Solved

ASA 5505 remote access VPN issue

Posted on 2010-08-16
11
509 Views
Last Modified: 2012-05-10
I am having trouble traversing NAT on an ASA5505. It is not allowing NAT traversal. Can you look at the config and tell me what needs to be changed?

Thanks,

: Saved
:
ASA Version 7.2(2) 
!
hostname ama5505
domain-name ama.local
enable password UpnsM1iqlJ1HcxOF encrypted
names
name X.X.X.203 SBSSVR_EXT description WEBSERVER EXTERNALIP
name 10.10.11.2 SBSSVR_INT description WEBSERVER InternalIP
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.10.11.24 255.255.0.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address X.X.X.202 255.255.255.248 
!
interface Ethernet0/0
 switchport access vlan 2
 speed 100
 duplex full
!
interface Ethernet0/1
 shutdown
!
interface Ethernet0/2
 switchport access vlan 12
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 speed 100
 duplex full
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
 name-server SBSSVR_INT
 name-server 10.10.11.12
 domain-name ama.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list 120 remark **Outside Access-list**
access-list 120 extended permit icmp any any 
access-list Outside-Inbound extended permit tcp any host SBSSVR_EXT eq www 
access-list Outside-Inbound extended permit tcp any host SBSSVR_EXT eq https 
access-list Outside-Inbound extended permit tcp any host SBSSVR_EXT eq smtp 
access-list Outside-Inbound extended permit tcp any host SBSSVR_EXT eq 987 
access-list Outside-Inbound extended permit icmp any any 
access-list Outside-Inbound extended permit tcp XXX.XXX.206.0 255.255.255.0 any eq telnet 
access-list Outside-Inbound extended permit tcp XXX.XXX.206.0 255.255.255.0 any eq ssh 
access-list Outside-Inbound extended permit tcp XXX.XXX.206.0 255.255.255.0 any log 
access-list Inbound-Outside extended permit tcp host SBSSVR_INT eq www any 
access-list Inbound-Outside extended permit tcp host SBSSVR_INT eq https any 
access-list Inbound-Outside extended permit tcp host SBSSVR_INT eq smtp any 
access-list Inbound-Outside extended permit tcp host SBSSVR_INT eq 987 any 
access-list Inbound-Outside extended permit icmp any any 
access-list AMA_VPN_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.10.11.0 255.255.255.0 
pager lines 24
logging enable
logging history emergencies
logging asdm informational
logging class auth history emergencies 
logging class session history emergencies 
logging class vpn history emergencies 
mtu inside 1500
mtu outside 1500
ip local pool VPN_POOL2 192.168.1.10-192.168.1.19 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 2 SBSSVR_EXT-X.X.X.206 netmask 255.0.0.0
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) SBSSVR_EXT SBSSVR_INT netmask 255.255.255.255 
access-group Outside-Inbound in interface outside
route outside 0.0.0.0 0.0.0.0 X.X.X.201 1
timeout xlate 1:30:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy AMA_VPN internal
group-policy AMA_VPN attributes
 dns-server value 10.10.11.2 10.10.11.12
 vpn-tunnel-protocol IPSec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value AMA_VPN_splitTunnelAcl
 default-domain value AMA.LOCAL
username sammy password PJ1HyaWWuYlkPIZ. encrypted privilege 0
username sammy attributes
 vpn-group-policy AMA_VPN
username tcarr password eYZdh.nUkFUSXnpe encrypted privilege 15
username amadmin password Wgiy/52QCbdrSgpD encrypted privilege 15
aaa authentication enable console LOCAL 
http server enable
http 10.10.0.0 255.255.0.0 inside
snmp-server host inside 10.10.11.13 community Public
snmp-server location AMA
snmp-server contact IT Department
snmp-server community Public
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto dynamic-map outside_dyn_map 20 set pfs 
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
tunnel-group AMA_VPN type ipsec-ra
tunnel-group AMA_VPN general-attributes
 address-pool VPN_POOL2
 default-group-policy AMA_VPN
tunnel-group AMA_VPN ipsec-attributes
 pre-shared-key *
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0

!
!
prompt hostname context 
Cryptochecksum:d593c090a210c6e7bb55a391987b25cb
: end
asdm image disk0:/asdm-522.bin
asdm location SBSSVR_INT 255.255.255.255 inside
asdm location SBSSVR_EXT 255.255.255.255 inside
no asdm history enable

0
Question by:TreyCarr
11 Comments
 
LVL 20

Expert Comment

by:MightySW
ID: 33451197
Hi, what are you trying to NAT to? I mean, what isn't working? Can your inside clients not get outside, or can your outside host not get in?

If I had to guess, it seems that you are having issues with the SBSSVR_EXT-X.X.X.206 not getting access to the outside. If so, then you need to have a nat statement on the same ID as that global command line:

global (outside) 2 SBSSVR_EXT-X.X.X.206 netmask 255.0.0.0

access-list SBSSVR2_EXT_OUT permit ip any any

say something like: nat (inside) 2 access-list SBSSVR2_EXT_OUT

I may be way off here, but it would help to know what you are having an issue with. It appears that your static NAT and your internal hosts' NATs to the outside interface are in order.

HTH
0
 

Author Comment

by:TreyCarr
ID: 33451226
My VPN clients can't access the internal LAN. VPN clients are on 192.168.1 and internal is on 10.10.11.x.
0
 
LVL 20

Assisted Solution

by:MightySW
MightySW earned 45 total points
ID: 33451362
Your NATs are correct; you may want to revisit your policy statements for split tunneling. It seems that you are telling everything to NOT take the tunnel rather than just DNS.

Are your clients getting the IP pool addresses that you have defined?

Also, what is the output of: sh isakmp, sh ipsec sa, and sh xlate?

Also, be sure to follow this:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080a7afb2.shtml

It is very helpful for ASDM and CLI configs.

HTH

0
 

Expert Comment

by:tshi5791
ID: 33451378
Is this the ACL that you have?

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.10.11.x 255.255.255.0

You also can use packet tracer to see where the packets are being dropped.
0
 
LVL 16

Accepted Solution

by:
memo_tnt earned 80 total points
ID: 33452161
Hi

If your LAN IPs are 10.10.x.x, as your inside interface IP 10.10.11.24/16 indicates, then add this:

access-list AMA_VPN_splitTunnelAcl standard permit 10.10.0.0 255.255.0.0


0
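A check of the split-tunnel list, added here as an illustration and not code from the question or any of the answers: it parses the config lines that matter and reports whether the inside LAN is actually in the list the client is told to tunnel, which is the mismatch the accepted answer points at. The config excerpt is constructed from this thread, and the function names are my own.

```python
import ipaddress
import re
# Constructed excerpt of the thread's config (not the full config): inside
# interface, VPN pool and the original split-tunnel line that caused the problem.
ORIGINAL = """\
interface Vlan1
 nameif inside
 ip address 10.10.11.24 255.255.0.0
ip local pool VPN_POOL2 192.168.1.10-192.168.1.19 mask 255.255.255.0
access-list AMA_VPN_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
"""
# The same excerpt with the line from the accepted answer appended.
FIXED = ORIGINAL + "access-list AMA_VPN_splitTunnelAcl standard permit 10.10.0.0 255.255.0.0\n"
STD_ACL = re.compile(r"^access-list (\S+) standard permit (\S+) (\S+)$")
POOL = re.compile(r"^ip local pool (\S+) (\S+)-(\S+) mask (\S+)$")
IFACE_IP = re.compile(r"^ip address (\S+) (\S+)$")

def net(addr, mask):
    """ASA writes 'address mask'; strict=False keeps host bits (10.10.11.24/16)."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def split_networks(config, acl_name):
    """Networks the standard ACL pushes to clients as the split-tunnel list."""
    return [net(m.group(2), m.group(3)) for m in map(STD_ACL.match, config.splitlines())
            if m and m.group(1) == acl_name]

def inside_network(config):
    """The LAN behind the interface whose nameif is 'inside'."""
    in_inside = False
    for line in config.splitlines():
        m = IFACE_IP.match(line.strip())
        if line.startswith("interface "):
            in_inside = False
        elif line.strip() == "nameif inside":
            in_inside = True
        elif in_inside and m:
            return net(m.group(1), m.group(2))

def vpn_pool_network(config, pool_name):
    """Subnet the 'ip local pool' hands to clients (pool start + mask)."""
    return next(net(m.group(2), m.group(4)) for m in map(POOL.match, config.splitlines())
                if m and m.group(1) == pool_name)

def audit_split_tunnel(config, acl_name, pool_name):
    """(inside LAN is covered by the split list, list holds nothing but the pool)."""
    nets = split_networks(config, acl_name)
    lan_tunneled = any(inside_network(config).subnet_of(n) for n in nets)
    only_pool = bool(nets) and all(n == vpn_pool_network(config, pool_name) for n in nets)
    return lan_tunneled, only_pool
```

With the original list the client only tunnels its own pool subnet, so packets for 10.10.11.x leave the client in the clear and never reach the ASA; the fix makes the LAN a subnet of a listed network.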

 

Author Comment

by:TreyCarr
ID: 33459552
The packets are being dropped at the ACL.  I will try Memo's suggestion and go from there.
0
 

Author Comment

by:TreyCarr
ID: 33460229
  Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: xx.xx.84.55
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_ACTIVE

Global IKE Statistics
Active Tunnels: 1
Previous Tunnels: 8
In Octets: 55335
In Packets: 437
In Drop Packets: 7
In Notifys: 366
In P2 Exchanges: 8
In P2 Exchange Invalids: 0
In P2 Exchange Rejects: 0
In P2 Sa Delete Requests: 7
Out Octets: 41028
Out Packets: 416
Out Drop Packets: 0
Out Notifys: 722
Out P2 Exchanges: 0
Out P2 Exchange Invalids: 0
Out P2 Exchange Rejects: 0
Out P2 Sa Delete Requests: 0
Initiator Tunnels: 0
Initiator Fails: 0
Responder Fails: 1
System Capacity Fails: 0
Auth Fails: 1
Decrypt Fails: 0
Hash Valid Fails: 0
No Sa Fails: 0

Global IPSec over TCP Statistics
--------------------------------
Embryonic connections: 0
Active connections: 0
Previous connections: 0
Inbound packets: 0
Inbound dropped packets: 0
Outbound packets: 0
Outbound dropped packets: 0
RST packets: 0
Recevied ACK heart-beat packets: 0
Bad headers: 0
Bad trailers: 0
Timer failures: 0
Checksum errors: 0
Internal errors: 0

ama5505(config)#

Here is the sh isakmp.
0
 

Author Comment

by:TreyCarr
ID: 33460300
Your NAT's are correct, you may want to revisit your policy statements for split tunneling.  It seems that you are telling everything to NOT take the tunnel rather than just DNS.

What do I change them to?

Are you clients getting the IP pool addresses that you have defined?

Yes

Also what is the output of your: sh isakmp,  sh ipsec sa, and sh xlate.

interface: outside
    Crypto map tag: outside_dyn_map, seq num: 20, local addr: xx.xx.00.202

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.1.10/255.255.255.255/0/0)
      current_peer: xx.xx.84.55, username: jenny
      dynamic allocated peer ip: 192.168.1.10

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 26, #pkts decrypt: 26, #pkts verify: 26
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: xx.xx.00.202/4500, remote crypto endpt.: 65.33.84.55/2518
      path mtu 1500, ipsec overhead 66, media mtu 1500
      current outbound spi: 74915A0E

    inbound esp sas:
      spi: 0xA487BB5F (2760358751)
         transform: esp-3des esp-sha-hmac none
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 12, crypto-map: outside_dyn_map
         sa timing: remaining key lifetime (sec): 28777
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x74915A0E (1955682830)
         transform: esp-3des esp-sha-hmac none
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 12, crypto-map: outside_dyn_map
         sa timing: remaining key lifetime (sec): 28759
         IV size: 8 bytes
         replay detection support: Y

ama5505(config)# sh xlate
14 in use, 370 most used
Global SBSSVR_EXT Local SBSSVR_INT
PAT Global xx.xx.00.202(12454) Local 10.10.11.60(1123)
PAT Global xx.xx.00.202(14487) Local 10.10.11.62(2620)
PAT Global xx.xx.00.202(14486) Local 10.10.11.62(2619)
PAT Global xx.xx.00.202(14485) Local 10.10.11.62(2618)
PAT Global xx.xx.00.202(14484) Local 10.10.11.62(2617)
PAT Global xx.xx.00.202(12605) Local 10.10.11.62(1225)
PAT Global xx.xx.00.202(12601) Local 10.10.11.62(1223)
PAT Global xx.xx.00.202(12598) Local 10.10.11.62(1219)
PAT Global xx.xx.00.202(12597) Local 10.10.11.62(1218)
PAT Global xx.xx.00.202(12587) Local 10.10.11.62(1203)
PAT Global xx.xx.00.202(59203) Local 10.10.11.66(2441)
PAT Global xx.xx.00.202(13599) Local 10.10.11.56(4712)
PAT Global xx.xx.00.202(6264) Local 10.10.11.57(1245)
ama5505(config)#

sh isakmp is above.
0
 

Author Comment

by:TreyCarr
ID: 33460441
access-list AMA_VPN_splitTunnelAcl standard permit 10.10.0.0 255.255.0.0 was what fixed this. I appreciate everyone's help.
0
 

Author Closing Comment

by:TreyCarr
ID: 33460449
Thanks again. I have a new problem now.. But I believe it is Hyper-V related. lol It isn't seeing a server... I'll try and figure it out and come back if I can't.. *with a new question!*
0
 
LVL 20

Expert Comment

by:MightySW
ID: 33460502
Thanks for using EE
0
