Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

remote vpn and site to site vpn remote vpn users unable to access local network

As per below config remote vpn and site to site vpn remote vpn users unable to access local network please suggest me any config required  

 

Local server ip 192.168.215.4 not able to ping this server remote vpn connectivity working fine but local network not able to ping from vpn users. 

 

ASA Version 8.2(2)
!
hostname 
domain-name kunchevrolet
enable password r8xwsBuKsSP7kABz encrypted
passwd r8xwsBuKsSP7kABz encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 pppoe client vpdn group dataone
 ip address pppoe
!
interface Ethernet0/1
 nameif inside
 security-level 50
 ip address 192.168.215.2 255.255.255.0
!
interface Ethernet0/2
 nameif Internet
 security-level 0
 ip address dhcp setroute
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
 management-only
!
ftp mode passive
clock timezone IST 5 30
dns server-group DefaultDNS
 domain-name kunchevrolet
same-security-traffic permit intra-interface
object-group network GM-DC-VPN-Gateway
object-group network net-local
access-list sptnl extended permit ip 192.168.215.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat extended permit ip 192.168.215.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list split-tunnel standard permit 192.168.215.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu Internet 1500
ip local pool vpn_users 192.168.2.1-192.168.2.250 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 59.90.214.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
aaa authentication enable console LOCAL
aaa authentication serial console LOCAL
http server enable
http x.x.x.x 255.255.255.252 outside
http 192.168.215.0 255.255.255.252 inside
http 192.168.215.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dynmap 65500 set transform-set myset
crypto map VPN 10 ipsec-isakmp dynamic dynmap
crypto map VPN interface outside
crypto map ASA-01 10 set peer 221.135.138.130
crypto map ASA-01 10 set transform-set myset
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 28800
telnet 192.168.215.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
management-access inside
vpdn group dataone request dialout pppoe
vpdn group dataone localname bb4027654187_scdrid
vpdn group dataone ppp authentication chap
vpdn username bb4027654187_scdrid password ***** store-local
dhcp-client client-id interface Internet
dhcpd dns 218.248.255.141 218.248.245.1
!
dhcpd address 192.168.215.11-192.168.215.254 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption des-sha1
webvpn
 enable outside
 tunnel-group-list enable
group-policy kun internal
group-policy kun attributes
 vpn-simultaneous-logins 8
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel
 default-domain value kunchevrolet
username test password P4ttSyrm33SV8TYp encrypted
username kunauto password bSHrKTGl8PUbvus/ encrypted privilege 15
username kunauto attributes
 vpn-group-policy kun
 vpn-tunnel-protocol IPSec
tunnel-group vpngroup type remote-access
tunnel-group vpngroup general-attributes
 address-pool vpn_users
 default-group-policy kun
tunnel-group vpngroup webvpn-attributes
 group-alias vpngroup enable
tunnel-group vpngroup ipsec-attributes
 pre-shared-key *****
tunnel-group test type remote-access
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:0d2497e1280e41ab3875e77c6b184cf8
: end
kunauto#

 

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Hi, Looking at the

Hi,

 

Looking at the configuration , there is an access-list present for nat exemption:-

access-list nonat extended permit ip 192.168.215.0 255.255.255.0 192.168.2.0 255.255.255.0

But this is not applied in the nat statements.

Please apply the following command for nat exemption to be applied:-

nat (inside) 0 access-list nonat

 

Regards,

Dinesh Moudgil
 


P.S. Please mark this post as 'Answered' if you find the above information helpful so that it brings goodness to other community users

6 REPLIES
Cisco Employee

Hi, Looking at the

Hi,

 

Looking at the configuration , there is an access-list present for nat exemption:-

access-list nonat extended permit ip 192.168.215.0 255.255.255.0 192.168.2.0 255.255.255.0

But this is not applied in the nat statements.

Please apply the following command for nat exemption to be applied:-

nat (inside) 0 access-list nonat

 

Regards,

Dinesh Moudgil
 


P.S. Please mark this post as 'Answered' if you find the above information helpful so that it brings goodness to other community users

New Member

Thanks for your replayAs per

Thanks for your replay

As per this command nat (inside) 0 access-list nonat applied from firewall i able to ping but trough vpn client connected we are not able to ping local server 192.168.215.4 

(config)# ping 192.168.215.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.215.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
kunauto(config)#

Cisco Employee

Please run continuous pings

Please run continuous pings from  VPN client for 192.168.215.4 and run the following command:-

  • capture cap_test interface inside match ip host  192.168.215.4 host <vpn-clients-assigned-ip>

Send the output of "show capture cap_test"

  • Run "packet-tracer input inside icmp 192.168.215.4 8 0  <vpn-clients-assigned-ip> detailed "
  • Output of "show vpn-sessiondb detal filter name <username>"

 Please refer this link for more details on captures:-
https://supportforums.cisco.com/document/6971/packet-capture-asapix-fwsm

 

Regards,
Dinesh Moudgil

New Member

Please find the below report

Please find the below report

 show capture cap_test

20 packets captured

   1: 04:26:57.419274 192.168.2.2 > 192.168.215.4: icmp: echo request
   2: 04:27:01.932858 192.168.2.2 > 192.168.215.4: icmp: echo request
   3: 04:27:06.933347 192.168.2.2 > 192.168.215.4: icmp: echo request
   4: 04:27:11.931897 192.168.2.2 > 192.168.215.4: icmp: echo request
   5: 04:27:16.934064 192.168.2.2 > 192.168.215.4: icmp: echo request
   6: 04:27:21.931378 192.168.2.2 > 192.168.215.4: icmp: echo request
   7: 04:27:26.930371 192.168.2.2 > 192.168.215.4: icmp: echo request
   8: 04:27:31.932370 192.168.2.2 > 192.168.215.4: icmp: echo request
   9: 04:27:36.939023 192.168.2.2 > 192.168.215.4: icmp: echo request
  10: 04:27:41.931882 192.168.2.2 > 192.168.215.4: icmp: echo request
  11: 04:27:46.933850 192.168.2.2 > 192.168.215.4: icmp: echo request
  12: 04:27:51.930142 192.168.2.2 > 192.168.215.4: icmp: echo request
  13: 04:27:56.930615 192.168.2.2 > 192.168.215.4: icmp: echo request
  14: 04:28:01.930142 192.168.2.2 > 192.168.215.4: icmp: echo request
  15: 04:28:06.930860 192.168.2.2 > 192.168.215.4: icmp: echo request
  16: 04:28:11.930844 192.168.2.2 > 192.168.215.4: icmp: echo request
  17: 04:28:16.931561 192.168.2.2 > 192.168.215.4: icmp: echo request
  18: 04:28:21.929105 192.168.2.2 > 192.168.215.4: icmp: echo request
  19: 04:28:26.929593 192.168.2.2 > 192.168.215.4: icmp: echo request
  20: 04:28:31.429497 192.168.2.2 > 192.168.215.4: icmp: echo request
20 packets shown
kunauto# run
kunauto# run pa
kunauto# pack
kunauto# packet-tracer in
kunauto# packet-tracer input ins
kunauto# packet-tracer input inside ic
kunauto# packet-tracer input inside icmp 192.168.215.4 8 0 192.168.2.2

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 4
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.2.2     255.255.255.255 outside

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global
Additional Information:

Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: DEBUG-ICMP
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
nat-control
  match ip inside 192.168.215.0 255.255.255.0 outside 192.168.2.0 255.255.255.0
    NAT exempt
    translate_hits = 1, untranslate_hits = 358
Additional Information:

Phase: 10
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
nat-control
  match ip inside any outside any
    dynamic translation to pool 1 (59.90.214.144 [Interface PAT])
    translate_hits = 524205, untranslate_hits = 98146
Additional Information:

Phase: 11
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
nat-control
  match ip inside any outside any
    dynamic translation to pool 1 (59.90.214.144 [Interface PAT])
    translate_hits = 524205, untranslate_hits = 98146
Additional Information:

Phase: 12
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:

Phase: 13
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 14
Type: DEBUG-ICMP
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 15
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 16
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 546896, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

kunauto#

Cisco Employee

As in the capture cap_test,

As in the capture cap_test, we can see the packets are coming from VPN client to the server, so client's configuration is good.
You will have to check the routes on devices between ASA and server so that any packet destined to 192.168.2.0 is sent to ASA's inside interface .

Either the devices in between or server is missing the route for 192.168.2.0 vpn client subnet.

 

Regards,

Dinesh Moudgil

 

New Member

kunauto# show vpn-sessiondb

kunauto# show vpn-sessiondb detail remote

Session Type: IPsec Detailed

Username     : kunauto                Index        : 29
Assigned IP  : 192.168.2.2            Public IP    : x.x.x.x
Protocol     : IKE IPsecOverNatT
License      : IPsec
Encryption   : 3DES                   Hashing      : SHA1
Bytes Tx     : 0                      Bytes Rx     : 6000
Pkts Tx      : 0                      Pkts Rx      : 100
Pkts Tx Drop : 0                      Pkts Rx Drop : 0
Group Policy : kun                    Tunnel Group : vpngroup
Login Time   : 04:25:52 IST Sun May 18 2014
Duration     : 0h:09m:22s
Inactivity   : 0h:00m:00s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none

IKE Tunnels: 1
IPsecOverNatT Tunnels: 1

IKE:
  Tunnel ID    : 29.1
  UDP Src Port : 17421                  UDP Dst Port : 4500
  IKE Neg Mode : Aggressive             Auth Mode    : preSharedKeys
  Encryption   : 3DES                   Hashing      : SHA1
  Rekey Int (T): 86400 Seconds          Rekey Left(T): 85844 Seconds
  D/H Group    : 2
  Filter Name  :
  Client OS    : WinNT                  Client OS Ver: 5.0.07.0410

IPsecOverNatT:
  Tunnel ID    : 29.2
  Local Addr   : 0.0.0.0/0.0.0.0/0/0
  Remote Addr  : 192.168.2.2/255.255.255.255/0/0
  Encryption   : 3DES                   Hashing      : SHA1
  Encapsulation: Tunnel
  Rekey Int (T): 28800 Seconds          Rekey Left(T): 28229 Seconds
  Idle Time Out: 30 Minutes             Idle TO Left : 29 Minutes
  Bytes Tx     : 0                      Bytes Rx     : 6180
  Pkts Tx      : 0                      Pkts Rx      : 103

NAC:
  Reval Int (T): 0 Seconds              Reval Left(T): 0 Seconds
  SQ Int (T)   : 0 Seconds              EoU Age(T)   : 571 Seconds
  Hold Left (T): 0 Seconds              Posture Token:
  Redirect URL :

247
Views
0
Helpful
6
Replies