Avatar of netcmh
netcmh

asked on

ASA 5510 VPN DMZ

Greetings all,

I've looked around and have not found an answer. So please help :)

I have an ASA 5510 with IOS 8.2
It has 3 interfaces which I'm using : External, Internal, DMZ

All's working fine now, with local LAN behind Internal, browsing, ftp, etc. Local LAN has 192.168.1.0

I'm using the ASA for a Site-to-Site VPN: also working. This VPN allows the remote site to connect to our segment behind the DMZ int.

Also, the ASA is our RA box, with users VPN-ing into it to get access to the LAN behind the Internal int.

I'm tasked with adding another VPN access - this time Cisco VPN clients are required to access one server behind the DMZ int.

Have worked with http://www.petenetlive.com/KB/Article/0000071.htm as a guide. Step by step instructions were followed, and yet I couldn't get access to that server.

At first I got the "Reverse-path verify failed" error on packet-tracer, which I've temporarily rectified by removing the "ip verify reverse-path interface DMZ" line

Right now I'm getting the "Flow is denied by configured rule". Checking which access rule is dropping the packets, it's the DMZ implicit rule which denies packets coming from source any to destination any with ip service.

I have the proper route command, the proper nat0 config set, and yet I run into this issue.

Please help.

Relevant config is attached. And, thanks for looking
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address xxx.xxx.xxx.xxx

interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0

interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 172.16.2.1 255.255.255.0

access-list dmz_nat0_outbound extended permit ip host 192.168.9.1 172.16.200.0 255.255.255.0

access-list Client1 standard permit host 192.168.9.1

ip local pool Restricted_VPN_IP_Pool 172.16.200.1-172.16.200.254 mask 255.255.255.0

nat-control

nat (dmz) 0 access-list dmz_nat0_outbound
route dmz 192.168.9.1 255.255.255.255 172.16.2.2 1

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

group-policy Client1 internal
group-policy Client1 attributes
 dns-server value 192.168.1.2 192.168.1.6
 vpn-filter value Client1
 vpn-tunnel-protocol IPSec
 default-domain value company.prv

username Client1 password xxxxxxxxx encrypted privilege 0
username Client1 attributes
 vpn-group-policy Client1
 service-type remote-access

tunnel-group Client1 type remote-access
tunnel-group Client1 general-attributes
 address-pool Restricted_VPN_IP_Pool
 default-group-policy Client1
tunnel-group Client1 ipsec-attributes
 pre-shared-key *


Avatar of anoopkmr
anoopkmr

Just remove the vpn-filter value Client1 from the group policy and see.
Avatar of netcmh

ASKER

I need that filter, but for testing, I've removed it - no luck. Still the same error
Type the command: sysopt connection permit-vpn

Kindly provide your whole config.
Avatar of netcmh

ASKER

I've already made sure that I had that in. Whole config might take some time

Any specific areas you interested in?
Avatar of netcmh

ASKER

My concern stems from the fact that I have a site-to-site already in place. And this new requirement is on top of that. Could the previous be blocking my current?
Are you using the packet tracer to get the error?
If not, give the packet tracer output for the traffic between the VPN pool and DMZ.
Without seeing the whole config, I can't conclude on your point.
Avatar of netcmh

ASKER

asafirewall#packet-tracer input dmz tcp 172.16.200.1 3389 192.168.9.1 3389 detail

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xd8476560, priority=12, domain=capture, deny=false
        hits=13241, user_data=0xd8476a90, cs_id=0x0, l3_type=0x0
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0000.0000.0000

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xd7b0a238, priority=1, domain=permit, deny=false
        hits=11750, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0000.0000.0000

Phase: 3
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 4
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.9.1    255.255.255.255 dmz

Phase: 5
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xd7b0ac78, priority=111, domain=permit, deny=true
        hits=15, user_data=0x0, cs_id=0x0, flags=0x4000, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Result:
input-interface: dmz
input-status: up
input-line-status: up
output-interface: dmz
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
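A quick way to read a packet-tracer dump like the one above is to split it into its numbered phases, pick out the phase that returned DROP, and pair it with the trailing Result block. The script below is an added example, not code from this thread or from Cisco; it parses the output pasted above (trimmed to the lines the parser needs) and reports the dropping phase, the drop reason, and whether the flow entered and left on the same interface.

```python
"""Parse Cisco ASA packet-tracer output and point at the phase that dropped the flow.

Added example, not code from the thread. The input is the asker's packet-tracer
output from this thread, abbreviated; the parser and its function names are mine.
"""
import re

# Quoted from the thread above, trimmed to the lines the parser needs.
PACKET_TRACER_OUTPUT = """\
asafirewall#packet-tracer input dmz tcp 172.16.200.1 3389 192.168.9.1 3389 detail

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xd8476560, priority=12, domain=capture, deny=false

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule

Phase: 3
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 4
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.9.1    255.255.255.255 dmz

Phase: 5
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xd7b0ac78, priority=111, domain=permit, deny=true

Result:
input-interface: dmz
input-status: up
input-line-status: up
output-interface: dmz
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

PHASE_RE = re.compile(r"^Phase:\s*(\d+)\s*$", re.M)


def parse_packet_tracer(text):
    """Return (phases, summary).

    phases  : list of dicts with keys phase, type, subtype, result, config, details
    summary : dict built from the trailing 'Result:' block (input-interface, action, ...)
    """
    # The final summary starts with a bare "Result:" line; per-phase results read "Result: ALLOW".
    body, _, tail = text.partition("\nResult:\n")
    phases = []
    starts = list(PHASE_RE.finditer(body))
    for i, m in enumerate(starts):
        end = starts[i + 1].start() if i + 1 < len(starts) else len(body)
        entry = {"phase": int(m.group(1)), "type": "", "subtype": "",
                 "result": "", "config": "", "details": []}
        section = None
        for line in body[m.end():end].splitlines():
            if not line.strip():
                continue
            key, sep, value = line.partition(":")
            key_l = key.strip().lower()
            if sep and key_l in ("type", "subtype", "result"):
                entry[key_l] = value.strip()
            elif sep and key_l == "config":
                section = "config"          # following lines name the matched rule
            elif sep and key_l == "additional information":
                section = "details"         # following lines are lookup details
            elif section == "config":
                entry["config"] = (entry["config"] + " " + line.strip()).strip()
            else:
                entry["details"].append(line.strip())
        phases.append(entry)
    summary = {}
    for line in tail.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            summary[key.strip().lower()] = value.strip()
    return phases, summary


def diagnose(text):
    """Summarise where the flow died and whether it was an intra-interface flow."""
    phases, summary = parse_packet_tracer(text)
    dropped = next((p for p in phases if p["result"].upper() == "DROP"), None)
    inp, outp = summary.get("input-interface"), summary.get("output-interface")
    return {
        "action": summary.get("action", ""),
        "drop_reason": summary.get("drop-reason", ""),
        "drop_phase": dropped["phase"] if dropped else None,
        "drop_type": dropped["type"] if dropped else None,
        "drop_config": dropped["config"] if dropped else None,
        "input_interface": inp or "",
        "output_interface": outp or "",
        # Same ingress and egress interface: a hairpin that the default ASA policy refuses.
        "intra_interface": bool(inp) and inp == outp,
    }


if __name__ == "__main__":
    for k, v in diagnose(PACKET_TRACER_OUTPUT).items():
        print(f"{k}: {v}")
```

Run against the trace above it reports phase 5 (ACCESS-LIST, "Implicit Rule") as the dropping phase and flags that input-interface and output-interface are both dmz, which is the detail to look at before touching NAT or routes.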
Avatar of netcmh

ASKER

Please ask for specific areas. The asa config is a large amount to prime before posting.
Kindly provide the full config.
From where did you generate the traffic? DMZ to VPN users, or vice versa?
Avatar of netcmh

ASKER

It's from VPN users to DMZ
Avatar of netcmh

ASKER

At the expense of being monotonous, please ask for specific areas of the config - ACLs, cryptos, routes etc.
Avatar of netcmh

ASKER

Does it have to do with the interface security levels?
Avatar of netcmh

ASKER

Here's the whole config. Hope you can help now.

The IPs are real now. So please ask away:


hostname asafirewall
domain-name company.prv
names
name 172.16.1.0 VPNUsers
name 10.0.0.197 CO01-SMTP
name 10.0.0.194 CO01-DNS
name 10.0.0.203 COM01
name 10.0.0.202 COMAS011B
name 161.168.228.14 CLMAS012c
name 161.168.228.13 CLMAS012a
name 161.165.202.14 CLMAS012d
name 161.165.202.13 CLMAS012b
name 10.0.0.253 COIS0101
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address xxx.xxx.xxx.xxx
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.254 255.255.255.0 standby 10.0.0.252
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 172.16.253.2 255.255.255.248 standby 172.16.253.3
!
interface Ethernet0/3
 description LAN/STATE Failover Interface
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
clock timezone EST -5
dns server-group DefaultDNS
 domain-name company.prv
object-group service COAS2 tcp
 port-object range 4080 4080
 port-object range 5080 5080
object-group service ExchangeAccess tcp
 port-object eq www
 port-object eq pop3
 port-object eq https
 port-object eq imap4
object-group service Phones udp
 port-object range 16400 16999
 port-object eq 2427
object-group network CLMAS012
 network-object CLMAS012b 255.255.255.255
 network-object CLMAS012d 255.255.255.255
 network-object CLMAS012a 255.255.255.255
 network-object CLMAS012c 255.255.255.255
object-group icmp-type icmp-allowed
 icmp-object echo-reply
 icmp-object time-exceeded
 icmp-object unreachable
access-list outside_access_in extended permit tcp any host xxx.xxx.xxx.194 eq domain
access-list outside_access_in extended permit udp any host xxx.xxx.xxx.194 eq domain
access-list outside_access_in extended permit tcp any host xxx.xxx.xxx.197 eq smtp
access-list outside_access_in extended permit tcp any host xxx.xxx.xxx.195 object-group ExchangeAccess
access-list outside_access_in extended permit gre any any
access-list outside_access_in extended permit tcp any host xxx.xxx.xxx.200 eq pptp
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit tcp object-group CLMAS012 host xxx.xxx.xxx.202 object-group COAS2 log
access-list outside_access_in extended permit tcp any host xxx.xxx.xxx.202 object-group COAS2
access-list outside_access_in extended permit udp any host xxx.xxx.xxx.204 object-group Phones
access-list outside_access_in remark For IP phones
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 VPNUsers 255.255.255.0
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 172.16.2.0 255.255.255.0
access-list 102 standard permit 192.168.96.0 255.255.224.0
access-list 102 standard permit 10.0.0.0 255.255.255.0
access-list cvpnclient_splitTunnelAcl standard permit 192.168.0.0 255.255.0.0
access-list cvpnclient_splitTunnelAcl standard permit 10.0.0.0 255.255.255.0
access-list outside_cryptomap_dyn_31 extended permit ip any 172.16.2.0 255.255.255.0
access-list outside_cryptomap_dyn_11 extended permit ip any 172.16.2.0 255.255.255.0
access-list user1_splitTunnelAcl standard permit 10.0.0.0 255.255.255.0
access-list user1_splitTunnelAcl standard permit 192.168.0.0 255.255.0.0
access-list outside_cryptomap_20 extended permit ip 192.168.98.0 255.255.255.240 10.20.28.0 255.255.252.0
access-list dmz_nat0_outbound extended permit ip 192.168.98.0 255.255.255.240 10.20.28.0 255.255.252.0
access-list dmz_nat0_outbound extended permit ip host 192.168.99.5 172.16.200.0 255.255.255.0
access-list DMZ_access_out extended permit tcp 10.20.28.0 255.255.252.0 host 192.168.98.1 eq telnet
access-list DMZ_access_out extended permit icmp 10.20.28.0 255.255.252.0 192.168.98.0 255.255.255.240
access-list DMZ_access_out extended deny ip 10.20.28.0 255.255.252.0 any
access-list TAC extended permit ip host 1.1.1.1 host 2.2.2.2
access-list TESTVPN_splitTunnelAcl standard permit host 192.168.99.5
pager lines 24
logging enable
logging timestamp
logging asdm-buffer-size 512
logging trap errors
logging history warnings
logging asdm informational
logging host inside COIS0101
logging host inside 192.168.100.9
logging permit-hostdown
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip local pool CiscoVPN 172.16.2.1-172.16.2.254 mask 255.255.255.0
ip local pool Restricted_VPN_IP_Pool 172.16.200.1-172.16.200.254 mask 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
failover
failover lan unit primary
failover lan interface folink Ethernet0/3
failover link folink Ethernet0/3
failover interface ip folink 192.168.253.1 255.255.255.252 standby 192.168.253.2
no monitor-interface dmz
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo inside
icmp permit any echo-reply inside
icmp permit any echo dmz
icmp permit any echo-reply dmz
asdm image disk0:/asdm-625-53.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 10.0.0.0 255.255.255.0
nat (dmz) 0 access-list dmz_nat0_outbound
static (inside,outside) xxx.xxx.xxx.195 COM01 netmask 255.255.255.255 dns
static (inside,outside) xxx.xxx.xxx.194 CO01-DNS netmask 255.255.255.255 dns
static (inside,outside) xxx.xxx.xxx.197 CO01-SMTP netmask 255.255.255.255 dns
static (inside,outside) 192.168.98.2 192.168.98.2 netmask 255.255.255.255
static (inside,outside) xxx.xxx.xxx.202 COMAS011B netmask 255.255.255.255
static (inside,outside) xxx.xxx.xxx.204 10.0.0.152 netmask 255.255.255.255
static (inside,outside) xxx.xxx.xxx.200 COIS0101 netmask 255.255.255.255
access-group outside_access_in in interface outside
!
router ospf 1
 network xxx.xxx.xxx.192 255.255.255.192 area 0
 log-adj-changes
!
route outside 10.20.28.0 255.255.252.0 xxx.xxx.xxx.193 1
route dmz 192.168.98.0 255.255.255.240 172.16.253.1 1
route dmz 192.168.99.5 255.255.255.255 172.16.253.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host COIS0101
 timeout 60
 key xxxxxx
aaa-server XauthVPN protocol radius
aaa-server XauthVPN (inside) host 192.168.100.2
 timeout 60
 key xxxxxxxx
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 dmz
snmp-server host dmz 192.168.100.9 community XXXXXX
no snmp-server location
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
snmp-server enable traps entity config-change fru-insert fru-remove
auth-prompt prompt Welcome to the company Internet
service resetoutside
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-none
crypto ipsec transform-set company esp-aes-256 esp-sha-hmac
crypto ipsec transform-set TUNNEL_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map users 11 set transform-set ESP-3DES-SHA
crypto dynamic-map users 31 match address outside_cryptomap_dyn_11
crypto dynamic-map users 31 set transform-set ESP-3DES-SHA
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map remote 20 match address outside_cryptomap_20
crypto map remote 20 set peer yyy.yyy.yyy.150
crypto map remote 20 set transform-set TUNNEL_ESP_3DES_MD5
crypto map remote 65534 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map remote 65535 ipsec-isakmp dynamic users
crypto map remote interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 11
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 60
ssh 200.9.49.66 255.255.255.255 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 30
ssh version 1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 192.168.100.4 source inside prefer
ntp server 192.168.100.2 source inside prefer
webvpn
group-policy 1 internal
group-policy 1 attributes
 dns-server value 192.168.100.4 192.168.100.2
 vpn-idle-timeout 30
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value 102
 default-domain value company.prv
group-policy mygroup internal
group-policy mygroup attributes
 vpn-idle-timeout 30
group-policy bvftun internal
group-policy cvpnclient internal
group-policy cvpnclient attributes
 dns-server value 192.168.100.2 192.168.100.4
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value cvpnclient_splitTunnelAcl
 default-domain value company.prv
group-policy TESTVPN internal
group-policy TESTVPN attributes
 dns-server value 192.168.100.2 192.168.100.6
 vpn-filter value TESTVPN_splitTunnelAcl
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value TESTVPN_splitTunnelAcl
 default-domain value company.prv
username TESTVPN password XXXXXXXXX encrypted privilege 0
username TESTVPN attributes
 vpn-group-policy TESTVPN
 service-type remote-access
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group RADIUS
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group mygroup type remote-access
tunnel-group mygroup general-attributes
 authentication-server-group RADIUS
 default-group-policy mygroup
tunnel-group 1 type remote-access
tunnel-group 1 general-attributes
 address-pool CiscoVPN
 authentication-server-group RADIUS
 authorization-server-group RADIUS
 default-group-policy 1
tunnel-group 1 ipsec-attributes
 pre-shared-key *
tunnel-group cvpnclient type remote-access
tunnel-group cvpnclient general-attributes
 address-pool CiscoVPN
 authentication-server-group RADIUS
 default-group-policy cvpnclient
tunnel-group cvpnclient ipsec-attributes
 pre-shared-key *
tunnel-group yyy.yyy.yyy.150 type ipsec-l2l
tunnel-group yyy.yyy.yyy.150 general-attributes
 default-group-policy bvftun
tunnel-group yyy.yyy.yyy.150 ipsec-attributes
 pre-shared-key *
tunnel-group TESTVPN type remote-access
tunnel-group TESTVPN general-attributes
 address-pool Restricted_VPN_IP_Pool
 default-group-policy TESTVPN
tunnel-group TESTVPN ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
smtp-server 10.0.0.203
prompt hostname context
Avatar of netcmh

ASKER

Any luck?
Avatar of smvrrajasekaran
smvrrajasekaran

Just remove the match address command on your dynamic crypto map entries and try. I don't think it's required. I believe seq no 31 on your dynamic crypto map is for your remote access VPN.

Kindly let me know.
Avatar of netcmh

ASKER

I need those matches:

crypto dynamic-map users 31 match address outside_cryptomap_dyn_11
crypto map remote 20 match address outside_cryptomap_20

No, 31 is for my other VPN users. The one I'm interested in is group-policy TESTVPN internal.
Avatar of netcmh

ASKER

Don't mean to rush you, but do you think we could solve this today? I've got a deadline that I'd very much like to meet. Thanks for your help so far.
In your full config there is no entry like

access-list dmz_nat0_outbound extended permit ip host 192.168.9.1 172.16.200.0 255.255.255.0

route dmz 192.168.9.1 255.255.255.255 172.16.2.2 1

I hope there is no access-list applied on your DMZ interface.
Avatar of netcmh

ASKER

I had edited the initial entries, but the pasted config is correct and I do have the corresponding lines:

access-list dmz_nat0_outbound extended permit ip host 192.168.99.5 172.16.200.0 255.255.255.0
route dmz 192.168.99.5 255.255.255.255 172.16.253.1 1

Also, the packet tracer is dying at an implicit deny rule on the DMZ int. See pics:
1.JPG
2.JPG
vpn-filter value TESTVPN_splitTunnelAcl

Just remove the above command and do a trace, just for testing.
Avatar of netcmh

ASKER

same trace, same result
Type the below commands and see:

access-list DMZ_access_out extended permit ip host 192.168.99.5 host 172.16.200.1

access-group DMZ_access_out in int DMZ

Also change your split ACL to:

no access-list TESTVPN_splitTunnelAcl standard permit host 192.168.99.5
access-list TESTVPN_splitTunnelAcl extended permit ip host 192.168.99.5 172.16.200.0 255.255.255.0

Also tell me whether 172.16.200.1 is reachable from your ASA.
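To see what an entry like the suggested `access-list DMZ_access_out extended permit ip host 192.168.99.5 host 172.16.200.1` actually covers before it is committed, the added example below models the ASA's ordered, first-match ACL evaluation with the implicit deny at the end. This is my own illustration, not code from the thread or from Cisco; it understands only the `host`, `any`, `network mask` and `eq port` forms that appear in this thread, and `POOL_WIDE` is my variant of the suggested line written for the whole Restricted_VPN_IP_Pool.

```python
"""Ordered, first-match evaluation of Cisco ASA style extended ACLs.

Added example; not code from this thread or from Cisco. It models how the ASA
walks an access list (first matching entry wins, implicit deny at the end) so
that an ACE can be checked against the whole VPN pool before it is committed.
Only the 'host A.B.C.D', 'any', 'A.B.C.D MASK' and 'eq PORT' forms used in this
thread are understood; object-groups and source ports are not.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Port keywords that appear in the thread's config, mapped to their numbers.
PORT_NAMES = {"telnet": 23, "smtp": 25, "domain": 53, "www": 80,
              "pop3": 110, "imap4": 143, "https": 443}


@dataclass(frozen=True)
class Ace:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip", "tcp", "udp", "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None     # None means any destination port


def _take_addr(tokens: List[str]) -> Tuple[ipaddress.IPv4Network, List[str]]:
    """Consume one address spec from the front of the token list."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # "network mask" pair; strict=False tolerates host bits in the network part
    return ipaddress.ip_network(tokens[0] + "/" + tokens[1], strict=False), tokens[2:]


def parse_ace(line: str) -> Ace:
    """Parse 'access-list NAME extended permit|deny PROTO SRC DST [eq PORT]'."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list" or t[2] != "extended":
        raise ValueError("unsupported ACE syntax: " + line)
    action, proto, rest = t[3], t[4], t[5:]
    src, rest = _take_addr(rest)
    dst, rest = _take_addr(rest)
    dport = None
    if rest[:1] == ["eq"]:
        dport = PORT_NAMES.get(rest[1])
        if dport is None:
            dport = int(rest[1])
    return Ace(action, proto, src, dst, dport)


def evaluate(acl: List[Ace], proto: str, src_ip: str, dst_ip: str,
             dport: Optional[int] = None) -> Tuple[str, Optional[Ace]]:
    """Return (action, matching ACE) for one flow; the first match wins."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, ace
    return "deny", None             # the implicit deny every ASA ACL ends with


def permitted_pool_addresses(acl: List[Ace], server: str, pool: str, dport: int) -> List[str]:
    """Pool addresses that 'server' may reach on 'dport' under this ACL."""
    return [str(h) for h in ipaddress.ip_network(pool).hosts()
            if evaluate(acl, "tcp", server, str(h), dport)[0] == "permit"]


# The ACE suggested above, exactly as typed in the thread (one pool address only).
SUGGESTED = [parse_ace(
    "access-list DMZ_access_out extended permit ip host 192.168.99.5 host 172.16.200.1")]
# My variant of it for the whole Restricted_VPN_IP_Pool (not from the thread).
POOL_WIDE = [parse_ace(
    "access-list DMZ_access_out extended permit ip host 192.168.99.5 172.16.200.0 255.255.255.0")]

if __name__ == "__main__":
    for name, acl in (("suggested", SUGGESTED), ("pool-wide", POOL_WIDE)):
        hits = permitted_pool_addresses(acl, "192.168.99.5", "172.16.200.0/24", 3389)
        print(f"{name}: {len(hits)} of 254 pool addresses reachable from 192.168.99.5")
```

The host-to-host entry permits only the first pool address, so a client that is handed 172.16.200.2 or anything later in the pool falls through to the implicit deny; writing the destination as 172.16.200.0 255.255.255.0 covers every address the pool can assign.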
Avatar of netcmh

ASKER

You mean:

access-list AMP_Tools_splitTunnelAcl extended permit ip host 192.168.99.5 172.16.200.0 255.255.255.0

?

172.16.200.1 is not pingable from the ASA. It's an IP the client gets once connected
3.JPG
Avatar of netcmh

ASKER

Still the same
Avatar of netcmh

ASKER

Anything else I can try? - that would help you decipher this?
access-list AMP_Tools_splitTunnelAcl, what is this?
Please share the actual configs, otherwise it will create too much confusion.

Is the client connected now or not?
How are you doing the packet trace without connecting the client?

Is 192.168.99.5 reachable from the ASA?
Avatar of netcmh

ASKER

OK, those are the actual configs now. Sorry about trying to sanitize my configs.

The client connects to the VPN alright, no issues, and gets an IP from the pool 172.16.200.X.

I'm doing the packet trace from the packet tracer on the ASA.

No the 99.5 is not reachable from the ASA, it's behind a couple of switches.

First we need to make 99.5 reachable.
Avatar of netcmh

ASKER

My bad, I meant not pingable. A different admin handles the switches. ICMP's blocked.
Can you do RDP to 99.5 from the DMZ LAN? I just want to make sure whether connectivity is there or not.
Avatar of netcmh

ASKER

no I can't
Because port 3389 is used for RDP.

OK, is there any other PC in the DMZ that we can test from the VPN (at least PING)?
If so, change the FW config accordingly.
Avatar of netcmh

ASKER

I'm coordinating with the other admin and we'll try to wireshark it.
Avatar of netcmh

ASKER

we're going to start in a couple of mins. But, while we're doing that - is there anything on the ASA config that might be preventing that communication? Just to make sure.
OK, let's make the connection up to 99.5.
Avatar of netcmh

ASKER

you're sure that there's nothing on the asa's side preventing this, right?
access-list outside_cryptomap_dyn_11 extended permit ip any 172.16.2.0 255.255.255.0
Avatar of netcmh

ASKER

I'm sorry, I don't understand. You're saying that that access-list is preventing the 172.16.200.0 network communicating with 192.168.99.5?
Sorry, by mistake I added the above line; please ignore that.

Then add the below command:
access-list outside_cryptomap_dyn_11 extended permit ip any 172.16.200.0 255.255.255.0

Try?
Just add the above command and see whether it's working or not.

Just enable the logging buffer on the firewall and give me the log output while transferring packets from the client to 99.5.
Avatar of netcmh

ASKER

the outside_cryptomap_dyn_11access-list is for another VPN group, accessing a server on the inside

I need one accessing the server on the dmz

It's OK, just add it and see whether it's working or not.

Anyway, 99.5 should be reachable from the DMZ network for things to work properly.
Did you solve that?
same-security-traffic permit intra-interface
Avatar of netcmh

ASKER

I'm sorry, I was away trying out the wireshark, Just popped back in and saw DanJ's comment

Could you elaborate? Is that the only command I need?
I don't think that command will help you; anyway, try.
Did you try my workaround?
The output of packet-tracer shows the input and output interface is the same (dmz).

input-interface: dmz
input-status: up
input-line-status: up
output-interface: dmz

By default the asa will not permit the traffic that enters one interface to exit the same interface. That command would allow you to do that.
Since your VPN clients are from outside, please select the interface as outside and then try the packet tracer.
Instead of doing packet tracer, try from the actual client machine.
Avatar of netcmh

ASKER

same-security-traffic permit intra-interface

is not an option due to security concerns.

if I select the outside interface, I get the "Reverse-path verify failed" error. From the actual machine vpning in, running wireshark gets me nothing
Avatar of netcmh

ASKER

As I understand it, when the vpn clients connect to my asa, my external interface takes care of setting up a session with them. It then assigns them an IP and drops them inside the asa. It's from there that they need to traverse past the dmz int and get to the other side of the int.

So, I think DanJ is correct in analyzing the packet trace. Anything else that I can do to get this to work.

Remember that the site-to-site tunnel is working
Then add the below command:
access-list outside_cryptomap_dyn_11 extended permit ip any 172.16.200.0 255.255.255.0

Did you try this?
Avatar of netcmh

ASKER

Tried it, nothing
Give me the show log output, after enabling the logging.

Is 99.5 reachable or still not from the DMZ network? Why can't you try some other PC that has PING reply enabled?
Avatar of netcmh

ASKER

because it's the switch which has ping disabled. all the devices are behind the switch
Avatar of netcmh

ASKER

PLEASE help!!!
Give me your show log output.
Avatar of netcmh

ASKER

I'm sure this isn't what you want

show log
Syslog logging: enabled
    Facility: 20
    Timestamp logging: enabled
    Standby logging: disabled
    Debug-trace logging: disabled
    Console logging: disabled
    Monitor logging: disabled
    Buffer logging: disabled
    Trap logging: level errors, facility 20, 775267971 messages logged
        Logging to inside LOGSERVER
        Logging to inside 192.168.100.10
    History logging: level warnings, 777334953 messages logged
    Device ID: disabled
    Mail logging: disabled
    ASDM logging: level informational, 1820437542 messages logged
Please respond quickly, as the time is running out.

First you have to enable the logging:

conf t
logging enable
logging buffered 7

I prefer that you try the connectivity test from the actual VPN client.
Avatar of netcmh

ASKER

ok, ran those commands and tried vpn-ing in, connected, then tried rdp-ing into 192.168.99.5
Then give me the log output.
Avatar of netcmh

ASKER

asafirewall# sh log
Syslog logging: enabled
    Facility: 20
    Timestamp logging: enabled
    Standby logging: disabled
    Debug-trace logging: disabled
    Console logging: disabled
    Monitor logging: disabled
    Buffer logging: level debugging, 11875 messages logged
    Trap logging: level errors, facility 20, 775268310 messages logged
        Logging to inside LOGSERVER
        Logging to inside 192.168.100.10
    History logging: level warnings, 777335350 messages logged
    Device ID: disabled
    Mail logging: disabled
    ASDM logging: level informational, 1820453768 messages logged
:00:00 bytes 413
Jul 20 2010 14:25:39: %ASA-7-609001: Built local-host outside:214.252.124.32
Jul 20 2010 14:25:39: %ASA-6-302013: Built outbound TCP connection 532601426 for outside:214.252.124.32/80 (214.252.124.32/80) to inside:LOGSERVER/45953 (214.136.89.200/45953)
Jul 20 2010 14:25:39: %ASA-6-302013: Built outbound TCP connection 532601427 for outside:65.54.51.28/443 (65.54.51.28/443) to inside:LOGSERVER/45954 (214.136.89.200/45954)
Jul 20 2010 14:25:39: %ASA-6-302016: Teardown UDP connection 532601425 for outside:4.2.2.2/53 to inside:COMPANYAP01-DNS/2787 duration 0:00:00 bytes 161
Jul 20 2010 14:25:39: %ASA-6-302013: Built outbound TCP connection 532601428 for outside:161.168.214.15/443 (161.168.214.15/443) to inside:LOGSERVER/45955 (214.136.89.200/45955)
Jul 20 2010 14:25:39: %ASA-6-302013: Built outbound TCP connection 532601429 for outside:161.168.214.15/443 (161.168.214.15/443) to inside:LOGSERVER/45957 (214.136.89.200/45957)
Jul 20 2010 14:25:39: %ASA-6-302013: Built outbound TCP connection 532601430 for outside:65.54.81.177/80 (65.54.81.177/80) to inside:LOGSERVER/45959 (214.136.89.200/45959)
Jul 20 2010 14:25:39: %ASA-6-302014: Teardown TCP connection 532601339 for outside:65.54.81.177/80 to inside:LOGSERVER/45432 duration 0:00:16 bytes 15836 TCP FINs
Jul 20 2010 14:25:39: %ASA-6-302014: Teardown TCP connection 532601340 for outside:65.54.81.177/80 to inside:LOGSERVER/45433 duration 0:00:16 bytes 7947 TCP FINs
J 20 2010 14:25:41: %ASA-7-609002: Teardown local-host outside:74.86.214.201 duration 0:00:09
Jul 20 2010 14:25:41: %ASA-7-711002: Task ran for 3 msec, Process = ssh, PC = 8b9ac8c, Traceback =
Jul 20 2010 14:25:41: %ASA-7-711002: Task ran for 3 msec, Process = ssh, PC = 8b9ac8c, Traceback =   0x08B9AC8C  0x08B9F32D  0x08B9F57F  0x08B9F653  0x08870CB4  0x08B16E19  0x08B1623B  0x08878A6F  0x08871C20  0x08948384  0x08948441  0x08871A97  0x08871B01  0x08879AC6
Jul 20 2010 14:25:41: %ASA-7-609001: Built local-host outside:69.147.112.160
Jul 20 2010 14:25:41: %ASA-6-302013: Built outbound TCP connection 532601438 for outside:69.147.112.160/80 (69.147.112.160/80) to inside:LOGSERVER/46019 (214.136.89.200/46019)
Jul 20 2010 14:25:41: %ASA-6-302016: Teardown UDP connection 532600374 for outside:207.171.179.1/53 to inside:COMPANYAP01-DNS/55095 duration 0:02:03 bytes 47
Jul 20 2010 14:25:41: %ASA-7-609002: Teardown local-host outside:207.171.179.1 duration 0:02:03
Jul 20 2010 14:25:41: %ASA-6-302013: Built outbound TCP connection 532601439 for outside:161.168.214.15/443 (161.168.214.15/443) to inside:LOGSERVER/46023 (214.136.89.200/46023)
Jul 20 2010 14:25:41: %ASA-6-302014: Teardown TCP connection 532601427 for outside:65.54.51.28/443 to inside:LOGSERVER/45954 duration 0:00:02 bytes 2744 TCP FINs
Jul 20 2010 14:25:41: %ASA-7-609002: Teardown local-host outside:65.54.51.28 duration 0:00:03
Jul 20 2010 14:25:41: %ASA-6-302014: Teardown TCP connection 532599985 for outside:214.27.70.120/80 to inside:LOGSERVER/40859 duration 0:02:41 bytes 12727 TCP Reset-O
Jul 20 2010 14:25:41: %ASA-7-609002: Teardown local-host outside:214.27.70.120 duration 0:02:41
Jul 20 2010 14:25:41: %ASA-6-302014: Teardown TCP connection 532601428 for outside:161.168.214.15/443 to inside:LOGSERVER/45955 duration 0:00:02 bytes 0 TCP FINs
Jul 20 2010 14:25:41: %ASA-6-302014: Teardown TCP connection 532601436 for outside:174.129.210.179/80 to inside:LOGSERVER/46011 duration 0:00:00 bytes 1021 TCP FINs
Jul 20 2010 14:25:41: %ASA-7-609002: Teardown local-host outside:174.129.210.179 duration 0:00:00
Jul 20 2010 14:25:41: %ASA-7-609001: Built local-host outside:208.65.145.76
Jul 20 2010 14:25:41: %ASA-6-302013: Built inbound TCP connection 532601440 for outside:208.65.145.76/59638 (208.65.145.76/59638) to inside:COMPANYAP01-SMTP/25 (214.136.89.197/25)
Jul 20 2010 14:25:41: %ASA-7-609001: Built local-host outside:66.96.140.21
Jul 20 2010 14:25:41: %ASA-6-302015: Built inbound UDP connection 532601441 for outside:66.96.140.21/8441 (66.96.140.21/8441) to inside:COMPANYAP01-DNS/53 (214.136.89.194/53)
asafirewall#  :25:41: %ASA-6-302016: Teardown UDP connection 532601441 fo
asafirewall# sh log
Syslog logging: enabled
    Facility: 20
    Timestamp logging: enabled
    Standby logging: disabled
    Debug-trace logging: disabled
    Console logging: disabled
    Monitor logging: disabled
    Buffer logging: level debugging, 12014 messages logged
    Trap logging: level errors, facility 20, 775268310 messages logged
        Logging to inside LOGSERVER
        Logging to inside 192.168.100.10
    History logging: level warnings, 777335351 messages logged
    Device ID: disabled
    Mail logging: disabled
    ASDM logging: level informational, 1820453844 messages logged
10 14:25:43: %ASA-6-302014: Teardown TCP connection 532601458 for outside:153.2.229.56/443 to inside:LOGSERVER/46076 duration 0:00:00 bytes 5225 TCP FINs
Jul 20 2010 14:25:43: %ASA-7-609002: Teardown local-host outside:153.2.229.56 duration 0:00:00
Jul 20 2010 14:25:43: %ASA-6-302013: Built outbound TCP connection 532601464 for outside:153.2.224.60/443 (153.2.224.60/443) to inside:LOGSERVER/46091 (214.136.89.200/46091)
Jul 20 2010 14:25:43: %ASA-6-302014: Teardown TCP connection 532601432 for outside:115.248.72.9/2848 to inside:COMPANYAP01-SMTP/25 duration 0:00:03 bytes 0 TCP FINs
Jul 20 2010 14:25:43: %ASA-7-609002: Teardown local-host outside:115.248.72.9 duration 0:00:03
Jul 20 2010 14:25:43: %ASA-6-302014: Teardown TCP connection 532601462 for outside:62.67.50.29/80 to inside:LOGSERVER/5990 duration 0:00:00 bytes 11188 TCP FINs
Jul 20 2010 14:25:43: %ASA-7-609002: Teardown local-host outside:62.67.50.29 duration 0:00:00
Jul 20 2010 14:25:43: %ASA-7-609001: Built local-host outside:82.228.240.131
Jul 20 2010 14:25:43: %ASA-6-302013: Built inbound TCP connection 532601465 for outside:82.228.240.131/12896 (82.228.240.131/12896) to inside:COMPANYAP01-SMTP/25 (214.136.89.197/25)
Jul 20 2010 14:25:44: %ASA-6-302014: Teardown TCP connection 532601465 for outside:82.228.240.131/12896 to inside:COMPANYAP01-SMTP/25 duration 0:00:00 bytes 0 TCP FINs
Jeardown TCP connection 532600616 for outside:207.114.197.86/80 to inside:LOGSERVER/14972 duration 0:01:38 bytes 870 TCP Reset-I
Jul 20 2010 14:25:45: %ASA-6-302014: Teardown TCP connection 532600598 for outside:65.55.18.18/80 to inside:LOGSERVER/15034 duration 0:01:40 bytes 1304 TCP Reset-I
Jul 20 2010 14:25:45: %ASA-6-302014: Teardown TCP connection 532600608 for outside:199.93.34.126/80 to inside:LOGSERVER/15030 duration 0:01:39 bytes 1006 TCP FINs
Jul 20 2010 14:25:45: %ASA-6-302014: Teardown TCP connection 532600697 for outside:72.14.204.149/80 to inside:LOGSERVER/15162 duration 0:01:33 bytes 671 TCP Reset-I
Jul 20 2010 14:25:45: %ASA-6-302014: Teardown TCP connection 532600564 for outside:65.55.17.26/80 to inside:LOGSERVER/15047 duration 0:01:43 bytes 39761 TCP Reset-I
Jul 20 2010 14:25:45: %ASA-6-302014: Teardown TCP connection 532601473 for outside:65.54.81.185/80 to inside:LOGSERVER/5996 duration 0:00:00 bytes 0 TCP Reset-I
Jul 20 2010 14:25:45: %ASA-6-302013: Built outbound TCP connection 532601469 for outside:66.235.133.14/80 (66.235.133.14/80) to inside:LOGSERVER/46134 (214.136.89.200/46134)
Jul 20 2010 14:25:45: %ASA-7-609001: Built local-host outside:207.114.197.85
Jul 20 2010 14:25:45: %ASA-6-302015: Built outbound UDP connection 532601470 for outside:207.114.197.85/53 (207.114.197.85/53) to inside:COMPANYAP01-DNS/57523 (214.136.89.194/57523)
Jul 20 2010 14:25:45: %ASA-7-609001: Built local-host outside:214.176.177.83
Jul 20 2010 14:25:45: %ASA-6-302015: Built outbound UDP connection 532601471 for outside:214.176.177.83/53 (214.176.177.83/53) to inside:COMPANYAP01-DNS/49185 (214.136.89.194/49185)
Jul 20 2010 14:25:45: %ASA-6-302016: Teardown UDP connection 532601470 for outside:207.114.197.85/53 to inside:COMPANYAP01-DNS/57523 duration 0:00:00 bytes 104
Jul 20 2010 14:25:45: %ASA-7-609002: Teardown local-host outside:207.114.197.85 duration 0:00:00
Jul 20 2010 14:25:45: %ASA-6-302016: Teardown UDP connection 532601471 for outside:214.176.177.83/53 to inside:COMPANYAP01-DNS/49185 duration 0:00:00 bytes 168
Jul 20 2010 14:25:45: %ASA-7-609002: Teardown local-host outside:214.176.177.83 duration 0:00:00
Jul 20 2010 14:25:45: %ASA-6-302014: Teardown TCP connection 532601466 for outside:178.223.144.240/2189 to inside:COMPANYAP01-SMTP/25 duration 0:00:01 bytes 0 TCP FINs
Jul 20 2010 14:25:45: %ASA-7-609002: Teardown local-host outside:178.223.144.240 duration 0:00:01
Jul 20 2010 14:25:45: %ASA-6-302013: Built outbound TCP connection 532601472 for outside:65.54.81.185/80 (65.54.81.185/80) to inside:LOGSERVER/5981 (214.136.89.200/5981)
Jul 20 2010 14:25:45: %ASA-6-302013: Built outbound TCP connection 532601473 for outside:65.54.81.185/80 (65.54.81.185/80) to inside:LOGSERVER/5996 (214.136.89.200/5996)
Avatar of netcmh

ASKER

You do realise
Avatar of netcmh

ASKER

Sorry, you do realize that I'm on my company's firewall, and that I have hundreds of connections at the same time, would you much rather I filter my real time logs for you?
That's good, in ASDM you just filter it and run the test again.
Avatar of netcmh

ASKER

OK, so the client gets an IP from the pool, but no traffic when I try to RDP into 192.168.99.5

see pics
4.JPG
5.JPG
Avatar of netcmh

ASKER

I'm baffled
Give me the tracert to 99.5 from the client PC

and the VPN client --> Statistics --> Route.
Give me the show crypto ipsec sa output for the VPN client from the firewall as well.
Avatar of netcmh

ASKER

tracert results

1. * * * request timed out
2. * * * request timed out
3. * * * request timed out
4. * * * request timed out

Route details:

Local Lan routes: Empty

Secured routes:

0.0.0.0 0.0.0.0
Avatar of netcmh

ASKER

asafirewall# sh crypto ipsec sa
interface: outside
    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: XXX.XXX.XXX.XXX

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (172.16.200.1/255.255.255.255/0/0)
      current_peer: 69.211.136.71, username: user1
      dynamic allocated peer ip: 172.16.200.1

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: XXX.XXX.XXX.XXX/4500, remote crypto endpt.: 69.211.136.71/52465
      path mtu 1500, ipsec overhead 82, media mtu 1500
      current outbound spi: 8FFE12AF

    inbound esp sas:
      spi: 0x282E3932 (674117938)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 585728, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
         sa timing: remaining key lifetime (sec): 27985
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0x8FFE12AF (2415792815)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 585728, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
         sa timing: remaining key lifetime (sec): 27984
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
Is the config pasted the running one or a manipulated one, apart from the password and public IP?

If not, provide me the running config of your FW.
Avatar of netcmh

ASKER

pasted config is running config

Is there a problem with the VPN client? Routes and all
What I can see is there are no packets going through the tunnel. If there is any firewall client running on the VPN client, just disable it, then reconnect the VPN client and do a trace route.
If it's a Windows PC, you should disable Windows Firewall too.
Avatar of netcmh

ASKER

No antivirus, no firewall on that test laptop
Avatar of netcmh

ASKER

Windows Firewall also turned off
Is it a Windows PC? Then disable the Windows built-in firewall.

Also give me the tunnel details from the client during the test.
Did you add the below command?
access-list outside_cryptomap_dyn_11 extended permit ip any 172.16.200.0 255.255.255.0

Kindly give me your current running config.
Avatar of netcmh

ASKER

Tunnel details

client: 172.16.200.1
server: XXX.XXX.XXX.XXX

bytes sent /received: 0
packets encrypted, decrypted, bypassed: 0
packets discarded: 220

connection info:
entry: companyvpn
time: 5mins

crypto:
encryption: 128bit AES
authentication: HMAC-SHA1

transport:
transparent tunnelling: active on udp port 4500
local lan: disabled
compression: none
Avatar of netcmh

ASKER

It's the same as above with that access-list you've listed
Now the problem is that none of the packets are going through the tunnel.

Just add the below commands on the firewall and see:
access-list outside_cryptomap_dyn_11 extended permit ip any 172.16.200.0 255.255.255.0

access-list outside_cryptomap_dyn_11 extended permit ip  172.16.200.0 255.255.255.0 any


Avatar of netcmh

ASKER

ASA Version 8.2(1)
!
hostname asafirewall
domain-name company.prv
names
name 172.16.1.0 VPNUsers
name 10.0.0.197 CO01-SMTP
name 10.0.0.194 CO01-DNS
name 10.0.0.203 COM01
name 10.0.0.202 COMAS01B
name 161.168.228.14 CLMAS012c
name 161.168.228.13 CLMAS012a
name 161.165.202.14 CLMAS012d
name 161.165.202.13 CLMAS012b
name 10.0.0.253 COIS0101
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address xxx.xxx.xxx.xxx
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.254 255.255.255.0 standby 10.0.0.252
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 172.16.253.2 255.255.255.248 standby 172.16.253.3
!
interface Ethernet0/3
 description LAN/STATE Failover Interface
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
clock timezone EST -5
dns server-group DefaultDNS
 domain-name company.prv
object-group service COMAS2 tcp
 port-object range 4080 4080
 port-object range 5080 5080
object-group service ExchangeAccess tcp
 port-object eq www
 port-object eq pop3
 port-object eq https
 port-object eq imap4
object-group service Phones udp
 port-object range 16400 16999
 port-object eq 2427
object-group network CLMAS012
 description Wal-Mart COMAS2 traffic incoming
 network-object CLMAS012b 255.255.255.255
 network-object CLMAS012d 255.255.255.255
 network-object CLMAS012a 255.255.255.255
 network-object CLMAS012c 255.255.255.255
object-group icmp-type icmp-allowed
 icmp-object echo-reply
 icmp-object time-exceeded
 icmp-object unreachable
access-list outside_access_in extended permit tcp any host xxx.xxx.xxx.194 eq domain
access-list outside_access_in extended permit udp any host xxx.xxx.xxx.194 eq domain
access-list outside_access_in extended permit tcp any host xxx.xxx.xxx.197 eq smtp
access-list outside_access_in extended permit tcp any host xxx.xxx.xxx.195 object-group ExchangeAccess
access-list outside_access_in extended permit gre any any
access-list outside_access_in extended permit tcp any host xxx.xxx.xxx.200 eq pptp
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit tcp object-group CLMAS012 host xxx.xxx.xxx.202 object-group COMAS2 log
access-list outside_access_in extended permit tcp any host xxx.xxx.xxx.202 object-group COMAS2
access-list outside_access_in extended permit udp any host xxx.xxx.xxx.204 object-group Phones
access-list outside_access_in remark For IP phones
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 VPNUsers 255.255.255.0
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 172.16.2.0 255.255.255.0
access-list 102 standard permit 192.168.96.0 255.255.224.0
access-list 102 standard permit 10.0.0.0 255.255.255.0
access-list cvpnclient_splitTunnelAcl standard permit 192.168.0.0 255.255.0.0
access-list cvpnclient_splitTunnelAcl standard permit 10.0.0.0 255.255.255.0
access-list outside_cryptomap_dyn_31 extended permit ip any 172.16.2.0 255.255.255.0
access-list outside_cryptomap_dyn_11 extended permit ip any 172.16.2.0 255.255.255.0
access-list outside_cryptomap_dyn_11 extended permit ip any 172.16.200.0 255.255.255.0
access-list user1_splitTunnelAcl standard permit 10.0.0.0 255.255.255.0
access-list user1_splitTunnelAcl standard permit 192.168.0.0 255.255.0.0
access-list outside_cryptomap_20 extended permit ip 192.168.98.0 255.255.255.240 10.20.28.0 255.255.252.0
access-list dmz_nat0_outbound extended permit ip 192.168.98.0 255.255.255.240 10.20.28.0 255.255.252.0
access-list dmz_nat0_outbound extended permit ip host 192.168.99.5 172.16.200.0 255.255.255.0
access-list dmz_nat0_outbound extended permit ip 172.16.200.0 255.255.255.0 host 192.168.99.5
access-list DMZ_access_out extended permit tcp 10.20.28.0 255.255.252.0 host 192.168.98.1 eq telnet
access-list DMZ_access_out extended permit icmp 10.20.28.0 255.255.252.0 192.168.98.0 255.255.255.240
access-list DMZ_access_out extended permit ip 172.16.200.0 255.255.255.0 host 192.168.99.5
access-list DMZ_access_out extended deny ip 10.20.28.0 255.255.252.0 any
access-list TAC extended permit ip host 1.1.1.1 host 2.2.2.2
access-list AMP_Tools_splitTunnelAcl extended permit ip host 192.168.99.5 172.16.200.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging asdm-buffer-size 512
logging buffered debugging
logging trap errors
logging history warnings
logging asdm informational
logging host inside COIS0101
logging host inside 192.168.100.9
logging permit-hostdown
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip local pool CiscoVPN 172.16.2.1-172.16.2.254 mask 255.255.255.0
ip local pool Restricted_VPN_IP_Pool 172.16.200.1-172.16.200.254 mask 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
failover
failover lan unit primary
failover lan interface folink Ethernet0/3
failover link folink Ethernet0/3
failover interface ip folink 192.168.253.1 255.255.255.252 standby 192.168.253.2
no monitor-interface dmz
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo inside
icmp permit any echo-reply inside
icmp permit any echo dmz
icmp permit any echo-reply dmz
asdm image disk0:/asdm-625-53.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 10.0.0.0 255.255.255.0
nat (dmz) 0 access-list dmz_nat0_outbound
static (inside,outside) xxx.xxx.xxx.195 COM01 netmask 255.255.255.255 dns
static (inside,outside) xxx.xxx.xxx.194 CO01-DNS netmask 255.255.255.255 dns
static (inside,outside) xxx.xxx.xxx.197 CO01-SMTP netmask 255.255.255.255 dns
static (inside,outside) 192.168.98.2 192.168.98.2 netmask 255.255.255.255
static (inside,outside) xxx.xxx.xxx.202 COMAS01B netmask 255.255.255.255
static (inside,outside) xxx.xxx.xxx.204 10.0.0.152 netmask 255.255.255.255
static (inside,outside) xxx.xxx.xxx.200 COIS0101 netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group DMZ_access_out in interface dmz
!
router ospf 1
 network xxx.xxx.xxx.192 255.255.255.192 area 0
 log-adj-changes
!
route outside 10.20.28.0 255.255.252.0 xxx.xxx.xxx.193 1
route dmz 192.168.98.0 255.255.255.240 172.16.253.1 1
route dmz 192.168.99.5 255.255.255.255 172.16.253.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host COIS0101
 timeout 60
 key xxxxxx
aaa-server XauthVPN protocol radius
aaa-server XauthVPN (inside) host 192.168.100.2
 timeout 60
 key xxxxx
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 dmz
snmp-server host dmz 192.168.100.9 community XXXXXX
no snmp-server location
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
snmp-server enable traps entity config-change fru-insert fru-remove
auth-prompt prompt Welcome to the T. company Internet
service resetoutside
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-none
crypto ipsec transform-set company esp-aes-256 esp-sha-hmac
crypto ipsec transform-set TUNNEL_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map users 11 set transform-set ESP-3DES-SHA
crypto dynamic-map users 31 match address outside_cryptomap_dyn_11
crypto dynamic-map users 31 set transform-set ESP-3DES-SHA
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map remote 20 match address outside_cryptomap_20
crypto map remote 20 set peer YYY.YYY.YYY.YYY
crypto map remote 20 set transform-set TUNNEL_ESP_3DES_MD5
crypto map remote 65534 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map remote 65535 ipsec-isakmp dynamic users
crypto map remote interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 11
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 60
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 30
ssh version 1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 192.168.100.4 source inside prefer
ntp server 192.168.100.2 source inside prefer
webvpn
group-policy 1 internal
group-policy 1 attributes
 dns-server value 192.168.100.4 192.168.100.2
 vpn-idle-timeout 30
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value 102
 default-domain value company.prv
group-policy mygroup internal
group-policy mygroup attributes
 vpn-idle-timeout 30
group-policy bvftun internal
group-policy cvpnclient internal
group-policy cvpnclient attributes
 dns-server value 192.168.100.2 192.168.100.4
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value cvpnclient_splitTunnelAcl
 default-domain value company.prv
group-policy AMP_Tools internal
group-policy AMP_Tools attributes
 dns-server value 192.168.100.2 192.168.100.6
 vpn-filter value AMP_Tools_splitTunnelAcl
 vpn-tunnel-protocol IPSec
 default-domain value company.prv
username amp_tools password xxxxxxxx encrypted privilege 0
username amp_tools attributes
 vpn-group-policy AMP_Tools
 service-type remote-access
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group RADIUS
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group mygroup type remote-access
tunnel-group mygroup general-attributes
 authentication-server-group RADIUS
 default-group-policy mygroup
tunnel-group 1 type remote-access
tunnel-group 1 general-attributes
 address-pool CiscoVPN
 authentication-server-group RADIUS
 authorization-server-group RADIUS
 default-group-policy 1
tunnel-group 1 ipsec-attributes
 pre-shared-key *
tunnel-group cvpnclient type remote-access
tunnel-group cvpnclient general-attributes
 address-pool CiscoVPN
 authentication-server-group RADIUS
 default-group-policy cvpnclient
tunnel-group cvpnclient ipsec-attributes
 pre-shared-key *
tunnel-group YYY.YYY.YYY.YYY type ipsec-l2l
tunnel-group YYY.YYY.YYY.YYY general-attributes
 default-group-policy bvftun
tunnel-group YYY.YYY.YYY.YYY ipsec-attributes
 pre-shared-key *
tunnel-group AMP_Tools type remote-access
tunnel-group AMP_Tools general-attributes
 address-pool Restricted_VPN_IP_Pool
 default-group-policy AMP_Tools
tunnel-group AMP_Tools ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
smtp-server 10.0.0.203
prompt hostname context
Cryptochecksum:26bc203f0217569b8d197af4e9f8ff95
: end
Avatar of netcmh

ASKER

put those lines in, still nothing
Avatar of netcmh

ASKER

no success in tracert or rdp
for testing add the below command

no crypto dynamic-map users 31 match address outside_cryptomap_dyn_11

If even after adding this the tunnel details show 0, then try to connect the VPN client from some other PC.
Avatar of netcmh

ASKER

DanJ:

I reverted all my configs to original and followed your advice and have tested with the packet tracer. Here's the output:

asafirewall# packet-tracer input dmz tcp 172.16.200.1 1125 192.168.99.5 3389 detail

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xd8476560, priority=12, domain=capture, deny=false
        hits=13327, user_data=0xd8476a90, cs_id=0x0, l3_type=0x0
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0000.0000.0000

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xd7b0a238, priority=1, domain=permit, deny=false
        hits=11780, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0000.0000.0000

Phase: 3
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 4
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.99.5    255.255.255.255 dmz

Phase: 5
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group DMZ_access_out in interface dmz
access-list DMZ_access_out extended permit ip 172.16.200.0 255.255.255.0 host 192.168.99.5
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xd83760e8, priority=12, domain=permit, deny=false
        hits=3, user_data=0xd6873400, cs_id=0x0, flags=0x0, protocol=0
        src ip=172.16.200.0, mask=255.255.255.0, port=0
        dst ip=192.168.99.5, mask=255.255.255.255, port=0, dscp=0x0

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xd7b0c838, priority=0, domain=permit-ip-option, deny=true
        hits=1914, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 7
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xd7a350d0, priority=20, domain=lu, deny=false
        hits=59, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 8
Type: NAT-EXEMPT
Subtype: rpf-check
Result: ALLOW
Config:
nat-control
  match ip dmz host 192.168.99.5 dmz 172.16.200.0 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 4
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xd7d59c00, priority=6, domain=nat-exempt-reverse, deny=false
        hits=3, user_data=0xd78dcab8, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip=172.16.200.0, mask=255.255.255.0, port=0
        dst ip=192.168.99.5, mask=255.255.255.255, port=0, dscp=0x0

Phase: 9
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (dmz) 0 0.0.0.0 0.0.0.0
nat-control
  match ip dmz any outside any
    no translation group, implicit deny
    policy_hits = 0
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xd78afc20, priority=0, domain=host, deny=false
        hits=3568, user_data=0xd78af808, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0xd7b0c838, priority=0, domain=permit-ip-option, deny=true
        hits=1915, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 11
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (dmz) 0 0.0.0.0 0.0.0.0
nat-control
  match ip dmz any outside any
    no translation group, implicit deny
    policy_hits = 0
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0xd78afc20, priority=0, domain=host, deny=false
        hits=3569, user_data=0xd78af808, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 532818227, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: dmz
input-status: up
input-line-status: up
output-interface: dmz
output-status: up
output-line-status: up
Action: allow

I get through all the way. But, when my clients connect, they can't get to the server. What gives?
Avatar of netcmh

ASKER

Is my test wrong? I believe that the interface should be outside. Am I right?
Did you try from another PC/laptop? Yesterday what we found is packets are not going through the tunnel.
Avatar of netcmh

ASKER

I've tried with other laptops. When I put that command in, packets are going through
You mean the below command?

no crypto dynamic-map users 31 match address outside_cryptomap_dyn_11
Avatar of netcmh

ASKER

No, I meant DanJ's command "same-security-traffic permit intra-interface"
I don't know how it matters, because you don't have any same-security interface.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address xxx.xxx.xxx.xxx
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.254 255.255.255.0 standby 10.0.0.252
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 172.16.253.2 255.255.255.248 standby 172.16.253.3



Anyway, get the real-time logs from ASDM + show crypto ipsec sa.
Any update?
Avatar of netcmh

ASKER

anoopkmr: are you there?

I want to upload my raw config to a site and want you to download it and view it. I'll erase it from that site once we're done.

Let me know when. I really need your help in this matter. Thanks
Yes, you can do it.

But how will you communicate that link to me?
Avatar of netcmh

ASKER

http://jump.fm/VLJOD

please let me know when you've downloaded it and I'll erase it from that server. Thanks
OK I did
Avatar of netcmh

ASKER

ok, file deleted. Anything else you need, we'll have to do it this way. Sorry.
This is your current running config, isn't it?

Also I just want to recollect your issue. If I am not mistaken, your issue is that VPN client users cannot communicate to the DMZ LAN? Isn't it?
Avatar of netcmh

ASKER

Yes, it's my current config - exactly.

Yes, the vpn users can get connected to the asa, and are assigned an IP. But, they can't rdp into a server on the DMZ. We want to restrict them to JUST that server.
Your VPN pool: 172.16.200.1-172.16.200.254 mask 255.255.255.0

VPN client wants to communicate to: 192.168.98.0 255.255.255.240

Please clarify for me.
Avatar of netcmh

ASKER

VPN client wants to communicate to: 192.168.99.5

only

You are using the below tunnel group for getting connected, isn't it?

tunnel-group amp_tools type remote-access
tunnel-group amp_tools general-attributes
 address-pool Restricted_VPN_Pool
 default-group-policy amp_tools
tunnel-group amp_tools ipsec-attributes
 pre-shared-key *
Avatar of netcmh

ASKER

Yes

First of all we need to check: can 192.168.99.5 reach the firewall DMZ IP (172.16.253.2)?

Can you confirm that for me?
Avatar of netcmh

ASKER

http://jump.fm/QHLBT

various test results
If 99.5 can reach the firewall, then just copy and paste the below commands,

then try the reachability and let me know.

no access-list dmz_nat0_outbound extended permit ip host 192.168.99.5 RestrictedVPNUsers 255.255.255.0

access-list dmz_nat0_outbound extended permit ip host 192.168.99.5 172.16.200.0 255.255.255.0

access-list DMZ_access_out extended permit ip host 192.168.99.5 172.16.200.0 255.255.255.0

no access-list amp_tools_split extended permit ip host 192.168.99.5 RestrictedVPNUsers 255.255.255.0

access-list amp_tools_split extended permit ip host 192.168.99.5 172.16.200.0 255.255.255.0

no access-list outside_cryptomap_dyn_11 extended permit ip any RestrictedVPNUsers 255.255.255.0
no access-list outside_cryptomap_dyn_11 extended permit ip RestrictedVPNUsers 255.255.255.0 any

access-list outside_cryptomap_dyn_11 extended permit ip any 172.16.200.0 255.255.255.0
access-list outside_cryptomap_dyn_11 extended permit ip 172.16.200.0 255.255.255.0 any
From the test output I can see there is a connectivity problem in your LAN itself.

Is that DMZ switch a Layer 3?
Just check that the correct interface is connected to the firewall.
Can you tell me what the below parameters mean?
 
untagged A4
   
   tagged Trk1

Avatar of netcmh

ASKER

sorry about this: http://jump.fm/QPCMF
Avatar of netcmh

ASKER

you see my issues? plus the other engineer isn't here today. But I can get on the devices and make whatever changes that are necessary.
I don't know anything about ProCurve.

First try my commands listed above and see; send me the tunnel statistics from the client and show crypto ipsec sa from the FW.



Avatar of netcmh

ASKER

configured with commands

trying to rdp on client

Tunnel details

client: 172.16.200.1
server: XXX.XXX.XXX.XXX

bytes sent : 144
bytes received: 0
packets encrypted: 3
packets decrypted:0
packets bypassed: 2
packets discarded: 327

connection info:
entry: companyvpn
time: 2mins

crypto:
encryption: 128bit AES
authentication: HMAC-SHA1

transport:
transparent tunnelling: active on udp port 4500
local lan: disabled
compression: none


tracert results

1. * * * request timed out
2. * * * request timed out
3. * * * request timed out
4. * * * request timed out

Route details:

Local Lan routes: Empty

Secured routes:

192.168.99.5 255.255.255.255


asafirewall# sh crypto ipsec sa
interface: outside
    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: XXX.XXX.XXX.XXX

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (172.16.200.1/255.255.255.255/0/0)
      current_peer: 69.211.139.78, username: amp_tools
      dynamic allocated peer ip: 172.16.200.1

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 7, #pkts decrypt: 7, #pkts verify: 7
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: XXX.XXX.XXX.XXX/4500, remote crypto endpt.: 69.211.139.78/2284
      path mtu 1500, ipsec overhead 82, media mtu 1500
      current outbound spi: F79A0271

    inbound esp sas:
      spi: 0x6DF5E7F3 (1844832243)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 712704, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
         sa timing: remaining key lifetime (sec): 28529
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x000000FF
    outbound esp sas:
      spi: 0xF79A0271 (4154065521)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 712704, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
         sa timing: remaining key lifetime (sec): 28528
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
See, now the packets are coming to the firewall, but the server 99.5 is not replying back / reply packets from 99.5 are not reaching the firewall.
As a workaround, remove the access-list from vlan 4 (I don't know the command) and see whether the server can reach the firewall.


interface A4
   ip access-group "IPsecVpn" in
Hello, waiting for your feedback.

If you need further assistance please let me know.

netcmh (ASKER):
I'm stuck with that last request of yours. I don't know how to remove that ACL. I've obviously tried the no form of the command, no luck.

Wait, don't go anywhere,
let me see.

netcmh (ASKER):
Done, removed that access-list from the switch. Tried with the client, still can't get to the server.

What is interface A4?

Is it interface vlan 4?
Clarify me.
Check the reachability from the firewall to the server, or from the server to the firewall IP.

netcmh (ASKER):
I've done it, it was interface a4, removed the ACL from that port.

Still can't get to the server.

netcmh (ASKER):
Now from the ASA I can ping that server.

netcmh (ASKER):
And vice versa.

ping from ASA to server: ok
ping from server to ASA: ok

Now just get the real-time logs from ASDM,
as you did yesterday.

netcmh (ASKER):
Pinging from the client to 192.168.99.5:

request timed out
request timed out
request timed out
request timed out

Result on ASDM:

6|Jul 22 2010|14:24:50|302021|172.16.200.1|1024|192.168.99.5|0|Teardown ICMP connection for faddr 172.16.200.1/1024 gaddr 192.168.99.5/0 laddr 192.168.99.5/0 (amp_tools)
6|Jul 22 2010|14:24:48|302020|172.16.200.1|1024|192.168.99.5|0|Built inbound ICMP connection for faddr 172.16.200.1/1024 gaddr 192.168.99.5/0 laddr 192.168.99.5/0 (amp_tools)
6|Jul 22 2010|14:24:45|302021|172.16.200.1|1024|192.168.99.5|0|Teardown ICMP connection for faddr 172.16.200.1/1024 gaddr 192.168.99.5/0 laddr 192.168.99.5/0 (amp_tools)
6|Jul 22 2010|14:24:43|302020|172.16.200.1|1024|192.168.99.5|0|Built inbound ICMP connection for faddr 172.16.200.1/1024 gaddr 192.168.99.5/0 laddr 192.168.99.5/0 (amp_tools)
6|Jul 22 2010|14:24:39|302021|172.16.200.1|1024|192.168.99.5|0|Teardown ICMP connection for faddr 172.16.200.1/1024 gaddr 192.168.99.5/0 laddr 192.168.99.5/0 (amp_tools)
6|Jul 22 2010|14:24:37|302020|172.16.200.1|1024|192.168.99.5|0|Built inbound ICMP connection for faddr 172.16.200.1/1024 gaddr 192.168.99.5/0 laddr 192.168.99.5/0 (amp_tools)
6|Jul 22 2010|14:24:34|302021|172.16.200.1|1024|192.168.99.5|0|Teardown ICMP connection for faddr 172.16.200.1/1024 gaddr 192.168.99.5/0 laddr 192.168.99.5/0 (amp_tools)
6|Jul 22 2010|14:24:32|302020|172.16.200.1|1024|192.168.99.5|0|Built inbound ICMP connection for faddr 172.16.200.1/1024 gaddr 192.168.99.5/0 laddr 192.168.99.5/0 (amp_tools)

Trying to RDP from the client.

Result on ASDM:

6|Jul 22 2010|14:26:35|302014|172.16.200.1|2369|192.168.99.5|3389|Teardown TCP connection 533606188 for outside:172.16.200.1/2369 to dmz:192.168.99.5/3389 duration 0:00:30 bytes 0 SYN Timeout (amp_tools)
6|Jul 22 2010|14:26:05|302013|172.16.200.1|2369|192.168.99.5|3389|Built inbound TCP connection 533606188 for outside:172.16.200.1/2369 (172.16.200.1/2369) to dmz:192.168.99.5/3389 (192.168.99.5/3389) (amp_tools)
Now, what is the gateway configured on that server?

netcmh (ASKER):
That server's at a remote location, so the gateway is its MPLS router's IP address.

netcmh (ASKER):
That hasn't changed; the only thing changed so far is the removal of that IP access-list on that switch.

OK.
In that MPLS router you have to add a route for 172.16.200.0 255.255.255.0.

Otherwise we have to do NATting on the firewall; let me know which one you prefer.

netcmh (ASKER):
NATting on the firewall would be the accepted way, thanks.

OK, just wait, I will send you the commands.
How many VPN client users will connect to this server?

netcmh (ASKER):
At a given time, only one or two.

Try the below commands and then initiate traffic from the client:

access-list vpn-nat extended permit ip 172.16.200.0 255.255.255.0 host 192.168.99.5
nat (outside) 8 access-list vpn-nat
global (dmz) 8 interface


netcmh (ASKER):
Won't those commands disrupt my current ASA traffic?

netcmh (ASKER):
Gave me a warning:

asafirewall(config)# nat (outside) 8 access-list vpn-nat
WARNING: Binding inside nat statement to outermost interface.
WARNING: Keyword "outside" is probably missing.


asafirewall(config)# global (dmz) 8 interface
INFO: dmz interface address added to PAT pool


Done, now?

netcmh (ASKER):
Still can't ping the server from the client, or RDP into it.

netcmh (ASKER):
Different error when pinging and RDP-ing:

6|Jul 22 2010|15:32:17|109025|172.16.200.1|2533|192.168.99.5|3389|Authorization denied (acl=amp_tools_split) for user 'amp_tools' from 172.16.200.1/2533 to 192.168.99.5/3389 on interface outside using TCP
6|Jul 22 2010|15:32:11|109025|172.16.200.1|2533|192.168.99.5|3389|Authorization denied (acl=amp_tools_split) for user 'amp_tools' from 172.16.200.1/2533 to 192.168.99.5/3389 on interface outside using TCP
6|Jul 22 2010|15:32:08|109025|172.16.200.1|2533|192.168.99.5|3389|Authorization denied (acl=amp_tools_split) for user 'amp_tools' from 172.16.200.1/2533 to 192.168.99.5/3389 on interface outside using TCP
6|Jul 22 2010|15:31:45|109025|172.16.200.1|1024|192.168.99.5|0|Authorization denied (acl=amp_tools_split) for user 'amp_tools' from 172.16.200.1/1024 to 192.168.99.5/0 on interface outside using ICMP
6|Jul 22 2010|15:31:39|109025|172.16.200.1|1024|192.168.99.5|0|Authorization denied (acl=amp_tools_split) for user 'amp_tools' from 172.16.200.1/1024 to 192.168.99.5/0 on interface outside using ICMP
6|Jul 22 2010|15:31:34|109025|172.16.200.1|1024|192.168.99.5|0|Authorization denied (acl=amp_tools_split) for user 'amp_tools' from 172.16.200.1/1024 to 192.168.99.5/0 on interface outside using ICMP
6|Jul 22 2010|15:31:28|109025|172.16.200.1|1024|192.168.99.5|0|Authorization denied (acl=amp_tools_split) for user 'amp_tools' from 172.16.200.1/1024 to 192.168.99.5/0 on interface outside using ICMP

Just delete those commands; we will add one-to-one NATting.

no access-list vpn-nat extended permit ip 172.16.200.0 255.255.255.0 host 192.168.99.5
no nat (outside) 8 access-list vpn-nat
no global (dmz) 8 interface

static (outside,dmz) 172.16.253.x 172.16.200.1 netmask 255.255.255.255

Here 172.16.253.x will be any free IP from your DMZ network.
172.16.200.1: I hope this is the client IP assigned; if not, change accordingly.

Expecting a quick reply, because here the time is 11PM.
Hold on, let me check that error.

netcmh (ASKER):
Too late, already removed.
OK, try with static NAT and let me know.

netcmh (ASKER):
I don't have any spare IPs in that segment.

If you notice it's the 172.16.200.0 network with the subnet mask 255.255.255.248

Network 172.16.253.0
Hosts from 172.16.253.1 to 172.16.253.2
Broadcast Address 172.16.253.3

netcmh (ASKER):
Sorry: if you notice it's the 172.16.253.0 network with the subnet mask 255.255.255.248.
No, you are wrong.

With a 255.255.255.248 mask you will have 6 free IPs:
172.16.253.1
172.16.253.2
172.16.253.3
172.16.253.4
172.16.253.5
172.16.253.6

netcmh (ASKER):
Yes, you're right.

I'm using 1, 2, and 3,

so your command would be

static (outside,dmz) 172.16.253.4 172.16.200.1 netmask 255.255.255.255

But that 172.16.200.1 comes from a pool, and it'll change, remember?

netcmh (ASKER):
This shouldn't be so complicated. I wonder if we're on the wrong path?
No, we are on the right path; that command is only for testing, otherwise you have to add the proper routing on the MPLS router.
Kindly add those commands and let me know; if it's working then we will see with policy NAT.

netcmh (ASKER):
OK, the command

static (outside,dmz) 172.16.253.4 172.16.200.1 netmask 255.255.255.255

is in place.

Are you sure it's not supposed to be

static (dmz,outside) 172.16.253.4 172.16.200.1 netmask 255.255.255.255

netcmh (ASKER):
Tried with the client, still nothing.
Give me the log.
172.16.253.4 is the free IP, isn't it?

I need the show conn output also.

netcmh (ASKER):
Yes, that IP is free.

6|Jul 22 2010|16:10:34|109025|172.16.200.1|2557|192.168.99.5|3389|Authorization denied (acl=amp_tools_split) for user 'amp_tools' from 172.16.200.1/2557 to 192.168.99.5/3389 on interface outside using TCP
6|Jul 22 2010|16:10:28|109025|172.16.200.1|2557|192.168.99.5|3389|Authorization denied (acl=amp_tools_split) for user 'amp_tools' from 172.16.200.1/2557 to 192.168.99.5/3389 on interface outside using TCP
6|Jul 22 2010|16:10:25|109025|172.16.200.1|2557|192.168.99.5|3389|Authorization denied (acl=amp_tools_split) for user 'amp_tools' from 172.16.200.1/2557 to 192.168.99.5/3389 on interface outside using TCP

sh conn is huge; can I filter it for a specific section?
Now what I can see is our split tunnel rule is denying the traffic, so can you add the below line:

access-list amp_tools_split extended permit ip host 172.16.253.4 172.16.200.0 255.255.255.0

netcmh (ASKER):
Same error.
Just remove the split tunnel rule and see:

no access-list amp_tools_split extended permit ip host 172.16.253.4 172.16.200.0 255.255.255.0
no access-list amp_tools_split extended permit ip host 192.168.99.5 172.16.200.0 255.255.255.0
If you trust me, then give me SSH access to your firewall.

netcmh (ASKER):
I trust you my friend, but there's no need now. IT WORKED!!!!

netcmh (ASKER):
Now how do we make it dynamic?
Oh, great!
Did you remove those "amp_tools_split" access-lists?

netcmh (ASKER):
That's when it started working.
OK.
Now you want dynamic; no need to add those access-lists again, follow the lines:

no static (outside,dmz) 172.16.253.4 172.16.200.1 netmask 255.255.255.255
access-list vpn-nat extended permit ip 172.16.200.0 255.255.255.0 host 192.168.99.5
nat (outside) 8 access-list vpn-nat
global (dmz) 8 interface


netcmh (ASKER):
Nope, does not work.
Give me the log.

netcmh (ASKER):
6|Jul 22 2010|16:47:30|302021|172.16.200.1|1024|192.168.99.5|0|Teardown ICMP connection for faddr 172.16.200.1/1024 gaddr 192.168.99.5/0 laddr 192.168.99.5/0 (amp_tools)
6|Jul 22 2010|16:47:28|302020|172.16.200.1|1024|192.168.99.5|0|Built inbound ICMP connection for faddr 172.16.200.1/1024 gaddr 192.168.99.5/0 laddr 192.168.99.5/0 (amp_tools)
6|Jul 22 2010|16:47:27|302014|172.16.200.1|2621|192.168.99.5|3389|Teardown TCP connection 533749231 for outside:172.16.200.1/2621 to dmz:192.168.99.5/3389 duration 0:00:30 bytes 0 SYN Timeout (amp_tools)
6|Jul 22 2010|16:47:25|302021|172.16.200.1|1024|192.168.99.5|0|Teardown ICMP connection for faddr 172.16.200.1/1024 gaddr 192.168.99.5/0 laddr 192.168.99.5/0 (amp_tools)
6|Jul 22 2010|16:47:22|302020|172.16.200.1|1024|192.168.99.5|0|Built inbound ICMP connection for faddr 172.16.200.1/1024 gaddr 192.168.99.5/0 laddr 192.168.99.5/0 (amp_tools)
6|Jul 22 2010|16:47:20|302021|172.16.200.1|1024|192.168.99.5|0|Teardown ICMP connection for faddr 172.16.200.1/1024 gaddr 192.168.99.5/0 laddr 192.168.99.5/0 (amp_tools)
6|Jul 22 2010|16:47:17|302020|172.16.200.1|1024|192.168.99.5|0|Built inbound ICMP connection for faddr 172.16.200.1/1024 gaddr 192.168.99.5/0 laddr 192.168.99.5/0 (amp_tools)
6|Jul 22 2010|16:47:14|302021|172.16.200.1|1024|192.168.99.5|0|Teardown ICMP connection for faddr 172.16.200.1/1024 gaddr 192.168.99.5/0 laddr 192.168.99.5/0 (amp_tools)
6|Jul 22 2010|16:47:12|302020|172.16.200.1|1024|192.168.99.5|0|Built inbound ICMP connection for faddr 172.16.200.1/1024 gaddr 192.168.99.5/0 laddr 192.168.99.5/0 (amp_tools)
6|Jul 22 2010|16:46:57|302013|172.16.200.1|2621|192.168.99.5|3389|Built inbound TCP connection 533749231 for outside:172.16.200.1/2621 (172.16.200.1/2621) to dmz:192.168.99.5/3389 (192.168.99.5/3389) (amp_tools)

Try the below commands, copy and paste:

no nat (outside) 8 access-list vpn-nat
no global (dmz) 8 interface
static (outside,dmz) 172.16.253.4 access-list vpn-nat

Don't delete the access-list vpn-nat.

netcmh (ASKER):
Give it a rest for now. You told me almost 2 hrs ago that it was 11pm. Get some sleep and we can touch base again tomorrow.

Thank you for your persistence and your patience.
Try the above command; I can wait for you.

netcmh (ASKER):
I get this error:

asafirewall(config)# static (outside,dmz) 172.16.253.4 access-list vpn-nat
global address overlaps with mask
Try:

static (outside,dmz) 172.16.253.4 access-list vpn-nat netmask 255.255.255.255


netcmh (ASKER):
asafirewall(config)# static (outside,dmz) 172.16.253.4 access-list vpn-nat netmask 255.255.255.255

invalid option netmask
Usage: [no] static [(real_ifc, mapped_ifc)]
                {<mapped_ip>|interface}
                {<real_ip> [netmask <mask>]} | {access-list <acl_name>}
                [dns]
                [[tcp] <max_conns> [<emb_lim> [<norandomseq> [nailed]]]]
                [udp <max_conns>]
        [no] static [(real_ifc, mapped_ifc)] {tcp|udp}
                {<mapped_ip>|interface} <mapped_port>
                {<real_ip> <real_port> [netmask <mask>]} |
                {access-list <acl_name>}
                [dns]
                [[tcp] <max_conns> [<emb_lim> [<norandomseq> [nailed]]]]
                [udp <max_conns>]
        show running-config [all] static [<mapped_ip>]
        clear configure static


Let's call it a day now. Get some rest and we'll look at it tomorrow. Good night, and thanks.
OK, as you wish. I think there are some limitations in the NAT commands,
so better tomorrow you correct your route in the MPLS router, then everything should work.

By the way, did you remove all your static config?
Above I can see a command like "clear configure static".

netcmh (ASKER):
Could you remind me what those route corrections were?
Your quote: that server's at a remote location, so the gateway's its MPLS router's IP address.

99.5's GW is a router's IP address; there you have to add the proper route to 172.16.200.0/24.

netcmh (ASKER):
I've already corrected that route, and that's how we started getting to it from the ASA, of course with modifications to the switch's ACLs.
See, if you send some packet from the ASA, it will have the source IP of the ASA, not the VPN client IP. Same when the VPN client tries to access 99.5: the particular packet will have the source IP of 172.16.200.1.

So the server / server's GW must know where this 172.16.200.0 is.

netcmh (ASKER):
When I RDP from the VPN client this is the log on the ASA:

6|Jul 23 2010|08:53:54|302014|172.16.200.1|2982|192.168.99.5|3389|Teardown TCP connection 534352879 for outside:172.16.200.1/2982 to dmz:192.168.99.5/3389 duration 0:00:08 bytes 28334 TCP Reset-I (amp_tools)
6|Jul 23 2010|08:53:46|302014|172.16.200.1|2981|192.168.99.5|3389|Teardown TCP connection 534352876 for outside:172.16.200.1/2981 to dmz:192.168.99.5/3389 duration 0:00:00 bytes 38 TCP FINs (amp_tools)
6|Jul 23 2010|08:53:46|302013|172.16.200.1|2982|192.168.99.5|3389|Built inbound TCP connection 534352879 for outside:172.16.200.1/2982 (172.16.253.4/2982) to dmz:192.168.99.5/3389 (192.168.99.5/3389) (amp_tools)
6|Jul 23 2010|08:53:45|302013|172.16.200.1|2981|192.168.99.5|3389|Built inbound TCP connection 534352876 for outside:172.16.200.1/2981 (172.16.253.4/2981) to dmz:192.168.99.5/3389 (192.168.99.5/3389) (amp_tools)

Source IP: IP of VPN client,
and it's getting to the server and back; routes must be OK, right?
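The ASDM excerpts pasted through this thread show three distinct outcomes for the same client-to-server flow: a 302013 "Built" followed by a 302014 "Teardown ... bytes 0 SYN Timeout" (the SYN left the ASA and the server never answered, which turned out to be the missing return route), a 109025 "Authorization denied (acl=amp_tools_split)" (the per-user ACL dropped the flow before any connection was built), and finally a 302013 whose parenthesised source address (172.16.253.4) differs from the real one (172.16.200.1), which is the static translation in effect. The script below is an added example, not code from the thread or from Cisco; it parses the pipe-delimited ASDM export format as pasted above and labels each line with one of those outcomes. The sample lines are copied from the thread's own log excerpts; the verdict strings are this script's own naming.

```python
import re
from collections import Counter

# Sample lines copied from the ASDM real-time log excerpts pasted in this thread.
SAMPLE = [
    "6|Jul 22 2010|14:26:35|302014|172.16.200.1|2369|192.168.99.5|3389|Teardown TCP connection 533606188 for outside:172.16.200.1/2369 to dmz:192.168.99.5/3389 duration 0:00:30 bytes 0 SYN Timeout (amp_tools)",
    "6|Jul 22 2010|14:26:05|302013|172.16.200.1|2369|192.168.99.5|3389|Built inbound TCP connection 533606188 for outside:172.16.200.1/2369 (172.16.200.1/2369) to dmz:192.168.99.5/3389 (192.168.99.5/3389) (amp_tools)",
    "6|Jul 22 2010|15:32:17|109025|172.16.200.1|2533|192.168.99.5|3389|Authorization denied (acl=amp_tools_split) for user 'amp_tools' from 172.16.200.1/2533 to 192.168.99.5/3389 on interface outside using TCP",
    "6|Jul 23 2010|08:53:46|302013|172.16.200.1|2982|192.168.99.5|3389|Built inbound TCP connection 534352879 for outside:172.16.200.1/2982 (172.16.253.4/2982) to dmz:192.168.99.5/3389 (192.168.99.5/3389) (amp_tools)",
    "6|Jul 23 2010|08:53:54|302014|172.16.200.1|2982|192.168.99.5|3389|Teardown TCP connection 534352879 for outside:172.16.200.1/2982 to dmz:192.168.99.5/3389 duration 0:00:08 bytes 28334 TCP Reset-I (amp_tools)",
]

# ASDM export columns as seen in the thread:
# severity|date|time|message-id|src|sport|dst|dport|message text
ASDM_LINE = re.compile(
    r"^(?P<sev>\d)\|(?P<date>[^|]+)\|(?P<time>[^|]+)\|(?P<mid>\d{6})\|"
    r"(?P<src>[^|]+)\|(?P<sport>\d+)\|(?P<dst>[^|]+)\|(?P<dport>\d+)\|(?P<text>.*)$"
)
# 302013 prints the source as "real/port (mapped/port)"; a mapped address that
# differs from the real one means a NAT rule matched this flow.
BUILT_SRC = re.compile(r"for \w+:(?P<real>[0-9.]+)/\d+ \((?P<mapped>[0-9.]+)/\d+\) to ")
ACL_NAME = re.compile(r"\(acl=(?P<acl>[^)]+)\)")


def classify(line):
    """Parse one exported ASDM line; return a dict with a verdict, or None if it is not a log line."""
    m = ASDM_LINE.match(line)
    if not m:
        return None
    f = m.groupdict()
    mid = int(f["mid"])
    text = f["text"]
    ev = {"mid": mid, "src": f["src"], "dst": f["dst"], "dport": int(f["dport"]),
          "mapped_src": None, "verdict": "other"}

    if mid == 109025:
        # Per-user authorization ACL dropped the packet; no connection was built at all.
        a = ACL_NAME.search(text)
        ev["verdict"] = "denied by acl " + (a["acl"] if a else "unknown")
    elif mid == 302013:
        b = BUILT_SRC.search(text)
        if b and b["mapped"] != b["real"]:
            ev["mapped_src"] = b["mapped"]
        ev["verdict"] = "built, translated" if ev["mapped_src"] else "built, untranslated"
    elif mid == 302014:
        if "SYN Timeout" in text and "bytes 0 " in text:
            # The SYN was forwarded and nothing came back: check the far side's route back
            # to the client pool and any ACLs between the ASA and the server.
            ev["verdict"] = "no reply from server"
        elif "TCP Reset-I" in text or "TCP FINs" in text:
            ev["verdict"] = "two-way session closed"
        else:
            ev["verdict"] = "teardown"
    elif mid == 302020:
        ev["verdict"] = "icmp built"
    elif mid == 302021:
        ev["verdict"] = "icmp teardown"
    return ev


def summarize(lines):
    """Count verdicts across a pasted log excerpt, ignoring lines that are not log lines."""
    return Counter(ev["verdict"] for ev in map(classify, lines) if ev)


if __name__ == "__main__":
    for verdict, n in summarize(SAMPLE).most_common():
        print(f"{n:3d}  {verdict}")
```

Paste a block of exported ASDM lines into SAMPLE (or read them from a file) and the summary tells you at a glance whether the flow is being refused by an ACL, forwarded without an answer, or translated, which is the distinction the thread spent several hours establishing by eye.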
Yeah, seems to be working now!!! Give me the show conn.

Is RDP enabled on this server?

What about ping?
Did you remove the below command from the ASA? Only after removing this can I say routing is OK.

static (dmz, outside) 172.16.253.4 172.16.200.1 netmask 255.255.255.255
Sorry, this is the command to remove:
static (outside,dmz) 172.16.253.4 172.16.200.1 netmask 255.255.255.255

netcmh (ASKER):
No ping getting through because of the ACLs on the other switches, that's OK. RDP gets through.

So it's working, isn't it?

netcmh (ASKER):
No, that line is still in the ASA config; here's the sh conn:

asafirewall# sh conn | inc dmz
TCP outside 172.16.253.4(172.16.200.1):3818 dmz 192.168.99.5:3389, idle 0:00:00, bytes 927, flags UIOB
I think your RDP is OK now, please confirm.

From the conn output I can see NAT translation is happening for 172.16.200.1,
so I don't think your routing is correct unless that line is removed.

netcmh (ASKER):
Please explain.

My client gets its IP and route from the ASA.

It wasn't going anywhere until we put in that vpn-nat ACL and the static.

netcmh (ASKER):
All I need now is to change that static into a dynamic and I'm done.

I just need that elusive command :) I don't think I need to make any modifications on other network devices.
No, dynamic NAT from outside to inside has certain limitations; it will not work as you expect.
If you don't want to correct your route, then go for static NAT.

netcmh (ASKER):
Isn't that called PAT?
Yes, it is PAT.

You can have a try anyway.

Add the below commands and see:

no static (outside,dmz) 172.16.253.4 172.16.200.1 netmask 255.255.255.255
nat (outside) 8 access-list vpn-nat
global (dmz) 8 interface
Before you add those commands,
please add the line:

access-list vpn-nat extended permit ip 172.16.200.0 255.255.255.0 host 192.168.99.5


netcmh (ASKER):
asafirewall(config)# no static (outside,dmz) 172.16.253.4 172.16.200.1 netmask$

asafirewall(config)# nat (outside) 8 access-list vpn-nat
WARNING: Binding inside nat statement to outermost interface.
WARNING: Keyword "outside" is probably missing.

asafirewall(config)# global (dmz) 8 interface
INFO: dmz interface address added to PAT pool


Anything to worry about?

netcmh (ASKER):
While RDP-ing:

asafirewall# sh conn | in dmz
TCP outside 172.16.200.1:3856 dmz 192.168.99.5:3389, idle 0:00:20, bytes 0, flags SaAB
ASKER CERTIFIED SOLUTION
anoopkmr
This solution is only available to members.

netcmh (ASKER):
You were right, that switch did not have a route back. I put it in and now the PAT is working.

YOU ARE THE MAN!!!!
OK, shall we close this?

netcmh (ASKER):
Yes, and the other one as well; please put in a comment on the other ticket as well referencing this page's URL, and we'll close that as well.

Sure, let me see that.

If you are satisfied with my support, kindly give some good bonus points too.
Cheers

netcmh (ASKER):
access-list vpn-nat extended permit ip 172.16.200.0 255.255.255.0 host 192.168.99.5
global (dmz) 8 interface
nat (outside) 8 access-list vpn-nat

Just what are we saying with these commands?

An ACL to allow IP traffic from 172 to 192; .5 is PATted on the dmz interface?
Exactly!!! You are right.
I did the comment on the other ticket.

netcmh (ASKER):
This comment isn't necessarily the solution, it's the last one in a sequence of steps and troubleshooting that got me to the solution.

Best support in terms of persistence and patience.

Thank you

netcmh (ASKER):
Strange, why 7.7 very good? I chose A and excellent!