Solved

After a successful IPsec tunnel is established with the ASA 5510 with Cisco VPN client, traffic is not passed through the tunnel

Posted on 2008-09-30
Last Modified: 2012-06-27
After successful connection of an IPsec tunnel with the ASA 5510 and Cisco VPN client (I have used versions from 4.8 to 5.02), the tunnel is established. I can ping the inside interface of the ASA, but not hosts on the LAN.
The tunnel will connect with transparent tunneling, IPsec over UDP, IPsec over TCP port 10000, or without transparent tunneling. I have also tried the NAT Traversal command.
I have seen this with 3000 series concentrators, and it is usually a routing issue where packets traversing the tunnel can't find the default gateways of the remote LAN segments.
The following is the basic LAN topology:

ASA inside interface:  192.168.1.1
Inside networks:       192.168.3.0
                       192.168.4.0
                       192.168.5.0
Each of the above subnets has a gateway (192.168.3.1, 192.168.4.1, 192.168.5.1 respectively) in a VLAN on a Cisco 3550 Layer 3 switch.

There are static routes that route inside traffic from these networks to the inside interface of the ASA.
I am using an internal address pool of 192.168.3.85-90/24
I have tried all the nat0 access-list scenarios to exempt the above subnets from translation, with no luck. I have an ASA 5505 on the network with an identical configuration, and it passes traffic fine, with the same nat0 access lists. (The 5505 has a 192.168.3.2 address for its inside interface.)



I have tried the sysopt connection permit-ipsec command; it doesn't work.
If I try the route inside 0.0.0.0 0.0.0.0 192.168.3.1 tunneled,
the route inside 0.0.0.0 0.0.0.0 192.168.4.1 tunneled, or
the route inside 0.0.0.0 0.0.0.0 192.168.1.1 tunneled, I get the error message "default route exists", even after removing the static routes above.

Could this be a routing problem, where the packets cannot find the gateways of the above LANs? If I can ping 192.168.1.1, which is the inside interface of the ASA, why can't the static routes send the packets to the default gateways inside the LAN if the correct nat0 access lists are exempting the above subnets from translation?
Also, I cannot telnet to the 192.168.1.1 inside interface, even after adding the access lists.

Here is the current config
Any help is appreciated

Maybe I am missing something simple in the configuration

thanks

ASA5510# sh run
: Saved
:
ASA Version 7.2(2)
!
hostname ASA5510
domain-name default.domain.invalid
enable password 0VHZzUN3Y8hDcg1h encrypted
names
name 192.168.4.0 InsideNetwork description 192.168.4.0 Network
name 192.168.3.0 InsideSubnet description 192.168.3.0 subnet
name xxx.xxx.xxx.22 VPNOutside description VPN Public IP
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address xxx.xxx.xxx.18 255.255.255.240
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2
 no nameif
 security-level 100
 no ip address
!
interface Ethernet0/3
 shutdown
 nameif dmz
 security-level 50
 ip address 192.168.5.2 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.2.1 255.255.255.0
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list acl_in extended deny tcp any any eq 445
access-list acl_in extended permit ip any any
access-list acl_in extended permit udp any any eq isakmp
access-list acl_in extended permit udp any any eq 10000
access-list acl_in extended permit tcp any any eq 10000
access-list acl_in extended permit udp any any eq 1723
access-list acl_in extended permit esp any any
access-list acl_in extended permit udp any any eq 1701
access-list acl_in extended permit tcp any host xxx.xxx.xxx.27 eq smtp
access-list acl_in extended permit tcp any host xxx.xxx.xxx.27 eq ssh
access-list acl_in extended permit tcp any host xxx.xxx.xxx.21 eq www
access-list acl_in extended permit tcp any host xxx.xxx.xxx.21 eq domain
access-list acl_in extended permit udp any host xxx.xxx.xxx.21 eq domain
access-list acl_in extended permit udp any host xxx.xxx.xxx.21 eq ntp
access-list acl_in extended permit gre any any
access-list acl_in extended permit udp any any eq 4500
access-list acl_in extended permit icmp any any
access-list acl_out extended deny tcp any any eq 445
access-list acl_out extended permit udp any any eq isakmp
access-list acl_out extended permit udp any any eq 4500
access-list acl_out extended permit udp any any eq 10000
access-list acl_out extended permit tcp any any eq 10000
access-list acl_out extended permit udp any any eq 1723
access-list acl_out extended permit tcp any host xxx.xxx.xxx.19 eq smtp
access-list acl_out extended permit tcp any host xxx.xxx.xxx.19 eq https
access-list acl_out extended permit tcp any host xxx.xxx.xxx.19 eq www
access-list acl_out extended permit tcp any host xxx.xxx.xxx.20 eq smtp
access-list acl_out extended permit tcp any host xxx.xxx.xxx.20 eq www
access-list acl_out extended permit tcp any host xxx.xxx.xxx.20 eq https
access-list acl_out extended permit tcp any host xxx.xxx.xxx.21 eq https
access-list acl_out extended permit esp any any
access-list acl_out extended permit udp any any eq 1701
access-list acl_out extended permit esp host xxx.xxx.xxx.23 any
access-list acl_out extended permit udp host xxx.xxx.xxx.23 eq 1701 any
access-list acl_out extended permit udp host xxx.xxx.xxx.23 eq isakmp any
access-list acl_out extended permit tcp any host xxx.xxx.xxx.25 eq smtp
access-list acl_out extended permit tcp any host xxx.xxx.xxx.25 eq www
access-list acl_out extended permit tcp any host xxx.xxx.xxx.25 eq https
access-list acl_out extended permit tcp any host xxx.xxx.xxx.26 eq 3389
access-list acl_out extended permit tcp any host xxx.xxx.xxx.27 eq 123
access-list acl_out extended permit udp any host xxx.xxx.xxx.27 eq domain
access-list acl_out extended permit udp any host xxx.xxx.xxx.27 eq ntp
access-list acl_out extended permit tcp any host xxx.xxx.xxx.27 eq www
access-list acl_out extended permit tcp any host xxx.xxx.xxx.27 eq smtp
access-list acl_out extended permit tcp any host xxx.xxx.xxx.27 eq domain
access-list acl_out extended permit tcp any host xxx.xxx.xxx.21 eq www
access-list acl_out extended permit tcp any host xxx.xxx.xxx.20 eq ssh
access-list acl_out extended permit tcp any host xxx.xxx.xxx.24 eq www
access-list acl_out extended permit gre any any
access-list acl_out extended permit tcp any host 192.168.3.3 eq smtp
access-list acl_out extended permit tcp InsideSubnet 255.255.255.0 host 192.168.1.1 eq ssh
access-list acl_out extended permit tcp InsideSubnet 255.255.255.0 host 192.168.1.1 eq telnet
access-list acl_out extended permit ip any InsideNetwork 255.255.255.0
access-list acl_out extended permit tcp InsideNetwork 255.255.255.0 host 192.168.1.1 eq telnet
access-list inside_nat0_outbound extended permit ip InsideNetwork 255.255.255.0 any
access-list inside_nat0_outbound extended permit ip InsideSubnet 255.255.255.0 any
access-list dmz_access_in extended permit ip any any
access-list dmz_in extended permit ip any any
access-list dmz_in extended permit icmp any any
access-list dmz_out extended permit icmp any any
access-list dmz_out extended permit ip any any
access-list dmz_access_out extended permit ip any any
access-list dmz_access_in_1 extended permit icmp any any
access-list outside_access_out extended permit ip any any
access-list dmz_access_out_1 extended permit ip any any
access-list inside_dmz extended permit ip any any
access-list inside-dmz extended permit icmp any any
access-list inside_nat_0_outbound extended permit ip InsideSubnet 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip any host 192.168.3.85
access-list inside_nat0_outbound_1 extended permit ip InsideSubnet 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip InsideNetwork 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip InsideSubnet 255.255.255.0 host 192.168.3.85
access-list inside_nat0_outbound_1 extended permit ip InsideNetwork 255.255.255.0 host 192.168.3.85
access-list outside_1_cryptomap extended permit ip InsideNetwork 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip InsideSubnet 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat extended permit ip any InsideSubnet 255.255.255.0
access-list nonat extended permit ip any InsideNetwork 255.255.255.0
access-list nonat extended permit ip any 192.168.5.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu management 1500
ip local pool NewinfosysPool 192.168.3.85-192.168.3.90 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 102 interface
nat (inside) 0 access-list nonat
nat (inside) 102 0.0.0.0 0.0.0.0
nat (management) 101 0.0.0.0 0.0.0.0
static (inside,outside) xxx.xxx.xxx.19 192.168.3.20 netmask 255.255.255.255 tcp 1000 100 udp 1000
static (inside,outside) xxx.xxx.xxx.26 192.168.3.35 netmask 255.255.255.255 tcp 1000 100 udp 1000
static (inside,outside) xxx.xxx.xxx.25 192.168.3.33 netmask 255.255.255.255 tcp 1000 100 udp 1000
static (inside,outside) xxx.xxx.xxx.21 192.168.3.16 netmask 255.255.255.255 tcp 1000 100 udp 1000
static (inside,outside) xxx.xxx.xxx.20 192.168.3.3 netmask 255.255.255.255 tcp 1000 100 udp 1000
static (inside,outside) xxx.xxx.xxx.24 192.168.3.17 netmask 255.255.255.255 tcp 1000 100 udp 1000
access-group dmz_out in interface outside
access-group outside_access_out out interface outside
access-group dmz_in in interface inside
access-group dmz_access_in_1 in interface dmz
access-group dmz_access_out_1 out interface dmz
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.17 255
route inside 192.168.2.0 255.255.255.0 192.168.1.1 1
route inside 192.168.5.0 255.255.255.0 192.168.1.1 1
route inside 192.168.6.0 255.255.255.0 192.168.1.1 1
route inside InsideNetwork 255.255.255.0 192.168.1.1 1
route inside InsideSubnet 255.255.255.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy DfltGrpPolicy attributes
 banner value You are connected to the MyCompany Private Network.  Unauthorized use is prohibited.
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp enable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns none
 intercept-dhcp 255.255.255.255 disable
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 msie-proxy server none
 msie-proxy method no-modify
 msie-proxy except-list none
 msie-proxy local-bypass disable
 nac disable
 nac-sq-period 300
 nac-reval-period 36000
 nac-default-acl none
 address-pools value MyCosysPool
 client-firewall none
 client-access-rule none
 webvpn
  functions url-entry
  html-content-filter none
  homepage none
  keep-alive-ignore 4
  http-comp gzip
  filter none
  url-list none
  customization value DfltCustomization
  port-forward none
  port-forward-name value Application Access
  sso-server none
  deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
  svc none
  svc keep-installer installed
  svc keepalive none
  svc rekey time none
  svc rekey method none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc compression deflate
group-policy ipsecgroup internal
group-policy ipsecgroup attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec
 ipsec-udp enable
 ipsec-udp-port 10000
 default-domain value MyCosys.com
 address-pools value MyCosysPool
username user1 password /qBIjej5xxxx0K13 encrypted
username user1 attributes
 vpn-group-policy somegroup
username user2 password belt2MxxxxZ0jdrz encrypted
username user2 attributes
 vpn-group-policy somegroup
username user3 password ml0Dg4.xxxxNsXBF encrypted privilege 0
username user3 attributes
 vpn-group-policy somegroup
http server enable
http InsideNetwork 255.255.255.0 inside
http InsideSubnet 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 management
http 192.168.2.0 255.255.255.0 management
http InsideSubnet 255.255.255.0 management
http InsideNetwork 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no sysopt connection permit-vpn
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set pfs
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 80 set pfs
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
tunnel-group DefaultRAGroup general-attributes
 address-pool (inside) MyCosysPool
 dhcp-server 192.168.5.2
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group ipsecgroup type ipsec-ra
tunnel-group ipsecgroup general-attributes
 address-pool (inside) MyCosysPool
 address-pool MyCosysPool
 default-group-policy somegroup
 strip-group
tunnel-group somegroup ipsec-attributes
 pre-shared-key *
tunnel-group somegroup ppp-attributes
 authentication ms-chap-v2
tunnel-group mycosys type ipsec-ra
tunnel-group mycosys general-attributes
 address-pool (inside) MyCosysPool
 address-pool MyCosysPool
 default-group-policy somegroup
tunnel-group mycosys ipsec-attributes
 pre-shared-key *
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet InsideSubnet 255.255.255.0 inside
telnet InsideNetwork 255.255.255.0 inside
telnet 192.168.1.0 255.255.255.0 inside
telnet 192.168.2.0 255.255.255.0 inside
telnet xxx.xxx.xxx.0 255.255.255.240 inside
telnet 192.168.1.0 255.255.255.0 management
telnet InsideSubnet 255.255.255.0 management
telnet InsideNetwork 255.255.255.0 management
telnet xxx.xxx.xxx.0 255.255.255.240 management
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh 192.168.2.0 255.255.255.0 inside
ssh InsideSubnet 255.255.255.0 inside
ssh InsideNetwork 255.255.255.0 inside
ssh 192.168.1.0 255.255.255.0 management
ssh InsideSubnet 255.255.255.0 management
ssh InsideNetwork 255.255.255.0 management
ssh timeout 5
console timeout 20
dhcpd option 3 ip 192.168.1.1 interface inside
dhcpd option 6 ip xxx.xxx.xx.85 xxx.xxx.xx.2 interface inside
!
dhcpd option 3 ip 192.168.5.1 interface dmz
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:012e17a04510a04exxxx969fbe77b9f0
: end
Question by:bignewf
6 Comments
 
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
ID: 22611195
Problem #1 is routing

>name 192.168.3.0 InsideSubnet
>route inside InsideSubnet 255.255.255.0 192.168.1.1 1

You need to pick a different subnet, used nowhere else, for the VPN address pool. Pick something like 192.168.99.xx.
Then:
access-list nonat permit ip any 192.168.99.0 255.255.255.0
LVL 15

Author Comment

by:bignewf
ID: 22611323
I tried adding the above subnet as you suggested, but now the VPN client does not connect. I added the following route statements:

ip route 192.168.99.0 255.255.255.0 192.168.1.1
ip route 192.168.99.0 255.255.255.0  192.168.3.1
ip route 192.168.99.0 255.255.255.0  192.168.4.1

This is so the 192.168.99.0 network has a path to the inside gateway of the ASA, as well as the other default LAN gateways.

The 192.168.99.0 network is now the only address pool for the IPsec tunnels, and I removed the other internal LAN networks from any internal client pools.

Any suggestions?

thanks
LVL 15

Author Closing Comment

by:bignewf
ID: 31501821
I can't thank you enough. I overlooked the most simple thing, a different subnet.
I spent hours reading the Cisco ASA book by Jazib Frahim, and this was so simple. Since I just joined today, I need to understand the point system to award.
Please forgive me on this

Have a great day
LVL 15

Author Comment

by:bignewf
ID: 22611439
The solution worked; I just rebooted the ASA. I tried with three different versions of Cisco VPN clients, with and without transparent tunneling. Hosts on all the remote LAN networks are now accessible. I even removed the sysopt connection permit-ipsec for additional security, so the decrypted packets are inspected against the access lists.
The different subnet did the trick.


thanks again
LVL 79

Expert Comment

by:lrmoore
ID: 22613282
Glad you got it all working out.
You would not have had to put any route statements in at all, since this network is not in any route table; it would simply fall into the default route category on your switch, and then it would be "connected" to the ASA, so it knows what to do with it.

-Cheers, and welcome to EE. I hope you find your journey a pleasant one.
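The two points lrmoore makes (the accepted answer: the pool must not overlap an inside subnet; the follow-up: no extra routes are needed because the switch's default route already points at the ASA) can be checked mechanically. The script below is an added example, not from this thread or from Cisco. It models the forwarding decision of the Cisco 3550 described in the question as a plain longest-prefix-match table: the 192.168.3.0/24, 192.168.4.0/24 and 192.168.5.0/24 VLANs are directly connected, and the default route points at the ASA inside interface 192.168.1.1. The addresses come from the thread; the VLAN interface names, the LAN hosts that answer ARP, and the 192.168.99.0/24 pool size are constructed assumptions. It also flags a VPN pool that overlaps any inside subnet, the mistake in the original configuration.

```python
"""Model of why a VPN pool overlapping an inside subnet breaks return traffic.

Added example (not from the thread or from Cisco). The switch routing table
below is constructed from the topology given in the question.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

IPv4 = ipaddress.IPv4Address


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: Optional[IPv4]   # None means directly connected
    interface: str             # VLAN names are assumptions


# Constructed routing table for the Layer 3 switch in the question.
SWITCH_ROUTES = [
    Route(ipaddress.ip_network("192.168.3.0/24"), None, "Vlan3"),
    Route(ipaddress.ip_network("192.168.4.0/24"), None, "Vlan4"),
    Route(ipaddress.ip_network("192.168.5.0/24"), None, "Vlan5"),
    Route(ipaddress.ip_network("192.168.1.0/24"), None, "Vlan1"),  # link to ASA inside
    Route(ipaddress.ip_network("0.0.0.0/0"), IPv4("192.168.1.1"), "Vlan1"),
]

# The three inside subnets the ASA routes toward the switch.
INSIDE_SUBNETS = [ipaddress.ip_network(n) for n in
                  ("192.168.3.0/24", "192.168.4.0/24", "192.168.5.0/24")]

# Constructed: LAN hosts that actually answer ARP on the switch's VLANs.
# A VPN client is never among them; it sits on the far side of the ASA.
LAN_HOSTS = {IPv4("192.168.3.3"), IPv4("192.168.4.10")}


def lookup(routes, dst):
    """Longest-prefix match; returns None when nothing matches."""
    dst = ipaddress.ip_address(dst)
    matches = [r for r in routes if dst in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen) if matches else None


def forward_reply(routes, dst, lan_hosts):
    """What the switch does with a LAN host's reply addressed to VPN client `dst`."""
    dst = ipaddress.ip_address(dst)
    r = lookup(routes, dst)
    if r is None:
        return "dropped: no route"
    if r.next_hop is None:
        # Directly connected prefix: the switch ARPs for dst on that VLAN.
        # A VPN pool address inside a connected subnet never answers, so the
        # reply dies here instead of going back to the ASA.
        if dst in lan_hosts:
            return f"delivered on {r.interface}"
        return f"dropped: ARP for {dst} on {r.interface} unanswered"
    # Anything not connected falls into the default route toward the ASA,
    # which is why a separate, unused pool subnet needs no extra routes.
    return f"forwarded to {r.next_hop} via {r.interface}"


def pool_overlaps(pool_first, pool_last, inside_subnets):
    """Inside subnets that share any address with the VPN pool range."""
    pool_nets = list(ipaddress.summarize_address_range(
        ipaddress.ip_address(pool_first), ipaddress.ip_address(pool_last)))
    return sorted({str(n) for n in inside_subnets
                   for p in pool_nets if n.overlaps(p)})


if __name__ == "__main__":
    print("original pool 192.168.3.85-90 overlaps:",
          pool_overlaps("192.168.3.85", "192.168.3.90", INSIDE_SUBNETS))
    print("reply to 192.168.3.85 :", forward_reply(SWITCH_ROUTES, "192.168.3.85", LAN_HOSTS))
    print("new pool 192.168.99.1-50 overlaps:",
          pool_overlaps("192.168.99.1", "192.168.99.50", INSIDE_SUBNETS))
    print("reply to 192.168.99.5 :", forward_reply(SWITCH_ROUTES, "192.168.99.5", LAN_HOSTS))
```

Run stand-alone, the script shows the reply to the old pool address 192.168.3.85 dying on Vlan3 after an unanswered ARP, while a reply to 192.168.99.5 is handed to 192.168.1.1 by the default route with no route statement added for the pool. The same overlap check is worth running whenever a pool is defined, since the nat0 exemption list cannot compensate for it.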
LVL 15

Author Comment

by:bignewf
ID: 22613840
Thanks again. There have been so many posts in knowledge bases about this issue; many seem to have gone down the wrong path, thinking it is the "nat0 nonat" access lists, which have nothing to do with routing.
