EasyVPN Experiment and Problem Analysis

Source: Internet
Author: Player 7


EasyVPN is a common VPN solution in everyday use. Although EasyVPN only runs on Cisco devices, it is very practical and has few requirements on the environment: the client only needs Internet connectivity, and there is no need for a fixed IP address or to worry about whether the client sits behind NAT. I had spare Cisco devices on hand, so I set up an EasyVPN experiment. (All of the experiments below were done on real hardware.) I first drew the topology on paper and marked the IP addresses. The topology is as follows:
The ASA5520, the C2811, the C2851 and the two PCs are connected according to the topology: the file-share host 10.9.30.158 sits on the ASA inside network (10.9.30.0/24), the ASA outside interface connects to the 2811, the 2811 and the 2851 are joined by the 202.96.128.0/24 link, and the VPN client PC 192.168.1.10 sits behind the 2851, which performs PAT for it.

1. Basic network settings

ASA5520:
    interface e0/1
     ip address 10.9.30.1 255.255.255.0
     nameif inside
     security-level 100
    interface e0/0
     ip address 202.96.127.85 255.255.255.0
     nameif outside
     security-level 0
(The outside address is not legible in the original listing; 202.96.127.85 is the address the client later connects to, and the /24 mask is the one used for the global pool on that subnet.)

2811:
    interface f0/0
     ip address [address not preserved in the original] 255.255.255.0
     no shutdown
    interface f0/1
     ip address 202.96.128.86 255.255.255.0
     no shutdown

2851:
    interface g0/1
     ip address 202.96.128.85 255.255.255.0
     no shutdown
    interface g0/0
     ip address 192.168.1.1 255.255.255.0
     no shutdown

In addition, the default routes:

ASA5520:
    route outside 0.0.0.0 0.0.0.0 [next hop: the 2811 f0/0 address, not preserved in the original]

2851:
    ip route 0.0.0.0 0.0.0.0 202.96.128.86

PAT on the 2851:
    access-list 1 permit any
    ip nat inside source list 1 interface g0/1 overload
(The interface-level "ip nat inside" on g0/0 and "ip nat outside" on g0/1 are not shown in the original listing; they are required for the overload rule to do anything.)

Connectivity test: 192.168.1.10 to 202.96.127.85 works. 10.9.30.158 to 202.96.128.85 fails. Finding the cause:

1. Pinging 202.96.128.85 from the ASA works, so routes and links are fine.
2. 10.9.30.158 can ping its gateway 10.9.30.1.
3. By default, traffic from a high-security interface to a low-security interface is allowed, but the ASA only keeps connection state for TCP and UDP; it does not track ICMP (or ESP) by default, so the replies are rejected when they come back in on outside. Therefore:
    access-list out-in extended permit icmp any any
    access-group out-in in interface outside
   Even so, 10.9.30.158 still cannot reach 202.96.128.85. (The cleaner alternative to opening ICMP on the outside ACL is "inspect icmp" in the global policy, which makes the ASA track echo/echo-reply pairs as state.)
4. Going over the configuration carefully: no NAT has been configured for the inside hosts at all, and with nat-control the ASA will not forward an inside host without a translation. Add:
    nat (inside) 1 10.9.30.0 255.255.255.0
    global (outside) 1 202.96.127.80 netmask 255.255.255.0
5. The test now succeeds.
2. EasyVPN configuration on the ASA

    ip local pool vpnpool 192.168.100.1-192.168.100.100
    access-list split extended permit ip 10.9.30.0 255.255.255.0 any
    crypto ipsec transform-set myset esp-des esp-md5-hmac
    crypto dynamic-map dymap 10 set transform-set myset
    crypto map easyvpn-map 10 ipsec-isakmp dynamic dymap
    crypto map easyvpn-map interface outside
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash md5
    isakmp policy 10 group 2
    crypto isakmp enable outside
    group-policy easyvpn-policy internal
    group-policy easyvpn-policy attributes
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value split
    username cisco password cisco
    username cisco attributes
     vpn-group-policy easyvpn-policy
     password-storage enable
    tunnel-group szvpn type remote-access
    tunnel-group szvpn general-attributes
     address-pool vpnpool
    tunnel-group szvpn ipsec-attributes
     pre-shared-key 123456

The "split" ACL is the split-tunnel list: only traffic for 10.9.30.0/24 goes through the tunnel, everything else leaves the client in the clear. The transform set (esp-des, esp-md5-hmac), the ISAKMP policy (3des, md5) and the pre-shared key 123456 are reproduced as in the original; on anything other than a lab, use AES and SHA and a strong pre-shared key, and think twice about "password-storage enable", which lets the client save the user password on disk.

The Cisco VPN Client is then installed on host 192.168.1.10 with the matching parameters (host 202.96.127.85, group name szvpn with group password 123456, username cisco).
The connection succeeds and the client gets the address 192.168.100.1. I thought it was done, so I shared a directory on 10.9.30.158, confirmed that it could be opened from inside the LAN (to rule out a sharing misconfiguration), and then tried to open it from 192.168.1.10. Result: "The network path was not found." Checking everything again: 1. the intermediate routers forward correctly, and 192.168.1.10 reaches the ASA outside interface; 2. the encryption settings are correct; 3. a ping from 192.168.1.10 to 10.9.30.158 does not get through. So the problem is in the firewall. "debug icmp trace" on the ASA shows nothing at all. The ACL permits ICMP. "sysopt connection permit-vpn" is on by default. Does EasyVPN treat ACLs differently from other VPNs? Adding "access-list out-in extended permit ip 192.168.100.0 255.255.255.0 10.9.30.0 255.255.255.0" still gives no access. Doubting common sense again: is the source address wrong? Does EasyVPN traffic arrive with the peer's real LAN address as source? Adding "access-list out-in extended permit ip 192.168.1.0 255.255.255.0 10.9.30.0 255.255.255.0" still gives no access.

Tracing the packet step by step instead: the VPN client encapsulates and encrypts the packet, whose inner header has source 192.168.100.1 and a destination in 10.9.30.0/24, and adds an outer header addressed to 202.96.127.85. The 2851 looks up the route and forwards it to the 2811, PATing the outer source address to 202.96.128.85. The 2811 looks up the route and forwards it to the ASA5520 outside interface. The ASA decrypts it and is left with a packet from 192.168.100.1 to the 10.9.30.0/24 network. It does the route lookup and then the NAT lookup, finds no translation for this flow, and simply discards the packet. That is the problem: with nat-control, the firewall only forwards traffic that has a translation. "no nat-control" would let this packet through, but on its own it does not help, because the host 10.9.30.158 then replies and the reply runs into the next problem.
The reply has source 10.9.30.158 and destination 192.168.100.1. When the EasyVPN session comes up, the ASA automatically installs a static route for the client address and the crypto ACL entries for the dynamic SA. But for traffic from inside to outside, NAT runs before the crypto check, so the outside interface sees a packet with source 202.96.127.80 (the PAT global address) and destination 192.168.100.1. That packet no longer matches the SA's traffic selector (which can be thought of as an automatically added crypto-interesting ACL for 10.9.30.0/24 to 192.168.100.1), so it does not trigger encryption and is sent in the clear to the 2811. The 2811 has no route for 192.168.100.1 and drops it.

With that understood, add a NAT exemption on the ASA:
    access-list vpnacl extended permit ip 10.9.30.0 255.255.255.0 192.168.100.0 255.255.255.0
    nat (inside) 0 access-list vpnacl
Access now works. The "nat 0 access-list" rule is matched in both directions, so it also supplies the translation that the inbound decrypted packet needs under nat-control. (On ASA 8.3 and later the same exemption is written as a twice-NAT identity rule, "nat (inside,outside) source static <inside-net> <inside-net> destination static <vpn-pool> <vpn-pool>", since "nat 0 access-list" no longer exists.)

To verify that the source address the ASA actually sees is 192.168.100.1: configure "no sysopt connection permit-vpn" and remove "access-list out-in extended permit ip 192.168.100.0 255.255.255.0 10.9.30.0 255.255.255.0"; access is now rejected, which confirms it. EasyVPN encapsulates the data in its own IP header just like other VPNs. "sysopt connection permit-vpn", which is enabled by default, means that decrypted VPN traffic bypasses the interface ACL check.

Author: Player 7
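The two failures above come down to the order in which the ASA applies NAT exemption, dynamic PAT and the crypto-map check. The following Python model is an added example, not code from the article or from Cisco; it reproduces only that ordering (exemption first, then PAT, then the SA selector test on the translated packet; inbound decrypted traffic skips the outside ACL while sysopt connection permit-vpn is on, and under nat-control needs a translation) using the article's addresses. The class and function names are invented for the illustration, and the SA selector (10.9.30.0/24 to 192.168.100.0/24) is an assumption standing in for the per-client proxy IDs.

```python
"""Constructed model of the ASA packet path behind the EasyVPN failure.

Added example, not from the original article. Models only the ordering the
article relies on: "nat 0 access-list" is consulted first, then dynamic
NAT/PAT, and the crypto-map (SA selector) check runs on the translated packet.
Inbound decrypted traffic skips the outside ACL when sysopt connection
permit-vpn is on, and with nat-control must match a translation.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Tuple

Rule = Tuple[str, str]  # (source network, destination network), CIDR notation


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def acl_permits(acl: List[Rule], pkt: Packet) -> bool:
    """True if some (src_net, dst_net) rule matches both addresses of pkt."""
    return any(
        ip_address(pkt.src) in ip_network(s) and ip_address(pkt.dst) in ip_network(d)
        for s, d in acl
    )


@dataclass
class Asa:
    dynamic_nat: Tuple[str, str]        # nat (inside) 1 <net>  +  global (outside) 1 <ip>
    sa_selector: Rule                   # proxy IDs of the SA negotiated with the client (assumed)
    nat_exempt: List[Rule] = field(default_factory=list)   # nat (inside) 0 access-list vpnacl
    nat_control: bool = True            # inside hosts need a translation to be forwarded
    sysopt_permit_vpn: bool = True      # decrypted VPN traffic bypasses the outside ACL
    outside_acl: List[Rule] = field(default_factory=list)  # access-group out-in in interface outside

    def outbound(self, pkt: Packet) -> str:
        """inside -> outside: translate first, then test the translated packet against the SA."""
        if acl_permits(self.nat_exempt, pkt):
            translated = pkt                                    # identity NAT, real source kept
        elif ip_address(pkt.src) in ip_network(self.dynamic_nat[0]):
            translated = Packet(self.dynamic_nat[1], pkt.dst)   # PAT to the global address
        elif self.nat_control:
            return "dropped: no translation for inside host"
        else:
            translated = pkt
        if acl_permits([self.sa_selector], translated):
            return f"encrypted {translated.src}->{translated.dst}"
        return f"clear {translated.src}->{translated.dst}"     # leaves in plaintext toward the 2811

    def inbound_decrypted(self, pkt: Packet) -> str:
        """outside -> inside, after ESP decapsulation."""
        if not self.sysopt_permit_vpn and not acl_permits(self.outside_acl, pkt):
            return "dropped: outside ACL"
        # nat 0 access-list is matched in both directions, so test the reply direction
        if self.nat_control and not acl_permits(self.nat_exempt, Packet(pkt.dst, pkt.src)):
            return "dropped: nat-control, no translation"
        return f"delivered {pkt.src}->{pkt.dst}"


# Constructed sample packets using the article's addresses.
CLIENT_TO_SERVER = Packet("192.168.100.1", "10.9.30.158")   # inner header after decryption
SERVER_TO_CLIENT = Packet("10.9.30.158", "192.168.100.1")   # the reply from the share host
COMMON = dict(dynamic_nat=("10.9.30.0/24", "202.96.127.80"),
              sa_selector=("10.9.30.0/24", "192.168.100.0/24"))


def before_fix() -> Tuple[str, str]:
    """Only nat (inside) 1 / global (outside) 1 configured."""
    asa = Asa(**COMMON)
    return asa.inbound_decrypted(CLIENT_TO_SERVER), asa.outbound(SERVER_TO_CLIENT)


def after_fix() -> Tuple[str, str]:
    """nat (inside) 0 access-list vpnacl added."""
    asa = Asa(**COMMON, nat_exempt=[("10.9.30.0/24", "192.168.100.0/24")])
    return asa.inbound_decrypted(CLIENT_TO_SERVER), asa.outbound(SERVER_TO_CLIENT)


def without_sysopt(outside_acl: List[Rule]) -> str:
    """The verification step: no sysopt connection permit-vpn, rely on the outside ACL."""
    asa = Asa(**COMMON, nat_exempt=[("10.9.30.0/24", "192.168.100.0/24")],
              sysopt_permit_vpn=False, outside_acl=outside_acl)
    return asa.inbound_decrypted(CLIENT_TO_SERVER)


if __name__ == "__main__":
    print("before nat 0:", before_fix())
    print("after nat 0: ", after_fix())
    print("sysopt off, ACL for 192.168.1.0/24:  ", without_sysopt([("192.168.1.0/24", "10.9.30.0/24")]))
    print("sysopt off, ACL for 192.168.100.0/24:", without_sysopt([("192.168.100.0/24", "10.9.30.0/24")]))
```

Running it shows both symptoms from the article: before the exemption the decrypted client packet is dropped for lack of a translation and the reply leaves in the clear as 202.96.127.80, after it both directions stay inside the SA; and with sysopt off, only an outside ACL written for the pool address 192.168.100.0/24, not for the client's real LAN 192.168.1.0/24, lets the traffic in.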
