[c-nsp] ASA5520, can't pass traffic over ipsec tunnel between Cisco client and inside network?
Scott Granados
gsgranados at comcast.net
Fri Aug 7 19:12:01 EDT 2009
Hi, so the client is attached directly to a Sprint air card or directly to a cable Internet connection with a real IP address. I have UDP 10000 defined in the group policy and see that port being used in the client logs.
Thanks
Scott
----- Original Message -----
From: Randy
To: Rob Gilreath ; cisco-nsp at puck.nether.net ; Scott Granados
Sent: Friday, August 07, 2009 3:40 PM
Subject: Re: [c-nsp] ASA5520, can't pass traffic over ipsec tunnel between Cisco client and inside network?
NAT entries are not required as long as *nat-control* is not enabled. I can't recall the default, but you can verify your setup: sh run nat-control.
The PC in question wouldn't happen to be behind a firewall and using an RFC 1918 address in the 10.x space as well? Also, is NAT-T (IPsec/UDP port 10000) enabled on the client?
--- On Fri, 8/7/09, Scott Granados <gsgranados at comcast.net> wrote:
From: Scott Granados <gsgranados at comcast.net>
Subject: Re: [c-nsp] ASA5520, can't pass traffic over ipsec tunnel between Cisco client and inside network?
To: "Rob Gilreath" <rgilreath at hbs.net>, cisco-nsp at puck.nether.net
Date: Friday, August 7, 2009, 2:51 PM
I actually don't have any NAT entries because I didn't think I needed any, what with this not being used for anything but VPN. Is this incorrect?
----- Original Message -----
From: "Rob Gilreath" <rgilreath at hbs.net>
To: <cisco-nsp at puck.nether.net>
Cc: "Scott Granados" <gsgranados at comcast.net>
Sent: Friday, August 07, 2009 2:35 PM
Subject: Re: [c-nsp] ASA5520, can't pass traffic over ipsec tunnel between Cisco client and inside network?
>
> Is your nat 0 exception setup?
>
> Send the config lines starting with nat as well.
>
>
>
> On Friday 07 August 2009 03:47:27 pm Scott Granados wrote:
>> Hi, I'm having difficulties configuring VPN tunnels between a PC with the
>> Cisco VPN client (Windows XP) and an ASA5520.
>>
>> BACKGROUND
>>
>> I have an ASA5520 with a public interface of 206.x.x.232 and an inside
>> address of 10.18.14.6. The outside interface is connected to the public
>> internet directly, the inside interface is attached to a switch with layer
>> 3 capabilities and has an address of 10.18.14.1/24. The default route is
>> pointed to the public Internet gateway and the 10.18.0.0/16 network is
>> routed via the 10.18.14.1 inside address. The VPN device is running
>> version 7 software (according to the VPN client log file).
>>
>> PROBLEM
>>
>>
>> When I initiate a connection from the PC to the public facing interface
>> over an external network, the session authenticates and reports connected
>> and the client is assigned an address from the correct pool, but I'm not
>> able to pass traffic. Looking at the stats, the routes learned appear
>> (10.18.0.0/16), or whatever routes I added to the split-tunnel network
>> list. I do notice that the tunnel stats do not show the encrypted packet
>> count increasing, so I assume I'm not tagging something correctly or the ASA
>> is confused about what to encrypt. I've been using the Cisco ASA
>> configuration examples as a starting point but think I'm missing the point
>> somewhere. Any pointers would be appreciated; config tidbits follow.
>>
>> split-tunnel ACL
>>
>> access-list vpn-nets standard permit 10.1.0.0 255.255.0.0
>> access-list vpn-nets standard permit 10.11.0.0 255.255.0.0
>> access-list vpn-nets standard permit 10.18.0.0 255.255.0.0
>> access-list vpn-nets standard permit 10.64.0.0 255.255.0.0
>> access-list vpn-nets standard permit 10.66.0.0 255.255.0.0
>>
>> local pool definition
>> ip local pool VPRN-team-vpn-pool1 10.18.14.96-10.18.14.127 mask 255.255.255.0
>>
>> STATIC ROUTES
>> route outside 0.0.0.0 0.0.0.0 206.x.x.225 1
>> route inside 10.66.0.0 255.255.0.0 10.18.14.1 1
>> route inside 10.11.0.0 255.255.0.0 10.18.14.1 1
>> route inside 10.64.0.0 255.255.0.0 10.18.14.1 1
>> route inside 10.1.0.0 255.255.0.0 10.18.14.1 1
>> route inside 10.18.0.0 255.255.0.0 10.18.14.1 1
>>
>> GROUP POLICY DEFINITION
>>
>> group-policy VPRN-team-policy internal
>> group-policy VPRN-team-policy attributes
>> banner value This is a private network connection for XXX authorized users only. If you do not have explicit permission from the XXX Network Services department you must disconnect now.
>> banner value Thank you,
>> banner value Network Services
>> banner value 415.xxx.xxxx
>> wins-server value 10.18.1.14 10.18.1.15
>> dns-server value 10.18.1.14 10.18.1.15
>> dhcp-network-scope none
>> vpn-access-hours none
>> vpn-simultaneous-logins 1
>> vpn-idle-timeout 30
>> vpn-session-timeout none
>> vpn-filter none
>> vpn-tunnel-protocol IPSec
>> password-storage disable
>> ip-comp enable
>> re-xauth disable
>> group-lock none
>> pfs disable
>> ipsec-udp enable
>> ipsec-udp-port 10000
>> split-tunnel-policy tunnelspecified
>> split-tunnel-network-list value vpn-nets
>> default-domain value MY-COMPANY.COM
>> split-dns none
>> secure-unit-authentication disable
>> user-authentication enable
>> user-authentication-idle-timeout 30
>> ip-phone-bypass disable
>> leap-bypass disable
>> nem disable
>> backup-servers 206.x.x.233
>> client-firewall opt cisco-integrated acl-in FWBlockIn acl-out FWAllowAnyOut
>> webvpn
>> functions none
>>
>> tunnel-group VPRN-team type ipsec-ra
>> tunnel-group VPRN-team general-attributes
>> address-pool VPRN-team-vpn-pool1
>> authentication-server-group my_authent_grp
>> default-group-policy VPRN-team-policy
>> tunnel-group VPRN-team ipsec-attributes
>> pre-shared-key *
>>
>> CRYPTO MAP and ISAKMP
>>
>> crypto ipsec transform-set vpn-transform1 esp-3des esp-sha-hmac
>> crypto dynamic-map dynmap1 10 set transform-set vpn-transform1
>> crypto dynamic-map dynmap1 10 set reverse-route
>> crypto map vpnmap 10 ipsec-isakmp dynamic dynmap1
>> crypto map vpnmap interface outside
>> isakmp enable outside
>> isakmp policy 1 authentication pre-share
>> isakmp policy 1 encryption aes
>> isakmp policy 1 hash sha
>> isakmp policy 1 group 2
>> isakmp policy 1 lifetime 28800
>> isakmp policy 10 authentication pre-share
>> isakmp policy 10 encryption 3des
>> isakmp policy 10 hash sha
>> isakmp policy 10 group 2
>> isakmp policy 10 lifetime 1000
>> isakmp policy 20 authentication pre-share
>> isakmp policy 20 encryption 3des
>> isakmp policy 20 hash md5
>> isakmp policy 20 group 2
>> isakmp policy 20 lifetime 10000
>> isakmp policy 30 authentication pre-share
>> isakmp policy 30 encryption 3des
>> isakmp policy 30 hash sha
>> isakmp policy 30 group 2
>> isakmp policy 30 lifetime 10000
>> isakmp policy 40 authentication pre-share
>> isakmp policy 40 encryption 3des
>> isakmp policy 40 hash sha
>> isakmp policy 40 group 2
>> isakmp policy 40 lifetime 86400
>> isakmp nat-traversal 20
>> isakmp reload-wait
>>
>>
>> _______________________________________________
>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
>
> -- Rob Gilreath
> Systems Engineer - CCNP, CCDP
> Heartland Business Systems
> rgilreath at hbs.net
> (920) 850-3018
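A small audit of the config quoted in this thread, as an added Python example (not from the thread, Cisco, or the list): it parses the quoted pool and split-tunnel ACL lines, applies Rob's "nat 0 exemption" question and Randy's nat-control caveat, and additionally flags the pool sitting inside the inside interface's 10.18.14.0/24, which the thread itself does not raise. The "nonat" ACL and the nat (inside) 0 line are constructed assumptions; the inside subnet is taken from the original post's prose.

```python
import ipaddress

# Constructed sample: the ACL/pool lines quoted in the thread plus a hypothetical
# "nonat" exemption ACL (not in the thread) covering only one split-tunnel network.
SAMPLE_CONFIG = """
access-list vpn-nets standard permit 10.1.0.0 255.255.0.0
access-list vpn-nets standard permit 10.18.0.0 255.255.0.0
access-list vpn-nets standard permit 10.64.0.0 255.255.0.0
ip local pool VPRN-team-vpn-pool1 10.18.14.96-10.18.14.127 mask 255.255.255.0
access-list nonat extended permit ip 10.18.0.0 255.255.0.0 10.18.14.96 255.255.255.224
nat (inside) 0 access-list nonat
"""
INSIDE_SUBNET = ipaddress.ip_network("10.18.14.0/24")  # from the post's prose

def parse_config(text):
    # Pull out the pool range, standard/extended ACLs and any nat (inside) 0 line.
    cfg = {"pool": None, "std_acl": {}, "ext_acl": {}, "nat0": None}
    for line in text.splitlines():
        w = line.split()
        if w[:3] == ["ip", "local", "pool"]:
            first, last = w[4].split("-")
            cfg["pool"] = (ipaddress.ip_address(first), ipaddress.ip_address(last))
        elif w[:1] == ["access-list"] and w[2] == "standard":  # ipaddress takes dotted masks
            cfg["std_acl"].setdefault(w[1], []).append(ipaddress.ip_network(f"{w[4]}/{w[5]}"))
        elif w[:1] == ["access-list"] and w[2] == "extended":
            src, dst = ipaddress.ip_network(f"{w[5]}/{w[6]}"), ipaddress.ip_network(f"{w[7]}/{w[8]}")
            cfg["ext_acl"].setdefault(w[1], []).append((src, dst))
        elif w[:3] == ["nat", "(inside)", "0"]:
            cfg["nat0"] = w[4]
    return cfg

def audit(cfg, inside_subnet, split_acl, nat_control):
    # Findings a reviewer of the thread's config would raise; the NAT checks mirror
    # Rob's "nat 0 exemption" question and Randy's nat-control caveat.
    findings = []
    first, last = cfg["pool"]
    if first in inside_subnet or last in inside_subnet:
        findings.append("pool overlaps the inside subnet: inside hosts ARP for client "
                        "addresses, so replies depend on the ASA proxy-ARPing on inside "
                        "(verify sysopt noproxyarp is not set there)")
    if not nat_control:          # no NAT entries needed at all in this case
        return findings
    if cfg["nat0"] is None:      # nat-control on and nothing exempts VPN traffic
        findings.append("nat-control is on but there is no nat (inside) 0 exemption")
        return findings
    rules = cfg["ext_acl"].get(cfg["nat0"], [])
    for net in cfg["std_acl"].get(split_acl, []):  # every split-tunnel net must be exempt
        if not any(net.subnet_of(s) and first in d and last in d for s, d in rules):
            findings.append(f"no NAT exemption from {net} to the VPN pool")
    return findings
```

Run audit(parse_config(SAMPLE_CONFIG), INSIDE_SUBNET, "vpn-nets", True) against the sample to see the overlap finding plus the two split-tunnel networks the hypothetical nonat ACL misses.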