01-24-2012 09:56 AM
Hi ,
I have created an IPsec remote-access VPN on a Cisco ASA. The clients are able to connect to the firewall, and the VPN client also receives an IP address from the pool assigned on the firewall, but the clients are not able to access the servers behind the ASA. The servers are in the same subnet as the ASA inside interface.
Kindly check the attached configuration related to the VPN.
Thanks in advance.
01-24-2012 10:39 AM
Please change the pool IP range; it should not be the same as the one configured for the LAN.
Thanks
Ajay
01-24-2012 10:58 AM
Thanks for the reply, but my VPN client pool is 192.168.2.0/24 and the local LAN is 10.0.0.0 255.255.255.0.
What needs to be changed?
01-24-2012 11:11 AM
Sorry, I misunderstood your question. The configuration looks OK.
When a client connects, what is your output for show crypto ipsec sa?
Also please run this and post the output.
packet-tracer input outside tcp 192.168.2.1 1024 10.0.0.1 80 detailed
Thanks
Ajay
01-25-2012 08:45 AM
Thanks Ajay
I will soon provide the output of the above command.
01-27-2012 09:32 AM
Hi Ajay
Kindly check the output of the command given below:
FW# packet-tracer input inside icmp 192.168.2.2 8 0 10.0.0.8
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.0.0.0 255.255.255.0 inside
Phase: 4
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (rpf-violated) Reverse-path verify failed
10.0.0.8 is the inside L3 switch, directly connected to the inside interface of the firewall, and it has the static route 192.168.2.0 255.255.255.0 10.0.0.1.
Thanks
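The trace above ends in "(rpf-violated) Reverse-path verify failed". That verdict is about the packet-tracer invocation itself: the source 192.168.2.2 (a VPN pool address) was injected on the inside interface, but the only route the ASA has for it is the default route out the outside interface (phase 4), so the reverse-path check fails before any ACL, NAT or VPN processing is evaluated. The following is an added example, not part of any post in this thread: a small Python parser for packet-tracer output that extracts the phases and the final summary, and reproduces the reverse-path check from the routes the trace printed, so the mismatch can be read off directly. The embedded sample is the route-lookup phases and final verdict copied from the trace posted above; the source address is the one from the poster's command line.

```python
"""Parse Cisco ASA packet-tracer output and reproduce its reverse-path check.

Added example for this thread, not code from any of the posts. SAMPLE_TRACE
is the route-lookup phases and final verdict of the trace posted above.
"""
import ipaddress
import re
from dataclasses import dataclass, field

SAMPLE_TRACE = """\
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.0.0.0 255.255.255.0 inside
Phase: 4
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (rpf-violated) Reverse-path verify failed
"""


@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    details: list = field(default_factory=list)  # lines under Config:/Additional Information:


PHASE_KEYS = {"Type": "type", "Subtype": "subtype", "Result": "result"}


def parse_packet_tracer(text):
    """Return (phases, summary): the numbered phases, and the key/value block that
    follows the bare 'Result:' line (input-interface, Action, Drop-reason, ...)."""
    phases, summary, current, in_summary = [], {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line in ("Config:", "Additional Information:"):
            continue
        if line.startswith("Phase:"):
            current = Phase(number=int(line.split(":", 1)[1]))
            phases.append(current)
        elif line == "Result:":  # a bare "Result:" opens the final summary
            in_summary = True
        elif in_summary:
            key, _, value = line.partition(":")
            summary[key.strip()] = value.strip()
        elif current is not None:
            key, sep, value = line.partition(":")
            if sep and key in PHASE_KEYS:
                setattr(current, PHASE_KEYS[key], value.strip())
            else:
                current.details.append(line)  # e.g. "in 10.0.0.0 255.255.255.0 inside"
    return phases, summary


def drop_code(summary):
    """The short code in parentheses, e.g. 'rpf-violated', or None if not dropped."""
    m = re.match(r"\((\S+)\)", summary.get("Drop-reason", ""))
    return m.group(1) if m else None


def routes(phases):
    """(network, interface) pairs printed by the ROUTE-LOOKUP phases."""
    out = []
    for ph in phases:
        if ph.type == "ROUTE-LOOKUP":
            for line in ph.details:
                m = re.match(r"in (\S+) (\S+) (\S+)$", line)
                if m:
                    net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
                    out.append((net, m.group(3)))
    return out


def rpf_check(phases, summary, src_ip):
    """Reproduce the ASA's reverse-path check: the best route back to the *source*
    address must point at the interface the packet arrived on. Only the routes the
    trace itself printed are known here. Returns (expected_iface, input_iface, ok)."""
    src = ipaddress.ip_address(src_ip)
    best = max((r for r in routes(phases) if src in r[0]),
               key=lambda r: r[0].prefixlen, default=None)
    expected = best[1] if best else None
    input_iface = summary.get("input-interface")
    return expected, input_iface, expected == input_iface


if __name__ == "__main__":
    phases, summary = parse_packet_tracer(SAMPLE_TRACE)
    print(f"action={summary['Action']} drop={drop_code(summary)}")
    print(rpf_check(phases, summary, "192.168.2.2"))  # source from the posted command
```

For the posted trace this yields expected interface "outside", input interface "inside", check failed: the pool address is reachable only via the default route, so feeding it in on inside can never pass. A trace that exercises the client-to-server path has to be injected on the interface the tunnel terminates on, i.e. with input outside, as in the packet-tracer command suggested earlier in the thread.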
01-24-2012 11:21 AM
I am just shocked to see these four entries below on the production FW.
access-list 101 extended permit ip any any
access-list out extended permit ip any any
access-group out in interface outside
access-group 101 in interface inside
Damn.
Anyway, let's get back to the real problem.
Please remove the highlighted entries below.
vpn-group-policy VPN
vpn-tunnel-protocol IPSec
Is the gateway address of the servers in question the FW's inside IP address? Please confirm.
Does your FW connect to the inside on an L3 switch? If the answer is yes, please make sure you have a static route on that switch as below.
ip route 192.168.2.0 255.255.255.0 10.0.0.1
Let me know the result
Thanks
Rizwan Rafeek
01-25-2012 08:43 AM
Hi Rizwan,
Thanks for your reply, but I need to know why the commands given below need to be deleted:
vpn-group-policy VPN
vpn-tunnel-protocol IPSec
Yes, the servers' default gateway is the firewall's inside interface.
My firewall inside interface is also connected to an L3 switch, and I have already added the static route on the L3 switch, but I am still not able to reach the internal resources.
01-25-2012 09:00 AM
"Thanks for your reply but i need to know why the given below commands need to be deleted"
Those two highlighted commands are not part of the remote access vpn and are not required.
Is the default-gateway address of the servers in question the FW's inside IP address, or the L3 "interface Vlan" address on the L3 switch? Please confirm.
01-25-2012 09:40 AM
The servers' default gateway is the firewall inside interface IP, not the L3 switch VLAN interface.
Thanks
01-25-2012 10:10 AM
If the switch in question is configured for the given VLAN (i.e. the firewall inside VLAN) in layer-2 mode, then the servers' default gateway being the FW's inside address is perfectly fine and it should work; in this scenario no "interface vlan" IP address should be used as the default gateway on the servers.
However, if your switch in question is configured for the VLAN (i.e. the firewall inside VLAN) in layer-3 mode, i.e. with an "interface vlan", then its IP address must be the default-gateway address for the servers, not the FW's inside IP address, because your switch is an L3 switch: in order for the switch to route traffic, you must use its "interface vlan" IP address as the default gateway on the servers.
I hope that makes sense to you.
thanks
Rizwan Rafeek
01-25-2012 10:50 AM
OK, I will configure one PC with the L3 switch interface VLAN IP as its default gateway and then check the traffic.
I will revert back to you soon.
Thanks for your quick reply.
01-27-2012 07:12 AM
Did that help to resolve your problem?
01-27-2012 09:24 AM
I have done the above procedure but am not able to ping the internal resources.
Thanks for the reply
01-27-2012 09:38 AM
Please forward the output from the command below.
packet-tracer input inside icmp 192.168.2.1 8 0 10.0.0.X
Please replace the X with a valid host IP in your inside network segment.