From: K.J. 44 on 8 Nov 2006 12:35

Hi,

I am having trouble with my VPNs. I have them set up and I can connect fine. Everything is to be tunneled (including Internet traffic). I am using Cisco VPN Client on a Win XP SP2 machine to a Cisco ASA 5510. When I connect, it hits the RADIUS server fine (Windows IAS on Windows 2003 server) and authenticates. Once I am connected, I can get anywhere in the corporate LAN via IP address, but not any other way. If I want to get to the path \\servername\files\IT I have to type in \\10.10.10.10\files\IT. And the tunnel is supposed to support Internet traffic and yet no Internet traffic is coming through either.

Also, in the Cisco VPN Client Log I am getting:

1 11:28:14.062 11/08/06 Sev=Warning/2 CVPND/0xA3400011
Error -14 sending packet. Dst Addr: 0xFFFFFFFF, Src Addr: NICs MAC (DRVIFACE:1199).

In the Cisco VPN Client Statistics I also see under Route Details -> Secured Routes: Network 0.0.0.0, Subnet Mask 0.0.0.0, and that's it. Is that normal?

Also, how do I know what group-policy is being applied to my VPN users?

Here are some show commands from the ASA followed by the running config.
These are edited of course.

ASA# sh crypto ipsec sa
interface: outside
    Crypto map tag: RemoteVPNDynmap, seq num: 10, local addr: ASA PUBLIC IP

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.10.1/255.255.255.255/0/0)
      current_peer: 76.212.75.13, username: kholleran
      dynamic allocated peer ip: 192.168.10.1

      #pkts encaps: 480, #pkts encrypt: 480, #pkts digest: 480
      #pkts decaps: 559, #pkts decrypt: 559, #pkts verify: 559
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 480, #pkts comp failed: 0, #pkts decomp failed: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: ASA PUBLIC IP/PORT, remote crypto endpt.: 76.212.75.13/61509
      path mtu 1500, ipsec overhead 68, media mtu 1500
      current outbound spi: 7425EFE0

    inbound esp sas:
      spi: 0x6072CF2F (1618136879)
         transform: esp-3des esp-sha-hmac
         in use settings ={RA, Tunnel, UDP-Encaps, }
         slot: 0, conn_id: 2, crypto-map: RemoteVPNDynmap
         sa timing: remaining key lifetime (sec): 28716
         IV size: 8 bytes
         replay detection support: Y


ASA# sh crypto isakmp sa

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 76.212.75.13
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_ACTIVE


ASA# sh run

ASA Version 7.0(5)
!
hostname ASA
domain-name DOMAIN
enable password MsKIE8kJNDmkdKIi encrypted
names
dns-guard
!
interface Ethernet0/0
 description INside interface. NAT to private IPs
 nameif inside
 security-level 100
 ip address ASA PRIVATE IP
!
interface Ethernet0/1
 description Outside Interface.
 nameif outside
 security-level 0
 ip address ASA PUBLIC IP
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 ip address
 management-only
!
passwd SisLvDjB/rijelPS encrypted
banner exec # You are logging into a corporate device. Unauthorized access is prohibited.
banner motd # "We are what we repeatedly do. Excellence, then, is not an act, but a habit." - Aristotle #
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns name-server DNS SERVER INTERNAL IP
object-group service NecessaryServices tcp
 port-object eq echo
 port-object eq www
 port-object eq domain
 port-object eq ssh
 port-object eq smtp
 port-object eq ftp-data
 port-object eq pop3
 port-object eq aol
 port-object eq ftp
 port-object eq https
object-group service UDPServices udp
 port-object eq nameserver
 port-object eq www
 port-object eq isakmp
 port-object eq domain
object-group service TCP-UDPServices tcp-udp
 port-object eq echo
 port-object eq www
 port-object eq domain

ACLs - Nothing is wrong here

access-list 110 extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging list ASALog level notifications
logging monitor notifications
logging trap notifications
logging asdm informational
logging device-id hostname
logging host inside SYSLOG SERVER
mtu management 1500
mtu inside 1500
mtu outside 1500
ip local pool vpnclient 192.168.10.1-192.168.10.254
ip verify reverse-path interface inside
ip verify reverse-path interface outside
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm505.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 2 interface
nat (inside) 0 access-list 110
nat (inside) 2 192.168.0.0 255.255.0.0
static (inside,outside) MAIL SERVER
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 ISP GATEWAY 1
!
router ospf 1
 NETWORK COMMANDS
 area 0
 log-adj-changes
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server vpn protocol radius
aaa-server vpn host IAS SERVER
 key *
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec webvpn
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp enable
 ipsec-udp-port PORT
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns none
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 client-firewall none
 client-access-rule none
 webvpn
  functions url-entry
  port-forward-name value Application Access
group-policy vpnUsers internal
group-policy vpnUsers attributes
 banner value You are remotely accessing a corporate network. Any unauthorized use is strictly prohibited.
From: Joe Beasley on 8 Nov 2006 21:58 If you get a dhcp address, your dhcp server needs to set the WINS server address in the scope. If your address is static, you need to manually add the WINS server. That will let you browse by name. -- jbeasley(a)sdf.lonestar.org SDF Public Access UNIX System - http://sdf.lonestar.org
From: K.J. 44 on 9 Nov 2006 10:16

That worked great for getting around inside my network. All drives are being mapped and everything perfectly. I want to tunnel all Internet traffic too, but none is coming through.

I can see the DNS query, DNS response, and the request for the page to the correct IP when I run Ethereal on my remote PC. But nothing comes back. And I see nothing in my ASA for the IP address when I do a show xlate. The firewall rules are allowing traffic from these IPs. It appears to request the page over the tunnel and then simply disappear.

Any ideas on that?

Thank you very much for your help.

Joe Beasley wrote:
> If you get a dhcp address, your dhcp server needs to set the WINS server
> address in the scope. If your address is static, you need to manually
> add the WINS server. That will let you browse by name.
>
> --
> jbeasley(a)sdf.lonestar.org
> SDF Public Access UNIX System - http://sdf.lonestar.org
From: Al on 9 Nov 2006 15:49

K.J. 44 wrote:
> That worked great for getting around inside my network. All drives are
> being mapped and everything perfectly. I want to tunnel all Internet
> traffic too, but none is coming through.
>
> I can see the DNS query, DNS response, and the request for the page to
> the correct IP when I run Ethereal on my remote PC. But nothing comes
> back. And I see nothing in my ASA for the IP address when I do a show
> xlate. The firewall rules are allowing traffic from these IPs. It
> appears to request the page over the tunnel and then simply disappear.
>
>
> Any ideas on that?
>
> Thank you very much for your help.
>
> Joe Beasley wrote:
> > If you get a dhcp address, your dhcp server needs to set the WINS server
> > address in the scope. If your address is static, you need to manually
> > add the WINS server. That will let you browse by name.
> >
> > --
> > jbeasley(a)sdf.lonestar.org
> > SDF Public Access UNIX System - http://sdf.lonestar.org

I'm no expert on ASAs, but if your crypto map is applied to the outside interface, and the NAT happens as packets traverse (inside -> outside), would you expect packets coming in to the outside through the VPN tunnel, and going back out again on that interface to the Internet, to actually get NAT'd...?

If you want simultaneous Internet access / VPN access, why not use split-tunnelling, or use a proxy server that is inside your network?
From: Kevin Widner on 27 Nov 2006 19:54

!--- Command that permits IPsec traffic to enter and exit the same interface.
same-security-traffic permit intra-interface

-Kevin

K.J. 44 wrote:
> Hi,
>
> I am having trouble with my VPNs. I have them set up and I can connect
> fine. Everything is to be tunneled (including Internet traffic). I am
> using Cisco VPN Client on a Win XP SP2 machine to a Cisco ASA 5510. When
> I connect, it hits the RADIUS server fine (Windows IAS on Windows 2003
> server) and authenticates. Once I am connected, I can get anywhere in the
> corporate LAN via IP address, but not any other way. If I want to get
> to the path \\servername\files\IT I have to type in \\10.10.10.10\files\IT.
> And the tunnel is supposed to support Internet traffic and yet no Internet
> traffic is coming through either.
>
> Also, in the Cisco VPN Client Log I am getting:
>
> 1 11:28:14.062 11/08/06 Sev=Warning/2 CVPND/0xA3400011
> Error -14 sending packet. Dst Addr: 0xFFFFFFFF, Src Addr: NICs MAC
> (DRVIFACE:1199).
>
> In the Cisco VPN Client Statistics I also see under Route Details ->
> Secured Routes Network 0.0.0.0 Subnet Mask 0.0.0.0 and that's it. Is
> that normal?
>
> Also, how do I know what group-policy is being applied to my VPN users?
>
> Here are some show commands from the ASA followed by the running
> config.
> These are edited of course.
>
> ASA# sh crypto ipsec sa
> interface: outside
>     Crypto map tag: RemoteVPNDynmap, seq num: 10, local addr: ASA PUBLIC IP
>
>       local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
>       remote ident (addr/mask/prot/port): (192.168.10.1/255.255.255.255/0/0)
>       current_peer: 76.212.75.13, username: kholleran
>       dynamic allocated peer ip: 192.168.10.1
>
>       #pkts encaps: 480, #pkts encrypt: 480, #pkts digest: 480
>       #pkts decaps: 559, #pkts decrypt: 559, #pkts verify: 559
>       #pkts compressed: 0, #pkts decompressed: 0
>       #pkts not compressed: 480, #pkts comp failed: 0, #pkts decomp failed: 0
>       #send errors: 0, #recv errors: 0
>
>       local crypto endpt.: ASA PUBLIC IP/PORT, remote crypto endpt.: 76.212.75.13/61509
>       path mtu 1500, ipsec overhead 68, media mtu 1500
>       current outbound spi: 7425EFE0
>
>     inbound esp sas:
>       spi: 0x6072CF2F (1618136879)
>          transform: esp-3des esp-sha-hmac
>          in use settings ={RA, Tunnel, UDP-Encaps, }
>          slot: 0, conn_id: 2, crypto-map: RemoteVPNDynmap
>          sa timing: remaining key lifetime (sec): 28716
>          IV size: 8 bytes
>          replay detection support: Y
>
>
> ASA# sh crypto isakmp sa
>
>    Active SA: 1
>     Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
> Total IKE SA: 1
>
> 1   IKE Peer: 76.212.75.13
>     Type    : user            Role    : responder
>     Rekey   : no              State   : AM_ACTIVE
>
>
> ASA# sh run
>
> ASA Version 7.0(5)
> !
> hostname ASA
> domain-name DOMAIN
> enable password MsKIE8kJNDmkdKIi encrypted
> names
> dns-guard
> !
> interface Ethernet0/0
>  description INside interface. NAT to private IPs
>  nameif inside
>  security-level 100
>  ip address ASA PRIVATE IP
> !
> interface Ethernet0/1
>  description Outside Interface.
>  nameif outside
>  security-level 0
>  ip address ASA PUBLIC IP
> !
> interface Ethernet0/2
>  shutdown
>  no nameif
>  no security-level
>  no ip address
> !
> interface Management0/0
>  shutdown
>  nameif management
>  security-level 100
>  ip address
>  management-only
> !
> passwd SisLvDjB/rijelPS encrypted
> banner exec # You are logging into a corporate device. Unauthorized access is prohibited.
> banner motd # "We are what we repeatedly do. Excellence, then, is not an act, but a habit." - Aristotle #
> ftp mode passive
> clock timezone EST -5
> clock summer-time EDT recurring
> dns domain-lookup inside
> dns name-server DNS SERVER INTERNAL IP
> object-group service NecessaryServices tcp
>  port-object eq echo
>  port-object eq www
>  port-object eq domain
>  port-object eq ssh
>  port-object eq smtp
>  port-object eq ftp-data
>  port-object eq pop3
>  port-object eq aol
>  port-object eq ftp
>  port-object eq https
> object-group service UDPServices udp
>  port-object eq nameserver
>  port-object eq www
>  port-object eq isakmp
>  port-object eq domain
> object-group service TCP-UDPServices tcp-udp
>  port-object eq echo
>  port-object eq www
>  port-object eq domain
>
> ACLs - Nothing is wrong here
>
> access-list 110 extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
> pager lines 24
> logging enable
> logging timestamp
> logging list ASALog level notifications
> logging monitor notifications
> logging trap notifications
> logging asdm informational
> logging device-id hostname
> logging host inside SYSLOG SERVER
> mtu management 1500
> mtu inside 1500
> mtu outside 1500
> ip local pool vpnclient 192.168.10.1-192.168.10.254
> ip verify reverse-path interface inside
> ip verify reverse-path interface outside
> icmp permit any inside
> icmp permit any outside
> asdm image disk0:/asdm505.bin
> asdm history enable
> arp timeout 14400
> nat-control
> global (outside) 2 interface
> nat (inside) 0 access-list 110
> nat (inside) 2 192.168.0.0 255.255.0.0
> static (inside,outside) MAIL SERVER
> access-group inside_access_in in interface inside
> access-group outside_access_in in interface outside
> route outside 0.0.0.0 0.0.0.0 ISP GATEWAY 1
> !
> router ospf 1
>  NETWORK COMMANDS
>  area 0
>  log-adj-changes
> !
> timeout xlate 3:00:00
> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
> timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
> timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
> timeout uauth 0:05:00 absolute
> aaa-server vpn protocol radius
> aaa-server vpn host IAS SERVER
>  key *
> group-policy DfltGrpPolicy attributes
>  banner none
>  wins-server none
>  dns-server none
>  dhcp-network-scope none
>  vpn-access-hours none
>  vpn-simultaneous-logins 3
>  vpn-idle-timeout 30
>  vpn-session-timeout none
>  vpn-filter none
>  vpn-tunnel-protocol IPSec webvpn
>  password-storage disable
>  ip-comp disable
>  re-xauth disable
>  group-lock none
>  pfs disable
>  ipsec-udp enable
>  ipsec-udp-port PORT
>  split-tunnel-policy tunnelall
>  split-tunnel-network-list none
>  default-domain none
>  split-dns none
>  secure-unit-authentication disable
>  user-authentication disable
>  user-authentication-idle-timeout 30
>  ip-phone-bypass disable
>  leap-bypass disable
>  nem disable
>  backup-servers keep-client-config
>  client-firewall none
>  client-access-rule none
>  webvpn
>   functions url-entry
>   port-forward-name value Application Access
> group-policy vpnUsers internal
> group-policy vpnUsers attributes
>  banner value You are remotely accessing a corporate network. Any unauthorized use is strictly prohibited.
>  dns-server value DNS SERVER INTERNAL IP <- Does this need to be the public IP? DNS is on the same server as the mail server - SBS Server
>  ipsec-udp enable
>  ipsec-udp-port PORT
>  split-tunnel-policy tunnelall
>  default-domain value DOMAIN
>  webvpn
> username remoteUser password wDylMAaR4hoo.oAa encrypted
> http server enable
> no snmp-server location
> no snmp-server contact
> snmp-server enable traps snmp authentication linkup linkdown coldstart
> crypto ipsec transform-set RemoteVPNSet esp-3des esp-sha-hmac
> crypto dynamic-map RemoteVPNDynmap 10 set transform-set RemoteVPNSet
> crypto dynamic-map RemoteVPNDynmap 10 set reverse-route
> crypto map RemoteVPNMap 10 ipsec-isakmp dynamic RemoteVPNDynmap
> crypto map RemoteVPNMap interface outside
> isakmp enable outside
> isakmp policy 10 authentication pre-share
> isakmp policy 10 encryption 3des
> isakmp policy 10 hash sha
> isakmp policy 10 group 2
> isakmp policy 10 lifetime 86400
> tunnel-group DefaultRAGroup general-attributes
>  authentication-server-group (outside) vpn
> tunnel-group RemoteVPN type ipsec-ra
> tunnel-group RemoteVPN general-attributes
>  address-pool vpnclient
>  authentication-server-group vpn LOCAL
> tunnel-group RemoteVPN ipsec-attributes
>  pre-shared-key *
>
> console timeout 0
> dhcpd lease 3600
> dhcpd ping_timeout 50
> !
> class-map global-policy
>  match default-inspection-traffic
> class-map inspection_default
>  match default-inspection-traffic
> !
> !
> policy-map global_policy
>  class inspection_default
>   inspect ftp
>   inspect http
> policy-map global-policy
>  class global-policy
>   inspect http
>   inspect icmp
>   inspect ftp
>   inspect dns
>   inspect esmtp
> !
> service-policy global_policy global
> smtp-server
> Cryptochecksum:e16313b5b1f5e9dd1b321e559d8dbeee
> : end
>
>
> Thanks for any and all help!
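Al's reasoning and Kevin's one-liner are two halves of the same fix. With split-tunnel-policy tunnelall, the client's only secured route is 0.0.0.0/0 (that matches the local ident 0.0.0.0/0 in the posted show crypto ipsec sa output, so the "Secured Routes" display is normal). Every Internet packet therefore arrives decrypted on the outside interface and has to leave through that same interface, which an ASA refuses by default; same-security-traffic permit intra-interface lifts that restriction. The half the thread never states is the symptom in the poster's show xlate: nat-control is on and the only NAT rules are on the inside interface, so pool traffic entering on outside matches no translation and is dropped. The fragment below is an added example written for this thread, not configuration any of the posters supplied; it targets ASA 7.0(5) as in the posted config and reuses the names already on the page (pool 192.168.10.0/24, NAT id 2 with global (outside) 2 interface, group-policy vpnUsers, tunnel-group RemoteVPN). The ACL name SplitTunnel is invented, the assumption that 192.168.1.0/24 from access-list 110 is the whole corporate LAN is mine, and the WINS placeholder follows the page's own placeholder style. It also applies Joe's WINS fix in the group policy instead of on each client and binds vpnUsers to the tunnel-group, which the posted config does not do: without default-group-policy (or a RADIUS Class attribute naming a policy) the session gets DfltGrpPolicy, which is the answer to the "which group-policy" question.

```cisco
! --- Option A: keep tunnelall and hairpin Internet traffic back out "outside".
!
! Allow decrypted VPN traffic that arrived on outside to leave via outside
! again (Kevin's command).
same-security-traffic permit intra-interface
!
! With nat-control on, the pool must match a NAT rule on the interface it
! arrives on. Id 2 reuses the existing "global (outside) 2 interface" PAT,
! so remote users surf from the ASA's public IP.
! Assumption: NAT id 2 is the intended outbound PAT; the page shows no other.
nat (outside) 2 192.168.10.0 255.255.255.0
!
! --- Option B (Al's suggestion): split tunnelling, only the corporate LAN
! goes through the tunnel; the client sends Internet traffic directly and
! the ASA never sees it, so neither line above is needed.
! Assumption: 192.168.1.0/24 (from access-list 110) is the whole LAN.
access-list SplitTunnel standard permit 192.168.1.0 255.255.255.0
!
group-policy vpnUsers attributes
 ! Joe's fix, pushed by the ASA so clients resolve \\servername by NetBIOS.
 ! Placeholder in the page's style: substitute the real WINS server address.
 wins-server value WINS SERVER INTERNAL IP
 dns-server value DNS SERVER INTERNAL IP
 default-domain value DOMAIN
 ! Pick ONE: tunnelall (Option A) or tunnelspecified + network list (Option B).
 split-tunnel-policy tunnelall
 ! split-tunnel-policy tunnelspecified
 ! split-tunnel-network-list value SplitTunnel
!
! The posted tunnel-group sets no default-group-policy, so sessions land in
! DfltGrpPolicy (dns-server none, wins-server none) unless RADIUS returns a
! Class attribute naming another policy. Bind vpnUsers explicitly.
tunnel-group RemoteVPN general-attributes
 default-group-policy vpnUsers
!
! --- Checks after the change
! show vpn-sessiondb remote              -> the client session and the group it landed in
! show xlate | include 192.168.10        -> with Option A a PAT entry for the pool
!                                           address must now appear (the thread's
!                                           symptom was that none did)
! show run same-security-traffic         -> confirms the intra-interface permit is in place
```

Two caveats before choosing. Option A sends every remote user's Internet traffic out of the corporate public IP, where it is subject to the outside ACL and the inspection policy; it also means same-security-traffic permit intra-interface allows one VPN client to reach another through the ASA, which a vpn-filter should restrict if that is not wanted. Option B removes the hairpin but leaves the client attached to its local network and the Internet while the tunnel is up, which is exactly the exposure tunnelall was presumably chosen to avoid, so it is a policy decision rather than just a troubleshooting shortcut.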