Solved

ASA Remote-Access VPN - Unable to reach inside network

Posted on 2008-10-28
1,723 Views
Last Modified: 2012-08-14
We have a Cisco ASA 5510 installed in one of our datacenters that we are using for remote-access VPN connections.  The Cisco VPN Client is able to connect and split tunneling is currently allowing us to use the internet but we are unable to access any of the resources on the "inside" of the ASA.

Our datacenter ip addressing is 10.x.x.x while our offices are 172.x.x.x.  We are unable to access resources in either.

The route details in the VPN client indicate that 10.0.0.0/8 and 172.16.0.0/12 are secured routes.
Tunnel details show that packets are being encrypted but none are being decrypted.

Consoled into the ASA, I am able to ping an address on the inside network.  I am unable to ping any address outside including the address of the connected VPN client.

Pinging from the VPN client seems to be reaching the inside interface however no response is returned.
ICMP echo request from 172.16.5.100 to 10.249.1.246 ID=1024 seq=1536 len=32
ICMP echo request from 172.16.5.100 to 10.249.1.246 ID=1024 seq=1792 len=32
ICMP echo request from 172.16.5.100 to 10.249.1.246 ID=1024 seq=2048 len=32
ICMP echo request from 172.16.5.100 to 10.249.1.246 ID=1024 seq=2304 len=32

Please see the below config for reference.  The route print is also attached.

ASA Version 7.2(4) 
!
hostname XXXX
domain-name XXXX
enable password XXXX encrypted
passwd XXXX encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address XXX.176.55.187 255.255.255.240 
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.249.1.246 255.255.255.0 
!
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
 timeout 30
 name-server 172.19.2.31
 domain-name XXX
access-list vpnSplitTunnel standard permit 172.16.0.0 255.240.0.0 
access-list vpnSplitTunnel standard permit 10.0.0.0 255.0.0.0
access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.240.0.0 172.19.5.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 172.19.5.0 255.255.255.0 
pager lines 24
logging enable
logging buffer-size 500000
mtu outside 1500
mtu inside 1500
ip local pool vpnClientPool 172.16.5.100-172.16.5.120 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 XXX.176.55.190 1
!
router ospf 24901
 router-id 10.249.1.246
 network 10.249.1.0 255.255.255.0 area 0
 log-adj-changes
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa-server vpnUsers protocol radius
aaa-server vpnUsers (inside) host 10.249.24.32
 key XXX
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection permit-vpn
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto dynamic-map vpnDynamicMap 10 set transform-set ESP-3DES-SHA
crypto dynamic-map vpnDynamicMap 10 set reverse-route
crypto map vpnMap 10 ipsec-isakmp dynamic vpnDynamicMap
crypto map vpnMap interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
crypto isakmp ipsec-over-tcp port 10000
telnet timeout 5
ssh timeout 5
console timeout 0
group-policy abc123 internal
group-policy abc123 attributes
 dns-server value 172.19.2.31
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpnSplitTunnel
 default-domain value XXXX
username XXXX password XXXX encrypted privilege 15
tunnel-group abc123 type ipsec-ra
tunnel-group abc123 general-attributes
 address-pool vpnClientPool
 default-group-policy abc123
tunnel-group abc123 ipsec-attributes
 pre-shared-key XXXX
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny 
  inspect esmtp 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip 
  inspect xdmcp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:00e61c7b5eeb447bb962df22d6262857
: end


route.txt
Question by:BubbaJones82
5 Comments
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 22832885
Hello BubbaJones82,
ip local pool vpn_pool 172.19.5.100-172.19.5.120 mask 255.255.255.0
tunnel-group abc123 general-attributes
no address-pool vpnClientPool
address-pool vpn_pool
no ip local pool vpnClientPool 172.16.5.100-172.16.5.120 mask 255.255.255.0

As far as I know, ASA can not have loopback interfaces so you can not advertise 172.19.5.0/24 network to adjacent router. You have to create a route for this VPN network in adjacent router manually.

Regards



LVL 1

Author Comment

by:BubbaJones82
ID: 22833369
Hello MrHusy,

I should have updated my post.  I saw that error earlier with the x.16.x.x and have already changed it to x.19.x.x.  Thanks for catching it though.  

Another thing I should have clarified is that the ASA has a public IP address on the outside interface.

In the route print I've attached, it shows that the VPN Client is receiving routes to the ASA and traffic is arriving at the ASA and being decrypted.  I just can't access anything on the inside of the ASA.

The sh route on the ASA also shows a route to the VPN Client.

C    216.XXX.XXX.176 255.255.255.240 is directly connected, outside
S    172.19.5.100 255.255.255.255 [1/0] via 216.XXX.XXX.190, outside
O E2 10.0.0.0 255.255.0.0 [110/20] via 10.249.1.248, 0:42:23, inside

If I ping the VPN client from the ASA outside interface I do not receive any reply, however I can see the decrypted count go up on the VPN Client statistics and the encrypted count go up on the ASA.

ping outside 172.19.5.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.19.5.100, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)

sh crypto ipsec sa
#pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
#pkts decaps: 49, #pkts decrypt: 49, #pkts verify: 49
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 5, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0


If I ping the VPN client from the ASA inside interface I also do not receive any reply and the decrypted count on the VPN Client statistics does NOT increase.  The encrypted count on the ASA also does not increase.

ping inside 172.19.5.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.19.5.100, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)

Any further suggestions?






LVL 29

Accepted Solution

by: Alan Huseyin Kayahan (earned 500 total points)
ID: 22834795
Add the following
policy-map global_policy
 class inspection_default
  inspect icmp

Try testing with telnet to a specific port (i.e. 3389) instead of ping.

"The sh route on the ASA also shows a route to the VPN Client.

C    216.XXX.XXX.176 255.255.255.240 is directly connected, outside
S    172.19.5.100 255.255.255.255 [1/0] via 216.XXX.XXX.190, outside "

What we need is to have the following output on the 10.249.1.248 router:

S    172.19.5.0 255.255.255.0 [1/0] via 10.249.1.246

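The accepted solution turns on two things the thread checks by hand: the nat0 ACL must exempt inside-to-pool traffic, and the adjacent inside router must have a route for the pool pointing back at the ASA inside address, otherwise replies follow its default route and never reach the tunnel. The following is an added example (not from the thread or from Cisco) that models both checks with longest-prefix matching; the router's table and its upstream gateway 10.249.1.1 are constructed sample data.

```python
import ipaddress

# Constructed sample of the adjacent router's (10.249.1.248) routing table,
# as it looks before the static route from the accepted solution is added.
# The default gateway 10.249.1.1 is an assumption, not from the thread.
ROUTER_BEFORE = [
    ("0.0.0.0/0", "10.249.1.1"),
    ("10.249.1.0/24", "connected"),
    ("10.249.24.0/24", "connected"),
]
ASA_INSIDE = "10.249.1.246"
VPN_POOL = "172.19.5.0/24"
# The fix: a static route for the VPN pool via the ASA inside interface.
ROUTER_AFTER = ROUTER_BEFORE + [(VPN_POOL, ASA_INSIDE)]

# The inside_nat0_outbound ACL from the posted config (source, destination).
NAT0_ACL = [("172.16.0.0/12", VPN_POOL), ("10.0.0.0/8", VPN_POOL)]


def next_hop(table, dst):
    """Longest-prefix match: the next hop the router would use for dst."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, via in table:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return best[1] if best else None


def return_path_ok(table, vpn_client, asa_inside=ASA_INSIDE):
    """True when replies for the VPN client are handed back to the ASA."""
    return next_hop(table, vpn_client) == asa_inside


def nat_exempt(acl, src, dst):
    """True when 'nat (inside) 0' matches src -> dst, so the reply is not
    translated to the outside address on its way into the tunnel."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in ipaddress.ip_network(a) and d in ipaddress.ip_network(b)
               for a, b in acl)


def diagnose(table, inside_host, vpn_client):
    """Both conditions an inside host's reply needs to reach the VPN client."""
    return {"nat_exempt": nat_exempt(NAT0_ACL, inside_host, vpn_client),
            "return_route_via_asa": return_path_ok(table, vpn_client),
            "next_hop": next_hop(table, vpn_client)}


if __name__ == "__main__":
    print("before:", diagnose(ROUTER_BEFORE, "10.249.24.32", "172.19.5.100"))
    print("after: ", diagnose(ROUTER_AFTER, "10.249.24.32", "172.19.5.100"))
```

Feeding the old pool address 172.16.5.100 into `nat_exempt` reproduces the mismatch the first comment caught: the ACL only exempts traffic to 172.19.5.0/24.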
LVL 1

Author Comment

by:BubbaJones82
ID: 22846902
Adding the static route into the adjacent router did the trick.
However, I'm going to look into other possible solutions.  OSPF should be advertising that network.  When you connect to the ASA with the VPN Client, a static route is added to the ASA table for the specific host.  I'm not sure why OSPF isn't sending this to the adjacent router.  I might possibly have to redistribute or something.  Not totally sure at this point.
 
Cheers
LVL 1

Author Closing Comment

by:BubbaJones82
ID: 31511013
Thanks for the tip on this.  I struggled with it for days.