VPN CLIENT CAN'T ACCESS INSIDE NETWORK

ccsoofficelan (Level 1)

Hi,

Please find below the configuration of my firewall.


ASA Version 7.2(3)

!
interface Management0/0
nameif VPN-TEST
security-level 0
ip address 192.168.92.1 255.255.255.252
  mtu VPN-TEST 1500

same-security-traffic permit inter-interface

access-list corpvpnsiem_splitTunnelAcl standard permit any
access-list VPN-TEST_access_in extended permit ip any any
access-group VPN-TEST_access_in in interface VPN-TEST

ip local pool local-pool 192.168.96.1-192.168.96.14 mask 255.255.255.240
ip verify reverse-path interface inside

icmp permit any inside
icmp permit any VPN-TEST

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map VPN-TEST_dyn_map 1 set transform-set ESP-3DES-SHA
crypto map VPN-TEST_map 65535 ipsec-isakmp dynamic VPN-TEST_dyn_map
crypto map VPN-TEST_map interface VPN-TEST
crypto isakmp enable VPN-TEST
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 90
crypto isakmp ipsec-over-tcp port 10000

group-policy corpvpnsiem internal
group-policy corpvpnsiem attributes
vpn-tunnel-protocol IPSec l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value corpvpnsiem_splitTunnelAcl_1
username siecorpvpn password Zp283iAZlCNs9TWt encrypted
username root password lPtjCRUHSIvUjngf encrypted privilege 15
tunnel-group corpvpnsiem type ipsec-ra
tunnel-group corpvpnsiem general-attributes
address-pool local-pool
default-group-policy corpvpnsiem
tunnel-group corpvpnsiem ipsec-attributes

My VPN users connect and get an IP from the pool, but from there they don't seem to go any further into the inside network. I am very new to this, and I am sure I have missed some detail.

Please advise.

Hassan

22 Replies

ajhaldiy (Level 1)

Hi Hassan,

Hope you are doing well. I checked the configuration that you have attached to the forum and it looks fine to me.

Please check some more settings on the ASA:

1) The VPN pool should be exempted from NAT.

Ex: access-list vpn-pool per ip 192.168.96.0 255.255.255.0 any

nat (inside) 0 access-list vpn-pool (this configuration will exempt the VPN pool from being NATted when the reply packets hit the inside interface)

2) On the client end, open a command prompt, issue "Route Print" and make sure it has a route 0.0.0.0 0.0.0.0 pointing to the IP address of the VPN adapter.

3) Open the VPN client, click on Status > Statistics and make sure that the encrypt count is increasing when you are passing traffic through the tunnel.

Please issue show crypto ipsec sa on the ASA and see whether its decaps are increasing.

4) We can also configure captures on the ASA to see the packet flow.

You need to issue the following commands for that:

access-list capture per ip host host

access-list capture per ip host host host

capture vpn access-list capture interface inside

You can see the output by issuing show cap vpn.

Please update with the output of the steps.

Below is the link which has the steps to configure remote VPN on the ASA:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008060f25c.shtml

Regards

Ashish
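As an added illustration of the first of the checks above (this is my own example, not anything posted in this thread and not a Cisco tool), the following Python script parses the configuration lines Hassan posted and reports, from the text alone, whether each VPN address pool is covered by a "nat (...) 0 access-list" exemption, whether the split-tunnel-network-list points at an ACL that is actually defined, and whether a crypto map is bound to an interface. The config excerpts are constructed from the thread; the "fixed" variant is an assumption that adds an exemption ACL between 192.168.100.0/24 and the pool and points the split-tunnel list at the ACL that exists. The script accepts the pool as either source or destination of the exemption entry and knows nothing the posted lines do not say.

```python
import ipaddress
import re

# Constructed excerpt of the ASA 7.2 configuration posted in this thread;
# only the lines the checks below look at are kept.
POSTED_CONFIG = """\
ip local pool local-pool 192.168.96.1-192.168.96.14 mask 255.255.255.240
access-list corpvpnsiem_splitTunnelAcl standard permit any
access-list VPN-TEST_access_in extended permit ip any any
crypto map VPN-TEST_map interface VPN-TEST
group-policy corpvpnsiem attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value corpvpnsiem_splitTunnelAcl_1
tunnel-group corpvpnsiem general-attributes
address-pool local-pool
"""

# Assumed "fixed" variant (not from the thread): the split-tunnel list points
# at the ACL that is actually defined, and a nat 0 exemption between the
# internal 192.168.100.0/24 subnet and the pool is added as recommended above.
FIXED_CONFIG = POSTED_CONFIG.replace(
    "corpvpnsiem_splitTunnelAcl_1", "corpvpnsiem_splitTunnelAcl"
) + """\
access-list vpn-pool extended permit ip 192.168.100.0 255.255.255.0 192.168.96.0 255.255.255.240
nat (inside) 0 access-list vpn-pool
"""


def _pool_network(first, last, mask):
    """Network (with the pool's own mask) that contains the first..last range."""
    net = ipaddress.ip_network(f"{first}/{mask}", strict=False)
    if ipaddress.ip_address(last) not in net:
        raise ValueError("pool range does not fit its mask")
    return net


def _operand(tokens):
    """Consume one ACL address operand: 'any', 'host X', or 'X MASK'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(f"{tokens[1]}/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_config(text):
    """Pull pools, ACL entries, nat 0 references, split lists and crypto-map bindings."""
    cfg = {"pools": {}, "acls": {}, "nat0": [], "split_lists": [], "crypto_ifaces": []}
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"ip local pool (\S+) (\S+)-(\S+) mask (\S+)$", line):
            cfg["pools"][m[1]] = _pool_network(m[2], m[3], m[4])
        elif m := re.match(r"access-list (\S+) (standard|extended) permit (.*)$", line):
            cfg["acls"].setdefault(m[1], []).append((m[2], m[3].split()))
        elif m := re.match(r"nat \((\S+)\) 0 access-list (\S+)$", line):
            cfg["nat0"].append((m[1], m[2]))
        elif m := re.match(r"split-tunnel-network-list value (\S+)$", line):
            cfg["split_lists"].append(m[1])
        elif m := re.match(r"crypto map (\S+) interface (\S+)$", line):
            cfg["crypto_ifaces"].append((m[1], m[2]))
    return cfg


def _acl_covers(entries, net):
    """True if an extended 'permit ip A B' entry has net inside A or inside B."""
    for kind, tokens in entries:
        if kind != "extended" or tokens[0] != "ip":
            continue
        src, rest = _operand(tokens[1:])
        dst, _ = _operand(rest)
        if net.subnet_of(src) or net.subnet_of(dst):
            return True
    return False


def check_vpn_config(text):
    """Return a list of findings; an empty list means every check passed."""
    cfg = parse_config(text)
    findings = []
    for name, net in cfg["pools"].items():
        exempt = any(_acl_covers(cfg["acls"].get(acl, []), net) for _, acl in cfg["nat0"])
        if not exempt:
            findings.append(f"pool {name} ({net}) has no 'nat (...) 0 access-list' exemption")
    for acl in cfg["split_lists"]:
        if acl not in cfg["acls"]:
            findings.append(f"split-tunnel-network-list references undefined ACL {acl}")
    if not cfg["crypto_ifaces"]:
        findings.append("no crypto map is bound to an interface")
    return findings


if __name__ == "__main__":
    for label, cfg_text in (("posted", POSTED_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, check_vpn_config(cfg_text) or ["ok"])
```

Run against the posted excerpt it reports two findings (the pool has no nat 0 exemption, and the split-tunnel list names an ACL that is not defined); against the assumed fixed variant it reports none. It is a static text check, so it cannot see routes on the switch behind the ASA, which is the other half of what this thread goes on to discuss.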

Thank you for the update.

I have implemented the steps you have mentioned, but still nothing. This time the route print shows all the routes to 192.168.96.1. This is the same IP which is assigned to the VPN adapter.

I still do not have any clue.

Please advise.

By the way, the encrypt traffic is increasing through the tunnel, as you asked me to check.

jkl1972 (Level 4)

Hello Hassan,

Can you confirm that you are routing the pool range of 192.168.96.1-192.168.96.14 back out to your firewall on your internal network?

thanks,

Jason

Thanks for your reply. Well, I don't have routes for 192.168.96.0.

Please advise.

You will need to have at least that pool range routed back to your firewall. Otherwise, when the VPN users come in, pick up an address out of that pool and are routed inside to access your internal applications, there isn't a return route for them and they get nothing... You should try routing the pool range to your firewall and test again. Also, are you using both the inside and management interfaces to connect internally?

Well, here is my output:

ASA Version 7.2(3)

!
interface Management0/0
nameif VPN-TEST
security-level 0
ip address 192.168.92.1 255.255.255.252
  mtu VPN-TEST 1500


!
interface GigabitEthernet0/1
description local lan
nameif inside
security-level 100
ip address 192.168.93.249 255.255.255.0


same-security-traffic permit inter-interface

access-list corpvpnsiem_splitTunnelAcl standard permit any
access-list VPN-TEST_access_in extended permit ip any any
access-group VPN-TEST_access_in in interface VPN-TEST

ip local pool local-pool 192.168.96.1-192.168.96.14 mask 255.255.255.240
ip verify reverse-path interface inside

icmp permit any inside
icmp permit any VPN-TEST

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map VPN-TEST_dyn_map 1 set transform-set ESP-3DES-SHA
crypto map VPN-TEST_map 65535 ipsec-isakmp dynamic VPN-TEST_dyn_map
crypto map VPN-TEST_map interface VPN-TEST
crypto isakmp enable VPN-TEST
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 90
crypto isakmp ipsec-over-tcp port 10000

group-policy corpvpnsiem internal
group-policy corpvpnsiem attributes
vpn-tunnel-protocol IPSec l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value corpvpnsiem_splitTunnelAcl_1
username siecorpvpn password Zp283iAZlCNs9TWt encrypted
username root password lPtjCRUHSIvUjngf encrypted privilege 15
tunnel-group corpvpnsiem type ipsec-ra
tunnel-group corpvpnsiem general-attributes
address-pool local-pool
default-group-policy corpvpnsiem
tunnel-group corpvpnsiem ipsec-attributes

The inside interface is back to back connected with our LAYER3SW on 192.168.93.250

This LAYER3SW is also connected to the 192.168.100.0 network.

The VPN users need to access this 100.0 subnet.

So my scenario is:

VPN USERS (coming from the Internet)
    --> VPN INTERFACE 192.168.92.1 (in to the ASA)
    --> INSIDE INTERFACE 192.168.93.249 (out from the ASA)
    --> L3SW 192.168.93.250 (which is connected to the 100.0 network)


On the L3SW I have the following route:

192.168.96.0 [1/0] via 192.168.93.249

Please advise.

Your ASA needs a route to get to the 192.168.100.x network also.

This is my route on the ASA

192.168.100.0 255.255.255.0 [1/0] via 192.168.93.250, inside

Apply a return route (static route) for the VPN subnet back to the next hop (inside ASA interface).

Apply this command on the router directly connected behind the ASA.

ajhaldiy (Level 1)

Hi Hassan,

Thanks for the update.

Just want to confirm the topology with you again:

VPN client====IPSEC VPN===ASA---N1

OR

VPN client ====IPSEC VPN===ASA---Router---N1

In the first case you just need the server to have the correct gateway, the ASA.

In the second case, you need to add a route on the router for the pool network (192.168.96.0) with the ASA as gateway.

Please attach the output of show cry ipsec sa and the captures which I asked you to do in my previous update.

0.0.0.0 0.0.0.0 [255/0] via 192.168.92.1, VPN-TEST tunneled

The above is my gateway for my ip pool. 192.168.92.1 is the interface allowing VPN incoming sessions.

Just to summarize.

ASA VPN INTERFACE =  192.168.92.1

ASA VPN POOL = 192.168.96.1 - 192.168.96.14

ASA INSIDE INTERFACE = 192.168.93.249 -----CONNECTED TO------ 192.168.93.250 CISCO 3750

DESTINATION SUBNET TO REACH FROM VPN POOL IS = 192.168.100.0/30

ASA: here there is already a route present for 192.168.100.0 via 192.168.93.250.

CISCO 3750: here there is already a route present for the VPN pool (192.168.96.0) via 192.168.93.249 in the 3750.

show crypto ipsec sa

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

The numbers stay zero when I connect and start the ping request.

show cap vpn

FW# sh cap vpn
0 packet captured
0 packet shown

This also stays zero when I connect and initiate a ping request.

I think something is not happening between the VPN pool and the VPN interface, as there is no activity.

Please advise.

Hassan

Hi Hassan,

Thanks for the update.

Can you please configure one more capture on the ASA?

Right now we can't see any decaps on the ASA, so we need to make sure that the ASA is getting ESP or UDP 4500 packets from the client.

Please follow the following steps:

1. Open www.whatismyip.com on the client's end.

2. Make a note of the public IP address of the client.

3. Configure one more access-list:

access-list test-new per ip host host

capture cap-public access-list test-new interface outside

Try to ping the same host again from the VPN client and take the output of show cap cap-public.

Is it happening with all clients or only a few?

Regards

Ashish

FW# sh capture
capture vpn type raw-data access-list capture interface inside [Capturing - 0 bytes]
capture cap-public type raw-data access-list test-new interface outside [Capturing - 0 bytes]

I still have no clue as to why the hell my VPN pool client can't access the inside network!!!

Hi Hassan,

Then in that case it seems that some device upstream is blocking ESP or UDP 4500 packets, as in the captures we can't see any packets hitting the ASA from the client's public IP address. The ports may be blocked on the client's end as well, in the outbound direction. In your previous updates you mentioned that you can see the number of encaps increasing on the VPN client's end. Correct me if I am wrong.

Please try to connect to the ASA from some other place and test the connectivity to the internal network. This is just to isolate a client-end issue.

Regards

Ashish
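To make the counter checks used in this thread repeatable, here is an added Python example (mine, not anything posted by Hassan or Ashish, and not a Cisco tool). It parses two snapshots of the "show crypto ipsec sa" packet counters plus one "show capture" summary line and applies the reasoning the replies above use: on the ASA, decaps counts packets decrypted from the client and encaps counts packets encrypted back to it, so decaps rising while encaps stays flat points at the inside return path (pool routes, NAT exemption), while both staying flat together with an empty outside capture points upstream of the ASA or at the client's own egress. The snapshot texts are constructed in the format of the output Hassan posted.

```python
import re

# Constructed snapshots in the format of the 'show crypto ipsec sa' output
# posted in this thread, taken on the ASA before and after a ping from the
# VPN client. Real output has more lines; only these counters are parsed.
SA_BEFORE = """\
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #send errors: 0, #recv errors: 0
"""
# The case seen in the thread: nothing moves at all.
SA_AFTER_NOTHING = SA_BEFORE
# Constructed case: the ASA decrypts four pings but sends no replies back.
SA_AFTER_ONE_WAY = """\
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
      #send errors: 0, #recv errors: 0
"""
# Constructed case: both directions flow.
SA_AFTER_OK = """\
      #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
      #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
      #send errors: 0, #recv errors: 0
"""
# 'show capture' summary for the capture on the outside interface, as posted.
CAP_OUTSIDE_EMPTY = "0 packet captured\n0 packet shown\n"

COUNTER_RE = re.compile(r"#pkts (encaps|decaps|encrypt|decrypt|digest|verify): (\d+)")
CAPTURE_RE = re.compile(r"(\d+) packets? captured")


def parse_counters(text):
    """Per-SA packet counters from 'show crypto ipsec sa' output."""
    return {name: int(value) for name, value in COUNTER_RE.findall(text)}


def counter_delta(before, after):
    """How far each counter moved between two snapshots."""
    b, a = parse_counters(before), parse_counters(after)
    return {k: a[k] - b.get(k, 0) for k in a}


def captured_packets(text):
    """Packet count from a 'show capture <name>' summary, or None if absent."""
    m = CAPTURE_RE.search(text)
    return int(m.group(1)) if m else None


def triage(before, after, outside_capture=None):
    """Apply the thread's reasoning to the counter movement.

    decaps = packets the ASA decrypted from the client,
    encaps = packets the ASA encrypted back towards the client.
    """
    d = counter_delta(before, after)
    decaps, encaps = d.get("decaps", 0), d.get("encaps", 0)
    if decaps == 0 and encaps == 0:
        if outside_capture is not None and captured_packets(outside_capture) == 0:
            return "no ESP/UDP 4500 from the client reaches the ASA: check upstream or client-side filtering"
        return "tunnel carries no traffic at all: confirm the client really sends into it"
    if decaps > 0 and encaps == 0:
        return "client packets arrive but nothing goes back: check inside routes for the pool and the NAT exemption"
    return "traffic flows in both directions"


if __name__ == "__main__":
    print(triage(SA_BEFORE, SA_AFTER_NOTHING, CAP_OUTSIDE_EMPTY))
    print(triage(SA_BEFORE, SA_AFTER_ONE_WAY))
    print(triage(SA_BEFORE, SA_AFTER_OK))
```

Taking the "before" snapshot only after the tunnel is up, and the "after" snapshot right after the ping, keeps the delta attributable to the test traffic; the zero-everywhere case in this thread lands in the first branch, which matches the conclusion Ashish reaches above.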
