remote vpn and site to site vpn remote vpn users unable to access local network

tnrs_tnrs
Level 1

As per the config below (remote VPN and site-to-site VPN), remote VPN users are unable to access the local network. Please suggest any config required.

 

Local server IP 192.168.215.4: not able to ping this server. Remote VPN connectivity is working fine, but the local network cannot be pinged from the VPN users.

 

ASA Version 8.2(2)
!
hostname 
domain-name kunchevrolet
enable password r8xwsBuKsSP7kABz encrypted
passwd r8xwsBuKsSP7kABz encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 pppoe client vpdn group dataone
 ip address pppoe
!
interface Ethernet0/1
 nameif inside
 security-level 50
 ip address 192.168.215.2 255.255.255.0
!
interface Ethernet0/2
 nameif Internet
 security-level 0
 ip address dhcp setroute
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
 management-only
!
ftp mode passive
clock timezone IST 5 30
dns server-group DefaultDNS
 domain-name kunchevrolet
same-security-traffic permit intra-interface
object-group network GM-DC-VPN-Gateway
object-group network net-local
access-list sptnl extended permit ip 192.168.215.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat extended permit ip 192.168.215.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list split-tunnel standard permit 192.168.215.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu Internet 1500
ip local pool vpn_users 192.168.2.1-192.168.2.250 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 59.90.214.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
aaa authentication enable console LOCAL
aaa authentication serial console LOCAL
http server enable
http x.x.x.x 255.255.255.252 outside
http 192.168.215.0 255.255.255.252 inside
http 192.168.215.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dynmap 65500 set transform-set myset
crypto map VPN 10 ipsec-isakmp dynamic dynmap
crypto map VPN interface outside
crypto map ASA-01 10 set peer 221.135.138.130
crypto map ASA-01 10 set transform-set myset
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 28800
telnet 192.168.215.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
management-access inside
vpdn group dataone request dialout pppoe
vpdn group dataone localname bb4027654187_scdrid
vpdn group dataone ppp authentication chap
vpdn username bb4027654187_scdrid password ***** store-local
dhcp-client client-id interface Internet
dhcpd dns 218.248.255.141 218.248.245.1
!
dhcpd address 192.168.215.11-192.168.215.254 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption des-sha1
webvpn
 enable outside
 tunnel-group-list enable
group-policy kun internal
group-policy kun attributes
 vpn-simultaneous-logins 8
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel
 default-domain value kunchevrolet
username test password P4ttSyrm33SV8TYp encrypted
username kunauto password bSHrKTGl8PUbvus/ encrypted privilege 15
username kunauto attributes
 vpn-group-policy kun
 vpn-tunnel-protocol IPSec
tunnel-group vpngroup type remote-access
tunnel-group vpngroup general-attributes
 address-pool vpn_users
 default-group-policy kun
tunnel-group vpngroup webvpn-attributes
 group-alias vpngroup enable
tunnel-group vpngroup ipsec-attributes
 pre-shared-key *****
tunnel-group test type remote-access
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:0d2497e1280e41ab3875e77c6b184cf8
: end
kunauto#

 

1 Accepted Solution

Dinesh Moudgil
Cisco Employee

Hi,

 

Looking at the configuration, there is an access-list present for NAT exemption:

access-list nonat extended permit ip 192.168.215.0 255.255.255.0 192.168.2.0 255.255.255.0

But this is not applied in the nat statements.

Please apply the following command for the NAT exemption to be applied:

nat (inside) 0 access-list nonat

 

Regards,

Dinesh Moudgil
 


P.S. Please mark this post as 'Answered' if you find the above information helpful so that it brings goodness to other community users

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

6 Replies

Thanks for your reply.

After applying this command, nat (inside) 0 access-list nonat, I am able to ping from the firewall, but through the connected VPN client we are not able to ping the local server 192.168.215.4.

(config)# ping 192.168.215.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.215.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
kunauto(config)#

Please run continuous pings from the VPN client to 192.168.215.4 and run the following command:

  • capture cap_test interface inside match ip host 192.168.215.4 host <vpn-clients-assigned-ip>

Send the output of "show capture cap_test"

  • Run "packet-tracer input inside icmp 192.168.215.4 8 0 <vpn-clients-assigned-ip> detailed"
  • Output of "show vpn-sessiondb detail filter name <username>"

Please refer to this link for more details on captures:
https://supportforums.cisco.com/document/6971/packet-capture-asapix-fwsm

 

Regards,
Dinesh Moudgil

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

Please find the report below.

 show capture cap_test

20 packets captured

   1: 04:26:57.419274 192.168.2.2 > 192.168.215.4: icmp: echo request
   2: 04:27:01.932858 192.168.2.2 > 192.168.215.4: icmp: echo request
   3: 04:27:06.933347 192.168.2.2 > 192.168.215.4: icmp: echo request
   4: 04:27:11.931897 192.168.2.2 > 192.168.215.4: icmp: echo request
   5: 04:27:16.934064 192.168.2.2 > 192.168.215.4: icmp: echo request
   6: 04:27:21.931378 192.168.2.2 > 192.168.215.4: icmp: echo request
   7: 04:27:26.930371 192.168.2.2 > 192.168.215.4: icmp: echo request
   8: 04:27:31.932370 192.168.2.2 > 192.168.215.4: icmp: echo request
   9: 04:27:36.939023 192.168.2.2 > 192.168.215.4: icmp: echo request
  10: 04:27:41.931882 192.168.2.2 > 192.168.215.4: icmp: echo request
  11: 04:27:46.933850 192.168.2.2 > 192.168.215.4: icmp: echo request
  12: 04:27:51.930142 192.168.2.2 > 192.168.215.4: icmp: echo request
  13: 04:27:56.930615 192.168.2.2 > 192.168.215.4: icmp: echo request
  14: 04:28:01.930142 192.168.2.2 > 192.168.215.4: icmp: echo request
  15: 04:28:06.930860 192.168.2.2 > 192.168.215.4: icmp: echo request
  16: 04:28:11.930844 192.168.2.2 > 192.168.215.4: icmp: echo request
  17: 04:28:16.931561 192.168.2.2 > 192.168.215.4: icmp: echo request
  18: 04:28:21.929105 192.168.2.2 > 192.168.215.4: icmp: echo request
  19: 04:28:26.929593 192.168.2.2 > 192.168.215.4: icmp: echo request
  20: 04:28:31.429497 192.168.2.2 > 192.168.215.4: icmp: echo request
20 packets shown
kunauto# run
kunauto# run pa
kunauto# pack
kunauto# packet-tracer in
kunauto# packet-tracer input ins
kunauto# packet-tracer input inside ic
kunauto# packet-tracer input inside icmp 192.168.215.4 8 0 192.168.2.2

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 4
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.2.2     255.255.255.255 outside

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global
Additional Information:

Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: DEBUG-ICMP
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
nat-control
  match ip inside 192.168.215.0 255.255.255.0 outside 192.168.2.0 255.255.255.0
    NAT exempt
    translate_hits = 1, untranslate_hits = 358
Additional Information:

Phase: 10
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
nat-control
  match ip inside any outside any
    dynamic translation to pool 1 (59.90.214.144 [Interface PAT])
    translate_hits = 524205, untranslate_hits = 98146
Additional Information:

Phase: 11
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
nat-control
  match ip inside any outside any
    dynamic translation to pool 1 (59.90.214.144 [Interface PAT])
    translate_hits = 524205, untranslate_hits = 98146
Additional Information:

Phase: 12
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:

Phase: 13
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 14
Type: DEBUG-ICMP
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 15
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 16
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 546896, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

kunauto#

As in the capture cap_test, we can see the packets are coming from the VPN client to the server, so the client's configuration is good.
You will have to check the routes on the devices between the ASA and the server so that any packet destined to 192.168.2.0 is sent to the ASA's inside interface.

Either the devices in between or the server is missing the route for the 192.168.2.0 VPN client subnet.

 

Regards,

Dinesh Moudgil

 

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/
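To make the one-way-traffic diagnosis above repeatable, here is an added Python helper (not part of this thread or of any Cisco tool) that parses text in the format of the ASA "show capture" and "show vpn-sessiondb detail" outputs shown in the thread and flags flows with echo requests but no echo replies; the sample capture is constructed in that format.

```python
import re
from collections import defaultdict

# Constructed sample in the format of ASA "show capture" output (a shorter
# version of the thread's capture: client echo requests, no echo replies).
SAMPLE_CAPTURE = """\
3 packets captured

   1: 04:26:57.419274 192.168.2.2 > 192.168.215.4: icmp: echo request
   2: 04:27:01.932858 192.168.2.2 > 192.168.215.4: icmp: echo request
   3: 04:27:06.933347 192.168.2.2 > 192.168.215.4: icmp: echo request
3 packets shown
"""

CAPTURE_LINE = re.compile(
    r"^\s*\d+:\s+\S+\s+(?P<src>[\d.]+)\s+>\s+(?P<dst>[\d.]+):"
    r"\s+icmp:\s+echo\s+(?P<kind>request|reply)"
)
# Session-level counters as printed by "show vpn-sessiondb detail".
SESSION_LINE = re.compile(r"Pkts Tx\s*:\s*(\d+)\s+Pkts Rx\s*:\s*(\d+)")

def icmp_counts(capture_text):
    """Count echo requests and replies per (client, server) pair."""
    counts = defaultdict(lambda: {"request": 0, "reply": 0})
    for line in capture_text.splitlines():
        m = CAPTURE_LINE.match(line)
        if not m:
            continue
        kind = m.group("kind")
        # A reply travels server -> client; normalise it to (client, server).
        key = ((m.group("src"), m.group("dst")) if kind == "request"
               else (m.group("dst"), m.group("src")))
        counts[key][kind] += 1
    return dict(counts)

def one_way_flows(capture_text):
    """(client, server) pairs that sent requests but never saw a reply: the
    VPN and NAT exemption delivered the packet, so suspect the return route."""
    return [pair for pair, c in icmp_counts(capture_text).items()
            if c["request"] > 0 and c["reply"] == 0]

def session_is_one_way(sessiondb_text):
    """True when the tunnel received client packets but sent none back
    (the thread's output shows Pkts Tx 0 against Pkts Rx 100)."""
    m = SESSION_LINE.search(sessiondb_text)
    if m is None:
        return None
    tx, rx = int(m.group(1)), int(m.group(2))
    return rx > 0 and tx == 0
```

Feed it the real capture and session output and a non-empty one_way_flows result together with session_is_one_way returning True points at a missing return route on the LAN side rather than at the tunnel.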

kunauto# show vpn-sessiondb detail remote

Session Type: IPsec Detailed

Username     : kunauto                Index        : 29
Assigned IP  : 192.168.2.2            Public IP    : x.x.x.x
Protocol     : IKE IPsecOverNatT
License      : IPsec
Encryption   : 3DES                   Hashing      : SHA1
Bytes Tx     : 0                      Bytes Rx     : 6000
Pkts Tx      : 0                      Pkts Rx      : 100
Pkts Tx Drop : 0                      Pkts Rx Drop : 0
Group Policy : kun                    Tunnel Group : vpngroup
Login Time   : 04:25:52 IST Sun May 18 2014
Duration     : 0h:09m:22s
Inactivity   : 0h:00m:00s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none

IKE Tunnels: 1
IPsecOverNatT Tunnels: 1

IKE:
  Tunnel ID    : 29.1
  UDP Src Port : 17421                  UDP Dst Port : 4500
  IKE Neg Mode : Aggressive             Auth Mode    : preSharedKeys
  Encryption   : 3DES                   Hashing      : SHA1
  Rekey Int (T): 86400 Seconds          Rekey Left(T): 85844 Seconds
  D/H Group    : 2
  Filter Name  :
  Client OS    : WinNT                  Client OS Ver: 5.0.07.0410

IPsecOverNatT:
  Tunnel ID    : 29.2
  Local Addr   : 0.0.0.0/0.0.0.0/0/0
  Remote Addr  : 192.168.2.2/255.255.255.255/0/0
  Encryption   : 3DES                   Hashing      : SHA1
  Encapsulation: Tunnel
  Rekey Int (T): 28800 Seconds          Rekey Left(T): 28229 Seconds
  Idle Time Out: 30 Minutes             Idle TO Left : 29 Minutes
  Bytes Tx     : 0                      Bytes Rx     : 6180
  Pkts Tx      : 0                      Pkts Rx      : 103

NAC:
  Reval Int (T): 0 Seconds              Reval Left(T): 0 Seconds
  SQ Int (T)   : 0 Seconds              EoU Age(T)   : 571 Seconds
  Hold Left (T): 0 Seconds              Posture Token:
  Redirect URL :