Solved

ASA 5510 Vpn Routing table issue with cisco vpn client

Posted on 2008-11-16
Last Modified: 2012-05-05
Cisco VPN Client v5 connects to the ASA 5510 and every VPN client is able to ping servers / PCs on the 10.19.xx.xx network; however, they have no access to any of the remote sites that connect into the same ASA and 1811 router. Remote site IPs: 10.18.xx.xx, 10.39.xx.xx (etc.). This is odd because any computer on the 10.19.xx can ping the above remote sites. I think this is a routing table issue tied in with OSPF, but I am not knowledgeable enough to fix this. Listed below I have the running-config of the ASA followed by the Cisco 2811. IPs 10.19.248.1-49 are the IPs handed out by the ASA for VPN clients. The CLI then shows:
router ospf 1
network 10.19.248.0 255.255.255.0 area 0

Looking at the 2811 router, there's an ip route for these Cisco VPN clients to route back to the ASA on 251.1, as shown below:
ip route 10.19.248.0 255.255.255.0 10.19.251.1
I also think the router ospf 1 section right above in the config file looks wrong. Please look at the configs and advise on why the VPN client IPs (10.19.248.xx) can only communicate with servers / PCs on the 10.19.xx.xx network. As I am still new to posting questions on here, I will paste in both configs and attach a .txt file that has both configs. Thanks for helping me resolve this.
ASA 5510 config:
mtu inside2 1500
mtu DMZ 1500
mtu management 1500
ip local pool RemoteUsers 10.19.248.1-10.19.248.49 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
asdm image disk0:/ASDM-524.BIN
asdm history enable
arp timeout 14400
global (outside) 1 interface
global (inside2) 25 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (inside2) 1 0.0.0.0 0.0.0.0
nat (DMZ) 0 access-list DMZ_nat0_outbound outside
static (inside,outside) tcp xx.xx.xx.xx smtp Barracuda smtp netmask 255.255.255.255
static (inside,outside) tcp xx.xx.xx.xx https Server04 https netmask 255.255.255.255
static (inside,outside) tcp xx.xx.xx.xx www Server04 www netmask 255.255.255.255
static (inside,outside) tcp xx.xx.xx.xx ftp Server04 ftp netmask 255.255.255.255
static (DMZ,outside) xx.xx.xx.xx 10.19.11.2 netmask 255.255.255.255
static (inside,outside) xx.xx.xx.xx 10.19.250.2 netmask 255.255.255.255
static (inside,inside2) 10.19.10.3 10.19.10.3 netmask 255.255.255.255
static (inside,outside) xx.xx.xx.xx 10.19.251.2 netmask 255.255.255.255
static (inside,DMZ) 10.19.10.0 10.19.10.0 netmask 255.255.255.0
static (inside,DMZ) voicevlan voicevlan netmask 255.255.255.0
static (inside,DMZ) 10.102.1.0 10.102.1.0 netmask 255.255.255.0
static (inside,DMZ) 10.10.1.0 10.10.1.0 netmask 255.255.255.0
static (inside,DMZ) 10.251.251.0 10.251.251.0 netmask 255.255.255.0
access-group outside_access_in in interface outside
access-group DMZ_access_in in interface DMZ
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.xx 1
!
router ospf 1
 network 10.19.11.0 255.255.255.0 area 0
 network 10.19.248.0 255.255.255.0 area 0
 network 10.19.249.0 255.255.255.248 area 0
 network 10.19.251.0 255.255.255.248 area 0
 area 0
 log-adj-changes
 redistribute static
 default-information originate always
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa authentication telnet console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.10.10.0 255.255.255.0 inside
http 10.102.0.0 255.255.0.0 inside
http 10.19.10.0 255.255.255.0 inside
http 10.100.0.0 255.255.0.0 inside
http 192.168.0.0 255.255.0.0 inside
http 10.19.0.0 255.255.0.0 inside
snmp-server host inside 10.100.10.101
snmp-server host inside 10.102.1.20
snmp-server host inside 10.19.20.3
snmp-server host inside 10.19.249.3
snmp-server host inside 10.27.10.100
snmp-server host inside 10.36.10.101
snmp-server host inside 10.48.10.100
snmp-server host inside 10.19.10.4
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-SHA
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-DES-SHA
crypto dynamic-map outside_dyn_map 60 match address outside_cryptomap_dyn_60
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-DES-SHA
crypto dynamic-map outside_dyn_map 80 match address outside_cryptomap_dyn_80
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-DES-SHA
crypto dynamic-map outside_dyn_map 100 set pfs group1
crypto dynamic-map outside_dyn_map 100 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 120 set pfs group1
crypto dynamic-map outside_dyn_map 120 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
telnet 10.19.0.0 255.255.0.0 inside
telnet 10.100.0.0 255.255.0.0 inside
telnet 10.102.0.0 255.255.0.0 inside
telnet 10.19.10.0 255.255.255.0 inside
telnet 10.19.249.0 255.255.255.0 inside
telnet 192.168.1.0 255.255.255.0 management
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ftp
!
service-policy global_policy global
ssl encryption des-sha1 rc4-md5
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server value 10.19.10.2 10.19.10.4
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain value nightingale.local
 split-dns none
 intercept-dhcp 255.255.255.255 disable
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 msie-proxy server none
 msie-proxy method no-modify
 msie-proxy except-list none
 msie-proxy local-bypass disable
 nac disable
 nac-sq-period 300
 nac-reval-period 36000
 nac-default-acl none
 address-pools none
 smartcard-removal-disconnect enable
 client-firewall none
 client-access-rule none
 webvpn
  functions url-entry
  html-content-filter none
  homepage none
  keep-alive-ignore 4
  http-comp gzip
  filter none
  url-list none
  customization value DfltCustomization
  port-forward none
  port-forward-name value Application Access
  sso-server none
  deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
  svc none
  svc keep-installer installed
  svc keepalive none
  svc rekey time none
  svc rekey method none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc compression deflate
group-policy FCCS internal
group-policy FCCS attributes
 dns-server value 10.19.10.4 10.19.10.2
 vpn-tunnel-protocol IPSec l2tp-ipsec
 default-domain value nightingale.local
group-policy mhsvendor internal
group-policy mhsvendor attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value mhsvendor_splitTunnelAcl
group-policy Connect internal
group-policy Connect attributes
 dns-server value 10.19.10.2 10.19.10.4
 vpn-tunnel-protocol IPSec l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Connect_splitTunnelAcl
 default-domain value nightingale.local
 split-dns value nightingale.local
group-policy connect internal
group-policy connect attributes
 dns-server value 10.19.10.4 10.19.10.2
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value connect_splitTunnelAcl
 default-domain value nightingale.local
group-policy Connect_1 internal
group-policy Connect_1 attributes
 dns-server value 10.19.10.4 10.19.10.2
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Connect_splitTunnelAcl
 default-domain value nightingale.local
: end

Cisco 2811 config:
!
!
interface Loopback0
 ip address 10.19.240.10 255.255.255.0
 ip pim dense-mode
!
interface Tunnel1
 no ip address
!
interface Tunnel18
 description Multilink tunnel for all remote VPN Clients
 bandwidth 1544
 ip address 10.251.251.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip pim sparse-dense-mode
 ip nhrp authentication S3tFre3
 ip nhrp map multicast dynamic
 ip nhrp network-id 18
 ip nhrp holdtime 600
 ip nhrp cache non-authoritative
 ip tcp adjust-mss 1360
 no ip split-horizon eigrp 1
 no ip mroute-cache
 ip ospf network broadcast
 ip ospf cost 100
 ip ospf priority 2
 delay 1000
 qos pre-classify
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 18
 tunnel protection ipsec profile dmvpn
!
interface FastEthernet0/0
 description Connection to 3560sw 0/22
 ip address 10.19.251.2 255.255.255.248
 ip access-group voicemarks out
 ip pim dense-mode
 ip virtual-reassembly
 ip tcp adjust-mss 1200
 duplex auto
 speed auto
 service-policy output voip-rtp
!
interface FastEthernet0/1
 description GATEWAYS FOR VLAN's
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/1.1
 encapsulation dot1Q 1 native
 ip address 10.19.1.254 255.255.255.0
 standby 1 ip 10.19.1.10
 standby 1 preempt
!
interface FastEthernet0/1.10
 encapsulation dot1Q 10
 ip address 10.19.10.254 255.255.255.0
 standby 10 ip 10.19.10.10
 standby 10 priority 150
 standby 10 preempt
!
interface FastEthernet0/1.20
 encapsulation dot1Q 20
 ip address 10.19.20.254 255.255.255.0
 standby 20 ip 10.19.20.10
 standby 20 priority 150
 standby 20 preempt
!
interface Serial0/0/0:23
 no ip address
 encapsulation hdlc
 isdn switch-type primary-ni
 isdn incoming-voice voice
 isdn bind-l3 ccm-manager
 no cdp enable
!
interface Serial0/0/1:2
 ip address 10.19.253.1 255.255.255.252
 compress stac
 service-policy output voip-rtp-t1
!
router ospf 1
 router-id 10.1.1.1
 log-adjacency-changes
 network 10.19.0.0 0.0.255.255 area 0
 network 10.251.251.0 0.0.0.255 area 0
!
ip route 10.19.248.0 255.255.255.0 10.19.251.1
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
ip pim rp-address 10.19.20.10
ip pim autorp listener
!
ip access-list extended cmftest
 deny   ip host 10.19.20.1 any
 permit ip any any
ip access-list extended voicemarks
 permit udp any any precedence routine
 permit udp any any precedence priority
 permit udp any any precedence immediate
 permit udp any any precedence flash
 permit udp any any precedence flash-override
 permit udp any any precedence critical
 permit udp any any precedence internet
 permit udp any any precedence network
 permit tcp any any precedence routine
 permit tcp any any precedence priority
 permit tcp any any precedence immediate
 permit tcp any any precedence flash
 permit tcp any any precedence flash-override
 permit tcp any any precedence critical
 permit tcp any any precedence internet
 permit tcp any any precedence network
 permit ip any any
!
logging trap notifications
access-list 100 deny   udp host 10.19.20.1 range 16384 32768 any
access-list 100 permit ip any any
snmp-server community
snmp-server community
snmp-server enable traps syslog
!
!
!
!
control-plane
!
!
!
voice-port 0/0/0:23
!
voice-port 0/1/0
!
voice-port 0/1/1
!
voice-port 0/1/2
!
voice-port 0/1/3
!
voice-port 0/2/0
!
voice-port 0/2/1
!
voice-port 0/2/2
!
voice-port 0/2/3
!
voice-port 0/3/0
!
voice-port 0/3/1
!
voice-port 0/3/2
!
voice-port 0/3/3
!
ccm-manager fallback-mgcp
ccm-manager mgcp
ccm-manager music-on-hold
ccm-manager config server 10.19.20.1
!
mgcp
mgcp call-agent 10.19.20.1 2427 service-type mgcp version 0.1
mgcp dtmf-relay voip codec all mode out-of-band
mgcp rtp unreachable timeout 1000 action notify
mgcp modem passthrough voip mode nse
mgcp package-capability rtp-package
no mgcp package-capability res-package
mgcp package-capability sst-package
no mgcp package-capability fxr-package
mgcp package-capability pre-package
no mgcp timer receive-rtcp
mgcp sdp simple
mgcp fax t38 inhibit
mgcp rtp payload-type g726r16 static
mgcp bind control source-interface Loopback0
mgcp bind media source-interface Loopback0
!
mgcp profile default
!
sccp local FastEthernet0/0
sccp ccm 10.19.20.1 identifier 1 priority 1 version 4.1
sccp
!
sccp ccm group 1
 associate ccm 1 priority 1
 associate profile 1 register MTP001
!
dspfarm profile 1 transcode
 codec g711ulaw
 codec g711alaw
 codec g729ar8
 codec g729abr8
 maximum sessions 6
 associate application SCCP
!
!
dial-peer voice 999000 pots
 service mgcp
 destination-pattern 9T
 incoming called-number ....
 direct-inward-dial
 port 0/0/0:23
!
dial-peer voice 999010 pots
 service mgcpapp
 port 0/1/0
!
dial-peer voice 999011 pots
 service mgcpapp
 port 0/1/1
!
dial-peer voice 999012 pots
 service mgcpapp
 port 0/1/2
!
dial-peer voice 999013 pots
 service mgcpapp
 port 0/1/3
!
dial-peer voice 999020 pots
 service mgcpapp
 port 0/2/0
!
dial-peer voice 999021 pots
 service mgcpapp
 port 0/2/1
!
dial-peer voice 999022 pots
 service mgcpapp
 port 0/2/2
!
dial-peer voice 999023 pots
 service mgcpapp
 port 0/2/3
!
dial-peer voice 999030 pots
 service mgcpapp
 port 0/3/0
!
dial-peer voice 999031 pots
 service mgcpapp
 port 0/3/1
!
dial-peer voice 999032 pots
 service mgcpapp
 port 0/3/2
!
dial-peer voice 999033 pots
 service mgcpapp
 port 0/3/3
!
!
!
!
call-manager-fallback
 max-conferences 8 gain -6
 transfer-system full-consult
 ip source-address 10.19.240.10 port 2000
 max-ephones 42
 max-dn 50
 translate calling 1
 translate called 1
!
banner login ^C This is a private network.  Unauthorized access is prohibited ^C
alias exec c config t
alias exec i show ip route
alias exec snh show ip nhrp | in 10.251
alias exec sdp show run | b dial-peer
alias exec svcs show voice call sum | ex 50
alias exec svp show run | b voice-port
!
line con 0
 login local
line aux 0
 login local
line vty 0 4
 session-timeout 45
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler allocate 20000 1000
ntp clock-period 17180158
ntp master
ntp server 192.73.48.2 prefer
!
end
asa5510.txt
Cisco2811.txt
Question by:davidkidder01
Expert Comment

by:ricks_v
ID: 22972563
I haven't looked further into the config, but try this:
sysopt connection permit-vpn (this will bypass ACL and NAT for all IPsec traffic)
Let me know how it goes; once we get this working, we can narrow it down by working on ACL or NAT only.
Author Comment

by:davidkidder01
ID: 22972740
Added sysopt connection permit-vpn in the Cisco ASA. Connected via the Cisco VPN Client.
Shown below is the ipconfig of the VPN client PC and 3 different ping attempts: 1 ping in the 10.19.xx had replies, 2 more outside the 10.19.xx got "Request timed out." It would still appear that there is some sort of breakdown in the routing. 10.19.248.0 255.255.255.0 should be able to access any of our internal networkable addresses besides the 10.19.xx.xx range.

Ethernet adapter Local Area Connection 2:

   Connection-specific DNS Suffix  . : nightingale.local
   IPv4 Address. . . . . . . . . . . : 10.19.248.1
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :


Pinging server04.nightingale.local [10.19.10.12] with 32 bytes of data:
Reply from 10.19.10.12: bytes=32 time=62ms TTL=127
Reply from 10.19.10.12: bytes=32 time=59ms TTL=127
Reply from 10.19.10.12: bytes=32 time=60ms TTL=127

Pinging petrel.nightingale.local [10.39.10.110] with 32 bytes of data:
Request timed out.

Pinging rno-002.nightingale.local [10.49.10.100] with 32 bytes of data:
Request timed out.
Expert Comment

by:ricks_v
ID: 22972923
You don't seem to have a route for 10.49.x.x and 10.39.x.x.
Try adding it statically:
route 10.49.0.0 255.255.0.0 10.19.251.1 / any appropriate interface
route 10.39.0.0 255.255.0.0 10.19.251.1 / any appropriate interface

or dynamically on OSPF if desired

Author Comment

by:davidkidder01
ID: 22975855
Would prefer to have this dynamic on OSPF. There are 18 different remote sites. As we grow, I don't want to have to continue to statically add the routes. Can you guide me through routing dynamically on OSPF? Keeping in mind I only want to impact the 10.19.248.0 group.
Thanks
Accepted Solution

by: ricks_v (earned 1500 total points)
ID: 22983403
Haven't used OSPF on the ASA, but try this anyway (with console access, please, so you can always reverse it if something happens):

router ospf 1
 network 10.49.0.0 255.255.0.0 area 0
 network 10.39.0.0 255.255.0.0 area 0
Good luck
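As an added check that is not part of the thread or either device's own output, the Python script below parses both the ASA-style (subnet mask) and IOS-style (wildcard mask) OSPF network statements quoted above, reports which local interface addresses they actually enable OSPF on, and does a longest-prefix lookup in both directions for a VPN-pool address and a remote-site address, which is the forward/return pair the ping tests exercise. The ASA inside address 10.19.251.1, the spoke next hop 10.251.251.39 and the whole hub routing table are assumptions constructed for the example, not a real `show route`.

```python
import ipaddress
# OSPF 'network' statements quoted in the thread.  The ASA form carries a
# subnet mask, the IOS form a wildcard mask; ipaddress accepts both spellings.
ASA_OSPF = [
    "network 10.19.11.0 255.255.255.0 area 0",
    "network 10.19.248.0 255.255.255.0 area 0",
    "network 10.19.249.0 255.255.255.248 area 0",
    "network 10.19.251.0 255.255.255.248 area 0",
]
IOS_OSPF = [
    "network 10.19.0.0 0.0.255.255 area 0",
    "network 10.251.251.0 0.0.0.255 area 0",
]

def parse_network_stmts(lines):
    """Return the IPv4 networks named by 'network <addr> <mask> area <n>' lines."""
    nets = []
    for line in lines:
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "network":
            nets.append(ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False))
    return nets

def ospf_enabled_interfaces(interface_ips, stmts):
    """A network statement enables OSPF only on local interfaces whose address
    falls inside it; return those addresses (a statement covering none enables nothing)."""
    nets = parse_network_stmts(stmts)
    hits = [ip for ip in interface_ips
            if any(ipaddress.ip_address(ip) in n for n in nets)]
    return sorted(hits, key=ipaddress.ip_address)

def longest_match(route_table, dest):
    """Plain longest-prefix lookup over {prefix: next_hop}; None if no route."""
    d = ipaddress.ip_address(dest)
    best = None
    for prefix, next_hop in route_table.items():
        net = ipaddress.ip_network(prefix)
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None

def check_round_trip(route_table, src, dst):
    """(next hop toward dst, next hop back toward src); None marks a gap."""
    return longest_match(route_table, dst), longest_match(route_table, src)

# Constructed hub table: connected networks and the VPN-pool static route from
# the 2811 config plus one assumed spoke prefix; 10.49/16 is left out on purpose.
HUB_ROUTES = {
    "10.19.251.0/29": "connected",
    "10.251.251.0/24": "connected",
    "10.19.248.0/24": "10.19.251.1",   # static route from the thread
    "10.39.0.0/16": "10.251.251.39",   # assumed spoke next hop (constructed)
}

if __name__ == "__main__":
    # 10.19.251.1 is assumed to be the ASA inside address the static route points at
    print(ospf_enabled_interfaces(["10.19.251.2", "10.251.251.1", "10.19.253.1"], IOS_OSPF))
    print(ospf_enabled_interfaces(["10.19.251.1"], ASA_OSPF + ["network 10.49.0.0 255.255.0.0 area 0"]))
    print(check_round_trip(HUB_ROUTES, "10.19.248.1", "10.39.10.110"))
```

A `None` in the second position of `check_round_trip` is the case the ping tests show: the forward hop exists but the device has no route back to the 10.19.248.0/24 pool.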
Author Closing Comment

by:davidkidder01
ID: 31517271
This worked.  Sorry for the delay.  Finally back at the office after all this traveling.  Thanks