[c-nsp] ASA5520, can't pass traffic over ipsec tunnel between Cisco client and inside network?

Scott Granados gsgranados at comcast.net
Fri Aug 7 16:47:27 EDT 2009


Hi, I'm having difficulties configuring VPN tunnels between a PC with the 
Cisco VPN client (Windows XP) and an ASA5520.

BACKGROUND

I have an ASA5520 with a public interface of 206.x.x.232 and an inside 
address of 10.18.14.6.  The outside interface is connected to the public 
internet directly, the inside interface is attached to a switch with layer 3 
capabilities and has an address of 10.18.14.1/24.  The default route is 
pointed to the public Internet gateway and the 10.18.0.0/16 network is 
routed via the 10.18.14.1 inside address.  The VPN device is running version 
7 software (according to the VPN client log file).

PROBLEM

When I initiate a connection from the PC to the public-facing interface 
over an external network the session authenticates and reports connected, 
the client is assigned an address from the correct pool, but I'm not able to 
pass traffic.  Looking at the stats the routes learned appear (10.18.0.0/16) 
or whatever routes I added to the split-tunnel network list.  I do notice 
that the tunnel stats do not show the encrypted packet count increasing so I 
assume I'm not tagging something correctly or the ASA is confused about what 
to encrypt. I've been using the Cisco ASA configuration examples as a 
starting point but think I'm missing the point somewhere.  Any pointers 
would be appreciated, config tidbits follow.

split-tunnel ACL

access-list vpn-nets standard permit 10.1.0.0 255.255.0.0
access-list vpn-nets standard permit 10.11.0.0 255.255.0.0
access-list vpn-nets standard permit 10.18.0.0 255.255.0.0
access-list vpn-nets standard permit 10.64.0.0 255.255.0.0
access-list vpn-nets standard permit 10.66.0.0 255.255.0.0

local pool definition
ip local pool VPRN-team-vpn-pool1 10.18.14.96-10.18.14.127 mask 255.255.255.0

STATIC ROUTES
route outside 0.0.0.0 0.0.0.0 206.x.x.225 1
route inside 10.66.0.0 255.255.0.0 10.18.14.1 1
route inside 10.11.0.0 255.255.0.0 10.18.14.1 1
route inside 10.64.0.0 255.255.0.0 10.18.14.1 1
route inside 10.1.0.0 255.255.0.0 10.18.14.1 1
route inside 10.18.0.0 255.255.0.0 10.18.14.1 1

GROUP POLICY DEFINITION

group-policy VPRN-team-policy internal
group-policy VPRN-team-policy attributes
 banner value This is a private network connection for XXX authorized users only.  If you do not have explicit permission from the XXX Network Services department you must disconnect now.
 banner value Thank you,
 banner value Network Services
 banner value 415.xxx.xxxx
 wins-server value 10.18.1.14 10.18.1.15
 dns-server value 10.18.1.14 10.18.1.15
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 1
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec
 password-storage disable
 ip-comp enable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp enable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpn-nets
 default-domain value MY-COMPANY.COM
 split-dns none
 secure-unit-authentication disable
 user-authentication enable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers 206.x.x.233
 client-firewall opt cisco-integrated acl-in FWBlockIn acl-out FWAllowAnyOut
 webvpn
  functions none

tunnel-group VPRN-team type ipsec-ra
tunnel-group VPRN-team general-attributes
 address-pool VPRN-team-vpn-pool1
 authentication-server-group my_authent_grp
 default-group-policy VPRN-team-policy
tunnel-group VPRN-team ipsec-attributes
 pre-shared-key *

CRYPTO MAP and ISAKMP

crypto ipsec transform-set vpn-transform1 esp-3des esp-sha-hmac
crypto dynamic-map dynmap1 10 set transform-set vpn-transform1
crypto dynamic-map dynmap1 10 set reverse-route
crypto map vpnmap 10 ipsec-isakmp dynamic dynmap1
crypto map vpnmap interface outside
isakmp enable outside
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption aes
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 28800
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 1000
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 10000
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 30 lifetime 10000
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash sha
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
isakmp nat-traversal 20
isakmp reload-wait




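Two things a practitioner would check in the posted config before touching the crypto are visible in the snippets above: the local pool 10.18.14.96-127 sits inside the inside interface's own 10.18.14.0/24, so hosts on that segment (and the L3 switch at 10.18.14.1) ARP for client addresses directly and return traffic reaches the ASA only if it answers those ARP requests rather than following a route; and whether every split-tunnel network actually has a route on the ASA. The script below is an added example, not code from the original post or from Cisco: it parses the posted pool, route and split-tunnel lines with Python's ipaddress module and reports both checks. The interface stanza is reconstructed from the prose (10.18.14.6 on a /24) and is an assumption, and the masked outside default route is omitted because its next hop is not known.

```python
import ipaddress
import re

# Constructed sample input: the pool, route and split-tunnel lines as posted,
# plus an interface stanza reconstructed from the prose (inside address
# 10.18.14.6 on a /24). The post does not show the interface config, so that
# part is an assumption. The masked outside default route (206.x.x.225) is
# left out because its next hop is not known.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 nameif inside
 ip address 10.18.14.6 255.255.255.0
access-list vpn-nets standard permit 10.1.0.0 255.255.0.0
access-list vpn-nets standard permit 10.11.0.0 255.255.0.0
access-list vpn-nets standard permit 10.18.0.0 255.255.0.0
access-list vpn-nets standard permit 10.64.0.0 255.255.0.0
access-list vpn-nets standard permit 10.66.0.0 255.255.0.0
ip local pool VPRN-team-vpn-pool1 10.18.14.96-10.18.14.127 mask 255.255.255.0
route inside 10.66.0.0 255.255.0.0 10.18.14.1 1
route inside 10.11.0.0 255.255.0.0 10.18.14.1 1
route inside 10.64.0.0 255.255.0.0 10.18.14.1 1
route inside 10.1.0.0 255.255.0.0 10.18.14.1 1
route inside 10.18.0.0 255.255.0.0 10.18.14.1 1
"""


def parse_config(text):
    """Pull interfaces, standard ACLs, local pools and static routes out of ASA config text."""
    cfg = {"interfaces": {}, "acls": {}, "pools": {}, "routes": []}
    nameif = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            nameif = None  # new stanza; its nameif comes on a later line
        elif (m := re.match(r"nameif (\S+)$", line)):
            nameif = m.group(1)
        elif (m := re.match(r"ip address (\S+) (\S+)$", line)) and nameif:
            cfg["interfaces"][nameif] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
        elif (m := re.match(r"access-list (\S+) standard permit (\S+) (\S+)$", line)):
            cfg["acls"].setdefault(m.group(1), []).append(
                ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}"))
        elif (m := re.match(r"ip local pool (\S+) (\S+)-(\S+) mask (\S+)$", line)):
            cfg["pools"][m.group(1)] = (ipaddress.ip_address(m.group(2)),
                                        ipaddress.ip_address(m.group(3)))
        elif (m := re.match(r"route (\S+) (\S+) (\S+) (\S+)(?: \d+)?$", line)):
            cfg["routes"].append((m.group(1),
                                  ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}"),
                                  ipaddress.ip_address(m.group(4))))
    return cfg


def pool_overlaps_interface(cfg, pool, nameif="inside"):
    """True when the pool lies inside the connected subnet of `nameif`.

    Hosts on that segment then ARP for client addresses directly, so return
    traffic reaches the ASA only if it answers those ARP requests; a pool on a
    subnet of its own is reached through a route instead.
    """
    first, last = cfg["pools"][pool]
    connected = cfg["interfaces"][nameif].network
    return first in connected or last in connected


def unrouted_split_networks(cfg, acl):
    """Split-tunnel networks with no static route or connected subnet covering them."""
    covered = [net for _, net, _ in cfg["routes"]]
    covered += [iface.network for iface in cfg["interfaces"].values()]
    return [net for net in cfg["acls"][acl]
            if not any(net.subnet_of(c) for c in covered)]


def static_routes_covering_pool(cfg, pool):
    """Static routes whose prefix also contains the pool addresses.

    These point client return traffic at the inside segment; the per-client
    host route that `set reverse-route` installs is what overrides them.
    """
    first, last = cfg["pools"][pool]
    return [r for r in cfg["routes"] if first in r[1] or last in r[1]]


def report(cfg, pool, acl, nameif="inside"):
    """Human-readable findings, one per line."""
    lines = []
    first, last = cfg["pools"][pool]
    if pool_overlaps_interface(cfg, pool, nameif):
        lines.append(f"pool {first}-{last} overlaps the {nameif} subnet "
                     f"{cfg['interfaces'][nameif].network}; return traffic relies on ARP, not a route")
    for net in unrouted_split_networks(cfg, acl):
        lines.append(f"split-tunnel network {net} has no route on the ASA")
    for iface, net, nh in static_routes_covering_pool(cfg, pool):
        lines.append(f"route {iface} {net} via {nh} also covers the pool")
    return lines


if __name__ == "__main__":
    for finding in report(parse_config(SAMPLE_CONFIG), "VPRN-team-vpn-pool1", "vpn-nets"):
        print(finding)
```

On the posted config this reports the pool overlap and that the 10.18.0.0/16 route via 10.18.14.1 also covers the pool; every split-tunnel network has a matching route. The snippets do not include the nat or sysopt configuration, so whether traffic between inside and the pool is exempted from NAT and permitted past the interface ACLs cannot be checked from the page and is the next thing to confirm on the box.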