Solved

cisco asa webvpn connect through asa-to-asa tunnel

Posted on 2011-03-20
Last Modified: 2012-06-21
Users connecting to one ASA can ping hosts local to that ASA, but not hosts on the other side of an ASA-to-ASA tunnel.

ASA1
inside: 10.10.1.1/24
webvpn pool: 10.100.1.1/24
ServerA: 10.10.1.100

ASA2
inside 10.10.2.1/24
webvpn pool: 10.200.1.1/24
ServerB: 10.10.2.100

The two ASAs are connected via an IPsec tunnel. WebVPN users can ping hosts on the inside of the ASA to which they connect (i.e., if I WebVPN to ASA1, I can ping ServerA, and if I connect to ASA2, I can ping ServerB).

I can't ping ServerB on ASA2 from a webvpn connection to ASA1.

I have nat 0 ACLs for the webvpn pool destined for the inside subnet on the remote ASA, and also in the crypto map match address. I also have the remote subnet included in the split-tunnel policy for webvpn connections.

When I make a webvpn connection to the ASA, the crypto ipsec SA for the ASA-ASA tunnel adds a policy for the local webvpn user to the remote ASA (e.g., local: 10.100.1.0/24; remote: 10.10.2.0/24). However, there are no encrypts/encaps on the webvpn side, which leads me to believe the packets are not being considered interesting when coming from webvpn users destined for the remote ASA subnet.

A packet-tracer suggests the same thing, as it allows the packet, but says it's destined for the outside interface.

What am I missing?  Thanks.

Should this work?
Question by:snowdog_2112

Expert Comment by:jmeggers
I think you're on the right track, but without seeing the full config it's hard to be sure.  I suspect the traffic from the WebVPN client is not being considered "interesting" and it's not going through the tunnel.

Author Comment by:snowdog_2112
I had used different IPs in my example for simplicity. Here is the config, which I've also edited to replace usernames and actual public IPs. One noticeable difference (hopefully this isn't the deal-breaker) is that the ASA2 internal network is a /16 subnet.

My webvpn client gets a 10.223.1.x address, and I can reach hosts on ASA1.  ASA2 is connected via the tunnel, and hosts on either side can reach the other side.

As mentioned, my crypto ipsec SAs have route policies for the webvpn pool to the remote side (local: 10.223.1.0/24, remote: 10.10.1.0/16). I can trace from the webvpn client to the remote side, and it gets handled as split-tunnel traffic and does not use my internet gateway, so it's getting into the ASA.

hostname asa
domain-name mydomain.local
enable password * encrypted
passwd * encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.20.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 66.100.100.121 255.255.255.224
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
 domain-name mydomain.local
dns server-group WhiteWaterDNS
 domain-name mydomain2.local
dns server-group mat-inside-dns
 domain-name mydomain2.local
access-list asa_tunnel extended permit ip 10.20.1.0 255.255.255.0 10.10.0.0 255.255.0.0
access-list asa_tunnel extended permit ip 10.20.1.0 255.255.255.0 10.222.1.0 255.255.255.0
access-list asa_tunnel extended permit ip 10.223.1.0 255.255.255.0 10.10.0.0 255.255.0.0
access-list asa_tunnel extended permit ip 10.223.1.0 255.255.255.0 10.233.1.0 255.255.255.0
access-list outside_access_in extended permit tcp any interface outside eq 3389
access-list outside_access_in extended permit ip 66.100.100.96 255.255.255.224 any
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit udp any any eq domain
access-list outside_access_in extended permit tcp any host 66.100.100.122 eq smtp
access-list outside_access_in extended permit tcp any host 66.100.100.122 eq https
access-list outside_access_in extended permit tcp any host 66.100.100.121 eq www
access-list NONAT extended permit ip 10.20.1.0 255.255.255.0 10.10.0.0 255.255.0.0
access-list NONAT extended permit ip 10.223.1.0 255.255.255.0 10.10.0.0 255.255.0.0
access-list NONAT extended permit ip 10.20.1.0 255.255.255.0 10.222.1.0 255.255.255.0
access-list NONAT extended permit ip 10.223.1.0 255.255.255.0 10.233.1.0 255.255.255.0
access-list NONAT extended permit ip 10.20.1.0 255.255.255.0 10.223.1.0 255.255.255.0
access-list split-tunnel standard permit 10.20.1.0 255.255.255.0
access-list split-tunnel standard permit 10.233.1.0 255.255.255.0
access-list split-tunnel standard permit 10.10.0.0 255.255.0.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpnpool 10.20.222.100-10.20.222.150
ip local pool vpnp2 10.223.1.100-10.223.1.150
icmp unreachable rate-limit 1 burst-size 1
icmp permit 10.10.0.0 255.255.0.0 inside
icmp permit 10.222.1.0 255.255.1.0 inside
icmp permit any inside
icmp permit 66.100.100.96 255.255.255.224 outside
icmp permit 140.100.100.0 255.255.255.192 outside
icmp permit host 140.100.100.27 outside
icmp permit any outside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface www 10.20.1.100 www netmask 255.255.255.255
static (inside,outside) tcp 66.100.100.122 smtp 10.20.1.12 smtp netmask 255.255.255.255
static (inside,outside) tcp 66.100.100.122 https 10.20.1.12 https netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 66.100.100.97 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
nac-policy DfltGrpPolicy-nac-framework-create nac-framework
 reval-period 36000
 sq-period 300
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 10.20.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 40 match address asa_tunnel
crypto map outside_map 40 set peer 140.100.100.27
crypto map outside_map 40 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 1
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 40
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 60
 authentication pre-share
 encryption aes
 hash md5
 group 5
 lifetime 86400
telnet 10.20.1.0 255.255.255.0 inside
telnet timeout 60
ssh 10.20.1.0 255.255.255.0 inside
ssh 10.223.1.0 255.255.255.0 inside
ssh 66.100.100.96 255.255.255.224 outside
ssh timeout 60
console timeout 0
dhcpd dns 8.8.8.8
dhcpd domain mydomain.local
dhcpd auto_config outside
dhcpd option 3 ip 10.20.1.1
!
dhcpd address 10.20.1.50-10.20.1.60 inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.5.2019-k9.pkg 1
 svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 2
 svc image disk0:/anyconnect-linux-2.4.1012-k9.pkg 3
 svc image disk0:/anyconnect-macosx-i386-2.4.1012-k9.pkg 4
 svc image disk0:/anyconnect-wince-ARMv4I-2.4.1012-k9.pkg 5
 svc image disk0:/anyconnect-dart-win-2.5.2019-k9.pkg 6
 svc enable
group-policy wwwGrp internal
group-policy wwwGrp attributes
 dns-server value 10.10.1.222
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel
 split-dns value mydomain2.local
 webvpn
  url-list none
  svc ask enable default webvpn
group-policy DfltGrpPolicy attributes
 dns-server value 10.10.1.222
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 split-tunnel-policy tunnelspecified
group-policy InternalITGrp internal
group-policy InternalITGrp attributes
 dns-server value 10.20.1.10
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel
 split-dns value mydomain2.local
 webvpn
  url-list none
  svc ask enable default webvpn
group-policy IntDomainWebGrp internal
group-policy IntDomainWebGrp attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 webvpn
  url-list none
  port-forward disable
  http-proxy disable
  svc ask enable default webvpn
  http-comp gzip
  hidden-shares none
  smart-tunnel disable
  activex-relay enable
  file-entry enable
  file-browsing enable
  url-entry enable
  smart-tunnel auto-signon disable
group-policy mydomain2vpn internal
username wwwvpn password ** encrypted
username wwwvpn attributes
 vpn-group-policy wwwGrp
username InternalITUser password ** encrypted privilege 15
username InternalITUser attributes
 vpn-group-policy InternalITGrp

username itsupport password ** encrypted privilege 15
username itsupport attributes
 vpn-group-policy wwwGrp
 service-type admin
username external_user password ** encrypted
username external_user attributes
 vpn-group-policy wwwGrp
 service-type admin
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool vpnp2
 default-group-policy mydomain2vpn
tunnel-group 140.100.100.27 type ipsec-l2l
tunnel-group 140.100.100.27 ipsec-attributes
 pre-shared-key *
tunnel-group LocalAuthSSL type remote-access
tunnel-group LocalAuthSSL general-attributes
 default-group-policy IntDomainWebGrp
tunnel-group InternalIT type remote-access
tunnel-group InternalIT general-attributes
 address-pool vpnp2
 default-group-policy InternalITGrp
tunnel-group InternalIT webvpn-attributes
 group-alias sslgroup_users enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:f2ed930c3eeebba96d6cb125ad3b831c
: end

Author Comment by:snowdog_2112
Update: I put a packet capture on the inside interface of the local ASA (the one terminating the webvpn connection). If I ping from the webvpn client to a local host, I see the packets. If I try to ping a host on the other side of the ASA-ASA tunnel, the local packet capture does not register any packets.

That suggests that it is a split tunnel issue, but my local route table on the webvpn client looks correct.  A continuous ping with the tunnel up and then dropped (while the ping is still running) shows a time out and then the client's gateway replies "destination unreachable" when the tunnel is dropped.

It seems like the webvpn client is sending the traffic into the tunnel, but the ASA does not see it.

Accepted Solution by:jmeggers (earned 500 total points)
Check your ACLs for your interesting traffic.  I see both 10.222.x.x and 10.233.x.x, but not consistently.  Also make sure the ASA at the other end is set to encrypt traffic to and from the correct networks.  That's the most typical mistake that causes things like this.

Author Closing Comment by:snowdog_2112
Yes, it was a typo in the ACL.  Working now.  Thanks.
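The check jmeggers recommends (interesting-traffic ACL, NAT exemption and split-tunnel list all naming the same remote networks) and the mistyped octet the asker eventually found can be caught mechanically. The script below is an added example written for this page; it is not code from the thread or from Cisco. It embeds a constructed excerpt of the ACLs exactly as posted, parses the extended and standard entries, and reports where the crypto-map ACL disagrees with the NONAT ACL, the split-tunnel ACL, or itself. The ACL names and the 10.223.1.0/24 AnyConnect pool are taken from the posted config; the "fixed" variant assumes 10.222.1.0/24 was the intended remote network and 10.233.1.0 the typo, which is a hypothetical, since the thread never says which side was wrong.

```python
import ipaddress
import re

# Constructed excerpt: the three ACLs as posted in the thread (only the lines
# relevant to the L2L tunnel, NAT exemption and split tunnel are included).
ASA_CONFIG = """\
access-list asa_tunnel extended permit ip 10.20.1.0 255.255.255.0 10.10.0.0 255.255.0.0
access-list asa_tunnel extended permit ip 10.20.1.0 255.255.255.0 10.222.1.0 255.255.255.0
access-list asa_tunnel extended permit ip 10.223.1.0 255.255.255.0 10.10.0.0 255.255.0.0
access-list asa_tunnel extended permit ip 10.223.1.0 255.255.255.0 10.233.1.0 255.255.255.0
access-list NONAT extended permit ip 10.20.1.0 255.255.255.0 10.10.0.0 255.255.0.0
access-list NONAT extended permit ip 10.223.1.0 255.255.255.0 10.10.0.0 255.255.0.0
access-list NONAT extended permit ip 10.20.1.0 255.255.255.0 10.222.1.0 255.255.255.0
access-list NONAT extended permit ip 10.223.1.0 255.255.255.0 10.233.1.0 255.255.255.0
access-list NONAT extended permit ip 10.20.1.0 255.255.255.0 10.223.1.0 255.255.255.0
access-list split-tunnel standard permit 10.20.1.0 255.255.255.0
access-list split-tunnel standard permit 10.233.1.0 255.255.255.0
access-list split-tunnel standard permit 10.10.0.0 255.255.0.0
"""

EXT_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
STD_RE = re.compile(r"^access-list (\S+) standard permit (\S+) (\S+)$")


def to_net(addr, mask):
    # ipaddress accepts dotted-decimal masks, e.g. "10.10.0.0/255.255.0.0"
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_acls(text):
    """Return (extended, standard): extended maps ACL name -> [(src, dst)],
    standard maps ACL name -> [net]. Any other config line is ignored."""
    extended, standard = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        m = EXT_RE.match(line)
        if m:
            name, sa, sm, da, dm = m.groups()
            extended.setdefault(name, []).append((to_net(sa, sm), to_net(da, dm)))
            continue
        m = STD_RE.match(line)
        if m:
            name, a, mk = m.groups()
            standard.setdefault(name, []).append(to_net(a, mk))
    return extended, standard


def covered(src, dst, pairs):
    """True if some (s, d) in pairs contains both src and dst."""
    return any(src.subnet_of(s) and dst.subnet_of(d) for s, d in pairs)


def audit(text, crypto_acl="asa_tunnel", nonat_acl="NONAT",
          split_acl="split-tunnel", pools=("10.223.1.0/24",)):
    """Cross-check the L2L crypto-map ACL against the NAT-exemption ACL and the
    split-tunnel list; return a sorted list of human-readable findings."""
    extended, standard = parse_acls(text)
    crypto = extended.get(crypto_acl, [])
    nonat = extended.get(nonat_acl, [])
    split = standard.get(split_acl, [])
    pool_nets = [ipaddress.ip_network(p) for p in pools]

    def from_pool(net):
        return any(net.subnet_of(p) for p in pool_nets)

    findings = []
    for src, dst in crypto:
        # 1. Without a nat 0 entry the source is PAT'd to the outside address
        #    before the crypto map is consulted, so the flow never matches.
        if not covered(src, dst, nonat):
            findings.append(f"{src}->{dst}: in {crypto_acl} but not in {nonat_acl}")
        # 2. A remote network the VPN pool should reach must also be in the
        #    split-tunnel list, or the client hands it to its own gateway.
        if from_pool(src) and not any(dst.subnet_of(s) for s in split):
            findings.append(f"{src}->{dst}: {dst} missing from {split_acl}")

    # 3. The inside LAN and the VPN pool should reach the same remote networks;
    #    a one-sided entry is the classic symptom of a mistyped octet.
    lan_dsts = {d for s, d in crypto if not from_pool(s)}
    pool_dsts = {d for s, d in crypto if from_pool(s)}
    for dst in sorted(lan_dsts ^ pool_dsts):
        side = "inside LAN" if dst in lan_dsts else "VPN pool"
        findings.append(f"{dst}: remote net listed only for the {side} in {crypto_acl}")
    return sorted(findings)


# Hypothetical corrected config: assumes 10.222.1.0/24 was the intended remote
# network and 10.233.1.0 the typo (the thread does not say which was wrong).
FIXED_CONFIG = ASA_CONFIG.replace("10.233.1.0", "10.222.1.0")

if __name__ == "__main__":
    for finding in audit(ASA_CONFIG):
        print("FINDING:", finding)
    print("after fix:", audit(FIXED_CONFIG) or "clean")
```

Run against the posted ACLs, the third check is the one that fires: 10.222.1.0/24 is a tunnel destination only for the inside LAN and 10.233.1.0/24 only for the VPN pool, which is exactly the inconsistency the accepted answer points at. The first two checks stay quiet here but cover the other two failure modes the asker had already ruled out (a missing nat 0 entry, a remote subnet absent from the split-tunnel list). The same audit should be run on the peer ASA's mirror-image ACLs, since an asymmetric crypto ACL on the far end produces identical symptoms.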