Brak dostępu do sieci INSIDE przez VPN Remote Access

Wiadomość

marckamil · #1

Witam,
Po podłączeniu się przez VPN Clienta do ASA, nie mam dostępu do sieci inside ASY. Po nawiązaniu połączenia moge pingować interfejs inside oraz mam dostep przez SSH i ASDM od strony inside. Mam jednak urządzenie w sieci INSIDE o adresie .64.5 ze skonfigurowanym SSH, i z nim przez VPN nie ma komunikacji. Urządzenie to ma skonfigurowany default gateway jako adres inside ASY. Co mogłem przeoczyć? Mój config ASY poniżej:

Kod: Zaznacz cały

ASA Version 9.0(1)
!
hostname ASA

!
interface Ethernet0/0
 switchport access vlan 10
!

interface Ethernet0/3
 switchport access vlan 20

interface Vlan10
 nameif outside
 security-level 0
 ip address xxx.xxx.xxx.xxx 255.255.255.248
!
interface Vlan20
 nameif inside
 security-level 100
 ip address 192.168.64.3 255.255.255.0
!
boot system disk0:/asa901-k8.bin
ftp mode passive

object network VPN_POOL
 subnet 192.168.66.0 255.255.255.0
object network NAT_FROM_LAN
 subnet 192.168.64.0 255.255.255.0
object network LAN
 subnet 192.168.64.0 255.255.255.0

access-list SPLIT standard permit 192.168.64.0 255.255.255.0

pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-702.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static LAN LAN destination static VPN_POOL VPN_POOL no-proxy-arp route-lookup
!
object network NAT_FROM_LAN
 nat (inside,outside) dynamic interface

route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.66.202 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set VPN_SET1 esp-aes esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map VPN 1 set ikev1 transform-set VPN_SET1
crypto dynamic-map VPN 1 set reverse-route
crypto map MAP 1 ipsec-isakmp dynamic VPN
crypto map MAP interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86000
telnet timeout 5
ssh 192.168.64.0 255.255.255.0 inside
ssh 192.168.66.202 255.255.255.255 inside
ssh timeout 30
console timeout 0
management-access inside

threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

group-policy TECH internal
group-policy TECH attributes
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT

username test password *** encrypted
username test attributes
 vpn-framed-ip-address 192.168.66.202 255.255.255.0
tunnel-group VPN_TECH type remote-access
tunnel-group VPN_TECH general-attributes
 default-group-policy TECH
tunnel-group VPN_TECH ipsec-attributes
 ikev1 pre-shared-key *****

class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
 class class-default
  user-statistics accounting
!
service-policy global_policy global

FrozenShadoow · #2

Hej,

Dodaj

Kod: Zaznacz cały

ssh 0.0.0.0 0.0.0.0 outside

oczywiscie sprecyzuj adres

Powinno pomóc

EDIT:// znaczniki

Kod: Zaznacz cały

gryglas

marckamil · #3

Komenda ta umozliwia okreslenie dostepu przez SSH do ASY, nie ma nic wspolnego z dostępem do sieci lokalnej przez VPN

FrozenShadoow · #4

Testowo wpisz:

Kod: Zaznacz cały

sysopt connection permit-vpn

i zobacz.

EDIT:// znaczniki

Kod: Zaznacz cały

gryglas

marckamil · #5

Dotarłem wczesniej do tej komendy i przetestowałem ją. Z ACL'kami tez kombinowałem, bez efektów.
A tak wogole to:

sysopt connection permit-vpn

jest domyślnie włączone od wersji 7 ASY

Pozdrawiam

LukaszM · #6

Sprobuj dodac polecenie:

Kod: Zaznacz cały

same-security-traffic permit intra-interface

Dodatkowo mozesz wrzucic output z packet-tracera:
np:

Kod: Zaznacz cały

packet-tracer input inside icmp  X.X.64.5 8 8 Adres_z_pulivpn

marckamil · #7

Niestety to tez juz sprawdzalem.
Testowo zestawiałem na tej konfiguracji site to site vpn oraz ssl web vpn. wszystko działa oprocz remote access przez vpn clien.

LukaszM · #8

A co masz w logach z vpn clienta?

marckamil · #9

Ciągle sypie tym:

Kod: Zaznacz cały

Cisco Systems VPN Client Version 5.0.07.0440
Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 6.1.7601 Service Pack 1

3885   23:19:30.419  03/20/13  Sev=Warning/3	CLI/0xA3900004
Unable to purge old log files. Function returned -4.

3886   23:19:32.408  03/20/13  Sev=Warning/3	CLI/0xA3900004
Unable to purge old log files. Function returned -4.

3887   23:19:35.443  03/20/13  Sev=Warning/3	CLI/0xA3900004
Unable to purge old log files. Function returned -4.

3888   23:19:38.939  03/20/13  Sev=Warning/3	CLI/0xA3900004
Unable to purge old log files. Function returned -4.

3889   23:19:40.503  03/20/13  Sev=Warning/3	CLI/0xA3900004
Unable to purge old log files. Function returned -4.

3890   23:19:42.534  03/20/13  Sev=Warning/3	CLI/0xA3900004
Unable to purge old log files. Function returned -4.

3891   23:19:44.587  03/20/13  Sev=Warning/3	CLI/0xA3900004
Unable to purge old log files. Function returned -4.

czaja200 · #10

Witam

1. Log - przydał by się zrzut z etapu zestawiania tunelu.
Czy ten fragment, który wstawiłeś był robiony podczas nawiązywania komunikacji z hostem w sieci INSIDE?
(trzeba by było zmienić poziomy logowania)

2. Czy sprawdzałeś VPN Client na kompie z XP?

3. Jak chcesz to sprawdź na innym kliencie np. SHREW
w ramach testu zmień polisę

Kod: Zaznacz cały

crypto ikev1 policy 1 
encryption 3des

marckamil · #11

Zauwazyłem ciekawy przypadek, firewall asa ktory konfiguruje pod vpn clienta miala zastapic router ktory robil za serwer vpn do tej pory. Jak dotąd wszystko działało na routerze wzorowo, jednak pewnego dnia vpn client zaprzestal komunikacji z siecia wewnetrzna routera mimo ze polaczenie nawiazuje. czyli sytuacja dokładnie taka jak na tej asie co ją konfiguruje.
Wg sugestii wypróbowałem innego klienta VPN (SHREW), z routerem komunikacja wróciła, jednak ASA dalej nie chce gadać. Tunel sie zestawia ale bez dostępu do inside.

Czy ma to może jakiś związek z ogłoszeniem end of life i end of sale dla Cisco VPN Client?

Na XP nie sprawdzalem bo do tej pory wszystko działalo tak jak powinno na Win7.

Dołączam log z VPN Client z poziomem logowania "High"

Kod: Zaznacz cały

Cisco Systems VPN Client Version 5.0.07.0440
Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 6.1.7601 Service Pack 1

1      15:43:43.421  03/21/13  Sev=Info/4	CM/0x63100002
Begin connection process

2      15:43:43.440  03/21/13  Sev=Info/4	CM/0x63100004
Establish secure connection

3      15:43:43.440  03/21/13  Sev=Info/4	CM/0x63100024
Attempt connection with server "xxx.xxx.xxx.xxx"

4      15:43:43.443  03/21/13  Sev=Info/6	IKE/0x6300003B
Attempting to establish a connection with xxx.xxx.xxx.xxx.

5      15:43:43.449  03/21/13  Sev=Info/4	IKE/0x63000001
Starting IKE Phase 1 Negotiation

6      15:43:43.455  03/21/13  Sev=Info/4	IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to xxx.xxx.xxx.xxx

7      15:43:43.486  03/21/13  Sev=Info/4	IPSEC/0x63700008
IPSec driver successfully started

8      15:43:43.486  03/21/13  Sev=Info/4	IPSEC/0x63700014
Deleted all keys

9      15:43:43.486  03/21/13  Sev=Info/6	IPSEC/0x6370002C
Sent 66 packets, 0 were fragmented.

10     15:43:43.486  03/21/13  Sev=Info/4	IPSEC/0x6370000D
Key(s) deleted by Interface (192.168.66.100)

11     15:43:43.535  03/21/13  Sev=Info/5	IKE/0x6300002F
Received ISAKMP packet: peer = xxx.xxx.xxx.xxx

12     15:43:43.535  03/21/13  Sev=Info/4	IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(dpd), VID(Nat-T), NAT-D, NAT-D, VID(Frag), VID(?)) from xxx.xxx.xxx.xxx

13     15:43:43.535  03/21/13  Sev=Info/5	IKE/0x63000001
Peer is a Cisco-Unity compliant peer

14     15:43:43.535  03/21/13  Sev=Info/5	IKE/0x63000001
Peer supports XAUTH

15     15:43:43.535  03/21/13  Sev=Info/5	IKE/0x63000001
Peer supports DPD

16     15:43:43.535  03/21/13  Sev=Info/5	IKE/0x63000001
Peer supports NAT-T

17     15:43:43.535  03/21/13  Sev=Info/5	IKE/0x63000001
Peer supports IKE fragmentation payloads

18     15:43:43.544  03/21/13  Sev=Info/6	IKE/0x63000001
IOS Vendor ID Contruction successful

19     15:43:43.544  03/21/13  Sev=Info/4	IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to xxx.xxx.xxx.xxx

20     15:43:43.545  03/21/13  Sev=Info/6	IKE/0x63000055
Sent a keepalive on the IPSec SA

21     15:43:43.545  03/21/13  Sev=Info/4	IKE/0x63000083
IKE Port in use - Local Port =  0xCB1A, Remote Port = 0x1194

22     15:43:43.545  03/21/13  Sev=Info/5	IKE/0x63000072
Automatic NAT Detection Status:
   Remote end is NOT behind a NAT device
   This   end IS behind a NAT device

23     15:43:43.545  03/21/13  Sev=Info/4	CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

24     15:43:43.602  03/21/13  Sev=Info/5	IKE/0x6300002F
Received ISAKMP packet: peer = xxx.xxx.xxx.xxx

25     15:43:43.602  03/21/13  Sev=Info/4	IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from xxx.xxx.xxx.xxx

26     15:43:43.602  03/21/13  Sev=Info/4	CM/0x63100015
Launch xAuth application

27     15:43:43.604  03/21/13  Sev=Info/6	GUI/0x63B00012
Authentication request attributes is 6h.

28     15:43:47.666  03/21/13  Sev=Info/4	CM/0x63100017
xAuth application returned

29     15:43:47.666  03/21/13  Sev=Info/4	IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to xxx.xxx.xxx.xxx

30     15:43:47.721  03/21/13  Sev=Info/5	IKE/0x6300002F
Received ISAKMP packet: peer = xxx.xxx.xxx.xxx

31     15:43:47.721  03/21/13  Sev=Info/4	IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from xxx.xxx.xxx.xxx

32     15:43:47.721  03/21/13  Sev=Info/4	IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to xxx.xxx.xxx.xxx

33     15:43:47.721  03/21/13  Sev=Info/4	CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system

34     15:43:47.725  03/21/13  Sev=Info/5	IKE/0x6300005E
Client sending a firewall request to concentrator

35     15:43:47.725  03/21/13  Sev=Info/4	IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to xxx.xxx.xxx.xxx

36     15:43:47.782  03/21/13  Sev=Info/5	IKE/0x6300002F
Received ISAKMP packet: peer = xxx.xxx.xxx.xxx

37     15:43:47.782  03/21/13  Sev=Info/4	IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from xxx.xxx.xxx.xxx

38     15:43:47.782  03/21/13  Sev=Info/5	IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 192.168.66.101

39     15:43:47.782  03/21/13  Sev=Info/5	IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NETMASK: , value = 255.255.255.0

40     15:43:47.782  03/21/13  Sev=Info/5	IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SAVEPWD: , value = 0x00000000

41     15:43:47.782  03/21/13  Sev=Info/5	IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SPLIT_INCLUDE (# of split_nets), value = 0x00000001

42     15:43:47.782  03/21/13  Sev=Info/5	IKE/0x6300000F
SPLIT_NET #1
	subnet = 192.168.64.0 
	mask = 255.255.255.0
	protocol = 0
	src port = 0
	dest port=0

43     15:43:47.782  03/21/13  Sev=Info/5	IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS: , value = 0x00000000

44     15:43:47.782  03/21/13  Sev=Info/5	IKE/0x6300000E
MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value = Cisco Systems, Inc ASA5505 Version 9.0(1) built by builders on Fri 26-Oct-12 16:36

45     15:43:47.782  03/21/13  Sev=Info/5	IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SMARTCARD_REMOVAL_DISCONNECT: , value = 0x00000001

46     15:43:47.782  03/21/13  Sev=Info/5	IKE/0x6300000D
MODE_CFG_REPLY: Attribute = Received and using NAT-T port number , value = 0x00001194

47     15:43:47.783  03/21/13  Sev=Info/4	CM/0x63100019
Mode Config data received

48     15:43:47.790  03/21/13  Sev=Info/4	IKE/0x63000056
Received a key request from Driver: Local IP = 192.168.66.101, GW IP = xxx.xxx.xxx.xxx, Remote IP = 0.0.0.0

49     15:43:47.791  03/21/13  Sev=Info/4	IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to xxx.xxx.xxx.xxx

50     15:43:47.872  03/21/13  Sev=Info/5	IKE/0x6300002F
Received ISAKMP packet: peer = xxx.xxx.xxx.xxx

51     15:43:47.873  03/21/13  Sev=Info/4	IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from xxx.xxx.xxx.xxx

52     15:43:47.873  03/21/13  Sev=Info/5	IKE/0x63000045
RESPONDER-LIFETIME notify has value of 86000 seconds

53     15:43:47.873  03/21/13  Sev=Info/5	IKE/0x63000047
This SA has already been alive for 4 seconds, setting expiry to 85996 seconds from now

54     15:43:47.875  03/21/13  Sev=Info/5	IKE/0x6300002F
Received ISAKMP packet: peer = xxx.xxx.xxx.xxx

55     15:43:47.875  03/21/13  Sev=Info/4	IKE/0x63000014
RECEIVING <<< ISAKMP OAK QM *(HASH, SA, NON, ID, ID, NOTIFY:STATUS_RESP_LIFETIME) from xxx.xxx.xxx.xxx

56     15:43:47.875  03/21/13  Sev=Info/5	IKE/0x63000045
RESPONDER-LIFETIME notify has value of 28800 seconds

57     15:43:47.875  03/21/13  Sev=Info/4	IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH) to xxx.xxx.xxx.xxx

58     15:43:47.875  03/21/13  Sev=Info/5	IKE/0x63000059
Loading IPsec SA (MsgID=FA7D9F64 OUTBOUND SPI = 0x57B3853D INBOUND SPI = 0x36DAECB8)

59     15:43:47.876  03/21/13  Sev=Info/5	IKE/0x63000025
Loaded OUTBOUND ESP SPI: 0x57B3853D

60     15:43:47.876  03/21/13  Sev=Info/5	IKE/0x63000026
Loaded INBOUND ESP SPI: 0x36DAECB8

61     15:43:47.908  03/21/13  Sev=Info/5	CVPND/0x63400013
    Destination           Netmask           Gateway         Interface   Metric
        0.0.0.0           0.0.0.0          10.0.0.1         10.0.0.13       25
       10.0.0.0     255.255.255.0         10.0.0.13         10.0.0.13      281
      10.0.0.13   255.255.255.255         10.0.0.13         10.0.0.13      281
     10.0.0.255   255.255.255.255         10.0.0.13         10.0.0.13      281
      127.0.0.0         255.0.0.0         127.0.0.1         127.0.0.1      306
      127.0.0.1   255.255.255.255         127.0.0.1         127.0.0.1      306
127.255.255.255   255.255.255.255         127.0.0.1         127.0.0.1      306
      224.0.0.0         240.0.0.0         127.0.0.1         127.0.0.1      306
      224.0.0.0         240.0.0.0         10.0.0.13         10.0.0.13      281
255.255.255.255   255.255.255.255         127.0.0.1         127.0.0.1      306
255.255.255.255   255.255.255.255         10.0.0.13         10.0.0.13      281


62     15:43:48.226  03/21/13  Sev=Info/6	CVPND/0x63400001
Launch VAInst64 to control IPSec Virtual Adapter

63     15:43:48.609  03/21/13  Sev=Info/4	CM/0x63100034
The Virtual Adapter was enabled: 
	IP=192.168.66.101/255.255.255.0
	DNS=0.0.0.0,0.0.0.0
	WINS=0.0.0.0,0.0.0.0
	Domain=
	Split DNS Names=

64     15:43:48.651  03/21/13  Sev=Info/5	CVPND/0x63400013
    Destination           Netmask           Gateway         Interface   Metric
        0.0.0.0           0.0.0.0          10.0.0.1         10.0.0.13       25
       10.0.0.0     255.255.255.0         10.0.0.13         10.0.0.13      281
      10.0.0.13   255.255.255.255         10.0.0.13         10.0.0.13      281
     10.0.0.255   255.255.255.255         10.0.0.13         10.0.0.13      281
      127.0.0.0         255.0.0.0         127.0.0.1         127.0.0.1      306
      127.0.0.1   255.255.255.255         127.0.0.1         127.0.0.1      306
127.255.255.255   255.255.255.255         127.0.0.1         127.0.0.1      306
      224.0.0.0         240.0.0.0         127.0.0.1         127.0.0.1      306
      224.0.0.0         240.0.0.0         10.0.0.13         10.0.0.13      281
      224.0.0.0         240.0.0.0           0.0.0.0           0.0.0.0      281
255.255.255.255   255.255.255.255         127.0.0.1         127.0.0.1      306
255.255.255.255   255.255.255.255         10.0.0.13         10.0.0.13      281
255.255.255.255   255.255.255.255           0.0.0.0           0.0.0.0      281


65     15:43:49.568  03/21/13  Sev=Warning/3	CLI/0xA3900004
Unable to purge old log files. Function returned -4.

66     15:43:51.696  03/21/13  Sev=Info/4	CM/0x63100038
Successfully saved route changes to file.

67     15:43:51.697  03/21/13  Sev=Info/5	CVPND/0x63400013
    Destination           Netmask           Gateway         Interface   Metric
        0.0.0.0           0.0.0.0          10.0.0.1         10.0.0.13       25
       10.0.0.0     255.255.255.0         10.0.0.13         10.0.0.13      281
       10.0.0.1   255.255.255.255         10.0.0.13         10.0.0.13      100
      10.0.0.13   255.255.255.255         10.0.0.13         10.0.0.13      281
     10.0.0.255   255.255.255.255         10.0.0.13         10.0.0.13      281
 xxx.xxx.xxx.xxx   255.255.255.255          10.0.0.1         10.0.0.13      100
      127.0.0.0         255.0.0.0         127.0.0.1         127.0.0.1      306
      127.0.0.1   255.255.255.255         127.0.0.1         127.0.0.1      306
127.255.255.255   255.255.255.255         127.0.0.1         127.0.0.1      306
   192.168.64.0     255.255.255.0      192.168.66.1    192.168.66.101      100
   192.168.66.0     255.255.255.0    192.168.66.101    192.168.66.101      281
 192.168.66.101   255.255.255.255    192.168.66.101    192.168.66.101      281
 192.168.66.255   255.255.255.255    192.168.66.101    192.168.66.101      281
      224.0.0.0         240.0.0.0         127.0.0.1         127.0.0.1      306
      224.0.0.0         240.0.0.0         10.0.0.13         10.0.0.13      281
      224.0.0.0         240.0.0.0    192.168.66.101    192.168.66.101      281
255.255.255.255   255.255.255.255         127.0.0.1         127.0.0.1      306
255.255.255.255   255.255.255.255         10.0.0.13         10.0.0.13      281
255.255.255.255   255.255.255.255    192.168.66.101    192.168.66.101      281


68     15:43:51.697  03/21/13  Sev=Info/6	CM/0x63100036
The routing table was updated for the Virtual Adapter

69     15:43:51.713  03/21/13  Sev=Info/4	CM/0x6310001A
One secure connection established

70     15:43:51.747  03/21/13  Sev=Info/4	CM/0x6310003B
Address watch added for 10.0.0.13.  Current hostname: profelektronix2, Current address(es): 192.168.66.101, 10.0.0.13.

71     15:43:51.751  03/21/13  Sev=Info/4	CM/0x6310003B
Address watch added for 192.168.66.101.  Current hostname: profelektronix2, Current address(es): 192.168.66.101, 10.0.0.13.

72     15:43:51.751  03/21/13  Sev=Info/5	CM/0x63100001
Did not find the Smartcard to watch for removal

73     15:43:51.751  03/21/13  Sev=Info/4	IPSEC/0x63700014
Deleted all keys

74     15:43:51.751  03/21/13  Sev=Info/4	IPSEC/0x63700010
Created a new key structure

75     15:43:51.751  03/21/13  Sev=Info/4	IPSEC/0x6370000F
Added key with SPI=0x3d85b357 into key list

76     15:43:51.751  03/21/13  Sev=Info/4	IPSEC/0x63700010
Created a new key structure

77     15:43:51.751  03/21/13  Sev=Info/4	IPSEC/0x6370000F
Added key with SPI=0xb8ecda36 into key list

78     15:43:51.751  03/21/13  Sev=Info/4	IPSEC/0x6370002F
Assigned VA private interface addr 192.168.66.101

79     15:43:51.751  03/21/13  Sev=Info/4	IPSEC/0x63700037
Configure public interface: 10.0.0.13. SG: xxx.xxx.xxx.xxx

80     15:43:51.753  03/21/13  Sev=Info/6	CM/0x63100046
Set tunnel established flag in registry to 1.

81     15:43:51.796  03/21/13  Sev=Info/4	CLI/0x63900002
Started vpnclient:
Cisco Systems VPN Client Version 5.0.07.0440
Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 6.1.7601 Service Pack 1

82     15:43:52.915  03/21/13  Sev=Warning/3	CLI/0xA3900004
Unable to purge old log files. Function returned -4.

83     15:43:53.627  03/21/13  Sev=Info/6	IKE/0x63000055
Sent a keepalive on the IPSec SA

84     15:43:54.632  03/21/13  Sev=Warning/3	CLI/0xA3900004
Unable to purge old log files. Function returned -4.

85     15:43:57.712  03/21/13  Sev=Warning/3	CLI/0xA3900004
Unable to purge old log files. Function returned -4.

86     15:43:58.187  03/21/13  Sev=Info/4	IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to xxx.xxx.xxx.xxx

87     15:43:58.187  03/21/13  Sev=Info/6	IKE/0x6300003D
Sending DPD request to xxx.xxx.xxx.xxx, our seq# = 3386867157

88     15:43:58.241  03/21/13  Sev=Info/5	IKE/0x6300002F
Received ISAKMP packet: peer = xxx.xxx.xxx.xxx

89     15:43:58.241  03/21/13  Sev=Info/4	IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from xxx.xxx.xxx.xxx

90     15:43:58.241  03/21/13  Sev=Info/5	IKE/0x63000040
Received DPD ACK from xxx.xxx.xxx.xxx, seq# received = 3386867157, seq# expected = 3386867157

91     15:43:58.792  03/21/13  Sev=Warning/3	CLI/0xA3900004
Unable to purge old log files. Function returned -4.

92     15:43:58.792  03/21/13  Sev=Info/4	CLI/0x63900002

czaja200 · #12

1. Nie podoba mi się modyfikacja tablicy rutingu, jaką wprowadza Clinet VPN, dokładnie zapis:

Kod: Zaznacz cały

Destination           Netmask           Gateway         Interface   Metric 

192.168.64.0     255.255.255.0      192.168.66.1    192.168.66.101      100

brama - to powinno być IP wirtualnego interfejsu VPN: 192.168.66.101 , czyli coś takiego:

Kod: Zaznacz cały

 192.168.64.0     255.255.255.0      192.168.66.101    192.168.66.101      100

2. Zobacz, czy faktycznie po zestawieniu VPN-a tablica rutingu ma taką postać jak w przedstawionym logu (cmd -> route print)

Jeżeli tak jest, to ja bym w ramach testu przerobił tablicę rutingu na kompie i sprawdził

(zmiany wprowadzamy po zapięciu się VPN-a)

Kod: Zaznacz cały

route delete 192.168.64.0
route add 192.168.64.0 mask 255.255.255.0 192.168.66.101 metric 100 if 192.168.66.101

3. Masz jakiś program AV/FW na W7?

LukaszM · #13

Masz w konfiguracji ASA 9.0 wiec raczej Cisco VPN client nie jest wspierany i zalecany na tej wersji systemu- czyt powinienes uzywac AnyConnecta:

Q. Can we use the Cisco VPN Client with Cisco Adaptive Security Appliance Software Version 9.0?
A. Yes, the Cisco VPN Client is supported in Cisco Adaptive Security Appliance Software Version 9.0. The Cisco VPN Client is no longer under active development and customers are encouraged to migrate to Cisco AnyConnect Secure Mobility Client as soon as possible.

bugi · #14

ASA 9.x jak najbardziej suppportuje starego vpn clienta wlącznie z uwierzytelnieniem po certyfikatach. Sprawdź co widzisz w logach w momencie wykonywania połączenia. Dodatkowo zobacz czy w statystykach klienta widać że pakiety wpadają w tunel.

pozdr!

marckamil · #15

W momencie nawiązywania połączenia rosną liczniki "Sent" i "Encrypted" reszta bez zmian, logi z vpn clienta podczas proby komunikacji z inside wkleilem wczesniej. Zakłądka "Route details" pokazuje adres sieci inside asy.

Kombinacje z tablicą routingu nic nie zmienily niestety

Antivirus jest i byl zawsze ten sam, zreszta proba wylaczenia go nic nie zmienia.

Zmiana algorytmow szyfrowania na asie tez nie pomaga

Dodam że sytuacja tą ma miejsce nie tylko na moim komputerze ale na wszystskich, które miały wszesniej dostep przez vpn