
remote-access vpn problem on asa

marco_fera Member Posts: 34
Hi,
I configured a remote-access vpn on an ASA 5510 version 8.3. This is the configuration


............
tunnel-group prova4 type remote-access
tunnel-group prova4 general-attributes
address-pool vpnpool1
default-group-policy test_vpnpool1_policy
tunnel-group prova4 ipsec-attributes
pre-shared-key *****
................
access-list soft_vpnpool1 extended permit icmp host 192.168.31.1 host 192.168.32.254
access-list soft_vpnpool1 extended permit ip host 192.168.31.1 host 192.168.32.254
access-list soft_vpnpool1 extended permit ip any any
access-list soft_vpnpool1 extended permit icmp any any
.............
group-policy test_vpnpool1_policy attributes
vpn-filter value soft_vpnpool1
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value soft_vpnpool1
..................
nat (inside,any) source static N1-192.168.32.0 N1-192.168.32.0 destination static N1-192.168.31.0 N1-192.168.31.0 unidirectional
.........


The vpn goes up and I get an ip address, but it's impossible to reach the internal network.

This is what I can see from the logs:

............................................................
Mar 11 10:10:20 192.168.32.140 : Mar 11 10:10:20 CET: %ASA-ipaa-6-737026: IPAA: Client assigned 192.168.31.1 from local pool
Mar 11 10:10:20 192.168.32.140 : Mar 11 10:10:20 CET: %ASA-vpn-6-713228: Group = prova4, Username = pippo, IP = 212.x.x.x, Assigned private IP address 192.168.31.1 to remote user
Mar 11 10:10:20 192.168.32.141 : Mar 11 10:10:20 CET: %ASA-ipaa-6-737029: IPAA: Added 192.168.31.1 to standby
Mar 11 10:10:29 192.168.32.140 : Mar 11 10:10:29 CET: %ASA-bridge-6-110002: Failed to locate egress interface for UDP from outside:192.168.31.1/1885 to 239.255.255.250/1900
Mar 11 10:11:51 192.168.32.140 : Mar 11 10:11:51 CET: %ASA-vpn-5-713050: Group = prova4, Username =pippo, IP = 212.x.x.x, Connection terminated for peer pippo. Reason: Peer Terminate Remote Proxy 192.168.31.1, Local Proxy 0.0.0.0
Mar 11 10:11:51 192.168.32.140 : Mar 11 10:11:51 CET: %ASA-ipaa-6-737016: IPAA: Freeing local pool address 192.168.31.1
Mar 11 10:11:51 192.168.32.141 : Mar 11 10:11:51 CET: %ASA-ipaa-6-737031: IPAA: Removed 192.168.31.1 from standby
............................................................


The only error I can see is %ASA-bridge-6-110002, which is not related to the traffic I'm generating; it looks like a messenger program trying to do multicast.
What I can tell you from the vpn client I'm using is that I can see encrypted packets going out of my tunnel, but nothing incoming. Also, on the firewall I can see no incoming packets from this tunnel.
Another thing I noticed: is it correct that I do not have a default gateway ip address when the tunnel goes up? I'm not talking about my normal network; when the vpn goes up I can see that my address is 192.168.31.1, which is correctly taken from the pool I've chosen, but my default gateway is again 192.168.31.1.
Thanks for your help.

Comments

    shednik Member Posts: 2,005
    IP Address and Default Gateway will generally be the same on the IPSec client when you are not doing split tunneling.

    If it were 8.2 or earlier you would have to make sure you had a NAT exemption rule for the VPN pool but 8.3 no longer requires them. I'd try removing that first.

    You have an ACL allowing the one IP address to access another IP address on your network; that alone should be all the configuration needed for this VPN group.
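As an added example (not from either poster), the following script audits the ACL and group-policy lines quoted in the question the way a reviewer would before touching NAT: it parses the `access-list` entries, finds which ACL the group policy uses as `vpn-filter` and as `split-tunnel-network-list`, and reports the two things that stand out in this configuration, a `permit ip any any` entry inside the vpn-filter (which makes the filter permit everything) and the same ACL being reused for the split-tunnel list, where an `any any` entry tunnels all traffic despite `tunnelspecified`. The `ASA_CONFIG` text is a constructed copy of the relevant lines; the function names are mine.

```python
import re
from collections import defaultdict

# Constructed sample: the ACL and group-policy lines quoted in the question.
ASA_CONFIG = """
access-list soft_vpnpool1 extended permit icmp host 192.168.31.1 host 192.168.32.254
access-list soft_vpnpool1 extended permit ip host 192.168.31.1 host 192.168.32.254
access-list soft_vpnpool1 extended permit ip any any
access-list soft_vpnpool1 extended permit icmp any any
group-policy test_vpnpool1_policy attributes
 vpn-filter value soft_vpnpool1
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value soft_vpnpool1
"""

# Extended ACE: access-list <name> extended <permit|deny> <proto> <src/dst spec>
ACE_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+(permit|deny)\s+(\S+)\s+(.*)$")
POLICY_KEYS = ("vpn-filter", "split-tunnel-network-list")

def parse_config(text):
    """Return ({acl_name: [(action, proto, rest), ...]}, {policy_key: acl_name})."""
    acls, policy = defaultdict(list), {}
    for raw in text.splitlines():
        line = raw.strip()
        m = ACE_RE.match(line)
        if m:
            name, action, proto, rest = m.groups()
            acls[name].append((action, proto, rest.strip()))
            continue
        for key in POLICY_KEYS:
            if line.startswith(key + " value "):
                policy[key] = line.split()[-1]
    return acls, policy

def audit(text):
    """Return a list of findings about how the group policy uses its ACLs."""
    acls, policy = parse_config(text)
    findings = []
    vf, st = policy.get("vpn-filter"), policy.get("split-tunnel-network-list")
    if vf and any(a == "permit" and rest == "any any" for a, _, rest in acls.get(vf, [])):
        findings.append(f"vpn-filter {vf} has 'permit ... any any': the filter restricts nothing")
    if vf and st and vf == st:
        findings.append(f"ACL {vf} is reused as both vpn-filter and split-tunnel list")
    if st and any(rest == "any any" for _, _, rest in acls.get(st, [])):
        findings.append(f"split-tunnel list {st} has 'any any': all traffic is tunnelled")
    return findings

if __name__ == "__main__":
    for finding in audit(ASA_CONFIG):
        print(finding)
```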