Solved

ASA Remote-Access VPN - Unable to reach inside network

Posted on 2008-10-28
Last Modified: 2012-08-14
We have a Cisco ASA 5510 installed in one of our datacenters that we are using for remote-access VPN connections.  The Cisco VPN Client is able to connect and split tunneling is currently allowing us to use the internet but we are unable to access any of the resources on the "inside" of the ASA.

Our datacenter IP addressing is 10.x.x.x while our offices are 172.x.x.x.  We are unable to access resources in either.

The route details in the VPN client indicate that 10.0.0.0/8 and 172.16.0.0/12 are secured routes.
Tunnel details show that packets are being encrypted but none are being decrypted.

Consoled into the ASA, I am able to ping an address on the inside network.  I am unable to ping any address outside including the address of the connected VPN client.

Pinging from the VPN client seems to be reaching the inside interface; however, no response is returned.
ICMP echo request from 172.16.5.100 to 10.249.1.246 ID=1024 seq=1536 len=32
ICMP echo request from 172.16.5.100 to 10.249.1.246 ID=1024 seq=1792 len=32
ICMP echo request from 172.16.5.100 to 10.249.1.246 ID=1024 seq=2048 len=32
ICMP echo request from 172.16.5.100 to 10.249.1.246 ID=1024 seq=2304 len=32

Please see the below config for reference.  The route print is also attached.

ASA Version 7.2(4)
!
hostname XXXX
domain-name XXXX
enable password XXXX encrypted
passwd XXXX encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address XXX.176.55.187 255.255.255.240
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.249.1.246 255.255.255.0
!
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
 timeout 30
 name-server 172.19.2.31
 domain-name XXX
access-list vpnSplitTunnel standard permit 172.16.0.0 255.240.0.0
access-list vpnSplitTunnel standard permit 10.0.0.0 255.0.0.0
access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.240.0.0 172.19.5.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 172.19.5.0 255.255.255.0
pager lines 24
logging enable
logging buffer-size 500000
mtu outside 1500
mtu inside 1500
ip local pool vpnClientPool 172.16.5.100-172.16.5.120 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 XXX.176.55.190 1
!
router ospf 24901
 router-id 10.249.1.246
 network 10.249.1.0 255.255.255.0 area 0
 log-adj-changes
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa-server vpnUsers protocol radius
aaa-server vpnUsers (inside) host 10.249.24.32
 key XXX
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection permit-vpn
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map vpnDynamicMap 10 set transform-set ESP-3DES-SHA
crypto dynamic-map vpnDynamicMap 10 set reverse-route
crypto map vpnMap 10 ipsec-isakmp dynamic vpnDynamicMap
crypto map vpnMap interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
crypto isakmp ipsec-over-tcp port 10000
telnet timeout 5
ssh timeout 5
console timeout 0
group-policy abc123 internal
group-policy abc123 attributes
 dns-server value 172.19.2.31
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpnSplitTunnel
 default-domain value XXXX
username XXXX password XXXX encrypted privilege 15
tunnel-group abc123 type ipsec-ra
tunnel-group abc123 general-attributes
 address-pool vpnClientPool
 default-group-policy abc123
tunnel-group abc123 ipsec-attributes
 pre-shared-key XXXX
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:00e61c7b5eeb447bb962df22d6262857
: end

route.txt
Question by:BubbaJones82
Expert Comment

by:Alan Huseyin Kayahan
ID: 22832885
Hello BubbaJones82,
ip local pool vpn_pool 172.19.5.100-172.19.5.120 mask 255.255.255.0
tunnel-group abc123 general-attributes
no address-pool vpnClientPool
address-pool vpn_pool
no ip local pool vpnClientPool 172.16.5.100-172.16.5.120 mask 255.255.255.0
As far as I know, the ASA cannot have loopback interfaces, so you cannot advertise the 172.19.5.0/24 network to the adjacent router. You have to create a route for this VPN network in the adjacent router manually.

Regards



Author Comment

by:BubbaJones82
ID: 22833369
Hello MrHusy,

I should have updated my post.  I saw that error earlier with the x.16.x.x and have already changed it to x.19.x.x.  Thanks for catching it though.  

Another thing I should have clarified is that the ASA has a public IP address on the outside interface.

In the route print I've attached, it shows that the VPN Client is receiving routes to the ASA and traffic is arriving at the ASA and being decrypted.  I just can't access anything on the inside of the ASA.

The sh route on the ASA also shows a route to the VPN Client.

C    216.XXX.XXX.176 255.255.255.240 is directly connected, outside
S    172.19.5.100 255.255.255.255 [1/0] via 216.XXX.XXX.190, outside
O E2 10.0.0.0 255.255.0.0 [110/20] via 10.249.1.248, 0:42:23, inside

If I ping the VPN client from the ASA outside interface I do not receive any reply; however, I can see the decrypted count go up on the VPN Client statistics and the encrypted count go up on the ASA.

ping outside 172.19.5.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.19.5.100, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)

sh crypto ipsec sa
#pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
#pkts decaps: 49, #pkts decrypt: 49, #pkts verify: 49
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 5, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0


If I ping the VPN client from the ASA inside interface I also do not receive any reply, and the decrypted count on the VPN Client statistics does NOT increase.  The encrypted count on the ASA also does not increase.

ping inside 172.19.5.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.19.5.100, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)

Any further suggestions?

Accepted Solution

by:Alan Huseyin Kayahan (earned 500 total points)
ID: 22834795
Add the following:
policy-map global_policy
 class inspection_default
  inspect icmp

Try testing with telnet to a specific port (i.e. 3389) instead of ping.

"The sh route on the ASA also shows a route to the VPN Client.

C    216.XXX.XXX.176 255.255.255.240 is directly connected, outside
S    172.19.5.100 255.255.255.255 [1/0] via 216.XXX.XXX.190, outside "

What we need is to have the following output on the 10.249.1.248 router:

S    172.19.5.0 255.255.255.0 [1/0] via 10.249.1.246,

Author Comment

by:BubbaJones82
ID: 22846902
Adding the static route into the adjacent router did the trick.
However, I'm going to look into other possible solutions.  OSPF should be advertising that network.  When you connect to the ASA with the VPN Client, a static route is added to the ASA table for the specific host.  I'm not sure why OSPF isn't sending this to the adjacent router.  I might possibly have to redistribute or something.  Not totally sure at this point.
 
Cheers
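As an added consistency check, not part of this thread, the Python script below parses the relevant lines of an ASA 7.x config like the one posted and reports two things: pool addresses that the `nat 0` exemption ACL does not cover (the 172.16.5.x versus 172.19.5.0/24 mismatch MrHusy flagged), and whether reverse-route injection is enabled while the OSPF process has no `redistribute static` line (the follow-up the author was still investigating). The embedded config excerpt is a constructed subset mirroring the posted lines, and treating `redistribute static` as the way to get the RRI host routes into OSPF is my assumption, not something the thread confirms.

```python
import ipaddress
import re
# Constructed excerpt mirroring the relevant lines of the posted ASA 7.2 config.
ASA_CONFIG = """\
access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.240.0.0 172.19.5.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 172.19.5.0 255.255.255.0
ip local pool vpnClientPool 172.16.5.100-172.16.5.120 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto dynamic-map vpnDynamicMap 10 set reverse-route
router ospf 24901
 network 10.249.1.0 255.255.255.0 area 0
"""
# Same excerpt with the pool moved into the subnet the nat 0 ACL actually exempts.
FIXED_CONFIG = ASA_CONFIG.replace("172.16.5.100-172.16.5.120", "172.19.5.100-172.19.5.120")

POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)")
ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)")
NAT0_RE = re.compile(r"^nat \(\S+\) 0 access-list (\S+)")

def nat0_destinations(config):
    """Destination networks of every ACL referenced by a 'nat (...) 0 access-list' line."""
    lines = config.splitlines()
    acl_names = {m.group(1) for m in map(NAT0_RE.match, lines) if m}
    nets = []
    for m in map(ACL_RE.match, lines):
        if m and m.group(1) in acl_names:
            # ASA ACLs carry real netmasks, which ipaddress accepts as "addr/mask".
            nets.append(ipaddress.ip_network(f"{m.group(4)}/{m.group(5)}"))
    return nets

def uncovered_pool_addresses(config):
    """Map each VPN pool name to the client addresses the nat 0 ACL does not exempt.
    Such addresses fall through to 'nat (inside) 1' and get PAT'd on the way back
    to the client, which is the pool/ACL mismatch flagged in the thread."""
    nets = nat0_destinations(config)
    findings = {}
    for m in filter(None, map(POOL_RE.match, config.splitlines())):
        first, last = (int(ipaddress.ip_address(m.group(i))) for i in (2, 3))
        findings[m.group(1)] = [str(ipaddress.ip_address(a)) for a in range(first, last + 1)
                                if not any(ipaddress.ip_address(a) in n for n in nets)]
    return findings

def rri_without_redistribution(config):
    """True if reverse-route injection is on but OSPF never redistributes static routes
    (assumed fix): the per-client host route the ASA installs then stays local to the ASA."""
    return "set reverse-route" in config and not re.search(r"^\s*redistribute static", config, re.M)

print(uncovered_pool_addresses(ASA_CONFIG))    # flags all 21 addresses of vpnClientPool
print(uncovered_pool_addresses(FIXED_CONFIG))  # {'vpnClientPool': []}
print(rri_without_redistribution(ASA_CONFIG))  # True
```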
Author Closing Comment

by:BubbaJones82
ID: 31511013
Thanks for the tip on this.  I struggled with it for days.