VPN limited to two users...

x90syl (Programmer, GB), Oct 11, 2009
Hi,

I have recently 'inherited' the network role at work and have come across this problem which I hope you knowledgeable people can help me with.

We have an ASA 5505 with a Security Plus package which, in theory, has a combined capacity of up to 25 VPN users. However, in practice it seems only two people are able to log on at any one time. When the third user logs on, the next IP address within the defined IP pool is correctly assigned, but when they try to connect via Remote Desktop it eventually times out. Upon checking the logging monitor it says something like...

Explanation:
'%PIX|ASA-3-305005: No translation group found for protocol src interface_name:dest_address/dest_port dst interface_name:source_address/source_port'

A packet does not match any of the outbound nat command rules.

Recommended Action:
This message indicates a configuration error. If dynamic NAT is desired for the source host, ensure that the nat command matches the source IP address. If static NAT is desired for the source host, ensure that the local IP address of the static command matches. If no NAT is desired for the source host, check the ACL bound to the NAT 0 ACL.

Please note I do not have a firewall/security background, as mentioned earlier this role was 'inherited' so could you explain exactly what this means in clear & simple terms.

Thanks in advance.

Regards.
 
please post a scrubbed config and we will have a look.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
x90syl,
If all your users are trying to RDC into the same machine, it is probably caused by RDC. By default, only 2 RDC connections are allowed to connect at a time.

kmills
 
Thx unclerico and kmills for speedy responses.

unclerico - 'a scrubbed config'... sorry is this the output from a show running config command?

kmills - Will remember that for next time, but for now the users are all logging into their own desktops.

Regards.
 
is this the output from a show running config command?
yes. remove any public ip address info as well as usernames and passwords

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Hi unclerico,

Please find the info requested below:

: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa-sdsl
domain-name xxx
enable password xxx encrypted
passwd xxx encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
ospf cost 10
!
interface Vlan2
nameif outside
security-level 0
ip address 87.224.119.130 255.255.255.0
ospf cost 10
!
interface Vlan3
nameif dmz
security-level 50
ip address 192.168.5.1 255.255.255.0
ospf cost 10
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
switchport access vlan 3
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
domain-name xxx
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group network DM_INLINE_NETWORK_1
network-object host
network-object host
network-object host
network-object host
object-group network DM_INLINE_NETWORK_2
network-object host consortium-ftp
network-object host roadtech-ftp
object-group service DM_INLINE_TCP_1 tcp
port-object eq ftp
port-object eq ftp-data
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.1.200 255.255.255.254
access-list inside_access_in extended permit ip 192.168.1.0 255.255.255.0 any
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_1 eq www
access-list outside_access_in extended permit tcp object-group DM_INLINE_NETWORK_2 host object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit tcp any host eq smtp
access-list dmz_nat0_outbound extended permit ip 192.168.5.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list dmz_access_in extended permit tcp 192.168.5.0 255.255.255.0 host xxx002 eq 1433
access-list dmz_access_in extended permit ip any any
access-list xxx_splitTunnelAcl standard permit any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool VPN_DHCP 192.168.1.200-192.168.1.210 mask 255.255.255.0
no failover
monitor-interface inside
monitor-interface outside
monitor-interface dmz
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 0 access-list dmz_nat0_outbound
static (dmz,outside) WWW4 netmask 255.255.255.255
static (dmz,outside) WWW3 netmask 255.255.255.255
static (dmz,outside) WWW2 netmask 255.255.255.255
static (dmz,outside) WWW1 netmask 255.255.255.255
static (outside,dmz) WWW1 netmask 255.255.255.255
static (outside,dmz) WWW2 netmask 255.255.255.255
static (outside,dmz) WWW3 netmask 255.255.255.255
static (outside,dmz) WWW4 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
route inside 10.0.0.0 255.0.0.0 192.168.1.3 1
route inside 172.16.0.0 255.255.255.248 192.168.1.3 1
route outside 0.0.0.0 0.0.0.0 87.224.119.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.100-192.168.1.130 inside
dhcpd dns 217.13.128.17 83.218.143.36 interface inside
!
dhcprelay server 192.168.1.17 inside

group-policy xxx internal
group-policy xxx attributes
dns-server value 192.168.1.17
dhcp-network-scope 192.168.1.200
vpn-simultaneous-logins 5
vpn-tunnel-protocol IPSec l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value xxx_splitTunnelAcl
default-domain value xxx
tunnel-group DefaultL2LGroup ipsec-attributes
tunnel-group DefaultWEBVPNGroup webvpn-attributes
tunnel-group xxx type ipsec-ra
tunnel-group xxx general-attributes
address-pool VPN_DHCP
default-group-policy xxx
tunnel-group xxx ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:eafa2c49e160e42d75aa4840ddcb24fb
: end
asdm image disk0:/asdm-524.bin
asdm location 255.255.255.255 inside
asdm location WWW3 255.255.255.255 inside
asdm location WWW1 255.255.255.255 inside
asdm location WWW2 255.255.255.255 inside
asdm location WWW4 255.255.255.255 inside
asdm location 255.255.255.255 inside
asdm location 255.255.255.255 inside
asdm location 255.255.255.255 inside
asdm location roadtech-ftp 255.255.255.255 inside
asdm location consortium-ftp 255.255.255.255 inside
asdm location cms 255.255.255.255 inside
asdm location MAIL-ext 255.255.255.255 inside
no asdm history enable

Thanks again.

Regards
 
you have a couple of issues:
1) Your mask on the end of the destination address in the below ACE will only bypass nat for two addresses
Code:
access-list inside_nat0_outbound extended permit ip any 192.168.1.200 255.255.255.254
2) Best practice is to have your RA VPN pool in a completely different address range than your internal network(s). So instead of 192.168.1.x I would make it something like 192.168.2.x/24 or something similar. Then you'll alter your inside_nat0_outbound ACL to exempt internal traffic from the NAT process when traversing the ASA to the VPN users.

Hopefully this makes sense.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
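To make the mask point concrete, here is a small added check (not code from the thread or from Cisco) that takes the pool and nat0 lines from the original config above and from the revised config posted further down, converts each ASA dotted netmask to a prefix, and lists the pool addresses no exemption covers. The config excerpts are copied from the thread; the function names are my own.

```python
import ipaddress
import re

# Constructed excerpts: the pool definitions and VPN-related nat0 ACEs from
# the two configs posted in this thread (original first, revised second).
ORIGINAL_CONFIG = """
ip local pool VPN_DHCP 192.168.1.200-192.168.1.210 mask 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.1.200 255.255.255.254
"""

REVISED_CONFIG = """
ip local pool VPN_DHCP 192.168.1.200-192.168.1.215 mask 255.255.255.0
ip local pool VPN_Static 192.168.2.100-192.168.2.124 mask 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.1.200 255.255.255.254
access-list inside_nat0_outbound extended permit ip any 192.168.1.192 255.255.255.192
access-list inside_nat0_outbound extended permit ip any 192.168.2.100 255.255.255.252
"""

POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+) mask")
ACE_RE = re.compile(r"^access-list inside_nat0_outbound extended permit ip any (\S+) (\S+)$")


def parse_pools(config):
    """Return {pool_name: [IPv4Address, ...]} for every 'ip local pool' line."""
    pools = {}
    for line in config.splitlines():
        m = POOL_RE.match(line.strip())
        if m:
            first = int(ipaddress.ip_address(m.group(2)))
            last = int(ipaddress.ip_address(m.group(3)))
            pools[m.group(1)] = [ipaddress.ip_address(a) for a in range(first, last + 1)]
    return pools


def parse_exempt_networks(config):
    """Return the destination networks the nat0 ACL exempts from NAT.
    ASA writes the mask in dotted form, so 255.255.255.254 is a /31 (2 hosts)
    and 255.255.255.252 is a /30 (4 hosts)."""
    nets = []
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            nets.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False))
    return nets


def unexempted_pool_addresses(config):
    """Map each pool name to the pool addresses that no nat0 ACE covers.
    A VPN client handed one of these has no NAT exemption toward the inside
    hosts, which is the situation the 305005 log message describes."""
    nets = parse_exempt_networks(config)
    result = {}
    for name, addrs in parse_pools(config).items():
        result[name] = [str(a) for a in addrs if not any(a in n for n in nets)]
    return result
```

For the original config the third pool address, 192.168.1.202, is the first one left out, which matches the "works for two users" symptom; in the revised config the /30 on the new 192.168.2.100 pool leaves 192.168.2.104 onward uncovered in the same way.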
 
Thanks unclerico.

I have added a new VPN pool as recommended, 192.168.2.100, and added an entry to the NAT outbound on the extended ACL list all within ASDM. However, I am having problems getting the VPN to log in now via the Cisco VPN gui - it just times out saying error 412???

:( :( :(


Regards
 
can you post the new config??

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
unclerico,

Here you go... thanks again.

Result of the command: "show running-config"

: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa-sdsl
domain-name xxx.co.uk
names
!
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
domain-name xxx.co.uk
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group network DM_INLINE_NETWORK_1
network-object host
network-object host
network-object host
network-object host
object-group network DM_INLINE_NETWORK_2
network-object host consortium-ftp
network-object host roadtech-ftp
object-group service DM_INLINE_TCP_1 tcp
port-object eq ftp
port-object eq ftp-data
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.1.200 255.255.255.254
access-list inside_nat0_outbound extended permit ip any 192.168.1.192 255.255.255.192
access-list inside_nat0_outbound extended permit ip any 192.168.2.100 255.255.255.252
access-list inside_access_in extended permit ip 192.168.1.0 255.255.255.0 any
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_1 eq www
access-list outside_access_in extended permit tcp object-group DM_INLINE_NETWORK_2 host object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit tcp any host eq smtp
access-list dmz_nat0_outbound extended permit ip 192.168.5.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list dmz_access_in extended permit tcp 192.168.5.0 255.255.255.0 host XXX002 eq 1433
access-list dmz_access_in extended permit ip any any
access-list XXX_splitTunnelAcl standard permit any
access-list XXXASA_splitTunnelAcl standard permit any
access-list outside_cryptomap extended permit ip any any inactive
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool VPN_DHCP 192.168.1.200-192.168.1.215 mask 255.255.255.0
ip local pool VPN_Static 192.168.2.100-192.168.2.124 mask 255.255.255.0
no failover
monitor-interface inside
monitor-interface outside
monitor-interface dmz
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 0 access-list dmz_nat0_outbound
static (dmz,outside) WWW4 netmask 255.255.255.255
static (dmz,outside) WWW3 netmask 255.255.255.255
static (dmz,outside) WWW2 netmask 255.255.255.255
static (dmz,outside) WWW1 netmask 255.255.255.255
static (outside,dmz) WWW1 netmask 255.255.255.255
static (outside,dmz) WWW2 netmask 255.255.255.255
static (outside,dmz) WWW3 netmask 255.255.255.255
static (outside,dmz) WWW4 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
route inside 10.0.0.0 255.0.0.0 192.168.1.3 1
route inside 172.16.0.0 255.255.255.248 192.168.1.3 1
route outside 0.0.0.0 0.0.0.0 87.224.XXX.XXX 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
eou clientless password XXX
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no vpn-addr-assign aaa
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.100-192.168.1.130 inside
dhcpd dns 217.13.XXX.XXX 83.218.XXX.XXX interface inside
!
dhcprelay server 192.168.1.17 inside

group-policy XXX internal
group-policy XXX attributes
dns-server value 192.168.1.17
vpn-session-timeout 420
vpn-tunnel-protocol IPSec l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value XXX_splitTunnelAcl
default-domain value XXX.co.uk
group-policy XXX internal
group-policy XXX attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value XXXASA_splitTunnelAcl
.
.
.
tunnel-group DefaultL2LGroup ipsec-attributes
tunnel-group DefaultWEBVPNGroup webvpn-attributes
tunnel-group XXX type ipsec-ra
tunnel-group XXX general-attributes
address-pool VPN_DHCP
authorization-server-group LOCAL
default-group-policy XXX
tunnel-group XXX ipsec-attributes
pre-shared-key *
tunnel-group XXXASA type ipsec-ra
tunnel-group XXXASA general-attributes
address-pool VPN_Static
authorization-server-group LOCAL
default-group-policy XXXASA
tunnel-group XXXASA ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:96deb164070b5a2282afecdcadab25d4
 
did you double check your username/password, group, pre-shared key, and ip address are correct??

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
I deleted the entry from the ASDM and re-keyed the new Tunnel Group and now the VPN is working... phew... however I am having a problem with RDC, it says computer not found or check IP address. But when I use the original Tunnel Group it works fine.
 
verify your DNS settings are correct for the group-policy

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Checked both group-policies and they both have the same DNS settings???
 
when you connect to the VPN, do you see the correct DNS settings on the VPN adapter?? What happens when you try to connect to it via FQDN (i.e. ts.yourdomain.local)

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Are the remote users using the Cisco VPN client or the Anyconnect client?
 
Hi brianinms,

Thanks for response.

Users are logging onto Cisco VPN Client.

Regards
 
unclerico,

Sorry but your response went over my head which is not that difficult!

As far as I can tell the DNS settings look to be the same as the based on one.

Regards
 
when you try to connect via RDC, try to connect by typing in the server's FQDN (i.e. server1.yourdomain.local). If that doesn't work try by IP address.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Thanks unclerico... why didn't you say so in the first place... just kidding! I have tried that already but got same response i.e. Just times out.

Regards.
 