Solved: Re: VPN Clients cannot access any internal address - Page 2

goodwinscottns · ‎07-24-2008

Definitely in need of some expert help on this one...

Attempting to set up VPN client access on an ASA 5520 that has been used only as a

firewall until now. The ASA was recently updated to Version 7.2(4).

Problem: Once connected, the VPN client cannot access anything. VPN client cannot

ping any address on internal networks, or even the inside interface of the ASA.

(hopefully) Relevant Details:

1) The tunnel appears to be up. The clients are local authenticated by the ASA and

are able to connect.

2) Per many other related posts, I ran a "sh crypto ipsec sa" to see the output: it

appears that packets are being decapsulated and decrypted, but NOT encapsulated or

encrypted (see output of "sh crypto ipsec sa" attached).

3) Per other related posts, we have added commands related to NAT reversal (crypto

isakmp nat-traversal 20

crypto isakmp ipsec-over-tcp port 10000). These were in fact missing from our

configuration.

4) We have tried both TCP encapsulation and UDP encapsulation with experimental client

profiles: same result in both cases.

5) If I (attempt) ping to an internal IP address from the connected client, the

realtime ASA log entries show the setup and teardown of the ICMP requests from the

client to the internal target.

6) Packet capture on the internal address (the one we are attempting to ping from the

VPN client) shows that the ICMP request was received and answered. (See attached

capture).

7) Our objective is to create about 10 different VPN client profiles, each with

different combinations of access to Internal VLANs or DMZ VLANs. We have no

preferences for encryption type or method so long as it is secure and it works: That

said, feel free to recommend a different approach entirely.

We've tried everything we can think of, so any help and/or advice would be greatly

Sanitized configuration of ASA is also attached.

appreciated!!

Thanks!

a.alekseev · ‎07-26-2008

add to the configuration

"icmp permit any inside"

do

"clear arp"

"clear xl"

"clear local-host"

try to ping from ASA 172.16.20.1

connect vpn client

try to ping from vpn client 172.16.20.1

show the output "sh route" "sh arp" "sh crypto ipsec sa"

from 6500

sh run int vlan 20

sh ip arp vlan 20

ping 172.16.20.1

goodwinscottns · ‎07-26-2008

Done.

1) ASA can ping 172.16.20.1 from Inside, no problem.

2) VPN client cannot ping 172.16.20.1 Still showing Decrypted = 0.

Requested ASA outputs attached.

Requested 6500 outputs below:

6509#sh run int vlan 20

Building configuration...

Current configuration : 62 bytes

!

interface Vlan20

ip address 172.16.20.1 255.255.255.0

end

6509#sh ip arp vlan 20

Protocol Address Age (min) Hardware Addr Type Interface

Internet 172.16.20.1 - 0015.2c19.d000 ARPA Vlan20

Internet 172.16.20.2 19 0012.d948.f207 ARPA Vlan20

6509#ping 172.16.20.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.16.20.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

a.alekseev · ‎07-26-2008

it should be the last step :)

on 6509

ip route 172.16.100.0 255.255.255.0 172.16.20.2

and on ASA

no route inside 172.16.40.0 255.255.255.0 172.16.20.2

goodwinscottns · ‎07-26-2008

Aleksey, you are genius! It works!

Actually route inside 172.16.40.0 255.255.255.0 172.16.20.2 did not exist, so I'm guessing you meant "no route inside 172.16.40.0 255.255.255.0 172.16.20.1" and have removed this.

Question: Why remove the route inside 172.16.40.0 255.255.255.0 172.16.20.1 ? Is this because ASA Gi0/3 has 172.16.40.210 address? Gi0/3 is set to "management only" and is currently disabled.

a.alekseev · ‎07-26-2008

Cool :)

I mean "route inside 172.16.40.0 255.255.255.0 172.16.20.2"

because according provided information on ASA you have

Result of the command: "show route"

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP

i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area

* - candidate default, U - per-user static route, o - ODR

P - periodic downloaded static route

Gateway of last resort is 111.222.167.1 to network 0.0.0.0

S 172.16.40.0 255.255.255.0 [1/0] via 172.16.20.2, inside

[1/0] via 172.16.20.1, inside

goodwinscottns · ‎07-26-2008

So we need in ASA BOTH:

route inside 172.16.40.0 255.255.255.0 172.16.20.2 and route inside 172.16.40.0 255.255.255.0 172.16.20.1 ?

a.alekseev · ‎07-26-2008

you need only one

no route inside 172.16.40.0 255.255.255.0 172.16.20.2

route inside 172.16.40.0 255.255.255.0 172.16.20.1

goodwinscottns · ‎07-26-2008

Done, and this makes sense.

Many, Many thanks for your expert help!!!

pmccubbin · ‎09-29-2008

Scott,

This is a great piece of troubleshooting and it helped me better understand the whole process.

One follow-up question:

Did you ever try turning on EIGRP?

Best,

Paul

goodwinscottns · ‎10-06-2008

Yes, I'm happy to say that we have EIGRP working nicely on our ASA 5520. It's good because it virtually eliminates routing as a variable. If something's not working, it's almost always an ACL or NAT issue now...

pmccubbin · ‎10-11-2008

Scott,

Thanks for the confirmation. I give all your contributions to this thread a "5" from NYC.

Best,

Paul