VPN de acceso remoto ASA 5505: conexión establecida, pero no internet / acceso a subred interna


10

Actualizar

Finalmente se actualizó a 9.1.4. Lo configuré todo, volví a habilitar VPN y seguía teniendo el mismo problema. Entonces, borré toda la información de configuración de VPN y comencé desde cero. A continuación se muestra mi configuración actual. Puedo conectarme y acceder a recursos en la red interna. Sin embargo, no puedo acceder a Internet a través de la VPN.

xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
ip local pool VPNPool 192.168.3.1-192.168.3.30
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 2
!
interface Ethernet0/2
 switchport access vlan 2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 description Private-Interface
 nameif inside
 security-level 100
 ip address 10.3.3.1 255.255.255.0 
!
interface Vlan2
 description Public-Interface
 nameif outside
 security-level 0
 ip address xx.xx.xx.xx 255.255.255.248 
!
boot system disk0:/asa914-k8.bin
object network obj-10.3.3.0
 subnet 10.3.3.0 255.255.255.0
object network vpn_nat
 subnet 192.168.3.0 255.255.255.0
object-group service Internet-udp udp
 description UDP Standard Internet Services
 port-object eq domain
 port-object eq ntp
object-group service Internet-tcp tcp
 description TCP Standard Internet Services
 port-object eq www
 port-object eq https
 port-object eq smtp
 port-object eq 465
 port-object eq pop3
 port-object eq 995
 port-object eq ftp
 port-object eq ftp-data
 port-object eq domain
 port-object eq ssh
object-group network Internal-Subnet
object-group network obj-vpnpool
access-list inside-in remark -=[Access Lists for Outgoing Packets from Inside interface]=-
access-list inside-in extended permit udp 10.3.3.0 255.255.255.0 any4 object-group Internet-udp 
access-list inside-in extended permit tcp 10.3.3.0 255.255.255.0 any4 object-group Internet-tcp 
access-list inside-in extended permit icmp 10.3.3.0 255.255.255.0 any4 
access-list outside-in remark -=[Access Lists for Incoming Packets on OUTSIDE interface]=-
access-list outside-in extended permit icmp any4 any4 echo-reply 
access-list outside-in extended permit icmp any4 any4 echo 
access-list vpn_splitTunnelAcl standard permit 10.3.3.0 255.255.255.0 
nat (inside,outside) source static obj-10.3.3.0 obj-10.3.3.0 destination static vpn_nat vpn_nat no-proxy-arp route-lookup
object network obj-10.3.3.0
 nat (inside,outside) dynamic interface
access-group inside-in in interface inside
access-group outside-in in interface outside
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.xx 1 
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication telnet console LOCAL 
aaa authentication http console LOCAL 
aaa authentication ssh console LOCAL 
http server enable
http 10.3.3.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set vpn-transform-set-ikev1 esp-3des esp-sha-hmac 
crypto ipsec ikev1 transform-set vpn-transform-set-ikev1 mode transport
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map dyno 10 set ikev1 transform-set vpn-transform-set-ikev1
crypto map vpn 20 ipsec-isakmp dynamic dyno
crypto map vpn interface outside
crypto ca trustpool policy
crypto isakmp nat-traversal 3600
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 10.3.3.0 255.255.255.0 inside
ssh timeout 20
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd address 10.3.3.100-10.3.3.150 inside dhcpd dns xx.xx.xx.xx xx.xx.xx.xx interface inside dhcpd enable inside ! threat-detection basic-threat threat-detection statistics host number-of-rate 2 threat-detection statistics port number-of-rate 2 threat-detection statistics protocol number-of-rate 2 threat-detection statistics access-list no threat-detection statistics tcp-intercept group-policy vpn_policy internal group-policy vpn_policy attributes vpn-tunnel-protocol l2tp-ipsec split-tunnel-policy tunnelspecified split-tunnel-network-list value vpn_splitTunnelAcl username mike password x username mike attributes vpn-tunnel-protocol l2tp-ipsec username admin password x encrypted privilege 15 tunnel-group DefaultRAGroup general-attributes address-pool VPNPool default-group-policy vpn_policy tunnel-group DefaultRAGroup ipsec-attributes ikev1 pre-shared-key * tunnel-group DefaultRAGroup ppp-attributes authentication ms-chap-v2 ! class-map inspection_default match default-inspection-traffic ! ! policy-map type inspect dns preset_dns_map parameters message-length maximum client auto message-length maximum 512 policy-map global_policy class inspection_default inspect dns preset_dns_map inspect ftp inspect h323 h225 inspect h323 ras inspect ip-options inspect netbios inspect rsh inspect rtsp inspect skinny
inspect esmtp inspect sqlnet inspect sunrpc inspect tftp inspect sip
inspect xdmcp class class-default user-statistics accounting ! service-policy global_policy global prompt hostname context no call-home reporting anonymous call-home profile CiscoTAC-1 no active destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address email callhome@cisco.com destination transport-method http subscribe-to-alert-group diagnostic subscribe-to-alert-group environment subscribe-to-alert-group inventory periodic monthly subscribe-to-alert-group configuration periodic monthly subscribe-to-alert-group telemetry periodic daily : end

Cosas viejas

Estoy tratando de configurar un L2TP sobre VPN de acceso remoto IPSec en un ASA 5505, versión 8.2 (5). Puedo autenticar y se establece una conexión. Sin embargo, no puedo acceder a los recursos en la red interna o acceder a Internet. Además, el ASA no puede hacer ping a los clientes conectados.

En el cliente conectado puedo hacer ping a la IP externa del ASA. Cuando hago eso, incluso veo que el recuento de paquetes cifrados y descifrados sube en el ASA con show crypto ipsec sa.

He intentado hacer algunas cosas con NAT y con las rutas, pero no puedo hacerlo funcionar.

Mi red interna es 10.3.3.0/24 y mi grupo de VPN es 192.168.3.0/24. A continuación, he copiado las partes relevantes de la configuración.


object-group service Internet-udp udp
 description UDP Standard Internet Services
 port-object eq domain
 port-object eq ntp
object-group service Internet-tcp tcp
 description TCP Standard Internet Services
 port-object eq www
 port-object eq https
 port-object eq smtp
 port-object eq 465
 port-object eq pop3
 port-object eq 995
 port-object eq ftp
 port-object eq ftp-data
 port-object eq domain
 port-object eq ssh
 port-object eq 993
object-group network Internal-Subnet
object-group network obj-vpnpool
access-list inside-in remark -=[Access Lists for Outgoing Packets from Inside interface]=-
access-list inside-in extended permit udp 10.3.3.0 255.255.255.0 any object-group Internet-udp
access-list inside-in extended permit tcp 10.3.3.0 255.255.255.0 any object-group Internet-tcp
access-list inside-in extended permit icmp 10.3.3.0 255.255.255.0 any
access-list outside-in remark -=[Access Lists for Incoming Packets on OUTSIDE interface]=-
access-list outside-in extended permit icmp any any echo-reply
access-list DefaultRAGroup_splitTunnelAcl standard permit 10.3.3.0 255.255.255.0
access-list DefaultRAGroup_splitTunnelAcl standard permit 192.168.3.96 255.255.255.224
access-list inside_nat0_outbound extended permit ip 10.3.3.0 255.255.255.0 192.168.3.0 255.255.255.0

ip local pool VPNPool 192.168.3.100-192.168.3.120 mask 255.255.255.0

nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.3.3.0 255.255.255.0
access-group inside-in in interface inside
access-group outside-in in interface outside
route outside 0.0.0.0 0.0.0.0 **.**.**.** 1

group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value **.**.**.** **.**.**.**
 vpn-tunnel-protocol l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set TRANS_ESP_3DES_SHA ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha     
 group 2
 lifetime 86400


Actualización 1

Tomé la sugerencia de Ron y aprendí cómo funcionan los packet-tracercomandos. Aquí hay algunas cosas que encontré después de emitirpacket-tracer input inside icmp 10.3.3.100 8 0 192.168.3.100


Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.3.100   255.255.255.255 outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside-in in interface inside
access-list inside-in extended permit icmp 10.3.3.0 255.255.255.0 any 
Additional Information:

Phase: 3
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 4      
Type: INSPECT 
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: NAT-EXEMPT
Subtype: 
Result: ALLOW
Config:
  match ip inside 10.3.3.0 255.255.255.0 outside 192.168.3.0 255.255.255.0
    NAT exempt
    translate_hits = 16, untranslate_hits = 2
Additional Information:

Phase: 6
Type: NAT
Subtype: 
Result: ALLOW
Config:
nat (inside) 1 10.3.3.0 255.255.255.0
  match ip inside 10.3.3.0 255.255.255.0 outside any
    dynamic translation to pool 1 (**.**.**.** [Interface PAT])
    translate_hits = 21582, untranslate_hits = 2392
Additional Information:

Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 1 10.3.3.0 255.255.255.0
  match ip inside 10.3.3.0 255.255.255.0 inside any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0
Additional Information:

Phase: 8
Type: HOST-LIMIT
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: L2TP-PPP
Subtype: 
Result: ALLOW 
Config:
Additional Information:

Phase: 10
Type: PPP
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: FLOW-CREATION
Subtype: 
Result: ALLOW
Config:
Additional Information:
New flow created with id 23037, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

La fase 6 muestra una traducción NAT. Luego verifico la respuesta de eco con packet-tracer input outside icmp 192.168.3.100 0 0 10.3.3.100.


Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.3.3.0        255.255.255.0   inside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside-in in interface outside
access-list outside-in extended permit icmp any any echo-reply 
Additional Information:

Phase: 3
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 4      
Type: CP-PUNT
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: L2TP-PPP
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW 
Config:
Additional Information:

Phase: 8
Type: NAT-EXEMPT
Subtype: rpf-check
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: HOST-LIMIT
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside) 1 10.3.3.0 255.255.255.0
  match ip inside 10.3.3.0 255.255.255.0 outside any
    dynamic translation to pool 1 (**.**.**.** [Interface PAT])
    translate_hits = 21589, untranslate_hits = 2392
Additional Information:

Phase: 11
Type: FLOW-CREATION
Subtype: 
Result: ALLOW
Config:
Additional Information:
New flow created with id 23079, packet dispatched to next module

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

La fase 8 muestra NAT-EXEMPTpero la fase 10 muestra una traducción NAT. Eso sería problemático.


Actualización 2

Actualmente show vpn-sessiondb detail remote filter protocol L2TPOverIPSecno devuelve nada mientras un cliente está conectado.

Por otro lado show vpn-sessiondb detail remote filter protocol L2TPOverIPSecOverNatTmuestra el cliente conectado. Al intentar hacer cosas en el cliente, los Bytes Rx y Pkts Rx aumentan. Los bytes Tx y Pkts Tx no aumentan (Pkts Tx permanece en 17). Pkts Tx Drop y Pkts Rx Drop son ambos 0. Si hago ping 192.168.3.100 (el cliente vpn), entonces Pkts Tx aumenta para cada ping.


Actualización 3

Permití iniciar sesión en el ASA y establecí una conexión. Aquí hay algunos mensajes de registro interesantes que estoy viendo


%ASA-6-737026: IPAA: Client assigned 192.168.3.100 from local pool
ppp_virtual_interface_id is 1, client_dynamic_ip is 192.168.3.100
%ASA-7-609001: Built local-host outside:192.168.3.100
%ASA-2-106001: Inbound TCP connection denied from 192.168.3.100/57013 to **.**.**.**/443 flags SYN  on interface outside
%ASA-2-106001: Inbound TCP connection denied from 192.168.3.100/57013 to **.**.**.**/443 flags SYN  on interface outside
%ASA-2-106001: Inbound TCP connection denied from 192.168.3.100/57013 to **.**.**.**/443 flags SYN  on interface outside
%ASA-2-106007: Deny inbound UDP from 192.168.3.100/9562 to **.**.**.**/53 due to DNS Query
%ASA-2-106007: Deny inbound UDP from 192.168.3.100/61529 to **.**.**.**/53 due to DNS Query
%ASA-2-106007: Deny inbound UDP from 192.168.3.100/38824 to **.**.**.**/53 due to DNS Query

%ASA-3-713042: IKE Initiator unable to find policy: Intf inside, Src: 10.3.3.100, Dst: 192.168.3.100
%ASA-3-713042: IKE Initiator unable to find policy: Intf inside, Src: 10.3.3.100, Dst: 192.168.3.100

¿Has intentado usar la función de rastreo de paquetes del ASA para ver dónde podrían salir mal las cosas?
Ron Trunk

@Ron para simular un paquete http desde la VPN ¿utilizaría esta entrada de seguimiento de paquetes fuera de 192.168.3.100 50612 8.8.8.8 80 ? Estoy confundido en cuanto a si debería usar el tráfico VPN fuera o dentro .
mikeazo

Como experimento, elimine la instrucción nat (1) y vea si funciona.
Ron Trunk


2
Sin embargo, no puedo acceder a Internet a través de la VPN. Parece que está configurado para un túnel dividido, por lo que no utilizará el túnel para el tráfico de Internet. Si túneles todo el tráfico, deberías poder acceder a Internet a través de la VPN.
James.Birmingham

Respuestas:


1

Para que el cliente pueda conectarse a recursos fuera del túnel VPN, se debe configurar un túnel dividido. Esto permitirá que el adaptador herede rutas fuera de su propia tabla de rutas y también permitirá que salga el tráfico. Agregar rutas al conectarse es solo una parte del problema.

Aquí hay un enlace con instrucciones para ADM y CLI http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/70917-asa -split-tunnel-vpn-client.html


1

Todas las respuestas sugieren un túnel dividido, que creo que configuré correctamente.

Al final, configuré un servidor proxy en la red interna. Si mi navegador apuntara a eso, entonces podría acceder a Internet a través de él.


0

Para acceder a Internet tendrá que configurar el túnel dividido, porque el túnel dividido define qué tráfico irá por túnel y qué no, porque de manera predeterminada todo el tráfico irá por túnel. puede ver en su computadora escribiendo (ruta de impresión), que todo el tráfico irá por túnel, y si no desea usar un túnel dividido, entonces tenemos una solución más que puede configurar natting inverso, el primer paquete irá a su control remoto servidor y servidor remoto enviará de vuelta a internet


0

Sospecho que Split Tunneling puede no ser compatible con L2TP sobre IPSec. ¿Podrías probar lo siguiente por mí?

conf t
!
same-security-traffic permit intra-interface
!
object network vpn_nat
 nat (outside,outside) dynamic interface
!

También noté que falta la configuración del servidor DNS en su Política de grupo actualizada.

Al usar nuestro sitio, usted reconoce que ha leído y comprende nuestra Política de Cookies y Política de Privacidad.
Licensed under cc by-sa 3.0 with attribution required.