Solved

Cisco ASA 5510 VPN

Posted on 2009-04-07
Last Modified: 2012-05-06
Hi
I'm setting up a VPN connection to the company internal network. All traffic is based on a Cisco ASA 5510. I've set it all up with this tutorial http://www.youtube.com/watch?v=YuDbHCZwzlM&feature=related . After this I'm able to connect to the VPN with no problem, but after connecting to the VPN I'm losing my internet connection and get weird network settings on the VPN interface. All hosts from the company internal network are able to connect to me (icmp, http etc.) but it doesn't work in the opposite direction - I can't reach any host on the internal network :(

Cisco configuration :
WAN settings : XXX.XXX.XXX.XXX/28
LAN settings : 192.168.3.1/24
VPN IP range : 192.168.3.40-50

VPN Client interface configuration (after connecting to VPN) using Cisco VPN Client Software :
IP : 192.168.3.40/24
Gateway : 192.168.3.40 (here I'm confused because I always thought that the gateway is the IP AND MASK calculation, so 192.168.3.40/255.255.255.0 should give 192.168.3.1 as default gateway)
DNS : expected_ip

Also, when I'm connected to the VPN my default gateway on the VPN client is automatically switched to the VPN default gateway - this is for sure the reason for losing the internet connection, even if different interfaces on vpn_client (wifi, another eth) are connected to the internet.

So in one question I would like to ask about 3 different things:

1. Why, after connecting to the VPN, is the default gateway on vpn_client automatically changed to the VPN interface gateway?
2. Why do I get such a weird gateway?
3. If I want to use the built-in Windows XP VPN client, should I set up an additional (let's call it) vpn_profile?

Please excuse me for putting 3 questions in 1, but the description of the issue is required and would be the same for all 3 questions. Hope nobody minds. Any tips would be appreciated ...
Question by:szczecin
22 Comments
 

Expert Comment by:theoaks (LVL 5)
split tunneling will enable you to access the internet while your vpn is connected.

stick with the cisco vpn client for accessing the vpn (I don't even think windows can make the connection on its own)

and ....

post your config (a sho run from the asa) so we can tell you why everything is happening, ie your client not being able to see you on the vpn

Expert Comment by:theoaks (LVL 5)
your interface is correct, your default gateway should be 3.40 - that is not a problem...

Expert Comment by:Pete Long (LVL 57)

Enabling Split Tunnelling
If it's v7 or 8, add the two lines
access-list RemoteVPN_splitTunnelAcl standard permit 192.168.3.0 255.255.255.0
group-policy Remote-VPN attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RemoteVPN_splitTunnelAcl

 ~where Remote-VPN is the name of the Remote VPN Policy/Group

Accepted Solution by:e3user (LVL 2, earned 500 total points)
First, it is better to change the scope for your vpn clients to something other than your internal network, to avoid confusion. And concerning the internet, you should do nat0 matching the ACL of the interesting traffic so you can have internet and VPN connectivity (but be careful about your company security policy; they may not want to open that, for it is considered a security risk).

If you can access your ASA by console, try this in global config mode:

isakmp enable outside
isakmp identity address
isakmp policy 10
authentication pre-share  
encryption des  
hash md5  
group 2
lifetime 86400


ip local pool vpnpool 10.1.1.2-10.1.1.10

access-list split_tunnel standard permit 192.168.3.0 255.255.255.0

group-policy labvpn internal
group-policy labvpn attributes
     dns value xxxexpected_ip
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value split_tunnel

username user password user
username user attributes
     vpn-group-policy labvpn

tunnel-group labvpn ipsec-attributes
     pre-shared-key cisco123

access-list vpnra permit ip 192.168.3.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 0 access-list vpnra

crypto ipsec transform-set md5des esp-des esp-md5-hmac
crypto dynamic-map dynomap 10 set transform-set md5des
crypto map vpnpeer 20 ipsec-isakmp dynamic dynomap
crypto map vpnpeer interface outside


Glad to help :)

Author Comment by:szczecin
Ok, first of all I would like to add that all configuration changes are made through ASDM - but CLI commands one by one as e3user gave here should not be a problem.

E3user:
1. "first it is better to change the scope for your vpn clients to other than your internal network to avoid confusion" - changing the scope is clear to me, but how do I provide traffic between the internal network and vpn_clients - should I add some rules to the routing table?
2. What do you mean by that? - (but be careful about your company security policy, they may not want to open that for it is considered a security risk)

Regarding my original question - why, after connecting to the vpn, could I reach the vpn_client from corporate network hosts but could not reach internal hosts from the vpn client?

Expert Comment by:e3user (LVL 2)
hello,

1. You do not need to configure routing, for it is to the ASA a directly connected network; it is done via an ACL and the nat0 command to identify the interesting traffic and split tunnel.

2. This is from the Cisco site:
 http://www.cisco.com/en/US/products/ps61/products_configuration_example09186a0080702999.shtml

 Warning: Split tunneling can pose a security risk when configured. Because VPN Clients have unsecured access to the Internet, they can be compromised by an attacker. That attacker might then be able to access the corporate LAN via the IPsec tunnel. A compromise between full tunneling and split tunneling can be to allow VPN Clients local LAN access only.

3. If you cannot access the internal network via vpn it should be an acl problem.
If you are using the wizard there is a step: ''IPsec Settings (Optional)''; be sure to put your internal network to which the clients should be able to connect and check ''enable split tunnel ...'' if you want to permit access simultaneously to the internet.

hope it helps:)

Expert Comment by:e3user (LVL 2)
be sure that on your cisco vpn profile settings click modify---> transport TAB ---> ALLOW LOCAL LAN ACCESS should be checked

furthermore for testing, when you connect via vpn client:
right click the icon on your taskbar --> statistics--->route details

on the secured routes your internal network should be there and not 0.0.0.0 if you want them to access internet and inside.

:)

Author Comment by:szczecin
Ok, I will try the next step tomorrow. I've added these commands to the configuration (thanks PeteLong):

access-list RemoteVPN_splitTunnelAcl standard permit 192.168.3.0 255.255.255.0
group-policy Remote-VPN attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value RemoteVPN_splitTunnelAcl

~where Remote-VPN is the name of the Remote VPN Policy/Group

After saving to flash memory, after connecting to the internal network through vpn I still can't reach any internal host, but there is one change - dns started to work - I got the IP from the hostname with the ping command.

The security issue with simultaneous internet and vpn connection made me realize that I don't want an internet connection and vpn at the same time, so I'll just drop it. Now I just want to provide communication in both directions between internal hosts and the vpn client.

Author Comment by:szczecin
1. be sure that on your cisco vpn profile settings click modify---> transport TAB ---> ALLOW LOCAL LAN ACCESS should be checked - it was in the first configuration.

2. on the secured routes your internal network should be there and not 0.0.0.0 if you want them to access internet and inside. - I have such routes after connecting to VPN, but I'll leave them as they are now because I don't want to have a connection to the internet at the same time as the VPN

I've just found many such errors in syslog:

3. Apr 10 2009      09:02:48      305005      192.168.3.255 No translation group found for udp src internet:192.168.3.40/137 dst localnet:192.168.3.255/137

Author Comment by:szczecin
Still no internal host access after connecting to VPN. Any help?

Expert Comment by:e3user (LVL 2)
hey ... did you do this?

 access-list vpnra permit ip 192.168.3.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 0 access-list vpnra
 

Author Comment by:szczecin
10.1.1.0 255.255.255.0 - is it the vpn clients' IP pool?

Expert Comment by:e3user (LVL 2)
yes it is the vpn pool

Author Comment by:szczecin
After
access-list vpnra permit ip 192.168.3.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 0 access-list vpnra

nothing has changed.

Expert Comment by:e3user (LVL 2)
if you can do a show run and show me

Author Comment by:szczecin

: Saved
:
ASA Version 8.0(3)
!
hostname ciscoasa
enable password tytyty encrypted
names
!
interface Ethernet0/0
 nameif internet
 security-level 100
 ip address y.y.y.y 255.255.255.248
!
interface Ethernet0/1
 nameif localnet
 security-level 0
 ip address 192.168.3.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.250 255.255.255.0
 management-only
!
passwd fgh encrypted
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list localnet_access_in extended permit ip any any
access-list localnet_access_in extended permit ip 192.168.3.32 255.255.255.224 any
access-list vpn_splitTunnelAcl standard permit any
access-list localnet_nat0_outbound extended permit ip any 192.168.3.32 255.255.255.224
access-list localnet_nat0_outbound extended permit ip 192.168.3.0 255.255.255.0 192.168.3.32 255.255.255.224
access-list vpn_splitTunnelAcl_1 standard permit any
access-list internet_nat0_outbound extended permit ip any 192.168.3.32 255.255.255.224
access-list internet_nat0_outbound extended permit ip 192.168.3.0 255.255.255.0 192.168.3.32 255.255.255.224
access-list DefaultRAGroup_splitTunnelAcl standard permit any
access-list vpn-access_splitTunnelAcl standard permit any
access-list management_nat0_outbound extended permit ip 192.168.3.0 255.255.255.0 192.168.3.32 255.255.255.224
access-list management_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.3.32 255.255.255.224
pager lines 24
logging enable
logging asdm informational
mtu internet 1500
mtu localnet 1500
mtu management 1500
ip local pool vpn-pool 192.168.3.40-192.168.3.50 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
global (internet) 1 interface
nat (internet) 0 access-list internet_nat0_outbound
nat (localnet) 0 access-list localnet_nat0_outbound
nat (localnet) 1 192.168.3.0 255.255.255.0 outside
nat (management) 0 access-list management_nat0_outbound
access-group localnet_access_in in interface localnet
route internet 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.3.0 255.255.255.0 localnet
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 120
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5 TRANS_ESP_3DES_SHA
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route
crypto map internet_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map internet_map interface internet
crypto map localnet_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map localnet_map interface localnet
crypto isakmp enable internet
crypto isakmp enable localnet
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 50
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.251-192.168.1.254 management
dhcpd enable management
!
vpn load-balancing
 interface lbpublic internet
 interface lbprivate internet
threat-detection basic-threat
threat-detection statistics access-list
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value a.a.a.a b.b.b.b
 vpn-tunnel-protocol l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
username zzz password xxx encrypted privilege 15
username vpn_user password xxx encrypted privilege 15
username vpn_user attributes
 service-type remote-access
tunnel-group DefaultRAGroup general-attributes
 address-pool vpn-pool
 authentication-server-group (internet) LOCAL
 authorization-server-group (internet) LOCAL
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
 peer-id-validate nocheck
tunnel-group vpn-access type remote-access
tunnel-group vpn-access general-attributes
 address-pool vpn-pool
tunnel-group vpn-access ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
: end


Expert Comment by:e3user (LVL 2)
hey there,

nat (internet) 0 access-list internet_nat0_outbound
nat (localnet) 0 access-list localnet_nat0_outbound
nat (localnet) 1 192.168.3.0 255.255.255.0 outside
nat (management) 0 access-list management_nat0_outbound
access-group localnet_access_in in interface localnet

1. why does your internet interface (outside) have a security level of 100 and inside 0? They should be reversed.
and you do not need any acl to permit traffic from a high security level (inside) to a low security level (outside); it is enabled by default.

2. nat (localnet) 1 192.168.3.0 255.255.255.0 outside - where is the outside interface? In your case this should be: nat (localnet) 1 192.168.3.0 255.255.255.0 internet

3. why are you using nat0 so many times?

4. same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

I advise you, after you do 1 and 2, to remove the same-security-traffic

5. if it is possible for you, try to reset to factory default, for your config is over-complicated. Try to configure it using CLI; it is very simple, you can troubleshoot easily, and I can help you with the config.

Author Comment by:szczecin
I'll reset to default settings and configure through CLI. I'm trying to set it up on a test system the same as the production system, but when I move this config to the production system a reset to default settings will not be acceptable.

Author Comment by:szczecin
As I said, I've reset the device to the default configuration and run the commands from this link: http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/vpnrmote.html

Same problem. Connected by VPN client without any problems, but still no traffic between VPN clients and internal hosts.
enable password zzzxxxccc encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address x.x.x.x 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.3.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.20.1 255.255.255.0
 management-only
!
passwd aaasssddd encrypted
ftp mode passive
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu outside 1500
mtu inside 1500
ip local pool vpnpool 192.168.0.10-192.168.0.20
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.20.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set Firstset esp-3des esp-md5-hmac
crypto dynamic-map dyn1 1 set transform-set Firstset
crypto dynamic-map dyn1 1 set reverse-route
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map mymap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.20.2-192.168.20.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
username vpnuser password some_password encrypted
tunnel-group vpngroup type remote-access
tunnel-group vpngroup general-attributes
 address-pool vpnpool
tunnel-group vpngroup ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:3addeb01b1a7f8c6a71a75c94d908a8a
: end


Expert Comment by:e3user (LVL 2)
do a reset now and configure it. If you need any help, tell me.
once you set up the interfaces and the nat, use the vpn config I put; it will work perfectly. just don't paste everything at once, edit them in a notepad and paste every 3 or 4 commands at a time.

glad to help :)

Author Comment by:szczecin
Your configuration solved my problem, but I had to change it a little bit (additional commands marked by <<< >>>). This configuration enables ipsec vpn with split tunneling, authenticated by username and password:

isakmp enable outside
isakmp identity address
isakmp policy 10
authentication pre-share  
encryption des  
hash md5  
group 2
lifetime 86400

ip local pool vpnpool 10.1.1.2-10.1.1.10

access-list split_tunnel standard permit 192.168.3.0 255.255.255.0

group-policy labvpn internal
group-policy labvpn attributes
     dns value xxxexpected_ip
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value split_tunnel

username user password user
username user attributes
     vpn-group-policy labvpn

<<< tunnel-group labvpn type ipsec-ra >>>
<<< tunnel-group labvpn general-attributes>>>
<<< address-pool vpnpool >>>

tunnel-group labvpn ipsec-attributes
     pre-shared-key cisco123

access-list vpnra permit ip 192.168.3.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 0 access-list vpnra

crypto ipsec transform-set md5des esp-des esp-md5-hmac
crypto dynamic-map dynomap 10 set transform-set md5des
crypto map vpnpeer 20 ipsec-isakmp dynamic dynomap
crypto map vpnpeer interface outside

Author Closing Comment by:szczecin
The commands below should be added before the "tunnel-group labvpn ipsec-attributes" command:

tunnel-group labvpn type ipsec-ra
tunnel-group labvpn general-attributes
address-pool vpnpool
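As an added example (not from the thread, not a Cisco tool), a small Python checker that encodes e3user's review points on the first "show run" (inverted security levels, a nat statement naming a non-existent "outside" interface, a VPN pool inside the inside subnet with no nat 0 exemption) and the closing comment's missing tunnel-group lines, run over constructed config snippets. The 203.0.113.x addresses are assumptions; the rest is taken from the configs posted above.

```python
import ipaddress
import re

# Hypothetical checker written for this page, not a Cisco tool. Constructed samples: the
# thread's first 'show run' cut to the lines that mattered, and the accepted solution's config.
BAD = """interface Ethernet0/0
 nameif internet
 security-level 100
 ip address 203.0.113.2 255.255.255.248
interface Ethernet0/1
 nameif localnet
 security-level 0
 ip address 192.168.3.1 255.255.255.0
ip local pool vpn-pool 192.168.3.40-192.168.3.50 mask 255.255.255.0
nat (localnet) 1 192.168.3.0 255.255.255.0 outside
route internet 0.0.0.0 0.0.0.0 203.0.113.1 1
tunnel-group vpn-access ipsec-attributes
"""
GOOD = """interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.3.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
ip local pool vpnpool 10.1.1.2-10.1.1.10
access-list vpnra permit ip 192.168.3.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 0 access-list vpnra
tunnel-group labvpn type ipsec-ra
tunnel-group labvpn general-attributes
 address-pool vpnpool
"""

def parse_interfaces(cfg):
    # Map nameif -> (security-level, network) from the 'interface' blocks.
    ifaces, cur = {}, None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            cur = {}
        elif not line.startswith(" "):
            cur = None  # any non-indented line ends the block
        elif cur is not None:
            key, _, val = line.strip().partition(" ")
            cur[key] = val
        if cur and {"nameif", "security-level", "ip"} <= set(cur):
            addr, mask = cur["ip"].split()[1:3]  # 'address A.B.C.D MASK'
            ifaces[cur["nameif"]] = (int(cur["security-level"]), ipaddress.ip_network(f"{addr}/{mask}", strict=False))
    return ifaces

def lint(cfg):
    # Return findings for the problems the thread's experts pointed out; [] means clean.
    out, ifaces = [], parse_interfaces(cfg)
    # 1. e3user: the default-route (Internet) interface must have the lowest security-level.
    m = re.search(r"^route (\S+) 0\.0\.0\.0 0\.0\.0\.0 ", cfg, re.M)
    if m and m.group(1) in ifaces and min(l for l, _ in ifaces.values()) < ifaces[m.group(1)][0]:
        out.append(f"default-route interface {m.group(1)} is not the lowest security-level")
    # 2. e3user: every interface a nat statement names must exist ('... outside' did not).
    for tok in (l.split() for l in re.findall(r"^nat .*$", cfg, re.M)):
        names = {tok[1].strip("()")} | ({tok[-1]} if "access-list" not in tok and tok[-1][0].isalpha() else set())
        out += [f"nat references unknown interface {n}" for n in names if n not in ifaces]
    # 3. e3user: keep the pool off the inside subnet and exempt inside<->pool traffic with nat 0.
    exempt = set(re.findall(r"^nat \(\S+\) 0 access-list (\S+)", cfg, re.M))
    acl = re.findall(r"^access-list (\S+) (?:extended )?permit ip (?:any|\S+ \S+) (any|\S+ \S+)$", cfg, re.M)
    for pool, first in re.findall(r"^ip local pool (\S+) (\S+)-", cfg, re.M):
        ip = ipaddress.ip_address(first)
        out += [f"pool {pool} overlaps the {n} subnet {net}" for n, (_, net) in ifaces.items() if ip in net]
        if not any(n in exempt and (d == "any" or ip in ipaddress.ip_network("/".join(d.split()), strict=False)) for n, d in acl):
            out.append(f"pool {pool} has no nat 0 exemption covering it")
    # 4. closing comment: a tunnel-group needs 'type' and an address-pool under general-attributes.
    for g in sorted(set(re.findall(r"^tunnel-group (\S+)", cfg, re.M))):
        gen = re.search(rf"^tunnel-group {re.escape(g)} general-attributes\n((?: .*\n?)*)", cfg, re.M)
        if not re.search(rf"^tunnel-group {re.escape(g)} type ", cfg, re.M) or not gen or "address-pool" not in gen.group(1):
            out.append(f"tunnel-group {g} lacks 'type' or an address-pool under general-attributes")
    return out
```

Running lint(BAD) reports all five problems the thread worked through; lint(GOOD) returns an empty list.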