ASA5510 with Cisco VPN client. No traffic over VPN tunnel

Discussion in 'Cisco' started by Locutus, May 15, 2008.

  1. Locutus

    Locutus Guest

    Hi all,

    In the hope that someone sees the error in my config (I'm almost sure it's a
    config error on my part, but I can't find it).
    I'm trying to get the Cisco VPN client to work with an ASA 5510. Tried the
    manual config way and the ASDM way through the wizard.

    The problem is not that I can't get any IPsec connection. That works. But
    when the VPN connection is established I can't get any traffic from my client
    VPN IP segment (172.16.101.0/24) to the internal network (172.16.100.0/24).
    The logs in the ASDM keep giving me the same error (this is another error,
    but the error for opening an RDP connection from src to dst is the same):

    3|May 13 2008|21:09:41|305005|172.16.100.252|53|||No translation group found
    for udp src outside:172.16.101.100/49959 dst Company-lan:172.16.100.252/53
    3|May 13 2008|21:09:41|305005|172.16.100.252|53|||No translation group found
    for udp src outside:172.16.101.100/61829 dst Company-lan:172.16.100.252/53
    3|May 13 2008|21:09:41|305005|172.16.100.252|53|||No translation group found
    for udp src outside:172.16.101.100/61829 dst Company-lan:172.16.100.252/53
    3|May 13 2008|21:09:40|305005|172.16.100.252|53|||No translation group found
    for udp src outside:172.16.101.100/64955 dst Company-lan:172.16.100.252/53
    3|May 13 2008|21:09:40|305005|172.16.100.252|53|||No translation group found
    for udp src outside:172.16.101.100/64955 dst Company-lan:172.16.100.252/53
    3|May 13 2008|21:09:39|305005|172.16.100.252|53|||No translation group found
    for udp src outside:172.16.101.100/61676 dst Company-lan:172.16.100.252/53
    3|May 13 2008|21:09:39|305005|172.16.100.252|53|||No translation group found
    for udp src outside:172.16.101.100/61676 dst Company-lan:172.16.100.252/53


    This is the current config file I'm using (anonymised, of course):

    : Saved
    :
    ASA Version 8.0(3)
    !
    hostname asa5510
    enable password 1mujhtmA4fcM3pOA encrypted
    !
    interface Ethernet0/0
    description Interface connected to Internet
    nameif outside
    security-level 0
    ip address x.x.x.x 255.255.255.248
    !
    interface Ethernet0/1
    description Interface connected to the Company-Holding LAN
    speed 1000
    duplex full
    nameif Company-lan
    security-level 100
    ip address 172.16.100.1 255.255.255.0
    !
    interface Ethernet0/2
    description Interface connected to the old OLDLAN-Lan
    nameif OLDLAN-lan
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    !
    interface Ethernet0/3
    description Interface for DMZ purposes
    nameif DMZ
    security-level 50
    ip address 10.172.100.1 255.255.255.0
    !
    interface Management0/0
    nameif management
    security-level 100
    ip address 10.10.10.1 255.255.255.0
    management-only
    !
    passwd 2KFQnbNIdI.2KYOU encrypted
    boot system disk0:/asa803-k8.bin
    ftp mode passive
    dns server-group CompanyDNS
    name-server 172.16.100.252
    name-server 192.168.1.100
    name-server 194.151.228.18
    name-server 194.151.228.34
    domain-name Company-holding.local
    dns-group CompanyDNS
    same-security-traffic permit inter-interface
    access-list Company-lan_nat0_outbound extended permit ip 172.16.100.0
    255.255.255.0 192.168.1.0 255.255.255.0
    access-list Company-lan_nat0_outbound extended permit ip 172.16.100.0
    255.255.255.0 172.16.101.0 255.255.255.0
    access-list OLDLAN-lan_nat0_outbound extended permit ip 192.168.1.0
    255.255.255.0 172.16.100.0 255.255.255.0
    access-list outside-entry extended permit tcp any host x.x.x.x eq smtp
    access-list outside_access_in remark SMTP permit line to the Exchange Server
    access-list outside_access_in extended permit tcp any host x.x.x.x eq smtp
    access-list outside_access_in extended permit tcp any host x.x.x.x eq ssh
    inactive
    access-list outside_access_in extended permit ip 172.16.101.0 255.255.255.0
    172.16.100.0 255.255.255.0
    pager lines 24
    logging enable
    logging asdm informational
    mtu outside 1500
    mtu Company-lan 1500
    mtu OLDLAN-lan 1500
    mtu DMZ 1500
    mtu management 1500
    ip local pool CompanySecure 172.16.101.100-172.16.101.252 mask 255.255.255.0
    ip verify reverse-path interface outside
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdn-611.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (Company-lan) 0 access-list Company-lan_nat0_outbound
    nat (Company-lan) 1 0.0.0.0 0.0.0.0
    nat (OLDLAN-lan) 0 access-list OLDLAN-lan_nat0_outbound
    nat (OLDLAN-lan) 1 0.0.0.0 0.0.0.0
    static (Company-lan,outside) tcp interface smtp 172.16.100.251 smtp netmask
    255.255.255.255
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 77.61.155.73 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat
    0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect
    0:02:00
    timeout uauth 0:05:00 absolute
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server IASadCompany protocol radius
    aaa-server IASadCompany (Company-lan) host <host>
    key <omitted>
    aaa authentication http console IASadCompany LOCAL
    aaa authentication ssh console LOCAL
    http server enable 20443
    http 172.16.100.0 255.255.255.0 Company-lan
    http 10.10.10.0 255.255.255.0 management
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set
    ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5
    ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA
    ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp ipsec-over-tcp port 10000
    telnet timeout 5
    ssh 172.16.100.0 255.255.255.0 Company-lan
    ssh 10.10.10.0 255.255.255.0 management
    ssh timeout 5
    ssh version 2
    console timeout 0
    dhcpd address 10.10.10.100-10.10.10.200 management
    dhcpd dns 194.151.228.18 194.151.228.34 interface management
    dhcpd domain itmanagement.Company-holding.local interface management
    dhcpd enable management
    !
    vpn load-balancing
    interface lbprivate DMZ
    threat-detection basic-threat
    threat-detection statistics port
    threat-detection statistics protocol
    threat-detection statistics access-list
    webvpn
    csd image disk0:/securedesktop_asa-3.3.0.118-k9.pkg
    csd enable
    group-policy DfltGrpPolicy attributes
    vpn-tunnel-protocol l2tp-ipsec webvpn
    group-policy ClientVPN internal
    group-policy ClientVPN attributes
    dns-server value 172.16.100.252
    vpn-tunnel-protocol IPSec
    password-storage disable
    default-domain value secure.Company-holding.local
    secure-unit-authentication enable
    user-authentication enable
    msie-proxy server value 172.16.100.250:8080
    msie-proxy method use-server
    msie-proxy local-bypass enable
    username admin password <omitted> privilege 15
    tunnel-group ClientVPN type remote-access
    tunnel-group ClientVPN general-attributes
    address-pool CompanySecure
    default-group-policy ClientVPN
    tunnel-group ClientVPN ipsec-attributes
    pre-shared-key *
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    !
    service-policy global_policy global
    prompt hostname domain context
    Cryptochecksum:25bc95a8279f59219e3d64b5129271c8
    : end


    Hope anyone can help....
     
    Locutus, May 15, 2008
    #1

  2. Newbie72

    Newbie72 Guest

    The error you listed indicates you have not set up NAT for your
    clients. You can fix it one of two ways: either configure NAT for your
    VPN clients or configure nat 0.

    Use the following command:

    nat 0 access-list vpnclients

    Then create an ACL called vpnclients with the IP addresses of your VPN
    clients.

    Like so:
    access-list vpnclients extended permit ip any host {enter your host
    ips here}
     
    Newbie72, May 16, 2008
    #2
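A way to check the 305005 messages from this thread against the nat 0 exemption ACL, as an added example that is not code from the thread or from Cisco: it parses the ASDM pipe-delimited log format shown above and the ASA 8.0 `access-list ... extended permit ip` syntax, and sorts each denied flow into "already covered by the ACL" (the rule exists but is not taking effect) or "needs an entry". The sample log lines and ACL are constructed to mirror the ones posted.

```python
import ipaddress
import re
from collections import namedtuple

# Constructed sample input, modelled on the ASDM log lines and the nat 0 ACL in the thread.
ASDM_LOG = """\
3|May 13 2008|21:09:41|305005|172.16.100.252|53|||No translation group found for udp src outside:172.16.101.100/49959 dst Company-lan:172.16.100.252/53
3|May 13 2008|21:09:42|305005|172.16.100.251|3389|||No translation group found for tcp src outside:172.16.101.101/50100 dst Company-lan:172.16.100.251/3389
3|May 13 2008|21:09:43|305005|172.16.100.252|53|||No translation group found for udp src outside:172.16.102.7/41000 dst Company-lan:172.16.100.252/53
"""
NAT0_ACL = """\
access-list Company-lan_nat0_outbound extended permit ip 172.16.100.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list Company-lan_nat0_outbound extended permit ip 172.16.100.0 255.255.255.0 172.16.101.0 255.255.255.0
"""
MSG_RE = re.compile(r"No translation group found for (?P<proto>\w+) "
                    r"src (?P<src_if>[\w-]+):(?P<src>[\d.]+)/\d+ "
                    r"dst (?P<dst_if>[\w-]+):(?P<dst>[\d.]+)/(?P<dport>\d+)")
ACE_RE = re.compile(r"access-list (?P<name>\S+) extended permit ip "
                    r"(?P<src>[\d.]+) (?P<smask>[\d.]+) (?P<dst>[\d.]+) (?P<dmask>[\d.]+)")
Flow = namedtuple("Flow", "proto src_if src dst_if dst dport")

def parse_305005(line):
    """Return a Flow for an ASA 305005 line in ASDM pipe-delimited format, else None."""
    fields = line.split("|")
    if len(fields) < 9 or fields[3] != "305005":
        return None
    m = MSG_RE.search(fields[8])
    return Flow(m["proto"], m["src_if"], m["src"], m["dst_if"], m["dst"], int(m["dport"])) if m else None

def parse_nat0_acl(text, name):
    """Return (src_net, dst_net) pairs from the 'permit ip' entries of the named ACL."""
    return [(ipaddress.ip_network(f"{m['src']}/{m['smask']}"),
             ipaddress.ip_network(f"{m['dst']}/{m['dmask']}"))
            for m in (ACE_RE.match(l.strip()) for l in text.splitlines()) if m and m["name"] == name]

def exempt_from_nat(flow, pairs):
    """True if the inside-interface nat 0 ACL covers the flow. NAT exemption is
    bidirectional: the ACL lists the inside network as source, so a flow that
    arrives on the outside interface is matched with its addresses reversed."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    return any((src in s and dst in d) or (dst in s and src in d) for s, d in pairs)

def triage(log, acl_text, acl_name):
    """Split 305005 flows into those the ACL should already exempt and those needing an entry."""
    pairs = parse_nat0_acl(acl_text, acl_name)
    out = {"covered": [], "missing": []}
    for flow in filter(None, map(parse_305005, log.splitlines())):
        out["covered" if exempt_from_nat(flow, pairs) else "missing"].append(flow)
    return out
```

A flow that lands in "covered" is the situation described later in this thread: the exemption is configured but the box is not honouring it, so the fix is on the device (reload or software update), not in the ACL.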

  3. Newbie72

    Newbie72 Guest

    Or, in your case, just add the address to this access list:
    nat (Company-lan) 0 access-list Company-lan_nat0_outbound
     
    Newbie72, May 16, 2008
    #3
  4. Locutus

    Locutus Guest

    Hi, thanks for the quick answer.
    I tried those yesterday, unfortunately to no effect.
    It did, however, bring me to the solution.

    There is a bug in the ASA "IOS" image I was using (I know it's not IOS, but
    I don't know another name for it).
    It caused the rules I added to the ACL to be entered, but they were never
    applied.
    The issue is described in
    http://tools.cisco.com/Support/BugT...ls.do?method=fetchBugDetails&bugId=CSCsl46310.
    I never thought about restarting the device and therefore never got the
    rules applied to the Nonat acl0 interface.
    I finally updated to an interim release of the ASA firmware and this issue
    seems to be resolved.

    Locutus

     
    Locutus, May 18, 2008
    #4
  5. Walter Roberson

    ASA 7 kernel is "Finesse". ASA 8's kernel is Linux (according to
    Wikipedia).
     
    Walter Roberson, May 19, 2008
    #5