ASA5510 with Cisco VPN client. No traffic over VPN tunnel

Hi all,

In the hopes anyone sees my error in my config (I'm almost sure it's a
config error on my part but i can't find it).
I'm trying to get the Cisco VPN client to work with an ASA 5510. Tried the
manual config way and the ASDM way through the wizard.

The problem is not that i can't get any ipsec connection. That works. But
when the VPN connection is established i can't get any trafic from my Client
VPN IP segment (172.16.101.0/24 to the internal network (172.16.100.0/24).
The logs in the ASDM keep giving me the same error (this is another error
but the error for opening a RDP connection from src to dst is the same):

3|May 13 2008|21:09:41|305005|172.16.100.252|53|||No translation group found
for udp src outside:172.16.101.100/49959 dst Company-lan:172.16.100.252/53
3|May 13 2008|21:09:41|305005|172.16.100.252|53|||No translation group found
for udp src outside:172.16.101.100/61829 dst Company-lan:172.16.100.252/53
3|May 13 2008|21:09:41|305005|172.16.100.252|53|||No translation group found
for udp src outside:172.16.101.100/61829 dst Company-lan:172.16.100.252/53
3|May 13 2008|21:09:40|305005|172.16.100.252|53|||No translation group found
for udp src outside:172.16.101.100/64955 dst Company-lan:172.16.100.252/53
3|May 13 2008|21:09:40|305005|172.16.100.252|53|||No translation group found
for udp src outside:172.16.101.100/64955 dst Company-lan:172.16.100.252/53
3|May 13 2008|21:09:39|305005|172.16.100.252|53|||No translation group found
for udp src outside:172.16.101.100/61676 dst Company-lan:172.16.100.252/53
3|May 13 2008|21:09:39|305005|172.16.100.252|53|||No translation group found
for udp src outside:172.16.101.100/61676 dst Company-lan:172.16.100.252/53


This is the current config file i'm using (anonymised offcourse):

: Saved
:
ASA Version 8.0(3)
!
hostname asa5510
enable password 1mujhtmA4fcM3pOA encrypted
!
interface Ethernet0/0
description Interface connected to Internet
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.248
!
interface Ethernet0/1
description Interface connected to the Company-Holding LAN
speed 1000
duplex full
nameif Company-lan
security-level 100
ip address 172.16.100.1 255.255.255.0
!
interface Ethernet0/2
description Interface connected to the old OLDLAN-Lan
nameif OLDLAN-lan
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/3
description Interface for DMZ purposes
nameif DMZ
security-level 50
ip address 10.172.100.1 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 10.10.10.1 255.255.255.0
management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/asa803-k8.bin
ftp mode passive
dns server-group CompanyDNS
name-server 172.16.100.252
name-server 192.168.1.100
name-server 194.151.228.18
name-server 194.151.228.34
domain-name Company-holding.local
dns-group CompanyDNS
same-security-traffic permit inter-interface
access-list Company-lan_nat0_outbound extended permit ip 172.16.100.0
255.255.255.0 192.168.1.0 255.255.255.0
access-list Company-lan_nat0_outbound extended permit ip 172.16.100.0
255.255.255.0 172.16.101.0 255.255.255.0
access-list OLDLAN-lan_nat0_outbound extended permit ip 192.168.1.0
255.255.255.0 172.16.100.0 255.255.255.0
access-list outside-entry extended permit tcp any host x.x.x.x eq smtp
access-list outside_access_in remark SMTP permit line to the Exchange Server
access-list outside_access_in extended permit tcp any host x.x.x.x eq smtp
access-list outside_access_in extended permit tcp any host x.x.x.x eq ssh
inactive
access-list outside_access_in extended permit ip 172.16.101.0 255.255.255.0
172.16.100.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu Company-lan 1500
mtu OLDLAN-lan 1500
mtu DMZ 1500
mtu management 1500
ip local pool CompanySecure 172.16.101.100-172.16.101.252 mask 255.255.255.0
ip verify reverse-path interface outside
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdn-611.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (Company-lan) 0 access-list Company-lan_nat0_outbound
nat (Company-lan) 1 0.0.0.0 0.0.0.0
nat (OLDLAN-lan) 0 access-list OLDLAN-lan_nat0_outbound
nat (OLDLAN-lan) 1 0.0.0.0 0.0.0.0
static (Company-lan,outside) tcp interface smtp 172.16.100.251 smtp netmask
255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 77.61.155.73 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat
0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect
0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server IASadCompany protocol radius
aaa-server IASadCompany (Company-lan) host <host>
key <omitted>
aaa authentication http console IASadCompany LOCAL
aaa authentication ssh console LOCAL
http server enable 20443
http 172.16.100.0 255.255.255.0 Company-lan
http 10.10.10.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set
ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5
ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA
ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
telnet timeout 5
ssh 172.16.100.0 255.255.255.0 Company-lan
ssh 10.10.10.0 255.255.255.0 management
ssh timeout 5
ssh version 2
console timeout 0
dhcpd address 10.10.10.100-10.10.10.200 management
dhcpd dns 194.151.228.18 194.151.228.34 interface management
dhcpd domain itmanagement.Company-holding.local interface management
dhcpd enable management
!
vpn load-balancing
interface lbprivate DMZ
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
webvpn
csd image disk0:/securedesktop_asa-3.3.0.118-k9.pkg
csd enable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol l2tp-ipsec webvpn
group-policy ClientVPN internal
group-policy ClientVPN attributes
dns-server value 172.16.100.252
vpn-tunnel-protocol IPSec
password-storage disable
default-domain value secure.Company-holding.local
secure-unit-authentication enable
user-authentication enable
msie-proxy server value 172.16.100.250:8080
msie-proxy method use-server
msie-proxy local-bypass enable
username admin password <omitted> privilege 15
tunnel-group ClientVPN type remote-access
tunnel-group ClientVPN general-attributes
address-pool CompanySecure
default-group-policy ClientVPN
tunnel-group ClientVPN ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname domain context
Cryptochecksum:25bc95a8279f59219e3d64b5129271c8
: end


Hope anyone can help....

 

the error you listed indicates you have not setup nat for your
clients. You can fix it one of 2 ways either configure Nat for your
vpn clients or configure nat 0

use the the following command

nat 0 access-list vpnclients

then creat an acl called vpn clients with the ip address of your vpn
clients.

like so
access-list vpnclients extended permit ip any host {enter your host
ips here}

 

or in your case just add the address to this access list nat (Company-
lan) 0 access-list Company-lan_nat0_outbound

 

Hi thanks for the quick answer ..
I tried those yesterday. Unfortunately to effect.
It did however bring me to the solution.

There is a bug in the ASA "IOS" image i was using (i know it's not IOS but
don't know another name for it).
It caused the rules i added to the ACL to be entered but they where never
applied.
The issue is described in
http://tools.cisco.com/Support/BugT...ls.do?method=fetchBugDetails&bugId=CSCsl46310.
I never thought about restarting the device and therefore never got the
rules applied to the Nonat acl0 interface.
I finally updated to an interim release of the asa firmware and this issue
seems to be resolved.

Locutus

or in your case just add the address to this access list nat (Company-
lan) 0 access-list Company-lan_nat0_outbound

 

ASA 7 kernel is "Finesse". ASA 8's kernel is Linux (according to
wikipedia.)