New Member

VPN CLIENT CAN'T ACCESS INSIDE NETWORK

Hi,

Please find below the following configuration of my firewall.


ASA Version 7.2(3)
!
interface Management0/0
 nameif VPN-TEST
 security-level 0
 ip address 192.168.92.1 255.255.255.252
mtu VPN-TEST 1500

same-security-traffic permit inter-interface

access-list corpvpnsiem_splitTunnelAcl standard permit any
access-list VPN-TEST_access_in extended permit ip any any
access-group VPN-TEST_access_in in interface VPN-TEST

ip local pool local-pool 192.168.96.1-192.168.96.14 mask 255.255.255.240
ip verify reverse-path interface inside

icmp permit any inside
icmp permit any VPN-TEST

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map VPN-TEST_dyn_map 1 set transform-set ESP-3DES-SHA
crypto map VPN-TEST_map 65535 ipsec-isakmp dynamic VPN-TEST_dyn_map
crypto map VPN-TEST_map interface VPN-TEST
crypto isakmp enable VPN-TEST
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 90
crypto isakmp ipsec-over-tcp port 10000

group-policy corpvpnsiem internal
group-policy corpvpnsiem attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value corpvpnsiem_splitTunnelAcl_1
username siecorpvpn password Zp283iAZlCNs9TWt encrypted
username root password lPtjCRUHSIvUjngf encrypted privilege 15
tunnel-group corpvpnsiem type ipsec-ra
tunnel-group corpvpnsiem general-attributes
 address-pool local-pool
 default-group-policy corpvpnsiem
tunnel-group corpvpnsiem ipsec-attributes

My VPN users connect and get an IP from the pool, but from there they don't seem to go any further into the inside network. I am very new to this, and I am sure I have missed some detail.

Please advise.

Hassan

21 REPLIES
New Member

Re: VPN CLIENT CAN'T ACCESS INSIDE NETWORK

Hi Hassan,

Hope you are doing well. I checked the configuration that you attached to the forum and it looks fine to me.

Please check some more settings on the ASA

1) The VPN pool should be exempted from nat

EX- access-list vpn-pool per ip 192.168.96.0 255.255.255.0 any

nat (inside) 0 access-list vpn-pool (This exempts the VPN pool from being NATed when the reply packets hit the inside interface)

2) On the client end, open a command prompt, issue "route print" and make sure it has a route 0.0.0.0 0.0.0.0 pointing to the IP address of the VPN adapter.

3) Open the VPN client, click on Status > Statistics and make sure that the encrypt count is increasing when you are passing traffic through the tunnel.

Please issue show crypto ipsec sa on the ASA and see whether its decaps are increasing.

4) We can also configure captures on the ASA to see the packet flow


You need to issue the following commands for that.

access-list capture per ip host host

access-list capture per ip host host host

capture vpn access-list capture interface inside

You can see the output by issuing show cap vpn.

Please post the output of these steps.

Below is the link which has the steps to configure remote vpn on the ASA

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008060f25c.shtml

Regards

Ashish
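The checks in the reply above can be scripted against a saved `show running-config`. The script below is an added example, not Hassan's configuration or a Cisco tool. It assumes ASA 7.x syntax (`nat (inside) 0 access-list ...` for NAT exemption, sub-commands indented by one space) and works on a constructed, trimmed copy of the config posted at the top of the thread. One thing worth noticing in that posted config: the group-policy references `corpvpnsiem_splitTunnelAcl_1` while the only split-tunnel ACL defined is `corpvpnsiem_splitTunnelAcl`, and the dangling-reference check below flags exactly that. The `FIXED_CONFIG` variant, the `vpn-pool` ACL name and the `192.168.93.0/24` inside network in it are assumptions made for illustration.

```python
"""Lint an ASA remote-access IPsec config for the pitfalls discussed in the thread."""
import ipaddress
import re

# Constructed sample: a trimmed copy of the config posted in the thread.
SAMPLE_CONFIG = """\
access-list corpvpnsiem_splitTunnelAcl standard permit any
access-list VPN-TEST_access_in extended permit ip any any
ip local pool local-pool 192.168.96.1-192.168.96.14 mask 255.255.255.240
group-policy corpvpnsiem attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value corpvpnsiem_splitTunnelAcl_1
tunnel-group corpvpnsiem general-attributes
 address-pool local-pool
route inside 192.168.100.0 255.255.255.0 192.168.93.250 1
"""
# Constructed "fixed" variant: ACL name made to match, NAT exemption added
# (the 192.168.93.0/24 inside network and the ACL name are assumptions).
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    "corpvpnsiem_splitTunnelAcl_1", "corpvpnsiem_splitTunnelAcl") + (
    "access-list vpn-pool extended permit ip 192.168.93.0 255.255.255.0"
    " 192.168.96.0 255.255.255.240\n"
    "nat (inside) 0 access-list vpn-pool\n")

def parse_sections(config):
    """Top-level lines plus {parent: [sub-commands]}; ASA indents sub-commands by one space."""
    top, children, parent = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and parent is not None:
            children[parent].append(raw.strip())
        else:
            parent = raw.strip()
            top.append(parent)
            children.setdefault(parent, [])
    return top, children

def _addr(t, i):
    """One ACL address spec (any | host A | A MASK) at t[i] -> (network, next index)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2

def acl_entries(top, name):
    """(src, dst) networks of every permit entry in the named ACL (standard ACL: src = any)."""
    entries = []
    for line in top:
        t = line.split()
        if t[:2] != ["access-list", name] or "permit" not in t:
            continue
        standard = t[2] == "standard"
        j = t.index("permit") + (1 if standard else 2)  # extended ACLs carry a protocol
        first, j = _addr(t, j)
        entries.append((ipaddress.ip_network("0.0.0.0/0"), first) if standard
                       else (first, _addr(t, j)[0]))
    return entries

def vpn_pool(top):
    """Network containing the 'ip local pool' range, or None."""
    for line in top:
        m = re.match(r"ip local pool \S+ (\S+)-\S+ mask (\S+)", line)
        if m:
            return ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
    return None

def nat_exempt_covers_pool(top, pool):
    """True if an ACL used by 'nat (x) 0 access-list' names the pool as source or destination."""
    for line in top:
        m = re.match(r"nat \(\S+\) 0 access-list (\S+)", line)
        if m and any(pool.subnet_of(s) or pool.subnet_of(d)
                     for s, d in acl_entries(top, m.group(1))):
            return True
    return False

def dangling_split_tunnel_list(top, children):
    """Split-tunnel ACL name referenced under a group-policy but never defined, else None."""
    defined = {l.split()[1] for l in top if l.startswith("access-list ")}
    for parent, subs in children.items():
        if parent.startswith("group-policy ") and parent.endswith(" attributes"):
            for sub in subs:
                m = re.match(r"split-tunnel-network-list value (\S+)", sub)
                if m and m.group(1) not in defined:
                    return m.group(1)
    return None

def route_covers(top, destination):
    """True if a static 'route' line covers the destination network."""
    want = ipaddress.ip_network(destination)
    for line in top:
        m = re.match(r"route \S+ (\S+) (\S+) \S+", line)
        if m and want.subnet_of(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)):
            return True
    return False

def lint(config, destination):
    """Findings as 'CODE: detail' strings; an empty list means all three checks pass."""
    top, children = parse_sections(config)
    pool = vpn_pool(top)
    if pool is None:
        return ["POOL_MISSING: no 'ip local pool' defined"]
    findings = []
    if not nat_exempt_covers_pool(top, pool):
        findings.append(f"NAT_EXEMPT_MISSING: no nat 0 access-list covers pool {pool}")
    acl = dangling_split_tunnel_list(top, children)
    if acl:
        findings.append(f"SPLIT_ACL_UNDEFINED: {acl}")
    if not route_covers(top, destination):
        findings.append(f"ROUTE_MISSING: {destination}")
    return findings
```

Run `lint(text_of_show_run, "192.168.100.0/24")` on a config dump and work through every line it prints. An empty result only says these three conditions hold; it does not prove the tunnel passes traffic, which is what the counter and capture checks in the reply are for.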

New Member

Re: VPN CLIENT CAN'T ACCESS INSIDE NETWORK

Thank you for the update.

I have implemented the steps you have mentioned. But still. This time the route print shows all the routes to 192.168.96.1. This is the same IP which is assigned to the vpn adapter.

I still do not have any clue.

Please advise.

By the way, the encrypt traffic is increasing through the tunnel, as you asked me to check.

New Member

Re: VPN CLIENT CAN'T ACCESS INSIDE NETWORK

Hello Hassan,

Can you confirm that you are routing the pool range of 192.168.96.1-192.168.96.14 back out to your firewall on your internal network?

thanks,

Jason

New Member

@JASON ---- Re: VPN CLIENT CAN'T ACCESS INSIDE NETWORK

Thanks for your reply. Well, I don't have routes for 192.168.96.0.

Please advise.

New Member

Re: @JASON ---- Re: VPN CLIENT CAN'T ACCESS INSIDE NETWORK

You will need to have at least that pool range routed back to your firewall. Otherwise, when the VPN users come in and pick up an address out of that pool and are routed inside to access your internal applications, there isn't a return route for them and they get nothing... You should try routing the pool range to your firewall and test again. Also, are you using both the inside and management interfaces to connect internally?

New Member

Re: @JASON ---- Re: VPN CLIENT CAN'T ACCESS INSIDE NETWORK

Well, here is my output:

ASA Version 7.2(3)
!
interface Management0/0
 nameif VPN-TEST
 security-level 0
 ip address 192.168.92.1 255.255.255.252
mtu VPN-TEST 1500
!
interface GigabitEthernet0/1
 description local lan
 nameif inside
 security-level 100
 ip address 192.168.93.249 255.255.255.0

same-security-traffic permit inter-interface

access-list corpvpnsiem_splitTunnelAcl standard permit any
access-list VPN-TEST_access_in extended permit ip any any
access-group VPN-TEST_access_in in interface VPN-TEST

ip local pool local-pool 192.168.96.1-192.168.96.14 mask 255.255.255.240
ip verify reverse-path interface inside

icmp permit any inside
icmp permit any VPN-TEST

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map VPN-TEST_dyn_map 1 set transform-set ESP-3DES-SHA
crypto map VPN-TEST_map 65535 ipsec-isakmp dynamic VPN-TEST_dyn_map
crypto map VPN-TEST_map interface VPN-TEST
crypto isakmp enable VPN-TEST
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 90
crypto isakmp ipsec-over-tcp port 10000

group-policy corpvpnsiem internal
group-policy corpvpnsiem attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value corpvpnsiem_splitTunnelAcl_1
username siecorpvpn password Zp283iAZlCNs9TWt encrypted
username root password lPtjCRUHSIvUjngf encrypted privilege 15
tunnel-group corpvpnsiem type ipsec-ra
tunnel-group corpvpnsiem general-attributes
 address-pool local-pool
 default-group-policy corpvpnsiem
tunnel-group corpvpnsiem ipsec-attributes

The inside interface is back to back connected with our LAYER3SW on 192.168.93.250

This LAYER3SW is also connected to the 192.168.100.0 network.

The VPN users need to access this 100.0 subnet.

So my scenario is:

VPN USERS (coming from the Internet)
    |
    v  in to the ASA
VPN INTERFACE 192.168.92.1  (ASA)
    |
    v  out from the ASA
INSIDE INTERFACE 192.168.93.249  (ASA)
    |
    v
L3SW 192.168.93.250  (which is connected to the 100.0 network)

   

On the L3SW i have the following route

192.168.96.0 [1/0] via 192.168.93.249

Please advise.

New Member

Re: @JASON ---- Re: VPN CLIENT CAN'T ACCESS INSIDE NETWORK

Your ASA needs a route to get to the 192.168.100.x network also.

New Member

Re: @JASON ---- Re: VPN CLIENT CAN'T ACCESS INSIDE NETWORK

This is my route on the ASA

192.168.100.0 255.255.255.0 [1/0] via 192.168.93.250, inside

New Member

Re: VPN CLIENT CAN'T ACCESS INSIDE NETWORK

Hi Hassan,

Thanks for the update.

Just want to confirm the topology with you again

VPN client====IPSEC VPN===ASA---N1

OR

VPN client ====IPSEC VPN===ASA---Router---N1

In the first case you just need the server to have the ASA as its correct gateway.

In the second case, you need to add a route on the router for the pool network (192.168.96.0) with the ASA as the gateway.

Please attach the output of show cry ipsec sa and captures which i asked you to do in my previous update.

New Member

@ashish ----- updates of the captures.

0.0.0.0 0.0.0.0 [255/0] via 192.168.92.1, VPN-TEST tunneled

The above is my gateway for my ip pool. 192.168.92.1 is the interface allowing VPN incoming sessions.

Just to summarize.

ASA VPN INTERFACE =  192.168.92.1

ASA VPN POOL = 192.168.96.1 - 192.168.96.14

ASA INSIDE INTERFACE = 192.168.93.249 -----CONNECTED TO------ 192.168.93.250 CISCO 3750

DESTINATION SUBNET TO REACH FROM VPN POOL IS = 192.168.100.0/30

ASA : HERE there is already a route present  for 192.168.100.0 via 192.168.93.250

CISCO 3750 : HERE there is already a route present for vpn pool (192.168.96.0) via 192.168.93.249 in the 3750

show crypto ipsec sa

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

The numbers stay zero when I connect and start the ping request.

show cap vpn

FW# sh cap vpn
0 packet captured
0 packet shown

This also stays zero when I connect and initiate a ping request.

I think something is not happening between the VPN pool and the VPN interface, as there is no activity.

Please advise.

hassan

New Member

Re: @ashish ----- updates of the captures.

Hi Hassan,

Thanks for the update.

Can you please configure one more capture on the ASA

Right now we can't see any decaps on the ASA, so we need to make sure that the ASA is getting ESP or UDP 4500 packets from the client.

Please follow the following steps

1. Open www.whatismyip.com on the client's end.

2. Make a note of the public ip address of the client

3. Configure one more access-list:

access-list test-new per ip host host

capture cap-public access-list test-new interface outside

try to ping the same host again from the VPN client and take the output of show cap cap-public

Is it happening with all clients or only a few?

Regards

Ashish

New Member

Re: @ashish ----- updates of the captures again.

FW# sh capture
capture vpn type raw-data access-list capture interface inside [Capturing - 0 bytes]
capture cap-public type raw-data access-list test-new interface outside [Capturing - 0 bytes]

I still have no clue as to why the hell my VPN pool client can't access the inside network!

New Member

Re: @ashish ----- updates of the captures again.

Hi Hassan,

Then in that case it seems that some device upstream is blocking ESP or UDP 4500 packets, as in the captures we can't see any packets hitting the ASA from the client's public IP address. The ports may be blocked on the client's end as well, in the outbound direction. In your previous updates you mentioned that you can see the number of encaps increasing on the VPN client's end. Correct me if I am wrong.

Please try to connect to the ASA from some other place and test the connectivity to the internal network. This is just to isolate a client-end issue.

Regards

Ashish

New Member

Re: @ashish ----- updates of the captures again.

Well, I will have to check upstream whether IPsec over TCP port 10000 is allowed.

But if it wasn't, then why does it connect? It shouldn't connect in the first place.
Moreover, I noticed the following in my VPN client log after connection.

63     18:24:15.515  12/01/10  Sev=Warning/2 CVPND/0xE3400013
AddRoute failed to add a route with metric of 1: code 87
Destination 192.168.93.255
Netmask 255.255.255.255
Gateway 192.168.96.9
Interface 192.168.96.9

64     18:24:15.515  12/01/10  Sev=Warning/2 CM/0xA3100024
Unable to add route. Network: c0a85dff, Netmask: ffffffff, Interface: c0a86009, Gateway: c0a86009.

what is it complaining about ?

New Member

Re: @ashish ----- updates of the captures again.

Negotiation of ISAKMP happens on UDP 500 or 4500 (if there is any NATing device between the client and the ASA), but when the tunnel comes up the data becomes ESP (IP protocol 50). So if any device between the client and the ASA allows UDP 500 but blocks ESP, the tunnel will come up on the UDP ports, but when the client tries to pass some traffic through the tunnel it will become ESP and will get routed to the public IP address of the ASA. But if that ESP packet is blocked somewhere in between, the ASA will never receive the packets.

There are some devices which don't do NAT for ESP packets. Currently NAT traversal is already enabled on the ASA, so the tunnel may come up on UDP 4500.

So make sure that UDP 4500 and ESP are not blocked between the client and the ASA.

Regards

Ashish
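The reasoning in the reply above (client encrypt count rising, ASA encaps and decaps flat, capture empty) can be written down as a small decision procedure. The script below is an added example, not from the thread and not a Cisco tool. It takes the client's encrypt/decrypt counters from the statistics window, two snapshots of `show crypto ipsec sa`, and optionally the byte count of a capture, and names the leg on which packets disappear. It also enforces one caveat: a zero-byte capture only counts as evidence when the capture sits on the interface the crypto map is bound to (`VPN-TEST` in the posted config, which is why `CRYPTO_IFACE` is set that way); the `cap-public` capture in the thread was placed on `outside`, so the helper returns `None` for it rather than treating its 0 bytes as proof. The counter snapshots and capture lines are constructed in the formats posted in the thread; the result codes are my own.

```python
"""Locate the dead leg of a remote-access IPsec tunnel from counters at both ends."""
import re

# Constructed snapshots in the 'show crypto ipsec sa' / 'show capture' formats
# posted in the thread. Client-side counters are passed as (encrypt, decrypt).
ASA_IDLE = """\
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""
ASA_RX_ONLY = """\
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 20, #pkts decrypt: 20, #pkts verify: 20
"""
SHOW_CAPTURE = """\
capture vpn type raw-data access-list capture interface inside [Capturing - 0 bytes]
capture cap-public type raw-data access-list test-new interface outside [Capturing - 0 bytes]
"""
CRYPTO_IFACE = "VPN-TEST"  # interface the crypto map is bound to in the posted config (assumed)

def asa_counters(show_ipsec_sa):
    """(encaps, decaps) parsed from 'show crypto ipsec sa' text."""
    enc = int(re.search(r"#pkts encaps: (\d+)", show_ipsec_sa).group(1))
    dec = int(re.search(r"#pkts decaps: (\d+)", show_ipsec_sa).group(1))
    return enc, dec

def usable_capture(show_capture, name, crypto_iface):
    """Bytes seen by the named capture, or None when it is not on the crypto-map
    interface: a zero-byte capture on some other interface proves nothing."""
    pat = (r"^capture (\S+) type \S+ access-list \S+ interface (\S+) "
           r"\[Capturing - (\d+) bytes\]")
    for m in re.finditer(pat, show_capture, re.M):
        if m.group(1) == name:
            return int(m.group(3)) if m.group(2) == crypto_iface else None
    return None

def diagnose(client_before, client_after, asa_before, asa_after, public_capture=None):
    """Compare counter deltas and return (code, what to check next).
    client_*: (encrypt, decrypt) from the client statistics window.
    asa_*: 'show crypto ipsec sa' text.  public_capture: result of usable_capture()."""
    c_enc = client_after[0] - client_before[0]
    c_dec = client_after[1] - client_before[1]
    a_enc = asa_counters(asa_after)[0] - asa_counters(asa_before)[0]
    a_dec = asa_counters(asa_after)[1] - asa_counters(asa_before)[1]
    if c_enc == 0:
        return ("CLIENT_NOT_SENDING",
                "client encrypts nothing: no route into the tunnel; check route print "
                "and the split-tunnel network list")
    if a_dec == 0:
        if public_capture == 0:
            where = "before the ASA: ESP / UDP 4500 / TCP 10000 dropped upstream or at the client"
        elif public_capture:
            where = ("at the ASA: packets arrive but are not decapsulated; check they are "
                     "ESP or UDP 4500 and match the SA")
        else:
            where = "between client and ASA; capture the client's public IP on the crypto-map interface"
        return "LOST_CLIENT_TO_ASA", "client encrypts but ASA decaps nothing, lost " + where
    if a_enc == 0:
        return ("NO_RETURN_FROM_INSIDE",
                "ASA decrypts client traffic but sends nothing back: return route and NAT "
                "exemption for the pool, or the inside host itself")
    if c_dec == 0:
        return ("LOST_ASA_TO_CLIENT",
                "ASA encapsulates replies the client never decrypts: ESP blocked toward the client")
    return "TUNNEL_PASSING", "counters move both ways; look at the host firewall or application"
```

With the numbers reported in this thread (client encrypt rising, ASA counters flat, no capture on `VPN-TEST`) the call `diagnose((100, 40), (120, 40), ASA_IDLE, ASA_IDLE, usable_capture(SHOW_CAPTURE, "cap-public", CRYPTO_IFACE))` lands on `LOST_CLIENT_TO_ASA` and asks for a capture on the crypto-map interface, which is the next piece of evidence needed before blaming an upstream filter.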

New Member

Re: @ashish ----- client status.

Cisco Employee

Re: @ashish ----- client status.

Can you please share the latest full config of your ASA.

New Member

Re: @Jennifer....VPN CLIENT CAN'T REACH INSIDE NETWORK

Hello Jennifer,

Glad to hear from you.

Well, I have enclosed the VPN client status screenshot after connecting.

Please note my VPN clients connect and then cannot reach my servers in the INSIDE network.

Well, here is my ASA config output:

==============================================

ASA Version 7.2(3)
!
interface Management0/0
 nameif VPN-TEST
 security-level 0
 ip address 192.168.92.1 255.255.255.252
mtu VPN-TEST 1500
!
interface GigabitEthernet0/1
 description local lan
 nameif inside
 security-level 100
 ip address 192.168.93.249 255.255.255.0

same-security-traffic permit inter-interface

access-list corpvpnsiem_splitTunnelAcl standard permit any
access-list VPN-TEST_access_in extended permit ip any any
access-group VPN-TEST_access_in in interface VPN-TEST

ip local pool local-pool 192.168.96.1-192.168.96.14 mask 255.255.255.240
ip verify reverse-path interface inside

icmp permit any inside
icmp permit any VPN-TEST

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map VPN-TEST_dyn_map 1 set transform-set ESP-3DES-SHA
crypto map VPN-TEST_map 65535 ipsec-isakmp dynamic VPN-TEST_dyn_map
crypto map VPN-TEST_map interface VPN-TEST
crypto isakmp enable VPN-TEST
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 90
crypto isakmp ipsec-over-tcp port 10000

group-policy corpvpnsiem internal
group-policy corpvpnsiem attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value corpvpnsiem_splitTunnelAcl_1
username siecorpvpn password Zp283iAZlCNs9TWt encrypted
username root password lPtjCRUHSIvUjngf encrypted privilege 15
tunnel-group corpvpnsiem type ipsec-ra
tunnel-group corpvpnsiem general-attributes
 address-pool local-pool
 default-group-policy corpvpnsiem
tunnel-group corpvpnsiem ipsec-attributes

Route on the ASA:

192.168.100.0 255.255.255.0 [1/0] via 192.168.93.250, inside

=============================================================

Just to summarize.

ASA VPN INTERFACE =  192.168.92.1

ASA VPN POOL = 192.168.96.1 - 192.168.96.14

ASA INSIDE INTERFACE = 192.168.93.249 -----CONNECTED TO------ 192.168.93.250 CISCO 3750
DESTINATION SUBNET TO REACH FROM VPN POOL IS = 192.168.100.0/30


ASA : HERE there is already a route present  for 192.168.100.0 via 192.168.93.250
CISCO 3750 : HERE there is already a route present for vpn pool (192.168.96.0) via 192.168.93.249 in the 3750

Please advise.

Hassan

New Member

Re: VPN CLIENT CAN'T ACCESS INSIDE NETWORK

Guys, I am waiting for an update... please, I need help with this.

New Member

Re: VPN CLIENT CAN'T ACCESS INSIDE NETWORK

I apologize if you already answered this in earlier posts but can your ASA ping the servers that the VPN clients are trying to access? Also, have you tried actually specifying the 192.168.100.x/24 network in the split tunnel access-list to see if that works. I see that you are permitting any but worth a try at this point.

New Member

Re: VPN CLIENT CAN'T ACCESS INSIDE NETWORK

Hi Hassan,

Did you check the connectivity from a different location?

Regards

Ashish
