07-24-2008 12:08 PM
Definitely in need of some expert help on this one...
Attempting to set up VPN client access on an ASA 5520 that has been used only as a
firewall until now. The ASA was recently updated to Version 7.2(4).
Problem: Once connected, the VPN client cannot access anything. VPN client cannot
ping any address on internal networks, or even the inside interface of the ASA.
(hopefully) Relevant Details:
1) The tunnel appears to be up. The clients are local authenticated by the ASA and
are able to connect.
2) Per many other related posts, I ran a "sh crypto ipsec sa" to see the output: it
appears that packets are being decapsulated and decrypted, but NOT encapsulated or
encrypted (see output of "sh crypto ipsec sa" attached).
3) Per other related posts, we have added commands related to NAT reversal ("crypto isakmp nat-traversal 20" and "crypto isakmp ipsec-over-tcp port 10000"). These were in fact missing from our configuration.
4) We have tried both TCP encapsulation and UDP encapsulation with experimental client
profiles: same result in both cases.
5) If I (attempt to) ping an internal IP address from the connected client, the realtime ASA log entries show the setup and teardown of the ICMP requests from the client to the internal target.
6) Packet capture on the internal address (the one we are attempting to ping from the
VPN client) shows that the ICMP request was received and answered. (See attached
capture).
7) Our objective is to create about 10 different VPN client profiles, each with
different combinations of access to Internal VLANs or DMZ VLANs. We have no
preferences for encryption type or method so long as it is secure and it works: That
said, feel free to recommend a different approach entirely.
We've tried everything we can think of, so any help and/or advice would be greatly appreciated!!
Sanitized configuration of ASA is also attached.
Thanks!
07-26-2008 02:48 AM
add to the configuration
"icmp permit any inside"
do
"clear arp"
"clear xl"
"clear local-host"
try to ping from ASA 172.16.20.1
connect vpn client
try to ping from vpn client 172.16.20.1
show the output "sh route" "sh arp" "sh crypto ipsec sa"
from 6500
sh run int vlan 20
sh ip arp vlan 20
ping 172.16.20.1
07-26-2008 07:24 AM
Done.
1) ASA can ping 172.16.20.1 from Inside, no problem.
2) VPN client cannot ping 172.16.20.1 Still showing Decrypted = 0.
Requested ASA outputs attached.
Requested 6500 outputs below:
6509#sh run int vlan 20
Building configuration...
Current configuration : 62 bytes
!
interface Vlan20
ip address 172.16.20.1 255.255.255.0
end
6509#sh ip arp vlan 20
Protocol Address Age (min) Hardware Addr Type Interface
Internet 172.16.20.1 - 0015.2c19.d000 ARPA Vlan20
Internet 172.16.20.2 19 0012.d948.f207 ARPA Vlan20
6509#ping 172.16.20.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.20.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
07-26-2008 09:03 AM
it should be the last step :)
on 6509
ip route 172.16.100.0 255.255.255.0 172.16.20.2
and on ASA
no route inside 172.16.40.0 255.255.255.0 172.16.20.2
07-26-2008 10:15 AM
Aleksey, you are genius! It works!
Actually route inside 172.16.40.0 255.255.255.0 172.16.20.2 did not exist, so I'm guessing you meant "no route inside 172.16.40.0 255.255.255.0 172.16.20.1" and have removed this.
Question: Why remove the route inside 172.16.40.0 255.255.255.0 172.16.20.1 ? Is this because ASA Gi0/3 has 172.16.40.210 address? Gi0/3 is set to "management only" and is currently disabled.
07-26-2008 11:05 AM
Cool :)
I mean "route inside 172.16.40.0 255.255.255.0 172.16.20.2"
because according to the provided information, on the ASA you have
Result of the command: "show route"
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 111.222.167.1 to network 0.0.0.0
S 172.16.40.0 255.255.255.0 [1/0] via 172.16.20.2, inside
[1/0] via 172.16.20.1, inside
07-26-2008 11:48 AM
So we need in ASA BOTH:
route inside 172.16.40.0 255.255.255.0 172.16.20.2 and route inside 172.16.40.0 255.255.255.0 172.16.20.1 ?
07-26-2008 12:14 PM
you need only one
no route inside 172.16.40.0 255.255.255.0 172.16.20.2
route inside 172.16.40.0 255.255.255.0 172.16.20.1
07-26-2008 01:45 PM
Done, and this makes sense.
Many, Many thanks for your expert help!!!
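To make the diagnosis in this thread concrete, here is an added Python model (my own example, not the poster's configuration or any Cisco tool) of the two routing tables involved: before the fix the 6509 has no route for the VPN pool 172.16.100.0/24, so its replies to a client never come back to the ASA inside interface (172.16.20.2), which is exactly why "sh crypto ipsec sa" shows decaps but no encaps; the ASA's stray static route pointing at its own inside address is flagged the same way. The 6509's default gateway and its connected VLAN 40 are assumptions, marked as placeholders.

```python
import ipaddress

# Constructed model of the routing in this thread (not the poster's configs).
# 172.16.20.1 = 6509 Vlan20 SVI, 172.16.20.2 = ASA inside interface,
# 172.16.100.0/24 = VPN client pool, 172.16.40.0/24 = an internal VLAN.
# The 6509's default gateway is an assumption and is left as a placeholder.
ASA_INSIDE = "172.16.20.2"
CORE_SVI = "172.16.20.1"


def lookup(table, dst):
    """Longest-prefix match over (prefix, next_hop) pairs; None if no route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


# 6509 before the fix: it knows nothing about the VPN pool, so replies to a
# client follow the default route instead of going back to the ASA.
CORE_BEFORE = [
    ("172.16.20.0/24", "connected"),
    ("172.16.40.0/24", "connected"),          # assumed connected VLAN
    ("0.0.0.0/0", "<default-gw placeholder>"),  # assumed, not from the thread
]
# 6509 after "ip route 172.16.100.0 255.255.255.0 172.16.20.2".
CORE_AFTER = CORE_BEFORE + [("172.16.100.0/24", ASA_INSIDE)]


def return_path_reaches_asa(core_table, vpn_client_ip):
    """True when the core hands its reply to a VPN client back to the ASA,
    i.e. the ASA gets something to encapsulate for that tunnel."""
    return lookup(core_table, vpn_client_ip) == ASA_INSIDE


def self_pointing_routes(static_routes, own_addresses):
    """Static routes whose next hop is one of the device's own interface
    addresses, like the stray 'route inside 172.16.40.0 ... 172.16.20.2'."""
    return [r for r in static_routes if r[1] in own_addresses]


ASA_STATIC = [("172.16.40.0/24", ASA_INSIDE), ("172.16.40.0/24", CORE_SVI)]

if __name__ == "__main__":
    client = "172.16.100.10"  # constructed address from the VPN pool
    print("before fix:", return_path_reaches_asa(CORE_BEFORE, client))  # False
    print("after fix: ", return_path_reaches_asa(CORE_AFTER, client))   # True
    print("self-pointing:", self_pointing_routes(ASA_STATIC, {ASA_INSIDE}))
```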
09-29-2008 06:51 AM
Scott,
This is a great piece of troubleshooting and it helped me better understand the whole process.
One follow-up question:
Did you ever try turning on EIGRP?
Best,
Paul
10-06-2008 08:11 PM
Yes, I'm happy to say that we have EIGRP working nicely on our ASA 5520. It's good because it virtually eliminates routing as a variable. If something's not working, it's almost always an ACL or NAT issue now...
10-11-2008 05:51 AM
Scott,
Thanks for the confirmation. I give all your contributions to this thread a "5" from NYC.
Best,
Paul