56f3ca7667ea
: end
COL-ASA-01#

Here is a capture done on the inside interface which may help too. I tried pointing the gateway to the inside interface on the target device, but I think this is a switch without ip route available on it; I believe that is still sending packets back to the Cisco inside interface.

COL-ASA-01# sho cap test | in 192.168.200
 25: 23:45:55.570618 192.168.200.1 > 192.9.200.190: icmp: echo request
 29: 23:45:56.582794 192.168.200.1.137 > 192.9.200.164.137:  udp 68
 38: 23:45:58.081050 192.168.200.1.137 > 192.9.200.164.137:  udp 68
 56: 23:45:59.583176 192.168.200.1.137 > 192.9.200.164.137:  udp 68
 69: 23:46:00.573517 192.168.200.1 > 192.9.200.190: icmp: echo request
 98: 23:46:05.578110 192.168.200.1 > 192.9.200.190: icmp: echo request
 99: 23:46:05.590057 192.168.200.1.137 > 192.9.200.164.137:  udp 68
108: 23:46:07.092310 192.168.200.1.137 > 192.9.200.164.137:  udp 68
115: 23:46:08.592468 192.168.200.1.137 > 192.9.200.164.137:  udp 68
116: 23:46:10.580795 192.168.200.1 > 192.9.200.190: icmp: echo request
COL-ASA-01#

Any help or pointers greatly appreciated. I am doing this config after a long gap on Cisco; the last time I was working on it, it was all PIX, so I just need some expert eyes to let me know if I am missing something.

And yes, I do not have a host in the inside network to test against; all I have is a switch which cannot route, and ip default-gateway is not helping either...

Accepted Solution

Hi,

The first thing you should do to avoid problems is to change the VPN Pool to something other than the current LAN network, as they are not really directly connected in the same network segment.

You could try the following changes

tunnel-group RAVPN general-attributes
 no address-pool RAVPN
no ip local pool RAVPN 192.168.200.1-192.168.200.254 mask 255.255.255.0
ip local pool RAVPN 192.168.201.1-192.168.201.254 mask 255.255.255.0
tunnel-group RAVPN general-attributes
 address-pool RAVPN
no nat (any,inside) source static NETWORK_OBJ_192.168.200.0_24 NETWORK_OBJ_192.168.200.0_24 destination static NETWORK_OBJ_192.9.200.0_24 NETWORK_OBJ_192.9.200.0_24

In the above you first remove the VPN Pool from the "tunnel-group", then remove and recreate the VPN Pool with another network and insert it back into the same "tunnel-group". Next you remove the current NAT configuration.

object network LAN
 subnet 192.168.200.0 255.255.255.0
object network VPN-POOL
 subnet 192.168.201.0 255.255.255.0
nat (inside,outside) 1 source static LAN LAN destination static VPN-POOL VPN-POOL

The above NAT configuration adds the correct NAT0 configuration for the changed VPN Pool. It also inserts the NAT rule at the very top, before the Dynamic PAT rule you currently have. That is also one of the problems with the configuration, as it will override your current NAT configurations.

You have your Dynamic PAT rule at the very top of your NAT rules currently, which is not a good idea. If you wish to change it to something that won't override the other NAT configurations in the future, you can do the following change.

no nat (inside,outside) source dynamic any interface
nat (inside,outside) after-auto source dynamic any interface

NOTICE! Changing the above Dynamic PAT configuration will temporarily terminate all connections for users from the LAN as you reconfigure the Dynamic PAT rule. So if you do this change, make sure that it's ok to cause a small cut in the current connections of internal users.

Hope this helps

Let me know if it works for you

- Jouni
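The ordering problem Jouni describes (a manual dynamic PAT rule at the top of section 1 that matches before any NAT exemption is reached) can be checked mechanically rather than by eye. The following Python script is an added example, not a Cisco tool and not part of this thread: it parses a constructed excerpt of the posted configuration, models the manual (section 1) and after-auto (section 3) parts of the NAT table, and reports identity rules that some flow never reaches. In the "after" excerpt the LAN object is given the inside interface's subnet, 192.9.200.0/24, so the exemption matches what the firewall actually has; the regexes and the assumption that addresses on no connected subnet arrive via the outside interface (the posted default route) are mine.

```python
"""NAT-table order check for a Cisco ASA config excerpt (added example, not a
Cisco tool). Models manual NAT (section 1) and after-auto NAT (section 3) only;
object NAT (section 2) is absent from the posted config and is not modelled."""
import ipaddress
import re

# Constructed excerpt of the configuration posted in the question.
BEFORE = """\
interface GigabitEthernet0/1
 nameif inside
 ip address 192.9.200.126 255.255.255.0
object network NETWORK_OBJ_192.168.200.0_24
 subnet 192.168.200.0 255.255.255.0
object network NETWORK_OBJ_192.9.200.0_24
 subnet 192.9.200.0 255.255.255.0
nat (inside,outside) source dynamic any interface
nat (any,inside) source static NETWORK_OBJ_192.168.200.0_24 NETWORK_OBJ_192.168.200.0_24 destination static NETWORK_OBJ_192.9.200.0_24 NETWORK_OBJ_192.9.200.0_24
"""
# Constructed: the same excerpt after the accepted answer's changes; the LAN
# object is given the inside interface's subnet.
AFTER = """\
interface GigabitEthernet0/1
 nameif inside
 ip address 192.9.200.126 255.255.255.0
object network LAN
 subnet 192.9.200.0 255.255.255.0
object network VPN-POOL
 subnet 192.168.201.0 255.255.255.0
nat (inside,outside) 1 source static LAN LAN destination static VPN-POOL VPN-POOL
nat (inside,outside) after-auto source dynamic any interface
"""
# Assumed show-run syntax for manual NAT lines.
NAT_RE = re.compile(
    r"^nat \((?P<src_if>[\w-]+),(?P<dst_if>[\w-]+)\)(?P<after> after-auto)?(?: (?P<pos>\d+))?"
    r" source (?P<kind>static|dynamic) (?P<src>\S+) \S+(?: destination static (?P<dst>\S+) \S+)?")
ANY = ipaddress.ip_network("0.0.0.0/0")

def parse_asa(text):
    cfg = {"interfaces": {}, "objects": {}, "nat": {1: [], 3: []}}
    block = None  # ("if", name) or ("obj", name) while inside an indented block
    for line in text.splitlines():
        w = line.split()
        if line.startswith("interface "):
            block = ("if", w[1])
            cfg["interfaces"][w[1]] = {}
        elif line.startswith("object network "):
            block = ("obj", w[2])
        elif line.startswith(" ") and block and w:
            kind, name = block
            if kind == "if" and w[0] == "nameif":
                cfg["interfaces"][name]["nameif"] = w[1]
            elif kind == "if" and w[:2] == ["ip", "address"]:
                cfg["interfaces"][name]["net"] = ipaddress.ip_interface(f"{w[2]}/{w[3]}").network
            elif kind == "obj" and w[0] == "subnet":
                cfg["objects"][name] = ipaddress.ip_network(f"{w[1]}/{w[2]}")
        elif m := NAT_RE.match(line):
            block = None
            rule = {"line": line, **{k: m[k] for k in ("src_if", "dst_if", "kind", "src", "dst")}}
            section = 3 if m["after"] else 1
            # an explicit line number inserts at that position; otherwise the rule is appended
            pos = int(m["pos"]) - 1 if m["pos"] else len(cfg["nat"][section])
            cfg["nat"][section].insert(pos, rule)
        else:
            block = None
    cfg["interfaces"] = {v["nameif"]: v["net"] for v in cfg["interfaces"].values()
                         if "nameif" in v and "net" in v}
    return cfg

def ingress_interface(cfg, ip):
    """Connected subnet wins; anything else is assumed to arrive via the
    default route on outside, as in the posted config."""
    return next((n for n, net in cfg["interfaces"].items() if ip in net), "outside")

def first_nat_match(cfg, src_ip, dst_ip):
    """First rule the flow hits, walking section 1 then 3 in table order. Static
    twice-NAT rules are bidirectional, so a rule also matches on its mapped side."""
    src_ip, dst_ip = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    ingress = ingress_interface(cfg, src_ip)
    for section in (1, 3):
        for r in cfg["nat"][section]:
            src_net = cfg["objects"].get(r["src"], ANY)  # "any" => 0.0.0.0/0
            dst_net = cfg["objects"].get(r["dst"], ANY)  # no destination clause => 0.0.0.0/0
            if r["src_if"] in ("any", ingress) and src_ip in src_net and dst_ip in dst_net:
                return r
            if (r["kind"] == "static" and r["dst"] and r["dst_if"] in ("any", ingress)
                    and src_ip in dst_net and dst_ip in src_net):
                return r
    return None

def shadowed_exemptions(cfg):
    """Identity rules (X X destination Y Y) that a flow between X and Y never reaches
    because an earlier rule claims it; both directions are probed with first hosts."""
    findings = []
    for section in (1, 3):
        for r in cfg["nat"][section]:
            if r["kind"] != "static" or not r["dst"]:
                continue
            a = next(cfg["objects"][r["src"]].hosts())
            b = next(cfg["objects"][r["dst"]].hosts())
            for src, dst in ((a, b), (b, a)):
                hit = first_nat_match(cfg, src, dst)
                if hit is not r:
                    findings.append((f"{src}->{dst}", r["line"], hit["line"] if hit else None))
    return findings

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        for flow, rule, winner in shadowed_exemptions(parse_asa(text)):
            print(f"{label}: {flow} never reaches '{rule}'; first match is '{winner}'")
```

Run as posted, the "before" table reports that a LAN-originated flow (192.9.200.1 to the VPN client 192.168.200.1) is claimed by the dynamic PAT line before the exemption is consulted, which is exactly the override Jouni warns about; the "after" table, with the exemption at line 1 and the PAT moved to after-auto, reports nothing.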


3 Replies

asirajahmed (Level 1)

I also noticed this on the access switch: I can see the remote client IP address without a MAC address, which explains it. My damn switch is not routing back; it is doing an ARP for the destination instead of sending the packet back to the ASA inside interface. So I need to wait till I put some physical host on the switch.

Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.9.200.18            0   0014.4f45.aba6  ARPA   Vlan4000
Internet  192.168.200.254         -   6c41.6a6f.3544  ARPA   Vlan2000
Internet  192.168.2.1             -   6c41.6a6f.3543  ARPA   Vlan1000
Internet  192.168.2.29           23   0010.e03c.5d76  ARPA   Vlan1000
Internet  192.9.200.126           9   4c00.821d.a717  ARPA   Vlan4000
Internet  172.32.0.2            215   7cad.74e8.45d2  ARPA   Vlan101
Internet  172.32.0.21             -   6c41.6a6f.3541  ARPA   Vlan101
Internet  192.168.200.1           0   Incomplete      ARPA
Internet  192.9.200.184           1   0004.961c.0a30  ARPA   Vlan4000
Internet  192.9.200.190           -   6c41.6a6f.3545  ARPA   Vlan4000
COL-SWT-01#


Hi Jouni,

Thanks for your time, I really appreciate it. I figured that out and already changed the pool to 192.168.100.0/24.

The main reason the earlier pool wasn't working was this: my colleague had configured a VLAN on the LAN switch without my knowledge; this was done for some other reason.

COL-SWT-01#sh ip int br
Interface              IP-Address      OK? Method Status                Protocol
Vlan1                  unassigned      YES NVRAM  administratively down down
Vlan101                172.32.0.21     YES NVRAM  up                    up
Vlan255                unassigned      YES NVRAM  up                    up
Vlan1000               192.168.2.2     YES manual up                    up
Vlan2000               192.168.200.254 YES NVRAM  up                    up
Vlan4000               192.9.200.190   YES NVRAM  up                    up
FastEthernet0          unassigned      YES NVRAM  administratively down down

After I changed the pool it worked, and later we ran into other trunking issues on an interface that were taken care of. Thanks for the commands though; it took me a while to figure that out with sh run | in 192.168.200 and all those little things.
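The switch-side cause found here (an SVI, Vlan2000, sitting in the same /24 as the VPN pool, so the switch ARPs for the client locally instead of routing to the ASA) can be spotted from the two outputs posted in this thread. The following Python script is an added example, not Cisco code: it parses constructed copies of the `sh ip int br` and ARP-table output above, flags any SVI whose subnet overlaps a given pool, and lists the Incomplete ARP entries for pool addresses, which are the symptom. Because `sh ip int br` prints no mask, every SVI is assumed to be a /24 (the `prefixlen` parameter is mine); on a real switch take the mask from `show ip interface <name>`.

```python
"""Switch-side check for a remote-access VPN pool (added example, not Cisco code):
does an SVI on the LAN switch overlap the pool, and are pool addresses stuck as
Incomplete in the ARP table? Masks are assumed (/24) since 'sh ip int br' has none."""
import ipaddress

# Constructed from the 'sh ip int br' output posted in the thread.
SH_IP_INT_BR = """\
Interface              IP-Address      OK? Method Status                Protocol
Vlan1                  unassigned      YES NVRAM  administratively down down
Vlan101                172.32.0.21     YES NVRAM  up                    up
Vlan255                unassigned      YES NVRAM  up                    up
Vlan1000               192.168.2.2     YES manual up                    up
Vlan2000               192.168.200.254 YES NVRAM  up                    up
Vlan4000               192.9.200.190   YES NVRAM  up                    up
FastEthernet0          unassigned      YES NVRAM  administratively down down
"""
# Constructed from the ARP table posted in the thread (subset of rows).
SH_IP_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.9.200.18            0   0014.4f45.aba6  ARPA   Vlan4000
Internet  192.168.200.254         -   6c41.6a6f.3544  ARPA   Vlan2000
Internet  192.9.200.126           9   4c00.821d.a717  ARPA   Vlan4000
Internet  192.168.200.1           0   Incomplete      ARPA
Internet  192.9.200.190           -   6c41.6a6f.3545  ARPA   Vlan4000
"""

def parse_ip_int_brief(text, prefixlen=24):
    """{interface: network} for every interface with an address. prefixlen is an
    assumption: the brief output carries no mask, so /24 is applied to all."""
    svis = {}
    for line in text.splitlines()[1:]:          # skip the column header
        w = line.split()
        if len(w) >= 2 and w[1] != "unassigned":
            svis[w[0]] = ipaddress.ip_interface(f"{w[1]}/{prefixlen}").network
    return svis

def parse_arp(text):
    """[(ip, hardware address or 'Incomplete', interface or None)]"""
    rows = []
    for line in text.splitlines()[1:]:
        w = line.split()
        if len(w) >= 5 and w[0] == "Internet":
            rows.append((ipaddress.ip_address(w[1]), w[3], w[5] if len(w) > 5 else None))
    return rows

def svis_in_pool(svis, pool):
    """Interfaces whose (assumed) subnet overlaps the VPN pool: the switch will
    treat pool addresses as directly connected and ARP for them."""
    pool = ipaddress.ip_network(pool)
    return sorted(name for name, net in svis.items() if net.overlaps(pool))

def incomplete_for_pool(arp, pool):
    """Pool addresses the switch tried to resolve on the wire and could not."""
    pool = ipaddress.ip_network(pool)
    return [str(ip) for ip, hw, _ in arp if hw == "Incomplete" and ip in pool]

def diagnose(pool, int_brief=SH_IP_INT_BR, arp_text=SH_IP_ARP):
    """One-line verdict for a candidate pool against the switch's state."""
    overlapping = svis_in_pool(parse_ip_int_brief(int_brief), pool)
    stuck = incomplete_for_pool(parse_arp(arp_text), pool)
    if overlapping:
        return (f"pool {pool} overlaps {', '.join(overlapping)}: clients are ARPed for "
                f"locally instead of routed to the ASA; unresolved: {stuck or 'none yet'}")
    return f"pool {pool} is not a connected subnet here; it needs a route to the ASA inside interface"

if __name__ == "__main__":
    print(diagnose("192.168.200.0/24"))   # the original pool
    print(diagnose("192.168.100.0/24"))   # the pool the asker moved to
```

With the original pool the script names Vlan2000 and the stuck 192.168.200.1 entry; with the replacement pool 192.168.100.0/24 it reports no overlap, which matches the outcome described above. The same check, run before a pool is chosen, is a cheap way to keep a remote-access pool off every directly connected subnet on both the firewall and the LAN switches.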
