[c-nsp] ASA5520, can't pass traffic over ipsec tunnel between Cisco client and inside network?

Randy randy_94108 at yahoo.com
Fri Aug 7 18:40:56 EDT 2009


..NAT entries are not required as long as *nat-control* is not enabled. I can't recall the default but you can verify your setup - sh run nat-control.
The PC in question wouldn't happen to be behind a firewall and using an rfc1918 addr. on the 10.x space as well ? Also, NAT-T (ipsec/UDP port 10,000 is enabled on the client?
--- On Fri, 8/7/09, Scott Granados <gsgranados at comcast.net> wrote:


From: Scott Granados <gsgranados at comcast.net>
Subject: Re: [c-nsp] ASA5520, can't pass traffic over ipsec tunnel between Cisco client and inside network?
To: "Rob Gilreath" <rgilreath at hbs.net>, cisco-nsp at puck.nether.net
Date: Friday, August 7, 2009, 2:51 PM


I actually don't have any nat entries because I didn't think I needed any what with this not being used for anything but VPN, is this incorrect?

----- Original Message ----- From: "Rob Gilreath" <rgilreath at hbs.net>
To: <cisco-nsp at puck.nether.net>
Cc: "Scott Granados" <gsgranados at comcast.net>
Sent: Friday, August 07, 2009 2:35 PM
Subject: Re: [c-nsp] ASA5520, can't pass traffic over ipsec tunnel between Cisco client and inside network?


> 
> Is your nat 0 exception setup?
> 
> Send the config lines starting with nat as well.
> 
> 
> 
> On Friday 07 August 2009 03:47:27 pm Scott Granados wrote:
>> Hi, I'm having difficulties configuring VPN tunnels between a PC with the
>> Cisco VPN client (windows XP) and an ASA5520.
>> 
>> BACKGROUND
>> 
>> I have an ASA5520 with a public interface of 206.x.x.232 and an inside
>> address of 10.18.14.6.  The outside interface is connected to the public
>> internet directly, the inside interface is attached to a switch with layer
>> 3 capabilities and has an address of 10.18.14.1/24.  The default route is
>> pointed to the public Internet gateway and the 10.18.0.0/16 network is
>> routed via the 10.18.14.1 inside address.  The VPN device is running
>> version 7 software (according to the VPN client log file).
>> 
>> PROBLEM
>> 
>> 
>>     When I initiate a connection from the PC to the public facing interface
>> over an external network the session authenticates and reports connected,
>> the client is assigned an address from the correct pool, but I'm not able
>> to pass traffic.  Looking at the stats the routes learned appear
>> (10.18.0.0/16) or what ever routes I added to the split-tunnel network
>> list.  I do notice that the tunnel stats do not show the encrypted packet
>> count increasing so I assume I'm not tagging something correctly or the ASA
>> is confused about what to encrypt. I've been using the Cisco ASA
>> configuration examples as a starting point but think I'm missing the point
>> somewhere.  Any pointers would be appreciated, config tidbits follow.
>> 
>> split-tunnel ACL
>> 
>> access-list vpn-nets standard permit 10.1.0.0 255.255.0.0
>> access-list vpn-nets standard permit 10.11.0.0 255.255.0.0
>> access-list vpn-nets standard permit 10.18.0.0 255.255.0.0
>> access-list vpn-nets standard permit 10.64.0.0 255.255.0.0
>> access-list vpn-nets standard permit 10.66.0.0 255.255.0.0
>> 
>> local pool definition
>> ip local pool VPRN-team-vpn-pool1 10.18.14.96-10.18.14.127 mask
>> 255.255.255.0
>> 
>> STATIC ROUTES
>> route outside 0.0.0.0 0.0.0.0 206.x.x.225 1
>> route inside 10.66.0.0 255.255.0.0 10.18.14.1 1
>> route inside 10.11.0.0 255.255.0.0 10.18.14.1 1
>> route inside 10.64.0.0 255.255.0.0 10.18.14.1 1
>> route inside 10.1.0.0 255.255.0.0 10.18.14.1 1
>> route inside 10.18.0.0 255.255.0.0 10.18.14.1 1
>> 
>> GROUP POLICY DEFINITION
>> 
>> group-policy VPRN-team-policy internal
>> group-policy VPRN-team-policy attributes
>>  banner value This is a private network connection for XXX authorized users
>> only.  If you do not have explicit permission from the XXX Network Services
>> department you must disconnect now.
>>  banner value Thank you,
>>  banner value Network Services
>>  banner value 415.xxx.xxxx
>>  wins-server value 10.18.1.14 10.18.1.15
>>  dns-server value 10.18.1.14 10.18.1.15
>>  dhcp-network-scope none
>>  vpn-access-hours none
>>  vpn-simultaneous-logins 1
>>  vpn-idle-timeout 30
>>  vpn-session-timeout none
>>  vpn-filter none
>>  vpn-tunnel-protocol IPSec
>>  password-storage disable
>>  ip-comp enable
>>  re-xauth disable
>>  group-lock none
>>  pfs disable
>>  ipsec-udp enable
>>  ipsec-udp-port 10000
>>  split-tunnel-policy tunnelspecified
>>  split-tunnel-network-list value vpn-nets
>>  default-domain value MY-COMPANY.COM
>>  split-dns none
>>  secure-unit-authentication disable
>>  user-authentication enable
>>  user-authentication-idle-timeout 30
>>  ip-phone-bypass disable
>>  leap-bypass disable
>>  nem disable
>>  backup-servers 206.x.x.233
>>  client-firewall opt cisco-integrated acl-in FWBlockIn acl-out
>> FWAllowAnyOut webvpn
>>   functions none
>> 
>> tunnel-group VPRN-team type ipsec-ra
>> tunnel-group VPRN-team general-attributes
>>  address-pool VPRN-team-vpn-pool1
>>  authentication-server-group my_authent_grp
>>  default-group-policy VPRN-team-policy
>> tunnel-group VPRN-team ipsec-attributes
>>  pre-shared-key *
>> 
>> CRYPTO MAP and ISAKMP
>> 
>> crypto ipsec transform-set vpn-transform1 esp-3des esp-sha-hmac
>> crypto dynamic-map dynmap1 10 set transform-set vpn-transform1
>> crypto dynamic-map dynmap1 10 set reverse-route
>> crypto map vpnmap 10 ipsec-isakmp dynamic dynmap1
>> crypto map vpnmap interface outside
>> isakmp enable outside
>> isakmp policy 1 authentication pre-share
>> isakmp policy 1 encryption aes
>> isakmp policy 1 hash sha
>> isakmp policy 1 group 2
>> isakmp policy 1 lifetime 28800
>> isakmp policy 10 authentication pre-share
>> isakmp policy 10 encryption 3des
>> isakmp policy 10 hash sha
>> isakmp policy 10 group 2
>> isakmp policy 10 lifetime 1000
>> isakmp policy 20 authentication pre-share
>> isakmp policy 20 encryption 3des
>> isakmp policy 20 hash md5
>> isakmp policy 20 group 2
>> isakmp policy 20 lifetime 10000
>> isakmp policy 30 authentication pre-share
>> isakmp policy 30 encryption 3des
>> isakmp policy 30 hash sha
>> isakmp policy 30 group 2
>> isakmp policy 30 lifetime 10000
>> isakmp policy 40 authentication pre-share
>> isakmp policy 40 encryption 3des
>> isakmp policy 40 hash sha
>> isakmp policy 40 group 2
>> isakmp policy 40 lifetime 86400
>> isakmp nat-traversal  20
>> isakmp reload-wait
>> 
>> 
>> _______________________________________________
>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
> 
> 
> -- Rob Gilreath
> Systems Engineer - CCNP, CCDP
> Heartland Business Systems
> rgilreath at hbs.net
> (920) 850-3018 

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


More information about the cisco-nsp mailing list