[c-nsp] ASA5520, can't pass traffic over ipsec tunnel between Cisco client and inside network?

Randy randy_94108 at yahoo.com
Fri Aug 7 18:15:12 EDT 2009


Hi Scott,
...at first pass -
have you *exempted* your vpn pool<->split-tunnel subnets from NAT on the appropriate interfaces?
Regards,
./Randy


--- On Fri, 8/7/09, Scott Granados <gsgranados at comcast.net> wrote:


From: Scott Granados <gsgranados at comcast.net>
Subject: [c-nsp] ASA5520, can't pass traffic over ipsec tunnel between Cisco client and inside network?
To: cisco-nsp at puck.nether.net
Date: Friday, August 7, 2009, 1:47 PM


Hi, I'm having difficulties configuring VPN tunnels between a PC with the Cisco VPN client (Windows XP) and an ASA5520.

BACKGROUND

I have an ASA5520 with a public interface of 206.x.x.232 and an inside address of 10.18.14.6.  The outside interface is connected to the public internet directly, the inside interface is attached to a switch with layer 3 capabilities and has an address of 10.18.14.1/24.  The default route is pointed to the public Internet gateway and the 10.18.0.0/16 network is routed via the 10.18.14.1 inside address.  The VPN device is running version 7 software (according to the VPN client log file).

PROBLEM


When I initiate a connection from the PC to the public facing interface over an external network, the session authenticates and reports connected, and the client is assigned an address from the correct pool, but I'm not able to pass traffic.  Looking at the stats, the routes learned appear (10.18.0.0/16), or whatever routes I added to the split-tunnel network list.  I do notice that the tunnel stats do not show the encrypted packet count increasing, so I assume I'm not tagging something correctly or the ASA is confused about what to encrypt.  I've been using the Cisco ASA configuration examples as a starting point but think I'm missing the point somewhere.  Any pointers would be appreciated; config tidbits follow.

split-tunnel ACL

access-list vpn-nets standard permit 10.1.0.0 255.255.0.0
access-list vpn-nets standard permit 10.11.0.0 255.255.0.0
access-list vpn-nets standard permit 10.18.0.0 255.255.0.0
access-list vpn-nets standard permit 10.64.0.0 255.255.0.0
access-list vpn-nets standard permit 10.66.0.0 255.255.0.0

local pool definition
ip local pool VPRN-team-vpn-pool1 10.18.14.96-10.18.14.127 mask 255.255.255.0

STATIC ROUTES
route outside 0.0.0.0 0.0.0.0 206.x.x.225 1
route inside 10.66.0.0 255.255.0.0 10.18.14.1 1
route inside 10.11.0.0 255.255.0.0 10.18.14.1 1
route inside 10.64.0.0 255.255.0.0 10.18.14.1 1
route inside 10.1.0.0 255.255.0.0 10.18.14.1 1
route inside 10.18.0.0 255.255.0.0 10.18.14.1 1

GROUP POLICY DEFINITION

group-policy VPRN-team-policy internal
group-policy VPRN-team-policy attributes
banner value This is a private network connection for XXX authorized users only.  If you do not have explicit permission from the XXX Network Services department you must disconnect now.
banner value Thank you,
banner value Network Services
banner value 415.xxx.xxxx
wins-server value 10.18.1.14 10.18.1.15
dns-server value 10.18.1.14 10.18.1.15
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 1
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec
password-storage disable
ip-comp enable
re-xauth disable
group-lock none
pfs disable
ipsec-udp enable
ipsec-udp-port 10000
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpn-nets
default-domain value MY-COMPANY.COM
split-dns none
secure-unit-authentication disable
user-authentication enable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers 206.x.x.233
client-firewall opt cisco-integrated acl-in FWBlockIn acl-out FWAllowAnyOut
webvpn
functions none

tunnel-group VPRN-team type ipsec-ra
tunnel-group VPRN-team general-attributes
address-pool VPRN-team-vpn-pool1
authentication-server-group my_authent_grp
default-group-policy VPRN-team-policy
tunnel-group VPRN-team ipsec-attributes
pre-shared-key *

CRYPTO MAP and ISAKMP

crypto ipsec transform-set vpn-transform1 esp-3des esp-sha-hmac
crypto dynamic-map dynmap1 10 set transform-set vpn-transform1
crypto dynamic-map dynmap1 10 set reverse-route
crypto map vpnmap 10 ipsec-isakmp dynamic dynmap1
crypto map vpnmap interface outside
isakmp enable outside
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption aes
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 28800
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 1000
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 10000
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 30 lifetime 10000
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash sha
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
isakmp nat-traversal  20
isakmp reload-wait


_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
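Editor's note: the NAT exemption Randy points at is the piece missing from the posted config. The fragment below is an added example written for this page, not text from either poster, and is not a fix that the thread confirms. It assumes the pre-8.3 ASA syntax the poster's 7.x code is using (the 8.3+ equivalent follows it), and the ACL, object and object-group names (vpn-nonat, vpn-pool, inside-nets) are made up for the example. The pool 10.18.14.96-127 is the /27 10.18.14.96 255.255.255.224; the inside networks are the five /16s from the split-tunnel list.

```cisco
! Added example (not from the original thread). Pre-8.3 syntax.
! Traffic from the inside networks towards the VPN pool must be exempted
! from NAT on the interface it enters (inside), otherwise the reply never
! matches the client's proxy identity and is never encrypted back to it.
access-list vpn-nonat extended permit ip 10.1.0.0 255.255.0.0 10.18.14.96 255.255.255.224
access-list vpn-nonat extended permit ip 10.11.0.0 255.255.0.0 10.18.14.96 255.255.255.224
access-list vpn-nonat extended permit ip 10.18.0.0 255.255.0.0 10.18.14.96 255.255.255.224
access-list vpn-nonat extended permit ip 10.64.0.0 255.255.0.0 10.18.14.96 255.255.255.224
access-list vpn-nonat extended permit ip 10.66.0.0 255.255.0.0 10.18.14.96 255.255.255.224
nat (inside) 0 access-list vpn-nonat
!
! Let decrypted client traffic bypass the outside interface ACL.
! 7.0 spells this "sysopt connection permit-ipsec"; later 7.x and 8.x use:
sysopt connection permit-vpn
!
! Verification: with a ping from the client to an inside host running,
! both counters should rise. "#pkts decaps" rising while "#pkts encaps"
! stays at zero is the signature of missing NAT exemption or a return-path
! routing problem.
!   show crypto ipsec sa
!   show xlate | include 10.18.14.
!
! ---- Same exemption on ASA 8.3 and later (twice NAT), for reference ----
object network vpn-pool
 subnet 10.18.14.96 255.255.255.224
object-group network inside-nets
 network-object 10.1.0.0 255.255.0.0
 network-object 10.11.0.0 255.255.0.0
 network-object 10.18.0.0 255.255.0.0
 network-object 10.64.0.0 255.255.0.0
 network-object 10.66.0.0 255.255.0.0
nat (inside,outside) source static inside-nets inside-nets destination static vpn-pool vpn-pool no-proxy-arp route-lookup
```

Two caveats a practitioner would check alongside the exemption. First, the pool lives inside the inside interface's own 10.18.14.0/24, so hosts and the L3 switch ARP for 10.18.14.96-127 on that VLAN and return traffic depends on the ASA answering for those addresses; a dedicated pool subnet, routed to 10.18.14.6 on the switch, removes that dependency and is the more robust design (if the pool is moved, the exemption ACL and object must follow it). Second, if the client reaches the ASA over another NAT device, the `isakmp nat-traversal` already in the config will carry ESP in UDP/4500; `ipsec-udp` on port 10000 is the older Cisco-proprietary encapsulation and only one of the two is used per session.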