ixarissysadmin (Malta) asked:
Limited access to local network for VPN users

I have set up a VPN tunnel for users to connect using the Cisco VPN Client v5.0:
- Phase 1 authentication via certificates
- Phase 2 authentication with the LDAP protocol (using Microsoft Active Directory).

Up to there the setup is successful. The problem is that now users will have FULL access to the internal network and I don't want this.

What I have tried to do is to create an access-list for the VPN users and apply it to the dynamic crypto map. Once I issued this command the VPN failed to connect. Phase 1 and Phase 2 complete successfully, but immediately afterwards the SA is destroyed and the connection drops. I get the attached error.

Command:
 crypto dynamic-map outside_dyn_map 50 match address vpn_client_access

where vpn_client_access is the name of the access-list

Any clues?
Is there another method to implement this?
1635   14:56:07.248  09/25/08  Sev=Info/4       IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:INVALID_ID_INFO) from 1.1.1.1
 
1636   14:56:07.248  09/25/08  Sev=Info/4       IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to 1.1.1.1
 
1637   14:56:07.248  09/25/08  Sev=Info/4       IKE/0x63000049
Discarding IPsec SA negotiation, MsgID=C75EF835
 
1638   14:56:07.248  09/25/08  Sev=Info/4       IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=0A974FDFEE219F0E R_Cookie=81EFBD25A20F09F7) reason = DEL_REASON_IKE_NEG_FAILED
 
1639   14:56:07.248  09/25/08  Sev=Info/5       IKE/0x6300002F
Received ISAKMP packet: peer = 1.1.1.1
 
1640   14:56:07.248  09/25/08  Sev=Info/4       IKE/0x63000058
Received an ISAKMP message for a non-active SA, I_Cookie=0A974FDFEE219F0E R_Cookie=81EFBD25A20F09F7
 
1641   14:56:07.248  09/25/08  Sev=Info/4       IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(Dropped) from 1.1.1.1
 
1642   14:56:07.436  09/25/08  Sev=Info/4       IPSEC/0x63700014
Deleted all keys
 
1643   14:56:10.436  09/25/08  Sev=Info/4       IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=0A974FDFEE219F0E R_Cookie=81EFBD25A20F09F7) reason = DEL_REASON_IKE_NEG_FAILED
 
1644   14:56:10.436  09/25/08  Sev=Info/4       CM/0x63100012
Phase 1 SA deleted before first Phase 2 SA is up cause by "DEL_REASON_IKE_NEG_FAILED".  0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system


sarangk_14 (India) replied:

I don't know a lot about VPN, but tell me one thing:
Have you ensured that the server that you want the VPN users to access is not blocked by your access-list?

Cheers
ixarissysadmin (asker) replied:

Yes!

The problem is that when I use the command:

 crypto dynamic-map outside_dyn_map 50 match address vpn_client_access

the VPN client does not connect!!
Hi,

Can you post the router config? (sanitized of course)
I can give you the configuration of the VPN client .. see attached:
access-list NoNAT_vpn_WAN extended permit ip 192.168.0.0 255.255.255.0 10.0.250.0 255.255.255.192
access-list NoNAT_vpn_WAN extended permit ip 10.0.0.0 255.255.254.0 10.0.250.0 255.255.255.192
 
 
access-list dynmap_vpnclient extended permit ip 10.0.250.0 255.255.255.192 10.1.0.0 255.255.0.0
access-list dynmap_vpnclient extended permit ip 10.0.250.0 255.255.255.192 192.168.1.0 255.255.255.0
 
nat (users) 0 access-list NoNAT_vpn_WAN
 
 
ip local pool vpnpool 10.0.250.1-10.0.250.62 mask 255.255.255.192
 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address dynmap_vpnclient
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map WAN 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map WAN interface outside
 
crypto isakmp enable outside
 
crypto isakmp policy 65535
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
 
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
 vpn-tunnel-protocol IPSec
group-policy allow-vpn-access internal
group-policy allow-vpn-access attributes
 banner value Welcome! You are logged in as a VPN user :)
 dns-server value 192.168.0.10
 vpn-simultaneous-logins 1
 vpn-tunnel-protocol IPSec
 default-domain value xxxxx.com
 
 
tunnel-group DefaultRAGroup general-attributes
 address-pool vpnpool
 authentication-server-group ldap_server_grp LOCAL
 default-group-policy NOACCESS
tunnel-group DefaultRAGroup ipsec-attributes
 trust-point client-vpn


Can you throw some light on the following two lines from the configuration?

access-list NoNAT_vpn_WAN extended permit ip 192.168.0.0 255.255.255.0 10.0.250.0 255.255.255.192

dns-server value 192.168.0.10

Cheers
Also, can you attach some part of the log before the one you have posted in the original question?
Regarding the first question:
Traffic sourced from the internal network to the VPN pool is not NAT'd, via the nat 0 ACLs.

Attached is the whole log:

x.x.x.x is the firewall's external IP.
183    15:16:06.093  10/01/08  Sev=Info/6	CERT/0x63600025
Attempting to find a Certificate using Serial Hash.
 
184    15:16:06.093  10/01/08  Sev=Info/6	CERT/0x63600026
Found a Certificate using Serial Hash.
 
185    15:16:06.140  10/01/08  Sev=Info/4	CM/0x63100002
Begin connection process
 
186    15:16:06.109  10/01/08  Sev=Info/6	CERT/0x63600025
Attempting to find a Certificate using Serial Hash.
 
187    15:16:06.140  10/01/08  Sev=Info/4	CM/0x63100004
Establish secure connection
 
188    15:16:06.109  10/01/08  Sev=Info/6	CERT/0x63600026
Found a Certificate using Serial Hash.
 
189    15:16:06.140  10/01/08  Sev=Info/4	CM/0x63100024
Attempt connection with server "x.x.x.x"
 
190    15:16:06.109  10/01/08  Sev=Info/6	CERT/0x63600025
Attempting to find a Certificate using Serial Hash.
 
191    15:16:06.140  10/01/08  Sev=Info/6	IKE/0x6300003B
Attempting to establish a connection with x.x.x.x.
 
192    15:16:06.125  10/01/08  Sev=Info/6	CERT/0x63600026
Found a Certificate using Serial Hash.
 
193    15:16:06.156  10/01/08  Sev=Info/6	CERT/0x63600025
Attempting to find a Certificate using Serial Hash.
 
194    15:16:06.125  10/01/08  Sev=Info/4	CERT/0x63600015
Cert (cn=Denise Vassallo,cn=Users,dc=casaroma,dc=ixaris,dc=com) verification succeeded.
 
195    15:16:06.156  10/01/08  Sev=Info/6	CERT/0x63600026
Found a Certificate using Serial Hash.
 
196    15:16:06.187  10/01/08  Sev=Info/4	CERT/0x63600015
Cert (cn=Denise Vassallo,cn=Users,dc=casaroma,dc=ixaris,dc=com) verification succeeded.
 
197    15:16:06.187  10/01/08  Sev=Info/4	IKE/0x63000013
SENDING >>> ISAKMP OAK MM (SA, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to x.x.x.x
 
198    15:16:06.484  10/01/08  Sev=Info/5	IKE/0x6300002F
Received ISAKMP packet: peer = x.x.x.x
 
199    15:16:06.484  10/01/08  Sev=Info/4	IKE/0x63000014
RECEIVING <<< ISAKMP OAK MM (SA, VID(Nat-T), VID(Frag)) from x.x.x.x
 
200    15:16:06.500  10/01/08  Sev=Info/5	IKE/0x63000001
Peer supports NAT-T
 
201    15:16:06.500  10/01/08  Sev=Info/5	IKE/0x63000001
Peer supports IKE fragmentation payloads
 
202    15:16:06.500  10/01/08  Sev=Info/6	IKE/0x63000001
IOS Vendor ID Contruction successful
 
203    15:16:06.500  10/01/08  Sev=Info/4	IKE/0x63000013
SENDING >>> ISAKMP OAK MM (KE, NON, NAT-D, NAT-D, VID(?), VID(Unity)) to x.x.x.x
 
204    15:16:06.546  10/01/08  Sev=Info/4	IPSEC/0x63700008
IPSec driver successfully started
 
205    15:16:06.546  10/01/08  Sev=Info/4	IPSEC/0x63700014
Deleted all keys
 
206    15:16:06.656  10/01/08  Sev=Info/5	IKE/0x6300002F
Received ISAKMP packet: peer = x.x.x.x
 
207    15:16:06.656  10/01/08  Sev=Info/4	IKE/0x63000014
RECEIVING <<< ISAKMP OAK MM (KE, NON, CERT_REQ, VID(Unity), VID(Xauth), VID(?), VID(?), NAT-D, NAT-D) from x.x.x.x
 
208    15:16:06.656  10/01/08  Sev=Info/5	IKE/0x63000001
Peer is a Cisco-Unity compliant peer
 
209    15:16:06.656  10/01/08  Sev=Info/5	IKE/0x63000001
Peer supports XAUTH
 
210    15:16:06.656  10/01/08  Sev=Info/5	IKE/0x63000082
Received IOS Vendor ID with unknown capabilities flag 0x20000001
 
211    15:16:06.687  10/01/08  Sev=Info/4	CERT/0x6360001B
No smart card readers with cards inserted found.
 
212    15:16:06.734  10/01/08  Sev=Info/4	IKE/0x63000013
SENDING >>> ISAKMP OAK MM *(ID, CERT, CERT_REQ, SIG, NOTIFY:STATUS_INITIAL_CONTACT) to x.x.x.x
 
213    15:16:06.734  10/01/08  Sev=Info/4	IKE/0x63000013
SENDING >>> ISAKMP OAK MM (FRAG) to x.x.x.x
 
214    15:16:06.734  10/01/08  Sev=Info/4	IKE/0x63000013
SENDING >>> ISAKMP OAK MM (FRAG) to x.x.x.x
 
215    15:16:06.734  10/01/08  Sev=Info/4	IKE/0x63000013
SENDING >>> ISAKMP OAK MM (FRAG) to x.x.x.x
 
216    15:16:06.734  10/01/08  Sev=Info/4	IKE/0x63000013
SENDING >>> ISAKMP OAK MM (FRAG) to x.x.x.x
 
217    15:16:06.734  10/01/08  Sev=Info/4	IKE/0x63000013
SENDING >>> ISAKMP OAK MM (FRAG) to x.x.x.x
 
218    15:16:07.484  10/01/08  Sev=Info/5	IKE/0x6300002F
Received ISAKMP packet: peer = x.x.x.x
 
219    15:16:07.484  10/01/08  Sev=Info/4	IKE/0x63000014
RECEIVING <<< ISAKMP OAK MM (FRAG) from x.x.x.x
 
220    15:16:07.484  10/01/08  Sev=Info/5	IKE/0x6300002F
Received ISAKMP packet: peer = x.x.x.x
 
221    15:16:07.484  10/01/08  Sev=Info/4	IKE/0x63000014
RECEIVING <<< ISAKMP OAK MM (FRAG) from x.x.x.x
 
222    15:16:07.484  10/01/08  Sev=Info/5	IKE/0x6300002F
Received ISAKMP packet: peer = x.x.x.x
 
223    15:16:07.484  10/01/08  Sev=Info/4	IKE/0x63000014
RECEIVING <<< ISAKMP OAK MM (FRAG) from x.x.x.x
 
224    15:16:07.484  10/01/08  Sev=Info/5	IKE/0x6300002F
Received ISAKMP packet: peer = x.x.x.x
 
225    15:16:07.484  10/01/08  Sev=Info/4	IKE/0x63000014
RECEIVING <<< ISAKMP OAK MM (FRAG) from x.x.x.x
 
226    15:16:07.484  10/01/08  Sev=Info/5	IKE/0x63000073
All fragments received.
 
227    15:16:07.484  10/01/08  Sev=Info/4	IKE/0x63000014
RECEIVING <<< ISAKMP OAK MM *(ID, CERT, SIG, VID(dpd)) from x.x.x.x
 
228    15:16:07.500  10/01/08  Sev=Info/4	CERT/0x63600015
Cert (1.2.840.113549.1.9.2=#13196d742d66772d6661696c6f7665722e6978617269732e636f6d) verification succeeded.
 
229    15:16:07.500  10/01/08  Sev=Info/5	IKE/0x63000001
Peer supports DPD
 
230    15:16:07.500  10/01/08  Sev=Info/4	IKE/0x63000083
IKE Port in use - Local Port =  0x0D79, Remote Port = 0x01F4
 
231    15:16:07.500  10/01/08  Sev=Info/5	IKE/0x63000072
Automatic NAT Detection Status:
   Remote end is NOT behind a NAT device
   This   end is NOT behind a NAT device
 
232    15:16:07.500  10/01/08  Sev=Info/4	CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
 
233    15:16:08.437  10/01/08  Sev=Info/5	IKE/0x6300002F
Received ISAKMP packet: peer = x.x.x.x
 
234    15:16:08.437  10/01/08  Sev=Info/4	IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from x.x.x.x
 
235    15:16:08.437  10/01/08  Sev=Info/4	CM/0x63100015
Launch xAuth application
 
236    15:16:12.187  10/01/08  Sev=Info/4	CM/0x63100017
xAuth application returned
 
237    15:16:12.187  10/01/08  Sev=Info/4	IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to x.x.x.x
 
238    15:16:12.390  10/01/08  Sev=Info/5	IKE/0x6300002F
Received ISAKMP packet: peer = x.x.x.x
 
239    15:16:12.390  10/01/08  Sev=Info/4	IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from x.x.x.x
 
240    15:16:12.390  10/01/08  Sev=Info/4	IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to x.x.x.x
 
241    15:16:12.390  10/01/08  Sev=Info/4	CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system
 
242    15:16:12.406  10/01/08  Sev=Info/5	IKE/0x6300005E
Client sending a firewall request to concentrator
 
243    15:16:12.406  10/01/08  Sev=Info/5	IKE/0x6300005D
Firewall Policy: Product=Cisco Systems Integrated Client Firewall, Capability= (Centralized Protection Policy).
 
244    15:16:12.421  10/01/08  Sev=Info/4	IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to x.x.x.x
 
245    15:16:12.593  10/01/08  Sev=Info/5	IKE/0x6300002F
Received ISAKMP packet: peer = x.x.x.x
 
246    15:16:12.593  10/01/08  Sev=Info/4	IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from x.x.x.x
 
247    15:16:12.593  10/01/08  Sev=Info/5	IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 10.0.250.1
 
248    15:16:12.593  10/01/08  Sev=Info/5	IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NETMASK: , value = 255.255.255.192
 
249    15:16:12.593  10/01/08  Sev=Info/5	IKE/0x6300000E
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_BANNER, value = Welcome! You are logged in as a VPN user :)
 
 
250    15:16:12.593  10/01/08  Sev=Info/5	IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SAVEPWD: , value = 0x00000000
 
251    15:16:12.593  10/01/08  Sev=Info/5	IKE/0x6300000E
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_DEFDOMAIN: , value = ixaris.com
 
252    15:16:12.593  10/01/08  Sev=Info/5	IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS: , value = 0x00000000
 
253    15:16:12.593  10/01/08  Sev=Info/5	IKE/0x6300000E
MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value = Cisco Systems, Inc ASA5510 Version 8.0(3) built by builders on Tue 06-Nov-07 22:59
 
254    15:16:12.593  10/01/08  Sev=Info/4	CM/0x63100019
Mode Config data received
 
255    15:16:12.609  10/01/08  Sev=Info/4	IKE/0x63000056
Received a key request from Driver: Local IP = 10.0.250.1, GW IP = x.x.x.x, Remote IP = 0.0.0.0
 
256    15:16:12.609  10/01/08  Sev=Info/4	IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to x.x.x.x
 
257    15:16:12.890  10/01/08  Sev=Info/5	IKE/0x6300002F
Received ISAKMP packet: peer = x.x.x.x
 
258    15:16:12.890  10/01/08  Sev=Info/4	IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from x.x.x.x
 
259    15:16:12.890  10/01/08  Sev=Info/5	IKE/0x63000045
RESPONDER-LIFETIME notify has value of 86400 seconds
 
260    15:16:12.890  10/01/08  Sev=Info/5	IKE/0x63000047
This SA has already been alive for 6 seconds, setting expiry to 86394 seconds from now
 
261    15:16:12.890  10/01/08  Sev=Info/5	IKE/0x6300002F
Received ISAKMP packet: peer = x.x.x.x
 
262    15:16:12.890  10/01/08  Sev=Info/4	IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO (FRAG) from x.x.x.x
 
263    15:16:12.890  10/01/08  Sev=Info/5	IKE/0x6300002F
Received ISAKMP packet: peer = x.x.x.x
 
264    15:16:12.890  10/01/08  Sev=Info/4	IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO (FRAG) from x.x.x.x
 
265    15:16:12.890  10/01/08  Sev=Info/5	IKE/0x6300002F
Received ISAKMP packet: peer = x.x.x.x
 
266    15:16:12.890  10/01/08  Sev=Info/4	IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO (FRAG) from x.x.x.x
 
267    15:16:12.890  10/01/08  Sev=Info/5	IKE/0x63000073
All fragments received.
 
268    15:16:12.890  10/01/08  Sev=Info/4	IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:INVALID_ID_INFO) from x.x.x.x
 
269    15:16:12.890  10/01/08  Sev=Info/4	IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to x.x.x.x
 
270    15:16:12.890  10/01/08  Sev=Info/4	IKE/0x63000049
Discarding IPsec SA negotiation, MsgID=061B7BAC
 
271    15:16:12.890  10/01/08  Sev=Info/4	IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=79A4461E7FE9AE6A R_Cookie=A7AFB87AAA5FFD0C) reason = DEL_REASON_IKE_NEG_FAILED
 
272    15:16:12.890  10/01/08  Sev=Info/5	IKE/0x6300002F
Received ISAKMP packet: peer = x.x.x.x
 
273    15:16:12.890  10/01/08  Sev=Info/4	IKE/0x63000058
Received an ISAKMP message for a non-active SA, I_Cookie=79A4461E7FE9AE6A R_Cookie=A7AFB87AAA5FFD0C
 
274    15:16:12.890  10/01/08  Sev=Info/4	IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(Dropped) from x.x.x.x
 
275    15:16:13.046  10/01/08  Sev=Info/4	IPSEC/0x63700014
Deleted all keys
 
276    15:16:16.046  10/01/08  Sev=Info/4	IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=79A4461E7FE9AE6A R_Cookie=A7AFB87AAA5FFD0C) reason = DEL_REASON_IKE_NEG_FAILED
 
277    15:16:16.046  10/01/08  Sev=Info/4	CM/0x63100012
Phase 1 SA deleted before first Phase 2 SA is up cause by "DEL_REASON_IKE_NEG_FAILED".  0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
 
278    15:16:16.046  10/01/08  Sev=Info/5	CM/0x63100025
Initializing CVPNDrv
 
279    15:16:16.046  10/01/08  Sev=Info/6	CM/0x63100046
Set tunnel established flag in registry to 0.
 
280    15:16:16.046  10/01/08  Sev=Info/4	IKE/0x63000001
IKE received signal to terminate VPN connection
 
281    15:16:16.062  10/01/08  Sev=Info/4	IPSEC/0x63700014
Deleted all keys
 
282    15:16:16.062  10/01/08  Sev=Info/4	IPSEC/0x63700014
Deleted all keys
 
283    15:16:16.062  10/01/08  Sev=Info/4	IPSEC/0x63700014
Deleted all keys
 
284    15:16:16.062  10/01/08  Sev=Info/4	IPSEC/0x6370000A
IPSec driver successfully stopped

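The question asks whether there is another way to restrict what VPN users can reach. The following is an added example, not from the original thread or its accepted solution: it moves the restriction from the dynamic crypto map to a vpn-filter on the group-policy, which is the ASA feature intended for per-group reachability limits. It reuses the pool and group-policy names from the posted config; the ACL name vpn_client_filter and the two permitted internal subnets (borrowed from the posted dynmap_vpnclient ACL) are assumptions.

```cisco
! Added example (not from the original thread): restrict VPN users with a
! vpn-filter on the group-policy instead of 'match address' on the dynamic map.
! Assumed: ACL name vpn_client_filter; 10.0.250.0/26 is the vpnpool from the post.

! 1. Remove the crypto-map ACL that causes the Phase 2 INVALID_ID_INFO rejection.
no crypto dynamic-map outside_dyn_map 50 match address vpn_client_access

! 2. A vpn-filter ACL is evaluated with the VPN client as the SOURCE, so write
!    source = client pool, destination = the internal subnets users may reach.
access-list vpn_client_filter extended permit ip 10.0.250.0 255.255.255.192 10.1.0.0 255.255.0.0
access-list vpn_client_filter extended permit ip 10.0.250.0 255.255.255.192 192.168.1.0 255.255.255.0
! Implicit deny at the end: the rest of the internal network stays unreachable.

! 3. Attach the filter to the group-policy that authenticated users land in;
!    NOACCESS (simultaneous-logins 0) needs no filter because it admits nobody.
group-policy allow-vpn-access attributes
 vpn-filter value vpn_client_filter

! 4. Verify on the firewall after a user connects: the session detail shows
!    the filter name applied to that session.
show vpn-sessiondb detail remote
```

The match address ACL breaks the tunnel because the client proposes its pool address to 0.0.0.0/0 as the Phase 2 identities (see "Remote IP = 0.0.0.0" in the log), which does not match the narrower ACL, so the ASA answers with INVALID_ID_INFO. A vpn-filter is enforced on traffic after the SA is up and never enters the negotiation.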

ASKER CERTIFIED SOLUTION (posted by ixarissysadmin)