TreyCarr
asked on
ASA 5505 remote access VPN issue
I am having trouble traversing NAT on an ASA5505. It is not allowing NAT traversal. Can you look at the config and tell me what needs to be changed?
Thanks,
: Saved
:
ASA Version 7.2(2)
!
hostname ama5505
domain-name ama.local
enable password UpnsM1iqlJ1HcxOF encrypted
names
name X.X.X.203 SBSSVR_EXT description WEBSERVER EXTERNALIP
name 10.10.11.2 SBSSVR_INT description WEBSERVER InternalIP
!
interface Vlan1
nameif inside
security-level 100
ip address 10.10.11.24 255.255.0.0
!
interface Vlan2
nameif outside
security-level 0
ip address X.X.X.202 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
speed 100
duplex full
!
interface Ethernet0/1
shutdown
!
interface Ethernet0/2
switchport access vlan 12
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
speed 100
duplex full
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
name-server SBSSVR_INT
name-server 10.10.11.12
domain-name ama.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list 120 remark **Outside Access-list**
access-list 120 extended permit icmp any any
access-list Outside-Inbound extended permit tcp any host SBSSVR_EXT eq www
access-list Outside-Inbound extended permit tcp any host SBSSVR_EXT eq https
access-list Outside-Inbound extended permit tcp any host SBSSVR_EXT eq smtp
access-list Outside-Inbound extended permit tcp any host SBSSVR_EXT eq 987
access-list Outside-Inbound extended permit icmp any any
access-list Outside-Inbound extended permit tcp XXX.XXX.206.0 255.255.255.0 any eq telnet
access-list Outside-Inbound extended permit tcp XXX.XXX.206.0 255.255.255.0 any eq ssh
access-list Outside-Inbound extended permit tcp XXX.XXX.206.0 255.255.255.0 any log
access-list Inbound-Outside extended permit tcp host SBSSVR_INT eq www any
access-list Inbound-Outside extended permit tcp host SBSSVR_INT eq https any
access-list Inbound-Outside extended permit tcp host SBSSVR_INT eq smtp any
access-list Inbound-Outside extended permit tcp host SBSSVR_INT eq 987 any
access-list Inbound-Outside extended permit icmp any any
access-list AMA_VPN_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.10.11.0 255.255.255.0
pager lines 24
logging enable
logging history emergencies
logging asdm informational
logging class auth history emergencies
logging class session history emergencies
logging class vpn history emergencies
mtu inside 1500
mtu outside 1500
ip local pool VPN_POOL2 192.168.1.10-192.168.1.19 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 2 SBSSVR_EXT-X.X.X.206 netmask 255.0.0.0
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) SBSSVR_EXT SBSSVR_INT netmask 255.255.255.255
access-group Outside-Inbound in interface outside
route outside 0.0.0.0 0.0.0.0 X.X.X.201 1
timeout xlate 1:30:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy AMA_VPN internal
group-policy AMA_VPN attributes
dns-server value 10.10.11.2 10.10.11.12
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value AMA_VPN_splitTunnelAcl
default-domain value AMA.LOCAL
username sammy password PJ1HyaWWuYlkPIZ. encrypted privilege 0
username sammy attributes
vpn-group-policy AMA_VPN
username tcarr password eYZdh.nUkFUSXnpe encrypted privilege 15
username amadmin password Wgiy/52QCbdrSgpD encrypted privilege 15
aaa authentication enable console LOCAL
http server enable
http 10.10.0.0 255.255.0.0 inside
snmp-server host inside 10.10.11.13 community Public
snmp-server location AMA
snmp-server contact IT Department
snmp-server community Public
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
tunnel-group AMA_VPN type ipsec-ra
tunnel-group AMA_VPN general-attributes
address-pool VPN_POOL2
default-group-policy AMA_VPN
tunnel-group AMA_VPN ipsec-attributes
pre-shared-key *
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0
!
!
prompt hostname context
Cryptochecksum:d593c090a210c6e7bb55a391987b25cb
: end
asdm image disk0:/asdm-522.bin
asdm location SBSSVR_INT 255.255.255.255 inside
asdm location SBSSVR_EXT 255.255.255.255 inside
no asdm history enable
ASKER
My VPN clients can't access the internal LAN; VPN clients are on 192.168.1.x and internal is on 10.10.11.x.
SOLUTION
Is this the ACL that you have?
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.10.11.x 255.255.255.0
You also can use packet tracer to see where the packets are being dropped.
ASKER CERTIFIED SOLUTION
ASKER
The packets are being dropped at the ACL. I will try Memo's suggestion and go from there.
ASKER
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: xx.xx.84.55
Type : user Role : responder
Rekey : no State : AM_ACTIVE
Global IKE Statistics
Active Tunnels: 1
Previous Tunnels: 8
In Octets: 55335
In Packets: 437
In Drop Packets: 7
In Notifys: 366
In P2 Exchanges: 8
In P2 Exchange Invalids: 0
In P2 Exchange Rejects: 0
In P2 Sa Delete Requests: 7
Out Octets: 41028
Out Packets: 416
Out Drop Packets: 0
Out Notifys: 722
Out P2 Exchanges: 0
Out P2 Exchange Invalids: 0
Out P2 Exchange Rejects: 0
Out P2 Sa Delete Requests: 0
Initiator Tunnels: 0
Initiator Fails: 0
Responder Fails: 1
System Capacity Fails: 0
Auth Fails: 1
Decrypt Fails: 0
Hash Valid Fails: 0
No Sa Fails: 0
Global IPSec over TCP Statistics
-------------------------- ------
Embryonic connections: 0
Active connections: 0
Previous connections: 0
Inbound packets: 0
Inbound dropped packets: 0
Outbound packets: 0
Outbound dropped packets: 0
RST packets: 0
Recevied ACK heart-beat packets: 0
Bad headers: 0
Bad trailers: 0
Timer failures: 0
Checksum errors: 0
Internal errors: 0
ama5505(config)#
here is the sh isakmp
ASKER
Your NATs are correct; you may want to revisit your policy statements for split tunneling. It seems that you are telling everything to NOT take the tunnel rather than just DNS.
What do I change them to?
Are your clients getting the IP pool addresses that you have defined?
Yes
Also what is the output of your: sh isakmp, sh ipsec sa, and sh xlate.
interface: outside
Crypto map tag: outside_dyn_map, seq num: 20, local addr: xx.xx.00.202
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.10/255.255.255.255/0/0)
current_peer: xx.xx.84.55, username: jenny
dynamic allocated peer ip: 192.168.1.10
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 26, #pkts decrypt: 26, #pkts verify: 26
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: xx.xx.00.202/4500, remote crypto endpt.: 65.33.84.55/2518
path mtu 1500, ipsec overhead 66, media mtu 1500
current outbound spi: 74915A0E
inbound esp sas:
spi: 0xA487BB5F (2760358751)
transform: esp-3des esp-sha-hmac none
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 12, crypto-map: outside_dyn_map
sa timing: remaining key lifetime (sec): 28777
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0x74915A0E (1955682830)
transform: esp-3des esp-sha-hmac none
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 12, crypto-map: outside_dyn_map
sa timing: remaining key lifetime (sec): 28759
IV size: 8 bytes
replay detection support: Y
ama5505(config)# sh xlate
14 in use, 370 most used
Global SBSSVR_EXT Local SBSSVR_INT
PAT Global xx.xx.00.202(12454) Local 10.10.11.60(1123)
PAT Global xx.xx.00.202(14487) Local 10.10.11.62(2620)
PAT Global xx.xx.00.202(14486) Local 10.10.11.62(2619)
PAT Global xx.xx.00.202(14485) Local 10.10.11.62(2618)
PAT Global xx.xx.00.202(14484) Local 10.10.11.62(2617)
PAT Global xx.xx.00.202(12605) Local 10.10.11.62(1225)
PAT Global xx.xx.00.202(12601) Local 10.10.11.62(1223)
PAT Global xx.xx.00.202(12598) Local 10.10.11.62(1219)
PAT Global xx.xx.00.202(12597) Local 10.10.11.62(1218)
PAT Global xx.xx.00.202(12587) Local 10.10.11.62(1203)
PAT Global xx.xx.00.202(59203) Local 10.10.11.66(2441)
PAT Global xx.xx.00.202(13599) Local 10.10.11.56(4712)
PAT Global xx.xx.00.202(6264) Local 10.10.11.57(1245)
ama5505(config)#
sho isakmp above
ASKER
access-list AMA_VPN_splitTunnelAcl standard permit 10.10.0.0 255.255.0.0 was what fixed this, I appreciate everyone's help
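The three things the thread circles around (the split-tunnel ACL not covering the inside network, the nat 0 exemption pairing the pool with the LAN, and a `global (outside)` ID with no matching `nat (inside)` ID, as the last reply guesses) can be checked mechanically from a config dump. The script below is an added example, not code from the thread or from Cisco: it parses a trimmed copy of the config above (with documentation addresses substituted for the masked public IPs) and reports each mismatch, then re-runs against the split-tunnel fix the asker reported. It assumes the old pre-8.3 `nat`/`global` syntax, accepts the inside/pool pair in the nat 0 ACL in either order (the expert here accepted the config's form), and only parses the `net mask net mask` form of extended ACL lines.

```python
"""Audit an ASA 7.x-style remote-access VPN config for the mismatches seen in this thread.

Finding codes:
  SPLIT_TUNNEL   split-tunnel ACL does not cover the inside network
  NAT0_MISSING / NAT0_PARTIAL   nat (inside) 0 ACL does not (fully) pair inside <-> VPN pool
  GLOBAL_UNUSED  a global (outside) ID has no nat (inside) with the same ID
"""
import ipaddress

# Constructed sample: the relevant lines of the thread's config, original (too narrow)
# split-tunnel ACL, and 198.51.100.0/24 documentation addresses for the masked public IPs.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 10.10.11.24 255.255.0.0
interface Vlan2
 nameif outside
 ip address 198.51.100.202 255.255.255.248
access-list AMA_VPN_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.10.11.0 255.255.255.0
ip local pool VPN_POOL2 192.168.1.10-192.168.1.19 mask 255.255.255.0
global (outside) 2 198.51.100.203-198.51.100.206 netmask 255.0.0.0
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
group-policy AMA_VPN attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value AMA_VPN_splitTunnelAcl
"""

# The asker's reported fix: widen the split-tunnel list to the whole inside /16.
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    "access-list AMA_VPN_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0",
    "access-list AMA_VPN_splitTunnelAcl standard permit 10.10.0.0 255.255.0.0")


def _net(addr, mask):
    """Turn an ASA 'address mask' pair into an IPv4Network (host bits dropped)."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_config(text):
    """Extract only the objects the audit needs from a running-config dump."""
    cfg = {"inside_net": None, "pools": {}, "std_acls": {}, "ext_acls": {},
           "nat0_acl": None, "split_acl": None, "global_ids": set(), "nat_ids": set()}
    nameif = None
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "interface":
            nameif = None                      # start of a new interface block
        elif t[0] == "nameif":
            nameif = t[1]
        elif t[:2] == ["ip", "address"] and nameif == "inside":
            cfg["inside_net"] = _net(t[2], t[3])
        elif t[:3] == ["ip", "local", "pool"]:
            cfg["pools"][t[3]] = _net(t[4].split("-")[0], t[6])   # pool network from first IP + mask
        elif t[0] == "access-list" and t[2:4] == ["standard", "permit"]:
            cfg["std_acls"].setdefault(t[1], []).append(_net(t[4], t[5]))
        elif t[0] == "access-list" and t[2:5] == ["extended", "permit", "ip"] and len(t) == 9:
            cfg["ext_acls"].setdefault(t[1], []).append((_net(t[5], t[6]), _net(t[7], t[8])))
        elif t[0] == "nat":
            cfg["nat_ids"].add(int(t[2]))
            if t[2] == "0" and t[3] == "access-list":
                cfg["nat0_acl"] = t[4]
        elif t[0] == "global":
            cfg["global_ids"].add(int(t[2]))
        elif t[:2] == ["split-tunnel-network-list", "value"]:
            cfg["split_acl"] = t[2]
    return cfg


def audit(text):
    """Return a list of (code, message) findings for a config dump."""
    cfg = parse_config(text)
    inside = cfg["inside_net"]
    if inside is None:
        return [("NO_INSIDE", "no interface with nameif inside found")]
    findings = []

    split = cfg["std_acls"].get(cfg["split_acl"], [])
    if not any(inside.subnet_of(n) for n in split):
        findings.append(("SPLIT_TUNNEL", f"{cfg['split_acl']} does not cover inside network {inside}; "
                         "clients send LAN-bound traffic out their local adapter, not the tunnel"))

    nat0 = cfg["ext_acls"].get(cfg["nat0_acl"], [])
    for name, pool in sorted(cfg["pools"].items()):
        # assumption: the inside/pool pair is accepted in either source/destination order
        full = any((inside.subnet_of(a) and pool.subnet_of(b)) or
                   (pool.subnet_of(a) and inside.subnet_of(b)) for a, b in nat0)
        partial = any((inside.overlaps(a) and pool.overlaps(b)) or
                      (pool.overlaps(a) and inside.overlaps(b)) for a, b in nat0)
        if not full:
            findings.append(("NAT0_PARTIAL" if partial else "NAT0_MISSING",
                             f"{cfg['nat0_acl']} does not fully exempt {inside} <-> pool {name} ({pool})"))

    for gid in sorted(cfg["global_ids"] - cfg["nat_ids"]):
        findings.append(("GLOBAL_UNUSED", f"global (outside) {gid} has no matching nat (inside) {gid}; "
                         "that address pool is never used"))
    return findings


def finding_codes(text):
    """Just the codes, in report order (handy for scripting a pass/fail)."""
    return [code for code, _ in audit(text)]


if __name__ == "__main__":
    for label, cfg_text in (("original", SAMPLE_CONFIG), ("after split-tunnel fix", FIXED_CONFIG)):
        print(f"== {label} ==")
        for code, msg in audit(cfg_text):
            print(f"  {code}: {msg}")
```

On the original config this reports all three codes; after the asker's fix only the two NAT-side observations remain, which matches the thread: the nat 0 ACL exempts 10.10.11.0/24 rather than the full 10.10.0.0/16 the inside interface carries, which did not matter for hosts on 10.10.11.x, and `global (outside) 2` is simply unused.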
ASKER
Thanks again. I have a new problem now, but I believe it is Hyper-V related. lol It isn't seeing a server... I'll try and figure it out and come back if I can't... *with a new question!*
Thanks for using EE
If I had to guess, it seems that you are having issues with the SBSSVR_EXT-X.X.X.206 range not getting access to the outside. If so, then you need to have a nat statement on the same ID as that global command line:
global (outside) 2 SBSSVR_EXT-X.X.X.206 netmask 255.0.0.0
access-list SBSSVR2_EXT_OUT permit ip any any
say something like: nat (inside) 2 access-list SBSSVR2_EXT_OUT
I may be way off here, but it would help to know what you are having an issue with. It appears that your static NAT and your internal hosts' NATs to the outside interface are in order.
HTH