ASA5510 with Cisco VPN client. No traffic over VPN tunnel

Hi all,

In the hopes that anyone sees my error in my config (I'm almost sure it's a config error on my part, but I can't find it). I'm trying to get the Cisco VPN client to work with an ASA 5510. Tried the manual config way and the ASDM way through the wizard.

The problem is not that I can't get any IPsec connection. That works. But when the VPN connection is established I can't get any traffic from my client VPN IP segment (172.16.101.0/24) to the internal network (172.16.100.0/24). The logs in the ASDM keep giving me the same error (this is another error, but the error for opening an RDP connection from src to dst is the same):

3|May 13 2008|21:09:41|305005|172.16.100.252|53|||No translation group found for udp src outside:172.16.101.100/49959 dst Company-lan:172.16.100.252/53
3|May 13 2008|21:09:41|305005|172.16.100.252|53|||No translation group found for udp src outside:172.16.101.100/61829 dst Company-lan:172.16.100.252/53
3|May 13 2008|21:09:41|305005|172.16.100.252|53|||No translation group found for udp src outside:172.16.101.100/61829 dst Company-lan:172.16.100.252/53
3|May 13 2008|21:09:40|305005|172.16.100.252|53|||No translation group found for udp src outside:172.16.101.100/64955 dst Company-lan:172.16.100.252/53
3|May 13 2008|21:09:40|305005|172.16.100.252|53|||No translation group found for udp src outside:172.16.101.100/64955 dst Company-lan:172.16.100.252/53
3|May 13 2008|21:09:39|305005|172.16.100.252|53|||No translation group found for udp src outside:172.16.101.100/61676 dst Company-lan:172.16.100.252/53
3|May 13 2008|21:09:39|305005|172.16.100.252|53|||No translation group found for udp src outside:172.16.101.100/61676 dst Company-lan:172.16.100.252/53

This is the current config file I'm using (anonymised, of course):

: Saved
:
ASA Version 8.0(3)
!
hostname asa5510
enable password 1mujhtmA4fcM3pOA encrypted
!
interface Ethernet0/0
 description Interface connected to Internet
 nameif outside
 security-level 0
 ip address x.x.x.x 255.255.255.248
!
interface Ethernet0/1
 description Interface connected to the Company-Holding LAN
 speed 1000
 duplex full
 nameif Company-lan
 security-level 100
 ip address 172.16.100.1 255.255.255.0
!
interface Ethernet0/2
 description Interface connected to the old OLDLAN-Lan
 nameif OLDLAN-lan
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/3
 description Interface for DMZ purposes
 nameif DMZ
 security-level 50
 ip address 10.172.100.1 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address 10.10.10.1 255.255.255.0
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/asa803-k8.bin
ftp mode passive
dns server-group CompanyDNS
 name-server 172.16.100.252
 name-server 192.168.1.100
 name-server 194.151.228.18
 name-server 194.151.228.34
 domain-name Company-holding.local
dns-group CompanyDNS
same-security-traffic permit inter-interface
access-list Company-lan_nat0_outbound extended permit ip 172.16.100.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list Company-lan_nat0_outbound extended permit ip 172.16.100.0 255.255.255.0 172.16.101.0 255.255.255.0
access-list OLDLAN-lan_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 172.16.100.0 255.255.255.0
access-list outside-entry extended permit tcp any host x.x.x.x eq smtp
access-list outside_access_in remark SMTP permit line to the Exchange Server
access-list outside_access_in extended permit tcp any host x.x.x.x eq smtp
access-list outside_access_in extended permit tcp any host x.x.x.x eq ssh inactive
access-list outside_access_in extended permit ip 172.16.101.0 255.255.255.0 172.16.100.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu Company-lan 1500
mtu OLDLAN-lan 1500
mtu DMZ 1500
mtu management 1500
ip local pool CompanySecure 172.16.101.100-172.16.101.252 mask 255.255.255.0
ip verify reverse-path interface outside
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdn-611.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (Company-lan) 0 access-list Company-lan_nat0_outbound
nat (Company-lan) 1 0.0.0.0 0.0.0.0
nat (OLDLAN-lan) 0 access-list OLDLAN-lan_nat0_outbound
nat (OLDLAN-lan) 1 0.0.0.0 0.0.0.0
static (Company-lan,outside) tcp interface smtp 172.16.100.251 smtp netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 77.61.155.73 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server IASadCompany protocol radius
aaa-server IASadCompany (Company-lan) host
 key
aaa authentication http console IASadCompany LOCAL
aaa authentication ssh console LOCAL
http server enable 20443
http 172.16.100.0 255.255.255.0 Company-lan
http 10.10.10.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
telnet timeout 5
ssh 172.16.100.0 255.255.255.0 Company-lan
ssh 10.10.10.0 255.255.255.0 management
ssh timeout 5
ssh version 2
console timeout 0
dhcpd address 10.10.10.100-10.10.10.200 management
dhcpd dns 194.151.228.18 194.151.228.34 interface management
dhcpd domain itmanagement.Company-holding.local interface management
dhcpd enable management
!
vpn load-balancing
 interface lbprivate DMZ
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
webvpn
 csd image disk0:/securedesktop_asa-3.3.0.118-k9.pkg
 csd enable
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol l2tp-ipsec webvpn
group-policy ClientVPN internal
group-policy ClientVPN attributes
 dns-server value 172.16.100.252
 vpn-tunnel-protocol IPSec
 password-storage disable
 default-domain value secure.Company-holding.local
 secure-unit-authentication enable
 user-authentication enable
 msie-proxy server value 172.16.100.250:8080
 msie-proxy method use-server
 msie-proxy local-bypass enable
username admin password privilege 15
tunnel-group ClientVPN type remote-access
tunnel-group ClientVPN general-attributes
 address-pool CompanySecure
 default-group-policy ClientVPN
tunnel-group ClientVPN ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname domain
Cryptochecksum:25bc95a8279f59219e3d64b5129271c8
: end

Hope anyone can help....

Locutus

The error you listed indicates you have not set up NAT for your clients. You can fix it one of 2 ways: either configure NAT for your VPN clients or configure nat 0.

Use the following command:

nat 0 access-list vpnclients

Then create an ACL called vpnclients with the IP addresses of your VPN clients, like so:

access-list vpnclients extended permit ip any host {enter your host IPs here}

Newbie72

Or in your case just add the address to this access list:

nat (Company-lan) 0 access-list Company-lan_nat0_outbound

Newbie72

Hi, thanks for the quick answer. I tried those yesterday, unfortunately to no effect. It did however bring me to the solution.

There is a bug in the ASA "IOS" image I was using (I know it's not IOS, but I don't know another name for it). It caused the rules I added to the ACL to be entered, but they were never applied. The issue is described in

formatting link
I never thought about restarting the device and therefore never got the rules applied to the nonat acl0 interface. I finally updated to an interim release of the ASA firmware and this issue seems to be resolved.

Locutus

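As an added example (not code from the thread), a small Python check that reads ASA 305005 "No translation group found" syslog lines together with the nat 0 ACL from a config and tells the two cases in this thread apart: the flow is already covered by a NAT exemption (Locutus's case, rule present but not applied, so the box rather than the config needs attention) or the exemption is genuinely missing (Newbie72's fix applies). It assumes pre-8.3 `nat (iface) 0 access-list` syntax and extended ACL entries with network/mask pairs; the sample log line and config lines are constructed from the addresses above.

```python
import ipaddress
import re

# Constructed sample input: one ASDM-style 305005 line and the two config
# lines that matter for it (addresses taken from the thread above).
SAMPLE_LOG = ("3|May 13 2008|21:09:41|305005|172.16.100.252|53|||No translation group "
              "found for udp src outside:172.16.101.100/49959 dst Company-lan:172.16.100.252/53")
SAMPLE_CONFIG = """
access-list Company-lan_nat0_outbound extended permit ip 172.16.100.0 255.255.255.0 172.16.101.0 255.255.255.0
nat (Company-lan) 0 access-list Company-lan_nat0_outbound
"""

LOG_RE = re.compile(r"\|305005\|.*?src (?P<sif>[\w-]+):(?P<src>[\d.]+)/\d+"
                    r" dst (?P<dif>[\w-]+):(?P<dst>[\d.]+)/\d+")
ACL_RE = re.compile(r"^access-list (?P<name>\S+) extended permit ip "
                    r"(?P<s>[\d.]+) (?P<sm>[\d.]+) (?P<d>[\d.]+) (?P<dm>[\d.]+)$")
NAT0_RE = re.compile(r"^nat \((?P<iface>[\w-]+)\) 0 access-list (?P<acl>\S+)$")

def parse_nat0(config):
    """Map each interface with a 'nat (iface) 0 access-list' to its (src, dst) network pairs."""
    acls, nat0 = {}, {}
    for line in config.strip().splitlines():
        line = line.strip()
        m = ACL_RE.match(line)
        if m:
            acls.setdefault(m["name"], []).append(
                (ipaddress.ip_network(f"{m['s']}/{m['sm']}"),
                 ipaddress.ip_network(f"{m['d']}/{m['dm']}")))
        m = NAT0_RE.match(line)
        if m:
            nat0[m["iface"]] = acls.get(m["acl"], [])
    return nat0

def diagnose(log_line, nat0):
    """Return 'no-305005', 'exempt-configured' or 'exempt-missing' for one syslog line."""
    m = LOG_RE.search(log_line)
    if not m:
        return "no-305005"
    src, dst = ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
    # NAT exemption (nat 0 access-list) is bidirectional and written from the
    # inside interface's view (inside net -> VPN pool), so an outside->inside
    # flow matches when the log's dst is in the ACL source and src in its dest.
    for s_net, d_net in nat0.get(m["dif"], []):
        if dst in s_net and src in d_net:
            return "exempt-configured"
    return "exempt-missing"
```

Run it over the full `show run` and the ASDM log export; an "exempt-configured" result for a flow that still logs 305005 means the running ACL is not what the box is enforcing, which is exactly what the firmware bug in this thread looked like.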

ASA 7's kernel is "Finesse". ASA 8's kernel is Linux (according to Wikipedia).

Walter Roberson

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.