Solved

Cisco ASA 5510 VPN

Posted on 2009-04-07
Last Modified: 2012-05-06
Hi
I'm setting up a VPN connection to the company internal network. All traffic is based on a Cisco ASA 5510. I've set it all up with this tutorial http://www.youtube.com/watch?v=YuDbHCZwzlM&feature=related . After this I'm able to connect to the VPN with no problem, but after connecting to the VPN I'm losing internet connection and get weird network settings on the VPN interface. All hosts from the company internal network are able to connect to me (icmp, http etc.) but it doesn't work in the opposite direction - I can't reach any host from the internal network :(

Cisco configuration :
WAN settings : XXX.XXX.XXX.XXX/28
LAN settings : 192.168.3.1/24
VPN IP range : 192.168.3.40-50

VPN Client interface configuration (after connecting to VPN) using Cisco VPN Client Software :
IP : 192.168.3.40/24
Gateway : 192.168.3.40 ( here I'm confused because I always thought that the gateway is the IP AND MASK calculation, so 192.168.3.40/255.255.255.0 should give 192.168.3.1 as default gateway )
DNS : expected_ip

Also when I'm connected to the VPN my default gateway on the VPN client is automatically switched to the VPN default gateway - this is for sure the reason for losing internet connection, even if different interfaces on vpn_client (wifi, another eth) are connected to the internet.

So in one question I would like to ask about 3 different things:

1. Why, after connecting to the VPN, is the default gateway on vpn_client automatically changed to the VPN interface gateway?
2. Why do I get such a weird gateway?
3. If I want to use the built-in Windows XP VPN client, should I set up an additional (let's call it) vpn_profile?

Please excuse me for putting 3 questions in 1, but the issue description is required and would be the same for all 3 questions. Hope no one minds. Any tips would be appreciated ...
Question by: szczecin
LVL 5

Expert Comment

by:theoaks
ID: 24087179
Split tunneling will enable you to access the internet while your VPN is connected.

Stick with the Cisco VPN client for accessing the VPN (I don't even think Windows can make the connection on its own).

and ....

Post your config (a sho run from the ASA) so we can tell you why everything is happening, i.e. your client not being able to see you on the VPN.
LVL 5

Expert Comment

by:theoaks
ID: 24087200
your interface is correct, your default gateway should be 3.40 - that is not a problem...
LVL 57

Expert Comment

by:Pete Long
ID: 24087258

Enabling Split Tunnelling
If it's v7 or 8, add these lines:
access-list RemoteVPN_splitTunnelAcl standard permit 192.168.3.0 255.255.255.0
group-policy Remote-VPN attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RemoteVPN_splitTunnelAcl

 ~where Remote-VPN is the name of the Remote VPN Policy/Group
LVL 2

Accepted Solution

by:
e3user earned 500 total points
ID: 24096510
First, it is better to change the scope for your VPN clients to something other than your internal network to avoid confusion. And concerning the internet, you should do nat0 matching the ACL of the interesting traffic so you can have internet and VPN connectivity (but be careful about your company security policy, they may not want to open that, for it is considered a security risk).

If you can access your ASA by console, try this in global config mode:

isakmp enable outside
isakmp identity address
isakmp policy 10
authentication pre-share  
encryption des  
hash md5  
group 2
lifetime 86400


ip local pool vpnpool 10.1.1.2-10.1.1.10

access-list split_tunnel standard permit 192.168.3.0 255.255.255.0

group-policy labvpn internal
group-policy labvpn attributes
     dns value xxxexpected_ip
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value split_tunnel

username user password user
username user attributes
     vpn-group-policy labvpn

tunnel-group labvpn ipsec-attributes
     pre-shared-key cisco123

access-list vpnra permit ip 192.168.3.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 0 access-list vpnra

crypto ipsec transform-set md5des esp-des esp-md5-hmac
crypto dynamic-map dynomap 10 set transform-set md5des
crypto map vpnpeer 20 ipsec-isakmp dynamic dynomap
crypto map vpnpeer interface outside


Glad to help :)
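The two points this answer makes (a client pool that does not overlap the inside LAN, and a nat0 exemption on the inside interface that covers inside-to-pool traffic) can be checked mechanically before the config is pushed. The following Python is an added example, not part of the answer and not a Cisco tool; it parses only the handful of commands used in the snippets in this thread, and the two sample configs embedded in it are constructed from the lines posted above (the accepted answer's snippet, and the pool and nat0 lines from the author's first show run).

```python
"""Sanity-check an ASA 8.x remote-access VPN snippet for two things:
the client pool must not overlap the inside LAN, and a nat0 (NAT exemption)
ACL bound to the inside interface must cover inside -> pool traffic.

Added example; the parser understands only 'ip local pool', extended
'access-list ... permit ip' entries and 'nat (if) 0 access-list NAME'.
"""
import ipaddress

# Constructed from the accepted answer's snippet (only the lines the check needs).
ACCEPTED_CONFIG = """
ip local pool vpnpool 10.1.1.2-10.1.1.10
access-list split_tunnel standard permit 192.168.3.0 255.255.255.0
access-list vpnra permit ip 192.168.3.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 0 access-list vpnra
"""

# Constructed from the author's first show run: the pool is carved out of the LAN itself.
ORIGINAL_CONFIG = """
access-list localnet_nat0_outbound extended permit ip any 192.168.3.32 255.255.255.224
access-list localnet_nat0_outbound extended permit ip 192.168.3.0 255.255.255.0 192.168.3.32 255.255.255.224
ip local pool vpn-pool 192.168.3.40-192.168.3.50 mask 255.255.255.0
nat (localnet) 0 access-list localnet_nat0_outbound
"""


def _take_net(tokens):
    """Consume one ACL address spec: 'any', 'host A.B.C.D', or 'A.B.C.D MASK'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}", strict=False)


def parse_config(text):
    """Return (pools, acls, nat0): pool name -> (first, last) address,
    ACL name -> [(src_net, dst_net)], interface -> ACL bound with 'nat (if) 0'."""
    pools, acls, nat0 = {}, {}, {}
    for raw in text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        if parts[:3] == ["ip", "local", "pool"]:
            first, last = parts[4].split("-")
            pools[parts[3]] = (ipaddress.ip_address(first), ipaddress.ip_address(last))
        elif parts[0] == "access-list" and "permit" in parts:
            i = parts.index("permit")
            if parts[i + 1] != "ip":  # standard ACLs (split tunnel) are not NAT rules
                continue
            tokens = parts[i + 2:]
            src = _take_net(tokens)
            dst = _take_net(tokens)
            acls.setdefault(parts[1], []).append((src, dst))
        elif parts[0] == "nat" and len(parts) >= 5 and parts[2] == "0" and parts[3] == "access-list":
            nat0[parts[1].strip("()")] = parts[4]
    return pools, acls, nat0


def pool_overlaps(pool, net):
    """True if any address of the contiguous pool lies inside net."""
    first, last = pool
    return first <= net.broadcast_address and last >= net.network_address


def nat0_covers(acls, nat0, inside_if, inside_net, pool):
    """True if the nat0 ACL bound to inside_if exempts inside_net -> pool from NAT."""
    entries = acls.get(nat0.get(inside_if), [])
    first, last = pool
    return any(inside_net.subnet_of(src) and first in dst and last in dst
               for src, dst in entries)


def audit(text, inside_if, inside_net, pool_name):
    """Return a list of findings; an empty list means both checks pass."""
    inside_net = ipaddress.ip_network(inside_net)
    pools, acls, nat0 = parse_config(text)
    if pool_name not in pools:
        return [f"pool {pool_name} is not defined"]
    findings = []
    if pool_overlaps(pools[pool_name], inside_net):
        findings.append("pool overlaps inside LAN")
    if not nat0_covers(acls, nat0, inside_if, inside_net, pools[pool_name]):
        findings.append("no nat0 exemption for inside -> pool")
    return findings


if __name__ == "__main__":
    print(audit(ACCEPTED_CONFIG, "inside", "192.168.3.0/24", "vpnpool"))      # []
    print(audit(ORIGINAL_CONFIG, "localnet", "192.168.3.0/24", "vpn-pool"))  # ['pool overlaps inside LAN']
```

Run against the author's original lines the audit shows that a NAT exemption was already in place; the finding left is the pool sitting inside 192.168.3.0/24, which is the first thing the answer asks to change.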

Author Comment

by:szczecin
ID: 24097318
Ok, first of all I would like to add that all configuration changes are made through ASDM - but CLI commands one by one as e3user gave here should not be a problem.

E3user :
1. "first it is better to change the scope for your vpn clients to other than your internal network to avoid confusion" - changing the scope is clear to me, but how do I provide traffic between the internal network and vpn_clients - should I add some rules to the routing table?
2. What do you mean by that? - (but be careful about your company security policy, they may not want to open that for it is considered a security risk)

Regarding my original question - why, after connecting to the VPN, could I reach the vpn_client from corporate network hosts but not reach internal hosts from the VPN client?
LVL 2

Expert Comment

by:e3user
ID: 24097539
hello,

1. You do not need to configure routing, since to the ASA it is a directly connected network; it is done via an ACL and the nat0 command to identify the interesting traffic and split tunnel.

2.   This is from Cisco site:
 http://www.cisco.com/en/US/products/ps61/products_configuration_example09186a0080702999.shtml

 Warning: Split tunneling can pose a security risk when configured. Because VPN Clients have unsecured access to the Internet, they can be compromised by an attacker. That attacker might then be able to access the corporate LAN via the IPsec tunnel. A compromise between full tunneling and split tunneling can be to allow VPN Clients local LAN access only.

3. If you cannot access the internal network via VPN it should be an ACL problem.
If you are using the wizard there is a step: ''IPsec Settings (Optional)''. Be sure to put your internal network, to which the clients should be able to connect, and check ''enable split tunnel ...'' if you want to permit access simultaneously to the internet.

hope it helps:)


LVL 2

Expert Comment

by:e3user
ID: 24097616
Be sure that in your Cisco VPN profile settings, click Modify ---> Transport tab ---> ALLOW LOCAL LAN ACCESS should be checked.

furthermore for testing, when you connect via vpn client:
right click the icon on your taskbar --> statistics--->route details

on the secured routes your internal network should be there and not 0.0.0.0 if you want them to access internet and inside.

:)

Author Comment

by:szczecin
ID: 24098058
Ok, I will try the next step tomorrow. I've added those commands to the configuration (thanks PeteLong):

access-list RemoteVPN_splitTunnelAcl standard permit 192.168.3.0 255.255.255.0
group-policy Remote-VPN attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value RemoteVPN_splitTunnelAcl

~where Remote-VPN is the name of the Remote VPN Policy/Group

After saving to flash memory, after connecting to the internal network through the VPN I still can't reach any internal host, but there is one change - DNS started to work - I got the IP from the hostname in the ping command.

The security issue with a simultaneous internet and VPN connection made me realize that I don't want an internet connection and VPN at the same time, so I'll just drop it. Now I just want to provide both-direction communication between internal hosts and the vpnclient.

Author Comment

by:szczecin
ID: 24114216
1. be sure that on your cisco vpn profile settings click modify---> transport TAB ---> ALLOW LOCAL LAN ACCESS should be checked - it was in the first configuration.

2. on the secured routes your internal network should be there and not 0.0.0.0 if you want them to access internet and inside. - I have such routes after connecting to the VPN, but I'll leave them as they are now because I don't want to have a connection to the internet at the same time as the VPN.

I've just found many such errors in the syslog:

3. Apr 10 2009      09:02:48      305005      192.168.3.255 No translation group found for udp src internet:192.168.3.40/137 dst localnet:192.168.3.255/137
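The 305005 messages quoted above can be triaged automatically, and they carry the diagnosis: the source address 192.168.3.40 belongs to the localnet subnet but arrives on the internet interface. The following Python is an added example, not from the thread and not a Cisco tool; the log lines and the interface-to-subnet map in it are constructed (modelled on the posted line and on the interface names in the thread's two show run outputs), and the two causes it labels, "overlap" versus "no-nat-rule", are this example's own naming.

```python
"""Triage ASA 305005 ("No translation group found") syslog lines.

Added example. It separates two causes of the message: the flow has no NAT
rule or exemption at all, or the source claims an address from the
destination interface's own subnet while arriving on a different interface,
which is what a VPN pool carved out of the inside LAN produces.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the format the author pasted; the interface names
# follow the two show run outputs in the thread, the addresses and ports are made up.
SAMPLE_LOG = [
    "Apr 10 2009 09:02:48 305005 192.168.3.255 No translation group found for udp src internet:192.168.3.40/137 dst localnet:192.168.3.255/137",
    "Apr 10 2009 09:02:49 305005 192.168.3.255 No translation group found for udp src internet:192.168.3.40/138 dst localnet:192.168.3.255/138",
    "Apr 10 2009 09:03:01 305005 192.168.3.20 No translation group found for tcp src outside:10.1.1.5/49152 dst inside:192.168.3.20/445",
    "Apr 10 2009 09:03:02 302013 Built outbound TCP connection 1234 for outside:10.1.1.5/80 (10.1.1.5/80) to inside:192.168.3.20/51000 (192.168.3.20/51000)",
]

# Constructed interface -> subnet map; the WAN address is masked in the thread, so it is omitted.
IFACE_NETS = {
    "localnet": ipaddress.ip_network("192.168.3.0/24"),
    "inside": ipaddress.ip_network("192.168.3.0/24"),
    "management": ipaddress.ip_network("192.168.1.0/24"),
}

MSG_RE = re.compile(
    r"No translation group found for (?P<proto>\w+) "
    r"src (?P<src_if>[^:\s]+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dst_if>[^:\s]+):(?P<dst>[\d.]+)/(?P<dport>\d+)"
)


def parse_305005(line):
    """Return the flow fields of a 305005 line, or None for any other message."""
    m = MSG_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["src"] = ipaddress.ip_address(ev["src"])
    ev["dst"] = ipaddress.ip_address(ev["dst"])
    ev["sport"] = int(ev["sport"])
    ev["dport"] = int(ev["dport"])
    return ev


def classify(ev, iface_nets):
    """'overlap' when the source address lies in the destination interface's
    subnet but arrived on another interface; otherwise 'no-nat-rule'
    (a missing translation or nat0 exemption for that interface pair)."""
    dst_net = iface_nets.get(ev["dst_if"])
    if dst_net is not None and ev["src_if"] != ev["dst_if"] and ev["src"] in dst_net:
        return "overlap"
    return "no-nat-rule"


def triage(lines, iface_nets):
    """Count 305005 events by (cause, src_if, dst_if, proto); other messages are ignored."""
    summary = Counter()
    for line in lines:
        ev = parse_305005(line)
        if ev is None:
            continue
        summary[(classify(ev, iface_nets), ev["src_if"], ev["dst_if"], ev["proto"])] += 1
    return summary


if __name__ == "__main__":
    for key, count in triage(SAMPLE_LOG, IFACE_NETS).items():
        print(count, key)
```

An "overlap" count points at the address plan (move the pool out of the LAN), while "no-nat-rule" for a VPN-to-inside pair points at a missing nat0 exemption; both show up in the same syslog message, so the split saves a round of guessing.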

Author Comment

by:szczecin
ID: 24137540
Still no internal host access after connecting to the VPN. Any help?
LVL 2

Expert Comment

by:e3user
ID: 24139151
hey ... did you do this?

 access-list vpnra permit ip 192.168.3.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 0 access-list vpnra

Author Comment

by:szczecin
ID: 24146604
10.1.1.0 255.255.255.0 - is it vpn clients IP pool ?
LVL 2

Expert Comment

by:e3user
ID: 24147227
yes it is the vpn pool

Author Comment

by:szczecin
ID: 24147436
After
access-list vpnra permit ip 192.168.3.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 0 access-list vpnra

nothing has changed.
LVL 2

Expert Comment

by:e3user
ID: 24147724
if you can do a show run and show me

Author Comment

by:szczecin
ID: 24166918

: Saved
:
ASA Version 8.0(3)
!
hostname ciscoasa
enable password tytyty encrypted
names
!
interface Ethernet0/0
 nameif internet
 security-level 100
 ip address y.y.y.y 255.255.255.248
!
interface Ethernet0/1
 nameif localnet
 security-level 0
 ip address 192.168.3.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.250 255.255.255.0
 management-only
!
passwd fgh encrypted
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list localnet_access_in extended permit ip any any
access-list localnet_access_in extended permit ip 192.168.3.32 255.255.255.224 any
access-list vpn_splitTunnelAcl standard permit any
access-list localnet_nat0_outbound extended permit ip any 192.168.3.32 255.255.255.224
access-list localnet_nat0_outbound extended permit ip 192.168.3.0 255.255.255.0 192.168.3.32 255.255.255.224
access-list vpn_splitTunnelAcl_1 standard permit any
access-list internet_nat0_outbound extended permit ip any 192.168.3.32 255.255.255.224
access-list internet_nat0_outbound extended permit ip 192.168.3.0 255.255.255.0 192.168.3.32 255.255.255.224
access-list DefaultRAGroup_splitTunnelAcl standard permit any
access-list vpn-access_splitTunnelAcl standard permit any
access-list management_nat0_outbound extended permit ip 192.168.3.0 255.255.255.0 192.168.3.32 255.255.255.224
access-list management_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.3.32 255.255.255.224
pager lines 24
logging enable
logging asdm informational
mtu internet 1500
mtu localnet 1500
mtu management 1500
ip local pool vpn-pool 192.168.3.40-192.168.3.50 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
global (internet) 1 interface
nat (internet) 0 access-list internet_nat0_outbound
nat (localnet) 0 access-list localnet_nat0_outbound
nat (localnet) 1 192.168.3.0 255.255.255.0 outside
nat (management) 0 access-list management_nat0_outbound
access-group localnet_access_in in interface localnet
route internet 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.3.0 255.255.255.0 localnet
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 120
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5 TRANS_ESP_3DES_SHA
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route
crypto map internet_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map internet_map interface internet
crypto map localnet_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map localnet_map interface localnet
crypto isakmp enable internet
crypto isakmp enable localnet
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 50
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.251-192.168.1.254 management
dhcpd enable management
!
vpn load-balancing
 interface lbpublic internet
 interface lbprivate internet
threat-detection basic-threat
threat-detection statistics access-list
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value a.a.a.a b.b.b.b
 vpn-tunnel-protocol l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
username zzz password xxx encrypted privilege 15
username vpn_user password xxx encrypted privilege 15
username vpn_user attributes
 service-type remote-access
tunnel-group DefaultRAGroup general-attributes
 address-pool vpn-pool
 authentication-server-group (internet) LOCAL
 authorization-server-group (internet) LOCAL
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
 peer-id-validate nocheck
tunnel-group vpn-access type remote-access
tunnel-group vpn-access general-attributes
 address-pool vpn-pool
tunnel-group vpn-access ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
: end

LVL 2

Expert Comment

by:e3user
ID: 24174265
hey there,

nat (internet) 0 access-list internet_nat0_outbound
nat (localnet) 0 access-list localnet_nat0_outbound
nat (localnet) 1 192.168.3.0 255.255.255.0 outside
nat (management) 0 access-list management_nat0_outbound
access-group localnet_access_in in interface localnet

1. Why does your internet interface (outside) have a security level of 100 and inside 0? It should be reversed.
And you do not need any ACL to permit traffic from a high security level (inside) to a low security level (outside); it is enabled by default.

2. nat (localnet) 1 192.168.3.0 255.255.255.0 outside , where is the outside interface? In your case this should be: nat (localnet) 1 192.168.3.0 255.255.255.0 internet

3. why are you using the nat0 so many times?

4.same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
 
I advise you, after you do 1 and 2, to remove the same-security-traffic lines.

5. If it is possible for you, try to reset to factory default, for your config is over-complicated. Try to configure it using the CLI, it is very simple and you can troubleshoot easily, and I can help you with the config.

Author Comment

by:szczecin
ID: 24192776
I'll reset to default settings and configure through the CLI. I'm trying to set it up on a test system the same as the production system, but when I move this config to the production system a reset to default settings will not be acceptable.

Author Comment

by:szczecin
ID: 24193100
As I said, I've reset the device to the default configuration and run the commands from this link: http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/vpnrmote.html

Same problem. Connected by VPN client without any problems, but still no traffic available between VPN clients and internal hosts.
enable password zzzxxxccc encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address x.x.x.x 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.3.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.20.1 255.255.255.0
 management-only
!
passwd aaasssddd encrypted
ftp mode passive
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu outside 1500
mtu inside 1500
ip local pool vpnpool 192.168.0.10-192.168.0.20
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.20.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set Firstset esp-3des esp-md5-hmac
crypto dynamic-map dyn1 1 set transform-set Firstset
crypto dynamic-map dyn1 1 set reverse-route
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map mymap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.20.2-192.168.20.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
username vpnuser password some_password encrypted
tunnel-group vpngroup type remote-access
tunnel-group vpngroup general-attributes
 address-pool vpnpool
tunnel-group vpngroup ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:3addeb01b1a7f8c6a71a75c94d908a8a
: end

LVL 2

Expert Comment

by:e3user
ID: 24193109
Do a reset now and configure it. If you need any help, tell me.
Once you set up the interfaces and the NAT, use the VPN config I put; it will work perfectly. Just don't paste everything at once, edit them in a notepad and paste every 3 or 4 commands at a time.

glad to help :)

Author Comment

by:szczecin
ID: 24293735
Your configuration solved my problem but I had to change it a little bit (additional commands marked by <<< >>>). This configuration enables an IPsec VPN with split tunneling, authenticated by username and password:

isakmp enable outside
isakmp identity address
isakmp policy 10
authentication pre-share  
encryption des  
hash md5  
group 2
lifetime 86400

ip local pool vpnpool 10.1.1.2-10.1.1.10

access-list split_tunnel standard permit 192.168.3.0 255.255.255.0

group-policy labvpn internal
group-policy labvpn attributes
     dns value xxxexpected_ip
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value split_tunnel

username user password user
username user attributes
     vpn-group-policy labvpn

<<< tunnel-group labvpn type ipsec-ra >>>
<<< tunnel-group labvpn general-attributes>>>
<<< address-pool vpnpool >>>

tunnel-group labvpn ipsec-attributes
     pre-shared-key cisco123

access-list vpnra permit ip 192.168.3.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 0 access-list vpnra

crypto ipsec transform-set md5des esp-des esp-md5-hmac
crypto dynamic-map dynomap 10 set transform-set md5des
crypto map vpnpeer 20 ipsec-isakmp dynamic dynomap
crypto map vpnpeer interface outside

Author Closing Comment

by:szczecin
ID: 31567493
The commands below should be added before the "tunnel-group labvpn ipsec-attributes" command:

tunnel-group labvpn type ipsec-ra
tunnel-group labvpn general-attributes
address-pool vpnpool