Unable to access VPN box internal address after VPN

Unanswered Question
Sep 2nd, 2008

Hi all. My office network is protected by an ASA 5510 firewall with VPN configured. When I VPN into my office network I could not access the firewall via the firewall's internal address using telnet etc., even though I have already enabled telnet. The firewall is my office network gateway. Below is my config. Please advise. Thanks in advance. Access to my office network is fine using VPN.





hostname firewall
domain-name default.domain.invalid
enable password xxx
names
dns-guard
!
interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 192.168.1x.x 255.255.255.0
!
interface Ethernet0/1
 nameif DMZ
 security-level 50
 ip address 192.168.2x.x 255.255.255.0
!
interface Ethernet0/2
 nameif outside
 security-level 0
 ip address 8x.x.x.x 255.255.255.240
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd xxx
ftp mode passive
same-security-traffic permit inter-interface
access-list inside_access_in extended permit ip 192.168.1x.0 255.255.255.0 any
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended deny ip any any
access-list DMZ_access_in extended permit ip 192.168.2x.0 255.255.255.0 any
access-list inside_nat0_outbound extended permit ip any 172.16.0.0 255.255.255.224
access-list split-tunnel standard permit 192.168.1x.0 255.255.255.0
pager lines 24
logging enable
logging asdm-buffer-size 500
logging asdm informational
mtu inside 1500
mtu DMZ 1500
mtu outside 1500
mtu management 1500
ip local pool addpool 172.16.0.1-172.16.0.20 mask 255.255.0.0
no failover
monitor-interface inside
monitor-interface DMZ
monitor-interface outside
monitor-interface management
asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 100 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 100 192.168.1x.0 255.255.255.0
access-group inside_access_in in interface inside
access-group DMZ_access_in in interface DMZ
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 8x.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy vpn internal
group-policy vpn attributes
 dns-server value 192.168.1x.x 192.168.1x.x
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel
 webvpn
username ciscoadm password xxx encrypted privilege 15
username ciscoadm attributes
 vpn-group-policy vpn
 webvpn
http server enable
http 192.168.1x.x 255.255.255.255 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection tcpmss 13800
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group vpn type ipsec-ra
tunnel-group vpn general-attributes
 address-pool addpool
 default-group-policy vpn
tunnel-group vpn ipsec-attributes
 pre-shared-key *
telnet 192.168.1x.x 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0





Marwan ALshawi Tue, 09/02/2008 - 19:58

You have a mismatch in subnet mask between the nat0 ACL and the VPN pool.

Your pool is

ip local pool addpool 172.16.0.1-172.16.0.20 mask 255.255.0.0

while in the ACL the mask is

access-list inside_nat0_outbound extended permit ip any 172.16.0.0 255.255.255.224

Try making the VPN pool like

ip local pool addpool 172.16.0.1-172.16.0.20 mask 255.255.255.0

Also, the ACL you have does not cover all IPs,

so if you want, make it like

access-list inside_nat0_outbound extended permit ip any 172.16.0.0 255.255.255.0

Finally, check this ACL; it might be blocking the traffic:

access-group outside_access_in in interface outside

Good luck.

If helpful, rate.

donnie Tue, 09/02/2008 - 22:02

Hi marwanshawi,

Thank you for your response.

I have made the following changes.

1) I have changed "access-list inside_nat0_outbound extended permit ip any 172.16.0.0 255.255.255.224" to "access-list inside_nat0_outbound extended permit ip any 172.16.0.0 255.255.0.0", hence the VPN address pool matches my NAT exemption ACL.

2) I have removed the deny statement from the outside_access_in ACL.

After doing the above, I am still unable to telnet into the firewall after I manage to VPN into my office network. All other servers can be accessed once my VPN connection is up. Please advise, thanks in advance.

Marwan ALshawi Tue, 09/02/2008 - 22:11

Even if you remove the deny,

there is a deny-all by default, called the implicit deny.

You need to make an explicit allow,

so allow whatever traffic you want the VPN client to do,

like

permit tcp 172.16.0.0 255.255.0.0 [asa inside ip] eq 23

permit tcp [asa inside ip] eq 23 172.16.0.0 255.255.0.0

and also

do

clear xlate and clear conn

Good luck.


dhananjoy chowdhury Tue, 09/02/2008 - 22:30

Hi,

Did you add the "management-access" command ?


To allow management access to an interface other than the onefrom which you

entered the security appliance when using IPSec VPN, use the management-access

command in global configuration mode.


management-access inside

donnie Tue, 09/02/2008 - 23:13

Hi dhana,

Thank you for your response. After adding "management-access inside" I now can ping the internal interface of my firewall after connecting to my office network via VPN, which I previously could not. However, I could not access my firewall via ASDM and telnet even though I have allowed 0.0.0.0 0.0.0.0 to access the firewall for both telnet and ASDM using the device access option available in ASDM. Please advise. Thanks in advance.

donnie Thu, 09/04/2008 - 20:09

Hi all. Below is my configuration. After I enabled "management-access inside" I could access my firewall internal IP via ping after establishing the VPN connection, but not others like telnet, even though "telnet 0.0.0.0 0.0.0.0 inside" is enabled. Please advise.


interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 192.168.1x.254 255.255.255.0
!
interface Ethernet0/1
 nameif DMZ
 security-level 50
 ip address 192.168.2x.254 255.255.255.0
!
interface Ethernet0/2
 nameif outside
 security-level 0
 ip address 8x.xx.xx.xx 255.255.255.240
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd xxx
ftp mode passive
same-security-traffic permit inter-interface
access-list inside_access_in extended permit ip 192.168.1x.0 255.255.255.0 any
access-list inside_access_in extended permit esp any any
access-list inside_access_in extended permit gre any any
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended deny ip any any
access-list DMZ_access_in extended permit ip 192.168.2x.0 255.255.255.0 any
access-list inside_nat0_outbound extended permit ip any 172.16.0.0 255.255.0.0
access-list split-tunnel standard permit 192.168.1x.0 255.255.255.0
access-list prod standard permit host 192.168.1x.x
access-list prod standard deny any
pager lines 24
logging enable
logging asdm-buffer-size 500
logging asdm informational
mtu inside 1500
mtu DMZ 1500
mtu outside 1500
mtu management 1500
ip local pool pool 172.16.0.1-172.16.0.20 mask 255.255.0.0
no failover
monitor-interface inside
monitor-interface DMZ
monitor-interface outside
monitor-interface management
asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 100 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 100 192.168.1x.0 255.255.255.0
access-group inside_access_in in interface inside
access-group DMZ_access_in in interface DMZ
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 8x.xx.xx.xx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy vpnuser internal
group-policy vpnuser attributes
 dns-server value 192.168.1x.x 192.168.1x.x
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value prod
 default-domain value mm.com
 webvpn
username user password xxx encrypted privilege 15
username user attributes
 vpn-group-policy vpnuser
 webvpn
http server enable
http 192.168.1x.x 255.255.255.255 inside
http 0.0.0.0 0.0.0.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection tcpmss 13800
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group vpnuser type ipsec-ra
tunnel-group vpnuser general-attributes
 address-pool pool
 default-group-policy vpnuser
tunnel-group vpnuser ipsec-attributes
 pre-shared-key *
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd dns 8x.x.1x.x 8x.x.x.x
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management




marshall.blanco... Fri, 09/05/2008 - 06:06

Try specifying your VPN IP pool range for telnet access...

telnet 172.16.0.0 255.255.0.0 inside

http 172.16.0.0 255.255.0.0 inside

...if you're still having issues with ASDM via VPN.

donnie Mon, 09/08/2008 - 20:03

Hi marshall, thank you for your response. I specified what you suggested and now I can access the ASDM interface after connecting VPN. However, I still could not access through telnet after connecting VPN. Please advise. Thanks in advance.

marshall.blanco... Tue, 09/09/2008 - 05:30

Are you trying to access the mgmt interface or the inside interface when trying to telnet over VPN?

donnie Tue, 09/09/2008 - 17:06

Hi. I am trying to access the inside interface of my firewall over VPN. After I enabled "management-access inside" I manage to access my firewall inside interface via ASDM over VPN but not through telnet, even though I have enabled my VPN IP to access the firewall via telnet and ASDM as below.

"http 172.20.0.0 255.255.255.0 inside"

"telnet 172.20.0.0 255.255.255.0 inside"
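The points raised in the replies so far, the nat 0 exemption and pool mask (Marwan), `management-access` (dhananjoy) and telnet/http source entries that actually cover the pool (marshall), can be checked mechanically against a config dump instead of by eye. The Python below is an added example, not code from this thread or from Cisco. It parses a constructed ASA-style config and reports what would keep a VPN client from managing the inside interface; the thread masks its real addresses, so 192.168.10.254 is an assumed inside address, and the 172.20.0.0 telnet/http lines quoted in the post above are copied in deliberately against the 172.16.0.x pool. Whether 172.20 is a typo in the post or what is in the running config is not established in the thread, but it is exactly the mismatch this check catches. It also flags `telnet 0.0.0.0 0.0.0.0 inside` as cleartext management open to any inside source and suggests `ssh` instead (an ssh source entry alone is not enough on an ASA; an RSA key pair must exist as well), and it checks that a `tunnelspecified` split-tunnel list includes the management address, since the `prod` list in the second config permits a single host. It does not inspect the outside interface ACL: with the ASA default `sysopt connection permit-vpn` in effect, decrypted VPN traffic bypasses interface ACLs, so the implicit deny discussed earlier is not what blocks it.

```python
"""Lint an ASA 7.x/8.0-style config for what decides whether IPsec remote-access
clients can manage the inside interface.  SAMPLE_CONFIG and FIXED_CONFIG are
constructed for this example; 192.168.10.254 is an assumed inside address."""
import ipaddress

SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif inside
 ip address 192.168.10.254 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 172.16.0.0 255.255.255.224
access-list prod standard permit host 192.168.10.254
access-list prod standard deny any
ip local pool pool 172.16.0.1-172.16.0.20 mask 255.255.0.0
nat (inside) 0 access-list inside_nat0_outbound
group-policy vpnuser attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value prod
http 172.20.0.0 255.255.255.0 inside
telnet 0.0.0.0 0.0.0.0 inside
telnet 172.20.0.0 255.255.255.0 inside
management-access inside
"""
# Same config with the fixes the thread converges on, and ssh in place of telnet.
FIXED_CONFIG = (SAMPLE_CONFIG
                .replace("172.16.0.0 255.255.255.224", "172.16.0.0 255.255.255.0")
                .replace("mask 255.255.0.0", "mask 255.255.255.0")
                .replace("http 172.20.0.0", "http 172.16.0.0")
                .replace("telnet 0.0.0.0 0.0.0.0 inside\n", "")
                .replace("telnet 172.20.0.0", "ssh 172.16.0.0"))


def _addr_spec(t, i):
    """Parse one ASA address spec (any | host A | A MASK) at t[i] -> (network, next i)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2


def parse(config):
    """Collect the management-relevant statements from a running-config dump."""
    cfg = {"if_ip": {}, "acl": {}, "pools": {}, "nat0_acls": [], "mgmt": None,
           "allow": {"telnet": [], "ssh": [], "http": []}, "split": {}}
    cur_if = cur_gp = None
    for raw in config.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "interface":
            cur_if = {}
        elif t[0] == "nameif" and cur_if is not None:
            cfg["if_ip"][t[1]] = cur_if                  # 'ip address' fills it in below
        elif t[:2] == ["ip", "address"] and cur_if is not None:
            cur_if["ip"] = ipaddress.ip_address(t[2])
        elif t[0] == "access-list":
            aces = cfg["acl"].setdefault(t[1], [])
            if t[2] == "extended" and t[4] == "ip":      # only plain 'ip' ACEs matter here
                src, i = _addr_spec(t, 5)
                aces.append((t[3], src, _addr_spec(t, i)[0]))
            elif t[2] == "standard":
                aces.append((t[3], _addr_spec(t, 4)[0], None))
        elif t[:3] == ["ip", "local", "pool"]:           # 'ip local pool NAME LO-HI mask M'
            lo, hi = t[4].split("-")
            cfg["pools"][t[3]] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi), t[6])
        elif t[0] == "nat" and t[2:4] == ["0", "access-list"]:
            cfg["nat0_acls"].append(t[4])
        elif t[0] == "management-access":
            cfg["mgmt"] = t[1]
        elif t[0] in cfg["allow"] and len(t) == 4:       # '<proto> NET MASK IFC'
            cfg["allow"][t[0]].append((ipaddress.ip_network(f"{t[1]}/{t[2]}", strict=False), t[3]))
        elif t[0] == "group-policy" and t[-1] == "attributes":
            cur_gp = cfg["split"].setdefault(t[1], {})
        elif t[0].startswith("split-tunnel-") and cur_gp is not None:
            cur_gp[t[0]] = t[-1]                         # policy name or list name
    return cfg


def _covers(nets, lo, hi):
    return any(lo in n and hi in n for n in nets)


def lint(config):
    """Return findings; an empty list means nothing here stops management over the VPN."""
    cfg, out = parse(config), []
    mgmt = cfg["mgmt"]
    if mgmt is None:
        out.append("no 'management-access <ifc>': clients can only reach the terminating interface")
    exempt = [d for n in cfg["nat0_acls"] for act, _s, d in cfg["acl"].get(n, []) if act == "permit"]
    for name, (lo, hi, mask) in cfg["pools"].items():
        if not _covers(exempt, lo, hi):
            out.append(f"pool {name}: {lo}-{hi} not fully covered by a nat 0 exemption ACE")
        elif not any(ipaddress.ip_network(f"{lo}/{mask}", strict=False).subnet_of(n) for n in exempt):
            out.append(f"pool {name}: mask {mask} is wider than any nat 0 exemption ACE")
        for proto, allowed in cfg["allow"].items():
            nets = [n for n, ifc in allowed if ifc == mgmt]
            if nets and not _covers(nets, lo, hi):
                out.append(f"pool {name}: no '{proto} ... {mgmt}' entry covers the pool")
    if any(n.prefixlen == 0 for n, _ in cfg["allow"]["telnet"]):
        out.append("telnet (cleartext) allowed from 0.0.0.0/0; restrict it to the pool or use ssh")
    if cfg["allow"]["telnet"] and not cfg["allow"]["ssh"]:
        out.append("telnet enabled but no 'ssh' source entry: prefer ssh (needs an RSA key pair)")
    mgmt_ip = cfg["if_ip"].get(mgmt, {}).get("ip")
    for gp, s in cfg["split"].items():
        if s.get("split-tunnel-policy") == "tunnelspecified" and mgmt_ip is not None:
            aces = cfg["acl"].get(s.get("split-tunnel-network-list"), [])
            if not any(act == "permit" and mgmt_ip in net for act, net, _ in aces):
                out.append(f"group-policy {gp}: split-tunnel list does not include {mgmt_ip}")
    return out


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, lint(text) or ["ok"])
```

Run it as-is and the sample config yields four findings (pool mask wider than the exemption entry, no http entry covering the pool, telnet open from 0.0.0.0/0, telnet without ssh); the fixed variant yields none. Note that the /27 exemption in the first posted config does cover 172.16.0.1-20, so the check reports it as a mask mismatch rather than as missing coverage. The parser only reads the statement forms that appear in this thread; `permit tcp ... eq 23` style ACEs with ports are skipped on purpose.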

JORGE RODRIGUEZ Tue, 09/09/2008 - 17:13

Hi,

You have an interface specified as Management0/0 with nameif management as the ASA management-only interface.

Try

management-access management

Rgds,

Jorge

marshall.blanco... Wed, 09/10/2008 - 06:55

I would suggest trying to add an ACL for telnet access..

access-list acl_in extended permit tcp any any eq telnet
