ASA 5505 VPN can't access inside host

Answered Question
May 30th, 2008
I have set up remote VPN access on an ASA 5505 but cannot access the host or the ASA when I log in using the VPN. I can connect with the Cisco VPN client, the VPN light is on on the ASA, and it shows that I'm connected. I have the correct IP address but I cannot ping or connect to any of the internal addresses. I cannot find what I'm missing. I have the VPN bypassing the interface ACLs. Since I can log in but not go anywhere, I feel certain I missed something.


Part of the config below:


interface Vlan1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0

ip local pool xxxx 10.1.1.50-10.1.1.55 mask 255.255.255.0

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map inside_dyn_map 20 set pfs
crypto dynamic-map inside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic inside_dyn_map
crypto map inside_map interface inside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

service-policy global_policy global
group-policy xxxxxxx internal
group-policy xxxxxxx attributes
 banner value xxxxx Disaster Recovery Site
 wins-server none
 dns-server value 24.xxx.xxx.xx
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelall
 default-domain none
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout none
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 nac disable
 nac-sq-period 300
 nac-reval-period 36000
 nac-default-acl none
 address-pools value xxxxxx
 smartcard-removal-disconnect enable
 client-firewall none
 webvpn
  functions url-entry
 vpn-nac-exempt none

no vpn-addr-assign aaa
no vpn-addr-assign dhcp
tunnel-group xxxx type ipsec-ra
tunnel-group xxxx general-attributes
 address-pool xxxx
 default-group-policy xxxx
tunnel-group blountdr ipsec-attributes
 pre-shared-key *



acomiskey Fri, 05/30/2008 - 07:22

If you can post the config, that would be great.

randyclark Fri, 05/30/2008 - 09:48
I get the banner and IP address info...

This is what the client log provides:

1 13:45:32.942 05/30/08 Sev=Warning/2 CVPND/0xE3400013
AddRoute failed to add a route: code 87
Destination 172.20.255.255
Netmask 255.255.255.255
Gateway 10.1.2.1
Interface 10.1.2.5

2 13:45:32.942 05/30/08 Sev=Warning/2 CM/0xA3100024
Unable to add route. Network: ac14ffff, Netmask: ffffffff, Interface: a010205, Gateway: a010201.

randyclark Mon, 06/02/2008 - 11:01

Here's the latest config... I can connect and get an IP but still cannot access the local host or the firewall. The firewall shows that I have a tunnel, but I still can't access anything.

Attachment:
Correct Answer
acomiskey Mon, 06/02/2008 - 12:47

You are missing NAT exemption for the VPN clients. Add the following and you should be good to go.

access-list inside_nat0_outbound extended permit ip any 192.168.10.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
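Added example, not code from the thread or from Cisco: a small Python audit that reads the ASA lines quoted on this page, lists every VPN pool address that the ACL bound by nat (inside) 0 fails to exempt, and generates exemption lines for the pool that is actually configured. Run against the config in the question plus the two lines of the accepted answer, it reports all six pool addresses as uncovered, because the answer's 192.168.10.0/24 was written for the later config the poster attached, not the 10.1.1.50-55 pool shown above. The embedded config strings are constructed from the page, the ACL name inside_nat0_outbound is taken from the answer, and the pool_overlaps_inside check with its sysopt noproxyarp note is my addition beyond what the thread discusses.

```python
"""Audit an ASA 7.x/8.0-style config for the gap the accepted answer names:
remote-access VPN clients get an address from the pool, but no NAT exemption
('nat (inside) 0 access-list ...', i.e. identity NAT) covers that pool, so
replies from inside hosts are translated instead of going back down the tunnel.

Added example for this thread, not code from the original post or from Cisco.
It understands only the line forms used on this page."""
import ipaddress
import re

# Constructed from the poster's config: inside interface and VPN pool.
POSTED_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
ip local pool xxxx 10.1.1.50-10.1.1.55 mask 255.255.255.0
"""

# The accepted answer as written. Its destination subnet is not the pool shown
# above (the answer was written against a later config attached to the thread).
ANSWER_FIX = """\
access-list inside_nat0_outbound extended permit ip any 192.168.10.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
"""


def parse_pool(config):
    """Return (first, last) addresses of the first 'ip local pool' line."""
    m = re.search(r"^ip local pool \S+ (\S+)-(\S+) mask", config, re.M)
    if not m:
        raise ValueError("no 'ip local pool' line")
    return ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))


def inside_subnet(config):
    """Subnet of the first 'ip address A M' line (the inside interface here)."""
    m = re.search(r"^\s*ip address (\S+) (\S+)", config, re.M)
    if not m:
        raise ValueError("no 'ip address' line")
    return ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)


def _ace_operand(tokens, i):
    """Decode one ACE address operand at tokens[i]: any | host A | A M."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # ipaddress accepts a dotted-decimal mask in the prefix position
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2


def nat0_aces(config):
    """(src, dst) networks of each 'permit ip' ACE in the ACL bound by nat (inside) 0."""
    m = re.search(r"^nat \(inside\) 0 access-list (\S+)", config, re.M)
    if not m:
        return []
    name = m.group(1)
    aces = []
    for line in config.splitlines():
        t = line.split()
        if t[:5] == ["access-list", name, "extended", "permit", "ip"]:
            src, i = _ace_operand(t, 5)
            dst, _ = _ace_operand(t, i)
            aces.append((src, dst))
    return aces


def uncovered_pool_addresses(config):
    """Pool addresses (as strings) that no nat0 ACE names as a destination."""
    first, last = parse_pool(config)
    aces = nat0_aces(config)
    missing = []
    addr = first
    while addr <= last:
        if not any(addr in dst for _, dst in aces):
            missing.append(str(addr))
        addr += 1
    return missing


def pool_overlaps_inside(config):
    """True when the pool lies inside the inside-interface subnet, as it does on
    this page. The ASA then has to proxy-ARP for pool addresses on 'inside', so
    also confirm 'sysopt noproxyarp inside' is not configured."""
    first, last = parse_pool(config)
    net = inside_subnet(config)
    return first in net or last in net


def suggest_exemption(config, acl="inside_nat0_outbound"):
    """Exemption lines for the pool actually in this config, scoped to the
    inside subnet as source rather than 'any'. ACL name defaults to the answer's."""
    first, last = parse_pool(config)
    src = inside_subnet(config)
    lines = []
    for net in ipaddress.summarize_address_range(first, last):
        lines.append(f"access-list {acl} extended permit ip "
                     f"{src.network_address} {src.netmask} "
                     f"{net.network_address} {net.netmask}")
    lines.append(f"nat (inside) 0 access-list {acl}")
    return lines


if __name__ == "__main__":
    print("uncovered with the answer's ACL:",
          uncovered_pool_addresses(POSTED_CONFIG + ANSWER_FIX))
    print("pool overlaps inside subnet:", pool_overlaps_inside(POSTED_CONFIG))
    print("\n".join(suggest_exemption(POSTED_CONFIG)))
```

On the ASA itself, check the same thing with show run nat and a packet-tracer from an inside host to a pool address, for instance packet-tracer input inside icmp 10.1.1.10 8 0 10.1.1.50 (10.1.1.10 is an assumed inside host): the NAT phase of the output should report the nat (inside) 0 exemption rather than a dynamic translation. The exemption ACL must name the pool that the tunnel-group actually hands out, which is why the script derives it from the ip local pool line instead of hard-coding a subnet.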

a.alekseev Wed, 07/09/2008 - 00:52

Open a new topic, attach configs, and give a full description of the problem.
