Solved

Cannot reach subnet over site to site VPN ASA 5505 version 9

Posted on 2014-03-15
1,359 Views
Last Modified: 2014-03-22
I have an ASA 5505 connected to a site to site VPN that I cannot access the 192.168.1.0 network over.  The VPN works fine and I can access the 192.168.5.0.  The ACLs on the other site allow the traffic as it is working for other sites.  I think this may be a NAT issue but I am not sure.  The ASA is running version 9.  Here is the running configuration:


ASA Version 9.0(1)
!
hostname asa-fw
enable password k4HlcGX2lC1ypFOm encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 shutdown
!
interface Vlan1
 description Private-Interface
 nameif inside
 security-level 100
 ip address 172.16.40.254 255.255.0.0
!
interface Vlan2
 description Public-Interface
 nameif outside
 security-level 0
 pppoe client vpdn group xxxxxxxxxxxxxxxxxx
 ip address pppoe setroute
!
ftp mode passive
object network inside-network
 subnet 172.16.40.0 255.255.255.0
object network NETWORK_OBJ_172.16.40.0_24
 subnet 172.16.40.0 255.255.255.0
object network NETWORK_OBJ_192.168.5.0_24
 subnet 192.168.5.0 255.255.255.0
object network NETWORK_OBJ_172.16.25.0_24
 subnet 172.16.25.0 255.255.255.0
object network OBJ_192.168.1.0
 subnet 192.168.1.0 255.255.255.0
access-list outside_cryptomap extended permit ip 172.16.40.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list outside_cryptomap extended permit ip 172.16.40.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_cryptomap extended permit ip 172.16.40.0 255.255.255.0 172.16.25.0 255.255.255.0
pager lines 24
logging enable
logging buffer-size 30000
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static NETWORK_OBJ_172.16.40.0_24 NETWORK_OBJ_172.16.40.0_24 destination static NETWORK_OBJ_192.168.5.0_24 NETWORK_OBJ_192.168.5.0_24 no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_172.16.40.0_24 NETWORK_OBJ_172.16.40.0_24 destination static OBJ_192.168.1.0 OBJ_192.168.1.0 no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_172.16.40.0_24 NETWORK_OBJ_172.16.40.0_24 destination static NETWORK_OBJ_172.16.25.0_24 NETWORK_OBJ_172.16.25.0_24 no-proxy-arp route-lookup
!
object network inside-network
 nat (inside,outside) dynamic interface
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 172.16.40.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs group5
crypto map outside_map 1 set peer xxx.xxx.xxx.xxx
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 1 set nat-t-disable
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 130
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 172.16.40.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
vpdn group xxxxxxxxxxxxxxxxxxxxxxxxxx request dialout pppoe
vpdn group xxxxxxxxxxxxxxxxxxxxxxxxxx localname xxxxxxxxxxxxxxxxxxxxxxxxx
vpdn group xxxxxxxxxxxxxxxxxxxxxxxxxx ppp authentication pap
vpdn username xxxxxxxxxxxxxxxxxxxxxxx password *****

dhcpd dns 192.168.5.9 192.168.5.10
!
dhcpd address 172.16.40.5-172.16.40.15 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy GroupPolicy_xxx.xxx.xxx.xxx internal
group-policy GroupPolicy_xxx.xxx.xxx.xxx attributes
 vpn-tunnel-protocol ikev1 ikev2
username xxxxxxxxxxx password 21dkb29Q2GbIGmA9 encrypted privilege 15
username xxxxxxxxxxx password 1NHJ1uyMBfQkbbS9 encrypted privilege 15
username xxxxxxxxxxx password NL1c1I7HLpyQAiL3 encrypted privilege 15
tunnel-group xxx.xxx.xxx.xxx type ipsec-l2l
tunnel-group xxx.xxx.xxx.xxx general-attributes
 default-group-policy GroupPolicy_xxx.xxx.xxx.xxx
tunnel-group xxx.xxx.xxx.xxx ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny  
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip  
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:bfa3f7b53a5d05aa16514430fdcd0277
: end
Question by:wayy2be
11 Comments
 
LVL 9

Expert Comment

by:ffleisma
ID: 39931533
For reference, here is the relevant configuration you have for the VPN set-up:

access-list outside_cryptomap extended permit ip 172.16.40.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list outside_cryptomap extended permit ip 172.16.40.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_cryptomap extended permit ip 172.16.40.0 255.255.255.0 172.16.25.0 255.255.255.0 

nat (inside,outside) source static NETWORK_OBJ_172.16.40.0_24 NETWORK_OBJ_172.16.40.0_24 destination static NETWORK_OBJ_192.168.5.0_24 NETWORK_OBJ_192.168.5.0_24 no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_172.16.40.0_24 NETWORK_OBJ_172.16.40.0_24 destination static OBJ_192.168.1.0 OBJ_192.168.1.0 no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_172.16.40.0_24 NETWORK_OBJ_172.16.40.0_24 destination static NETWORK_OBJ_172.16.25.0_24 NETWORK_OBJ_172.16.25.0_24 no-proxy-arp route-lookup

crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs group5
crypto map outside_map 1 set peer xxx.xxx.xxx.xxx
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5


However, I don't see any configuration relating to your permissive ACL.

ex:
access-group inside_access_in in interface inside

I'm guessing you are set up as default (allow all higher security to lower security).

I suspect an ACL issue, but to isolate any VPN issue, can you share the output of the following show command:

show crypto ipsec sa peer xxx.xxx.xxx.xxx

Please provide output from both sites and hopefully we can isolate where the issue is.
 

Author Comment

by:wayy2be
ID: 39931609
The VPN works fine, no issues there. I think it's NAT or ACL. What should the ACL look like, and why can the 192.168.5.0 get through without issue? How does the NAT look?
 
LVL 9

Expert Comment

by:ffleisma
ID: 39931659
These are your NAT statements and they look fine:
nat (inside,outside) source static NETWORK_OBJ_172.16.40.0_24 NETWORK_OBJ_172.16.40.0_24 destination static NETWORK_OBJ_192.168.5.0_24 NETWORK_OBJ_192.168.5.0_24 no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_172.16.40.0_24 NETWORK_OBJ_172.16.40.0_24 destination static OBJ_192.168.1.0 OBJ_192.168.1.0 no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_172.16.40.0_24 NETWORK_OBJ_172.16.40.0_24 destination static NETWORK_OBJ_172.16.25.0_24 NETWORK_OBJ_172.16.25.0_24 no-proxy-arp route-lookup



Basically these are identity NAT, meaning NAT to self; NAT-exempt is another acceptable term. I don't see any issue on the NAT, as these three statements are basically the same for each source subnet with varying destination address.

Your ACL should look something like this, as previously shown above, which I don't see in your configuration:

access-group inside_access_in in interface inside

This also leads me to assume you have a default any-any for higher security to lower security interface.

One thing: can you provide output for a packet trace? Run the following commands:

packet-tracer input inside tcp 172.16.40.10 80 192.168.5.10 80

and

packet-tracer input inside tcp 172.16.40.10 80 192.168.1.10 80

From the output we can infer which part is failing (ACL, NAT, VPN).
 
LVL 25

Expert Comment

by:Fred Marshall
ID: 39931746
Perhaps I can't read the configuration that well but I wonder:

It looks to me like there is an internal subnet 192.168.1.0
AND
It looks to me like there is an ACL for subnet 192.168.1.0

You likely know this but the subnets served at the ends of the VPN need to be different.
Because 192.168.1.0 is SO common, one generally doesn't want to use it at the "main" end of a network accessible over VPN.  This is more critical for client-to-site VPNs because there's no control over the remote subnets.  

I've seen client-to-site VPNs work with the same subnet at the ends but this still introduces IP conflicts in the sense that a file server at 192.168.1.10 can't communicate with a VPN client at 192.168.1.10 but the client CAN access 192.168.1.xxx where xxx<>10.
In general I would avoid the possibility by choosing a main site subnet that is either rather unique OR guaranteed to not conflict as can be the case with site-to-site VPNs.
 

Author Comment

by:wayy2be
ID: 39932151
The 192.168.1.0 network is one subnet on the internal LAN that is on the remote side, same location as the 192.168.5.0 and 172.16.25.0 subnets.  I am not sure I understand why 192.168.1.0 would pose an issue?
 

Author Comment

by:wayy2be
ID: 39932171
I don't have access to the ASA until Monday, but the ACLs on the remote site look like this:


access-list INSIDE_NONAT extended permit ip 192.168.5.0 255.255.255.0 172.16.40.0 255.255.255.0
access-list INSIDE_NONAT extended permit ip 192.168.1.0 255.255.255.0 172.16.40.0 255.255.255.0
access-list INSIDE_NONAT extended permit ip 172.16.25.0 255.255.255.0 172.16.40.0 255.255.255.0

access-list outside_3_cryptomap extended permit ip 192.168.5.0 255.255.255.0 172.16.40.0 255.255.255.0
access-list outside_3_cryptomap extended permit ip 172.16.25.0 255.255.255.0 172.16.40.0 255.255.255.0
access-list outside_3_cryptomap extended permit ip 192.168.1.0 255.255.255.0 172.16.40.0 255.255.255.0
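The three things this thread checks by eye can be checked mechanically: ffleisma's point that every crypto-map ACL entry needs an identity NAT (NAT-exempt) rule, the requirement that the remote peer's crypto ACL (posted just above) mirror the local one, and Fred Marshall's point that the subnets at the two ends of the tunnel must not overlap. The script below is an added example written for this page; it is not from the thread, from Cisco or from any of the participants. The two config excerpts are constructed from the lines posted above (not read from a device), and the parser only understands the `permit ip <addr> <mask> <addr> <mask>` form of ACL entries plus `object network` / `subnet` objects, which is all this config uses. On these excerpts the NAT and mirror checks come back clean, matching the thread's conclusion that the configuration was fine. The overlap check is extended to the ASA's own directly connected networks: because the posted inside interface is `172.16.40.254 255.255.0.0`, the whole of 172.16.0.0/16 is directly connected on the inside, so the remote subnet 172.16.25.0/24 is flagged. The thread never discusses reachability of 172.16.25.0, so treat that as an observation about the posted lines, not a diagnosis.

```python
# Consistency checks for an ASA site-to-site VPN config: each crypto-map ACL entry needs an
# identity NAT rule, the peer's crypto ACL should mirror ours, and remote subnets must not
# overlap a directly connected network. Added example; not code from the thread or Cisco.
import ipaddress
import re

# Constructed excerpt of the local config posted in the thread (not read from a device).
LOCAL_CONFIG = """
interface Vlan1
 ip address 172.16.40.254 255.255.0.0
object network NETWORK_OBJ_172.16.40.0_24
 subnet 172.16.40.0 255.255.255.0
object network NETWORK_OBJ_192.168.5.0_24
 subnet 192.168.5.0 255.255.255.0
object network NETWORK_OBJ_172.16.25.0_24
 subnet 172.16.25.0 255.255.255.0
object network OBJ_192.168.1.0
 subnet 192.168.1.0 255.255.255.0
access-list outside_cryptomap extended permit ip 172.16.40.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list outside_cryptomap extended permit ip 172.16.40.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_cryptomap extended permit ip 172.16.40.0 255.255.255.0 172.16.25.0 255.255.255.0
nat (inside,outside) source static NETWORK_OBJ_172.16.40.0_24 NETWORK_OBJ_172.16.40.0_24 destination static NETWORK_OBJ_192.168.5.0_24 NETWORK_OBJ_192.168.5.0_24 no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_172.16.40.0_24 NETWORK_OBJ_172.16.40.0_24 destination static OBJ_192.168.1.0 OBJ_192.168.1.0 no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_172.16.40.0_24 NETWORK_OBJ_172.16.40.0_24 destination static NETWORK_OBJ_172.16.25.0_24 NETWORK_OBJ_172.16.25.0_24 no-proxy-arp route-lookup
crypto map outside_map 1 match address outside_cryptomap
"""
# The remote peer's crypto ACL as posted later in the thread (constructed excerpt).
REMOTE_CRYPTO_ACL = """
access-list outside_3_cryptomap extended permit ip 192.168.5.0 255.255.255.0 172.16.40.0 255.255.255.0
access-list outside_3_cryptomap extended permit ip 172.16.25.0 255.255.255.0 172.16.40.0 255.255.255.0
access-list outside_3_cryptomap extended permit ip 192.168.1.0 255.255.255.0 172.16.40.0 255.255.255.0
"""

IPV4 = r"(\d+\.\d+\.\d+\.\d+)"
# Only the "permit ip <addr> <mask> <addr> <mask>" form is handled; object/any keywords are not.
ACL_RE = re.compile(rf"^access-list (\S+) extended permit ip {IPV4} {IPV4} {IPV4} {IPV4}$")
OBJ_RE = re.compile(r"^object network (\S+)$")
SUBNET_RE = re.compile(rf"^subnet {IPV4} {IPV4}$")
IP_RE = re.compile(rf"^ip address {IPV4} {IPV4}$")
NAT_RE = re.compile(r"^nat \(\S+,\S+\) source static (\S+) (\S+) destination static (\S+) (\S+)")
CRYPTO_MAP_RE = re.compile(r"^crypto map \S+ \d+ match address (\S+)$")

def lines(text):
    return [raw.strip() for raw in text.splitlines()]

def parse_objects(config):
    """Map 'object network' names to their subnets."""
    objs, current = {}, None
    for line in lines(config):
        if m := OBJ_RE.match(line):
            current = m.group(1)
        elif (m := SUBNET_RE.match(line)) and current:
            objs[current] = ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}")
    return objs

def parse_acls(text):
    """Map ACL name -> list of (source, destination) networks."""
    acls = {}
    for line in lines(text):
        if m := ACL_RE.match(line):
            name, sa, sm, da, dm = m.groups()
            acls.setdefault(name, []).append(
                (ipaddress.IPv4Network(f"{sa}/{sm}"), ipaddress.IPv4Network(f"{da}/{dm}")))
    return acls

def crypto_acl_entries(config):
    """Entries of every ACL referenced by a 'crypto map ... match address' line."""
    acls = parse_acls(config)
    return [e for line in lines(config) if (m := CRYPTO_MAP_RE.match(line))
            for e in acls.get(m.group(1), [])]

def identity_nat_pairs(config):
    """(source, destination) pairs exempt from NAT: real and mapped objects are identical."""
    objs, pairs = parse_objects(config), set()
    for line in lines(config):
        if m := NAT_RE.match(line):
            real_src, mapped_src, real_dst, mapped_dst = m.groups()
            if real_src == mapped_src and real_dst == mapped_dst and real_src in objs and real_dst in objs:
                pairs.add((objs[real_src], objs[real_dst]))
    return pairs

def missing_nat_exemption(config):
    """Crypto ACL entries no identity NAT pair covers (they would fall through to later NAT rules)."""
    exempt = identity_nat_pairs(config)
    return [(s, d) for s, d in crypto_acl_entries(config)
            if not any(s.subnet_of(es) and d.subnet_of(ed) for es, ed in exempt)]

def unmirrored_entries(config, remote_acl_text):
    """Local crypto ACL entries the remote crypto ACL does not list reversed as (dst, src)."""
    remote = {e for entries in parse_acls(remote_acl_text).values() for e in entries}
    return [(s, d) for s, d in crypto_acl_entries(config) if (d, s) not in remote]

def overlapping_remote_subnets(config):
    """Remote (destination) subnets that overlap one of our directly connected networks."""
    connected = [ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}").network
                 for line in lines(config) if (m := IP_RE.match(line))]
    return sorted(str(d) for _, d in set(crypto_acl_entries(config)) if any(d.overlaps(c) for c in connected))

if __name__ == "__main__":
    print("crypto ACL entries without identity NAT:", missing_nat_exemption(LOCAL_CONFIG))
    print("entries the remote crypto ACL does not mirror:", unmirrored_entries(LOCAL_CONFIG, REMOTE_CRYPTO_ACL))
    print("remote subnets overlapping our connected networks:", overlapping_remote_subnets(LOCAL_CONFIG))
```

To see what a real NAT gap looks like, delete the `nat ... OBJ_192.168.1.0 OBJ_192.168.1.0 ...` line from `LOCAL_CONFIG`: `missing_nat_exemption` then returns the 172.16.40.0/24 to 192.168.1.0/24 entry, which is the condition the thread was trying to rule out before the hosts-file entry turned out to be the cause.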
 
LVL 9

Expert Comment

by:ffleisma
ID: 39932294
Again, can you try and run the following trace? This will help in troubleshooting your issue.

packet-tracer input inside tcp 172.16.40.10 80 192.168.5.10 80

and

packet-tracer input inside tcp 172.16.40.10 80 192.168.1.10 80

This will give us an idea of where the traffic is failing.
 

Author Comment

by:wayy2be
ID: 39934477
The trace says that the flow to 192.168.1.0 is denied by configured rule.
 
LVL 9

Expert Comment

by:ffleisma
ID: 39934718
Then most likely the issue is the ACL.

Can you provide the output of the following show commands:

show run | inc access-group

show run | inc access_in
 

Accepted Solution

by:wayy2be
ID: 39935348
I figured this out. The issue here is not the configuration. It was a bad entry in the hosts file on the PC connected to the ASA. I had Cisco look at the configuration and they said it was clean and nothing in the configuration would cause this issue. Once I removed the bad entry from the hosts file, I was able to get to the resources on the subnets in question without issue.
 

Author Closing Comment

by:wayy2be
ID: 39947245
I figured this issue out myself.