ASA5505 VPN client problems


My ASA5505Plus connects to the internet and to a laptop; the laptop can access the internet.

A VPN client connects to the ASA but can't access either internal or external IPs.

I see that the default gateway is wrong but can't find how to change it:

********************************
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Cisco Systems VPN Adapter
Physical Address. . . . . . . . . : 00-05-9A-3C-78-00
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.200.5
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.200.1
DNS Servers . . . . . . . . . . . : 4.2.2.2
************************************


I hope this is why I can't access either the laptop (192.168.200.2), management by telnet (192.168.200.4) or the internet via the client. I'm not sure if that part is configured correctly.


See attached configuration.



Correct Answer by husycisco about 8 years 9 months ago

Ofir,

Try the following:

ip local pool VPN_Pool 172.16.20.1-172.16.20.254 mask 255.255.255.0

access-list inside_nat0_outbound permit ip 192.168.200.0 255.255.255.0 172.16.20.0 255.255.255.0
no access-list inside_nat0_outbound extended permit ip any 192.168.200.4 255.255.255.252
no access-list inside_nat0_outbound extended permit ip 192.168.200.0 255.255.255.0 192.168.200.0 255.255.255.0

access-list Split_T permit ip 192.168.200.0 255.255.255.0 172.16.20.0 255.255.255.0

tunnel-group test general-attributes
 address-pool VPN_Pool
 no address-pool test

group-policy test attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_T

crypto isakmp nat-traversal 20

management-access inside

Regards


srue Wed, 07/23/2008 - 13:05

access-list inside_nat0_outbound doesn't exist.

Try something like:

access-list inside_nat0_outbound permit ip 192.168.200.0 255.255.255.0 192.168.200.0 255.255.255.0

a.alekseev Thu, 07/24/2008 - 05:41

no ip verify reverse-path interface outside


or


crypto dynamic-map outside_dyn_map 20 set reverse-route

a.alekseev Thu, 07/24/2008 - 06:01

I thought that you had applied the access-list without success.


First of all apply STEVEN's solution.

I did apply the access-list and it didn't work.

Then I tried both commands, separately and together, and it is still getting the same result - I see it coming in on the ASA log but there is no reply:

Teardown ICMP connection for faddr 192.168.200.5/768 gaddr 192.168.200.2/0 laddr 192.168.200.2/0 (test)

I still wonder if it isn't because of the wrong default gateway on the VPN client (and how to change it?)

The connection doesn't work in the reverse direction either (from my test machine to the VPN machine).

husycisco Thu, 07/24/2008 - 08:04

Hello Ofir,

Please upload the most recent config that appeared after above experts' suggestions.

Also, do not use PING for connectivity tests when firewalls are involved. Use telnet and a port that you are sure is being listened on.


Regards

I've tested other ports with a port-listener utility and I see they DO get from the VPN client to the test machine (telnet with a few different port numbers), but telnet to the ASA itself didn't connect.

From the VPN client machine I can't get to the web or use nslookup to resolve names.

See attached config.



a.alekseev Thu, 07/24/2008 - 08:45

add the following line

crypto isakmp nat-traversal 20


husycisco Thu, 07/24/2008 - 09:33

Ofir,

You are welcome. The major change I applied is split tunnelling, which lets VPN clients use their local gateway to connect to the internet while connecting to the networks specified in the tunnel ACL over the VPN.

Second, using a VPN pool within a subnet which is already used in the ASA, and specifying an unusual NAT exempt statement like "permit ip 192.168.200.0 255.255.255.0 192.168.200.0 255.255.255.0", is not the best practice. Does it work like that? Yes it does, nothing wrong with that, but it is not the best practice and can cause issues like IP conflicts and overlaps while configuring dynamic & static routing in a campus. I made changes accordingly.

IPSEC has some problems when NAT is involved, nat-traversal resolves that one. Main symptom is connection established but no traffic.

management-access lets outside clients connect to the interface specified within command.


Regards
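The failure modes discussed in this thread (no NAT exemption for the pool, a nat 0 statement naming an ACL that does not exist, and a pool that overlaps the inside subnet) can be checked mechanically. The following audit is an added example, not code from the thread or from Cisco; the sample config string, the inside_net value and the function name are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample in the shape of the thread's final config; not the poster's attachment.
# The nat 0 line deliberately carries the ACL-name typo so the audit has something to find.
CONFIG = """\
ip local pool VPN_Pool 172.16.20.1-172.16.20.254 mask 255.255.255.0
ip local pool test 192.168.200.5-192.168.200.7 mask 255.255.255.0
access-list inside_nat0_outbound permit ip 192.168.200.0 255.255.255.0 172.16.20.0 255.255.255.0
access-list Split_T permit ip 192.168.200.0 255.255.255.0 172.16.20.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outside
tunnel-group test general-attributes
 address-pool VPN_Pool
"""


def audit_vpn_nat_exempt(config, inside_net="192.168.200.0/24"):
    """Return findings that explain why VPN clients could not reach inside hosts."""
    inside = ipaddress.ip_network(inside_net)
    findings = []
    # ip local pool NAME first-last mask MASK  -> the subnet the pool lives in
    pools = {m[1]: ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False)
             for m in re.finditer(r"^ip local pool (\S+) (\S+)-\S+ (?:mask|netmask) (\S+)",
                                  config, re.M)}
    # access-list NAME [extended] permit ip SRC MASK DST MASK -> (src_net, dst_net) per ACL
    acls = {}
    for m in re.finditer(r"^access-list (\S+) (?:extended )?permit ip (\S+) (\S+) (\S+) (\S+)",
                         config, re.M):
        acls.setdefault(m[1], []).append((ipaddress.ip_network(f"{m[2]}/{m[3]}"),
                                          ipaddress.ip_network(f"{m[4]}/{m[5]}")))
    nat0 = re.search(r"^nat \(inside\) 0 access-list (\S+)", config, re.M)
    if nat0 is None:
        findings.append("no 'nat (inside) 0 access-list' statement; expect 'no translation group found'")
        return findings
    if nat0[1] not in acls:
        findings.append(f"nat 0 points at ACL '{nat0[1]}', which is not defined (name typo?)")
        return findings
    for pool_name in re.findall(r"^\s*address-pool (\S+)", config, re.M):
        pool = pools[pool_name]
        if pool.overlaps(inside):
            findings.append(f"pool {pool_name} ({pool}) overlaps the inside subnet {inside}")
        if not any(inside.subnet_of(src) and pool.subnet_of(dst) for src, dst in acls[nat0[1]]):
            findings.append(f"ACL {nat0[1]} has no {inside} -> {pool} entry, so pool traffic is not NAT-exempt")
    return findings
```

Run against a real `show running-config` dump, the same function reports the ASDM "no translation group found" cause before a client ever connects.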

Well, something is still wrong with this config.

I noticed that the VPN client still gets the 192.168.200.x IP, so using the console I changed the IP pool for that security profile to use VPN_Pool (172.16.20.0/24) rather than the original test (192.168.200.5-7).

Doing that, the client connects and does get a 172.16 IP; it is still connecting to the internet, but the connection to the ASA (192.168.200.4) or the attached PC stopped working.

When I switch the IP pool back to test, it is working as before.

husycisco Fri, 07/25/2008 - 13:39

Can you upload the working and non working configs?

see the 2 attachments:

"current" is what I have NOW - both test & VPN_Pool options get the client connected, access to the internet via its own network and access to the ASA console. No access to 192.168.200.2.

"before" is the previous version. I'm not 100% sure it is the one that worked, since I tested so many options and change it all the time, but I think it's the right one (and I see nothing that rings a bell).

Thanks



husycisco Sat, 07/26/2008 - 07:54

Ofir,


group-policy test attributes

no address-pools value test


Disconnect, reconnect and try again. A couple of things to check if still no joy:

Modify the VPN_Pool to start from 172.16.20.1, not 172.16.20.0.

When the VPN client is connected, right-click the VPN lock icon at the bottom-right > click Statistics > click the Route Details tab and make sure 192.168.200.0 255.255.255.0 is listed in the right pane.

Make sure that the station with IP address 192.168.200.2 you try to reach has 192.168.200.4 as its default gateway. As I previously mentioned, try for example remote desktop to that station instead of pinging.

Also open your ASDM and monitor the logs in real time as you try to connect to 192.168.200.2 from a VPN client, and see if any logs appear about that.

Try installing the latest version of the Cisco VPN client, or at least 5.x.

* typed in the commands. still not working

* modified the pool to start at 172.16.20.1

it doesn't have a D\G - is it normal?

* 192.168.200.0 route show on the statistics page as expected

* 192.168.200.4 is the D\G for 192.168.200.2

* RDP from the VPN machine couldn't find the computer 192.168.200.2

* ASDM shows the following message multiple times:

no translation group found src 176.16.20.1/x dst 192.168.200.2/y

also - VPN client can't access ASA telnet console (when I use test pool it can)

* I'm using client v5.0.01.0600

husycisco Mon, 07/28/2008 - 07:12

Lol, how could I have missed that? Thanks for the ASDM output.


Add the following and you are good to go:

nat (inside) 0 access-list inside_nat0_outbound

Thanks.

So now the VPN can access any port, including RDP, on the inside station; it can ping the ASA but not telnet to the console.

If I want to allow management access, what should I permit (and is it per user?)

And what if I want to allow and NAT outside connections to the same test station (outside will go to 63.x.y.26 on port abc and be routed to the internal 192.168.200.x using the same port)?

husycisco Mon, 07/28/2008 - 08:44

For telnet,

telnet VPNPool VpnMask outside


For port forwarding,

static (inside,outside) tcp interface abc 192.168.200.x abc netmask 255.255.255.255


access-list outside_access_in permit tcp any interface outside eq abc

access-group outside_access_in in interface outside

husycisco Mon, 07/28/2008 - 09:46

Ah, management-access inside is issued. So you should enter the following:


no telnet 172.16.20.0 255.255.255.0 outside

telnet 172.16.20.0 255.255.255.0 inside
