ASA 5505 VPN di accesso remoto - Connessione stabilita, ma nessuna connessione Internet / accesso alla sottorete interna


10

Aggiornare

Finalmente aggiornato a 9.1.4. Ho configurato tutto, riattivato la VPN e continuavo ad avere lo stesso problema. Quindi, ho cancellato tutte le informazioni di configurazione della VPN e ho iniziato da zero. Di seguito è la mia configurazione attuale. Sono in grado di connettermi e accedere alle risorse sulla rete interna. Non sono, tuttavia, in grado di accedere a Internet tramite la VPN.

xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
ip local pool VPNPool 192.168.3.1-192.168.3.30
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 2
!
interface Ethernet0/2
 switchport access vlan 2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 description Private-Interface
 nameif inside
 security-level 100
 ip address 10.3.3.1 255.255.255.0 
!
interface Vlan2
 description Public-Interface
 nameif outside
 security-level 0
 ip address xx.xx.xx.xx 255.255.255.248 
!
boot system disk0:/asa914-k8.bin
object network obj-10.3.3.0
 subnet 10.3.3.0 255.255.255.0
object network vpn_nat
 subnet 192.168.3.0 255.255.255.0
object-group service Internet-udp udp
 description UDP Standard Internet Services
 port-object eq domain
 port-object eq ntp
object-group service Internet-tcp tcp
 description TCP Standard Internet Services
 port-object eq www
 port-object eq https
 port-object eq smtp
 port-object eq 465
 port-object eq pop3
 port-object eq 995
 port-object eq ftp
 port-object eq ftp-data
 port-object eq domain
 port-object eq ssh
object-group network Internal-Subnet
object-group network obj-vpnpool
access-list inside-in remark -=[Access Lists for Outgoing Packets from Inside interface]=-
access-list inside-in extended permit udp 10.3.3.0 255.255.255.0 any4 object-group Internet-udp 
access-list inside-in extended permit tcp 10.3.3.0 255.255.255.0 any4 object-group Internet-tcp 
access-list inside-in extended permit icmp 10.3.3.0 255.255.255.0 any4 
access-list outside-in remark -=[Access Lists for Incoming Packets on OUTSIDE interface]=-
access-list outside-in extended permit icmp any4 any4 echo-reply 
access-list outside-in extended permit icmp any4 any4 echo 
access-list vpn_splitTunnelAcl standard permit 10.3.3.0 255.255.255.0 
nat (inside,outside) source static obj-10.3.3.0 obj-10.3.3.0 destination static vpn_nat vpn_nat no-proxy-arp route-lookup
object network obj-10.3.3.0
 nat (inside,outside) dynamic interface
access-group inside-in in interface inside
access-group outside-in in interface outside
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.xx 1 
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication telnet console LOCAL 
aaa authentication http console LOCAL 
aaa authentication ssh console LOCAL 
http server enable
http 10.3.3.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set vpn-transform-set-ikev1 esp-3des esp-sha-hmac 
crypto ipsec ikev1 transform-set vpn-transform-set-ikev1 mode transport
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map dyno 10 set ikev1 transform-set vpn-transform-set-ikev1
crypto map vpn 20 ipsec-isakmp dynamic dyno
crypto map vpn interface outside
crypto ca trustpool policy
crypto isakmp nat-traversal 3600
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 10.3.3.0 255.255.255.0 inside
ssh timeout 20
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd address 10.3.3.100-10.3.3.150 inside dhcpd dns xx.xx.xx.xx xx.xx.xx.xx interface inside dhcpd enable inside ! threat-detection basic-threat threat-detection statistics host number-of-rate 2 threat-detection statistics port number-of-rate 2 threat-detection statistics protocol number-of-rate 2 threat-detection statistics access-list no threat-detection statistics tcp-intercept group-policy vpn_policy internal group-policy vpn_policy attributes vpn-tunnel-protocol l2tp-ipsec split-tunnel-policy tunnelspecified split-tunnel-network-list value vpn_splitTunnelAcl username mike password x username mike attributes vpn-tunnel-protocol l2tp-ipsec username admin password x encrypted privilege 15 tunnel-group DefaultRAGroup general-attributes address-pool VPNPool default-group-policy vpn_policy tunnel-group DefaultRAGroup ipsec-attributes ikev1 pre-shared-key * tunnel-group DefaultRAGroup ppp-attributes authentication ms-chap-v2 ! class-map inspection_default match default-inspection-traffic ! ! policy-map type inspect dns preset_dns_map parameters message-length maximum client auto message-length maximum 512 policy-map global_policy class inspection_default inspect dns preset_dns_map inspect ftp inspect h323 h225 inspect h323 ras inspect ip-options inspect netbios inspect rsh inspect rtsp inspect skinny
inspect esmtp inspect sqlnet inspect sunrpc inspect tftp inspect sip
inspect xdmcp class class-default user-statistics accounting ! service-policy global_policy global prompt hostname context no call-home reporting anonymous call-home profile CiscoTAC-1 no active destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address email callhome@cisco.com destination transport-method http subscribe-to-alert-group diagnostic subscribe-to-alert-group environment subscribe-to-alert-group inventory periodic monthly subscribe-to-alert-group configuration periodic monthly subscribe-to-alert-group telemetry periodic daily : end

Roba vecchia

Sto cercando di impostare un L2TP su VPN di accesso remoto IPSec su un ASA 5505, versione 8.2 (5). Sono in grado di autenticarmi e viene stabilita una connessione. Non sono, tuttavia, in grado di accedere alle risorse sulla rete interna o accedere a Internet. Inoltre, ASA non è in grado di eseguire il ping dei client connessi.

Sul client connesso posso eseguire il ping dell'IP esterno dell'ASA. Quando lo faccio, vedo persino il conteggio dei pacchetti crittografati e decrittografati salire su ASA con show crypto ipsec sa.

Ho provato a fare alcune cose con NAT e con i percorsi, ma non riesco proprio a farlo funzionare.

La mia rete interna è 10.3.3.0/24 e il mio pool VPN è 192.168.3.0/24. Di seguito ho copiato le parti pertinenti della configurazione.


object-group service Internet-udp udp
 description UDP Standard Internet Services
 port-object eq domain
 port-object eq ntp
object-group service Internet-tcp tcp
 description TCP Standard Internet Services
 port-object eq www
 port-object eq https
 port-object eq smtp
 port-object eq 465
 port-object eq pop3
 port-object eq 995
 port-object eq ftp
 port-object eq ftp-data
 port-object eq domain
 port-object eq ssh
 port-object eq 993
object-group network Internal-Subnet
object-group network obj-vpnpool
access-list inside-in remark -=[Access Lists for Outgoing Packets from Inside interface]=-
access-list inside-in extended permit udp 10.3.3.0 255.255.255.0 any object-group Internet-udp
access-list inside-in extended permit tcp 10.3.3.0 255.255.255.0 any object-group Internet-tcp
access-list inside-in extended permit icmp 10.3.3.0 255.255.255.0 any
access-list outside-in remark -=[Access Lists for Incoming Packets on OUTSIDE interface]=-
access-list outside-in extended permit icmp any any echo-reply
access-list DefaultRAGroup_splitTunnelAcl standard permit 10.3.3.0 255.255.255.0
access-list DefaultRAGroup_splitTunnelAcl standard permit 192.168.3.96 255.255.255.224
access-list inside_nat0_outbound extended permit ip 10.3.3.0 255.255.255.0 192.168.3.0 255.255.255.0

ip local pool VPNPool 192.168.3.100-192.168.3.120 mask 255.255.255.0

nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.3.3.0 255.255.255.0
access-group inside-in in interface inside
access-group outside-in in interface outside
route outside 0.0.0.0 0.0.0.0 **.**.**.** 1

group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value **.**.**.** **.**.**.**
 vpn-tunnel-protocol l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set TRANS_ESP_3DES_SHA ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha     
 group 2
 lifetime 86400


Aggiornamento 1

Ho seguito il suggerimento di Ron e ho imparato come packet-tracerfunzionano i comandi. Ecco alcune cose che ho trovato dopo l'emissionepacket-tracer input inside icmp 10.3.3.100 8 0 192.168.3.100


Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.3.100   255.255.255.255 outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside-in in interface inside
access-list inside-in extended permit icmp 10.3.3.0 255.255.255.0 any 
Additional Information:

Phase: 3
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 4      
Type: INSPECT 
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: NAT-EXEMPT
Subtype: 
Result: ALLOW
Config:
  match ip inside 10.3.3.0 255.255.255.0 outside 192.168.3.0 255.255.255.0
    NAT exempt
    translate_hits = 16, untranslate_hits = 2
Additional Information:

Phase: 6
Type: NAT
Subtype: 
Result: ALLOW
Config:
nat (inside) 1 10.3.3.0 255.255.255.0
  match ip inside 10.3.3.0 255.255.255.0 outside any
    dynamic translation to pool 1 (**.**.**.** [Interface PAT])
    translate_hits = 21582, untranslate_hits = 2392
Additional Information:

Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 1 10.3.3.0 255.255.255.0
  match ip inside 10.3.3.0 255.255.255.0 inside any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0
Additional Information:

Phase: 8
Type: HOST-LIMIT
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: L2TP-PPP
Subtype: 
Result: ALLOW 
Config:
Additional Information:

Phase: 10
Type: PPP
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: FLOW-CREATION
Subtype: 
Result: ALLOW
Config:
Additional Information:
New flow created with id 23037, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

La fase 6 mostra una traduzione NAT. Quindi controllo l'eco-risposta con packet-tracer input outside icmp 192.168.3.100 0 0 10.3.3.100.


Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.3.3.0        255.255.255.0   inside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside-in in interface outside
access-list outside-in extended permit icmp any any echo-reply 
Additional Information:

Phase: 3
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 4      
Type: CP-PUNT
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: L2TP-PPP
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW 
Config:
Additional Information:

Phase: 8
Type: NAT-EXEMPT
Subtype: rpf-check
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: HOST-LIMIT
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside) 1 10.3.3.0 255.255.255.0
  match ip inside 10.3.3.0 255.255.255.0 outside any
    dynamic translation to pool 1 (**.**.**.** [Interface PAT])
    translate_hits = 21589, untranslate_hits = 2392
Additional Information:

Phase: 11
Type: FLOW-CREATION
Subtype: 
Result: ALLOW
Config:
Additional Information:
New flow created with id 23079, packet dispatched to next module

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

La fase 8 mostra NAT-EXEMPTma la fase 10 mostra una traduzione NAT. Sarebbe problematico.


Aggiornamento 2

Attualmente show vpn-sessiondb detail remote filter protocol L2TPOverIPSecnon restituisce nulla mentre un client è connesso.

D'altra parte show vpn-sessiondb detail remote filter protocol L2TPOverIPSecOverNatTmostra il client connesso. Durante il tentativo di eseguire operazioni sul client, aumentano i byte Rx e Pkts Rx. I byte Tx e Pkts Tx non aumentano (Pkts Tx rimane a 17). Pkts Tx Drop e Pkts Rx Drop sono entrambi 0. Se eseguo il ping 192.168.3.100 (il client vpn), allora Pkts Tx aumenta per ogni ping.


Aggiornamento 3

Ho abilitato la registrazione sull'ASA e stabilito una connessione. Ecco alcuni interessanti messaggi di registro che sto vedendo


%ASA-6-737026: IPAA: Client assigned 192.168.3.100 from local pool
ppp_virtual_interface_id is 1, client_dynamic_ip is 192.168.3.100
%ASA-7-609001: Built local-host outside:192.168.3.100
%ASA-2-106001: Inbound TCP connection denied from 192.168.3.100/57013 to **.**.**.**/443 flags SYN  on interface outside
%ASA-2-106001: Inbound TCP connection denied from 192.168.3.100/57013 to **.**.**.**/443 flags SYN  on interface outside
%ASA-2-106001: Inbound TCP connection denied from 192.168.3.100/57013 to **.**.**.**/443 flags SYN  on interface outside
%ASA-2-106007: Deny inbound UDP from 192.168.3.100/9562 to **.**.**.**/53 due to DNS Query
%ASA-2-106007: Deny inbound UDP from 192.168.3.100/61529 to **.**.**.**/53 due to DNS Query
%ASA-2-106007: Deny inbound UDP from 192.168.3.100/38824 to **.**.**.**/53 due to DNS Query

%ASA-3-713042: IKE Initiator unable to find policy: Intf inside, Src: 10.3.3.100, Dst: 192.168.3.100
%ASA-3-713042: IKE Initiator unable to find policy: Intf inside, Src: 10.3.3.100, Dst: 192.168.3.100

Hai provato a utilizzare la funzione di tracciamento dei pacchetti di ASA per vedere dove le cose potrebbero andare male?
Ron Trunk,

@ Ron per simulare un pacchetto http dalla VPN utilizzerei questo input di pacchetto-tracer al di fuori di 192.168.3.100 50612 8.8.8.8 80 ? Sono confuso sul fatto che dovrei usare all'esterno o all'interno per il traffico VPN.
Mikeazo,

Come esperimento, rimuovi l'istruzione nat (1) e vedi se funziona.
Ron Trunk,


2
Non sono, tuttavia, in grado di accedere a Internet tramite la VPN. Sembra che tu sia configurato per un tunnel diviso, quindi non utilizzerai il tunnel per il traffico Internet. Se esegui il tunneling di tutto il traffico, dovresti essere in grado di accedere a Internet tramite la VPN.
James

Risposte:


1

Per consentire al client di connettersi a risorse esterne al tunnel VPN, è necessario configurare un tunnel diviso. Ciò consentirà all'adattatore di ereditare le rotte al di fuori della propria tabella delle rotte e di consentire il traffico in uscita. L'aggiunta di route al momento della connessione è solo una parte del problema.

Ecco un link con le istruzioni per ADM e CLI http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/70917-asa -split-tunnel VPN-client.html


1

Tutte le risposte suggeriscono un tunnel diviso, che credo di aver impostato correttamente.

Alla fine, ho installato un server proxy sulla rete interna. Se il mio browser fosse puntato su quello, allora potrei accedere a Internet attraverso di esso.


0

Per accedere a Internet dovrai configurare il tunnel diviso, perché il tunnel diviso definisce quale traffico passerà per tunnel e cosa no, perché di default tutto il traffico passerà per tunnel. puoi vedere sul tuo computer digitando (percorso di stampa), che tutto il traffico passerà attraverso il tunnel, e se non vuoi usare il tunnel diviso, allora abbiamo un'altra soluzione che puoi configurare il reverse natting, il primo pacchetto andrà sul tuo telecomando il server e il server remoto rispediranno a Internet


0

Ho il sospetto che Split Tunneling potrebbe non essere supportato con L2TP su IPSec. Potresti provare quanto segue per me?

conf t
!
same-security-traffic permit intra-interface
!
object network vpn_nat
 nat (outside,outside) dynamic interface
!

Ho anche notato che la configurazione del server DNS non è presente nei criteri di gruppo aggiornati.

Utilizzando il nostro sito, riconosci di aver letto e compreso le nostre Informativa sui cookie e Informativa sulla privacy.
Licensed under cc by-sa 3.0 with attribution required.