ASA5505 to ASA5505, EZVPN Client mode works, NEM does not?

I am currently trying to get an EZVPN NEM tunnel working between two sites. The headend has a static IP; the remote site will be on DHCP. When I configure the remote ASA for client mode, the tunnel comes up and all traffic flows as intended. I have some split tunneling rules set up. Here is an image of the basic layout of the network; the ASA is in front of the UC520 data network.

[Image: Interspace Network]

I could post scrubbed configs of each ASA if desired. Here is the output of show vpnclient on the remote device: one from the working client mode and another from the non-working NEM. I also enabled reverse-route on the dynamic crypto map on the headend.
Any help on this is greatly appreciated.

WORKING:

vpnclient mode client-mode
vpnclient vpngroup INTERVPN password *****
vpnclient username SITE1 password *****
vpnclient enable

DOWNLOADED DYNAMIC POLICY
Current Server                     : 70.60.48.50
NAT addr                           : 192.168.12.90
Primary DNS                        : 192.168.10.10
Default Domain                     : interspacetech.net
PFS Enabled                        : No
Secure Unit Authentication Enabled : No
User Authentication Enabled        : No
Split Tunnel Networks              : 192.168.11.0/255.255.255.0 192.168.10.0/255.255.255.0 10.1.1.0/255.255.255.0 10.1.10.0/255.255.255.0 
Backup Servers                     : None

STORED POLICY
Secure Unit Authentication Enabled : No
Split Tunnel Networks              : 192.168.11.0/255.255.255.0 192.168.10.0/255.255.255.0 10.1.1.0/255.255.255.0 10.1.10.0/255.255.255.0 
Backup Servers                     : None

RELATED CONFIGURATION
object network _vpnc_cm_split_nat_addr hidden 
 host 192.168.12.90
 description VPN client mapped address object 
object-group network _vpnc_objgrp_cm_split
 network-object 192.168.11.0 255.255.255.0
 network-object 192.168.10.0 255.255.255.0
 network-object 10.1.1.0 255.255.255.0
 network-object 10.1.10.0 255.255.255.0
nat (inside,outside) source dynamic any _vpnc_cm_split_nat_addr destination static _vpnc_objgrp_cm_split _vpnc_objgrp_cm_split
nat (_internal_loopback,outside) source dynamic any _vpnc_cm_split_nat_addr
access-list _vpnc_acl extended permit ip host 65.25.101.203 host 70.60.48.50 
access-list _vpnc_acl extended permit ip host 192.168.12.90 192.168.11.0 255.255.255.0 
access-list _vpnc_acl extended permit ip host 192.168.12.90 192.168.10.0 255.255.255.0 
access-list _vpnc_acl extended permit ip host 192.168.12.90 10.1.1.0 255.255.255.0 
access-list _vpnc_acl extended permit ip host 192.168.12.90 10.1.10.0 255.255.255.0 
access-list _vpnc_acl extended deny udp host 65.25.101.203 eq bootpc any eq bootps 
access-list _vpnc_acl extended permit ip host 65.25.101.203 192.168.11.0 255.255.255.0 
access-list _vpnc_acl extended permit ip host 65.25.101.203 192.168.10.0 255.255.255.0 
access-list _vpnc_acl extended permit ip host 65.25.101.203 10.1.1.0 255.255.255.0 
access-list _vpnc_acl extended permit ip host 65.25.101.203 10.1.10.0 255.255.255.0 
crypto ipsec ikev1 transform-set _vpnc_tset_1 esp-aes-256 esp-sha-hmac 
crypto ipsec ikev1 transform-set _vpnc_tset_2 esp-aes-256 esp-md5-hmac 
crypto ipsec ikev1 transform-set _vpnc_tset_3 esp-aes-192 esp-sha-hmac 
crypto ipsec ikev1 transform-set _vpnc_tset_4 esp-aes-192 esp-md5-hmac 
crypto ipsec ikev1 transform-set _vpnc_tset_5 esp-aes esp-sha-hmac 
crypto ipsec ikev1 transform-set _vpnc_tset_6 esp-aes esp-md5-hmac 
crypto ipsec ikev1 transform-set _vpnc_tset_7 esp-3des esp-sha-hmac 
crypto ipsec ikev1 transform-set _vpnc_tset_8 esp-3des esp-md5-hmac 
crypto ipsec ikev1 transform-set _vpnc_tset_9 esp-des esp-md5-hmac 
crypto ipsec ikev1 transform-set _vpnc_tset_10 esp-null esp-md5-hmac 
crypto ipsec ikev1 transform-set _vpnc_tset_11 esp-null esp-sha-hmac 
crypto map _vpnc_cm 10 match address _vpnc_acl
crypto map _vpnc_cm 10 set peer 70.60.48.50 
crypto map _vpnc_cm 10 set ikev1 phase1-mode aggressive 
crypto map _vpnc_cm 10 set ikev1 transform-set _vpnc_tset_1 _vpnc_tset_2 _vpnc_tset_3 _vpnc_tset_4 _vpnc_tset_5 _vpnc_tset_6 _vpnc_tset_7 _vpnc_tset_8 _vpnc_tset_9 _vpnc_tset_10 _vpnc_tset_11
crypto map _vpnc_cm 10 set security-association lifetime seconds 2147483647



NOT WORKING:

LOCAL CONFIGURATION
vpnclient server 70.60.48.50
vpnclient mode network-extension-mode
vpnclient nem-st-autoconnect
vpnclient vpngroup INTERVPN password *****
vpnclient username SITE1 password *****
vpnclient enable

DOWNLOADED DYNAMIC POLICY
Current Server                     : 70.60.48.50
Primary DNS                        : 192.168.10.10
Default Domain                     : interspacetech.net
PFS Enabled                        : No
Secure Unit Authentication Enabled : No
User Authentication Enabled        : No
Split Tunnel Networks              : 192.168.11.0/255.255.255.0 192.168.10.0/255.255.255.0 10.1.1.0/255.255.255.0 10.1.10.0/255.255.255.0 
Backup Servers                     : None

STORED POLICY
Secure Unit Authentication Enabled : No
Split Tunnel Networks              : 192.168.11.0/255.255.255.0 192.168.10.0/255.255.255.0 10.1.1.0/255.255.255.0 10.1.10.0/255.255.255.0 
Backup Servers                     : None

RELATED CONFIGURATION
object network _vpnc_nem_split_nat_addr hidden 
 host 192.168.14.1
 description VPN client mapped address object 
object-group network _vpnc_objgrp_nem_split
 network-object 192.168.11.0 255.255.255.0
 network-object 192.168.10.0 255.255.255.0
 network-object 10.1.1.0 255.255.255.0
 network-object 10.1.10.0 255.255.255.0
nat (inside,outside) source static any any destination static _vpnc_objgrp_nem_split _vpnc_objgrp_nem_split
nat (_internal_loopback,outside) source dynamic any _vpnc_nem_split_nat_addr
access-list _vpnc_acl extended permit ip host 65.25.101.203 host 70.60.48.50 
access-list _vpnc_acl extended permit ip 192.168.14.0 255.255.255.0 192.168.11.0 255.255.255.0 
access-list _vpnc_acl extended permit ip 192.168.14.0 255.255.255.0 192.168.10.0 255.255.255.0 
access-list _vpnc_acl extended permit ip 192.168.14.0 255.255.255.0 10.1.1.0 255.255.255.0 
access-list _vpnc_acl extended permit ip 192.168.14.0 255.255.255.0 10.1.10.0 255.255.255.0 
access-list _vpnc_acl extended deny udp host 65.25.101.203 eq bootpc any eq bootps 
access-list _vpnc_acl extended permit ip host 65.25.101.203 192.168.11.0 255.255.255.0 
access-list _vpnc_acl extended permit ip host 65.25.101.203 192.168.10.0 255.255.255.0 
access-list _vpnc_acl extended permit ip host 65.25.101.203 10.1.1.0 255.255.255.0 
access-list _vpnc_acl extended permit ip host 65.25.101.203 10.1.10.0 255.255.255.0 
crypto ipsec ikev1 transform-set _vpnc_tset_1 esp-aes-256 esp-sha-hmac 
crypto ipsec ikev1 transform-set _vpnc_tset_2 esp-aes-256 esp-md5-hmac 
crypto ipsec ikev1 transform-set _vpnc_tset_3 esp-aes-192 esp-sha-hmac 
crypto ipsec ikev1 transform-set _vpnc_tset_4 esp-aes-192 esp-md5-hmac 
crypto ipsec ikev1 transform-set _vpnc_tset_5 esp-aes esp-sha-hmac 
crypto ipsec ikev1 transform-set _vpnc_tset_6 esp-aes esp-md5-hmac 
crypto ipsec ikev1 transform-set _vpnc_tset_7 esp-3des esp-sha-hmac 
crypto ipsec ikev1 transform-set _vpnc_tset_8 esp-3des esp-md5-hmac 
crypto ipsec ikev1 transform-set _vpnc_tset_9 esp-des esp-md5-hmac 
crypto ipsec ikev1 transform-set _vpnc_tset_10 esp-null esp-md5-hmac 
crypto ipsec ikev1 transform-set _vpnc_tset_11 esp-null esp-sha-hmac 
crypto map _vpnc_cm 10 match address _vpnc_acl
crypto map _vpnc_cm 10 set peer 70.60.48.50 
crypto map _vpnc_cm 10 set ikev1 phase1-mode aggressive 
crypto map _vpnc_cm 10 set ikev1 transform-set _vpnc_tset_1 _vpnc_tset_2 _vpnc_tset_3 _vpnc_tset_4 _vpnc_tset_5 _vpnc_tset_6 _vpnc_tset_7 _vpnc_tset_8 _vpnc_tset_9 _vpnc_tset_10 _vpnc_tset_11
crypto map _vpnc_cm 10 set security-association lifetime seconds 2147483647
crypto map _vpnc_cm 10 set security-association lifetime kilobytes 2147483647
crypto map _vpnc_cm interface outside
tunnel-group 70.60.48.50 type ipsec-ra
tunnel-group 70.60.48.50 ipsec-attributes
 isakmp keepalive threshold 90 retry 5


J-RodderAsked:
DanJCommented:
Have you configured NEM under the group-policy?

group-policy myGROUP attributes
 nem enable
J-RodderAuthor Commented:
Good question, but yes.

group-policy INTERVPN internal
group-policy INTERVPN attributes
 dns-server value 192.168.10.10
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value INTERVPN_splitTunnelAcl
 default-domain value interspacetech.net
 ip-phone-bypass enable
 nem enable
J-RodderAuthor Commented:
Here is a scrubbed config of the headend. I didn't bother doing the remote client asa yet, but can do so if requested. If anyone has any kind of direction for me on this, it would be greatly appreciated.

Result of the command: "show run"

: Saved
:
ASA Version 8.4(1) 
!
hostname Cerberus
domain-name interspacetech.net
enable password **** encrypted
passwd **** encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.11.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address **** 255.255.255.248 
!
interface Vlan5
 nameif dmz
 security-level 50
 ip address 192.168.13.1 255.255.255.0 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
 switchport monitor Ethernet0/1 
!
interface Ethernet0/5
 switchport access vlan 5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 192.168.10.10
 domain-name interspacetech.net
object network obj_any 
 subnet 0.0.0.0 0.0.0.0
object network MAIL 
 host 192.168.10.121
 description Mail Server         
object network VPN-NET 
 range 192.168.12.1 192.168.12.255
object network DATA-NET10 
 range 192.168.10.1 192.168.10.255
object network UC-NET 
 range 10.1.1.1 10.1.1.255
object network UC-NET2 
 range 10.1.10.1 10.1.10.255
object network ChunkVNC 
 host 192.168.10.109
object network ChunkVNC2 
 host 192.168.10.109
object network TimeTrex 
 host 192.168.10.101
 description Timeclock Server     
object network Untangle 
 host 192.168.10.116
object network DMZ 
 subnet 192.168.13.0 255.255.255.0
 description DMZ Network     
object network Hubbert 
 host 192.168.10.104
object-group service ActiveSync tcp
 port-object eq 26675
 port-object eq 5678
 port-object eq 5679
 port-object eq 5721
 port-object eq 990
 port-object eq 999
object-group service Chunkvnc tcp
 port-object eq 5500
 port-object eq 5901
object-group service TimeTrexPort tcp
 port-object eq 8085
object-group service UntanglePortSSL tcp
 port-object eq 444
object-group service HubbertPorts tcp
 port-object eq 13897
access-list outside_access_in remark SMTP connection to Mail Server
access-list outside_access_in extended permit tcp any object MAIL eq smtp 
access-list outside_access_in remark Mail Server web access
access-list outside_access_in extended permit tcp any object MAIL eq https 
access-list outside_access_in extended permit tcp any object MAIL object-group ActiveSync 
access-list outside_access_in extended permit tcp any object ChunkVNC object-group Chunkvnc 
access-list outside_access_in extended permit tcp any object TimeTrex object-group TimeTrexPort 
access-list outside_access_in extended permit tcp any object Untangle object-group UntanglePortSSL 
access-list outside_access_in extended permit tcp any object Hubbert object-group HubbertPorts 
access-list INTERVPN_splitTunnelAcl standard permit 192.168.11.0 255.255.255.0 
access-list INTERVPN_splitTunnelAcl standard permit 192.168.10.0 255.255.255.0 
access-list INTERVPN_splitTunnelAcl standard permit 10.1.1.0 255.255.255.0 
access-list INTERVPN_splitTunnelAcl standard permit 10.1.10.0 255.255.255.0 
pager lines 24
logging enable
logging asdm warnings
logging mail alerts
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool VPNPOOL3 192.168.12.90-192.168.12.99 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo-reply outside
icmp deny any outside
no asdm history enable
arp timeout 14400
nat (inside,outside) source static DATA-NET10 DATA-NET10 destination static VPN-NET VPN-NET
nat (inside,outside) source static UC-NET UC-NET destination static VPN-NET VPN-NET
nat (inside,outside) source static UC-NET2 UC-NET2 destination static VPN-NET VPN-NET
!
object network obj_any
 nat (inside,outside) dynamic interface
object network MAIL
 nat (any,any) static ****
object network ChunkVNC
 nat (inside,outside) static interface service tcp 5901 5901 
object network ChunkVNC2
 nat (inside,outside) static interface service tcp 5500 5500 
object network TimeTrex
 nat (inside,outside) static interface service tcp 8085 8085 
object network Untangle
 nat (inside,outside) static interface service tcp 444 444 
object network DMZ
 nat (any,outside) dynamic interface
object network Hubbert
 nat (inside,outside) static interface service tcp 13897 13897 
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 **** 1
route inside 10.1.1.0 255.255.255.0 192.168.11.1 1
route inside 10.1.10.0 255.255.255.0 192.168.11.1 1
route inside 192.168.10.0 255.255.255.0 192.168.11.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.11.0 255.255.255.0 inside
http 192.168.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp nat-traversal 30
crypto ikev1 enable outside
crypto ikev1 ipsec-over-tcp port 10000 
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
client-update enable
telnet timeout 5
ssh timeout 5
console timeout 0

dhcpd auto_config outside
!
dhcpd address 192.168.11.5-192.168.11.254 inside
!
dhcpd address 192.168.13.2-192.168.13.254 dmz
dhcpd dns 209.18.47.61 209.18.47.62 interface dmz
dhcpd lease 86400 interface dmz
dhcpd ping_timeout 1000 interface dmz
dhcpd domain interspacetech.net interface dmz
dhcpd enable dmz
!
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp authenticate
ntp server 63.240.161.99 source outside prefer
webvpn
group-policy DfltGrpPolicy attributes
 dns-server value 192.168.10.10
 vpn-tunnel-protocol ikev1 ikev2 ssl-clientless
 ip-phone-bypass enable
 nem enable
group-policy INTERVPN internal
group-policy INTERVPN attributes
 dns-server value 192.168.10.10
 vpn-tunnel-protocol ikev1 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value INTERVPN_splitTunnelAcl
 default-domain value interspacetech.net
 ip-phone-bypass enable
 nem enable
username jmiranda password **** encrypted privilege 15
username jmiranda attributes
 vpn-group-policy INTERVPN
username jclark password **** encrypted privilege 15
username jclark attributes
 vpn-group-policy INTERVPN
username SITE1 password **** encrypted
username SITE1 attributes
 vpn-group-policy INTERVPN
username mwartman password **** encrypted privilege 15
username mwartman attributes
 vpn-group-policy INTERVPN
tunnel-group INTERVPN type remote-access
tunnel-group INTERVPN general-attributes
 address-pool VPNPOOL3
tunnel-group INTERVPN ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
  inspect icmp 
  inspect icmp error 
!
service-policy global_policy global
prompt hostname context 
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
hpm topN enable
Cryptochecksum:e3141de81ea7ccdfefb4b4590060c36e
: end


DanJCommented:
When running in NEM mode it is like a site-to-site VPN, but only the client can bring up the tunnel.
This means there is no IP address assigned to the client, and the client does not perform NAT for the subnets.
You need to ensure NAT exemption for the addresses and also that there is routing information on both ends. Even if you do reverse route, it's only in the routing table of the server. You have to redistribute the routes to other peers via a routing protocol like OSPF.
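The NAT exemption point above can be checked mechanically against what is posted in the question. The following is an added example (not code from the thread or from Cisco): it parses the headend's twice-NAT identity rules and object definitions from the posted show run, parses the proxy identities from the remote's _vpnc_acl in both show vpnclient outputs, and reports every proxy identity whose return flow on the headend (inside subnet to remote subnet) has no identity NAT rule. On an 8.4 ASA a flow that misses every manual NAT rule falls through to the object NAT section, where "nat (inside,outside) dynamic interface" on obj_any would PAT it, which is what the posted headend would do to return traffic for the NEM subnet 192.168.14.0/24. The object names produced by suggest_exemption are hypothetical and would need matching "object network" definitions; the example also flags 192.168.11.0/24 in client mode because the posted headend config has no exemption for that subnet either.

```python
"""Added example (not from the thread): check an ASA 8.4 headend's identity
twice-NAT rules (NAT exemption) against the proxy identities an EZVPN client
negotiates.  Config excerpts are copied from the headend 'show run' and the
remote 'show vpnclient' output in the question; everything else is constructed."""
import ipaddress
import re

# Headend excerpt: the only exemptions point at VPN-NET, the client-mode pool.
HEADEND_CONFIG = """\
object network VPN-NET
 range 192.168.12.1 192.168.12.255
object network DATA-NET10
 range 192.168.10.1 192.168.10.255
object network UC-NET
 range 10.1.1.1 10.1.1.255
object network UC-NET2
 range 10.1.10.1 10.1.10.255
nat (inside,outside) source static DATA-NET10 DATA-NET10 destination static VPN-NET VPN-NET
nat (inside,outside) source static UC-NET UC-NET destination static VPN-NET VPN-NET
nat (inside,outside) source static UC-NET2 UC-NET2 destination static VPN-NET VPN-NET
"""

# Proxy identities from the remote's _vpnc_acl (remote side first): client mode
# tunnels one assigned address, NEM tunnels the whole remote LAN.
CLIENT_MODE_ACL = """\
access-list _vpnc_acl extended permit ip host 192.168.12.90 192.168.11.0 255.255.255.0
access-list _vpnc_acl extended permit ip host 192.168.12.90 192.168.10.0 255.255.255.0
access-list _vpnc_acl extended permit ip host 192.168.12.90 10.1.1.0 255.255.255.0
access-list _vpnc_acl extended permit ip host 192.168.12.90 10.1.10.0 255.255.255.0
"""
NEM_ACL = """\
access-list _vpnc_acl extended permit ip 192.168.14.0 255.255.255.0 192.168.11.0 255.255.255.0
access-list _vpnc_acl extended permit ip 192.168.14.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list _vpnc_acl extended permit ip 192.168.14.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list _vpnc_acl extended permit ip 192.168.14.0 255.255.255.0 10.1.10.0 255.255.255.0
"""

NAT_RE = re.compile(r"nat \((\S+),(\S+)\) source static (\S+) (\S+) destination static (\S+) (\S+)")


def parse_objects(config):
    """Map 'object network' names to the list of networks they cover."""
    objects, current = {}, None
    for line in config.splitlines():
        m = re.match(r"object network (\S+)", line)
        if m:
            current = m.group(1)
            objects.setdefault(current, [])
            continue
        if not line.startswith(" "):  # any other top-level command ends the object
            current = None
            continue
        if current is None:
            continue
        kind, *args = line.split()
        if kind == "host":
            objects[current].append(ipaddress.ip_network(args[0]))
        elif kind == "subnet":
            objects[current].append(ipaddress.ip_network(f"{args[0]}/{args[1]}"))
        elif kind == "range":
            first, last = map(ipaddress.ip_address, args)
            objects[current].extend(ipaddress.summarize_address_range(first, last))
    return objects


def parse_identity_nat(config, objects):
    """Twice-NAT rules where real == mapped on both sides, i.e. NAT exemptions."""
    rules = []
    for line in config.splitlines():
        m = NAT_RE.match(line.strip())
        if not m:
            continue
        real_src, mapped_src, real_dst, mapped_dst = m.group(3, 4, 5, 6)
        if real_src != mapped_src or real_dst != mapped_dst:
            continue  # this rule translates something; it is not an exemption
        lookup = lambda n: [ipaddress.ip_network("0.0.0.0/0")] if n == "any" else objects.get(n, [])
        rules.append((lookup(real_src), lookup(real_dst)))
    return rules


def _acl_net(tokens):
    """Consume one ACL address spec ('host A', 'any' or 'A MASK')."""
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]


def parse_proxy_ids(acl):
    """(remote_net, headend_net) pairs from 'permit ip' lines of the client ACL."""
    ids = []
    for line in acl.splitlines():
        tokens = line.split()
        if "permit" not in tokens or tokens[tokens.index("permit") + 1] != "ip":
            continue
        remote, rest = _acl_net(tokens[tokens.index("permit") + 2:])
        headend, _ = _acl_net(rest)
        ids.append((remote, headend))
    return ids


def covered(net, nets):
    """True if every usable host of `net` lies inside some network in `nets`.
    ASA 'range' objects starting at .1 (as posted) never contain a whole /24,
    so a plain subnet test would give a false negative; enumerate hosts instead.
    Assumption: proxy identities are /24 or smaller, as in this thread."""
    if any(net.subnet_of(n) for n in nets):
        return True
    if net.num_addresses > 256:
        return False
    return all(any(h in n for n in nets) for h in net.hosts())


def missing_exemptions(headend_config, client_acl):
    """Proxy identities whose headend return flow (inside -> remote) is not exempt."""
    objects = parse_objects(headend_config)
    rules = parse_identity_nat(headend_config, objects)
    return [(headend, remote) for remote, headend in parse_proxy_ids(client_acl)
            if not any(covered(headend, s) and covered(remote, d) for s, d in rules)]


def suggest_exemption(headend_net, remote_net):
    """Identity twice-NAT line the headend lacks; object names are hypothetical."""
    h = f"NET-{headend_net.network_address}_{headend_net.prefixlen}"
    r = f"NET-{remote_net.network_address}_{remote_net.prefixlen}"
    return f"nat (inside,outside) source static {h} {h} destination static {r} {r}"


if __name__ == "__main__":
    for label, acl in (("client mode", CLIENT_MODE_ACL), ("NEM", NEM_ACL)):
        gaps = missing_exemptions(HEADEND_CONFIG, acl)
        print(f"{label}: {len(gaps)} proxy identit(y/ies) without NAT exemption")
        for headend_net, remote_net in gaps:
            print("  ", suggest_exemption(headend_net, remote_net))
```

Run as-is to compare the two modes: the client-mode proxies are exempt (apart from 192.168.11.0/24), while all four NEM proxies fall through, because every posted exemption names VPN-NET as the destination and nothing names 192.168.14.0/24. Routing is the other half of the answer above and is not checked here.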
J-RodderAuthor Commented:
Ok, that helps a bit. This explains why, even though the tunnel was up, doing a netstat -r from a client machine connected to the remote ASA didn't show anything in the routing table for the 192.168.10.0 network. Can you further explain what I would do then to make this work using OSPF? Can I do that within the client ASA itself? Or do I have to attach a router to that remote network to handle DHCP and hand out routing info about the headend network?
J-RodderAuthor Commented:
I should have looked before I banged out that response, sorry. So it looks like I need to figure out/get help with properly configuring OSPF between the two ASAs from the routing config section. I read about it in my CCNA studies a few years back, never had to actually do it. :) I'll get to work on that. I will award points because it certainly looks like that is my issue. If you want to post a synopsis of what a proper OSPF config would look like or procedure in this instance, I certainly wouldn't complain. ;)

Thanks.