Cisco Support Community

New Member

Remote VPN client issue

Hi ,

I have created the IPsec remote VPN on a Cisco ASA. The clients are able to connect to the firewall, and the VPN client also receives an IP address from the pool assigned on the firewall, but the clients are not able to access the servers behind the ASA, and the servers are in the same subnet as the ASA inside interface.

Kindly check the attached configuration related to the VPN.

Thanks in advance.

25 REPLIES

Remote VPN client issue

Please change the POOL IP range; it should not be the same as the one configured for the LAN.

Thanks

Ajay

New Member

Remote VPN client issue

Thanks for the reply, but my VPN client pool is 192.168.2.0/24 and my local LAN pool is 10.0.0.0 255.255.255.0.

What needs to be changed?

Remote VPN client issue

Sorry for that, I misunderstood your question. The configuration looks OK.

When the client connects, what is your output for show crypto ipsec sa?

Also please run this and post the output.

packet-tracer input outside tcp 192.168.2.1 1024 10.0.0.1 80 detailed

Thanks

Ajay

New Member

Remote VPN client issue

Thanks Ajay

I will soon provide the output of above given command.

New Member

Re: Remote VPN client issue

Hi Ajay

Kindly check the output of the command given below.

FW# packet-tracer input inside icmp 192.168.2.2 8 0 10.0.0.8

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.0.0.0 255.255.255.0 inside

Phase: 4
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (rpf-violated) Reverse-path verify failed

10.0.0.8 is the inside L3 switch directly connected to the inside interface of the firewall, and it has the static route 192.168.2.0 255.255.255.0 10.0.0.1.

Thanks

Remote VPN client issue

I am just shocked to see these four entries below on the production FW.

access-list 101 extended permit ip any any
access-list out extended permit ip any any

access-group out in interface outside
access-group 101 in interface inside

Damn.

Anyway, let's get back to the real problem.

Please remove the highlighted entries below.


vpn-group-policy VPN
vpn-tunnel-protocol IPSec

Is the gateway address of the servers in question the FW's inside IP address? Please confirm.

Does your FW connect on the inside to an L3 switch? If the answer is yes, please make sure you have a static route on that switch as below.

ip route 192.168.2.0 255.255.255.0 10.0.0.1

Let me know the result

Thanks

Rizwan Rafeek

New Member

Remote VPN client issue

Hi Rizwan,

Thanks for your reply, but I need to know why the commands given below need to be deleted.

vpn-group-policy VPN

vpn-tunnel-protocol IPSec

Yes, the servers' default gateway is the firewall's inside interface.

My firewall inside interface is also connected to an L3 switch, and I have already added the static route in the L3 switch, but I am still not able to reach the internal resources.

Remote VPN client issue

"Thanks for your reply but i need to know why the given below commands need to be deleted"

Those two highlighted commands are not part of the remote access vpn and are not required.

Is the default-gateway address of the servers in question the FW's inside IP address, or the L3 "interface Vlan" address on the L3 switch? Please confirm.

New Member

Remote VPN client issue

The default gateway of the servers is the firewall inside interface IP, not the L3 switch VLAN interface.

Thanks

Re: Remote VPN client issue

If the switch in question is configured for the given VLAN (i.e. the firewall inside VLAN) in layer 2 mode, then the servers' default gateway being the FW's inside address is perfectly fine and it should work; in this scenario no "interface vlan" IP address should be used as the default gateway on the servers.

However, if your switch in question is configured for the VLAN (i.e. the firewall inside VLAN) in layer 3 mode, i.e. with an "interface vlan", then its IP address must be the default-gateway address for the servers, not the FW's inside IP address. Because your switch is an L3 switch, in order for the switch to route traffic you must use its "interface vlan" IP address as the default gateway on the servers.

I hope that makes sense to you.

thanks

Rizwan Rafeek

New Member

Re: Remote VPN client issue

OK, I will configure one PC with the L3 switch interface VLAN IP as its default gateway and then check the traffic.

I will revert back to you soon.

Thanks for your quick reply.

Re: Remote VPN client issue

Did that help to resolve your problem?

New Member

Re: Remote VPN client issue

I have done the above procedure but am not able to ping the internal resources.

Thanks for the reply

Remote VPN client issue

Please forward the output from below command.

packet-tracer input inside icmp 192.168.2.1 8 0 10.0.0.X

Please replace the X with a valid host IP in your side network segment.

New Member

Remote VPN client issue

Please check the output below:

Kindly check the output of the command given below.

FW# packet-tracer input inside icmp 192.168.2.2 8 0 10.0.0.8

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.0.0.0 255.255.255.0 inside

Phase: 4
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (rpf-violated) Reverse-path verify failed

10.0.0.8 is the inside L3 switch directly connected to the inside interface of the firewall, and the L3 switch has the static route 192.168.2.0 255.255.255.0 10.0.0.1.

Thanks
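The rpf-violated drop in the trace above, reproduced as an added example (not code from the thread, from Cisco, or from any poster): a small Python model of the firewall's route lookup and strict unicast RPF check. The routing table is constructed from the two ROUTE-LOOKUP phases shown (10.0.0.0/24 via inside, default via outside); the per-client reverse route is an assumption based on the "set reverse-route" line in the lab config posted later in the thread. It shows why a pool-sourced packet injected with "input inside" fails reverse-path verification while the same packet entering on outside, where decrypted client traffic actually arrives, is routed normally.

```python
import ipaddress

# Constructed routing table modelled on the ROUTE-LOOKUP phases in the thread's
# packet-tracer output: the inside LAN is connected to "inside" and everything
# else, including the 192.168.2.0/24 client pool, follows the default route via
# "outside". Assumption: no other static routes exist on the firewall.
ROUTES = [
    ("10.0.0.0/24", "inside"),
    ("0.0.0.0/0", "outside"),
]

# Assumption: with "crypto dynamic-map ... set reverse-route" a connected client
# also gets a host route pointing at outside. Either way the pool is not
# reachable via inside.
ROUTES_WITH_CLIENT = ROUTES + [("192.168.2.2/32", "outside")]


def lookup(dst, routes=ROUTES):
    """Longest-prefix-match route lookup; returns the egress interface or None."""
    addr = ipaddress.ip_address(dst)
    best_net, best_iface = None, None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def rpf_check(src, ingress, routes=ROUTES):
    """Strict unicast RPF as 'ip verify reverse-path interface X' applies it:
    the packet passes only if the route back to its source leaves through the
    interface it arrived on."""
    return lookup(src, routes) == ingress


def trace(src, dst, ingress, routes=ROUTES):
    """Simplified stand-in for packet-tracer: RPF check, then route lookup."""
    if not rpf_check(src, ingress, routes):
        return "drop: (rpf-violated) Reverse-path verify failed"
    return f"allow: egress {lookup(dst, routes)}"


if __name__ == "__main__":
    # The thread's test: a pool source injected on inside -> RPF failure.
    print("input inside  192.168.2.2 -> 10.0.0.8:",
          trace("192.168.2.2", "10.0.0.8", "inside"))
    # Same packet on the interface decrypted client traffic really arrives on.
    print("input outside 192.168.2.2 -> 10.0.0.8:",
          trace("192.168.2.2", "10.0.0.8", "outside"))
    # Return traffic from the server, with the client's reverse route present.
    print("input inside  10.0.0.8 -> 192.168.2.2:",
          trace("10.0.0.8", "192.168.2.2", "inside", ROUTES_WITH_CLIENT))
```

Run it directly to print the three cases. The point for anyone testing this way: packet-tracer simulates a packet arriving on the named interface, so a pool-sourced packet belongs on "input outside"; traced on inside with ip verify reverse-path enabled there, it fails the reverse-path check whether or not the VPN itself is working, so that drop says more about the test than about the tunnel.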

Remote VPN client issue

Can you please copy your current running config on the FW to the forum?

New Member

Remote VPN client issue

The whole configuration is not possible, but I can provide the access-list and nat 0 commands.

Remote VPN client issue

You can remove all security content from the config and post it.

Do you have "ip verify reverse-path" enabled on the interfaces?

New Member

Remote VPN client issue

Yes, this command is enabled on both the inside and outside interfaces.

Remote VPN client issue

Remove them from both interfaces.

And remove these as well.

access-list 101 extended permit ip any any
access-list out extended permit ip any any

access-group out in interface outside
access-group 101 in interface inside

I have never seen anything like these four lines; they defeat the purpose of the firewall.

Remote VPN client issue

Have you tried to remove these lines and test it?

New Member

Remote VPN client issue

I have tried the above steps but am still not able to reach the internal servers.

Remote VPN client issue

I will try to simulate it on my lab PIX515E running version 8.3, which is pretty much the same syntax version as your FW. I will post the result. I am just puzzled by your ASA results.

Thanks

Rizwan Rafeek.

Remote VPN client issue

Hello Rakesh,

I did the test with a Layer 2 switch, with the default gateway on the hosts on the inside network pointing to the FW's inside address, and tested with a Layer 3 switch as well, with the default gateway pointing to the SVI interface on the Layer 3 switch, and in both cases it was successful.

If you are still experiencing the problem, my recommendation is to delete your current VPN config and configure it from scratch from the config I posted on the forum.

Thanks

Rizwan Rafeek

Re: Remote VPN client issue

Hello Rakesh,

As promised I tested your config on my PIX515E running latest version and it was successful.

---------------

pixfirewall# show run
: Saved
:
PIX Version 8.0(4)28
!
hostname pixfirewall
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 192.168.0.111 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface Ethernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet5
 shutdown
 no nameif
 no security-level
 no ip address
!
boot system flash:/pix804-28.bin
ftp mode passive
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list splitTunnelAcl extended permit ip 10.0.0.0 255.255.255.0 192.168.2.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip local pool vpnpool 192.168.2.1-192.168.2.6 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-61557.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 10.0.0.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set Firstset esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map mymap 200 set transform-set Firstset
crypto dynamic-map mymap 200 set reverse-route
crypto map out_map 100 ipsec-isakmp dynamic mymap
crypto map out_map interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy VPN internal
group-policy VPN attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value splitTunnelAcl
username rafeek password m3apWYb4PDcs1Vtq encrypted privilege 0
tunnel-group VPN type remote-access
tunnel-group VPN general-attributes
 address-pool vpnpool
 default-group-policy VPN
tunnel-group VPN ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:5a044b6bca89c5cf1da552bbf46cb4a4
: end

pixfirewall# ping 4.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 30/36/40 ms
pixfirewall#
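As an added example (not code from the thread, from Rizwan's post, or from Cisco's tooling), a checker for the addressing points raised in this thread, run over a trimmed excerpt of the lab config above and over a constructed counter-example. It parses the inside interface subnet, the ip local pool, the nat (inside) 0 exemption ACL and any ip verify reverse-path lines, then flags a pool that overlaps the LAN (Ajay's first suspicion), a missing NAT exemption between the LAN and the pool, and uRPF enabled on inside. The parsing assumes PIX/ASA 8.0-style show run syntax in which nameif precedes ip address inside an interface block; the OVERLAP_CONFIG excerpt is constructed for illustration.

```python
import ipaddress
import re

# Trimmed excerpt of the lab config posted in the thread (only the lines the checks read).
LAB_CONFIG = """\
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 192.168.2.0 255.255.255.0
ip local pool vpnpool 192.168.2.1-192.168.2.6 mask 255.255.255.0
nat (inside) 0 access-list nonat
"""

# Constructed counter-example: the pool is carved out of the inside LAN (the
# mistake Ajay first suspected) and strict uRPF is enabled on inside, as the
# original poster had it.
OVERLAP_CONFIG = """\
interface Ethernet1
 nameif inside
 ip address 10.0.0.1 255.255.255.0
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 192.168.2.0 255.255.255.0
ip local pool vpnpool 10.0.0.200-10.0.0.210 mask 255.255.255.0
nat (inside) 0 access-list nonat
ip verify reverse-path interface inside
"""

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+) mask (\S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
URPF_RE = re.compile(r"^ip verify reverse-path interface (\S+)$")


def parse(config):
    """Pull interface subnets, nat 0 ACLs, pools and uRPF settings out of a show run."""
    facts = {"ifaces": {}, "acls": {}, "nat0": {}, "pools": {}, "urpf": set()}
    ifname = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            ifname = None
        elif line.startswith("nameif "):
            ifname = line.split()[1]
        elif line.startswith("ip address ") and ifname:
            # Assumption: nameif precedes ip address, so ifname is already known.
            _, _, ip, mask = line.split()
            facts["ifaces"][ifname] = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        elif m := ACL_RE.match(line):
            name, sip, smask, dip, dmask = m.groups()
            facts["acls"].setdefault(name, []).append(
                (ipaddress.ip_network(f"{sip}/{smask}"), ipaddress.ip_network(f"{dip}/{dmask}")))
        elif m := POOL_RE.match(line):
            name, lo, hi, _mask = m.groups()
            facts["pools"][name] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
        elif m := NAT0_RE.match(line):
            facts["nat0"][m.group(1)] = m.group(2)
        elif m := URPF_RE.match(line):
            facts["urpf"].add(m.group(1))
    return facts


def check(config):
    """Return a list of findings about the remote-access VPN addressing."""
    f = parse(config)
    findings = []
    inside = f["ifaces"].get("inside")
    if inside is None:
        return ["no 'inside' interface with an IP address found"]
    nat0_rules = f["acls"].get(f["nat0"].get("inside", ""), [])
    for name, (lo, hi) in f["pools"].items():
        # 1. The pool must not overlap the inside LAN subnet.
        if lo in inside or hi in inside:
            findings.append(f"pool {name} ({lo}-{hi}) overlaps inside subnet {inside}")
        # 2. nat (inside) 0 must exempt inside LAN -> every pool address from NAT.
        covered = any(inside.subnet_of(src) and lo in dst and hi in dst
                      for src, dst in nat0_rules)
        if not covered:
            findings.append(f"no nat (inside) 0 rule exempts {inside} -> pool {name}")
    # 3. Informational: with strict uRPF on inside, 'packet-tracer input inside'
    #    with a pool source reports rpf-violated, as seen earlier in the thread.
    if "inside" in f["urpf"]:
        findings.append("ip verify reverse-path is enabled on inside")
    return findings


if __name__ == "__main__":
    print("lab config:", check(LAB_CONFIG) or "no findings")
    print("overlap config:", check(OVERLAP_CONFIG))
```

The checker deliberately looks only at addressing, which is what the thread is debugging; it says nothing about the transform set, and the lab config above negotiates esp-des with esp-md5-hmac, which a reviewer would treat separately from the reachability question.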
